In this chapter, you learned several techniques for securing WSS applications: code access security (CAS), custom authentication, and authorization using securable objects. We first discussed the importance of using trust levels and CAS to constrain what Web Part code is allowed to do. At this point, you should be able to ship custom CAS settings with your Web Part code through solution packages so that it runs securely and reliably under a partially trusted (least-privilege) trust level, rather than requiring the site's trust level to be raised to Full.
This chapter also discussed how authentication and authorization work within WSS sites. WSS tracks users at the site collection level with a user token that can be created by using either Windows authentication or forms authentication. This user token establishes a WSS-specific security context that enables WSS to perform internal access control checks on WSS objects such as sites, lists, and items.
However, it's also important to remember that the WSS components you develop often need to access external resources as well, such as databases, file shares, and Web services. This means that you must be aware of the current Windows security context as well as the WSS security context, because the two are distinct: the Windows context is the identity the thread presents to the operating system and to external resources, whereas the WSS context is the user token WSS uses for its own access checks. This chapter also presented programming techniques involving elevation of privileges and user impersonation that can be used to change the WSS security context as well as the Windows security context.
Within WSS site collections, users are managed in terms of groups that can be assigned roles (permission levels), each of which bundles a set of base permissions. Permissions and access control are based on securable objects, such as sites, lists, and items, all of which implement the ISecurableObject interface. A securable object either carries its own unique ACL (its role assignments) or inherits the ACL of its parent. You have also learned how to write custom code against securable objects to verify that the current user has the required permissions before acting on them, and you now know how to create custom access control policies. The details of this chapter, along with the previous chapters, should give you a foundation for creating secure and reliable business solutions for WSS and MOSS.
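The following C# listing is an added example written for this summary, not code from the chapter. It ties the last two paragraphs together: a permission check against a securable object (with the own-ACL versus inherited-ACL distinction), an elevated write that re-opens the site collection inside the elevated delegate, and impersonation of a named user through an SPUserToken. It assumes it runs inside a WSS request so that SPContext.Current is populated, that the list title passed in exists in the current site, and that the caller is known to the site; the class, method, and parameter names are illustrative.

```csharp
using System;
using Microsoft.SharePoint;

// Added example (not from the chapter). Assumes execution inside a WSS request
// (SPContext.Current is populated). Names below are illustrative.
public static class SecurableObjectDemo
{
    // Authorization check against a securable object. SPWeb, SPList and SPListItem
    // all implement ISecurableObject, so the same code works for any of them.
    public static bool CanCurrentUserEdit(SPListItem item)
    {
        ISecurableObject securable = item;

        // HasUniqueRoleAssignments == false means this item carries no ACL of its
        // own; WSS evaluates the role assignments of FirstUniqueAncestor instead
        // (the parent list, or the site if the list inherits too).
        bool hasOwnAcl = securable.HasUniqueRoleAssignments;

        // DoesUserHavePermissions returns false rather than throwing. Use
        // CheckPermissions when an UnauthorizedAccessException should propagate
        // to the caller instead.
        bool canEdit = securable.DoesUserHavePermissions(SPBasePermissions.EditListItems);

        Console.WriteLine("own ACL: {0}, can edit: {1}", hasOwnAcl, canEdit);
        return canEdit;
    }

    // Elevation of privileges. Objects obtained before the elevated block, such as
    // SPContext.Current.Web, keep the ORIGINAL user's WSS security context even when
    // used inside the delegate. Only an SPSite opened inside the delegate runs as
    // the application pool identity (Windows context) and as the system account
    // (WSS context). Capture everything user-specific before elevating.
    public static void WriteAuditEntryElevated(string listTitle, string message)
    {
        Guid siteId = SPContext.Current.Site.ID;
        Guid webId = SPContext.Current.Web.ID;
        string userName = SPContext.Current.Web.CurrentUser.LoginName;

        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            using (SPSite elevatedSite = new SPSite(siteId))
            using (SPWeb elevatedWeb = elevatedSite.OpenWeb(webId))
            {
                // Required for updates made outside a form POST with a form digest.
                elevatedWeb.AllowUnsafeUpdates = true;
                try
                {
                    SPList auditList = elevatedWeb.Lists[listTitle];
                    SPListItem entry = auditList.Items.Add();
                    entry["Title"] = userName + ": " + message;
                    entry.Update();
                }
                finally
                {
                    elevatedWeb.AllowUnsafeUpdates = false;
                }
            }
        });
    }

    // User impersonation. Opening the site collection with another user's token
    // changes the WSS security context only: every access check WSS performs on
    // this SPSite is evaluated against that user's rights. The Windows security
    // context of the thread is unchanged.
    public static bool UserCanReadWeb(string loginName)
    {
        // AllUsers[...] throws an SPException if the login is not known to the site.
        SPUserToken token = SPContext.Current.Web.AllUsers[loginName].UserToken;

        using (SPSite impersonatedSite = new SPSite(SPContext.Current.Site.ID, token))
        using (SPWeb impersonatedWeb = impersonatedSite.OpenWeb(SPContext.Current.Web.ID))
        {
            return impersonatedWeb.DoesUserHavePermissions(SPBasePermissions.ViewPages);
        }
    }
}
```

Two practical checks follow from the listing. First, if an elevated block appears to fail with an access-denied error, confirm that the SPSite and SPWeb being updated were created inside the delegate and not captured from SPContext.Current. Second, when using an impersonated SPSite, remember that any external resource access still runs under the thread's Windows identity, so impersonation by token does not by itself grant or restrict access to databases or file shares.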