I've hosted a WCF service in SharePoint 2010 (basicHttpBinding) using this tutorial. The assembly is deployed to the GAC and contains the WCF service and a timer job. Both call the same method. The timer job works successfully.

But when I call the method of the WCF service, I get an exception saying that it can't write a property to the SPFarm PropertyBag.

System.Security.SecurityException: Access denied.
   at Microsoft.SharePoint.Administration.SPPersistedObject.BaseUpdate()
   at Microsoft.SharePoint.Administration.SPFarm.Update()
   at MyCompany.MyProduct.Business.Config.SetPropertyValue(IPropertyBag propertyBag, String propertyName, String value)
The Zone of the assembly that failed was:
MyComputer

I tried calling the method using the Farm Administrator account and tried using SPSecurity.RunWithElevatedPrivileges, but without success.

I checked WindowsIdentity.GetCurrent() inside and outside the elevated-privileges block: outside it's the caller's user, and inside it's the user of the web application's AppPool.

So the AppPool user is correctly impersonated, but SharePoint 2010 "disallows modification ... to all objects inheriting from SPPersistedObject in the Microsoft.SharePoint.Administration namespace ... from content web applications".

The article says there is a switch, SPWebService.ContentService.RemoteAdministratorAccessDenied (namespace Microsoft.SharePoint.Administration), to get rid of this behaviour, but I can't rely on administrators using it to get my solution running.

So I'm still without a solution.

A: 

The security credentials from the calling process are probably copied. You can configure WCF whether or not to do this.

See http://msdn.microsoft.com/en-us/library/ms731925.aspx for more information.

Pieter
As far as I can see, I can't change that, because I use the factory (http://www.sharepointbits.com/blog/custom-wcf-services-in-sharepoint-2010.html) or maybe I misunderstood your answer ... can you explain a bit further?
Hinek
Step 5 in your link talks about NTLM credentials. This is probably the culprit. Couldn't you change this to not send any security credentials, just to test whether this makes a difference?
Pieter
This won't work, because the service demands an NTLM authentication. If I don't send the credentials, the WCF service returns 401 Unauthorized.
Hinek
I take it this specific method requires administrative privileges? Are you calling the WCF service from an account with administrative privileges?
Pieter
I edited the question: I found that SharePoint 2010 has a new feature that disallows web applications from accessing farm administration objects. So the credentials are correct, but SharePoint blocks the access because it comes from a web application.
Hinek
A: 

I found a hack to work around the problem. I will not use it, because it is really dirty, but maybe somebody needs it, so:

  1. Don't call the WCF service through a normal web application URL. Use the URL of the Central Administration (e.g. http://myserver:9999/_vti_bin/project/myservice.svc)
  2. Run the part where you change the Farm Properties with elevated privileges (SPSecurity.RunWithElevatedPrivileges).
  3. Before the elevated part (now it gets really dirty) set System.Web.HttpContext.Current.Items["FormDigestValidated"] = true;

As I said, not a nice one, but working ...

Hinek
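As an added illustration (not code from the question or either answer), here is a C# version of the SetPropertyValue helper named in the stack trace that writes to the farm property bag under elevated privileges and, before touching SPFarm, checks the two conditions this thread identifies as the cause of the "Access denied": the request arriving through a content web application rather than Central Administration while SPWebService.ContentService.RemoteAdministratorAccessDenied is set. The class name FarmConfig, the IsContentWebApplicationRequest helper and the web-application id comparison are my assumptions; the SharePoint API members used are real.

```csharp
using System;
using System.Web;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;

// Hypothetical helper mirroring MyCompany.MyProduct.Business.Config.SetPropertyValue
// from the stack trace; every name except the SharePoint API is an assumption.
public static class FarmConfig
{
    // True when the request is served by a content web application rather than
    // Central Administration (compares web-application ids; my choice, not the thread's).
    public static bool IsContentWebApplicationRequest()
    {
        if (HttpContext.Current == null || SPContext.Current == null)
            return false;                       // timer job / console: no web context at all
        Guid current = SPContext.Current.Site.WebApplication.Id;
        return current != SPAdministrationWebApplication.Local.Id;
    }

    // Surfaces the restriction the question describes before the write is attempted,
    // so the caller gets a clear message instead of a SecurityException from BaseUpdate().
    public static void EnsureFarmWriteAllowed()
    {
        if (IsContentWebApplicationRequest()
            && SPWebService.ContentService.RemoteAdministratorAccessDenied)
        {
            throw new InvalidOperationException(
                "Farm-level objects cannot be updated from a content web application " +
                "while RemoteAdministratorAccessDenied is true; host the endpoint under " +
                "Central Administration or run this code from a timer job.");
        }
    }

    public static void SetPropertyValue(string propertyName, string value)
    {
        EnsureFarmWriteAllowed();
        // Elevation only switches the identity to the app pool account (as the question's
        // WindowsIdentity check showed); it does not lift the content-web-app restriction.
        SPSecurity.RunWithElevatedPrivileges(delegate
        {
            SPFarm farm = SPFarm.Local;
            farm.Properties[propertyName] = value;   // SPPersistedObject.Properties is a Hashtable
            farm.Update();                           // this is where BaseUpdate() throws
        });
    }
}
```

Called from the timer job, IsContentWebApplicationRequest() is false and the update proceeds; called from a WCF endpoint under a content web application, the check fails fast with the reason instead of the bare "Access denied".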