I'm getting a SecurityException, "Access Denied" when trying to make a web.config modification programmatically.

Code closely follows this example:

    public override void FeatureActivated(SPFeatureReceiverProperties properties)
    {
        // create modification
        SPSecurity.RunWithElevatedPrivileges(delegate()
        {
            SPWebConfigModification m = new SPWebConfigModification();
            m.Path = "configuration/SharePoint/SafeControls";
            m.Name = string.Format(CultureInfo.InvariantCulture, "SafeControl[@Assembly='{0}'][@Namespace='{1}'][@TypeName='*'][@Safe='True']", ADSWebPart.GetAssemblyFullName(), ADSWebPart.GetNamespace());
            m.Sequence = 0;
            m.Owner = SPContext.Current.Web.CurrentUser.Name;
            m.Type = SPWebConfigModification.SPWebConfigModificationType.EnsureChildNode;
            m.Value = string.Format(CultureInfo.InvariantCulture, "<SafeControl Assembly='{0}' Namespace='{1}' TypeName='*' Safe='True' />", ADSWebPart.GetAssemblyFullName(), ADSWebPart.GetNamespace());

            // apply modification
            SPWebService service = SPWebService.ContentService;
            service.WebConfigModifications.Add(m);
            service.Update();
            service.ApplyWebConfigModifications();
        });
    }

(I started with no call to RunWithElevatedPrivileges(), got the same exception, then continued enclosing more and more code, up to enclosing the whole body of FeatureActivated().)

Ideas welcome, thanks.

A: 

Out of sheer curiosity, is the web.config set to read only? Have you checked the permissions on the filesystem for the web directory in inetpub?

Also, is this being activated on the Web Application level or further down?

zincorp
App pool account is admin on the local box; web.config is not read-only; activation is being performed at the web application level. Thanks.
Ariel
Is the app pool account being impersonated also the farm administrator?
zincorp
App pool account is farm admin.
Ariel
+1  A: 

Hi Ariel

I'm not answering your question as asked, but why are you using a Feature receiver to add SafeControl Entries?

The "Right" way to add SafeControl Entries is to embed these inside <SafeControls> inside the corresponding <Assembly> in manifest.xml of your Solution like this:

    <Assembly Location="MyLib.dll" DeploymentTarget="WebApplication">
      <SafeControls>
        <SafeControl Assembly="MyLib, Version=1.0.0.0, Culture=neutral, PublicKeyToken=4489c7aa5341e32c" Namespace="MyNs" TypeName="*" Safe="True" />
      </SafeControls>
    </Assembly>

Per Jakobsen
Thanks, it worked. I totally missed this option :-)
Ariel
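
A review check for the manifest.xml approach in the answer above, as an added example that is not part of the original thread: it parses a solution manifest and reports, per `<Assembly>`, a missing SafeControl entry, an entry whose Assembly name does not match the DLL or is not a full strong name, and `TypeName="*"` wildcards. The `<Solution>` wrapper, `Other.dll` and the helper names `local` and `audit_manifest` are constructed for this illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the answer's <Assembly> block wrapped in a minimal manifest,
# plus a second, made-up assembly (Other.dll) that declares no SafeControl.
SAMPLE = """<Solution xmlns="http://schemas.microsoft.com/sharepoint/">
  <Assemblies>
    <Assembly Location="MyLib.dll" DeploymentTarget="WebApplication">
      <SafeControls>
        <SafeControl Assembly="MyLib, Version=1.0.0.0, Culture=neutral, PublicKeyToken=4489c7aa5341e32c" Namespace="MyNs" TypeName="*" Safe="True" />
      </SafeControls>
    </Assembly>
    <Assembly Location="Other.dll" DeploymentTarget="WebApplication" />
  </Assemblies>
</Solution>"""

def local(tag):
    """Strip the XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def audit_manifest(xml_text):
    """Return (assembly location, finding) pairs for a manifest you own and trust."""
    findings = []
    for asm in ET.fromstring(xml_text).iter():
        if local(asm.tag) != "Assembly":
            continue
        location = asm.get("Location", "")
        dll = location.replace("\\", "/").rsplit("/", 1)[-1]
        simple = dll[:-4] if dll.lower().endswith(".dll") else dll
        controls = [e for e in asm.iter() if local(e.tag) == "SafeControl"]
        if not controls:
            findings.append((location, "no SafeControl entry"))
        for sc in controls:
            parts = [p.strip() for p in sc.get("Assembly", "").split(",")]
            keys = {p.split("=", 1)[0] for p in parts[1:] if "=" in p}
            if parts[0].lower() != simple.lower():
                findings.append((location, "SafeControl names another assembly: " + parts[0]))
            if not {"Version", "Culture", "PublicKeyToken"} <= keys:
                findings.append((location, "Assembly attribute is not a full strong name"))
            if sc.get("TypeName") == "*" and sc.get("Safe", "").lower() == "true":
                findings.append((location, "wildcard: all types in %s marked safe" % sc.get("Namespace")))
    return findings

if __name__ == "__main__":
    for location, finding in audit_manifest(SAMPLE):
        print(location + ": " + finding)
```

A missing entry is only a problem when the assembly actually contains web parts or controls, and the wildcard finding is informational: it marks every type in the namespace as safe, so it is worth confirming that is intended.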
A: 

Instead of using SPContext.Current.Web.CurrentUser.Name, try following the instructions here to impersonate the SystemAccount: http://blackninjasoftware.com/2009/04/09/how-to-programmatically-impersonate-users-in-sharepoint/

Junx
A: 

Another question, are you activating the feature from a Forms Based Authentication site? You can have issues because the site collection administrator is from the authentication provider path, and not AD. The Web.Config file security is based on the AD account, so you have no ability to update the web.config without doing something bad, like giving Everyone access to web.config.

Here is an earlier question I posted on the topic.

http://stackoverflow.com/questions/868393/modifying-sharepoint-app-web-config-file-with-forms-based-authentication

John Ptacek