SharePoint Shelter

One code modification Resharper 4.0 will suggest is that if a public constructor is located in an abstract class, it should be adjusted to use the protected access modifier if currently public:

So, from this:

To this:

So, why is this a good code edit?

Well, having a public constructor on an abstract class in the terms of code architecture is irrational since the abstract class can’t be instantiated directly; it is instead created by instantiating the deriving type. Thus only derived types have access to the abstract class constructor. Protected more adequately describes a germane access modifier for the constructor as well as ensuring requisite inheritor types have constructor access.

More noticeably, appropriate access modifier decoration will in turn not populate Intellisence with a bunch of useless crap

Share This

Recommend This Post

While SPList objects do not sustain true relational integrity due to the inherent nature of unstructured SharePoint data storage (in the current version at least), it is common within business applications to use Lookup field types are leveraged to build weak references between SharePoint lists. As such, typed collection queries become important, combining LINQ with method chaining allows us to write succinct SPListItem returns.

Firstly, let's make some requisite test proxy objects:

Now, let’s assume the following business requirement. I want to loop through list1, and match a returned SPField value to a string condition defined by a literal. Subsequently, the return will be used on the list2 SPList object within the Where clause. This is considered in the following code snippet:

The above code is arguable that the second casting operation for the typed collection build should be broken out into a separate variable before the call and replacing the Cast statement within SelectMany with the result of the call using ToList to forces immediate execution. Meh.

Share This

Recommend This Post

By: Noni Hernandez
Enterprise Architect

If you worked/have worked or plan on working within the DoD environment, security will be a subject that haunts your dreams. Not that security isn't prevalent in the private sector, but given the nature of our work security is a top priority if not the number one priority. That being said, I have been working with the DoD's PKI for the past few years so I am fully aware of the scope and implications of providing a secure computing environment. Recently I was tasked with bringing all of our publicly available servers to a secure standard. This involved deploying a load balanced ISA 2006 array and protecting all of our services available through the NIPRNET or commercial internet. One of my projects was securing our SharePoint farm by only allowing access through our ISA array. Normally this would be a task completed in one's sleep, depending on the authentication model being utilized. However, being a DoD element brings on specific requirements that must be met to ensure the protection of our data. Enter the CAC, or Common Access Card, and the utilization of the DoD PKI to enforce a more secure environment.

Inherently, ISA 2006 has great support for the client certificate authentication model, but there are some constraints. The main one being ISA will only allow such a connection by querying your domain to authenticate an active member of your domain. This is perfectly fine, except for the notion of having a publicly available page with limited information, on an anonymous access model. This is where things begin to get tricky. As I stated earlier, one requirement handed down by the DoD is to secure all publicly available servers via CAC authentication. This means granting access to your public site to anyone with a valid CAC. If you are publishing your anonymous site and giving direct access to your farm, then deploying this scenario is rather simple, but you are leaving your server vulnerable to possible unauthorized access simply by giving direct access. So naturally we will need to publish this site through our ISA array to provide that layer of security. This is where I first ran into problems. If you are configuring an access rule in ISA then enabling client certificate authentication requires the user be an active member in your domain with their CAC registered to that account. If you choose to leave the certificate request on the web server and set the authentication request on the listener to 'No Authentication' and the authentication delegation to 'No delegation, but client may authenticate directly', you will most likely receive a 408/Request timed out error when attempting to access the page. I was stuck on this error message for weeks after attempting numerous combinations to make this work.

After many sleepless nights(and even worse, nightmares!) trying to create a solution to this problem, I finally came across the solution only after being requested to secure another server behind our array. So here is the method I developed to allow a user access to our anonymous SharePoint site, with the only stipulation being they have a valid CAC.

Step 1.

On your ISA array, instead of creating a SharePoing Site Publishing Rule or a Web Site Publishing Rule, select 'Non-Web Server Protocol Publishing Rule'. Give it a meaningful name so your admins will be able to easily identify what the rule is performing, I chose 'HQ Anonymous SharePoint Site[CAC Enabled]'. After you click next enter the IP either the individual server or the load balanced IP utilized to reach the site. After clicking next, you'll need to click new to create a modified version of the HTTPS/SSL protocol, I named it 'HTTPS[HQ Anon]' to again reflect its utilization. After clicking next you'll need to first create an Inbound TCP protocol using the Port Range 443 to 443. This is basically stripping down the methods used by ISA, i.e. compression, masking, to allow an SSL connection but still generating a proxy connection to our internal site to protect the data. After clicking OK, you'll need to do the same thing and create and Outbound connection with the same parameters, this will allow the client certificate request to be passed back to the end user for a successful handshake. After clicking OK and then Finish you should see your new protocol in the 'Selected Protocol' dropdown list. Click Next and select the network that will be listening for these requests, most likely 'External' and then click the Address button. Since I am using a load balanced array I already have a VIP ready to be utilized for this published site, so I choose 'Specified IP address..' and then select the IP I will be using to publish this site and then click Add so this rule is only answering requests sent to this specific IP. After you select the IP and click OK, click Finish to complete the creation of the rule.

Step 2.

After you have created the rule, double click the new rule to view the properties. Click on the 'To' tab and change the 'Request for the published server' setting to 'Requests appear to come from the ISA Server computer'. Once you have verified all the settings are correct from steps 1 and 2 then click 'Apply' and 'OK'. This should conclude the ISA configuration portion!

Step 3.

On your SharePoint farm, you'll need to open the IIS settings and then navigate to your anonymous site and view the properties. When you have the properties open, navigate to the Directory Security page and then click Edit on the Secure Communications section. Here you'll need to select 'Require secure channel', 'Require client certificates', and then 'Enable certificate trust list'. Click New to create a new Trust list, click Next and then click 'Add from File'. You'll need to select the DoD Root CA 2 and I have also set DoD CLASS 3 Root CA from where you have these certificates stored. Click next and then give it a name, i.e. DOD CTL, click next and then Finish. After clicking OK all the way through to the Directory Security page of the anonymous site properties, you are done!

So as you see, it's really not a complicated process. But in the grand scheme of things, we all know that we tend to over think and over complicate things to engineer solutions. I am more than guilty of this, I lost weeks of sleep to prove it! This configuration guide is set on a pretense that you do have some preliminary items configured, and that you reached the dead end at the same point I did. If did not being to lose your hair because of this, and have just begun your descent into madness, then you need to know that there are some steps that should be completed before reaching this stage.

--------------------

Thank you Noni for agreeing to write this post! I think everyone will agree this is a valuable contribution to the DoD - SharePoint community!

Share This

Recommend This Post

So, I recently got solicited for feedback and comment from Infragistics because I was for some time heavily into using their control set. Regardless of some of the unwieldy operations to sustain the nifty functions, I think they are neat and a lot of the times clients have a pre-existing license agreements so I just use 'em.

Infragistics appears to be making a tactical move into the SharePoint space; therefore curiosity arose in me to go test out what they had recently released. Regrettably, in conventional “let’s hurry up and provide a SharePoint solution” format which can be vendor criterion, Infragistics wins for the most cumbersome deployment process feasible. Well, maybe not that bad, but it’s pretty damn close.  The WORST part about this situation is the code behind for the solution is fantastic (not being sarcastic, it really is pretty good!), and it’s a bummer that they dropped the ball on everything BUT managed code development. Kudos to the developer on the code though.

So, here is the page of concern:
http://www.infragistics.com/hot/sharepoint.aspx#SharePoint

And here is a link to the configuration guide:
http://dl.infragistics.com/products/NetAdvantage/Silverlight/2008.1/ReferenceApplications/Pomegranate%20-%20Configuration%20Document.pdf

Alrighty, let’s get started. Once the PDF is open, scroll down to page 10.

1) Get to step one. WTF?!?! Cmon Infragistics, you want *manual* web.config modifications? LAME. That can take forever to complete on a staging farm, and is subject to substantial human error. I mean come on; the SPWebConfigModification class exists for a reason and there are all sorts of receivers.
- Moving right along, reference point 1 for the custom configuration sections instances. Are people really supposed to copy and paste that shit?
- Manual safe control entries. HA! I like that one. No note needed on that sweetness.
- Manual CAS adjustments make me want to cry. Seriously, as someone that takes code security critically, I want to shove a pen in my eye to damn the tears up like a Bic beaver.
- Again, the session state stuff? See above.
- Could go on with the rest of em, but you get the point…
2) Creating folders at the root of the site can be automated, that’s why we have SPWebApplication, etc. objects. You can even do your permission requirements as well.
3) You want people to copy things into the 12 hive. Is there a point to that? I mean, it is breaking the fundamental principle of SharePoint Solution architecture. That's one of the reasons WE HAVE SOLUTIONS.
4) Uploading a master page can be automated since the Master Page Gallery upload is the same as any document library. Sigh.
5) As opposed to packing .webpart or .dwp files, you are asking people to new them up out of the gallery. The extent of that laziness is immeasurable in words.
6) Well, I guess back to the 12 hive thing, again, manual Theme deployment. Word.
7) After I saw SPD, I threw up a little bit in my mouth and stopped reading.

I am not bagging on the controls, but FFS, if you are going to build a sample solution, MAKE IT EASY AND QUICK TO DEPLOY. I don’t want to spend a fucking afternoon trying to get some pie charts and random data grids into a demo site.

Share This

Recommend This Post

Often times it is required to get a reference to the SPList that contains the site directory information, this is an important task when you are considering construction of navigation solutions or when building holistic reporting tools in order to support governance of site sprawl (which is easy to have happen, but sure is a PITA to get cleaned up!). In order to do this, you will use the Microsoft.SharePoint.SPListTemplateType enumeration to specify the type of a list definition or a list template, in this case the value 300 leveraging a direct cast. For example, a simple method to hydrate the coordinating SPList object can be done as such:

Easy as pie!

Share This

Recommend This Post

Role assignments can be exposed ala ISecurableObject and pretty much everything, in order to support Securable Objects (for item level security,etc.), is an ISecurableObject in SharePoint 2007. So, to begin with, we are going to use ISecurableObject to get assignments in combination with a SPPrincipal (representing a user or group)  via the GetAssignmentByPrincipal method available off a RoleAssignments collection (it doesn't even require casting!).

Following, a new SPRoleAssignment object is hydrated based on the SPPrincipal object, and that SPRoleAssignment object has a RoleDefinitionBindings collection that exposes the Remove method. Therefore, if you had an array or typed collection of SPRoleDefinitions you wanted to iterate, you could do something like (of course after testing whether the SPRoleAssignment object created is not null):

Gone!

Share This

Recommend This Post

I will be presenting the keynote and a breakout session at Techfuse (NOT TechEd) on Tuesday, March 17, 2009 in Brooklyn Park, MN.

My keynote sessions synopsis is (taking into account I despise esoteric keynotes that are full of marketing, I choose a more pragmatic path )

Title:

Building a Commissionable, Development Aware Virtualized SharePoint Environment

Summary:

Constructing a commissionable collaboration environment that lessens friction for at-will server provisioning is commonly one of the most time-consuming tasks when designing a SharePoint environment targeting flexibility however controlling proliferation. There are certain components required from both a development and architectural perspective; operating systems, applications, service packs, and updates being a few examples. Reproducing these environments on a repetitive piece-meal basis can be attributed to one of the most inefficient processes in an organization, frustrating for both the operations and development departments.

There are several compelling reasons for an organization to virtualize a SharePoint environment. From a cost perspective the immediate benefit of a reduced hardware footprint coupled with lessened physical space requirements, arguably these are the most visible. Furthermore, management and maintenance of the virtualized SharePoint environment is eased, allowing service levels to increase since servers can be provisioned for everything from implementing redundancy to providing siloed testing environments for component testing.

Microsoft System Center Virtual Machine Manager (VMM) 2008 out of the System Center Server Management Suite provides a powerful virtualization scheme (utilizing hypervisor-based virtualization) allowing a commission and decommissioning architecture that, when coupled with SharePoint, provides redundant operations architecture and adaptable development environments to properly support an SDLC. As opposed to scaling tasks that normally takes weeks, VMM allows SharePoint architects to provide a robust solution set to tackle time consuming tasks in a fraction of the time.

The first portion of this session will demonstrate building virtualized SharePoint environment following down to the metal best practices. The preliminary design will be in accordance with simple small farm architecture. Scenario based implementations will follow to demonstrate the introduction of new servers into the environment, along with the benchmarks advised in order to govern the provisioning procedures. From an operations standpoint, this should equip the audience with enough information in order to start to build self-sustaining performance metrics and the associate required actions in order to maintain desirable operational service levels.

The second portion of this session will describe best practices approaches to provide organizational developers with an appropriate development environment that follows a prescribed lifecycle. While the operational component will heavily focus on roles, utilizations, and responses, the development end will focus on maintain a structured SharePoint development process. The preliminary design will demonstrate single instance virtualized development sandboxes, with integrated a conflict reduction architecture pushing to a centralized build machine (for build and testing before sending to QA) leveraging Team Foundation Server.  Using build events, a structured process will also be demonstrated in order to examine how to automate orthodox build pushes, tackling a majority of deployment scenarios. This should equip both the operations and development audience measures with an agreeable approach that eases both parties rhythmic daily tasks.

For my breakout session I will be presenting on SharePoint security froom both an architectural as well as development perspective.

You can find out more about TechFuse here, and it will be hosted at The Northland Inn in Brooklyn Park:

Share This

Recommend This Post