SharePoint Security without the Browser
Ask most people what Microsoft Office SharePoint 2007 looks like and they’ll describe a web application, used via the browser. They’ll probably also say the web pages are all blue and white. Let’s banish that myth straight away: SharePoint uses ASP.NET 2.0 master pages, .aspx pages, and server controls, all using CSS classes. You can customise and/or replace all of these things so your SharePoint application can look however you want it to. But, even more radically, you don’t have to use a browser at all.
At its core, SharePoint has a storage engine. It uses a SQL Server database to store all kinds of content that users create. You’re all aware of the version-control mechanism that SharePoint provides over documents, for example, but really it can store any kind of content that you want. Most people use the browser to access the storage engine, but when you install SharePoint you don’t just get those familiar web forms; you also get an extensive set of web services. This enables rich client applications, or other web services, to access SharePoint directly.
In the rest of this short article I’ll feature those web services that are related to security, but bear in mind that services are available to let you work with SharePoint in all kinds of ways. All the services are listed on MSDN.
The web services exposed by SharePoint are ASP.NET SOAP services, but they do not use any of the WS-* specifications, so don’t expect to use WS-Security, for example. Since the services are hosted by IIS, you’ll authenticate using whatever scheme IIS is configured to use, such as Windows authentication. However, SharePoint supports other authentication schemes, such as ASP.NET Forms Authentication and Windows Live ID, which use cookies to gain access. For forms authentication you can use a web service called Authentication.asmx; it has a Login method to which you can supply credentials, and it sets an HTTP cookie to allow access to other services via Forms Authentication.
All of the SharePoint web services are found at a URL that looks like this...
http://<server>/_vti_bin/<service>.asmx
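As an added illustration (not code from the original article), this Python sketch builds the SOAP request for the Login method of Authentication.asmx at the URL pattern above and reads the LoginResult that comes back. The host name, credentials and sample response are constructed, and refusing plain HTTP is this example's own choice, made because Login carries the password in the request body.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SP_NS = "http://schemas.microsoft.com/sharepoint/soap/"

def build_login_request(site_url, username, password):
    """Return (url, headers, body) for the Login call on Authentication.asmx."""
    # The password travels in the SOAP body, so this example refuses plain HTTP.
    if urlsplit(site_url).scheme != "https":
        raise ValueError("Login must be sent over HTTPS")
    envelope = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(envelope, f"{{{SOAP_NS}}}Body")
    login = ET.SubElement(body, f"{{{SP_NS}}}Login")
    # ElementTree escapes the values, so markup inside a credential stays text.
    ET.SubElement(login, f"{{{SP_NS}}}username").text = username
    ET.SubElement(login, f"{{{SP_NS}}}password").text = password
    headers = {"Content-Type": "text/xml; charset=utf-8",
               "SOAPAction": f'"{SP_NS}Login"'}
    url = site_url.rstrip("/") + "/_vti_bin/Authentication.asmx"
    return url, headers, ET.tostring(envelope, encoding="utf-8")

def parse_login_result(response_xml):
    """Return (cookie_name, timeout_seconds); raise if the login was refused."""
    result = ET.fromstring(response_xml).find(f".//{{{SP_NS}}}LoginResult")
    if result is None:
        raise ValueError("no LoginResult element in response")
    fields = {child.tag.split("}")[1]: (child.text or "") for child in result}
    if fields.get("ErrorCode") != "NoError":
        raise PermissionError(f"login refused: {fields.get('ErrorCode')}")
    return fields["CookieName"], int(fields["TimeoutSeconds"])

# Constructed sample response (not captured from a real server).
SAMPLE_RESPONSE = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <LoginResponse xmlns="http://schemas.microsoft.com/sharepoint/soap/">
      <LoginResult>
        <CookieName>.ASPXAUTH</CookieName>
        <ErrorCode>NoError</ErrorCode>
        <TimeoutSeconds>1800</TimeoutSeconds>
      </LoginResult>
    </LoginResponse>
  </soap:Body>
</soap:Envelope>"""

if __name__ == "__main__":
    url, headers, body = build_login_request("https://sharepoint.example", "alice", "p<&>w")
    print(url, headers["SOAPAction"], parse_login_result(SAMPLE_RESPONSE))
```

The forms-authentication cookie itself arrives in the Set-Cookie header of the real HTTP response; CookieName tells the client which cookie to carry on later calls to the other services.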
The next interesting service is called People.asmx. This one allows you to resolve principal names against whatever authentication provider SharePoint is using, and also to search SharePoint for specific principals by name. This is great for those text boxes where you allow the user to enter a username, but you want to check it against SharePoint to make sure it’s a valid user.
UserGroup.asmx provides operations to manage cross-site groups in SharePoint, as well as roles (which are like groups, but only exist inside a site). You can create them, delete them, add and remove users, etc.
Permissions.asmx allows you to assign access rights for specific principals (user, group or role) against specific resources (list or site), using the fine-grained rights defined by SharePoint in the SPBasePermissions enumeration.
That was a very quick overview of the security-related services exposed by SharePoint. For more detail, please see my blog entry.
Martin Parry
Read Martin's blog here