Search This Blog

Wednesday 4 April 2012

QueryString Encryption in SharePoint 2010

Recently I had a situation to use encryption in query string in SharePoint2010
SharePoint does not have any default option for this feature.

Basically encrypting query string is a good and recommended practice for all web development. Its only give high security to the application.

In my scenario I have often used query strings to carry information around # of pages in my site. If the query string is readable, then its easy to memories and possible to play around that. That can be used by hackers to do identity theft or other unpleasant things.

Consider the URL example.com/?user=123&account=456 and then imaging what a hacker could do with it. Security or not, sometimes you just don’t want the visitors to see all the query strings for whatever reason.

In those cases it would be nice if we could encrypt the entire query string so it wouldn’t carry any readable information.

In my project I had a situation to pass an application ID as querystring,





Look the above snapshot, where there query string is readable (JobAidID=24). So anybody can easily memories and possible to misuse this. So I need to encrypt the query string for safe and to avoid the misuse.

where i have gone with .net Security.Cryptography for this encryption. I have created a class called EncryptionEngine and designed two methods (1.Encrypt 2.Decrypt)


I used tripleDEScryptographic service provider with ECB (Electronic Code Book).
ECB:
The ECB mode encrypts each block individually. This means that any block of the plain text that are identical and in the same message or even in a different message but encrypted with the same key, will be transformed into identical cipher text blocks. If the plain text to be encrypted contains substantial repetition, it is feasible for the cipher text to be broken one block at a time. Also it is possible for an active adversary to substitute and exchange individual blocks without detection. If a single bit of the cipher text block is mangled, the entire corresponding plain text block will be mangled.


Well, as you can see, the decryption method is just kind of opposite of the encryption. I talked about the Cipher Mode ECB in the encrypt section. Now let's talk about the padding mode PKCS7. Padding comes when a message data block is shorter than full number of bytes needed for a cryptographic operation. Why did we choose PCKS7. This is because PCKS#7 padding string consists of a sequence of bytes, each of which equal the total number of padding bytes added.
Upto this its look like a .Net application encryption, now i am going to refer this in my SharePoint2010 development.

I completed this encryption class and make a dll to make use the encryption for future projects.
In my previous post i have discussed how to refer external dll in sharepoint2010 webpart. Just go through it from

http://sharepointwings.blogspot.in/2012/04/use-external-dll-in-sharepoint2010.html

After adding the external dll(Encryption dll) in my application i refer the Encrypt method from my application as follows


where i have passed two parameters, first one is the querystring value and second one is for define whether wanna use hashing or not

In the other hand of the page i have to handle the decrpt code to make use of the query string values, for this i refer the Decrypt method from my application as follows.













In this i have used string array to get the values out of the query string. you can also use your own methodology for this.

Thats it, we have encrypted query string in SharePoint 2010 webpart. Now the encrypted string looks like




Cool................

It works now.

Tuesday 3 April 2012

Set default library for Images/Attahment uploading from RteUploaddialog

I have got a situation to define a specific document library for picture/file uploading through RichTextEditor(Multi line of text - Enhanced Rich Text).

where I have used the ListFieldIterator in my Application page for entering value to the List through RichTextEditor.

By default the sharepoint uses the RteUploadDialog.aspx for this. This default page looks like below snapshot


There is a dropdown, where user can select the the library in which they wanna upload the image or file. By default the dropdown shorted with ascending order and the first item is being selected.

But in my case i wanna hide this option from user view and set a specific doucment library for uploading. For this i have gone with following javascript

If you open RteUploadDialog.aspx in some editor, you will see already existing javascript code there, something like:

<script type="text/javascript">
function ULSXuo(){var o=new Object;o.ULSTeamName="Microsoft SharePoint Foundation";
o.ULSFileName="RteUploadDialog.aspx";return o;}
...
SetFocus();
</script>

It already have a variable listDD that references library dropdown. You should change it to:

<script type="text/javascript">
function ULSXuo(){var o=new Object;o.ULSTeamName="Microsoft SharePoint Foundation";
o.ULSFileName="RteUploadDialog.aspx";return o;}
...
SetFocus();

 
// Default upload library - Manikandan Jaguva Rajaram

var defaultLibraryName = "HFSite Assets";

var i = 0;
while (listDD.options[i].text != defaultLibraryName && i < listDD.options.length)
{
 i++;
}
if (i < listDD.options.length)
{ 
 listDD.selectedIndex = i;
}
</script>

Just change the variable defaultLibraryName to the library you want to select and this code should do the trick. In my case I have selected "HFSite Assets".

To hide the dropdown from user view, i have i have change the display:none in the style of the respective table row.






Now I have achieved my requirement, the default library for the uploading picture/file is "HFSite Assets" and user can not view and modify the library. The new RteUploadingDialog now looks like






Monday 2 April 2012

Use External DLL in SharePoint2010 Webpart

In this post I am going to explain how to use External DLL in SharePoint2010 Webpart

Approach 1

With your SP 2010 project open in VS 2010, double click on package.package from solution explorer.





   


You will see the package designer window getting opened. At the bottom of this screen you will see three editor switches. we have to switch to “Advanced” mode to add additional dlls. 
Click on that gray looking button that says “Advanced”

Then the Advanced mode will come up with 3 buttons, looks like the below snapshot






Initially the screen will be empty as there are no additional dlls defined. Let’s add some.

Click Add, and you will be prompted to selected external dll or dll from one of the opened Project
output. For external dll select “Add existing Assembly”.









Then it will bring you to "Add Existing Assembly wizard"





















Where you need to enter the information about the external dll, deployment target(GAC / WebApplication) and Safe Control entry for web.config. If require you can add resources.




















Click ok and that’s it. Just repackage your WSP by right clicking on the project and click package, and you will see that the resulting wsp will contain these external dlls automatically.

Verification:

Once finish these things, we can verify whether we have done these correctly by checking Safe Control entry in web.config file and pkg folder.










 In the solution package (debug/Release based on the solution configuration) you can see the external dll

In web.config you get an entry which you have entered in "Add Existing Assembly wizard"



Note: In this approach you should have strong key name for the external dll.

Approach 2:

There is another very good approach which is mentioned below in steps. That is to deploy the dll directly to the site bin folder. Here are the steps to accomplish:
1. Set Output path of the projects (Project in which you are keeping webpart control classes) to the site bin folder. You can find the path by navigating to C:\Inetpub\wwwroot\virtual directory\port number\bin

2. Build the solution and make sure it is compiling successfully.

3. Add a safe control entry to the web config file. Do not mention public key token. Do not strong name the project.

4. That's it, your code is deployed in the site's bin directory and its information is located in the config file. Go Ahead and populate the web part gallery with the web part and add it to a page.

Advantages:

1. Biggest advantage is the fact that you do not have to reset iis after every compilation of code.

2. You can directly copy the dll from the other bin folders to this as and when required.

DisAdvantage

1. As you are deploying code to the bin folder of particular site, it will not be available globally. That means you will need to add the dll to every site's bin folder.