Logo 
Search:

Sharepoint Forum

Ask Question   UnAnswered
Home » Forum » Sharepoint       RSS Feeds

Webpart SPListItem.update() and impersonation

  Asked By: Stephanie    Date: May 01    Category: Sharepoint    Views: 3671

I have a webpart that need to read a SPList item and
update the information.

With the developer account that have a full access of
the computer server and SharePoint server, I have no
problem running the webpart.

I need to do impersonation in the code for someone
else to use the webpart. After impersonation, my
webpart has no problem to Log (write to the server
Event log) and read SPListItem.

However, even with impersonation and security
level="Full", when I try to do SPListItem.update(), an
exception occurs:

SPException: "The security validation for this page is
invalid. Click Back in your Web browser, refresh the
page, and try your operation again." at
Class: Microsoft.SharePoint
Method: Void a(System.String, System.String, Boolean,
Int32 ByRef, System.String ByRef, System.String,
System.Object ByRef, System.Object ByRef)

Stack Trace:
at Microsoft.SharePoint.Library.a.a(String A_0,
String A_1, Boolean A_2, Int32& A_3, String& A_4,
String A_5, Object& A_6, Object& A_7)
at Microsoft.SharePoint.SPListItem.Update()
at
TestWebPart.TestWebPart.btnSaveChanges_Click(Object
sender, EventArgs e)

Caused by: COMException: "The security validation
for this page is invalid. Click Back in your Web
browser, refresh the page, and try your operation
again." at
Class:
Method: Void AddOrUpdateItem(System.String,
System.String, Boolean, Int32 ByRef, System.String
ByRef, System.String, System.Object ByRef,
System.Object ByRef)

Stack Trace:
at
Microsoft.SharePoint.Library.SPRequestInternalClass.AddOrUpdateItem(String
bstrUrl, String bstrListName, Boolean bAdd, Int32&
plID, String& pbstrGuid, String bstrVersion, Object&
pvarAttachmentNames, Object& pvarAttachmentContents)
at Microsoft.SharePoint.Library.a.a(String A_0,
String A_1, Boolean A_2, Int32& A_3, String& A_4,
String A_5, Object& A_6, Object& A_7)

Does anyone have any idea? What step I've missed? BTW,
I am using Jay Nathan's Impersonator class as in
http://www.15seconds.com/issue/040511.htm. This works
fine to overcome two security roadblocks: Logger to
write into computer server event viewer; and reading
the SPListItem from the SharePoint portal. It just
doesn't work for SPListItem.update().

Share: 

 

4 Answers Found

 
Answer #1    Answered By: Emmett Hyde     Answered On: May 01

There is one more piece to the puzzle:

"The limiting factor is the fact the OM always looks at the original identity of the http context. If you can step  outside of that context, the OM will operate in a "normal" console-like fashion. It will be forced to use identity of the thread, rather than attempting to fallback to the identity of the http context." www.bluedoglimited.com/.../ViewPost.aspx?ID=7

There is a follow-up article at www.bluedoglimited.com/.../ViewPost.aspx?ID=198.

Using this technique, I was able to write  a web page  that resets a user's password, so it certainly works.

 
Answer #2    Answered By: Michelle White     Answered On: May 01

It looks like the technique would solve my problem. I
will take sometime to digest the information.

 
Answer #3    Answered By: Gopal Jamakhandi     Answered On: May 01

The problem  stems from the four app domains that WSS creates when a page
is first requested. As I recall (I don't have Internet access  right now)
Maurice does a good explaining how to use your own app domain to obtain
a new security  context.

While that works, it is a more complex solution than is often needed. If
you combine the security techniques that I explained in my SharePoint
Advisor article, "Credentialess Impersonation", with impersonating the
System user using a null pointer which I describe on my blog (the post
was a few months back), you can achieve roughly the same effect. That
is, generating a security context that does not depend upon the original
identity of the HTTP context. You simply drop back  to the app pool
identity (stop impersonating the current user) and then impersonate the
System user.

Please ask follow up questions if that isn't sufficient detail.

 
Answer #4    Answered By: Jaime Weaver     Answered On: May 01

Updating SharePoint is protected in many ways. Beyond user and code
access security, at least two things must be true for SharePoint to
allow data in its database to be updated. First, updates are only
allowed from pages that POST to the Web server. Second, the Web Part
page must include a RequestDigest (if I remember correctly). These are
required to help prevent one click  attacks. Optionally, you can set the
SPSite or SPWeb object  AllowUnsafeUpdates property to true.

 
Didn't find what you were looking for? Find more on Webpart SPListItem.update() and impersonation Or get search suggestion and latest updates.