Wednesday, May 14, 2008

How to Fix Security Validation Errors in a SharePoint ASP.NET Page

Problem: I got "The security validation for this page is invalid" when submitting a web form.

For reasons of security, Microsoft Windows SharePoint Services by default does not allow you to make posts from a Web application to modify the contents of the database unless you include security validation on the page making the request. Two kinds of security validation can be used, depending on whether the code on the page applies globally to a virtual server or Windows SharePoint Services deployment, or to a single site or site collection within the deployment.

Security Validation Type 1:

Updating data for a site or site collection. This takes two steps.

Step 1:

Add a page directive and a FormDigest control to the page making the request. The following directive registers the Microsoft.SharePoint.WebControls namespace:

<%@ Register Tagprefix="SharePoint" Namespace="Microsoft.SharePoint.WebControls"
Assembly="Microsoft.SharePoint, Version=11.0.0.0, Culture=neutral,
PublicKeyToken=71e9bce111e9429c" %>

Step 2:

Include a FormDigest control within the form as follows:

<form id="Form1" method="post" runat="server">
<SharePoint:FormDigest runat="server"/>
<asp:Button id="Button1" style="Z-INDEX: 101; LEFT: 282px; POSITION: absolute;
TOP: 282px" runat="server" Text="Button"></asp:Button>
</form>

Inserting this control on an ASPX page generates a security validation, or message digest, to help prevent the type of attack wherein a user is tricked into posting data to the server without knowing it. The security validation is specific to a user, site, and time period and expires after a configurable amount of time. When the user requests a page, the server returns the page with security validation inserted. When the user then submits the form, the server verifies that the security validation has not changed. For more information about this control, see the FormDigest class.
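
The digest behaviour described above (a value bound to a user, a site and a time window, re-checked on submit), modelled as an added example; it is not SharePoint's implementation and not code from the original post. The DigestModel class, its methods, the token layout and all sample values are assumptions made for illustration.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;

// Hypothetical model, not a SharePoint API. Assumed token: "<UTC ticks>,<HMAC-SHA256 hex>".
public static class DigestModel
{
    public static string Issue(byte[] key, string user, string site, DateTime issuedUtc)
    {
        string ticks = issuedUtc.Ticks.ToString(CultureInfo.InvariantCulture);
        return ticks + "," + Mac(key, user, site, ticks);
    }
    public static bool Validate(byte[] key, string user, string site,
                                string token, DateTime nowUtc, TimeSpan lifetime)
    {
        string[] parts = (token ?? "").Split(',');
        long ticks;
        if (parts.Length != 2 || !long.TryParse(parts[0], NumberStyles.None,
                CultureInfo.InvariantCulture, out ticks) || ticks > DateTime.MaxValue.Ticks)
            return false;
        // Recompute for the current user and site; any other binding fails to match.
        if (!SameText(Mac(key, user, site, parts[0]), parts[1])) return false;
        TimeSpan age = nowUtc - new DateTime(ticks, DateTimeKind.Utc);
        return age >= TimeSpan.Zero && age <= lifetime; // reject expired or future-dated
    }
    static string Mac(byte[] key, string user, string site, string ticks)
    {
        // Length-prefix the fields so ("ab","c") and ("a","bc") cannot collide.
        string msg = user.Length + ":" + user + site.Length + ":" + site + ticks;
        using (HMACSHA256 h = new HMACSHA256(key))
            return BitConverter.ToString(h.ComputeHash(Encoding.UTF8.GetBytes(msg)));
    }
    static bool SameText(string a, string b) // compares without an early exit
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    public static void Main() // all values below are constructed samples
    {
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key");
        DateTime t0 = new DateTime(2008, 5, 14, 9, 0, 0, DateTimeKind.Utc);
        string d = Issue(key, "alice", "/sites/hr", t0);
        TimeSpan life = TimeSpan.FromMinutes(30);
        Console.WriteLine(Validate(key, "alice", "/sites/hr", d, t0.AddMinutes(5), life));
        Console.WriteLine(Validate(key, "bob", "/sites/hr", d, t0.AddMinutes(5), life));
        Console.WriteLine(Validate(key, "alice", "/sites/hr", d, t0.AddMinutes(45), life));
    }
}
```

Only the first call in Main validates: the second presents the digest as a different user, and the third presents it after the 30-minute lifetime has passed.
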

Security Validation Type 2:

Updating global data

Web applications that use methods of the Microsoft.SharePoint.Administration namespace, such as for creating or deleting sites and for global administrative customizations, require a different security validation. Add the following code to the .vb or .cs file in an application:

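// Global administration object that exposes the administrative form digest.
SPGlobalAdmin globalAdmin = new SPGlobalAdmin();
// Mark the request as coming through the administrative port.
Context.Items[SPGlobalAdmin.RequestFromAdminPort] = true;
// Emit the digest on the page as the __REQUESTDIGEST hidden field.
Page.RegisterHiddenField("__REQUESTDIGEST", globalAdmin.AdminFormDigest);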

This security validation uses the AdminFormDigest property of the SPGlobalAdmin class to insert a message digest on the page in the browser, registering the digest as a hidden field through the RegisterHiddenField method of the System.Web.UI.Page class. In addition, the RequestFromAdminPort field specifies that the context of the request is through the administrative port.
