Securing Application Pages in SharePoint 2007
Anonymous security in SharePoint 2007 is more of an art than an exact science, it seems. Although drastically improved from 2003, there are still some gaps in the security model which need to be plugged (and some that need to be opened) for public-facing SharePoint sites. One of the most glaring examples is the List View application page (12\TEMPLATE\LAYOUTS\viewlsts.aspx) which is accessible by every user with read permissions. While not technically a security risk – there isn’t much a user can do from this page without sufficient access rights – it may expose more information to anonymous users than is acceptable.
To work around this issue, add code to the individual application page(s) to check if the user is authenticated and, if not, redirect the user to the Access Denied page. Insert the following script at the top of the page (before or after the page declarations and registrations):
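<script runat="server">
protected void Page_PreInit(object sender, EventArgs e)
{
    try
    {
        // CurrentUser is null for an anonymous request, so reading
        // LoginName throws and control passes to the catch block.
        string sUserName = SPContext.Current.Web.CurrentUser.LoginName;
    }
    catch
    {
        // Not authenticated: send the user to the Access Denied page.
        this.Response.Redirect("/_layouts/accessdenied.aspx");
    }
}
</script>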
The above code attempts to assign the user's login name to a string variable. If the operation fails, which it will if the user is not authenticated, the catch statement redirects the user to the default access denied page. Once the code is placed on a page in the /_layouts directory, that page will effectively be hidden from anonymous users.
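A variant of the same check, added here as an example and not part of the original post: it tests for the anonymous case explicitly instead of relying on a catch-all exception handler, and resolves the Access Denied page relative to the current web's _layouts folder rather than the server root. Type names are fully qualified so the block does not depend on which Import directives the page already declares.

```csharp
<script runat="server">
// Added example: explicit anonymous check for an application page.
protected void Page_PreInit(object sender, EventArgs e)
{
    Microsoft.SharePoint.SPWeb web = Microsoft.SharePoint.SPContext.Current.Web;

    // Request.IsAuthenticated is false and SPWeb.CurrentUser is null
    // when the request is anonymous. Testing both avoids swallowing
    // unrelated exceptions the way an empty catch block does.
    if (!Request.IsAuthenticated || web.CurrentUser == null)
    {
        // RelativeToLayoutsPage builds the URL under the current web's
        // _layouts folder, so the redirect stays inside the site the
        // user was browsing. Redirect ends the response by default.
        Microsoft.SharePoint.Utilities.SPUtility.Redirect(
            "accessdenied.aspx",
            Microsoft.SharePoint.Utilities.SPRedirectFlags.RelativeToLayoutsPage,
            Context);
    }
}
</script>
```

Files under 12\TEMPLATE\LAYOUTS are shared by every web application on the server and can be replaced by service packs, so keep a copy of any page modified this way and recheck it after patching.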
This site doesn't work well in Firefox. Please fix. All headings pile up on top of each other at top of page.
Howdy,
I couldn't get it to work.
I tried adding it to the master pages, and received an error saying no blocks allowed,
and I didn't see an area to add it to the actual .aspx from within SharePoint Designer.
Look at http://community.bamboosolutions.com/blogs/bambooteamblog/archive/2008/10/15/secure-a-sharepoint-application-page.aspx for more information about securing SharePoint Application pages.