SharePoint 2010 includes a secure isolated environment for user deployable Web solution packages—the user code sandbox. To deploy a sandbox solution, a user (usually the site owner), uploads a WSP to a special library that is part of every SharePoint 2010 site named the solution gallery. Once added to the solution gallery, the site owner can activate the solution by clicking a button on the ribbon.
The sandbox makes it easy to create code that runs on a SharePoint server as Web Parts, pages, and event handlers. Code in the sandbox runs under a restricted set of privileges out of process from the web application in a monitored host process called the Windows SharePoint Services User Code Host Service.
The SharePoint object model includes facilities to allow communication between the main worker process and the user code host. The SPUserCodeWebPart Web Part is one of these facilities. SPUserCodeWebPart provides the ability to host controls running in the sandbox on a page running in the main worker process.
In addition to a reduced set of privileges, the sandbox also provides a limited and safe subset of the SharePoint object model. This prevents sandbox code from making any changes outside the current site and from executing with explicit elevation of privileges via the SPSecurity namespace.
Why Use Sandbox?
The sandbox environment gives farm operators the ability to enable customization for users without providing administrative access to the farm. This power comes with a number of safeguards to protect the overall stability and security of the farm.
The sandbox protects the farm from poorly written or malicious code. This includes protection from:
- Unhandled exceptions
- Processor intensive operations
- Unauthorized manipulation of web application and farm infrastructure
- Elevation of privilege
SharePoint Central Administration and the solution gallery both provide visibility to farm administrators of solution health and resource needs. Administrators can define quotas to block defective solutions and have the ability to manually block execution of specific solutions for any reason.
How the Sandbox Works
The Windows SharePoint Services User Code Host Service provides a partial trust AppDomain to host sandboxed processes. The service consists of three parts:
SPUCHostService manages one or more SPUCWorkerProcess via SPUCWorkerProcessProxy. This architecture makes it possible to scale the user code sandbox across multiple servers in the farm. Solutions in the sandbox use a special version of Microsoft.SharePoint.dll located in the UserCode\Assemblies folder in the SharePoint root.
The host service also allows configuration of server affinity—you can specify that sandbox code runs on the same machine as a request or that requests to run sandboxed code are run on available servers with the Sandboxed Code Service. Regardless of the configuration the host service runs sandbox code within SPUCWorkerProcess.exe. SPUCWorkerProcess.exe is the process to which you attach the debugger to debug sandbox code.
This post is an excerpt from the online courseware for our Microsoft SharePoint 2010 for Developers course written by expert Doug Ware.
Doug Ware is a SharePoint expert and an instructor for many of our SharePoint 2007 and SharePoint 2010 courses. A Microsoft MVP several times over, Doug is the leader of the Atlanta .NET User Group, one of the largest user groups in the Southeast U.S., and is a frequent speaker at code camps and other events. In addition to teaching and writing about SharePoint, Doug stays active as a consultant and has helped numerous organizations implement and customize SharePoint.