SharePoint: How to change the expiration time of the FedAuth cookie

July 2nd, 2013 No comments

    Working on a SharePoint application with Forms Based Authentication (FBA) configured, I was asked to reduce the expiration time of the FedAuth cookie. The default expiration time is 10 hours, which is too long for applications holding sensitive data. I'd like to limit it to 20 minutes.

As is known, the Security Token Service (STS) takes part in SharePoint authentication by issuing, managing and validating security tokens. When authentication is initiated, the login and password are passed to the STS, which validates them, generates a security token and passes it back to SharePoint. SharePoint then creates a FedAuth cookie based on the issued token and adds it to the Response. Once sent to the client, the cookie is stored by the browser, and every subsequent request to the site carries it until it expires. SharePoint reads the cookie from each request and grants access to the content without re-authentication.

The default expiration time is the FormsTokenLifetime setting of the Security Token Service. It can be changed with PowerShell; note that the parameter takes a TimeSpan, not a plain number of minutes:

Set-SPSecurityTokenServiceConfig -FormsTokenLifetime (New-TimeSpan -Minutes 20)

That's well described elsewhere. Note, however, that the setting affects the whole SharePoint farm, so FedAuth cookies issued for other web applications get the same expiration time. From that point of view, the solution isn't acceptable for me.

Fortunately, I found an alternative way to change the expiration time so that it affects a particular application only. The solution turned out to be quite easy and straightforward. In the code-behind of the custom login page, after the user is authenticated, we can get at the cookie placed in the Response object and set another expiration time on it. So, in my case I have the following code in the custom login page:

using System;
using System.Web;
using System.Web.UI.WebControls;
using Microsoft.SharePoint.IdentityModel.Pages;
using Microsoft.SharePoint.Utilities;

public partial class CustomLoginPage : FormsSignInPage
{
	...

	protected override void OnInit(EventArgs e)
	{
		base.OnInit(e);
		
		// subscribe to the Authenticate event of the asp:Login control
		signInControl.Authenticate += SignInControlOnAuthenticate;
	}

	private void SignInControlOnAuthenticate(object sender, AuthenticateEventArgs authenticateEventArgs)
	{
		// authenticate the user against the STS; on success SharePoint adds the FedAuth cookie to the Response
		bool isAuthenticated = SPClaimsUtility.AuthenticateFormsUser(Context.Request.Url, signInControl.UserName, signInControl.Password);
		if (isAuthenticated)
		{
			authenticateEventArgs.Authenticated = true;

			// forcibly change the expiration time of the FedAuth cookie.
			// Look it up by name rather than by position (the cookie is not guaranteed to be the first one),
			// and only when it is really present: indexing Response.Cookies by a missing name creates an empty cookie.
			if (Array.IndexOf(Response.Cookies.AllKeys, "FedAuth") >= 0)
			{
				HttpCookie cookie = Response.Cookies["FedAuth"];
				cookie.Expires    = DateTime.UtcNow.AddMinutes(20);
			}
			
			// redirect the user somewhere
			SPUtility.Redirect("some other url", SPRedirectFlags.Default, Context);
		}
	}
}

In the code above I set the cookie's lifetime to 20 minutes. You can use the same code to increase or decrease the default expiration time, but be clear about what it does: the Expires attribute only tells the browser when to discard the cookie. The security token carried by the cookie keeps the validity period the STS stamped into it (FormsTokenLifetime, 10 hours by default), so a FedAuth cookie copied out of the browser, a proxy log or a network capture is still accepted by the server for the full token lifetime; only the farm-wide STS setting shortens that. Conversely, extending the browser-side expiration past the token lifetime gains nothing, because SharePoint rejects the expired token and requires re-authentication.

If you don't use a custom login page, I believe (but didn't test) it's possible to achieve the same with an HttpModule that handles the EndRequest event fired by the HttpApplication object.
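As an added example that is not part of the original post (and untested, like the HttpModule idea above), here is what such a module could look like. It assumes the module is registered in the web application's web.config, that the cookie carries SharePoint's default name FedAuth, and that 20 minutes is the wanted lifetime; the class and assembly names are mine.

```csharp
// Added example, not from the original post: an HttpModule that applies a
// browser-side lifetime to the FedAuth cookie for one web application only.
// Assumed registration (IIS integrated mode, assembly name is a placeholder):
//   <system.webServer><modules>
//     <add name="FedAuthCookieLifetime"
//          type="dotNetFollower.FedAuthCookieLifetimeModule, dotNetFollower" />
//   </modules></system.webServer>
using System;
using System.Web;

namespace dotNetFollower
{
    public class FedAuthCookieLifetimeModule : IHttpModule
    {
        private const string FedAuthCookieName = "FedAuth";            // SharePoint's default cookie name
        private static readonly TimeSpan CookieLifetime = TimeSpan.FromMinutes(20); // assumed value

        public void Init(HttpApplication application)
        {
            // EndRequest runs after SharePoint's authentication modules have added the
            // cookie to the response and, unless the page flushed explicitly, before the
            // headers are written, so the cookie header can still be changed here.
            application.EndRequest += OnEndRequest;
        }

        private static void OnEndRequest(object sender, EventArgs e)
        {
            HttpApplication application = (HttpApplication)sender;
            HttpResponse response = application.Context.Response;

            // Only touch a cookie the response actually carries: indexing Response.Cookies
            // by a missing name would silently create an empty FedAuth cookie.
            if (Array.IndexOf(response.Cookies.AllKeys, FedAuthCookieName) < 0)
                return;

            HttpCookie fedAuth = response.Cookies[FedAuthCookieName];

            // An empty value means the cookie is being cleared (sign-out); leave its
            // already-past expiration alone instead of reviving it for 20 minutes.
            if (string.IsNullOrEmpty(fedAuth.Value))
                return;

            // Browser-side lifetime only; the token inside keeps the STS-issued validity.
            fedAuth.Expires = DateTime.UtcNow.Add(CookieLifetime);
        }

        public void Dispose()
        {
        }
    }
}
```

Because the module sees every response of the web application, the check on AllKeys matters: most responses carry no FedAuth cookie at all, and the name indexer on the Response cookie collection adds a cookie when it does not find one.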

SharePoint: SqlMembershipProvider – Get All Users In Role

June 30th, 2013 No comments

    In the SharePoint application I'm currently working on, I configured Forms Based Authentication (FBA) using the SqlMembershipProvider and SqlRoleProvider. While implementing some user management functionality, I ran into the lack of a method to get the users in a particular role in pages. SqlRoleProvider exposes the GetUsersInRole method, which returns only the names of the users in the passed role and doesn't support paging. The direct way is to get the user names and then fetch the corresponding users by calling the GetUser method of SqlMembershipProvider once per name. This results in a bunch of database requests: one to get the names of the users in the role and one more per user. In addition, we somehow have to implement the paging ourselves. The approach is acceptable, but let's try to reduce the requests to the database and borrow the paging logic from somewhere.

GetAllUsersInRole Stored Procedure

Interestingly, SqlMembershipProvider provides the GetAllUsers method, which does support paging. At the database level, every call to SqlRoleProvider.GetUsersInRole and SqlMembershipProvider.GetAllUsers ends up executing the stored procedures aspnet_UsersInRoles_GetUsersInRoles and aspnet_Membership_GetAllUsers respectively. So aspnet_UsersInRoles_GetUsersInRoles looks up the names of the users in a role, while aspnet_Membership_GetAllUsers returns users in pages. Let's combine the two and create another stored procedure that selects the users in a role and returns the requested page of the result. The SQL script below creates such a stored procedure; I named it aspnet_Membership_GetAllUsersInRole. Note that the script must be executed against the membership database, aspnetdb in my case. Like the built-in procedures, it resolves the application and role through the Lowered* columns and pages with a temp table; all caller-supplied values arrive as parameters, so no dynamic SQL is involved.

USE [aspnetdb]
GO

SET ANSI_NULLS ON
GO

SET QUOTED_IDENTIFIER ON
GO

-- =============================================
-- Author:		.Net Follower
-- Description:	Returns users in role by portions
-- =============================================
CREATE PROCEDURE [dbo].[aspnet_Membership_GetAllUsersInRole]
    @ApplicationName       nvarchar(256),
    @PageIndex             int,
    @PageSize              int,
    @RoleName              nvarchar(256)
AS
BEGIN
    DECLARE @ApplicationId uniqueidentifier
    SELECT  @ApplicationId = NULL
    SELECT  @ApplicationId = ApplicationId FROM dbo.aspnet_Applications WHERE LOWER(@ApplicationName) = LoweredApplicationName
    IF (@ApplicationId IS NULL)
        RETURN 0

	DECLARE @RoleId uniqueidentifier
    SELECT  @RoleId = NULL

    SELECT  @RoleId = RoleId
    FROM    dbo.aspnet_Roles
    WHERE   LOWER(@RoleName) = LoweredRoleName AND ApplicationId = @ApplicationId

    IF (@RoleId IS NULL)
		RETURN 0

    -- Set the page bounds
    DECLARE @PageLowerBound int
    DECLARE @PageUpperBound int
    DECLARE @TotalRecords   int
    SET @PageLowerBound = @PageSize * @PageIndex
    SET @PageUpperBound = @PageSize - 1 + @PageLowerBound

    -- Create a temp table TO store the select results
    CREATE TABLE #PageIndexForUsers
    (
        IndexId int IDENTITY (0, 1) NOT NULL,
        UserId uniqueidentifier
    )

    -- Insert into our temp table
    INSERT INTO #PageIndexForUsers (UserId)
    SELECT u.UserId
    FROM   dbo.aspnet_Membership m, dbo.aspnet_Users u, dbo.aspnet_UsersInRoles ur
    WHERE  u.ApplicationId = @ApplicationId AND u.UserId = m.UserId AND 
		   u.UserId = ur.UserId AND @RoleId = ur.RoleId
    ORDER BY u.UserName

    SELECT @TotalRecords = @@ROWCOUNT

    SELECT u.UserName, m.Email, m.PasswordQuestion, m.Comment, m.IsApproved,
            m.CreateDate,
            m.LastLoginDate,
            u.LastActivityDate,
            m.LastPasswordChangedDate,
            u.UserId, m.IsLockedOut,
            m.LastLockoutDate
    FROM   dbo.aspnet_Membership m, dbo.aspnet_Users u, #PageIndexForUsers p
    WHERE  u.UserId = p.UserId AND u.UserId = m.UserId AND
           p.IndexId >= @PageLowerBound AND p.IndexId <= @PageUpperBound
    ORDER BY u.UserName
    RETURN @TotalRecords
END

Custom Membership Provider

Now let's extend our membership provider with a new method that calls aspnet_Membership_GetAllUsersInRole. I created a class SqlMembershipProviderEx, derived from SqlMembershipProvider and containing the target GetAllUsersInRole method. The class is shown below, but first a few remarks on the code:

  • I had to use Reflection to get the values of some important fields (the connection string to the database, for example), as Microsoft makes everything private or internal;
  • SqlMembershipProvider elevates privileges when opening the SqlConnection. Since the extended membership provider is going to be used in a SharePoint application, I did the same by means of SPSecurity.RunWithElevatedPrivileges. Note, however, that if you want to use the extended membership provider in a pure ASP.NET application you will need to deal with such internal (of course) classes as SqlConnectionHolder and ApplicationImpersonationContext through Reflection;
  • The code of the GetAllUsersInRole method is mainly based on GetAllUsers of the parent SqlMembershipProvider class.

using System;
using System.Data;
using System.Data.SqlClient;
using System.Reflection;
using System.Web.Security;
using Microsoft.SharePoint;

namespace dotNetFollower
{
    public class SqlMembershipProviderEx : SqlMembershipProvider
    {
        protected string _connectionString;
        protected int?   _sqlCommandTimeout;

        protected string ConnectionString
        {
            get 
            { 
                return _connectionString ?? 
                    (_connectionString = Convert.ToString(this.GetFieldValue("_sqlConnectionString"))); 
            }
        }

        protected int CommandTimeout
        {
            get
            {
                if (_sqlCommandTimeout == null)
                    _sqlCommandTimeout = Convert.ToInt32(this.GetFieldValue("_CommandTimeout"));
                return _sqlCommandTimeout.Value;
            }
        }

        public MembershipUserCollection GetAllUsersInRole(string role, int pageIndex, int pageSize, out int totalRecords)
        {
            if (pageIndex < 0)
                throw new ArgumentException("The pageIndex must be greater than or equal to zero.", "pageIndex");
            if (pageSize < 1)
                throw new ArgumentException("The pageSize must be greater than zero.", "pageSize");
            
            long num = ((pageIndex * pageSize) + pageSize) - 1;
            if (num > 0x7fffffff)
                throw new ArgumentException("The combination of pageIndex and pageSize cannot exceed the maximum value of System.Int32.", "pageIndex and pageSize");
            
            MembershipUserCollection users = new MembershipUserCollection();
            int recordsAmount = 0;

            DoInSqlConnectionContext(delegate(SqlConnection connection)
                {
                    //this.CheckSchemaVersion(connection.Connection);
                    using (SqlCommand command = new SqlCommand("dbo.aspnet_Membership_GetAllUsersInRole", connection))
                    {
                        SqlDataReader reader   = null;
                        SqlParameter parameter = new SqlParameter("@ReturnValue", SqlDbType.Int);
                        command.CommandTimeout = CommandTimeout;
                        command.CommandType    = CommandType.StoredProcedure;
                        // every caller-supplied value travels as a typed parameter, never concatenated into SQL
                        command.Parameters.Add(CreateInputParam("@ApplicationName", SqlDbType.NVarChar, ApplicationName));
                        command.Parameters.Add(CreateInputParam("@PageIndex", SqlDbType.Int, pageIndex));
                        command.Parameters.Add(CreateInputParam("@PageSize", SqlDbType.Int, pageSize));
                        command.Parameters.Add(CreateInputParam("@RoleName", SqlDbType.NVarChar, role));
                        parameter.Direction = ParameterDirection.ReturnValue;
                        command.Parameters.Add(parameter);
                        try
                        {
                            // columns must be read in the order the stored procedure selects them (SequentialAccess)
                            reader = command.ExecuteReader(CommandBehavior.SequentialAccess);
                            while (reader.Read())
                            {
                                string   userName                = GetNullableString(reader, 0);
                                string   email                   = GetNullableString(reader, 1);
                                string   passwordQuestion        = GetNullableString(reader, 2);
                                string   comment                 = GetNullableString(reader, 3);
                                bool     isApproved              = reader.GetBoolean(4);
                                DateTime creationDate            = reader.GetDateTime(5).ToLocalTime();
                                DateTime lastLoginDate           = reader.GetDateTime(6).ToLocalTime();
                                DateTime lastActivityDate        = reader.GetDateTime(7).ToLocalTime();
                                DateTime lastPasswordChangedDate = reader.GetDateTime(8).ToLocalTime();
                                Guid     providerUserKey         = reader.GetGuid(9);
                                bool     isLockedOut             = reader.GetBoolean(10);
                                DateTime lastLockoutDate         = reader.GetDateTime(11).ToLocalTime();
                                users.Add(new MembershipUser(Name, userName, providerUserKey, email, passwordQuestion,
                                                             comment, isApproved, isLockedOut, creationDate, lastLoginDate,
                                                             lastActivityDate, lastPasswordChangedDate, lastLockoutDate));
                            }
                        }
                        catch (Exception ex)
                        {
                            EventLogger.WriteError(ex);
                            throw;
                        }
                        finally
                        {
                            if (reader != null)
                                reader.Close();
                            // the return value (total number of users in the role) is only populated once the reader is closed
                            if (parameter.Value is int)
                                recordsAmount = (int)parameter.Value;
                        }
                    }
                });
            totalRecords = recordsAmount;
            return users;
        }

        protected void DoInSqlConnectionContext(Action<SqlConnection> action)
        {
            SqlConnection connection = null;
            try
            {
                connection = new SqlConnection(ConnectionString);
                SPSecurity.RunWithElevatedPrivileges(connection.Open);
                action(connection);
            }
            finally
            {
                if (connection != null)
                    connection.Close();
            }
        }

        protected SqlParameter CreateInputParam(string paramName, SqlDbType dbType, object objValue)
        {
            SqlParameter parameter = new SqlParameter(paramName, dbType);
            if (objValue == null)
            {
                parameter.IsNullable = true;
                parameter.Value      = DBNull.Value;
                return parameter;
            }
            parameter.Value = objValue;
            return parameter;
        }

        protected string GetNullableString(SqlDataReader reader, int col)
        {
            return !reader.IsDBNull(col) ? reader.GetString(col) : null;
        }
    }
}

Note that the EventLogger class is described in the post SharePoint: Simple Event Logger, while the GetFieldValue method is provided by the ReflectionHelper described in C#: How to set or get value of a private or internal field through the Reflection and C#: How to set or get value of a private or internal property through the Reflection.
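As an added example that is not part of the original post, here is how the extended provider is typically consumed from a SharePoint page or web part: the SQL provider is looked up by name (in a claims-based web application the default membership provider is SharePoint's own claims provider, so Membership.Provider is not the one we want), and the role is walked one page per database round-trip using the total count the stored procedure returns. The provider name "FBAMembershipProvider", the role name "Auditors" and the class name RoleMembersReader are assumptions of this example.

```csharp
// Added example, not from the original post: paging through all members of a role
// with SqlMembershipProviderEx. Assumes web.config registers the provider as
//   <add name="FBAMembershipProvider" type="dotNetFollower.SqlMembershipProviderEx, dotNetFollower" ... />
// and that "Auditors" is a role of the same ASP.NET application (both assumed names).
using System;
using System.Collections.Generic;
using System.Web.Security;

namespace dotNetFollower
{
    public static class RoleMembersReader
    {
        // Enumerates every user in roleName, fetching pageSize users per database round-trip.
        public static IEnumerable<MembershipUser> GetMembers(string providerName, string roleName, int pageSize)
        {
            // Look the SQL provider up by name: in a claims web application Membership.Provider
            // is SharePoint's claims provider ("i"), not the SqlMembershipProvider.
            SqlMembershipProviderEx provider = Membership.Providers[providerName] as SqlMembershipProviderEx;
            if (provider == null)
                throw new InvalidOperationException(
                    string.Format("Membership provider '{0}' is not a SqlMembershipProviderEx.", providerName));

            int pageIndex = 0;
            int totalRecords;
            do
            {
                // totalRecords is the stored procedure's return value: the number of users in the role,
                // or 0 when the role (or the application) is unknown, which ends the loop after one call.
                MembershipUserCollection page = provider.GetAllUsersInRole(roleName, pageIndex, pageSize, out totalRecords);
                foreach (MembershipUser user in page)
                    yield return user;
                pageIndex++;
            }
            while ((long)pageIndex * pageSize < totalRecords);
        }

        // Usage from a page: list the locked-out members of the assumed "Auditors" role.
        public static List<string> GetLockedOutAuditors()
        {
            List<string> lockedOut = new List<string>();
            foreach (MembershipUser user in GetMembers("FBAMembershipProvider", "Auditors", 50))
            {
                if (user.IsLockedOut)
                    lockedOut.Add(user.UserName);
            }
            return lockedOut;
        }
    }
}
```

The loop relies on the return value rather than on an empty page to stop, so a role whose member count is an exact multiple of pageSize does not cost an extra empty round-trip.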

The latest version of SqlMembershipProviderEx, along with all the additional classes it uses, is available for download here.

C#: How to set or get value of a private or internal field through the Reflection

June 30th, 2013 No comments

    This post extends How to set or get value of a private or internal property through the Reflection. Here are two more methods to add to the ReflectionHelper. They are implemented as extension methods on object and simplify getting and setting the values of an object's private and internal fields, including fields declared on a base class, which Type.GetField on the derived type does not return.

using System;
using System.Reflection;

public static class ReflectionHelper
{
	//...
	// here are methods described in the post 
	// http://dotnetfollower.com/wordpress/2012/12/c-how-to-set-or-get-value-of-a-private-or-internal-property-through-the-reflection/
	//...

	// walks up the inheritance chain, because GetField does not return private fields declared on a base type
	private static FieldInfo GetFieldInfo(Type type, string fieldName)
	{
		FieldInfo fieldInfo;
		do
		{
			fieldInfo = type.GetField(fieldName,
				   BindingFlags.Instance | BindingFlags.Public | BindingFlags.NonPublic);
			type = type.BaseType;
		}
		while (fieldInfo == null && type != null);
		return fieldInfo;
	}

	public static object GetFieldValue(this object obj, string fieldName)
	{
		if (obj == null)
			throw new ArgumentNullException("obj");
		Type objType = obj.GetType();
		FieldInfo fieldInfo = GetFieldInfo(objType, fieldName);
		if (fieldInfo == null)
			throw new ArgumentOutOfRangeException("fieldName",
			  string.Format("Couldn't find field {0} in type {1}", fieldName, objType.FullName));
		return fieldInfo.GetValue(obj);
	}

	public static void SetFieldValue(this object obj, string fieldName, object val)
	{
		if (obj == null)
			throw new ArgumentNullException("obj");
		Type objType = obj.GetType();
		FieldInfo fieldInfo = GetFieldInfo(objType, fieldName);
		if (fieldInfo == null)
			throw new ArgumentOutOfRangeException("fieldName",
			  string.Format("Couldn't find field {0} in type {1}", fieldName, objType.FullName));
		fieldInfo.SetValue(obj, val);
	}
}

The methods are used as follows:

// get value
string privateValue = (string)someObj.GetFieldValue("_connectionString");
// set value
someObj.SetFieldValue("_connectionString", "some connection string");

SharePoint: Simple Event Logger

June 3rd, 2013 No comments

    Errors, warnings and info messages in all my SharePoint applications are logged to the Application Event Log. For that I use a simple class, tritely named EventLogger, listed later in this post. First, a few words about how it behaves.

If necessary, the EventLogger registers a source in the Application Event Log the first time any of its methods is called (see the static constructor). Event logging relies on information stored under the Eventlog registry key, so when dealing with the Application Event Log we have to be prepared for an exception about insufficient rights to read from or write to the registry. Because of that, the EventLogger first tries to add the source under the current user account and then, on failure, repeats the attempt under the application pool account (SPSecurity.RunWithElevatedPrivileges), which is supposed to have the required permissions.

For the same reason, whenever a user other than the application pool account writes to the log, he will likely get an exception reporting that the current user doesn't have write access. To spare users that, we as administrators have to do some manual work, namely add the CustomSD value to the [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application] registry key as described in the article SharePoint: Cannot open log for source. You may not have write access. If a SharePoint application supports anonymous access, use WD (everyone) instead of AU (authenticated users); keep in mind that WD lets any account on the server, not just the web application, write and therefore forge Application log entries, so stay with AU wherever anonymous access isn't needed. It's also important to understand that the appropriate CustomSD must be added on every machine of the SharePoint farm. An alternative is to wrap the write to the log in SPSecurity.RunWithElevatedPrivileges. Remember, however, that SPSecurity.RunWithElevatedPrivileges is quite resource-consuming and excessive for an operation as frequent as event logging. So use it as a last resort, only when the CustomSD approach didn't help for some reason.

Another feature of the EventLogger is its backup plan: it writes to the SharePoint trace log through the Unified Logging Service (see the WriteToHiveLog method). In other words, if the EventLogger fails to write a message to the Application Event Log, it appends the message to the ULS log, which is stored in the file system and can be read with, for example, the ULS Viewer.

When logging an error or warning based on a passed exception, the EventLogger forms the final text from the exception's message, the message of the inner exception (if any) and the stack trace.

Below is a combined example that demonstrates how to use the EventLogger to log errors, warnings and info.

using dotNetFollower;
...

EventLogger.WriteInfo("How to use the EventLogger");

EventLogger.WriteError("Sorry, couldn't perform this operation!");
// OR
EventLogger.WriteWarning("Sorry, couldn't perform this operation!");

try
{
	// the next line throws an exception
	SPList spList = SPContext.Current.Web.Lists["Not existing list"];
}
catch (Exception ex)
{
	EventLogger.WriteError(ex);
	// OR
	EventLogger.WriteWarning(ex);
}

(Screenshot: the resulting records as they appear in the Windows Event Viewer.)

Ok, it’s about time for the EventLogger listing:

using System;
using System.Diagnostics;
using Microsoft.SharePoint;
using Microsoft.SharePoint.Administration;

namespace dotNetFollower
{
    public static class EventLogger
    {
        private const string SOURCE = "dotNetFollower"; // put here your own source name

        /// <summary>
        /// Writes an error message
        /// </summary>
        /// <param name="errorText">Error message</param>
        public static void WriteError(string errorText)
        {
            WriteWithinTryCatch(errorText, EventLogEntryType.Error);
        }
        /// <summary>
        /// Writes an error message
        /// </summary>
        /// <param name="ex">Exception</param>
        public static void WriteError(Exception ex)
        {
            WriteWithinTryCatch(GetExceptionFormatted(ex), EventLogEntryType.Error);
        }
        /// <summary>
        /// Writes a warning message
        /// </summary>
        /// <param name="text">Warning message</param>
        public static void WriteWarning(string text)
        {
            WriteWithinTryCatch(string.Format("Warning: {0}", text), EventLogEntryType.Warning);
        }
        /// <summary>
        /// Writes a warning message
        /// </summary>
        /// <param name="ex">Exception</param>
        public static void WriteWarning(Exception ex)
        {
            WriteWithinTryCatch(GetExceptionFormatted(ex), EventLogEntryType.Warning);
        }
        /// <summary>
        /// Writes an info message
        /// </summary>
        /// <param name="text">Info message</param>
        public static void WriteInfo(string text)
        {
            WriteWithinTryCatch(string.Format("Information: {0}", text), EventLogEntryType.Information);
        }

        /// <summary>
        /// Creates the appropriate source in Event Logs, if necessary
        /// </summary>
        public static void EnsureLogSourceExist()
        {
            if (!EventLog.SourceExists(SOURCE))
                EventLog.CreateEventSource(SOURCE, "Application");
        }

        /// <summary>
        /// Returns an error message based on a passed exception. Includes an inner exception (if any) and stack trace
        /// </summary>
        /// <param name="ex">Exception</param>
        /// <returns>Formed error message</returns>
        public static string GetExceptionFormatted(Exception ex)
        {
            return string.Format("Error: {0} (Inner Exception: {1})\t\nDetails: {2}", 
                ex.Message, 
                ex.InnerException != null ? ex.InnerException.Message : string.Empty, 
                ex.StackTrace);
        }

        static EventLogger()
        {
            bool error = false;

            Action action = delegate
                {
                    try
                    {
                        // register source in Event Logs
                        EnsureLogSourceExist();
                    }
                    catch
                    {
                        error = true;
                    }
                };

            // try under current user
            action();

            if(error)
                // try under application pool account
                SPSecurity.RunWithElevatedPrivileges(() => action());
        }

        private static void WriteWithinTryCatch(string message, EventLogEntryType type)
        {
            try
            {
                // To allow users (authenticated only or all of them) writing to Event Log,
                // follow the steps described in the article 
                // http://dotnetfollower.com/wordpress/2012/04/sharepoint-cannot-open-log-for-source-you-may-not-have-write-access/

                // If it doesn't help for some reason, uncomment the line with SPSecurity.RunWithElevatedPrivileges and 
                // comment the other one. Note, however, that the use of SPSecurity.RunWithElevatedPrivileges is 
                // resource-consuming and looks excessive for such frequent operation as event logging.

                //SPSecurity.RunWithElevatedPrivileges(() => EventLog.WriteEntry(SOURCE, message, type));
                EventLog.WriteEntry(SOURCE, message, type);
            }
            catch
            {
                WriteToHiveLog(message, type);
            }
        }

        private static void WriteToHiveLog(string message, EventLogEntryType type)
        {
            EventSeverity eventSeverity = type == EventLogEntryType.Error ? EventSeverity.Error : 
                (type == EventLogEntryType.Warning ? EventSeverity.Warning : EventSeverity.Information);

            var category = new SPDiagnosticsCategory(SOURCE, TraceSeverity.Unexpected, eventSeverity);

            SPDiagnosticsService.Local.WriteTrace(0, category, TraceSeverity.Unexpected, message, null);
        }
    }
}

SharePoint: What is a People Picker? Part 1 – PeopleEditor

April 30th, 2013 No comments

In fact, there is no control named PeoplePicker in SharePoint; it's a collective name for a group of elements: a few controls, one aspx page and a couple of JavaScript files. These elements are closely connected, use each other, and together allow searching for and picking users and groups available in SharePoint and/or Active Directory.

Let’s take a closer look at each element of the People Picker.

PeopleEditor

PeopleEditor is a visual control providing the entry point to the People Picker. So, to leverage the People Picker functionality we just need to add the PeopleEditor control to our aspx page as follows:

<%@ Register TagPrefix="wssawc" Namespace="Microsoft.SharePoint.WebControls" 
 Assembly="Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %> 
... 
<wssawc:PeopleEditor id="peoplePicker" runat="server" SelectionSet="User,SecGroup,DL" 
  MultiSelect="true" Height="20px" Width="200px" />
...
 

Below is a class diagram demonstrating the ancestors of the PeopleEditor and supported interfaces:

(Class diagram: the ancestors of PeopleEditor and the interfaces it implements.)

The PeopleEditor usually consists of a composite Edit Box and two buttons: Check Names and Browse.

(Screenshot: the parts of a PeopleEditor, the composite Edit Box with the Check Names and Browse buttons.)

The HTML markup generated by the PeopleEditor is listed below. It is a fairly large bunch of HTML tags, but it helps figure out which DOM elements are involved and where in the markup they are located. The HTML comments, indents and formatting are added for clarity.


<span id="ctl00_PlaceHolderMain_ctl00_ctl01_userPicker" editoroldvalue="" 
  removetext="Remove" value="" nomatchestext="&lt;No Matching Names&gt;" 
  moreitemstext="More Names..." prefercontenteditablediv="true" 
  showdatavalidationerrorborder="false" eeaftercallbackclientscript="" 
  invalidate="false" allowtypein="true" showentitydisplaytextintextbox="0">

 <!-- [Begin] Hidden inputs of the composite Edit Box -->
 <input type="hidden" value=""
  name="ctl00$PlaceHolderMain$ctl00$ctl01$userPicker$hiddenSpanData"
  id="ctl00_PlaceHolderMain_ctl00_ctl01_userPicker_hiddenSpanData">
 <input type="hidden" value="&lt;Entities /&gt;"
  name="ctl00$PlaceHolderMain$ctl00$ctl01$userPicker$OriginalEntities" 
  id="ctl00_PlaceHolderMain_ctl00_ctl01_userPicker_OriginalEntities">
 <input type="hidden"
  name="ctl00$PlaceHolderMain$ctl00$ctl01$userPicker$HiddenEntityKey" 
  id="ctl00_PlaceHolderMain_ctl00_ctl01_userPicker_HiddenEntityKey">
 <input type="hidden"
  name="ctl00$PlaceHolderMain$ctl00$ctl01$userPicker$HiddenEntityDisplayText" 
  id="ctl00_PlaceHolderMain_ctl00_ctl01_userPicker_HiddenEntityDisplayText">
 <!-- [End] Hidden inputs of the composite Edit Box -->

 <table id="ctl00_PlaceHolderMain_ctl00_ctl01_userPicker_OuterTable" class="ms-usereditor" cellspacing="0" cellpadding="0" border="0" style="border-collapse:collapse;">
  <tr>
   <td valign="top">
    <table cellpadding="0" cellspacing="0" border="0" style="width:100%;table-layout:fixed;">
     <tr>
      <td id="ctl00_PlaceHolderMain_ctl00_ctl01_userPicker_containerCell">

 <!-- [Begin] Visible up level div of the composite Edit Box -->
 <div id="ctl00_PlaceHolderMain_ctl00_ctl01_userPicker_upLevelDiv" tabindex="0" 
   onfocus="StoreOldValue('ctl00_PlaceHolderMain_ctl00_ctl01_userPicker');
            saveOldEntities('ctl00_PlaceHolderMain_ctl00_ctl01_userPicker');"
   onclick="onClickRw(true, true,event,'ctl00_PlaceHolderMain_ctl00_ctl01_userPicker');"
   onchange="updateControlValue('ctl00_PlaceHolderMain_ctl00_ctl01_userPicker');"
   onpaste="dopaste('ctl00_PlaceHolderMain_ctl00_ctl01_userPicker',event);"
   autopostback="0" rows="3" 
   ondragstart="canEvt(event);" 
   onkeyup="return onKeyUpRw('ctl00_PlaceHolderMain_ctl00_ctl01_userPicker');" 
   oncopy="docopy('ctl00_PlaceHolderMain_ctl00_ctl01_userPicker',event);" 
   onblur="
    if(typeof(ExternalCustomControlCallback)=='function'){		
     if(ShouldCallCustomCallBack('ctl00_PlaceHolderMain_ctl00_ctl01_userPicker',event)){
      if(!ValidatePickerControl('ctl00_PlaceHolderMain_ctl00_ctl01_userPicker')){
        ShowValidationError();
        return false;
      }
      else
        ExternalCustomControlCallback('ctl00_PlaceHolderMain_ctl00_ctl01_userPicker');                          
     }
    }"
   title="People Picker" 
   onkeydown="return onKeyDownRw('ctl00_PlaceHolderMain_ctl00_ctl01_userPicker', 3, true, event);" 
   aria-multiline="true" contenteditable="true" aria-haspopup="true" class="ms-inputuserfield" 
   style="word-wrap: break-word; overflow-x: hidden; background-color: window; color: windowtext; overflow-y: auto; height: 48px;" 
   prefercontenteditablediv="true" name="upLevelDiv" role="textbox">
 </div>
 <!-- [End] Visible up level div of the composite Edit Box -->

 <!-- [Begin] Usually invisible down level textarea of the composite Edit Box -->
 <textarea rows="3" cols="20" style="width:100%;display: none;position: absolute; "
  name="ctl00$PlaceHolderMain$ctl00$ctl01$userPicker$downlevelTextBox" 
  id="ctl00_PlaceHolderMain_ctl00_ctl01_userPicker_downlevelTextBox" 
  class="ms-inputuserfield" autopostback="0" 
  onkeyup="return onKeyUpRw('ctl00_PlaceHolderMain_ctl00_ctl01_userPicker');" 
  title="People Picker" 
  onfocus="StoreOldValue('ctl00_PlaceHolderMain_ctl00_ctl01_userPicker');
           saveOldEntities('ctl00_PlaceHolderMain_ctl00_ctl01_userPicker');" 
  onblur="
   if(typeof(ExternalCustomControlCallback)=='function'){		
    if(ShouldCallCustomCallBack('ctl00_PlaceHolderMain_ctl00_ctl01_userPicker',event)){
     if(!ValidatePickerControl('ctl00_PlaceHolderMain_ctl00_ctl01_userPicker')){
       ShowValidationError();
       return false;
     }
     else
       ExternalCustomControlCallback('ctl00_PlaceHolderMain_ctl00_ctl01_userPicker');                          
    }
   }"
  onkeydown="return onKeyDownRw('ctl00_PlaceHolderMain_ctl00_ctl01_userPicker', 3, true, event);" 
  renderascontenteditablediv="true" 
  onchange="updateControlValue('ctl00_PlaceHolderMain_ctl00_ctl01_userPicker');">
 </textarea>
 <!-- [End] Usually invisible down level textarea of the composite Edit Box -->

      </td>
     </tr>
    </table>
   </td>
  </tr>
  <tr>
   <td>
    <span id="ctl00_PlaceHolderMain_ctl00_ctl01_userPicker_errorLabel" class="ms-error"></span>
   </td>
  </tr>
  <tr style="padding-top:2;">
   <td>
    <table cellspacing="0" cellpadding="0" border="0" style="width:100%;border-collapse:collapse;">
     <tr>
      <td valign="top" style="width:88%;">
       <span style="font-size:8pt;"></span>
      </td>
      <td valign="top" nowrap="true" style="padding-left:5px;padding-right:5px;">

 <!-- [Begin] Check Names Button -->
 <a id="ctl00_PlaceHolderMain_ctl00_ctl01_userPicker_checkNames" 
  title="Check Names"
  href="javascript:"
  onclick="
    if(!ValidatePickerControl('ctl00_PlaceHolderMain_ctl00_ctl01_userPicker')){
      ShowValidationError(); 
      return false;
    }
    var arg=getUplevel('ctl00_PlaceHolderMain_ctl00_ctl01_userPicker'); 
    var ctx='ctl00_PlaceHolderMain_ctl00_ctl01_userPicker';
    EntityEditorSetWaitCursor(ctx);
    WebForm_DoCallback('ctl00$PlaceHolderMain$ctl00$ctl01$userPicker',arg,
           EntityEditorHandleCheckNameResult,
           ctx,EntityEditorHandleCheckNameError,true);
    return false;">
  <img title="Check Names" src="/_layouts/images/checknames.png" alt="Check Names" style="border-width:0px;">
 </a>&nbsp;
 <!-- [End] Check Names Button -->

 <!-- [Begin] Browse Button -->
 <a id="ctl00_PlaceHolderMain_ctl00_ctl01_userPicker_browse" 
  title="Browse" href="javascript:"
  onclick="__Dialog__ctl00_PlaceHolderMain_ctl00_ctl01_userPicker(); 
          return false;">
  <img title="Browse" src="/_layouts/images/addressbook.gif" alt="Browse" style="border-width:0px;">
 </a>
 <!-- [End] Browse Button -->

      </td>
     </tr>
    </table>
   </td>
  </tr>
 </table>
</span>

*Note that this markup corresponds to the empty PeopleEditor when nothing is typed in.

The PeopleEditor (like other classes derived from EntityEditor) uses functions defined in entityeditor.js, which is located at 14\TEMPLATE\LAYOUTS.

Composite Edit Box

The composite Edit Box performs the following two functions:

  • displays the already selected users and groups (I call them “resolved accounts”);
  • allows typing names (or part of them) of users and groups (I call them “unresolved accounts”).

All names (resolved and unresolved) must be delimited by the so-called Entity Separator, usually a semicolon (“;“). So, when typing two or more names, we need to separate them from each other so that the validation knows which entries should be resolved.

Being aggregative, the Edit Box usually comprises a few hidden inputs, one invisible textarea and one visible div element (see the PeopleEditor‘s Html markup above). The div element, the so-called upLevelDiv, displays everything we see in the Edit Box and allows typing by handling key presses. And, of course, there is a lot of JavaScript defined in entityeditor.js that applies all that rich functionality to the simple div.

Besides the upLevelDiv, another quite important element of the Edit Box is one of the hidden inputs, the so-called hiddenSpanData. At any moment the value attribute of the hiddenSpanData contains a copy of the content (innerHtml) of the upLevelDiv. Whenever the content of the upLevelDiv changes, the change is reflected in the hiddenSpanData by calling the copyUplevelToHidden function defined in entityeditor.js. As you know, the content of div elements is never sent when a form is submitted to the server. That’s why we need the hiddenSpanData: it is an input (though invisible) and therefore takes part in form submission. So, everything we typed in or selected in the upLevelDiv is sent to the server by the hiddenSpanData.

Also note that the hiddenSpanData keeps the copy of the upLevelDiv‘s inner Html as is; NO transformation is applied. That means that the very Html used to visualize the “resolved accounts” in the upLevelDiv is posted to the server, and the server side has to parse that Html (usually a bunch of SPAN and DIV tags) to extract the entries. Keep in mind that this markup, including the attributes that mark an entry as resolved, is composed in the browser and is therefore entirely under the client’s control; that is why the server-side processing described below does not stop at parsing but runs its own validation/resolution over the extracted entries. I have no idea why Microsoft uses such a complex and excessive format to pass the entries, but that’s a fact. Later in the article we’ll see an example of such Html-formatted entries sent to the server.

The usually invisible so-called downlevelTextBox textarea is used when the browser doesn’t support a content-editable div. So, in the case of a legacy browser the downlevelTextBox becomes visible while the upLevelDiv disappears. All changes to the text inside the downlevelTextBox are reflected in the hiddenSpanData as well. Note that since a textarea doesn’t support Html formatting inside, the typed entries are sent to the server as plain text.

The hidden input so-called OriginalEntities is meant to keep the users and groups (“resolved accounts”) that were selected formerly. For example, if we open a list item for editing and the page contains a PeopleEditor bound to a field of the “Person or Group” type, the current value of the field is persisted into the OriginalEntities. When the data is submitted back to the server, the original entities allow tracking whether the set of users and groups has been changed. Unlike the hiddenSpanData, the OriginalEntities input keeps the “resolved accounts” as a pure Xml string. The following two methods are used on the server side to serialize entities to and deserialize them from the Xml stored in the OriginalEntities: PickerEntity.ConvertEntitiesToXmlData and PickerEntity.ParseEntitiesFromXml respectively. Below in the article we’ll see an example of such Xml-formatted entries, as the same format is used to return the result of the validation process.

Two more hidden inputs, HiddenEntityKey and HiddenEntityDisplayText, make sense only if the MultiSelect property of the PeopleEditor is set to false (the same holds for other controls derived from the EntityEditor unless that behavior is overridden). The inputs keep respectively the Key (ID) and DisplayText (readable alias) of the first and only resolved entity. Both look quite useless for the PeopleEditor, but you can learn the way they are employed for picking out a BDC entity through the Enhanced ItemPicker.

Check Names button

The Check Names button validates/resolves the typed names. If a typed name matches a real account, that account is displayed in the Edit Box as a resolved one. If no match is found, or a typed name matches multiple accounts, the name becomes clickable, and clicking it displays a drop-down menu like the one depicted below:

Multiple Accounts Matched

The menu allows choosing the entity that, in the user’s opinion, best conforms to the typed name. Clicking Remove in the menu deletes the typed name, while More Names… does the same as the Browse button (described below).

The PeopleEditor implements the ICallbackEventHandler interface and therefore supports Client Callbacks. Clicking the Check Names button sends an asynchronous request to the page that hosts the PeopleEditor. On the server side, once the page and all its controls have been re-created, the PeopleEditor instance handles the request by parsing the input, validating/resolving the entries and sending the result back to the browser; on the client side the Edit Box’s content is then updated. What is the input sent to the server? It’s the inner Html of the upLevelDiv (or the text of the downlevelTextBox textarea in the case of a legacy browser). The GetInnerHTMLOrTextOfUpLevelDiv function from entityeditor.js is responsible for getting the current input. So, in the case of a Client Callback the Html-like data is taken directly from the upLevelDiv/downlevelTextBox, while in the case of a usual Form Submit the data, in the same format, is posted by the hiddenSpanData.

Ok, let’s take a look at the possible inputs (__CALLBACKPARAM in the request) that come into the ICallbackEventHandler.RaiseCallbackEvent method of the PeopleEditor. For example, if “jira; student” is typed in the Edit Box, the input will be the same string, “jira; student“. If, however, the Edit Box contains one or more “resolved accounts”, the input becomes much trickier. For example, the string “JIRA; jir” (JIRA already resolved, jir just typed) transforms into the following (indents and formatting are added for clarity):

&nbsp;
<SPAN id=spanHQ\jira class=ms-entity-resolved 
   onmouseover=this.contentEditable=false; 
   title=HQ\jira tabIndex=-1 
   onmouseout=this.contentEditable=true; 
   contentEditable=true isContentType="true">

  <DIV id=divEntityData description="HQ\jira" 
     isresolved="True" displaytext="JIRA" key="HQ\jira" style="DISPLAY: none">

    <DIV data='<ArrayOfDictionaryEntry xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
                      <DictionaryEntry>
                        <Key xsi:type="xsd:string">AccountName</Key>
                        <Value xsi:type="xsd:string">HQ\jira</Value>
                      </DictionaryEntry>
                      <DictionaryEntry>
                        <Key xsi:type="xsd:string">Email</Key>
                        <Value xsi:type="xsd:string">jira@someservername.com</Value>
                      </DictionaryEntry>
                      <DictionaryEntry>
                        <Key xsi:type="xsd:string">PrincipalType</Key>
                        <Value xsi:type="xsd:string">User</Value>
                      </DictionaryEntry></ArrayOfDictionaryEntry>'>
    </DIV>

  </DIV>
  <SPAN id=content tabIndex=-1 contentEditable=true
     oncontextmenu='onContextMenuSpnRw(event,"ctl00_PlaceHolderMain_ctl00_ctl01_userPicker");' 
     onmousedown=onMouseDownRw(event);>
		JIRA 
  </SPAN>

</SPAN>; jir&nbsp;; 

So, this listing demonstrates three things at once: the inner Html of the upLevelDiv, the data stored in the hiddenSpanData and the data sent during the Client Callback. On the server side EntityEditor.ParseSpanData is called to parse input like that, while on the client side the ConvertEntityToSpan function from entityeditor.js turns the Client Callback result into such an Html-like string.

To get the picture of how the PeopleEditor processes the input, see the code along with my comments that are listed below. The code is borrowed from the EntityEditor class (the ancestor of the PeopleEditor).

// eventArgument is an input similar to the ones shown above
private string InvokeCallbackEvent(string eventArgument)
{
    // ensure that all child controls of the PeopleEditor are re-created
    this.EnsureChildControls();
    // remove all "&nbsp;", i.e. Html spaces
    string spans = StrEatUpNbsp(eventArgument);
    // parse the input, extract the entries, convert them to instances of PickerEntity
    // and add them to the Entities collection
    this.ParseSpanData(spans);
    // go through the collection and try resolving the entities
    this.Validate();
    // serialize the entities into the output xml string
    return this.GenerateCallbackData(this.Entities, false);
}

The validation itself ultimately uses the following methods: SPUtility.ResolvePrincipal or SPUtility.ResolveWindowsPrincipal, or, in the case of claims-based authentication, SPClaimProviderOperations.Resolve. If a name can’t be resolved, the process attempts to find suitable accounts by calling methods such as SPUtility.SearchWindowsPrincipals or SPUtility.SearchPrincipals. As regards claims-based authentication, SPClaimProviderOperations.Resolve itself is able to return several suitable accounts if no single match is found.

Ok, let’s take a look at what kind of result is returned to the browser in case the “jira” entity has been resolved while the “jir” has multiple matches:


<Entities Append="False" DoEncodeErrorMessage="True" Separator=";" MaxHeight="3"
    Error="No exact match was found. Click the item(s) that did not resolve for more options.">

  <Entity Key="HQ\jira" DisplayText="JIRA" IsResolved="True" Description="HQ\jira">
    <ExtraData>
      <ArrayOfDictionaryEntry xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
        <DictionaryEntry>
          <Key xsi:type="xsd:string">AccountName</Key>
          <Value xsi:type="xsd:string">HQ\jira</Value>
        </DictionaryEntry>
        <DictionaryEntry>
          <Key xsi:type="xsd:string">Email</Key>
          <Value xsi:type="xsd:string">jira@someservername.com</Value>
        </DictionaryEntry>
        <DictionaryEntry>
          <Key xsi:type="xsd:string">PrincipalType</Key>
          <Value xsi:type="xsd:string">User</Value>
        </DictionaryEntry>
      </ArrayOfDictionaryEntry>
    </ExtraData>
    <MultipleMatches />
  </Entity>

  <Entity Key="jir" DisplayText="jir" IsResolved="False" Description="Multiple entries matched, please click to resolve.">
    <MultipleMatches>      
      <Entity Key="HQ\jira-users" DisplayText="HQ\jira-users" IsResolved="True" Description="HQ\jira-users">
        <ExtraData>
          <ArrayOfDictionaryEntry xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
            <DictionaryEntry>
              <Key xsi:type="xsd:string">AccountName</Key>
              <Value xsi:type="xsd:string">HQ\jira-users</Value>
            </DictionaryEntry>
            <DictionaryEntry>
              <Key xsi:type="xsd:string">PrincipalType</Key>
              <Value xsi:type="xsd:string">SecurityGroup</Value>
            </DictionaryEntry>
          </ArrayOfDictionaryEntry>
        </ExtraData>
      </Entity>
      <Entity Key="HQ\locadmin" DisplayText="Jira Admin Local" IsResolved="True" Description="HQ\locadmin">
        <ExtraData>
          <ArrayOfDictionaryEntry xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
            <DictionaryEntry>
              <Key xsi:type="xsd:string">AccountName</Key>
              <Value xsi:type="xsd:string">HQ\locadmin</Value>
            </DictionaryEntry>
            <DictionaryEntry>
              <Key xsi:type="xsd:string">PrincipalType</Key>
              <Value xsi:type="xsd:string">User</Value>
            </DictionaryEntry>
          </ArrayOfDictionaryEntry>
        </ExtraData>
      </Entity>
      <Entity Key="HQ\jira" DisplayText="JIRA" IsResolved="True" Description="HQ\jira">
        <ExtraData>
          <ArrayOfDictionaryEntry xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
            <DictionaryEntry>
              <Key xsi:type="xsd:string">AccountName</Key>
              <Value xsi:type="xsd:string">HQ\jira</Value>
            </DictionaryEntry>
            <DictionaryEntry>
              <Key xsi:type="xsd:string">Email</Key>
              <Value xsi:type="xsd:string">jira@someservername.com</Value>
            </DictionaryEntry>
            <DictionaryEntry>
              <Key xsi:type="xsd:string">PrincipalType</Key>
              <Value xsi:type="xsd:string">User</Value>
            </DictionaryEntry>
          </ArrayOfDictionaryEntry>
        </ExtraData>
      </Entity>
    </MultipleMatches>
  </Entity>

</Entities>

So, the server response is an Xml-based string where each resolved or unresolved name is represented by an Entity node. The IsResolved attribute indicates whether the name is resolved, i.e. whether it matches a real user or group. An Entity may contain nested ones wrapped in a MultipleMatches tag in case the name matches multiple accounts. Those nested Entities are enumerated in the drop-down menu when the unresolved name is clicked.

Note that the OriginalEntities input contains the data in the same format.
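Both formats described above, the Html-like span data the browser posts (upLevelDiv/hiddenSpanData/__CALLBACKPARAM) and the Entities Xml that the Check Names callback returns and the OriginalEntities input stores, are easy to parse offline. The following Python script is an added example written for this article; it is not SharePoint code and not part of entityeditor.js or the EntityEditor class. The names SpanDataParser, parse_span_data, parse_callback_result and extra_data_to_dict are assumptions of this example, and the two sample strings are constructed by hand to mirror the listings above (attributes quoted where IE's innerHTML leaves them bare). The span parser mirrors the server-side steps of InvokeCallbackEvent up to, but not including, Validate: eat up the &nbsp; entities, turn each ms-entity-resolved SPAN into an entity, split the remaining text on the Entity Separator, and read the ArrayOfDictionaryEntry extra data.

```python
"""Parsers for the two wire formats of the PeopleEditor: the Html-like span data posted from the
upLevelDiv/hiddenSpanData and the <Entities> Xml returned by the Check Names callback (also the
format of the OriginalEntities input). Example code, not SharePoint's own implementation."""
from dataclasses import dataclass, field
from html.parser import HTMLParser
import xml.etree.ElementTree as ET


@dataclass
class Entity:
    key: str
    display_text: str
    is_resolved: bool
    extra_data: dict = field(default_factory=dict)    # AccountName, Email, PrincipalType, ...
    multiple_matches: list = field(default_factory=list)


def extra_data_to_dict(node):
    """<ArrayOfDictionaryEntry> element -> {Key: Value}."""
    return {e.findtext("Key"): e.findtext("Value") for e in node.findall("DictionaryEntry")}


def eat_up_nbsp(text):
    """Like StrEatUpNbsp: drop Html non-breaking spaces before splitting on the separator."""
    return text.replace("&nbsp;", "").replace("\xa0", "")


class SpanDataParser(HTMLParser):
    """Like EntityEditor.ParseSpanData: every SPAN with class ms-entity-resolved becomes an
    entity; text outside such spans is split on the Entity Separator into unresolved names."""

    def __init__(self, separator=";"):
        super().__init__(convert_charrefs=True)
        self.separator, self.entities = separator, []
        self._text, self._depth, self._current = [], 0, None   # _depth > 0 while inside a resolved SPAN

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)                                # HTMLParser lower-cases attribute names
        if self._depth == 0:
            if tag == "span" and "ms-entity-resolved" in (a.get("class") or ""):
                self._flush_text()
                self._depth, self._current = 1, Entity("", "", False)
            return
        self._depth += 1
        if tag == "div" and a.get("id") == "divEntityData":
            self._current.key = a.get("key", "")
            self._current.display_text = a.get("displaytext", "")
            # "isresolved" is asserted by the client; the real control re-resolves the key in Validate()
            self._current.is_resolved = (a.get("isresolved") or "").lower() == "true"
        elif tag == "div" and a.get("data"):
            self._current.extra_data = extra_data_to_dict(ET.fromstring(a["data"]))

    def handle_endtag(self, tag):
        if self._depth:
            self._depth -= 1
            if self._depth == 0:
                self.entities.append(self._current)

    def handle_data(self, data):
        if self._depth == 0:
            self._text.append(data)

    def _flush_text(self):
        for part in eat_up_nbsp("".join(self._text)).split(self.separator):
            if part.strip():
                self.entities.append(Entity(part.strip(), part.strip(), False))
        self._text = []

    def close(self):
        super().close()
        self._flush_text()


def parse_span_data(span_data, separator=";"):
    parser = SpanDataParser(separator)
    parser.feed(span_data)
    parser.close()
    return parser.entities


def parse_callback_result(xml_text):
    """<Entities> Xml -> (Error attribute, list of Entity with nested MultipleMatches)."""
    def to_entity(node):
        extra = node.find("ExtraData/ArrayOfDictionaryEntry")
        return Entity(node.get("Key"), node.get("DisplayText"), node.get("IsResolved") == "True",
                      extra_data_to_dict(extra) if extra is not None else {},
                      [to_entity(m) for m in node.findall("MultipleMatches/Entity")])
    root = ET.fromstring(xml_text)
    return root.get("Error"), [to_entity(e) for e in root.findall("Entity")]


# Constructed samples modeled on the listings in the article (not captured from a real farm).
SAMPLE_SPAN_DATA = (
    '&nbsp;<SPAN class="ms-entity-resolved" title="HQ\\jira" contentEditable="true">'
    '<DIV id="divEntityData" isresolved="True" displaytext="JIRA" key="HQ\\jira" style="DISPLAY: none">'
    "<DIV data='<ArrayOfDictionaryEntry xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\">"
    '<DictionaryEntry><Key xsi:type="xsd:string">AccountName</Key><Value>HQ\\jira</Value></DictionaryEntry>'
    "<DictionaryEntry><Key>PrincipalType</Key><Value>User</Value></DictionaryEntry></ArrayOfDictionaryEntry>'>"
    '</DIV></DIV><SPAN id="content">JIRA</SPAN></SPAN>; jir&nbsp;; '
)
SAMPLE_CALLBACK_XML = """<Entities Append="False" Separator=";" Error="No exact match was found.">
  <Entity Key="HQ\\jira" DisplayText="JIRA" IsResolved="True" Description="HQ\\jira">
    <ExtraData><ArrayOfDictionaryEntry><DictionaryEntry><Key>Email</Key>
      <Value>jira@someservername.com</Value></DictionaryEntry></ArrayOfDictionaryEntry></ExtraData>
    <MultipleMatches />
  </Entity>
  <Entity Key="jir" DisplayText="jir" IsResolved="False" Description="Multiple entries matched, please click to resolve.">
    <MultipleMatches>
      <Entity Key="HQ\\jira-users" DisplayText="HQ\\jira-users" IsResolved="True" Description="HQ\\jira-users" />
      <Entity Key="HQ\\locadmin" DisplayText="Jira Admin Local" IsResolved="True" Description="HQ\\locadmin" />
    </MultipleMatches>
  </Entity>
</Entities>"""

if __name__ == "__main__":
    for e in parse_span_data(SAMPLE_SPAN_DATA):
        print(e)
    error, entities = parse_callback_result(SAMPLE_CALLBACK_XML)
    print(error, [(e.key, [m.display_text for m in e.multiple_matches]) for e in entities])
```

Running the script prints the two entities parsed from the span data (JIRA resolved with its extra data, jir unresolved) and the callback result with its Error text and the two candidate matches for “jir“. The plain input “jira; student” goes through the same parser and yields two unresolved entities, as described earlier. The isresolved attribute is read only as the client’s claim; as with the real control, the result is meaningful only after the server has re-run its own resolution over the keys.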

Browse button

The Browse button opens the search dialog, namely the dialog containing the picker.aspx page. Note that the static method PickerDialog.PickerActivateScript is called to get the appropriate JavaScript for opening/activating the search dialog. PickerDialog.PickerActivateScript, in turn, uses another static method, PickerDialog.GetPickerDialogPage, which constructs the url to picker.aspx including all the needed query string parameters. The PickerDialog is an ancestor of the PeoplePickerDialog class, which, along with picker.aspx, will be described in another article.
