In my recent post I described two alternatives for accessing external data from the OWS process. One of the options – the RevertToSelf authentication – is not the best choice for a production environment. The other option – the Impersonate Windows Identity authentication mode – requires the Secure Store Service (SSS), which is a SharePoint Server 2010 feature. This means you might have no ideal solution if you have a SharePoint Foundation 2010 environment.
Although the out-of-the-box Secure Store implementation is the Microsoft.Office.SecureStoreService.Server.SecureStoreProvider class (Microsoft.Office.SecureStoreService assembly), which is SharePoint Server only, the main interfaces are located in the Microsoft.BusinessData.Infrastructure.SecureStore namespace (Microsoft.BusinessData assembly), which is available in SharePoint Foundation as well.
It means we can implement a custom Secure Store Implementation for SharePoint Foundation.
Below I show you a very basic sample for that. Of course, you can create more sophisticated versions based on the same concepts.
In Visual Studio 2010 we should create a new Class Library project. The target framework should be set to .NET 3.5 and the platform target to x64. Since we have to deploy our assembly to the GAC, we also need a key file to sign the assembly with a strong name.
First I include the code for the helper classes.
The SimpleTargetApplicationDefinition class holds information about our target application.
The SimpleTargetApplicationField describes a field of the target application.
The SimpleSecureStoreCredential class contains a piece of the credential information.
The main part of the code is the provider itself, the SimpleSecureStoreProvider class. The skeleton of the class is like this:
We should return the application definition in the GetTargetApplication method. In this sample we always return the same data, regardless of the appId parameter. As you can see, the sample is an example of a Group Target Application Type. In the GetTargetApplications method we return a single target application. I’ve included Trace commands to help us monitor which methods are invoked at runtime.
In this application we have two fields, one for the user name and one for the password, as shown in the GetTargetApplicationFields method.
In the GetCredentials and GetRestrictedCredentials methods we should return credentials for the application. In this case I have a user name and password hardcoded, but these should be stored in a more secure and configurable way.
The GetSecureString method helps to convert a string into SecureString.
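For the hardcoded user name and password mentioned above, one option is to keep them in a DPAPI-protected file and build the SecureString values from it. This is an added example, not code from the original post; the ProtectedCredentialFile class, its file format and the entropy string are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Cryptography; // ProtectedData: reference System.Security.dll
using System.Text;

// Added example; class name, file format and entropy value are assumptions.
public static class ProtectedCredentialFile
{
    private static readonly byte[] Entropy =
        Encoding.UTF8.GetBytes("SimpleSecureStoreProvider-example"); // constructed value

    // Run once by an administrator on the server: encrypts "user\npassword"
    // with the machine DPAPI key and writes the resulting blob to 'path'.
    public static void Save(string path, string userName, string password)
    {
        byte[] plain = Encoding.UTF8.GetBytes(userName + "\n" + password);
        try
        {
            File.WriteAllBytes(path,
                ProtectedData.Protect(plain, Entropy, DataProtectionScope.LocalMachine));
        }
        finally { Array.Clear(plain, 0, plain.Length); }
    }

    // Called from the provider's credential methods instead of string literals.
    public static void Load(string path, out SecureString userName, out SecureString password)
    {
        byte[] plain = ProtectedData.Unprotect(
            File.ReadAllBytes(path), Entropy, DataProtectionScope.LocalMachine);
        char[] chars = Encoding.UTF8.GetChars(plain);
        try
        {
            int split = Array.IndexOf(chars, '\n'); // first newline ends the user name
            if (split < 0) throw new InvalidDataException("Credential file is malformed.");
            userName = ToSecureString(chars, 0, split);
            password = ToSecureString(chars, split + 1, chars.Length - split - 1);
        }
        finally { Array.Clear(plain, 0, plain.Length); Array.Clear(chars, 0, chars.Length); }
    }

    // Builds a read-only SecureString from a char range, so the secret
    // never has to exist as an immutable System.String in this process.
    private static SecureString ToSecureString(char[] source, int offset, int count)
    {
        SecureString result = new SecureString();
        for (int i = offset; i < offset + count; i++) result.AppendChar(source[i]);
        result.MakeReadOnly();
        return result;
    }
}
```

With DataProtectionScope.LocalMachine any process on the server can decrypt the blob, so restrict the file's ACL to the application pool account.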
The methods below are not implemented in this sample:
After building the assembly and deploying it to the GAC, we should configure our BCS external system instance. The most important step is to set the right Secure Store Implementation value (in my case it is SimpleSecureStoreProvider.SimpleSecureStoreProvider, simplesecurestoreprovider, Version=22.214.171.124, Culture=neutral, PublicKeyToken=9fc83bb193b5ea3b). The value of the Secure Store Target Application Id is irrelevant in this version.
If everything works as expected, we should be able to access the external data (in this case the Northwind database through an external list) using the credentials returned by our custom secure store implementation.