Re: HTML embbeded (via <object> tag) Strong FullTrust Assemblies f
From: Greg Stangler (GregStangler_at_discussions.microsoft.com)
Date: 02/09/05
- Previous message: Hifni Shahzard: "Connecting to Remote SQL Server"
- In reply to: Nicole Calinoiu: "Re: HTML embbeded (via <object> tag) Strong FullTrust Assemblies f"
- Next in thread: Peng Jie: "RE: HTML embbeded (via <object> tag) Strong FullTrust Assemblies fail!"
Date: Wed, 9 Feb 2005 07:41:05 -0800
Nicole, thank you for all of your precise help.
I finally got back to this issue this morning, and all worked well. I've
tested several combinations of CAS Policy, and have found one which will suit
our needs well.
Cordially, a de-confused CAS policy newbie...
"Nicole Calinoiu" wrote:
> "Greg Stangler" <GregStangler@discussions.microsoft.com> wrote in message
> news:E332BEC6-DA51-4042-A3FB-9BFFEEB90EEB@microsoft.com...
> > Nicole,
> > Your answer has been very helpful.
> >
> > It makes sense to me that the AppDomain (sandbox) IE is running in has
> > limited trust, and so my loaded (embedded) assembly's permissions are
> > reduced to the appdomain's permissions (i.e. lowered from fulltrust status).
> >
> > However, I am unclear on how to tell IE about a 'site membership
> > condition' and apply it to the client in a way that the next time IE runs,
> > its appdomain will now allow my assembly full access.
>
> You don't "tell IE about" it. Instead, you add a new code group under the
> .NET security policy in the same manner that you added the code group that
> used your strong name for its membership condition. The new group would use
> the assembly's source site as its membership condition instead of the strong
> name.
>
>
> > Can an assembly with internet permissions running as an embedded object,
> > create a new AppDomain, and assign more liberal (e.g. fulltrust)
> > permissions to the new domain, then load and run an assembly into the new
> > full trust Domain and have it run with the new, more liberal permissions?
> > i.e. Can an assembly in one AppDomain create a new AppDomain, and give it
> > more liberal permissions than it had for itself?
>
> It depends on the exact permission set granted to the first assembly. If by
> "internet permissions" you mean the default Internet permission set declared
> by the .NET Framework and granted to the Internet_Zone code group, then no,
> this wouldn't be possible.
>
>
>
> > FYI: my goal in life (well ... maybe just this particular project), is to
> > enable a fully trusted assembly to run as an embedded object within an IE
> > browser via a web page, without requiring the user to change security
> > settings on their browser.
>
> You seem to be mixing up the .NET Framework security policy and the IE
> settings here. You will most likely need to alter the client machine's .NET
> security policy in order to get your component to be fully trusted in the
> first place. Once that's done, you might still need to contend with the
> browser's settings, which could very well prevent .NET components from
> loading at all. Depending on the client environment, your users may not
> even be able to change either one, so you may need to deal with the systems
> admins rather than the users in order to get the clients configured
> correctly. Of course, if the admins pre-configure stuff, your goal of no
> user-driven configuration may very well be met. <g>
>
>
> > Thanks again for your patience and time with a .NET security newbie,
> >
> >
> > "Nicole Calinoiu" wrote:
> >
> >> See http://blogs.msdn.com/shawnfa/archive/2003/06/26/57026.aspx for a
> >> description of the problem and possible solutions.
> >>
> >>
> >>
> >> "Greg Stangler" <Greg Stangler@discussions.microsoft.com> wrote in
> >> message
> >> news:C33A30FC-C29D-467C-9322-6C40FAB406AB@microsoft.com...
> >> > My problem:
> >> > I am attempting to create a strong named .NET library assembly which
> >> > needs FullTrust permissions when loaded from the Internet zone and can
> >> > be embedded (via the <object> tag ) within an HTML browser page.
> >> >
> >> > e.g.
> >> > .
> >> > <object id="checkStrongNameAccess" height={controlHeight}
> >> > width={controlWidth}
> >> > classid="http:MyFullTrustAssembly.exe#MyUserControlNameSpace.MyUserControlClass"
> >> > VIEWASTEXT>
> >> > </object>
> >> > .
> >> >
> >> > Note: I've tried the 'MyFullTrustAssembly' assemblies as both exe and
> >> > dll.
> >> >
> >> > The problem is when this assembly is given a strong name, and a code
> >> > group with the same strong name has been created via the caspol utility,
> >> > it no longer activates when the html page is activated. However, when
> >> > the same strong named assembly is accessed as an application (via an
> >> > <HREF. .exe>), the assembly runs with full trust, but now is no longer
> >> > embedded.
> >> >
> >> > I need this assembly to function within the browser so that it exits
> >> > when the browser exits.
> >> >
> >> > I have also tried adding the assembly individually, and not as a code
> >> > group, with the same results.
> >> >
> >> > I can make this work, if I set the 'Trusted Sites' zone to FullTrust
> >> > permissions (via caspol), and then add the necessary internet site to
> >> > the IE Browser's list of trusted sites. In this configuration, the
> >> > assembly is now allowed FullTrust as an embedded (<object./>) component.
> >> >
> >> > I do not want to force customers to add a web site to their trusted
> >> > sites list since this creates a security hole.
> >> > I do not want to modify the client's IE configuration in any way if at
> >> > all possible.
> >> > I want to be able to apply a strong name to my internet delivered
> >> > assemblies and load from the internet zone either via a strong named
> >> > code group, or via individual assembly groups.
> >> >
> >> > My question(s):
> >> > Is the configuration I am attempting outside of security policy bounds
> >> > supported by Microsoft? It shouldn't be, since setting trust at the
> >> > site level does work.
> >> >
> >> > If it is not outside of security policy limits, how do I configure the
> >> > local CAS policies (via caspol) on a strong named 'FullTrust' assembly,
> >> > so that the assembly can be used as an embedded object within html, and
> >> > still have unlimited access to all of the client's local resources?
> >> >
> >> > Cordially
> >> > Greg Stangler
> >> >
> >>
> >>
> >>
>
>
>
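
Added example (not part of the original thread, and not the participants' or Microsoft's own script): the site-based code group described in the quoted reply, created with caspol from PowerShell and scoped to a single host. The framework directory, host name and group name are assumptions, as is the "Site - <host>" text matched in the -listgroups output.

```powershell
# Added example: scope FullTrust to one source site in machine-level CAS policy.
# Run from an elevated prompt; machine policy is not writable otherwise.

# Assumptions (not from the thread): framework version directory, site name
# and code group name. Adjust all three for the real deployment.
$caspol    = Join-Path $env:windir 'Microsoft.NET\Framework\v2.0.50727\caspol.exe'
$site      = 'apps.example.com'          # constructed placeholder host
$groupName = 'Example_Site_FullTrust'    # hypothetical code group name

if (-not (Test-Path $caspol)) { throw "caspol.exe not found at $caspol" }

# Record the policy tree before changing it, so the change can be reviewed.
$before = & $caspol -machine -listgroups
$before | Set-Content (Join-Path $env:TEMP 'caspol-machine-before.txt')

# Assumed output format: -listgroups shows a site membership condition as
# "Site - <host>". Skip the add if such a group is already present.
if ($before | Select-String -SimpleMatch "Site - $site") {
    Write-Host "A site code group for $site already exists; nothing added."
} else {
    # Broad form, as one way to express the Trusted Sites setup from the
    # original question (shown for contrast only):
    #   caspol -machine -chggroup Trusted_Zone FullTrust
    # That trusts every host that ever lands in the Trusted Sites list.
    # Narrow form: a child of All_Code matching exactly one source site.
    & $caspol -quiet -machine -addgroup All_Code -site $site FullTrust `
        -name $groupName -description "FullTrust for controls hosted on $site"
    if ($LASTEXITCODE -ne 0) { throw "caspol -addgroup failed ($LASTEXITCODE)" }
}

# Show the resulting entry; it should list FullTrust for the site.
& $caspol -machine -listgroups | Select-String -SimpleMatch "Site - $site"

# Rollback, if the grant is no longer wanted:
#   & $caspol -quiet -machine -remgroup $groupName
```

Site evidence is derived from the host in the URL, so over plain HTTP this grant is only as trustworthy as name resolution and the network path to that host.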