Re: Need help with setting security permissions for IE hosted dll
From: Shel Blauman [MSFT] (sheldonb_at_online.microsoft.com)
Date: 11/21/03
- Next message: Paul Wheeler: "Securely Calling Unknown Assembly"
- Previous message: Roberto Martinez-Brunet: "Re: What type of key pair..."
- In reply to: kyle huble: "Need help with setting security permissions for IE hosted dll"
- Next in thread: kyle huble: "Re: Need help with setting security permissions for IE hosted dll"
- Reply: kyle huble: "Re: Need help with setting security permissions for IE hosted dll"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 20 Nov 2003 15:47:12 -0800
Here's some info on running a managed control under IE:
How to run a user control assembly hosted on an Internet Information Server
(IIS) on an Internet Explorer (IE) client.
The following applies to an assembly intended to execute with greater
permissions than would normally be granted to the zone the assembly belongs
to, most likely Internet, Local Intranet or Trusted Sites.
1.. The user control assembly is identifiable in a manner that can be used
to set the membership condition in a code group either using the .NET
Configuration Tool (Mscorcfg.msc) or caspol.exe. Signing using a strong
name or a certificate is preferable, but other sources of identity such as a
URL or site can also be used. Although a URL or site can serve as a
membership condition, they are not recommended, as they are not as secure as
a strong name or a certificate.
To create a strong name use sn.exe:
sn -k keyPair.snk
// This strong name key is used to create a code group that gives //
permissions to this assembly.
// Sign the assembly with the strong name key.
[assembly: AssemblyKeyFile("keyPair.snk")]
2.. If strong named, the user control has the
AllowedPartiallyTrustedCallers attribute.
// The AllowPartiallyTrustedCallersAttribute requires the assembly to // be
signed with a strong name key.
// This attribute is necessary since the control is called by either an //
intranet or Internet Web page that should be running under //
restricted permissions.
// The fully attributed assembly should look similar to the following:
[assembly: AssemblyKeyFile("snKey.snk")]
[assembly: AssemblyVersion("1.0.0.0")]
[assembly:AllowPartiallyTrustedCallers]
namespace SignedAssembly
3.. The user control asserts permissions it requires which the zone in
which it is running would not normally be granted. Permissions should only
be asserted if it is positively known the calling application has
insufficient permissions. Asserts should not be performed without a strong
need.
new FileIOPermission(PermissionState.Unrestricted).Assert();
textBox1.Text = fileDialog.FileName;
// Display the contents of the file in the text box.
FileStream fsIn = new FileStream(textBox1.Text, FileMode.Open,
FileAccess.Read, FileShare.Read);
StreamReader sr = new StreamReader(fsIn);
// Process every line in the file
for (String Line = sr.ReadLine(); Line != null; Line = sr.ReadLine())
{
listBox1.Items.Add(Line);
}
// It is very important to call RevertAssert to restore the stack walk //
for file operations.
FileIOPermission.RevertAssert();
4.. The user control RevertAsserts immediately after performing asserted
actions.
// It is very important to call RevertAssert to restore the stack walk //
for file operations.
FileIOPermission.RevertAssert();
5.. The user control is hosted in an IIS folder on the server that has an
"Execute permission" set to either "None" or "Scripts Only".
6.. The client has a code group that the assembly resolves to that grants
the permissions the assembly requires.
caspol -machine -addgroup All_Code -strong -file signedassembly.exe
FullTrust -name FouthCoffeeStrongName -description "Code group granting
trust to code signed by FourthCoffee"
Alternatively, the code group can be created using the Microsoft .NET
Framework Configuration tool (Mscorcfg.msc) found under Administrative
Tools.
7.. In Internet Explorer, Internet Options, Advanced Security settings,
the "Do not save encrypted pages to disk" should be unchecked if Internet
Explorer Enhanced Security Configuration has been enabled for both
Administrators and for Other Groups on the server. The Internet Explorer
Enhanced Security setting selected is the default on Windows Server 2003.
When in effect, one of the invoked features is the encryption of downloaded
files. Another feature is the automatic setting of "Do not save encrypted
pages to disk" on the client. To successfully download a user control under
these conditions, the client setting for "Do not save encrypted pages to
disk" should be cleared. This functionality is found in Control Panel, Add
or Remove Programs, Add/Remove Windows Components, Internet Explorer
Enhanced Security Configuration.
8.. The runtime version on the client machine is compatible with the used
to compile the assembly.
9.. The code group created for the user control is in the same runtime
that the control uses.
If problems occur you can create a log reporting the IE errors. See KB
article Q313892 for details.
http://support.microsoft.com/default.aspx?scid=kb;en-us;313892 .
-- This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm "kyle huble" <kylehub@hotmail.com> wrote in message news:7287c705.0311201519.5c86f3e2@posting.google.com... > Hello all. I have written a WinForm control that 1) copies a file from > a CD to the local hard drive 2)reads the copied file and does some > processing 3) saves the results to a network server 4)deletes the > copied file and 5)displays some statistics to the user. When I test > this control in a WinForm it works as expected. However when I call > the dll from IE it stops with no exceptions at the point where it > should copy the file from the CD. For full disclosure is am making a > call to the API function SHFileOperation() because I wanted the user > to have a visual while the file was being copied. I tried also using > just the File.Copy() also with no success. These are the steps I have > taken thus far to try to get this to work: > 1) Using the configuration Wizards I added the dll as a trusted > assembly. I put in the url to the dll on my web server > 2) To the AssemblyInfo.cs I added the following: > [assembly:FileIOPermissionSecurityAction.RequestMinimum,Unrestricted=true)] > [assembly:FileIOPermission(SecurityAction.RequestMinimum,Read="d:\\")] > [assembly:PermissionSet(SecurityAction.RequestOptional, > Name="FullTrust")] > 3) I also Assert on the file permissions: > FileIOPermission FilePermission = new > FileIOPermissionFileIOPermissionAccess.AllAccess,@fileName); > FilePermission.AddPathList(FileIOPermissionAccess.AllAccess,CI.COF_PATH); > FilePermission.Assert(); > 4) Using the Framework Configuration I added new code groups to > ENterprise, Machine and User. I set the Condition type to URL and also > tried Strong since I had created the key using sn.exe. > 5) My Intranet Zone is set to Full Trust. > > Just to rule out that it was because I was attempting to copy a file > from the CD I also tried to copy a file from my hard drive - no > success. > > Aside from this I know that the code is getting to the file because I > am able to get the file size as well as the CD's volume label when I > run it from IE. > > What I have I done wrong. Please HELP!
- Next message: Paul Wheeler: "Securely Calling Unknown Assembly"
- Previous message: Roberto Martinez-Brunet: "Re: What type of key pair..."
- In reply to: kyle huble: "Need help with setting security permissions for IE hosted dll"
- Next in thread: kyle huble: "Re: Need help with setting security permissions for IE hosted dll"
- Reply: kyle huble: "Re: Need help with setting security permissions for IE hosted dll"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
