Re: Adjusting security setting to run an embedded windows control in IE

From: Joe Kaplan \(MVP - ADSI\) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 01/29/04 

Date: Thu, 29 Jan 2004 13:59:26 -0600

Assuming that the code will not execute given the permissions it is getting
in the zone it is running in, I'm pretty sure you aren't going to get this
to work without changing some kind of security permissions on the client.

The reason is that if that code isn't granted the permission to do what it
needs to do, there is no way for the code to get around that. .NET security
policy is administered on the local machine. The idea is that the
administrator gets to decide which resources get which permissions. Then,
code is allowed to execute automatically with the permissions it is given.
This is very different from the downloadable ActiveX control model which
asks the user for permission to install and run and then can do anything the
user has permissions to do on their machine.

Are you sure you can't make adjustments to the client machine security
policy? Are you sure the permission you need isn't already granted to the
zone that the code executes in?

Joe K.

"Crirus" <Crirus@datagroup.ro> wrote in message
news:eCh%23IUm5DHA.2560@TK2MSFTNGP09.phx.gbl...
> I have a application, embedded in IE (html assambly).
> That aplication need to connect back to the server in order to get some
> data.
> What are conditions to succeed without requesting any special permissions
> from client? As an applet do it....
> Should I connect back to the server only using port 80?
> Right now the client app is serverd by Apache and connection back is tryed
> to another aplication on port 9500
>
> Changing security permission by the client is not an option
>
> --
> Cheers,
> Crirus
>
> ------------------------------
> If work were a good thing, the boss would take it all from you
>
> ------------------------------
>
> "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> in message news:OUVp7Zb5DHA.2764@TK2MSFTNGP09.phx.gbl...
> > The best way to do this is to give just the assemblies that need Full
> Trust
> > that permission.
> >
> > The reason it doesn't work in your situation is that when IE creates the
> > AppDomain that it runs your code in, that AppDomain is created based on
> the
> > URL which will have some sort of partial trust (unless that URL or the
> whole
> > zone has been given Full Trust).
> >
> > Two things happen after that:
> > - If your assembly is not marked with the
> > AllowPartiallyTrustedCallersAttribute, the partially trusted AppDomain
> that
> > it is running in will not be able to call it.
> > - Any code that requires a permission will hit your assembly, where it
> will
> > be granted due to your Full Trust, but will likely fail when the stack
> gets
> > up to the partially trusted AppDomain since the AppDomain may not have
> that
> > permission.
> >
> > You have basically two options to solve this:
> > - Make the AppDomain have Full Trust with something like a URL
membership
> > condition. This is the easiest thing to do, but is not very secure,
> > especially if the URL is not very specific.
> > - Add the AllowPartiallyTrustedCallersAttribute and use Assert on the
> > Permissions that you need when you need them to prevent the stack walk
> into
> > the containing AppDomain. This is more work, but is vastly more secure
> and
> > is the recommended approach.
> >
> > There have been some good articles on implementing the second approach.
I
> > believe Ivan Medvedev has some good info on his website. You might
start
> > there:
> > http://www.dotnetthis.com/Articles/WritingForSEE.htm
> >
> > Joe K.
> >
> > "Marina" <someone@nospam.com> wrote in message
> > news:Os5oCLb5DHA.2572@TK2MSFTNGP09.phx.gbl...
> > > Hi,
> > >
> > > I am trying to find the minimum security settings to allow a windows
> > control
> > > embedded in IE have full trust.
> > >
> > > If I give the entire Intranet zone full trust, this works. However,
this
> > is
> > > very broad and gives the entire zone high privleges.
> > >
> > > I tried giving just the assembly full trust (using the full URL for
the
> > > DLL), but this doesn't seem to work.
> > >
> > > Any direction in how to accomplish this?
> > >
> > >
> >
> >
>
>

Relevant Pages

  • Re: Adjusting security setting to run an embedded windows control in IE
    ... the client app need webPermission to connect ... back to the same server and request some data... ... I'm kinda lost in the woods with this permissions... ... >>> The reason it doesn't work in your situation is that when IE creates the>>> AppDomain that it runs your code in, that AppDomain is created based on>> the ...
    (microsoft.public.dotnet.security)
  • Re: HTML embbeded (via <object> tag) Strong FullTrust Assemblies f
    ... > to the appdomain's permissions. ... > appdomain will now allow my assembly full access. ... you add a new code group under the ... You seem to be mixing up the .NET Framework security policy and the IE ...
    (microsoft.public.dotnet.framework.aspnet.security)
  • Re: security/strong name/zones clarification needed
    ... Was this also true in the Intranet Zone? ... >child code-group with full permissions granted to any ... >> needs to host the CLR, it creates an AppDomain, but due ... All my assemblies are strong named. ...
    (microsoft.public.dotnet.security)
  • Re: security/strong name/zones clarification needed
    ... > this AppDomain needs to be setup before your assembly can be loaded, ... > Your assembly will have enough permissions, ... When the call stack is initiated, ... All my assemblies are strong named. ...
    (microsoft.public.dotnet.security)
  • Re: security/strong name/zones clarification needed
    ... several but not publicly documented) about child code-group permissions ... a strong-name, or Authenticode signature evidence. ... This problem would also crop up in the AppDomain case also. ... All my assemblies are strong named. ...
    (microsoft.public.dotnet.security)