Re: Adjusting security setting to run an embedded windows control in IE

From: Crirus (Crirus_at_datagroup.ro)
Date: 02/05/04


Date: Thu, 5 Feb 2004 08:17:58 +0200

Hello

> Does the Uri in the WebPermission that is being demanded match the hostname
> of the Uri that the code was downloaded from?

I'm completely sure that the URI is the same...

I connect IE to http://home and I hardcoded in my code

myWebClient.UploadData("http://home", "POST",data)

> I think you can even check this programmatically by getting the Url evidence
> object from the Evidence on the current AppDomain.

I need a hint on how to do that

-- 
Cheers,
    Crirus
------------------------------
If work were a good thing, the boss would  take it all from you
------------------------------
"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
in message news:%23sT4qU16DHA.696@tk2msftngp13.phx.gbl...
> Does the Uri in the WebPermission that is being demanded match the hostname
> of the Uri that the code was downloaded from?
>
> For example, if your Uri for your request is:
>
> http://cristianserver/resource
>
> did the code also get downloaded from http://cristianserver/resource ?
>
> Essentially, we have been saying that if those host names match, the Demand
> for the permission should work.  If they are different, then you can expect
> a failure.
>
> I think you can even check this programmatically by getting the Url evidence
> object from the Evidence on the current AppDomain.
>
> Joe K.
>
> "Crirus" <Crirus@hotmail.com> wrote in message
> news:eq4u2106DHA.2796@TK2MSFTNGP09.phx.gbl...
> > This is a message error I raise on a try catch that contains the error
> > description and stack trace
> >
> > I really don't understand why I need another permission as they said that any
> > internet code has "same site" connection permission, and caspol shows this
> >
> > Cristian
> >
> > "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> > in message news:OmsBch06DHA.1040@TK2MSFTNGP10.phx.gbl...
> > > Just out of curiosity, what does the code look like in the HttpWebRequest
> > > that you are doing?  Are you sure the Uri matches the hostname of the Uri
> > > you browse from?
> > >
> > > My guess is that the WebPermission that is being demanded makes a comparison
> > > along those lines and a mismatch in the hostname could cause a problem.  It
> > > could be a mismatch between hostname and IP address or something.
> > >
> > > You could try creating a WebPermission with the Uri you are going to use and
> > > demanding that in a Try/Catch block so you can see the error and provide
> > > more detailed feedback.
> > >
> > > Joe K.
> > >
> > > "Crirus" <Crirus@hotmail.com> wrote in message
> > > news:uK$c90z6DHA.3896@TK2MSFTNGP11.phx.gbl...
> > > > This is the result of caspol (on both machines the same)
> > > >
> > > > Level = Enterprise
> > > > Code Groups:
> > > >     1.  All code: FullTrust
> > > >
> > > > Level = Machine
> > > > Code Groups:
> > > >     1.  All code: Nothing
> > > >        1.3.  Zone - Internet: Internet
> > > >           1.3.1.  All code: Same site Web.
> > > >
> > > > Level = User
> > > > Code Groups:
> > > >     1.  All code: FullTrust
> > > >
> > > >
> > > > Anyway, on my PC, everything works fine, but on another intranet PC it
> > > > raises WebPermission
> > > >
> > > > Any idea why?
> > > >
> > > > Crirus
> > > >
> > > > "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> > > > in message news:#7w1#nU6DHA.2656@TK2MSFTNGP11.phx.gbl...
> > > > > Do you know what code group your code is getting assigned?  Also, do you
> > > > > know specifically what permission is being demanded that is failing your
> > > > > case?
> > > > >
> > > > > Joe K.
> > > > >
> > > > > "Crirus" <Crirus@hotmail.com> wrote in message
> > > > > news:%231uNsbM6DHA.488@TK2MSFTNGP12.phx.gbl...
> > > > > > Well, I'm sure if I grant certain permission to my code it works
> > > > > > My hope is that the client doesn't need to set any permission to allow my
> > > > > > application to connect back to its origin server... I'm sure I don't intend
> > > > > > to harm my own server system so why should a client set special permissions?
> > > > > >
> > > > > > The worst thing is that I can't find a good article concerning security and
> > > > > > what I can do in various permission groups :(
> > > > > >
> > > > > > Any thoughts?
> > > > > >
> > > > > > Cristian
> > > > > >
> > > > > > "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> > > > > > in message news:emxyrE35DHA.504@TK2MSFTNGP11.phx.gbl...
> > > > > > > I'm not an expert at all in Java applet security, but I do know that the
> > > > > > > .NET CAS model is very different.
> > > > > > >
> > > > > > > Essentially, code is sorted into membership of different code groups based
> > > > > > > on evidence it presents to the system.  Evidence can be things like the URL
> > > > > > > it came from, its strong name, etc.  Based on the code groups it is put
> > > > > > > into, it will be granted certain permissions.
> > > > > > >
> > > > > > > Thus in your example, your code is presenting some evidence that gets it
> > > > > > > included in a certain code group that is not granted the permission it needs
> > > > > > > to run.  In order to fix this, you probably need to either:
> > > > > > >  - Get your code to fall into a code group that has the permissions you need
> > > > > > >  - Modify the local security policy on the machine to ensure that some
> > > > > > > evidence you can present will get you into a code group with the correct
> > > > > > > permissions
> > > > > > >
> > > > > > > As I was poking around in the default security policy, it looked to me that
> > > > > > > the Trusted_Zone code group gets special permission to connect back to its
> > > > > > > site of origin.  Do you know if IE is finding your site to be in Trusted
> > > > > > > Sites?  If so, based on what I can see you should be getting the permission
> > > > > > > you need.
> > > > > > >
> > > > > > > If that won't work, then you might need to modify the local security policy.
> > > > > > > You could use a URL membership condition or perhaps a strong name.
> > > > > > >
> > > > > > > Joe K.
> > > > > > >
> > > > > > > "Crirus" <Crirus@datagroup.ro> wrote in message
> > > > > > > news:%23PculYw5DHA.1052@TK2MSFTNGP12.phx.gbl...
> > > > > > > > This is the scenario:
> > > > > > > > Client opens the browser, accesses my server, receives a client app, embedded in
> > > > > > > > IE, that starts running. Now, the client app needs WebPermission to connect
> > > > > > > > back to the same server and request some data...
> > > > > > > >
> > > > > > > > My question is if this is allowed, I see no reason why I can't request data
> > > > > > > > from my own server with my own client application... Any Java applet can do
> > > > > > > > that
> > > > > > > >
> > > > > > > > Java only restricts the access to server on the same port 80 from where it was
> > > > > > > > first downloaded
> > > > > > > >
> > > > > > > > I'm kinda lost in the woods with these permissions...
> > > > > > > > So, does the client need to set some permissions? The permission I need is
> > > > > > > > WebPermission but I'm not sure how it works...
> > > > > > > >
> > > > > > > > --
> > > > > > > > Cheers,
> > > > > > > >     Crirus
> > > > > > > >
> > > > > > > > ------------------------------
> > > > > > > > If work were a good thing, the boss would take it all from you
> > > > > > > >
> > > > > > > > ------------------------------
> > > > > > > >
> > > > > > > > "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> > > > > > > > in message news:uL%23ooJq5DHA.3308@TK2MSFTNGP11.phx.gbl...
> > > > > > > > > Assuming that the code will not execute given the permissions it is getting
> > > > > > > > > in the zone it is running in, I'm pretty sure you aren't going to get this
> > > > > > > > > to work without changing some kind of security permissions on the client.
> > > > > > > > >
> > > > > > > > > The reason is that if that code isn't granted the permission to do what it
> > > > > > > > > needs to do, there is no way for the code to get around that.  .NET security
> > > > > > > > > policy is administered on the local machine.  The idea is that the
> > > > > > > > > administrator gets to decide which resources get which permissions.  Then,
> > > > > > > > > code is allowed to execute automatically with the permissions it is given.
> > > > > > > > > This is very different from the downloadable ActiveX control model which
> > > > > > > > > asks the user for permission to install and run and then can do anything the
> > > > > > > > > user has permissions to do on their machine.
> > > > > > > > >
> > > > > > > > > Are you sure you can't make adjustments to the client machine security
> > > > > > > > > policy?  Are you sure the permission you need isn't already granted to the
> > > > > > > > > zone that the code executes in?
> > > > > > > > >
> > > > > > > > > Joe K.
> > > > > > > > >
> > > > > > > > > "Crirus" <Crirus@datagroup.ro> wrote in message
> > > > > > > > > news:eCh%23IUm5DHA.2560@TK2MSFTNGP09.phx.gbl...
> > > > > > > > > > I have an application, embedded in IE (html assembly).
> > > > > > > > > > That application needs to connect back to the server in order to get some
> > > > > > > > > > data.
> > > > > > > > > > What are conditions to succeed without requesting any special permissions
> > > > > > > > > > from client? As an applet does it....
> > > > > > > > > > Should I connect back to the server only using port 80?
> > > > > > > > > > Right now the client app is served by Apache and connection back is tried
> > > > > > > > > > to another application on port 9500
> > > > > > > > > >
> > > > > > > > > > Changing security permission by the client is not an option
> > > > > > > > > >
> > > > > > > > > > --
> > > > > > > > > > Cheers,
> > > > > > > > > >     Crirus
> > > > > > > > > >
> > > > > > > > > > ------------------------------
> > > > > > > > > > If work were a good thing, the boss would take it all from you
> > > > > > > > > >
> > > > > > > > > > ------------------------------
> > > > > > > > > >
> > > > > > > > > > "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
> > > > > > > > > > in message news:OUVp7Zb5DHA.2764@TK2MSFTNGP09.phx.gbl...
> > > > > > > > > > > The best way to do this is to give just the assemblies that need Full Trust
> > > > > > > > > > > that permission.
> > > > > > > > > > >
> > > > > > > > > > > The reason it doesn't work in your situation is that when IE creates the
> > > > > > > > > > > AppDomain that it runs your code in, that AppDomain is created based on the
> > > > > > > > > > > URL which will have some sort of partial trust (unless that URL or the whole
> > > > > > > > > > > zone has been given Full Trust).
> > > > > > > > > > >
> > > > > > > > > > > Two things happen after that:
> > > > > > > > > > >  - If your assembly is not marked with the
> > > > > > > > > > > AllowPartiallyTrustedCallersAttribute, the partially trusted AppDomain that
> > > > > > > > > > > it is running in will not be able to call it.
> > > > > > > > > > >  - Any code that requires a permission will hit your assembly, where it will
> > > > > > > > > > > be granted due to your Full Trust, but will likely fail when the stack gets
> > > > > > > > > > > up to the partially trusted AppDomain since the AppDomain may not have that
> > > > > > > > > > > permission.
> > > > > > > > > > >
> > > > > > > > > > > You have basically two options to solve this:
> > > > > > > > > > >  - Make the AppDomain have Full Trust with something like a URL membership
> > > > > > > > > > > condition.  This is the easiest thing to do, but is not very secure,
> > > > > > > > > > > especially if the URL is not very specific.
> > > > > > > > > > >  - Add the AllowPartiallyTrustedCallersAttribute and use Assert on the
> > > > > > > > > > > Permissions that you need when you need them to prevent the stack walk into
> > > > > > > > > > > the containing AppDomain.  This is more work, but is vastly more secure and
> > > > > > > > > > > is the recommended approach.
> > > > > > > > > > >
> > > > > > > > > > > There have been some good articles on implementing the second approach.  I
> > > > > > > > > > > believe Ivan Medvedev has some good info on his website.  You might start
> > > > > > > > > > > there:
> > > > > > > > > > > http://www.dotnetthis.com/Articles/WritingForSEE.htm
> > > > > > > > > > >
> > > > > > > > > > > Joe K.
> > > > > > > > > > >
> > > > > > > > > > > "Marina" <someone@nospam.com> wrote in message
> > > > > > > > > > > news:Os5oCLb5DHA.2572@TK2MSFTNGP09.phx.gbl...
> > > > > > > > > > > > Hi,
> > > > > > > > > > > >
> > > > > > > > > > > > I am trying to find the minimum security settings to allow a windows control
> > > > > > > > > > > > embedded in IE to have full trust.
> > > > > > > > > > > >
> > > > > > > > > > > > If I give the entire Intranet zone full trust, this works.  However, this is
> > > > > > > > > > > > very broad and gives the entire zone high privileges.
> > > > > > > > > > > >
> > > > > > > > > > > > I tried giving just the assembly full trust (using the full URL for the
> > > > > > > > > > > > DLL), but this doesn't seem to work.
> > > > > > > > > > > >
> > > > > > > > > > > > Any direction in how to accomplish this?
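
The check suggested in this thread (read the Url evidence of the current AppDomain, compare its host with the target, then demand a WebPermission for the target inside a try/catch), written out as an added C# example that is not code from any poster. The class and method names are hypothetical, and it assumes the .NET Framework code access security model the thread discusses; reading evidence itself needs SecurityPermission with ControlEvidence, so a refusal there is caught and reported.

```csharp
// Added example, not code from the thread. .NET Framework CAS only.
using System;
using System.Collections;
using System.Net;
using System.Security;
using System.Security.Policy;
using System.Text;
public class OriginCheck   // hypothetical helper name
{
    // Reports how the current AppDomain's evidence relates to 'target'.
    public static string Diagnose(string target)
    {
        Uri targetUri = new Uri(target);
        StringBuilder report = new StringBuilder("Target: " + targetUri.AbsoluteUri + "\r\n");
        try
        {
            // Host evidence (Zone, Url, Site) is what policy matched code groups on.
            IEnumerator e = AppDomain.CurrentDomain.Evidence.GetHostEnumerator();
            while (e.MoveNext())
            {
                Zone zone = e.Current as Zone;
                if (zone != null) report.Append("Zone: " + zone.SecurityZone + "\r\n");
                Url url = e.Current as Url;
                if (url == null) continue;
                report.Append("Url evidence: " + url.Value + "\r\n");
                try
                {
                    Uri origin = new Uri(url.Value);
                    bool same = String.Compare(origin.Host, targetUri.Host, true) == 0;
                    report.Append("Origin host " + origin.Host + (same ? ": match" : ": MISMATCH") + "\r\n");
                }
                catch (UriFormatException) { report.Append("Url evidence is not an absolute URI\r\n"); }
            }
        }
        catch (SecurityException)
        {
            // Reading evidence needs SecurityPermission with ControlEvidence.
            report.Append("Evidence not readable at this trust level\r\n");
        }
        try
        {
            // Demand the permission explicitly, as suggested in the thread.
            new WebPermission(NetworkAccess.Connect, targetUri.AbsoluteUri).Demand();
            report.Append("WebPermission demand: granted");
        }
        catch (SecurityException ex) { report.Append("WebPermission demand: denied: " + ex.Message); }
        return report.ToString();
    }
}
```

Calling `OriginCheck.Diagnose("http://home")` from the hosted control and displaying the returned text on both machines shows whether the evidence or the grant differs between them.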

