Re: code access security with URL condition
From: Sankar Nemani (snemani_at_nospamlumedx.com)
Date: 08/25/04
Date: Wed, 25 Aug 2004 10:01:56 -0700
Yes indeed it is "unclear". But this is a good start for me to understand
how CASPol works.
Thanks a bunch
Sankar Nemani
"Shawn Farkas" <shawnfa@online.microsoft.com> wrote in message
news:9lhy9ciiEHA.2200@cpmsftngxa10.phx.gbl...
> You can find lots of this information on our MSDN site, for a good intro
> look at the Security Policy topic of the following article:
>
> http://msdn.microsoft.com/library/en-us/dnnetsec/html/netframesecover.asp?frame=true#netframesecover_topic7
>
> Basically how it works is that on each policy level is a tree of code
> groups. Each code group has a membership condition, a permission set,
> some child code groups, and a way to combine multiple sets. Starting from
> the root code group, the policy evaluation checks the membership
> condition of the code group that is currently being evaluated. If the
> evidence of the assembly being evaluated matches the membership condition,
> then we proceed to the child code groups, combining all children code
> groups with the combination mechanism specified by the code group itself.
> (If that wasn't unclear enough ...... almost all code groups are
> UnionCodeGroups, which simply take the union of all the permission sets of
> their child code groups that also match the evidence).
>
> So on each policy level, we end up unioning all the code groups that match
> (unless you hit a LevelFinal or Exclusive group), leaving us with four
> permission sets, one per level. Then we intersect all four of these sets
> and end up with the final assembly grant.
>
> -Shawn
> http://blogs.msdn.com/shawnfa
>
> --
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> Note: For the benefit of the community-at-large, all responses to this
> message are best directed to the newsgroup/thread from which they
> originated.
> --------------------
> >From: "Sankar Nemani" <snemani@nospamlumedx.com>
> >Subject: Re: code access security with URL condition
> >Date: Tue, 24 Aug 2004 13:08:55 -0700
> >
> >So is there a place that discusses how the .NET framework finds the code
> >group when more than one code group exists?
> >
> >"Nicole Calinoiu" <nicolec@somewhere.net> wrote in message
> >news:#PSpQHhiEHA.4056@TK2MSFTNGP09.phx.gbl...
> >> UrlMembershipCondition, which is the class responsible for testing whether
> >> evidence matches a code group URL condition, does not account for the
> >> multiple URLs that could be used to reach the same site. My guess would be
> >> that while you were working offline, you used the various localhost, machine
> >> name, and 127.0.0.1 addresses in such a way as to make some of the controls
> >> source from each one. As for needing the two root/* and root/virtdir1/*
> >> forms, I wonder if you really need all 6 or just the 3 root variants of the
> >> more suitable of the two.
> >>
> >> Either way, instead of spending time worrying about a purely dev-time
> >> configuration problem that you've already solved, perhaps it might be more
> >> worthwhile to spend some time figuring out how to get the controls to run
> >> without full trust...
> >>
> >> "Sankar Nemani" <snemani@nospamlumedx.com> wrote in message
> >> news:ux7TKqfiEHA.1356@TK2MSFTNGP09.phx.gbl...
> >> > Hi
> >> > We have two virtual directories in which our .NET controls reside. We
> >> > host these controls in IE. These controls need full trust permission set.
> >> > We tried to create a codegroup that has a URL condition http://localhost/*
> >> > and gave full trust permission and tested by opening IE on the same machine
> >> > as the server (that is why localhost should have been OK). Some parts of
> >> > the controls worked but we got SecurityExceptions for others. We kept
> >> > getting SecurityExceptions in one part or the other until we created 6
> >> > code groups with URL conditions
> >> > http://localhost/*
> >> > http://MACHINENAME/*
> >> > http://127.0.0.1/*
> >> > http://localhost/VirtDir1/*
> >> > http://MACHINENAME/VirtDir1/*
> >> > http://127.0.0.1/VirtDir1/*
> >> > and gave full trust for all these code groups. The computer is not on any
> >> > network. When it was hooked up to a network, we didn't need all 6 code
> >> > groups. It seems like the code access security mechanism is not able to
> >> > figure out localhost, MACHINENAME and 127.0.0.1 as the same URL.
> >> > I would like to understand how .NET applies these permissions and if
> >> > there are any resources that discuss these things in detail.
> >> > TIA
> >> > Sankar Nemani
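
Added example (not part of the original thread, and not .NET code): a simplified Python model of the resolution Shawn Farkas describes above, combined with the string-only URL matching Nicole Calinoiu points out. The permission names, the `http://*` stand-in group, the `Control.dll` file name and the policy layout are constructed assumptions; LevelFinal and Exclusive handling is not modelled.

```python
from dataclasses import dataclass, field

# Constructed permission names; ALL stands in for the FullTrust permission set.
ALL = frozenset({"Execution", "UI", "FileIO", "Reflection", "UnmanagedCode"})
INTERNET = frozenset({"Execution", "UI"})   # constructed restricted set
NOTHING = frozenset()
LEVELS = ("enterprise", "machine", "user", "appdomain")

def url_matches(condition: str, url: str) -> bool:
    """Pure string test: trailing * is a prefix wildcard, no host alias lookup."""
    condition, url = condition.lower(), url.lower()
    if condition.endswith("*"):
        return url.startswith(condition[:-1])
    return url == condition

@dataclass
class CodeGroup:
    condition: str                 # URL condition; "*" matches all code
    permissions: frozenset
    children: list = field(default_factory=list)

    def resolve(self, url: str) -> frozenset:
        """Union behaviour: own set plus the sets of all matching children."""
        if not url_matches(self.condition, url):
            return NOTHING
        grant = self.permissions
        for child in self.children:
            grant |= child.resolve(url)
        return grant

def build_policy(url_conditions):
    """Machine level carries the URL groups; other levels grant everything."""
    policy = {name: CodeGroup("*", ALL) for name in LEVELS}
    custom = [CodeGroup(c, ALL) for c in url_conditions]
    policy["machine"] = CodeGroup("*", NOTHING,
                                  [CodeGroup("http://*", INTERNET)] + custom)
    return policy

def final_grant(policy: dict, url: str) -> frozenset:
    """Intersect the four per-level results into the assembly grant."""
    grant = ALL
    for root in policy.values():
        grant &= root.resolve(url)
    return grant

if __name__ == "__main__":
    one = build_policy(["http://localhost/*"])
    for host in ("localhost", "127.0.0.1", "MACHINENAME"):
        url = f"http://{host}/VirtDir1/Control.dll"
        print(url, sorted(final_grant(one, url)))
```

In this model only the `localhost` URL receives the full set; the same file reached through `127.0.0.1` or the machine name falls back to the restricted set, and tightening any single level caps the final grant regardless of what the other levels allow.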