Re: code access security with URL condition

From: Shawn Farkas (shawnfa_at_online.microsoft.com)
Date: 08/25/04


Date: Wed, 25 Aug 2004 21:12:15 GMT

Sorry about the confusing explanation. Reread the last paragraph of my post, which sums it up in the general case:

So on each policy level, we end up unioning all the code groups that match (unless you hit a LevelFinal or Exclusive group), leaving us with four
permission sets, one per level. Then we intersect all four of these sets and end up with the final assembly grant.

To clear up one other thing -- CASPol is simply the commandline tool that is used to modify policy settings. CAS (without the -pol) is the code
access security system that includes policy evaluation (what I was describing below).

-Shawn
http://blogs.msdn.com/shawnfa

-- 
This posting is provided "AS IS" with no warranties, and confers no rights.
Note: For the benefit of the community-at-large, all responses to this message are best directed to the newsgroup/thread from which they originated.
--------------------
>From: "Sankar Nemani" <snemani@nospamlumedx.com>
>References: <ux7TKqfiEHA.1356@TK2MSFTNGP09.phx.gbl> <#PSpQHhiEHA.4056@TK2MSFTNGP09.phx.gbl> <#HERuZhiEHA.3608
@TK2MSFTNGP09.phx.gbl> <9lhy9ciiEHA.2200@cpmsftngxa10.phx.gbl>
>Subject: Re: code access security with URL condition
>Date: Wed, 25 Aug 2004 10:01:56 -0700
>Lines: 139
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.3790.181
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.181
>Message-ID: <OaO78VsiEHA.3896@TK2MSFTNGP15.phx.gbl>
>Newsgroups: microsoft.public.dotnet.security
>NNTP-Posting-Host: 63.80.71.248
>Path: cpmsftngxa10.phx.gbl!TK2MSFTFEED01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP15.phx.gbl
>Xref: cpmsftngxa10.phx.gbl microsoft.public.dotnet.security:7232
>X-Tomcat-NG: microsoft.public.dotnet.security
>
>Yes indeed it is "unclear". But this is a good starting for me to understand
>how CASPol works.
>Thanks a bunch
>Sankar Nemani
>"Shawn Farkas" <shawnfa@online.microsoft.com> wrote in message
>news:9lhy9ciiEHA.2200@cpmsftngxa10.phx.gbl...
>> You can find lots of this information on our MSDN site, for a good intro
>> look at the Security Policy topic of the following article:
>>
>> http://msdn.microsoft.com/library/en-us/dnnetsec/html/netframesecover.asp?frame=true#netframesecover_topic7
>>
>> Basically how it works is that on each policy level is a tree of code
>> groups.  Each code group has a membership condition, a permission set,
>> some child code groups, and a way to combine multiple sets.  Starting from
>> the root code group, the policy evaluation checks the membership
>> condition of the code group that is currently being evaluated.  If the
>> evidence of the assembly being evaluated matches the membership condition,
>> then we proceed to the child code groups, combining all children code
>> groups with the combination mechanism specified by the code group itself.
>> (If that wasn't unclear enough ...... almost all code groups are
>> UnionCodeGroups, which simply take the union of all the permission sets of
>> their child code groups that also match the evidence).
>>
>> So on each policy level, we end up unioning all the code groups that match
>> (unless you hit a LevelFinal or Exclusive group), leaving us with four
>> permission sets, one per level.  Then we intersect all four of these sets
>> and end up with the final assembly grant.
>>
>> -Shawn
>> http://blogs.msdn.com/shawnfa
>>
>> -- 
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>> Note: For the benefit of the community-at-large, all responses to this
>> message are best directed to the newsgroup/thread from which they
>> originated.
>> --------------------
>> >From: "Sankar Nemani" <snemani@nospamlumedx.com>
>> >References: <ux7TKqfiEHA.1356@TK2MSFTNGP09.phx.gbl>
>> ><#PSpQHhiEHA.4056@TK2MSFTNGP09.phx.gbl>
>> >Subject: Re: code access security with URL condition
>> >Date: Tue, 24 Aug 2004 13:08:55 -0700
>> >Lines: 66
>> >X-Priority: 3
>> >X-MSMail-Priority: Normal
>> >X-Newsreader: Microsoft Outlook Express 6.00.3790.181
>> >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.181
>> >Message-ID: <#HERuZhiEHA.3608@TK2MSFTNGP09.phx.gbl>
>> >Newsgroups: microsoft.public.dotnet.security
>> >NNTP-Posting-Host: 63.80.71.253
>> >Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09.phx.gbl
>> >Xref: cpmsftngxa10.phx.gbl microsoft.public.dotnet.security:7219
>> >X-Tomcat-NG: microsoft.public.dotnet.security
>> >
>> >So is there a place that discusses how the .NET framework finds the code
>> >group when more than one code group exist?
>> >
>> >"Nicole Calinoiu" <nicolec@somewhere.net> wrote in message
>> >news:#PSpQHhiEHA.4056@TK2MSFTNGP09.phx.gbl...
>> >> UrlMembershipCondition, which is the class responsible for testing
>> >> whether evidence matches a code group URL condition, does not account for
>> >> the multiple URLs that could be used to reach the same site.  My guess
>> >> would be that while you were working offline, you used the various
>> >> localhost, machine name, and 127.0.0.1 addresses in such a way as to make
>> >> some of the controls source from each one.  As for needing the two root/*
>> >> and root/virtdir1/* forms, I wonder if you really need all 6 or just the 3
>> >> root variants of the more suitable of the two.
>> >>
>> >> Either way, instead of spending time worrying about a purely dev-time
>> >> configuration problem that you've already solved, perhaps it might be
>> >> more worthwhile to spend some time figuring out how to get the controls
>> >> to run without full trust...
>> >>
>> >>
>> >> "Sankar Nemani" <snemani@nospamlumedx.com> wrote in message
>> >> news:ux7TKqfiEHA.1356@TK2MSFTNGP09.phx.gbl...
>> >> > Hi
>> >> >    We have two virtual directories in which our .NET controls reside.
>> >> > We host these controls in IE. These controls need full trust permission
>> >> > set. We tried to create a codegroup that has a URL condition
>> >> > http://localhost/* and gave full trust permission and tested by opening
>> >> > IE on the same machine as the server (that is why localhost should have
>> >> > been OK). Some parts of the controls worked but we got
>> >> > SecurityExceptions for others. We kept getting SecurityExceptions in one
>> >> > part or the other until we created 6 code groups with URL conditions
>> >> > http://localhost/*
>> >> > http://MACHINENAME/*
>> >> > http://127.0.0.1/*
>> >> > http://localhost/VirtDir1/*
>> >> > http://MACHINENAME/VirtDir1/*
>> >> > http://127.0.0.1/VirtDir1/*
>> >> > and gave full trust for all these code groups. The computer is not on
>> >> > any network. When it was hooked up to a network, we didn't need all
>> >> > 6 code groups. It seems like the code access security mechanism is not
>> >> > able to figure out localhost, MACHINENAME and 127.0.0.1 as the same URL.
>> >> > I would like to understand how .NET applies these permissions and if
>> >> > there are any resources that discuss these things in detail.
>> >> > TIA
>> >> > Sankar Nemani
>> >> >
>> >> >
>> >> >
>> >>
>> >>
>> >
>> >
>> >
>>
>>
>
>
>
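The evaluation Shawn describes (union of matching code groups within each policy level, intersection of the four per-level grants, with LevelFinal and Exclusive as the two exceptions) and Nicole's point that UrlMembershipCondition compares URLs literally without treating localhost, the machine name and 127.0.0.1 as the same host, modelled in Python as an added example. This is not code from the thread or from the .NET Framework; the class and function names (CodeGroup, build_policy, grant_for), the Execution-only stand-in for the zone code group, and the sample URLs are assumptions constructed for illustration.

```python
"""Constructed model of CAS policy evaluation as the thread describes it:
four policy levels, each a tree of union code groups; matching groups are
unioned within a level and the per-level grants are intersected."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Tuple

FULL_TRUST: FrozenSet[str] = frozenset({"FullTrust"})  # sentinel: unrestricted
NOTHING: FrozenSet[str] = frozenset()

class PolicyException(Exception):
    """More than one Exclusive code group matched at one level."""

@dataclass(frozen=True)
class Url:
    value: str  # Url evidence: where the assembly was loaded from

class AllCode:
    def check(self, ev: Url) -> bool:
        return True

@dataclass(frozen=True)
class UrlCondition:
    pattern: str  # literal URL, optional trailing '*' wildcard

    def check(self, ev: Url) -> bool:
        # Case-insensitive prefix match with no host normalisation, as
        # UrlMembershipCondition does: "http://localhost/*" never matches a
        # "http://127.0.0.1/..." URL, which is why six groups were needed.
        pat, url = self.pattern.lower(), ev.value.lower()
        return url.startswith(pat[:-1]) if pat.endswith("*") else url == pat

@dataclass
class CodeGroup:
    condition: object
    permissions: FrozenSet[str]
    children: List["CodeGroup"] = field(default_factory=list)
    exclusive: bool = False    # only this group's set counts at its level
    level_final: bool = False  # lower policy levels are not consulted

def ps_union(a, b):
    return FULL_TRUST if "FullTrust" in a or "FullTrust" in b else a | b

def ps_intersect(a, b):
    if "FullTrust" in a:
        return b
    return a if "FullTrust" in b else a & b

def resolve(group: CodeGroup, ev: Url):
    """Union-group resolution: None if the condition fails, else (union of this
    group's set with every matching descendant, Exclusive groups seen,
    whether any matching group was LevelFinal)."""
    if not group.condition.check(ev):
        return None
    grant, exclusives, final = group.permissions, [], group.level_final
    if group.exclusive:
        exclusives.append(group)
    for child in group.children:
        res = resolve(child, ev)
        if res is not None:
            grant = ps_union(grant, res[0])
            exclusives += res[1]
            final = final or res[2]
    return grant, exclusives, final

def resolve_level(root: CodeGroup, ev: Url) -> Tuple[FrozenSet[str], bool]:
    res = resolve(root, ev)
    if res is None:
        return NOTHING, False
    grant, exclusives, final = res
    if len(exclusives) > 1:
        raise PolicyException("multiple Exclusive code groups matched")
    return (exclusives[0].permissions if exclusives else grant), final

def resolve_policy(levels, ev: Url) -> FrozenSet[str]:
    """Intersect the per-level grants; a LevelFinal match stops the walk."""
    grant = FULL_TRUST
    for _name, root in levels:
        level_grant, final = resolve_level(root, ev)
        grant = ps_intersect(grant, level_grant)
        if final:
            break
    return grant

def build_policy(url_patterns, user_grant=FULL_TRUST, url_groups_final=False):
    """Constructed policy: Machine level with a stand-in zone group granting
    only Execution plus one FullTrust group per URL pattern; the other levels
    grant FullTrust except User, whose grant is a parameter."""
    machine = CodeGroup(AllCode(), NOTHING, [
        CodeGroup(AllCode(), frozenset({"Execution"})),
        *[CodeGroup(UrlCondition(p), FULL_TRUST, level_final=url_groups_final)
          for p in url_patterns]])
    return [("Enterprise", CodeGroup(AllCode(), FULL_TRUST)), ("Machine", machine),
            ("User", CodeGroup(AllCode(), user_grant)),
            ("AppDomain", CodeGroup(AllCode(), FULL_TRUST))]

LOCALHOST_ONLY = ["http://localhost/*"]
THREE_HOSTS = ["http://localhost/*", "http://MACHINENAME/*", "http://127.0.0.1/*"]

def grant_for(url: str, patterns, **kw) -> FrozenSet[str]:
    return resolve_policy(build_policy(patterns, **kw), Url(url))

if __name__ == "__main__":
    for u in ("http://localhost/VirtDir1/Ctl.dll", "http://127.0.0.1/VirtDir1/Ctl.dll"):
        print(u, sorted(grant_for(u, LOCALHOST_ONLY)), sorted(grant_for(u, THREE_HOSTS)))
```

With only the localhost group, a control loaded via 127.0.0.1 gets just the stand-in zone grant, which is the SecurityException pattern from the original post; adding the three host forms makes all three URLs resolve to FullTrust. The model also shows the two things a reviewer of such a policy should check: a restrictive User level still cuts a Machine-level FullTrust grant down by intersection unless the matching group is LevelFinal, and a host-wide pattern such as http://localhost/* grants FullTrust to every assembly served from that host, not only the ones under VirtDir1.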

