Re: security exception for aspx page
From: GoCMS (GoCMS_at_discussions.microsoft.com)
Date: 11/23/04
- Next message: Joe Kaplan \(MVP - ADSI\): "Re: security exception for aspx page"
- Previous message: Valery Pryamikov: "Re: Reverse usage of public/private RSA encryption keys for licensing?"
- In reply to: Joe Kaplan \(MVP - ADSI\): "Re: security exception for aspx page"
- Next in thread: Joe Kaplan \(MVP - ADSI\): "Re: security exception for aspx page"
- Reply: Joe Kaplan \(MVP - ADSI\): "Re: security exception for aspx page"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 23 Nov 2004 10:31:02 -0800
Is there any article or example of how to write the wrapper? I'm just a
newbie in terms of security. Thanks!
"Joe Kaplan (MVP - ADSI)" wrote:
> You can't just inherit, you have to wrap. The reason is that you must manually
> assert each permission that their code demands in order to block the stack
> walk. If their code demands a lot of permissions, this will be a pain.
>
> Essentially, you just create a permission object of the same type that is
> being demanded by the code lower down and call the Assert method before
> calling the method that causes their demand. Your assert will then block
> their demand. Make sure you call RevertAssert when you are done.
>
> HTH,
>
> Joe K.
>
> "GoCMS" <GoCMS@discussions.microsoft.com> wrote in message
> news:06345205-3035-47A3-B37B-07CF5298990D@microsoft.com...
> > About the second approach, I wrote a class that inherits the 3rd party
> > control, or just a class that delegates the functions to 3rd party control
> > functions. I also add APTCA attribute and put both of the assemblies (my
> > wrapper and 3rd party one) into GAC. It still fails at the same place.
> > What did I miss? (Note: replace with my assembly doesn't eliminate the
> > reference to the 3rd party control).
> > Thanks a bunch!
> >
> >
> > "Joe Kaplan (MVP - ADSI)" wrote:
> >
> >> Contact the vendor?
> >>
> >> Alternately, if it is strong named, you could put it in the GAC, then write
> >> a wrapper assembly that does have APTCA on it that talks to the control.
> >> Then, your code would talk to your wrapper which is also in the GAC, and
> >> thus would have full trust.
> >>
> >> Obviously, the first option is much less work :)
> >>
> >> Or, give up on partial trust for web development. That's what most of us do.
> >>
> >> Joe K.
> >>
> >> "GoCMS" <GoCMS@discussions.microsoft.com> wrote in message
> >> news:5E9C8325-1F83-47C1-A332-DFAFFA98E8D8@microsoft.com...
> >> > Thanks again! That's exactly what happens. The assembly provided doesn't
> >> > have APTCA. That is bad news. Even if I don't use it as a share point
> >> > Web Part, I'm going to have trouble for any web application with trust
> >> > level not set to "Full". But on the other hand, I don't want to lower
> >> > security level just to use 3rd party DLL. What to do?
> >> > "Joe Kaplan (MVP - ADSI)" wrote:
> >> >
> >> >> The easiest way would be with Reflector or ILDasm. In reflector, you just
> >> >> load up the assembly and click on it. Then, hit space to reverse compile.
> >> >> You should see all the attributes at the assembly level in the
> >> >> decompilation. If APTCA is set, it will be in there.
> >> >>
> >> >> If it isn't set, you are going to have trouble using that control in
> >> >> SharePoint.
> >> >>
> >> >> Joe K.
> >> >>
> >> >> "GoCMS" <GoCMS@discussions.microsoft.com> wrote in message
> >> >> news:2CF2A027-EA49-4A45-8FAB-DC25F97DFAE2@microsoft.com...
> >> >> > Hi, Joe:
> >> >> > Thanks a lot for your help. You were right, when you said it should
> >> >> > give you the specific permission, I began to doubt it wasn't the
> >> >> > problem of authenticateAsUser("adminUser"...)! I again narrowed it
> >> >> > down, and came to third-party control, called Obout tree view.
> >> >> > Before you read along, I want to ask if the third-party provided
> >> >> > assembly doesn't set APTCA (AllowPartiallyTrustedCallersAttribute), is
> >> >> > it true that we can't get away with partially trusted web application?
> >> >> > How to find out if their assembly doesn't set APTCA?
> >> >> >
> >> >> > See the exception below, it throws exception at Line 49, DisplayPage
> >> >> > function. I made it very short and simple like
> >> >> > private void DisplayPage()
> >> >> > {
> >> >> > oTree = new obout_ASPTreeView_2_NET.Tree();
> >> >> > oTree.FolderIcons = "/TreeIcons/Icons";
> >> >> > oTree.FolderStyle = "/TreeIcons/Styles/Win2003";
> >> >> > oTree.ShowIcons = true;
> >> >> > oTree.SelectedEnable = false;
> >> >> > }
> >> >> > Exception Info.....
> >> >> > ***********************************************************
> >> >> > Description: The application attempted to perform an operation not
> >> >> > allowed by the security policy. To grant this application the required
> >> >> > permission please contact your system administrator or change the
> >> >> > application's trust level in the configuration file.
> >> >> >
> >> >> > Exception Details: System.Security.SecurityException: Security error.
> >> >> > Source Error:
> >> >> > Line 47: RebuildXMLFile();
> >> >> > Line 48:
> >> >> > Line 49: DisplayPage();
> >> >> > Line 50:
> >> >> > Line 51: RegisterButton.Attributes.Add("onClick", "ob_t2send();");
> >> >> > Source File: d:\inetpub\wwwroot\MyProject\MyFile.aspx.cs Line: 49
> >> >> > Stack Trace:
> >> >> > [SecurityException: Security error.]
> >> >> > MyNamespace.MyProject.MyFile.DisplayPage() +0
> >> >> > MyNamespace.MyProject.MyFile.Page_Load(Object sender, EventArgs e) in d:\inetpub\wwwroot\MyProject\MyFile.aspx.cs:49
> >> >> > System.Web.UI.Control.OnLoad(EventArgs e) +67
> >> >> > System.Web.UI.Control.LoadRecursive() +35
> >> >> > System.Web.UI.Page.ProcessRequestMain() +2112
> >> >> > System.Web.UI.Page.ProcessRequest() +218
> >> >> > System.Web.UI.Page.ProcessRequest(HttpContext context) +18
> >> >> > System.Web.CallHandlerExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute() +179
> >> >> > System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +87
> >> >> > **********************************************************
> >> >> >
> >> >> > "Joe Kaplan (MVP - ADSI)" wrote:
> >> >> >
> >> >> >> I'm not sure about how CMS works with CAS, but if a security exception
> >> >> >> is being thrown, then there should be an indication of what the
> >> >> >> permission requirement is. Otherwise, try to get us more details. You
> >> >> >> might also try asking in one of the CMS groups.
> >> >> >>
> >> >> >> Joe K.
> >> >> >>
> >> >> >> "GoCMS" <GoCMS@discussions.microsoft.com> wrote in message
> >> >> >> news:765F2C4F-2578-4EDE-AB88-334376CF08BF@microsoft.com...
> >> >> >> > Forget about my previous post, I passed it.
> >> >> >> > Now I came to the REAL problem, it's actually complained when I used
> >> >> >> > a function from Microsoft.ContentManagement.Publishing.dll
> >> >> >> > CmsApplicationContext.AuthenticateAsUser(
> >> >> >> > "admin_user_for_CMS_site","password",PublishingMode.Published);
> >> >> >> >
> >> >> >> > I'm actually not sure what kind of permission it needs. It's not even
> >> >> >> > part of standard .net library.
> >> >> >> > Sorry for the confusion, I came a long way to get rid of all my
> >> >> >> > invalid suspicion...
> >> >> >> >
> >> >> >> > "GoCMS" wrote:
> >> >> >> >
> >> >> >> >> Thanks again for your help. I guess it's me who lacks such security
> >> >> >> >> knowledge.
> >> >> >> >> In my Wss_MediumTrust.config file, (just regard it as any customized
> >> >> >> >> policy file)
> >> >> >> >> I have:
> >> >> >> >> <PermissionSet
> >> >> >> >> class="NamedPermissionSet"
> >> >> >> >> version="1"
> >> >> >> >> Name="ASP.Net">
> >> >> >> >> <IPermission
> >> >> >> >> class="FileIOPermission"
> >> >> >> >> version="1"
> >> >> >> >> Read="$AppDir$"
> >> >> >> >> Write="$AppDir$"
> >> >> >> >> Append="$AppDir$"
> >> >> >> >> PathDiscovery="$AppDir$"
> >> >> >> >> />
> >> >> >> >> </PermissionSet>
> >> >> >> >> What I really want, besides the above, is the read/write/delete
> >> >> >> >> privilege for a particular file, say
> >> >> >> >> c:\inetpub\wwwroot\shared\My_File.txt.
> >> >> >> >>
> >> >> >> >> Thanks!
> >> >> >> >>
> >> >> >> >>
> >> >> >> >>
> >> >> >> >> "Joe Kaplan (MVP - ADSI)" wrote:
> >> >> >> >>
> >> >> >> >> > So, it is a FileIOPermission that isn't being granted? In that
> >> >> >> >> > case, you need to make sure that the permission set you have
> >> >> >> >> > grants that required access. You would need to look at what you
> >> >> >> >> > are being granted in the policy and modify that. I'm not exactly
> >> >> >> >> > sure where that is configured in SharePoint though. Sorry I'm not
> >> >> >> >> > too helpful here. Can you show any more info about the
> >> >> >> >> > FileIOPermission that isn't being granted?
> >> >> >> >> >
> >> >> >> >> > The other option would be to perform the privileged operation from
> >> >> >> >> > an assembly that has higher permissions and Assert the required
> >> >> >> >> > permissions to avoid the stack trace.
> >> >> >> >> >
> >> >> >> >> > Joe K.
> >> >> >> >> >
> >> >> >> >> > "GoCMS" <GoCMS@discussions.microsoft.com> wrote in message
> >> >> >> >> > news:65DAE916-21D7-42C5-86D0-78A4478416A1@microsoft.com...
> >> >> >> >> > > Thanks! It turns out, I guess, it's not a problem of calling 3rd
> >> >> >> >> > > party dll (or I haven't reached there). According to the stack
> >> >> >> >> > > trace, it fails where I tried to write to a file. So I guess I
> >> >> >> >> > > don't have the access to the file outside of virtual directory.
> >> >> >> >> > > So... how to grant unrestricted access to a specific file or
> >> >> >> >> > > directory in the Wss_MediumTrust.config file? For my case, I
> >> >> >> >> > > didn't put my code into an assembly, all my files are just aspx
> >> >> >> >> > > pages under inetput\wwwroot\My_Application directory.
> >> >> >> >> > >
> >> >> >> >> > > Many thanks!!
> >> >> >> >> > >
> >> >> >> >> > > "Joe Kaplan (MVP - ADSI)" wrote:
> >> >> >> >> > >
> >> >> >> >> > >> Well, the first thing to do is to try to figure out what the actual
> >> >> >> >> > >> permission that is being demanded is. Then, you have a few options:
> >> >> >> >> > >>
> >> >> >> >> > >> - Modify policy to allow that permission to be granted
> >> >> >> >> > >> - Modify the assembly in the GAC to Assert that permission before the
> >> >> >> >> > >>   demand is called so that the stack walk is stopped (note, potential
> >> >> >> >> > >>   security risk here)
> >> >> >> >> > >> - Create your own assembly that goes in the GAC that wraps their
> >> >> >> >> > >>   assembly and does the above mentioned Assert. Note the same security
> >> >> >> >> > >>   risk
> >> >> >> >> > >>
> >> >> >> >> > >> You might want to find some articles on CAS so that you get a better
> >> >> >> >> > >> feel for what I'm talking about here as it can be somewhat confusing
> >> >> >> >> > >> until you get the hang of it.
> >> >> >> >> > >>
> >> >> >> >> > >> If you can find out what the actual permission that was demanded was
> >> >> >> >> > >> and what the stack trace for the exception was, that would be very
> >> >> >> >> > >> helpful for us to know.
> >> >> >> >> > >>
> >> >> >> >> > >> Joe K.
> >> >> >> >> > >>
> >> >> >> >> > >>
> >> >> >> >> > >> "GoCMS" <GoCMS@discussions.microsoft.com> wrote in message
> >> >> >> >> > >> news:6B2A6B2B-4507-455D-BCE8-9C11897357BF@microsoft.com...
> >> >> >> >> > >> > Since I'm rather new on ASP.net or share point web part security, I
> >> >> >> >> > >> > wonder what will be the standard steps (& configuration entries) to
> >> >> >> >> > >> > make third party DLL accessible. The articles I'm reading on internet
> >> >> >> >> > >> > only addresses cases when user put their own developed ASP.NET
> >> >> >> >> > >> > assemblies into GAC.
> >> >> >> >> > >> > Thanks a lot.
> >> >> >> >> > >> >
> >> >> >> >> > >> > "Joe Kaplan (MVP - ADSI)" wrote:
> >> >> >> >> > >> >
> >> >> >> >> > >> >> Are you sure the third party DLL isn't allowing a full demand for a
> >> >> >> >> > >> >> permission to go up the stack? Just because it is in the GAC and it
> >> >> >> >> > >> >> has Full Trust doesn't mean that some code it is using won't trigger
> >> >> >> >> > >> >> a Demand that results in a full stack walk which would then fail in
> >> >> >> >> > >> >> your code which is partially trusted.
> >> >> >> >> > >> >>
> >> >> >> >> > >> >> Without knowing more details on the exception, it would be hard to
> >> >> >> >> > >> >> know exactly what the problem is, but I suspect it is something along
> >> >> >> >> > >> >> those lines.
> >> >> >> >> > >> >>
> >> >> >> >> > >> >> Joe K.
> >> >> >> >> > >> >>
> >> >> >> >> > >> >> "GoCMS" <GoCMS@discussions.microsoft.com> wrote in
> >> >> >> >> > >> >> message
> >> >> >> >> > >> >> news:095F0E58-0588-4CF3-A520-BF9FB72A6F08@microsoft.com...
> >> >> >> >> > >> >> > The message is not detailed enough though, as follows:
> >> >> >> >> > >> >> >
> >> >> >> >> > >> >> > Security Exception Description: The application attempted to perform
> >> >> >> >> > >> >> > an operation not allowed by the security policy. To grant this
> >> >> >> >> > >> >> > application the required permission please contact your system
> >> >> >> >> > >> >> > administrator or change the application's trust level in the
> >> >> >> >> > >> >> > configuration file.
> >> >> >> >> > >> >> >
> >> >> >> >> > >> >> > Exception Details: System.Security.SecurityException:Security Error
> >> >> >> >> > >> >> >
> >> >> >> >> > >> >> >
> >> >> >> >> > >> >> > "Nicole Calinoiu" wrote:
> >> >> >> >> > >> >> >
> >> >> >> >> > >> >> >> What is the exception message or, even better, its full details (as
> >> >> >> >> > >> >> >> returned by its ToString method)?
> >> >> >> >> > >> >> >>
> >> >> >> >> > >> >> >>
> >> >> >> >> > >> >> >> "GoCMS" <GoCMS@discussions.microsoft.com> wrote in
> >> >> >> >> > >> >> >> message
> >> >> >> >> > >> >> >> news:3DBB444B-3A4A-419D-A61A-8E281CBE1CA3@microsoft.com...
> >> >> >> >> > >> >> >> > hi, there:
> >> >> >> >> > >> >> >> > I was developing a new page for a web part project. My page keeps on
> >> >> >> >> > >> >> >> > getting security exception whereas other pages in the same project
> >> >> >> >> > >> >> >> > don't. I set the security level to be WSS_MediumTrust level. I wasn't
> >> >> >> >> > >> >> >> > using any database connection, but I was using a third party DLL
> >> >> >> >> > >> >> >> > (which is already signed and put into GAC).
> >> >> >> >> > >> >> >> >
> >> >> >> >> > >> >> >> > I add the third party assembly into the project web.config.
> >> >> >> >> > >> >> >> > I also add the following section into WSS_MediumTrust.config file.
> >> >> >> >> > >> >> >> > <CodeGroup class="UnionCodeGroup" version="1"
> >> >> >> >> > >> >> >> >     PermissionSetName="FullTrust">
> >> >> >> >> > >> >> >> >   <IMembershipCondition class="StrongNameMembershipCondition"
> >> >> >> >> > >> >> >> >       version="1" PublicKeyBlob="public key for 3rd party assembly"/>
> >> >> >> >> > >> >> >> > </CodeGroup>
> >> >> >> >> > >> >> >> >
> >> >> >> >> > >> >> >> > Any other ideas? Thanks a LOT!
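
The wrapper approach from the quoted replies, as an added example that is not part of the original thread and not the vendor's code: the wrapper assembly is strong-named, installed in the GAC and marked APTCA, and it asserts the one permission the lower code demands, then reverts. `VendorTree`, `TreeWrapper`, the namespace, the icon path and the choice of `FileIOPermission` are assumptions; the thread never identifies which permission the real control demands.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Wrapper assembly: strong-named, installed in the GAC (full trust), and
// marked APTCA so the partially trusted page is allowed to call it.
[assembly: AllowPartiallyTrustedCallers]

namespace Example.Wrappers   // hypothetical namespace
{
    // Stand-in for the vendor control (constructed for this example): it
    // demands read access to the directory it is given, which triggers a
    // full stack walk up to the partially trusted page.
    public class VendorTree
    {
        public string Render(string iconDir)
        {
            new FileIOPermission(FileIOPermissionAccess.Read, iconDir).Demand();
            return "<div>tree using " + iconDir + "</div>";
        }
    }

    public sealed class TreeWrapper
    {
        // Assumed fixed location; never taken from the caller.
        private const string IconRoot = @"d:\inetpub\wwwroot\MyProject\TreeIcons";

        public string Render(string iconSet)
        {
            // Callers are partially trusted, so validate before asserting:
            // accept a plain folder name only, no separators or dots.
            if (iconSet == null || iconSet.Length == 0 ||
                iconSet.IndexOfAny(new char[] { '\\', '/', ':', '.' }) >= 0)
                throw new ArgumentException("Invalid icon set name.", "iconSet");

            string dir = Path.Combine(IconRoot, iconSet);

            // Same permission type the lower code demands, scoped to one
            // directory. Assert stops the stack walk at this frame, so the
            // page's medium-trust grant set is never checked.
            new FileIOPermission(FileIOPermissionAccess.Read, dir).Assert();
            try
            {
                return new VendorTree().Render(dir);
            }
            finally
            {
                // Always drop the assertion, even if the call throws.
                CodeAccessPermission.RevertAssert();
            }
        }
    }
}
```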