Re: Determine what security permissions are needed

From: Nicole Calinoiu (calinoiu)
Date: 01/24/05

  • Next message: Marco: "Embedded Control in IE, control loads but get System.Security.Permissions.SecurityPermission request error in IE..."
    Date: Mon, 24 Jan 2005 07:53:32 -0500
    
    

    Joe,

    In order to override or call the underlying CreateParams implementation,
    your assembly will need SecurityPermission.UnmanagedCode permission. While
    it's possible to grant additional permissions to controls hosted in IE (see
    http://blogs.msdn.com/shawnfa/archive/2003/06/20/57023.aspx and
    http://blogs.msdn.com/shawnfa/archive/2003/06/26/57026.aspx for
    instructions), unmanaged code permission is a dangerous one to grant to code
    running from a non-local zone. If at all possible, I would recommend
    tweaking the control so that use of CreateParams is not required.

    HTH,
    Nicole

    "Joe" <J_no_spam@_no_spam_Fishinbrain.com> wrote in message
    news:ea5IWQ9$EHA.3120@TK2MSFTNGP12.phx.gbl...
    > Here's the log: (I removed the domain name for this posting)
    > Creating security manager
    >
    > Microsoft.IE.Manager: Microsoft.IE.Manager: unique id lgth = 50
    > Microsoft.IE.SecureFactory: Create SecureFactory() with security
    > information
    > Microsoft.IE.Manager: Created secure factory
    > Microsoft.IE.SecureFactory: Creating instance of the object in the correct
    > domain
    > Microsoft.IE.SecureFactory: pUrl = http://.../default.aspx
    > Microsoft.IE.SecureFactory: id =
    > 86474707A347865626F6E6166796471637E236F6D630000000
    > Microsoft.IE.SecureFactory: link =
    > Microsoft.IE.SecureFactory: licenses =
    > Microsoft.IE.Manager: Url = http://.../default.aspx
    > Microsoft.IE.Manager: UrlGetPartW returned 0
    > Microsoft.IE.Manager: UrlGetPartW returned 80070057
    > Microsoft.IE.Manager: CodeBase = http://...
    > Microsoft.IE.Manager: Application = mywebsite
    > Microsoft.IE.Manager: Found a codebase
    > Microsoft.IE.Manager: UrlCanonicalize returned 0
    > Microsoft.IE.SecureFactory: URL codeBase: http://...
    > Microsoft.IE.SecureFactory: URL application: mywebsite
    > Microsoft.IE.SecureFactory: Locating domain for http://...
    > Microsoft.IE.IDKey: Created key
    > Microsoft.IE.Manager: The domain does not exist.
    > Microsoft.IE.IDKey: Created key
    > Microsoft.IE.Manager: The domain does not exist.
    > Microsoft.IE.SecureFactory: Need to create domain
    > Microsoft.IE.SecureFactory: Application base: http://...
    > Microsoft.IE.SecureFactory: Private Bin Path: bin
    > Microsoft.IE.IDKey: Created key
    > Microsoft.IE.SecureFactory: Trying to create instance of type
    > http://.../control/WebControl.dll#WebControl.WebControl
    > Microsoft.IE.SecureFactory: System.Security.SecurityException: Request for
    > the permission of type 'System.Security.Permissions.SecurityPermission,
    > mscorlib, Version=2.0.3600.0, Culture=neutral,
    > PublicKeyToken=b77a5c561934e089' failed.
    > at System.AppDomain.CreateComInstanceFrom(String assemblyFile, String
    > typeName, Byte[] hashValue, AssemblyHashAlgorithm hashAlgorithm)
    > at Microsoft.IE.SecureFactory.CreateInstanceWithSecurity(Int32 dwFlag,
    > Int32 dwZone, String pURL, String uniqueIdString, String link, String
    > licenses)
    > The action that failed was:
    > InheritanceDemand
    > The Zone of the assembly that failed was:
    > Internet
    > Microsoft.IE.SecureFactory: LOG exception
    > Microsoft.IE.SecureFactory: Creating log entry
    > ?FusionBindError!name=WebControl.dll WebControl.WebControl
    > Microsoft.IE.SecureFactory: Logging to file C:\Documents and
    > Settings\joe\Local Settings\Temporary Internet
    > Files\Content.IE5\VVMD17JD\CA64XURK.HTM
    >
    >
    >
    >
    > "Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message
    > news:#49WGz8$EHA.3120@TK2MSFTNGP12.phx.gbl...
    >> It might help if you could post the log results here...
    >>
    >>
    >>
    >> "Joe" <J_no_spam@_no_spam_Fishinbrain.com> wrote in message
    >> news:uhdmUs8$EHA.3924@TK2MSFTNGP15.phx.gbl...
    >> > I don't know how to determine what types of permissions it is. I know
    >> > the Inheritance is due to the CreateParams.
    >> >
    >> > I'm getting a book on .Net Security today to help me learn more about
    >> > this.
    >> >
    >> > "Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message
    >> > news:OSn#DK7$EHA.2880@TK2MSFTNGP14.phx.gbl...
    >> >> What types of permission are being requested by the inheritance and link
    >> >> demands?
    >> >>
    >> >>
    >> >> "Joe" <J_no_spam@_no_spam_Fishinbrain.com> wrote in message
    >> >> news:uqvlmM3$EHA.824@TK2MSFTNGP11.phx.gbl...
    >> >> > Thanks. The log shows an InheritanceDemand error which is being caused
    >> >> > by the CreateParams override. If I comment that out I get a LinkDemand
    >> >> > error.
    >> >> >
    >> >> > How can I resolve these? I looked at the help and it just tells me that
    >> >> > I need the permissions for the InheritanceDemand but I don't know how to
    >> >> > specify it.
    >> >> >
    >> >> > Thanks again,
    >> >> > Joe
    >> >> >
    >> >> > "Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message
    >> >> > news:OXYFDkw$EHA.2196@TK2MSFTNGP14.phx.gbl...
    >> >> >> Joe,
    >> >> >>
    >> >> >> It sounds like it probably is a CAS permissions issue. However, you may
    >> >> >> want to verify this using the steps outlined at
    >> >> >> http://dotnetjunkies.com/WebLog/mlevison/archive/2004/08/28/23568.aspx.
    >> >> >>
    >> >> >> If you want to isolate the minimum permission set for your control, I
    >> >> >> would recommend testing it in a Windows Forms application so that you can
    >> >> >> exclude the complicating factor of the constraints imposed by the IE host.
    >> >> >> If you set up the hosting app to have FullTrust and allow partially
    >> >> >> trusted callers into your control library assembly (using
    >> >> >> AllowPartiallyTrustedCallersAttribute), you will be able to set up a
    >> >> >> variety of tests to establish the minimum permission set required by your
    >> >> >> control. Probably the simplest way to do this is to ensure that your
    >> >> >> control assembly is granted full trust via policy, then declare a minimum
    >> >> >> permission set within the assembly. As security exceptions are raised in
    >> >> >> your tests, you would then add a request for the missing permission to the
    >> >> >> request list. For more information on this approach, see
    >> >> >> http://groups-beta.google.com/group/microsoft.public.dotnet.security/browse_frm/thread/5fe7af6010cf7800/f6fae0d4c2b7de5f.
    >> >> >>
    >> >> >> HTH,
    >> >> >> Nicole
    >> >> >>
    >> >> >>
    >> >> >>
    >> >> >> "Joe" <J_no_spam@_no_spam_Fishinbrain.com> wrote in message
    >> >> >> news:uPJUvTv$EHA.1400@TK2MSFTNGP11.phx.gbl...
    >> >> >> > Is there a utility to test an assembly for security issues? I have a
    >> >> >> > Winforms user control which I'm hosting in an ASP.NET application. On
    >> >> >> > some machines the assembly doesn't load when I override the CreateParams
    >> >> >> > method.
    >> >> >> > Also, if I add a chart control to this control it doesn't load.
    >> >> >> >
    >> >> >> > There's no exception being thrown but I'm guessing it has something to
    >> >> >> > do with security.
    >> >> >> >
    >> >> >> >
    >> >> >>
    >> >> >>
    >> >> >
    >> >> >
    >> >>
    >> >>
    >> >
    >> >
    >>
    >>
    >
    >
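
The minimum-permission-set approach described in this thread (declare requests in the control assembly, then add one for each SecurityException seen in testing), as an added C# example that is not code from either poster. The WebControl names mirror the log; the override body is constructed, and the declarative request attributes of .NET 1.x/2.0 CAS are assumed.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Windows.Forms;

// Let partially trusted hosts (IE, or a test harness) call into this assembly.
// The attribute only takes effect on a strong-named assembly.
[assembly: AllowPartiallyTrustedCallers]

// Minimum set: the assembly fails to load with a PolicyException if policy
// does not grant every permission requested here.
[assembly: SecurityPermission(SecurityAction.RequestMinimum, Execution = true)]
// Needed only because of the CreateParams override below.
[assembly: SecurityPermission(SecurityAction.RequestMinimum, UnmanagedCode = true)]

// Request nothing optional, so the grant is capped at the minimum set even
// when policy gives the assembly FullTrust. Each SecurityException raised in
// testing then names a permission to add as another RequestMinimum line;
// this list is a starting point, not the control's final set.
[assembly: PermissionSet(SecurityAction.RequestOptional, Name = "Nothing")]

namespace WebControl
{
    public class WebControl : UserControl
    {
        // Control.CreateParams carries a LinkDemand and an InheritanceDemand
        // for SecurityPermission.UnmanagedCode: the two failures seen in the
        // thread. The override restates the LinkDemand for its own callers.
        protected override CreateParams CreateParams
        {
            [SecurityPermission(SecurityAction.LinkDemand, UnmanagedCode = true)]
            get
            {
                CreateParams cp = base.CreateParams;
                cp.ExStyle |= 0x00000200; // WS_EX_CLIENTEDGE (constructed tweak)
                return cp;
            }
        }
    }
}
```

If the control can be reworked so that CreateParams is not used, the UnmanagedCode request line goes away with it, which is the outcome recommended at the top of this message for code running from a non-local zone.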

