Re: Windows user controls in a web page: Security

From: John Francisco Williams (JohnFranciscoWilliams1010_at_Yahoo.Com)
Date: 02/28/05 

Date: Mon, 28 Feb 2005 15:26:45 -0500

Thank you very much for your help. I tried to use Strong Name as the
membership condition (as it mentions the first article) and that didn't
work. I also tried the assert method, mentioned in the second article. That
didn't work either. I then tried on more machines (I was using 3 real
machines and 2 virtual servers) and it worked!!! :-) . This is what I found:

1. My control was made using .Net Framework 1.1. Machines that have both
.Net Framework 1.0 and .Net Framework 1.1 installed, didn't work.
2. Machines that have both .Net Framework 1.1 and .Net Framework 2.0, didn't
work either.
3. Machines with only .Net Framework 1.1, worked perfect.

It worked using the steps I mentioned in my first post. Here are the steps,
a bit more detailed, in case anyone wants them:

1. Create a windows user control, with the functionality needed. In my case,
the control access the file system, and an SQL Server.
2. Create a web page (in my case, I'm using Aspx pages) that uses the
control, like this:

      <object
       classid = AssemblyName.DLL#NameSpace.ControlName
       ViewAsText>
      </object>

3. Each machine that's going to use that page, needs to comply with this:

   3.1. Have the .Net framework installed (same version as the control)
   3.2. Authorize the assembly, or the whole URL, or the whole web site, to
perform the operations needed.

4. To do "3.2":

    4.1. Use one machine as the template, for creating the authorization
needed for all the other machines. After creating all the permissions
needed, an .Msi will be created, that will replicate this same permission
state, on every machine that uses the page with the control.
    4.2. Go to administrative tools, "Microsoft .NET Framework 1.1
Configuration"
    4.3. Go to Runtime Security Policy\Machine\Permission Sets
    4.4. Right click "Permission Sets", select "New".
    4.5. Give it a descriptive name, and select next.
    4.6. Select the permissions your control will need and then click "Add
>>>" to add them to the "Assigned Permissions" list. In my case, I choosed
"DNS", "File IO" and "SQL Client", unrestricted.
    4.7. Click "Finish"
    4.8. After you created a set with the permissions you want to assign,
you now need to specify who is going to get those permissions. Go to Runtime
Security Policy\Machine\Code Groups\All_Code\Internet_Zone
    4.9. Right click "Internet_Zone", select "New"
    4.10. Give it a descriptive name, and select next.
    4.11. Next window is "Condition Type": Where is this assembly that needs
to be authorized? In my case, I selected "Site", to give permission to any
control that comes from a specific site. I you need to be more restrictive,
use "URL", for example, to only authorize assemblies coming from one URL. I
you use URL, include the name of the assembly (e.g.
http://wwww.SiteName.Com/Dir1/Dir1b/AssemblyName.Dll) or a "*", to authorize
all assemblies coming from that URL. (e.g.
http://wwww.SiteName.Com/Dir1/Dir1b/* ). If you select "Site", don't include
the protocol (example: www.SiteName.Com, instead of
http://www.SiteName.Com ).
    4.12. Next section is "Permission Set". You already indicated which
assembly (s) to trust. Now indicate what type of permissions it will have,
by associating it with a permission set. Choose the permission set you
created in 4.5.
    4.13. Click "Next", "Finish", test your page.
    4.14. If everything is working as needed, and you don't need to modify
more permissions, go to "Runtime Security Policy". Right click there, and
select "Create Deployment Package".
    4.15. Indicate the level of security to deploy. In this case, "Machine".
    4.16. Choose the folder and a file name for this Deployment Package.
    4.17. Click "Next", "Finish", the package is ready.
    4.18. Have this MSI run on each machine that needs to use the page with
the control.

NOTES:
. This installer is primitive. If you had previous custom permission sets on
a machine, they will be lost when you run the installer. For those cases, I
suggest having one or more machines with the permissions set, to be used as
templates. And then, always use those machines to make any changes and
deployment packages.
. Depending on your scenario, you might need to use "Local_Intranet_Zone",
"My_Computer_Zone", etc, instead of "Internet_Zone" in step 4.8.
. You need to know what section is your assembly being "assigned to"? Go to
"Runtime Security Policy" and select "Evaluate Assembly" on the right side.

Thanks Nicole. Thanks all :-)

"Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message
news:uFyh2ABHFHA.472@TK2MSFTNGP12.phx.gbl...
> See http://blogs.msdn.com/shawnfa/archive/2003/06/20/57023.aspx and
> http://blogs.msdn.com/shawnfa/archive/2003/06/26/57026.aspx for
explanations
> of why your code isn't being granted the permissions you would like and
what
> you can do about it.
>
>
> "John Francisco Williams" <JohnFranciscoWilliams1010@Yahoo.Com> wrote in
> message news:ehEfw04GFHA.1096@tk2msftngp13.phx.gbl...
> > Hi all. Where can I find documentation on using windows user controls in
> > web
> > pages? I've been looking for documentation, but haven't found much.
> > Specifically, I'm now having problems with assembly permissions:
> >
> > 1. I have an Aspx page that uses a windows user control
> > 2. The control uses ADO.Net to retrieve information from an SQL server
(at
> > least it tries)
> > 3. In a client machine, I created a code group under Machine, AllCode,
> > Local_Intranet. Membership. Condition is the URL of my app. Permission
set
> > is one I created allowing EVERYTHING
> > 4. It doesn't work. When the control tries to retrieve the information,
I
> > get an exception: Request for the permission SQLClientPermission failed.
> >
> > Note: The control works fine on the machine I use to host the page. All
I
> > had to do was trust the control's assembly. It doesn't work on other
> > machines that browse to that page.
> >
> > Any suggestions, tips, info are welcome. I don't know what newsgroup to
> > use
> > so, I'm trying with these two.
> >
> > Thanks a lot!!!
> >
> > Frank
> >
> >
> >
>
>

Relevant Pages

  • Re: Issue with SecurityPermission
    ... The following sample shows how to create a user control which can be ... downloaded and executed with specific permissions. ... > The default security policy for assemblies downloaded from an intranet-based> URI is different than that of the local system. ... >> This results in no one being able to execute the application from that ...
    (microsoft.public.dotnet.security)
  • Re: Altering .NET Security policy across domain
    ... caspol.exe to create a code group, but it can also be done using the .NET ... permissions you grant the signed assemblies. ... >>> all machines in the domain. ...
    (microsoft.public.dotnet.security)
  • Re: Windows user controls in a web page: Security
    ... same version of the framework that was being used to load the control. ... After you created a set with the permissions you want to assign, ... > all assemblies coming from that URL. ... > by associating it with a permission set. ...
    (microsoft.public.dotnet.framework.windowsforms.controls)
  • Re: Windows user controls in a web page: Security
    ... same version of the framework that was being used to load the control. ... After you created a set with the permissions you want to assign, ... > all assemblies coming from that URL. ... > by associating it with a permission set. ...
    (microsoft.public.dotnet.security)
  • Re: win forms security
    ... > each strong name you need to grant permissions to. ... I have two strongly named assemblies - both ... I created a code group to give "Full Trust" to the public key used to sign ... >> of our assemblies given strong names and I would rather control the code ...
    (microsoft.public.dotnet.security)