Understanding FullTrust and CAS



Hi all!
I've posted this problem in a number of places, but haven't been able
to get to the bottom of it, so I'll try again here.

I have been trying to work out ways to allow a partial trust web
application limited access to perform sensitive operations (like
retrieving a list of active processes) via a fully trusted proxy
assembly. Basically I have a class with one method to get a list of
active processes and return a list of the names.

Nothing too complex so far, and it works fine if the webpage calling
this separate assembly is running in full trust mode. Trouble is, I
get security exceptions when I lower the web application's trust level
to Medium. This makes sense, because the security demand in the
Process class is supposed to walk up the stack and fail when it gets to
something less than full trust.

The question is, what does one have to do to allow this code to be
called by a partially trusted web app? My plan was to sign the
assembly with a strong name and elevate it to FullTrust level, but
that hasn't worked. Thinking that I didn't quite understand caspol (is
there any decent documentation on this anywhere on the web?) I've tried
quite a few ways to get the full trust applied, but none seem to allow
my application to work. Maybe I"m barking up the wrong tree?

One thing that has worked is to add the intermediate assembly to the
GAC. If I do this, the whole thing runs smooth as silk. Trouble there
is, marking the assembly APTCA, giving it a bunch of functionality that
could pose security risks, then dropping it in the GAC on a web server
seems to miss the point of the whole exercise in the first place.

If anyone has any insight/links/comments on this problem I will be very
grateful. I am really tearing my hair out here...

Also, the combined code for both of these apps is shorter than this
post. I'd be happy to post or send it to any interested parties.

.



Relevant Pages