Re: Custom CAS permission...
- From: "Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com>
- Date: Wed, 14 Jun 2006 10:43:12 -0400
Pieter,
I couldn't see any obvious blocking problems in your code other than failing
to handle the Unrestricted == true condition properly in the attribute. At
a minimum, you should change its CreatePermission method to something like
the following:
    public override IPermission CreatePermission()
    {
        if (this.Unrestricted)
            this.m_Options = SmartcardConnectOptions.Unrestricted;
        return new SmartcardPermission(m_Options, m_AllowedAtrs);
    }
After applying the above change, your sample works fine for me. If it still
doesn't work for you, are you sure that you're changing the CAS policy for
the same version of the .NET Framework under which the application is run?
HTH,
Nicole
"Pieter Philippaerts" <pieter.nospam@xxxxxxxxxxxx> wrote in message
news:%23JsiAsBjGHA.3816@xxxxxxxxxxxxxxxxxxxxxxx
Nicole,
first of all: thanks for replying!
The FromXml and ToXml methods seem to work properly. I used Reflector to
look into the CLR to find out how Microsoft is implementing these
permissions, and my code should be compatible with that. However, still no
success in getting this thing to work.
Since it's driving me a bit mad, I've uploaded the code to my server so
you can take a look if you want to. You can find it at
http://pieter.mentalis.org/SmartcardPermission.zip
The permission in question is a permission to regulate the access to a
smartcard device. It has three possible states: "None" (allowing no access
to the smartcard reader), "Unrestricted" (allowing unrestricted access to
the smartcard reader) and "AllowedATRs" (allowing access to one or more
specific types of smartcards). The zip file contains two stub classes
that were required in the implementation of the permission, and a
"MySmartcard" class with a method that simply demands the permission and
prints a message to the console if the demand succeeded.
The second project is a console application that calls the method in
MySmartcard.
It also includes the file "permission_set.xml". This is an XML file you
can import in the .NET 2.0 configuration tool. It defines an unrestricted
SmartcardPermission. You'll have to change the PublicKeyToken in this
file, of course, if you're going to test this code.
My test scenario goes as follows: I import the
Org.Mentalis.SecurityServices.dll file in the GAC. Then I import the
permission set XML file under "Runtime Security Policy\Machine\Permission
Sets". I add a new code group under "Runtime Security Policy\Machine\Code
Groups" with membership condition type set to "Zone" and the zone to
"Local Intranet". On the Permission Set tab of this new code group, I
select "SmartcardPermission".
I copy the test application to a shared drive and run it from there. After
doing this, I get the following error:
System.Security.SecurityException: Request for the permission of type
'Org.Mentalis.SecurityServices.Permissions.SmartcardPermission,
Org.Mentalis.SecurityServices, Version=0.0.2.27985, Culture=neutral,
PublicKeyToken=085a8f6006888436' failed.
   at System.Security.CodeAccessSecurityEngine.Check(Object demand, StackCrawlMark& stackMark, Boolean isPermSet)
   at System.Security.CodeAccessPermission.Demand()
   at Org.Mentalis.SecurityServices.Smartcard.SmartcardReader.GetReaders()
   at Org.Mentalis.SecurityServices.Smartcard.SmartcardReader.OpenReader(Atr atr)
   at SecurityServicesTest.Program.Main(String[] args)
The action that failed was:
Demand
The type of the first permission that failed was:
Org.Mentalis.SecurityServices.Permissions.SmartcardPermission
The Zone of the assembly that failed was:
Intranet
[Note: this stack trace is from my original project, not the test project
from the ZIP file above]
If I select the "Evaluate Assembly..." option in the "Runtime Security
Policy" context menu in the .NET 2.0 configuration utility, I can see that
the executable on the share should get my permission. So why is this
Demand failing?
I added logging to the permission and I saw that the permission was
successfully created when I was importing the XML file into the Runtime
Security Policy configuration tool. It was constructed (and initialized in
state "None"), then a call to FromXml was executed (updating the status to
Unrestricted -- as expected), then two calls to ToXml, a lot of calls
(~60) to the Copy method and two calls to IsUnrestricted.
When I start the test application, the first (and only) instance of the
permission that gets created is the one I use to call the Demand method
on. The Demand calls three times into the IsSubsetOf method (always with
the target parameter set to a null reference) and then calls ToXml twice.
What bothers me is that only one instance of this class is created -- I
would assume that the runtime creates a second copy when the program is
starting up to add it to the program's permission set.
Anyhow, I would appreciate it if anyone could take a look at that code...
It's probably some stupid oversight or something, but it's driving me
crazy :-)
If you need more information or anything else, I'd be happy to give it to
you.
Thanks,
Pieter
"Nicole Calinoiu" <calinoiu REMOVETHIS AT gmail DOT com> wrote in message
news:%23yFl4kiiGHA.3496@xxxxxxxxxxxxxxxxxxxxxxx
What you've described is not a general issue with custom permissions, so
the problem presumably lies in your implementation. Many folks seem to
run into trouble with the ToXml and FromXml methods, so those might be a
good place to start looking for potential problems. If you don't find
any or aren't sure what you should be looking for, might you be able to
provide code for a simple permission that reproduces the problem?
"Pieter Philippaerts" <pieter.nospam@xxxxxxxxxxxx> wrote in message
news:%2324LjC0hGHA.4848@xxxxxxxxxxxxxxxxxxxxxxx
Hi there,
I've created a custom CAS permission in my .NET 2.0 application, but I'm
having some problems getting it to work properly.
I've based the design of my code on the article at
http://msdn2.microsoft.com/en-us/library/yctbsyf4(VS.80).aspx Everything
seems to be in order and pretty much the same as in the article. I've
compiled the code, installed it in the GAC and adjusted the CAS policy
to give my permission to the Local Intranet zone. Up until now,
everything seems to work properly.
However, when I run a partially trusted application (from a shared
intranet drive) that calls into the library and requires my custom
permission, the demand always fails. The IsSubsetOf method is called
once during the demand, but the target parameter is always a null
reference.
Does anyone know why this could be happening? I'd assume that this happens
because my custom permission wasn't granted to the application, however
when I use the "Evaluate Assembly..." option from the Runtime Security
Policy tool, I see that my permission should indeed be granted to the
application.
Thanks,
Pieter
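The pieces discussed in this thread, as an added example that is not Pieter's code and not part of the original posts: a hypothetical two-state DemoPermission and DemoPermissionAttribute (both names are assumptions) for .NET Framework CAS. It shows the attribute honouring Unrestricted, IsSubsetOf handling the null target seen in the failing demand, and the Unrestricted flag surviving ToXml/FromXml.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
// Hypothetical two-state permission standing in for the thread's SmartcardPermission.
[Serializable]
public sealed class DemoPermission : CodeAccessPermission, IUnrestrictedPermission
{
    private bool m_Unrestricted;
    private DemoPermission(bool unrestricted) { m_Unrestricted = unrestricted; }
    public DemoPermission(PermissionState state) : this(state == PermissionState.Unrestricted) { }
    public bool IsUnrestricted() { return m_Unrestricted; }
    public override IPermission Copy() { return new DemoPermission(m_Unrestricted); }
    // A null target means no permission of this type was granted: only None is a subset of it.
    public override bool IsSubsetOf(IPermission target)
    {
        if (!m_Unrestricted) return true;
        DemoPermission other = target as DemoPermission;
        return other != null && other.m_Unrestricted;
    }
    public override IPermission Intersect(IPermission target)
    {
        return m_Unrestricted && IsSubsetOf(target) ? Copy() : null;
    }
    // Policy persists the permission as XML; the Unrestricted flag must round-trip.
    public override SecurityElement ToXml()
    {
        SecurityElement e = new SecurityElement("IPermission");
        e.AddAttribute("class", GetType().AssemblyQualifiedName);
        e.AddAttribute("version", "1");
        if (m_Unrestricted) e.AddAttribute("Unrestricted", "true");
        return e;
    }
    public override void FromXml(SecurityElement e)
    {
        if (e == null) throw new ArgumentNullException("e");
        m_Unrestricted = string.Equals(e.Attribute("Unrestricted"), "true", StringComparison.OrdinalIgnoreCase);
    }
}

[Serializable, AttributeUsage(AttributeTargets.Assembly | AttributeTargets.Class | AttributeTargets.Method)]
public sealed class DemoPermissionAttribute : CodeAccessSecurityAttribute
{
    public DemoPermissionAttribute(SecurityAction action) : base(action) { }
    // Unrestricted comes from SecurityAttribute; ignoring it yields a None permission.
    public override IPermission CreatePermission()
    {
        return new DemoPermission(Unrestricted ? PermissionState.Unrestricted : PermissionState.None);
    }
}
```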