Possible to Create a Code Group Programmatically?

I am hosting a user control from a project of type windows control library inside an asp.net page (using the object tag). This control communicates with a Web service.

I am able to get it working only if:

A) I create a custom code group with the 3 permissions: Web Access, Security, and User Interface.

B) I assign my URL to the new code group.

I can also get it working by modifying the All Code group to Full Trust, but I don't want to do that. In fact, I don't want to have to do any changes on the client at all.

Are either of the following possible:

1) Create and assign the code group programmatically?

2) Successfully request and assert the required permissions in code in the assembly?

(Note: I tried using the permissions attributes in AssemblyInfo.cs and also by instantiating the permission objects themselves with Assert/RevertAssert and that did not work.)

Thanks to any who reply.
-KJ

Hello n_o_s_p_a***@mail.com,
something like that??

```csharp
using System.Collections;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

// pubkey: byte[] holding the public key of the signed assembly (not defined in the post)

// Locate the machine policy level
PolicyLevel machineLevel = null;
IEnumerator policyLevelEnumerator = SecurityManager.PolicyHierarchy();
while (policyLevelEnumerator.MoveNext())
{
    PolicyLevel lvl = (PolicyLevel)policyLevelEnumerator.Current;
    if ("Machine" == lvl.Label)
    {
        machineLevel = lvl;
        break;
    }
}

// Build the named permission set and add or update it in the machine level
NamedPermissionSet nps = new NamedPermissionSet(
    "AcmeExpense Permissions", PermissionState.None);
nps.AddPermission(new FileIOPermission(PermissionState.Unrestricted));
if (null != machineLevel.GetNamedPermissionSet(nps.Name))
{
    machineLevel.ChangeNamedPermissionSet(nps.Name, nps);
}
else
{
    machineLevel.AddNamedPermissionSet(nps);
}

// Code group that matches the strong name and grants the permission set
CodeGroup myCodeGroup = new UnionCodeGroup(
    new StrongNameMembershipCondition(
        new StrongNamePublicKeyBlob(pubkey), "AcmeExpense", null),
    new PolicyStatement(nps));
myCodeGroup.Name = "AcmeExpense Application";
myCodeGroup.Description = "Grants the AcmeExpense app access to ...";

// Attach the group under the root and persist the machine policy
machineLevel.RootCodeGroup.AddChild(myCodeGroup);
SecurityManager.SavePolicyLevel(machineLevel);
```

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Hello,
>
> I am hosting a user control from a project of type windows control
> library inside an asp.net page (using the object tag). This control
> communicates with a Web service.
>
> I am able to get it working only if:
>
> A) I create a custom code group with the 3 permissions: Web Access,
> Security, and User Interface.
>
> B) I assign my URL to the new code group.
>
> I can also get it working by modifying the All Code group to Full
> Trust, but I don't want to do that. In fact, I don't want to have to
> do any changes on the client at all.
>
> Are either of the following possible:
>
> 1) Create and assign the code group programmatically?
>
> 2) Successfully request and assert the required permissions in code in
> the assembly?
>
> (Note: I tried using the permissions attributes in AssemblyInfo.cs and
> also by instantiating the permission objects themselves with
> Assert/RevertAssert and that did not work.)
>
> Thanks to any who reply.
> -KJ

That looks cool. I will try it out on Tuesday and reply back then.
Thanks.
-KJ

I tested it today with a windows application and it works. I changed the UnionCodeGroup to a FirstMatchCodeGroup with a UrlMembershipCondition because I'd like to try it in an embedded form. Unfortunately, my form is currently not showing up. I will post back with more details if I get the control to display.

Ok, I got my control working and I tried it in the User Control. It raised the following exception:

```
Server Error in '/WinFormsTestWS' Application.
--------------------------------------------------------------------------------
Policy level Machine cannot be saved.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Security.Policy.PolicyException: Policy level Machine cannot be saved.
Source Error:

Line 76:
Line 77: machineLevel.RootCodeGroup.AddChild(myCodeGroup);
Line 78: SecurityManager.SavePolicyLevel(machineLevel);
Line 79: }
Line 80:
```

On a remote machine (Internet Zone), this exception is also thrown:

```
System.Security.SecurityException: Request for the permission of type 'System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.
   at System.Security.PolicyManager.PolicyHierarchy()
   at System.Security.SecurityManager.PolicyHierarchy()
   at WinformsTest.UserControl1.SetupSecurity()
```

Hello n_o_s_p_a***@mail.com,
What are you trying to do??? Modify CAS policy from a partially trusted program?? Besides that this will not work in partial trust, the user will additionally need local admin privileges to change machine policy.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> On a remote machine (Internet Zone), this exception is also thrown:
>
> System.Security.SecurityException: Request for the permission of type
> 'System.Security.Permissions.SecurityPermission, mscorlib,
> Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'
> failed.
> at System.Security.PolicyManager.PolicyHierarchy()
> at System.Security.SecurityManager.PolicyHierarchy()
> at WinformsTest.UserControl1.SetupSecurity()

Hi Dominick,
I know, it's crazy. I just wanted to see if it was possible. But your example helped a lot in showing how to work with the CAS objects.

Let's assume my users are all local admins, how might I prompt them over the Internet to run a script that will modify policy?

I have seen usenet threads suggesting that this is possible by running a batch file that calls caspol.exe. Is that the only way?

-KJ

Hello n_o_s_p_a***@mail.com,
Just don't do that. That is totally subverting security. And I just hope for you that your users are not admins.

If you want to deploy policy - package the code in an MSI package and install locally (by an admin). In intranets this is usually done through some deployment mechanism like AD GPO or NetInstall or similar.

Or have a look at ClickOnce in 2.0

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Hi Dominick,
>
> I know, it's crazy. I just wanted to see if it was possible. But your
> example helped a lot in showing how to work with the CAS objects.
>
> Let's assume my users are all local admins, how might I prompt them
> over the Internet to run a script that will modify policy?
>
> I have seen usenet threads suggesting that this is possible by running
> a batch file that calls caspol.exe. Is that the only way?
>
> -KJ

Yes, ClickOnce is nice. I built a ClickOnce test app last week using VS 2005 Beta 2 and it went smoothly, setting up the required permissions without any legwork.

The only thing is that ClickOnce just got vetoed here until early 2006, because the admins are afraid to put the .Net Framework 2.0 on the servers. It's a bit of a conservative position, but I might take it if I were in their shoes.

Anyhow, thanks for your help. We've actually decided to do the app using straight ASP.NET 1.1 code.

The reason we got on the tangent here towards embedded forms was because of the large number of postbacks required with ASP.NET and the app needs to be fast.

We will probably attempt to use some form of XMLHTTP to avoid roundtrips, although I bet that will be a pain.

-KJ

Hello n_o_s_p_a***@mail.com,
No reason to put .NET 2.0 on the servers for ClickOnce - on the clients is sufficient.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

> Yes, ClickOnce is nice. I built a ClickOnce test app last week using
> VS 2005 Beta 2 and it went smoothly, setting up the required
> permissions without any legwork.
>
> The only thing is that ClickOnce just got vetoed here until early
> 2006, because the admins are afraid to put the .Net Framework 2.0 on
> the servers. It's a bit of a conservative position, but I might take
> it if I were in their shoes.
>
> Anyhow, thanks for your help. We've actually decided to do the app
> using straight ASP.NET 1.1 code.
>
> The reason we got on the tangent here towards embedded forms was
> because of the large number of postbacks required with ASP.NET and the
> app needs to be fast.
>
> We will probably attempt to use some form of XMLHTTP to avoid
> roundtrips, although I bet that will be a pain.
>
> -KJ
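
An added example, not code from the thread or its participants: the same policy objects used in a setup step that an administrator runs locally with full trust, as the replies recommend, granting a URL-scoped set of the three permissions from the question instead of Full Trust on All Code. The URLs, the group name and the exact permission flags are assumptions, and it targets .NET Framework 2.0/3.5, where CAS policy is in effect.

```csharp
using System;
using System.Collections;
using System.Net;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

static class ControlPolicySetup
{
    // Hypothetical placeholders: substitute the real site and service URLs.
    const string ControlUrl = "https://intranet.example/WinFormsTestWS/*";
    const string ServiceUrl = "https://intranet.example/WinFormsTestWS/Service.asmx";
    const string GroupName = "WinFormsTest Control";
    static int Main()
    {
        try
        {
            PolicyLevel machine = null;
            IEnumerator levels = SecurityManager.PolicyHierarchy(); // demands ControlPolicy
            while (levels.MoveNext())
            {
                PolicyLevel lvl = (PolicyLevel)levels.Current;
                if (lvl.Label == "Machine") { machine = lvl; break; }
            }
            if (machine == null) { Console.Error.WriteLine("Machine level not found."); return 1; }
            // The three permissions from the question, narrowed (flags are assumed).
            NamedPermissionSet nps = new NamedPermissionSet(GroupName, PermissionState.None);
            nps.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
            nps.AddPermission(new UIPermission(UIPermissionWindow.SafeSubWindows));
            nps.AddPermission(new WebPermission(NetworkAccess.Connect, ServiceUrl));
            if (machine.GetNamedPermissionSet(nps.Name) != null)
                machine.ChangeNamedPermissionSet(nps.Name, nps);
            else
                machine.AddNamedPermissionSet(nps);
            // Children returns copies, so removing while iterating is safe; this
            // keeps a re-run from stacking duplicate groups under the root.
            foreach (CodeGroup old in machine.RootCodeGroup.Children)
                if (old.Name == GroupName) machine.RootCodeGroup.RemoveChild(old);
            CodeGroup cg = new UnionCodeGroup(
                new UrlMembershipCondition(ControlUrl), new PolicyStatement(nps));
            cg.Name = GroupName;
            machine.RootCodeGroup.AddChild(cg);
            SecurityManager.SavePolicyLevel(machine);
            return 0;
        }
        catch (SecurityException e) { Console.Error.WriteLine("Not fully trusted: " + e.Message); return 2; }
        catch (PolicyException e) { Console.Error.WriteLine("Policy not saved: " + e.Message); return 3; }
    }
}
```

Exit codes 2 and 3 correspond to the two exceptions reported in the thread: the SecurityException raised by PolicyHierarchy() for partially trusted callers, and the PolicyException raised by SavePolicyLevel().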