Adjusting security setting to run an embedded windows control in IE

Hi,

I am trying to find the minimum security settings to allow a Windows control
embedded in IE to have full trust.

If I give the entire Intranet zone full trust, this works. However, this is
very broad and gives the entire zone high privileges.

I tried giving just the assembly full trust (using the full URL for the
DLL), but this doesn't seem to work.

Any direction in how to accomplish this?
Nov 18 '05 #1
The best way to do this is to give just the assemblies that need Full Trust
that permission.

The reason it doesn't work in your situation is that when IE creates the
AppDomain that it runs your code in, that AppDomain is created based on the
URL which will have some sort of partial trust (unless that URL or the whole
zone has been given Full Trust).

Two things happen after that:
- If your assembly is not marked with the
AllowPartiallyTrustedCallersAttribute, the partially trusted AppDomain that
it is running in will not be able to call it.
- Any code that requires a permission will hit your assembly, where it will
be granted due to your Full Trust, but will likely fail when the stack gets
up to the partially trusted AppDomain since the AppDomain may not have that
permission.

You have basically two options to solve this:
- Make the AppDomain have Full Trust with something like a URL membership
condition. This is the easiest thing to do, but is not very secure,
especially if the URL is not very specific.
- Add the AllowPartiallyTrustedCallersAttribute and use Assert on the
Permissions that you need when you need them to prevent the stack walk into
the containing AppDomain. This is more work, but is vastly more secure and
is the recommended approach.

There have been some good articles on implementing the second approach. I
believe Ivan Medvedev has some good info on his website. You might start
there:
http://www.dotnetthis.com/Articles/WritingForSEE.htm

Joe K.
Nov 18 '05 #2
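
Joe K.'s second option, sketched as an added example that is not code from the thread. It assumes .NET Framework 2.0 or later, a strong-named assembly that machine policy grants Full Trust, and a hypothetical `SettingsReader` class and settings directory; the permission asserted is only an illustration.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// A strong-named assembly refuses partially trusted callers unless it opts in.
// The AppDomain IE creates for the page is such a caller.
[assembly: AllowPartiallyTrustedCallers]

namespace Example.TrustedHelper   // hypothetical namespace
{
    public sealed class SettingsReader   // hypothetical class
    {
        // Fixed location chosen by the assembly author (hypothetical path).
        // The caller never supplies a directory.
        private const string SettingsDir = @"C:\ProgramData\ExampleControl";

        private SettingsReader() { }

        public static string ReadSetting(string name)
        {
            // Validate before asserting: accept a bare file name only, so a
            // partially trusted caller cannot steer the read to another path.
            if (string.IsNullOrEmpty(name) ||
                name.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0)
            {
                throw new ArgumentException("Setting name must be a plain file name.", "name");
            }

            string path = Path.Combine(SettingsDir, name + ".txt");

            // Assert only the permission needed: read access to this one file.
            // The Assert stops the stack walk at this frame, so the demand made
            // by the file APIs never reaches the partially trusted AppDomain.
            FileIOPermission readOnly =
                new FileIOPermission(FileIOPermissionAccess.Read, path);
            readOnly.Assert();
            try
            {
                return File.ReadAllText(path);
            }
            finally
            {
                // Drop the assertion as soon as the privileged call is done.
                CodeAccessPermission.RevertAssert();
            }
        }
    }
}
```

Keeping the asserted permission narrow (one fixed file, read-only) and validating the caller's input before the Assert is what stops a partially trusted caller from borrowing the assembly's Full Trust for anything else.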
This assembly is not a strongly named one, so I don't think option 2 would
work.

How does one go about giving an AppDomain full trust by using a URL
membership condition?

Thanks
Nov 18 '05 #3
Actually, I believe I was able to do this through the .net security
configuration tool.
Nov 18 '05 #4
Ok, glad you got it to work.

Just so you remember that I said this is the less secure and thus less
preferred option.

Strong naming an assembly is generally quite simple and isn't a big deal.
The other advantage is that you can easily deploy other assemblies with the
same strong name key later and have them get Full Trust as well.

Joe K.
Nov 18 '05 #5
I have an application embedded in IE (HTML assembly).
That application needs to connect back to the server in order to get some
data.
What are the conditions to succeed without requesting any special permissions
from the client? As an applet does it....
Should I connect back to the server only using port 80?
Right now the client app is served by Apache and the connection back is tried
to another application on port 9500

Changing security permission by the client is not an option

--
Cheers,
Crirus

------------------------------
If work were a good thing, the boss would take it all from you

------------------------------
Nov 18 '05 #6
Assuming that the code will not execute given the permissions it is getting
in the zone it is running in, I'm pretty sure you aren't going to get this
to work without changing some kind of security permissions on the client.

The reason is that if that code isn't granted the permission to do what it
needs to do, there is no way for the code to get around that. .NET security
policy is administered on the local machine. The idea is that the
administrator gets to decide which resources get which permissions. Then,
code is allowed to execute automatically with the permissions it is given.
This is very different from the downloadable ActiveX control model which
asks the user for permission to install and run and then can do anything the
user has permissions to do on their machine.

Are you sure you can't make adjustments to the client machine security
policy? Are you sure the permission you need isn't already granted to the
zone that the code executes in?

Joe K.
Nov 18 '05 #7
This is the scenario:
The client opens the browser, accesses my server, and receives a client app, embedded in
IE, that starts running. Now, the client app needs WebPermission to connect
back to the same server and request some data...

My question is if this is allowed. I see no reason why I can't request data
from my own server with my own client application... Any Java applet can do
that

Java only restricts the access to the server on the same port 80 from where it was
first downloaded

I'm kinda lost in the woods with these permissions...
So, does the client need to set some permissions? The permission I need is
WebPermission but I'm not sure how it works...


--
Cheers,
Crirus

------------------------------
If work were a good thing, the boss would take it all from you

------------------------------
Nov 18 '05 #8
I'm not an expert at all in Java applet security, but I do know that the
.NET CAS model is very different.

Essentially, code is sorted into membership of different code groups based
on evidence it presents to the system. Evidence can be things like the URL
it came from, its strong name, etc. Based on the code groups it is put
into, it will be granted certain permissions.

Thus in your example, your code is presenting some evidence that gets it
included in a certain code group that is not granted the permission it needs
to run. In order to fix this, you probably need to either:
- Get your code to fall into a code group that has the permissions you need
- Modify the local security policy on the machine to ensure that some
evidence you can present will get you into a code group with the correct
permissions

As I was poking around in the default security policy, it looked to me that
the Trusted_Zone code group gets special permission to connect back to its
site of origin. Do you know if IE is finding your site to be in Trusted
Sites? If so, based on what I can see you should be getting the permission
you need.

If that won't work, then you might need to modify the local security policy.
You could use a URL membership condition or perhaps a strong name.

Joe K.
Nov 18 '05 #9
Well, I'm sure if I grant certain permissions to my code it works.
My hope is that the client doesn't need to set any permission to allow my
application to connect back to its origin server... I'm sure I don't intend
to harm my own server system so why should a client set special permissions?

The worst thing is that I can't find a good article concerning security and
what I can do in various permission groups :(

Any thoughts?

Cristian

"Joe Kaplan (MVP - ADSI)" <jo************ *@removethis.ac centure.com> wrote
in message news:em******** *****@TK2MSFTNG P11.phx.gbl...
I'm not an expect at all in Java applet security, but I do know that the
.NET CAS model is very different.

Essentially, code is sorted into membership of different code groups based
on evidence it presents to the system. Evidence can be things like the URL it came from, it's strong name, etc. Based on the code groups it is put
into, it will be granted certain permissions.

Thus in your example, your code is presenting some evidence that gets it
included in a certain code group that is not granted the permission it needs to run. In order to fix this, you probably need to either:
- Get your code to fall into a code group that has the permissions you need - Modify the local security policy on the machine to ensure that some
evidence you can present will get you into a code group with the correct
permissions

As I was poking around in the default security policy, it looked to me that the Trusted_Zone code group gets special permission to connect back to its
site of origin. Do you know if IE is finding your site to be in Trusted
Sites? If so, based on what I can see you should be getting the permission you need.

If that won't work, then you might need to modify the local security policy. You could use a URL membership condition or perhaps a strong name.

Joe K.

"Crirus" <Cr****@datagro up.ro> wrote in message
news:%2******** ********@TK2MSF TNGP12.phx.gbl. ..
This is the scenario:
Clinet open the browser, access my server, receive a client app, embedded
in
IE that start running. Now, the client app need webPermission to connect
back to the same server and request some data...

My question is if this is allowed, I see no reason why I cant request data from my own server with my own client application... Any java applet can do
that

Java only restrict the acces to server on the same port 80 from where it

was
first downloaded

I'm kinda lost in the woods with this permissions...
So, do the client need to set some permisions? The permission I need is
WebPermission but i'm not sure how it works...


--
Cheers,
Crirus

------------------------------
If work were a good thing, the boss would take it all from you

------------------------------

"Joe Kaplan (MVP - ADSI)" <jo************ *@removethis.ac centure.com> wrote in message news:uL******** ********@TK2MSF TNGP11.phx.gbl. ..
Assuming that the code will not execute given the permissions it is

getting
in the zone it is running in, I'm pretty sure you aren't going to get this to work without changing some kind of security permissions on the client.
The reason is that if that code isn't granted the permission to do what it
needs to do, there is no way for the code to get around that. .NET

security
policy is administered on the local machine. The idea is that the
administrator gets to decide which resources get which permissions. Then, code is allowed to execute automatically with the permissions it is given. This is very different from the downloadable ActiveX control model
which asks the user for permission to install and run and then can do anything the
user has permissions to do on their machine.

Are you sure you can't make adjustments to the client machine security
policy? Are you sure the permission you need isn't already granted to the zone that the code executes in?

Joe K.

"Crirus" <Cr****@datagro up.ro> wrote in message
news:eC******** ********@TK2MSF TNGP09.phx.gbl. ..
> I have an application, embedded in IE (HTML assembly).
> That application needs to connect back to the server in order to get some data.
> What are the conditions to succeed without requesting any special permissions from the client? As an applet does it....
> Should I connect back to the server only using port 80?
> Right now the client app is served by Apache and the connection back is tried to another application on port 9500
>
> Changing security permission by the client is not an option
>
> --
> Cheers,
> Crirus
>
> ------------------------------
> If work were a good thing, the boss would take it all from you
>
> ------------------------------
>
> "Joe Kaplan (MVP - ADSI)" <jo************ *@removethis.ac centure.com> wrote in message news:OU******** ******@TK2MSFTN GP09.phx.gbl...
> > The best way to do this is to give just the assemblies that need Full Trust that permission.
> >
> > The reason it doesn't work in your situation is that when IE creates the AppDomain that it runs your code in, that AppDomain is created based on the URL which will have some sort of partial trust (unless that URL or the whole zone has been given Full Trust).
> >
> > Two things happen after that:
> > - If your assembly is not marked with the AllowPartiallyTrustedCallersAttribute, the partially trusted AppDomain that it is running in will not be able to call it.
> > - Any code that requires a permission will hit your assembly, where it will be granted due to your Full Trust, but will likely fail when the stack gets up to the partially trusted AppDomain since the AppDomain may not have that permission.
> >
> > You have basically two options to solve this:
> > - Make the AppDomain have Full Trust with something like a URL membership condition. This is the easiest thing to do, but is not very secure, especially if the URL is not very specific.
> > - Add the AllowPartiallyTrustedCallersAttribute and use Assert on the Permissions that you need when you need them to prevent the stack walk into the containing AppDomain. This is more work, but is vastly more secure and is the recommended approach.
> >
> > There have been some good articles on implementing the second approach. I believe Ivan Medvedev has some good info on his website. You might start there:
> > http://www.dotnetthis.com/Articles/WritingForSEE.htm
> >
> > Joe K.
> >
> > "Marina" <so*****@nospam .com> wrote in message
> > news:Os******** ******@TK2MSFTN GP09.phx.gbl...
> > > Hi,
> > >
> > > I am trying to find the minimum security settings to allow a windows control embedded in IE have full trust.
> > >
> > > If I give the entire Intranet zone full trust, this works. However, this is very broad and gives the entire zone high privileges.
> > >
> > > I tried giving just the assembly full trust (using the full URL for the DLL), but this doesn't seem to work.
> > >
> > > Any direction in how to accomplish this?

Nov 18 '05 #10
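
The approach recommended in the quoted reply (AllowPartiallyTrustedCallersAttribute plus a narrowly scoped Assert), applied to the WebPermission case asked about here. This is an added example, not code posted by anyone in the thread; the namespace, class name and `server.example` URL are hypothetical, and it assumes .NET Framework code access security with machine policy already granting this one assembly Full Trust.

```csharp
using System.IO;
using System.Net;
using System.Security;
using System.Security.Permissions;
using System.Windows.Forms;

// Lets the partially trusted, IE-created AppDomain call into this assembly.
// Granting the assembly Full Trust is still done in machine policy by an
// administrator; the attribute alone grants nothing.
[assembly: AllowPartiallyTrustedCallers]

namespace Example.Controls                        // hypothetical namespace
{
    public class OriginDataControl : UserControl  // hypothetical control
    {
        // Assumed fixed endpoint (port 9500 as in the thread). Never build
        // the asserted URL from caller-supplied input.
        private const string DataUrl = "http://server.example:9500/data";

        public string FetchData()
        {
            // Assert only the one permission needed, scoped to one URL.
            WebPermission perm = new WebPermission(NetworkAccess.Connect, DataUrl);
            perm.Assert();  // stack walk stops here, before the AppDomain
            try
            {
                WebRequest request = WebRequest.Create(DataUrl);
                using (WebResponse response = request.GetResponse())
                using (StreamReader reader =
                           new StreamReader(response.GetResponseStream()))
                {
                    return reader.ReadToEnd();
                }
            }
            catch (SecurityException ex)
            {
                // Raised when policy has not actually granted this assembly
                // WebPermission for DataUrl, so the Assert has no effect.
                return "Denied by policy: " + ex.Message;
            }
            finally
            {
                // Keep the window in which the assert is active small.
                CodeAccessPermission.RevertAssert();
            }
        }
    }
}
```

Because the assembly accepts partially trusted callers, every public member becomes reachable from the hosting page, so the asserted permission should stay tied to a constant target as it is here.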
