By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
443,505 Members | 1,206 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 443,505 IT Pros & Developers. It's quick & easy.

Adjusting security setting to run an embedded windows control in IE

P: n/a
Hi,

I am trying to find the minimum security settings to allow a windows control
embedded in IE have full trust.

If I give the entire Intranet zone full trust, this works. However, this is
very broad and gives the entire zone high privleges.

I tried giving just the assembly full trust (using the full URL for the
DLL), but this doesn't seem to work.

Any direction in how to accomplish this?
Nov 18 '05 #1
Share this Question
Share on Google+
16 Replies


P: n/a
The best way to do this is to give just the assemblies that need Full Trust
that permission.

The reason it doesn't work in your situation is that when IE creates the
AppDomain that it runs your code in, that AppDomain is created based on the
URL which will have some sort of partial trust (unless that URL or the whole
zone has been given Full Trust).

Two things happen after that:
- If your assembly is not marked with the
AllowPartiallyTrustedCallersAttribute, the partially trusted AppDomain that
it is running in will not be able to call it.
- Any code that requires a permission will hit your assembly, where it will
be granted due to your Full Trust, but will likely fail when the stack gets
up to the partially trusted AppDomain since the AppDomain may not have that
permission.

You have basically two options to solve this:
- Make the AppDomain have Full Trust with something like a URL membership
condition. This is the easiest thing to do, but is not very secure,
especially if the URL is not very specific.
- Add the AllowPartiallyTrustedCallersAttribute and use Assert on the
Permissions that you need when you need them to prevent the stack walk into
the containing AppDomain. This is more work, but is vastly more secure and
is the recommended approach.

There have been some good articles on implementing the second approach. I
believe Ivan Medvedev has some good info on his website. You might start
there:
http://www.dotnetthis.com/Articles/WritingForSEE.htm

Joe K.

"Marina" <so*****@nospam.com> wrote in message
news:Os**************@TK2MSFTNGP09.phx.gbl...
Hi,

I am trying to find the minimum security settings to allow a windows control embedded in IE have full trust.

If I give the entire Intranet zone full trust, this works. However, this is very broad and gives the entire zone high privleges.

I tried giving just the assembly full trust (using the full URL for the
DLL), but this doesn't seem to work.

Any direction in how to accomplish this?

Nov 18 '05 #2

P: n/a
This assembly is not a strongly named one, so I don't think option 2 would
work.

How does one go about giving an AppDomain full trust by using a URL
membership condition?

Thanks

"Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> wrote
in message news:OU**************@TK2MSFTNGP09.phx.gbl...
The best way to do this is to give just the assemblies that need Full Trust that permission.

The reason it doesn't work in your situation is that when IE creates the
AppDomain that it runs your code in, that AppDomain is created based on the URL which will have some sort of partial trust (unless that URL or the whole zone has been given Full Trust).

Two things happen after that:
- If your assembly is not marked with the
AllowPartiallyTrustedCallersAttribute, the partially trusted AppDomain that it is running in will not be able to call it.
- Any code that requires a permission will hit your assembly, where it will be granted due to your Full Trust, but will likely fail when the stack gets up to the partially trusted AppDomain since the AppDomain may not have that permission.

You have basically two options to solve this:
- Make the AppDomain have Full Trust with something like a URL membership
condition. This is the easiest thing to do, but is not very secure,
especially if the URL is not very specific.
- Add the AllowPartiallyTrustedCallersAttribute and use Assert on the
Permissions that you need when you need them to prevent the stack walk into the containing AppDomain. This is more work, but is vastly more secure and is the recommended approach.

There have been some good articles on implementing the second approach. I
believe Ivan Medvedev has some good info on his website. You might start
there:
http://www.dotnetthis.com/Articles/WritingForSEE.htm

Joe K.

"Marina" <so*****@nospam.com> wrote in message
news:Os**************@TK2MSFTNGP09.phx.gbl...
Hi,

I am trying to find the minimum security settings to allow a windows

control
embedded in IE have full trust.

If I give the entire Intranet zone full trust, this works. However, this

is
very broad and gives the entire zone high privleges.

I tried giving just the assembly full trust (using the full URL for the
DLL), but this doesn't seem to work.

Any direction in how to accomplish this?


Nov 18 '05 #3

P: n/a
Actually, I believe I was able to do this through the .net security
configuration tool.

"Marina" <so*****@nospam.com> wrote in message
news:uc**************@TK2MSFTNGP10.phx.gbl...
This assembly is not a strongly named one, so I don't think option 2 would
work.

How does one go about giving an AppDomain full trust by using a URL
membership condition?

Thanks

"Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> wrote
in message news:OU**************@TK2MSFTNGP09.phx.gbl...
The best way to do this is to give just the assemblies that need Full

Trust
that permission.

The reason it doesn't work in your situation is that when IE creates the
AppDomain that it runs your code in, that AppDomain is created based on

the
URL which will have some sort of partial trust (unless that URL or the

whole
zone has been given Full Trust).

Two things happen after that:
- If your assembly is not marked with the
AllowPartiallyTrustedCallersAttribute, the partially trusted AppDomain

that
it is running in will not be able to call it.
- Any code that requires a permission will hit your assembly, where it

will
be granted due to your Full Trust, but will likely fail when the stack

gets
up to the partially trusted AppDomain since the AppDomain may not have

that
permission.

You have basically two options to solve this:
- Make the AppDomain have Full Trust with something like a URL membership condition. This is the easiest thing to do, but is not very secure,
especially if the URL is not very specific.
- Add the AllowPartiallyTrustedCallersAttribute and use Assert on the
Permissions that you need when you need them to prevent the stack walk

into
the containing AppDomain. This is more work, but is vastly more secure

and
is the recommended approach.

There have been some good articles on implementing the second approach. I believe Ivan Medvedev has some good info on his website. You might start there:
http://www.dotnetthis.com/Articles/WritingForSEE.htm

Joe K.

"Marina" <so*****@nospam.com> wrote in message
news:Os**************@TK2MSFTNGP09.phx.gbl...
Hi,

I am trying to find the minimum security settings to allow a windows

control
embedded in IE have full trust.

If I give the entire Intranet zone full trust, this works. However, this
is
very broad and gives the entire zone high privleges.

I tried giving just the assembly full trust (using the full URL for

the DLL), but this doesn't seem to work.

Any direction in how to accomplish this?



Nov 18 '05 #4

P: n/a
Ok, glad you got it work.

Just so you remember that I said this is the less secure and thus less
preferred option.

Strong naming an assembly is generally quite simple and isn't a bit deal.
The other advantage is that you can easily deploy other assemblies with the
same storng name key later and have them get Full Trust as well.

Joe K.

"Marina" <so*****@nospam.com> wrote in message
news:O0**************@TK2MSFTNGP12.phx.gbl...
Actually, I believe I was able to do this through the .net security
configuration tool.

"Marina" <so*****@nospam.com> wrote in message
news:uc**************@TK2MSFTNGP10.phx.gbl...
This assembly is not a strongly named one, so I don't think option 2 would
work.

How does one go about giving an AppDomain full trust by using a URL
membership condition?

Thanks

"Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> wrote in message news:OU**************@TK2MSFTNGP09.phx.gbl...
The best way to do this is to give just the assemblies that need Full Trust
that permission.

The reason it doesn't work in your situation is that when IE creates the AppDomain that it runs your code in, that AppDomain is created based
on the
URL which will have some sort of partial trust (unless that URL or the

whole
zone has been given Full Trust).

Two things happen after that:
- If your assembly is not marked with the
AllowPartiallyTrustedCallersAttribute, the partially trusted AppDomain

that
it is running in will not be able to call it.
- Any code that requires a permission will hit your assembly, where
it will
be granted due to your Full Trust, but will likely fail when the stack

gets
up to the partially trusted AppDomain since the AppDomain may not have

that
permission.

You have basically two options to solve this:
- Make the AppDomain have Full Trust with something like a URL membership condition. This is the easiest thing to do, but is not very secure,
especially if the URL is not very specific.
- Add the AllowPartiallyTrustedCallersAttribute and use Assert on the
Permissions that you need when you need them to prevent the stack walk

into
the containing AppDomain. This is more work, but is vastly more
secure and
is the recommended approach.

There have been some good articles on implementing the second

approach. I believe Ivan Medvedev has some good info on his website. You might start there:
http://www.dotnetthis.com/Articles/WritingForSEE.htm

Joe K.

"Marina" <so*****@nospam.com> wrote in message
news:Os**************@TK2MSFTNGP09.phx.gbl...
> Hi,
>
> I am trying to find the minimum security settings to allow a windows
control
> embedded in IE have full trust.
>
> If I give the entire Intranet zone full trust, this works. However, this is
> very broad and gives the entire zone high privleges.
>
> I tried giving just the assembly full trust (using the full URL for the > DLL), but this doesn't seem to work.
>
> Any direction in how to accomplish this?
>
>



Nov 18 '05 #5

P: n/a
I have a application, embedded in IE (html assambly).
That aplication need to connect back to the server in order to get some
data.
What are conditions to succeed without requesting any special permissions
from client? As an applet do it....
Should I connect back to the server only using port 80?
Right now the client app is serverd by Apache and connection back is tryed
to another aplication on port 9500

Changing security permission by the client is not an option

--
Cheers,
Crirus

------------------------------
If work were a good thing, the boss would take it all from you

------------------------------

"Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> wrote
in message news:OU**************@TK2MSFTNGP09.phx.gbl...
The best way to do this is to give just the assemblies that need Full Trust that permission.

The reason it doesn't work in your situation is that when IE creates the
AppDomain that it runs your code in, that AppDomain is created based on the URL which will have some sort of partial trust (unless that URL or the whole zone has been given Full Trust).

Two things happen after that:
- If your assembly is not marked with the
AllowPartiallyTrustedCallersAttribute, the partially trusted AppDomain that it is running in will not be able to call it.
- Any code that requires a permission will hit your assembly, where it will be granted due to your Full Trust, but will likely fail when the stack gets up to the partially trusted AppDomain since the AppDomain may not have that permission.

You have basically two options to solve this:
- Make the AppDomain have Full Trust with something like a URL membership
condition. This is the easiest thing to do, but is not very secure,
especially if the URL is not very specific.
- Add the AllowPartiallyTrustedCallersAttribute and use Assert on the
Permissions that you need when you need them to prevent the stack walk into the containing AppDomain. This is more work, but is vastly more secure and is the recommended approach.

There have been some good articles on implementing the second approach. I
believe Ivan Medvedev has some good info on his website. You might start
there:
http://www.dotnetthis.com/Articles/WritingForSEE.htm

Joe K.

"Marina" <so*****@nospam.com> wrote in message
news:Os**************@TK2MSFTNGP09.phx.gbl...
Hi,

I am trying to find the minimum security settings to allow a windows

control
embedded in IE have full trust.

If I give the entire Intranet zone full trust, this works. However, this

is
very broad and gives the entire zone high privleges.

I tried giving just the assembly full trust (using the full URL for the
DLL), but this doesn't seem to work.

Any direction in how to accomplish this?


Nov 18 '05 #6

P: n/a
Assuming that the code will not execute given the permissions it is getting
in the zone it is running in, I'm pretty sure you aren't going to get this
to work without changing some kind of security permissions on the client.

The reason is that if that code isn't granted the permission to do what it
needs to do, there is no way for the code to get around that. .NET security
policy is administered on the local machine. The idea is that the
administrator gets to decide which resources get which permissions. Then,
code is allowed to execute automatically with the permissions it is given.
This is very different from the downloadable ActiveX control model which
asks the user for permission to install and run and then can do anything the
user has permissions to do on their machine.

Are you sure you can't make adjustments to the client machine security
policy? Are you sure the permission you need isn't already granted to the
zone that the code executes in?

Joe K.

"Crirus" <Cr****@datagroup.ro> wrote in message
news:eC****************@TK2MSFTNGP09.phx.gbl...
I have a application, embedded in IE (html assambly).
That aplication need to connect back to the server in order to get some
data.
What are conditions to succeed without requesting any special permissions
from client? As an applet do it....
Should I connect back to the server only using port 80?
Right now the client app is serverd by Apache and connection back is tryed
to another aplication on port 9500

Changing security permission by the client is not an option

--
Cheers,
Crirus

------------------------------
If work were a good thing, the boss would take it all from you

------------------------------

"Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> wrote
in message news:OU**************@TK2MSFTNGP09.phx.gbl...
The best way to do this is to give just the assemblies that need Full

Trust
that permission.

The reason it doesn't work in your situation is that when IE creates the
AppDomain that it runs your code in, that AppDomain is created based on

the
URL which will have some sort of partial trust (unless that URL or the

whole
zone has been given Full Trust).

Two things happen after that:
- If your assembly is not marked with the
AllowPartiallyTrustedCallersAttribute, the partially trusted AppDomain

that
it is running in will not be able to call it.
- Any code that requires a permission will hit your assembly, where it

will
be granted due to your Full Trust, but will likely fail when the stack

gets
up to the partially trusted AppDomain since the AppDomain may not have

that
permission.

You have basically two options to solve this:
- Make the AppDomain have Full Trust with something like a URL membership condition. This is the easiest thing to do, but is not very secure,
especially if the URL is not very specific.
- Add the AllowPartiallyTrustedCallersAttribute and use Assert on the
Permissions that you need when you need them to prevent the stack walk

into
the containing AppDomain. This is more work, but is vastly more secure

and
is the recommended approach.

There have been some good articles on implementing the second approach. I believe Ivan Medvedev has some good info on his website. You might start there:
http://www.dotnetthis.com/Articles/WritingForSEE.htm

Joe K.

"Marina" <so*****@nospam.com> wrote in message
news:Os**************@TK2MSFTNGP09.phx.gbl...
Hi,

I am trying to find the minimum security settings to allow a windows

control
embedded in IE have full trust.

If I give the entire Intranet zone full trust, this works. However, this
is
very broad and gives the entire zone high privleges.

I tried giving just the assembly full trust (using the full URL for

the DLL), but this doesn't seem to work.

Any direction in how to accomplish this?



Nov 18 '05 #7

P: n/a
This is the scenario:
Clinet open the browser, access my server, receive a client app, embedded in
IE that start running. Now, the client app need webPermission to connect
back to the same server and request some data...

My question is if this is allowed, I see no reason why I cant request data
from my own server with my own client application... Any java applet can do
that

Java only restrict the acces to server on the same port 80 from where it was
first downloaded

I'm kinda lost in the woods with this permissions...
So, do the client need to set some permisions? The permission I need is
WebPermission but i'm not sure how it works...


--
Cheers,
Crirus

------------------------------
If work were a good thing, the boss would take it all from you

------------------------------

"Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> wrote
in message news:uL****************@TK2MSFTNGP11.phx.gbl...
Assuming that the code will not execute given the permissions it is getting in the zone it is running in, I'm pretty sure you aren't going to get this
to work without changing some kind of security permissions on the client.

The reason is that if that code isn't granted the permission to do what it
needs to do, there is no way for the code to get around that. .NET security policy is administered on the local machine. The idea is that the
administrator gets to decide which resources get which permissions. Then,
code is allowed to execute automatically with the permissions it is given.
This is very different from the downloadable ActiveX control model which
asks the user for permission to install and run and then can do anything the user has permissions to do on their machine.

Are you sure you can't make adjustments to the client machine security
policy? Are you sure the permission you need isn't already granted to the
zone that the code executes in?

Joe K.

"Crirus" <Cr****@datagroup.ro> wrote in message
news:eC****************@TK2MSFTNGP09.phx.gbl...
I have a application, embedded in IE (html assambly).
That aplication need to connect back to the server in order to get some
data.
What are conditions to succeed without requesting any special permissions
from client? As an applet do it....
Should I connect back to the server only using port 80?
Right now the client app is serverd by Apache and connection back is tryed to another aplication on port 9500

Changing security permission by the client is not an option

--
Cheers,
Crirus

------------------------------
If work were a good thing, the boss would take it all from you

------------------------------

"Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> wrote in message news:OU**************@TK2MSFTNGP09.phx.gbl...
The best way to do this is to give just the assemblies that need Full Trust
that permission.

The reason it doesn't work in your situation is that when IE creates the AppDomain that it runs your code in, that AppDomain is created based
on the
URL which will have some sort of partial trust (unless that URL or the

whole
zone has been given Full Trust).

Two things happen after that:
- If your assembly is not marked with the
AllowPartiallyTrustedCallersAttribute, the partially trusted AppDomain

that
it is running in will not be able to call it.
- Any code that requires a permission will hit your assembly, where
it will
be granted due to your Full Trust, but will likely fail when the stack

gets
up to the partially trusted AppDomain since the AppDomain may not have

that
permission.

You have basically two options to solve this:
- Make the AppDomain have Full Trust with something like a URL membership condition. This is the easiest thing to do, but is not very secure,
especially if the URL is not very specific.
- Add the AllowPartiallyTrustedCallersAttribute and use Assert on the
Permissions that you need when you need them to prevent the stack walk

into
the containing AppDomain. This is more work, but is vastly more
secure and
is the recommended approach.

There have been some good articles on implementing the second

approach. I believe Ivan Medvedev has some good info on his website. You might start there:
http://www.dotnetthis.com/Articles/WritingForSEE.htm

Joe K.

"Marina" <so*****@nospam.com> wrote in message
news:Os**************@TK2MSFTNGP09.phx.gbl...
> Hi,
>
> I am trying to find the minimum security settings to allow a windows
control
> embedded in IE have full trust.
>
> If I give the entire Intranet zone full trust, this works. However, this is
> very broad and gives the entire zone high privleges.
>
> I tried giving just the assembly full trust (using the full URL for the > DLL), but this doesn't seem to work.
>
> Any direction in how to accomplish this?
>
>



Nov 18 '05 #8

P: n/a
I'm not an expect at all in Java applet security, but I do know that the
..NET CAS model is very different.

Essentially, code is sorted into membership of different code groups based
on evidence it presents to the system. Evidence can be things like the URL
it came from, it's strong name, etc. Based on the code groups it is put
into, it will be granted certain permissions.

Thus in your example, your code is presenting some evidence that gets it
included in a certain code group that is not granted the permission it needs
to run. In order to fix this, you probably need to either:
- Get your code to fall into a code group that has the permissions you need
- Modify the local security policy on the machine to ensure that some
evidence you can present will get you into a code group with the correct
permissions

As I was poking around in the default security policy, it looked to me that
the Trusted_Zone code group gets special permission to connect back to its
site of origin. Do you know if IE is finding your site to be in Trusted
Sites? If so, based on what I can see you should be getting the permission
you need.

If that won't work, then you might need to modify the local security policy.
You could use a URL membership condition or perhaps a strong name.

Joe K.

"Crirus" <Cr****@datagroup.ro> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl...
This is the scenario:
Clinet open the browser, access my server, receive a client app, embedded in IE that start running. Now, the client app need webPermission to connect
back to the same server and request some data...

My question is if this is allowed, I see no reason why I cant request data
from my own server with my own client application... Any java applet can do that

Java only restrict the acces to server on the same port 80 from where it was first downloaded

I'm kinda lost in the woods with this permissions...
So, do the client need to set some permisions? The permission I need is
WebPermission but i'm not sure how it works...


--
Cheers,
Crirus

------------------------------
If work were a good thing, the boss would take it all from you

------------------------------

"Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> wrote
in message news:uL****************@TK2MSFTNGP11.phx.gbl...
Assuming that the code will not execute given the permissions it is

getting
in the zone it is running in, I'm pretty sure you aren't going to get this
to work without changing some kind of security permissions on the client.
The reason is that if that code isn't granted the permission to do what it needs to do, there is no way for the code to get around that. .NET

security
policy is administered on the local machine. The idea is that the
administrator gets to decide which resources get which permissions. Then, code is allowed to execute automatically with the permissions it is given. This is very different from the downloadable ActiveX control model which
asks the user for permission to install and run and then can do anything

the
user has permissions to do on their machine.

Are you sure you can't make adjustments to the client machine security
policy? Are you sure the permission you need isn't already granted to the zone that the code executes in?

Joe K.

"Crirus" <Cr****@datagroup.ro> wrote in message
news:eC****************@TK2MSFTNGP09.phx.gbl...
I have a application, embedded in IE (html assambly).
That aplication need to connect back to the server in order to get some data.
What are conditions to succeed without requesting any special permissions from client? As an applet do it....
Should I connect back to the server only using port 80?
Right now the client app is serverd by Apache and connection back is tryed to another aplication on port 9500

Changing security permission by the client is not an option

--
Cheers,
Crirus

------------------------------
If work were a good thing, the boss would take it all from you

------------------------------

"Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> wrote in message news:OU**************@TK2MSFTNGP09.phx.gbl...
> The best way to do this is to give just the assemblies that need Full Trust
> that permission.
>
> The reason it doesn't work in your situation is that when IE creates the > AppDomain that it runs your code in, that AppDomain is created based on the
> URL which will have some sort of partial trust (unless that URL or the whole
> zone has been given Full Trust).
>
> Two things happen after that:
> - If your assembly is not marked with the
> AllowPartiallyTrustedCallersAttribute, the partially trusted AppDomain that
> it is running in will not be able to call it.
> - Any code that requires a permission will hit your assembly, where it will
> be granted due to your Full Trust, but will likely fail when the stack gets
> up to the partially trusted AppDomain since the AppDomain may not have that
> permission.
>
> You have basically two options to solve this:
> - Make the AppDomain have Full Trust with something like a URL

membership
> condition. This is the easiest thing to do, but is not very secure,
> especially if the URL is not very specific.
> - Add the AllowPartiallyTrustedCallersAttribute and use Assert on the > Permissions that you need when you need them to prevent the stack walk into
> the containing AppDomain. This is more work, but is vastly more secure and
> is the recommended approach.
>
> There have been some good articles on implementing the second

approach.
I
> believe Ivan Medvedev has some good info on his website. You might

start
> there:
> http://www.dotnetthis.com/Articles/WritingForSEE.htm
>
> Joe K.
>
> "Marina" <so*****@nospam.com> wrote in message
> news:Os**************@TK2MSFTNGP09.phx.gbl...
> > Hi,
> >
> > I am trying to find the minimum security settings to allow a windows > control
> > embedded in IE have full trust.
> >
> > If I give the entire Intranet zone full trust, this works.

However, this
> is
> > very broad and gives the entire zone high privleges.
> >
> > I tried giving just the assembly full trust (using the full URL
for the
> > DLL), but this doesn't seem to work.
> >
> > Any direction in how to accomplish this?
> >
> >
>
>



Nov 18 '05 #9

P: n/a
Well, I'm sure if I grand certain permission to my code it works
My hope is that client dont need any to set any permission to allow my
application to connect back to it's origin server... I'm sure I dont intend
to harm my own server system so why should a client set special permissions?

the worse thing is that cant find a good article concerning security and
what can I do in various permissions groups :(

Any thoughts?

Cristian

"Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> wrote
in message news:em*************@TK2MSFTNGP11.phx.gbl...
I'm not an expect at all in Java applet security, but I do know that the
.NET CAS model is very different.

Essentially, code is sorted into membership of different code groups based
on evidence it presents to the system. Evidence can be things like the URL it came from, it's strong name, etc. Based on the code groups it is put
into, it will be granted certain permissions.

Thus in your example, your code is presenting some evidence that gets it
included in a certain code group that is not granted the permission it needs to run. In order to fix this, you probably need to either:
- Get your code to fall into a code group that has the permissions you need - Modify the local security policy on the machine to ensure that some
evidence you can present will get you into a code group with the correct
permissions

As I was poking around in the default security policy, it looked to me that the Trusted_Zone code group gets special permission to connect back to its
site of origin. Do you know if IE is finding your site to be in Trusted
Sites? If so, based on what I can see you should be getting the permission you need.

If that won't work, then you might need to modify the local security policy. You could use a URL membership condition or perhaps a strong name.

Joe K.

"Crirus" <Cr****@datagroup.ro> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl...
This is the scenario:
Clinet open the browser, access my server, receive a client app, embedded
in
IE that start running. Now, the client app need webPermission to connect
back to the same server and request some data...

My question is if this is allowed, I see no reason why I cant request data from my own server with my own client application... Any java applet can do
that

Java only restrict the acces to server on the same port 80 from where it

was
first downloaded

I'm kinda lost in the woods with this permissions...
So, do the client need to set some permisions? The permission I need is
WebPermission but i'm not sure how it works...


--
Cheers,
Crirus

------------------------------
If work were a good thing, the boss would take it all from you

------------------------------

"Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> wrote in message news:uL****************@TK2MSFTNGP11.phx.gbl...
Assuming that the code will not execute given the permissions it is

getting
in the zone it is running in, I'm pretty sure you aren't going to get this to work without changing some kind of security permissions on the client.
The reason is that if that code isn't granted the permission to do what it
needs to do, there is no way for the code to get around that. .NET

security
policy is administered on the local machine. The idea is that the
administrator gets to decide which resources get which permissions. Then, code is allowed to execute automatically with the permissions it is given. This is very different from the downloadable ActiveX control model
which asks the user for permission to install and run and then can do anything the
user has permissions to do on their machine.

Are you sure you can't make adjustments to the client machine security
policy? Are you sure the permission you need isn't already granted to the zone that the code executes in?

Joe K.

"Crirus" <Cr****@datagroup.ro> wrote in message
news:eC****************@TK2MSFTNGP09.phx.gbl...
> I have a application, embedded in IE (html assambly).
> That aplication need to connect back to the server in order to get some > data.
> What are conditions to succeed without requesting any special

permissions
> from client? As an applet do it....
> Should I connect back to the server only using port 80?
> Right now the client app is serverd by Apache and connection back is

tryed
> to another aplication on port 9500
>
> Changing security permission by the client is not an option
>
> --
> Cheers,
> Crirus
>
> ------------------------------
> If work were a good thing, the boss would take it all from you
>
> ------------------------------
>
> "Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com>

wrote
> in message news:OU**************@TK2MSFTNGP09.phx.gbl...
> > The best way to do this is to give just the assemblies that need Full > Trust
> > that permission.
> >
> > The reason it doesn't work in your situation is that when IE
creates the
> > AppDomain that it runs your code in, that AppDomain is created
based on
> the
> > URL which will have some sort of partial trust (unless that URL or the > whole
> > zone has been given Full Trust).
> >
> > Two things happen after that:
> > - If your assembly is not marked with the
> > AllowPartiallyTrustedCallersAttribute, the partially trusted AppDomain > that
> > it is running in will not be able to call it.
> > - Any code that requires a permission will hit your assembly,
where it
> will
> > be granted due to your Full Trust, but will likely fail when the

stack > gets
> > up to the partially trusted AppDomain since the AppDomain may not have > that
> > permission.
> >
> > You have basically two options to solve this:
> > - Make the AppDomain have Full Trust with something like a URL
membership
> > condition. This is the easiest thing to do, but is not very
secure, > > especially if the URL is not very specific.
> > - Add the AllowPartiallyTrustedCallersAttribute and use Assert on

the > > Permissions that you need when you need them to prevent the stack walk > into
> > the containing AppDomain. This is more work, but is vastly more

secure
> and
> > is the recommended approach.
> >
> > There have been some good articles on implementing the second

approach.
I
> > believe Ivan Medvedev has some good info on his website. You might start
> > there:
> > http://www.dotnetthis.com/Articles/WritingForSEE.htm
> >
> > Joe K.
> >
> > "Marina" <so*****@nospam.com> wrote in message
> > news:Os**************@TK2MSFTNGP09.phx.gbl...
> > > Hi,
> > >
> > > I am trying to find the minimum security settings to allow a windows > > control
> > > embedded in IE have full trust.
> > >
> > > If I give the entire Intranet zone full trust, this works. However, this
> > is
> > > very broad and gives the entire zone high privleges.
> > >
> > > I tried giving just the assembly full trust (using the full URL for the
> > > DLL), but this doesn't seem to work.
> > >
> > > Any direction in how to accomplish this?
> > >
> > >
> >
> >
>
>



Nov 18 '05 #10

P: n/a
Do you know what code group your code is getting assigned? Also, do you
know specifically what permission is being demanded that is failing your
case?

Joe K.

"Crirus" <Cr****@hotmail.com> wrote in message
news:%2***************@TK2MSFTNGP12.phx.gbl...
Well, I'm sure if I grand certain permission to my code it works
My hope is that client dont need any to set any permission to allow my
application to connect back to it's origin server... I'm sure I dont intend to harm my own server system so why should a client set special permissions?
the worse thing is that cant find a good article concerning security and
what can I do in various permissions groups :(

Any thoughts?

Cristian

"Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> wrote
in message news:em*************@TK2MSFTNGP11.phx.gbl...
I'm not an expect at all in Java applet security, but I do know that the
.NET CAS model is very different.

Essentially, code is sorted into membership of different code groups based
on evidence it presents to the system. Evidence can be things like the

URL
it came from, it's strong name, etc. Based on the code groups it is put
into, it will be granted certain permissions.

Thus in your example, your code is presenting some evidence that gets it
included in a certain code group that is not granted the permission it

needs
to run. In order to fix this, you probably need to either:
- Get your code to fall into a code group that has the permissions you

need
- Modify the local security policy on the machine to ensure that some
evidence you can present will get you into a code group with the correct
permissions

As I was poking around in the default security policy, it looked to me

that
the Trusted_Zone code group gets special permission to connect back to its site of origin. Do you know if IE is finding your site to be in Trusted
Sites? If so, based on what I can see you should be getting the

permission
you need.

If that won't work, then you might need to modify the local security

policy.
You could use a URL membership condition or perhaps a strong name.

Joe K.

"Crirus" <Cr****@datagroup.ro> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl...
This is the scenario:
Clinet open the browser, access my server, receive a client app, embedded
in
IE that start running. Now, the client app need webPermission to connect back to the same server and request some data...

My question is if this is allowed, I see no reason why I cant request

data from my own server with my own client application... Any java applet can do
that

Java only restrict the acces to server on the same port 80 from where
it
was
first downloaded

I'm kinda lost in the woods with this permissions...
So, do the client need to set some permisions? The permission I need
is WebPermission but i'm not sure how it works...


--
Cheers,
Crirus

------------------------------
If work were a good thing, the boss would take it all from you

------------------------------

"Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com>

wrote in message news:uL****************@TK2MSFTNGP11.phx.gbl...
> Assuming that the code will not execute given the permissions it is
getting
> in the zone it is running in, I'm pretty sure you aren't going to get this
> to work without changing some kind of security permissions on the

client.
>
> The reason is that if that code isn't granted the permission to do what
it
> needs to do, there is no way for the code to get around that. .NET
security
> policy is administered on the local machine. The idea is that the
> administrator gets to decide which resources get which permissions.

Then,
> code is allowed to execute automatically with the permissions it is

given.
> This is very different from the downloadable ActiveX control model which > asks the user for permission to install and run and then can do anything the
> user has permissions to do on their machine.
>
> Are you sure you can't make adjustments to the client machine
security > policy? Are you sure the permission you need isn't already granted to the
> zone that the code executes in?
>
> Joe K.
>
> "Crirus" <Cr****@datagroup.ro> wrote in message
> news:eC****************@TK2MSFTNGP09.phx.gbl...
> > I have a application, embedded in IE (html assambly).
> > That aplication need to connect back to the server in order to get

some
> > data.
> > What are conditions to succeed without requesting any special
permissions
> > from client? As an applet do it....
> > Should I connect back to the server only using port 80?
> > Right now the client app is serverd by Apache and connection back
is tryed
> > to another aplication on port 9500
> >
> > Changing security permission by the client is not an option
> >
> > --
> > Cheers,
> > Crirus
> >
> > ------------------------------
> > If work were a good thing, the boss would take it all from you
> >
> > ------------------------------
> >
> > "Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> wrote
> > in message news:OU**************@TK2MSFTNGP09.phx.gbl...
> > > The best way to do this is to give just the assemblies that need

Full
> > Trust
> > > that permission.
> > >
> > > The reason it doesn't work in your situation is that when IE

creates the
> > > AppDomain that it runs your code in, that AppDomain is created based on
> > the
> > > URL which will have some sort of partial trust (unless that URL
or the
> > whole
> > > zone has been given Full Trust).
> > >
> > > Two things happen after that:
> > > - If your assembly is not marked with the
> > > AllowPartiallyTrustedCallersAttribute, the partially trusted

AppDomain
> > that
> > > it is running in will not be able to call it.
> > > - Any code that requires a permission will hit your assembly, where it
> > will
> > > be granted due to your Full Trust, but will likely fail when the

stack
> > gets
> > > up to the partially trusted AppDomain since the AppDomain may
not have
> > that
> > > permission.
> > >
> > > You have basically two options to solve this:
> > > - Make the AppDomain have Full Trust with something like a URL
> membership
> > > condition. This is the easiest thing to do, but is not very secure, > > > especially if the URL is not very specific.
> > > - Add the AllowPartiallyTrustedCallersAttribute and use Assert
on the
> > > Permissions that you need when you need them to prevent the
stack walk
> > into
> > > the containing AppDomain. This is more work, but is vastly more
secure
> > and
> > > is the recommended approach.
> > >
> > > There have been some good articles on implementing the second
approach.
> I
> > > believe Ivan Medvedev has some good info on his website. You might > start
> > > there:
> > > http://www.dotnetthis.com/Articles/WritingForSEE.htm
> > >
> > > Joe K.
> > >
> > > "Marina" <so*****@nospam.com> wrote in message
> > > news:Os**************@TK2MSFTNGP09.phx.gbl...
> > > > Hi,
> > > >
> > > > I am trying to find the minimum security settings to allow a

windows
> > > control
> > > > embedded in IE have full trust.
> > > >
> > > > If I give the entire Intranet zone full trust, this works.

However,
> this
> > > is
> > > > very broad and gives the entire zone high privleges.
> > > >
> > > > I tried giving just the assembly full trust (using the full

URL for
> the
> > > > DLL), but this doesn't seem to work.
> > > >
> > > > Any direction in how to accomplish this?
> > > >
> > > >
> > >
> > >
> >
> >
>
>



Nov 18 '05 #11

P: n/a
I need WebPermission in order to send data from server to client.
It's a little fuzzy how all this security work, but as I understood, I can
restrict the code with some permissions.
In my case, I can force my code to connect back to my server only...
In the mean time, my code need permission from client to do that connection?

I was hoping that a html embedded assembly can connect back to it's origin
server without asking permission to do that..
--
Cheers,
Crirus

------------------------------
If work were a good thing, the boss would take it all from you

------------------------------

"Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> wrote
in message news:%2******************@TK2MSFTNGP11.phx.gbl...
Do you know what code group your code is getting assigned? Also, do you
know specifically what permission is being demanded that is failing your
case?

Joe K.

"Crirus" <Cr****@hotmail.com> wrote in message
news:%2***************@TK2MSFTNGP12.phx.gbl...
Well, I'm sure if I grand certain permission to my code it works
My hope is that client dont need any to set any permission to allow my
application to connect back to it's origin server... I'm sure I dont intend
to harm my own server system so why should a client set special

permissions?

the worse thing is that cant find a good article concerning security and
what can I do in various permissions groups :(

Any thoughts?

Cristian

"Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> wrote in message news:em*************@TK2MSFTNGP11.phx.gbl...
I'm not an expect at all in Java applet security, but I do know that the .NET CAS model is very different.

Essentially, code is sorted into membership of different code groups based on evidence it presents to the system. Evidence can be things like the URL
it came from, it's strong name, etc. Based on the code groups it is
put into, it will be granted certain permissions.

Thus in your example, your code is presenting some evidence that gets it included in a certain code group that is not granted the permission it

needs
to run. In order to fix this, you probably need to either:
- Get your code to fall into a code group that has the permissions you
need
- Modify the local security policy on the machine to ensure that some
evidence you can present will get you into a code group with the
correct permissions

As I was poking around in the default security policy, it looked to me

that
the Trusted_Zone code group gets special permission to connect back to

its site of origin. Do you know if IE is finding your site to be in Trusted Sites? If so, based on what I can see you should be getting the

permission
you need.

If that won't work, then you might need to modify the local security

policy.
You could use a URL membership condition or perhaps a strong name.

Joe K.

"Crirus" <Cr****@datagroup.ro> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl...
> This is the scenario:
> Clinet open the browser, access my server, receive a client app,

embedded
in
> IE that start running. Now, the client app need webPermission to connect > back to the same server and request some data...
>
> My question is if this is allowed, I see no reason why I cant request data
> from my own server with my own client application... Any java applet can do
> that
>
> Java only restrict the acces to server on the same port 80 from
where it was
> first downloaded
>
> I'm kinda lost in the woods with this permissions...
> So, do the client need to set some permisions? The permission I need is > WebPermission but i'm not sure how it works...
>
>
>
>
> --
> Cheers,
> Crirus
>
> ------------------------------
> If work were a good thing, the boss would take it all from you
>
> ------------------------------
>
> "Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> wrote
> in message news:uL****************@TK2MSFTNGP11.phx.gbl...
> > Assuming that the code will not execute given the permissions it
is > getting
> > in the zone it is running in, I'm pretty sure you aren't going to

get this
> > to work without changing some kind of security permissions on the
client.
> >
> > The reason is that if that code isn't granted the permission to do

what
it
> > needs to do, there is no way for the code to get around that. ..NET > security
> > policy is administered on the local machine. The idea is that the
> > administrator gets to decide which resources get which permissions. Then,
> > code is allowed to execute automatically with the permissions it is given.
> > This is very different from the downloadable ActiveX control model

which
> > asks the user for permission to install and run and then can do

anything
> the
> > user has permissions to do on their machine.
> >
> > Are you sure you can't make adjustments to the client machine security > > policy? Are you sure the permission you need isn't already granted to
the
> > zone that the code executes in?
> >
> > Joe K.
> >
> > "Crirus" <Cr****@datagroup.ro> wrote in message
> > news:eC****************@TK2MSFTNGP09.phx.gbl...
> > > I have a application, embedded in IE (html assambly).
> > > That aplication need to connect back to the server in order to
get some
> > > data.
> > > What are conditions to succeed without requesting any special
> permissions
> > > from client? As an applet do it....
> > > Should I connect back to the server only using port 80?
> > > Right now the client app is serverd by Apache and connection back
is > tryed
> > > to another aplication on port 9500
> > >
> > > Changing security permission by the client is not an option
> > >
> > > --
> > > Cheers,
> > > Crirus
> > >
> > > ------------------------------
> > > If work were a good thing, the boss would take it all from you
> > >
> > > ------------------------------
> > >
> > > "Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> > wrote
> > > in message news:OU**************@TK2MSFTNGP09.phx.gbl...
> > > > The best way to do this is to give just the assemblies that
need Full
> > > Trust
> > > > that permission.
> > > >
> > > > The reason it doesn't work in your situation is that when IE creates
> the
> > > > AppDomain that it runs your code in, that AppDomain is created

based
> on
> > > the
> > > > URL which will have some sort of partial trust (unless that URL or the
> > > whole
> > > > zone has been given Full Trust).
> > > >
> > > > Two things happen after that:
> > > > - If your assembly is not marked with the
> > > > AllowPartiallyTrustedCallersAttribute, the partially trusted
AppDomain
> > > that
> > > > it is running in will not be able to call it.
> > > > - Any code that requires a permission will hit your assembly, where
> it
> > > will
> > > > be granted due to your Full Trust, but will likely fail when
the stack
> > > gets
> > > > up to the partially trusted AppDomain since the AppDomain may

not have
> > > that
> > > > permission.
> > > >
> > > > You have basically two options to solve this:
> > > > - Make the AppDomain have Full Trust with something like a URL > > membership
> > > > condition. This is the easiest thing to do, but is not very

secure,
> > > > especially if the URL is not very specific.
> > > > - Add the AllowPartiallyTrustedCallersAttribute and use Assert on
the
> > > > Permissions that you need when you need them to prevent the stack walk
> > > into
> > > > the containing AppDomain. This is more work, but is vastly
more > secure
> > > and
> > > > is the recommended approach.
> > > >
> > > > There have been some good articles on implementing the second
> approach.
> > I
> > > > believe Ivan Medvedev has some good info on his website. You

might
> > start
> > > > there:
> > > > http://www.dotnetthis.com/Articles/WritingForSEE.htm
> > > >
> > > > Joe K.
> > > >
> > > > "Marina" <so*****@nospam.com> wrote in message
> > > > news:Os**************@TK2MSFTNGP09.phx.gbl...
> > > > > Hi,
> > > > >
> > > > > I am trying to find the minimum security settings to allow a
windows
> > > > control
> > > > > embedded in IE have full trust.
> > > > >
> > > > > If I give the entire Intranet zone full trust, this works.
However,
> > this
> > > > is
> > > > > very broad and gives the entire zone high privleges.
> > > > >
> > > > > I tried giving just the assembly full trust (using the full

URL for
> > the
> > > > > DLL), but this doesn't seem to work.
> > > > >
> > > > > Any direction in how to accomplish this?
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>



Nov 18 '05 #12

P: n/a
This is the result of caspol (on both machines the same)

Level = Enterprise
Code Groups:
1. All code: FullTrust

Level = Machine
Code Groups:
1. All code: Nothing
1.3. Zone - Internet: Internet
1.3.1. All code: Same site Web.

Level = User
Code Groups:
1. All code: FullTrust
Anyway, on my PC, everything works fine, but on another intranet Pc it raise
WebPermission

Any ideea why?

Crirus

"Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> wrote
in message news:#7**************@TK2MSFTNGP11.phx.gbl...
Do you know what code group your code is getting assigned? Also, do you
know specifically what permission is being demanded that is failing your
case?

Joe K.

"Crirus" <Cr****@hotmail.com> wrote in message
news:%2***************@TK2MSFTNGP12.phx.gbl...
Well, I'm sure if I grand certain permission to my code it works
My hope is that client dont need any to set any permission to allow my
application to connect back to it's origin server... I'm sure I dont intend
to harm my own server system so why should a client set special

permissions?

the worse thing is that cant find a good article concerning security and
what can I do in various permissions groups :(

Any thoughts?

Cristian

"Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> wrote in message news:em*************@TK2MSFTNGP11.phx.gbl...
I'm not an expect at all in Java applet security, but I do know that the .NET CAS model is very different.

Essentially, code is sorted into membership of different code groups based on evidence it presents to the system. Evidence can be things like the URL
it came from, it's strong name, etc. Based on the code groups it is
put into, it will be granted certain permissions.

Thus in your example, your code is presenting some evidence that gets it included in a certain code group that is not granted the permission it

needs
to run. In order to fix this, you probably need to either:
- Get your code to fall into a code group that has the permissions you
need
- Modify the local security policy on the machine to ensure that some
evidence you can present will get you into a code group with the
correct permissions

As I was poking around in the default security policy, it looked to me

that
the Trusted_Zone code group gets special permission to connect back to

its site of origin. Do you know if IE is finding your site to be in Trusted Sites? If so, based on what I can see you should be getting the

permission
you need.

If that won't work, then you might need to modify the local security

policy.
You could use a URL membership condition or perhaps a strong name.

Joe K.

"Crirus" <Cr****@datagroup.ro> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl...
> This is the scenario:
> Clinet open the browser, access my server, receive a client app,

embedded
in
> IE that start running. Now, the client app need webPermission to connect > back to the same server and request some data...
>
> My question is if this is allowed, I see no reason why I cant request data
> from my own server with my own client application... Any java applet can do
> that
>
> Java only restrict the acces to server on the same port 80 from
where it was
> first downloaded
>
> I'm kinda lost in the woods with this permissions...
> So, do the client need to set some permisions? The permission I need is > WebPermission but i'm not sure how it works...
>
>
>
>
> --
> Cheers,
> Crirus
>
> ------------------------------
> If work were a good thing, the boss would take it all from you
>
> ------------------------------
>
> "Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> wrote
> in message news:uL****************@TK2MSFTNGP11.phx.gbl...
> > Assuming that the code will not execute given the permissions it
is > getting
> > in the zone it is running in, I'm pretty sure you aren't going to

get this
> > to work without changing some kind of security permissions on the
client.
> >
> > The reason is that if that code isn't granted the permission to do

what
it
> > needs to do, there is no way for the code to get around that. ..NET > security
> > policy is administered on the local machine. The idea is that the
> > administrator gets to decide which resources get which permissions. Then,
> > code is allowed to execute automatically with the permissions it is given.
> > This is very different from the downloadable ActiveX control model

which
> > asks the user for permission to install and run and then can do

anything
> the
> > user has permissions to do on their machine.
> >
> > Are you sure you can't make adjustments to the client machine security > > policy? Are you sure the permission you need isn't already granted to
the
> > zone that the code executes in?
> >
> > Joe K.
> >
> > "Crirus" <Cr****@datagroup.ro> wrote in message
> > news:eC****************@TK2MSFTNGP09.phx.gbl...
> > > I have a application, embedded in IE (html assambly).
> > > That aplication need to connect back to the server in order to
get some
> > > data.
> > > What are conditions to succeed without requesting any special
> permissions
> > > from client? As an applet do it....
> > > Should I connect back to the server only using port 80?
> > > Right now the client app is serverd by Apache and connection back
is > tryed
> > > to another aplication on port 9500
> > >
> > > Changing security permission by the client is not an option
> > >
> > > --
> > > Cheers,
> > > Crirus
> > >
> > > ------------------------------
> > > If work were a good thing, the boss would take it all from you
> > >
> > > ------------------------------
> > >
> > > "Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> > wrote
> > > in message news:OU**************@TK2MSFTNGP09.phx.gbl...
> > > > The best way to do this is to give just the assemblies that
need Full
> > > Trust
> > > > that permission.
> > > >
> > > > The reason it doesn't work in your situation is that when IE creates
> the
> > > > AppDomain that it runs your code in, that AppDomain is created

based
> on
> > > the
> > > > URL which will have some sort of partial trust (unless that URL or the
> > > whole
> > > > zone has been given Full Trust).
> > > >
> > > > Two things happen after that:
> > > > - If your assembly is not marked with the
> > > > AllowPartiallyTrustedCallersAttribute, the partially trusted
AppDomain
> > > that
> > > > it is running in will not be able to call it.
> > > > - Any code that requires a permission will hit your assembly, where
> it
> > > will
> > > > be granted due to your Full Trust, but will likely fail when
the stack
> > > gets
> > > > up to the partially trusted AppDomain since the AppDomain may

not have
> > > that
> > > > permission.
> > > >
> > > > You have basically two options to solve this:
> > > > - Make the AppDomain have Full Trust with something like a URL > > membership
> > > > condition. This is the easiest thing to do, but is not very

secure,
> > > > especially if the URL is not very specific.
> > > > - Add the AllowPartiallyTrustedCallersAttribute and use Assert on
the
> > > > Permissions that you need when you need them to prevent the stack walk
> > > into
> > > > the containing AppDomain. This is more work, but is vastly
more > secure
> > > and
> > > > is the recommended approach.
> > > >
> > > > There have been some good articles on implementing the second
> approach.
> > I
> > > > believe Ivan Medvedev has some good info on his website. You

might
> > start
> > > > there:
> > > > http://www.dotnetthis.com/Articles/WritingForSEE.htm
> > > >
> > > > Joe K.
> > > >
> > > > "Marina" <so*****@nospam.com> wrote in message
> > > > news:Os**************@TK2MSFTNGP09.phx.gbl...
> > > > > Hi,
> > > > >
> > > > > I am trying to find the minimum security settings to allow a
windows
> > > > control
> > > > > embedded in IE have full trust.
> > > > >
> > > > > If I give the entire Intranet zone full trust, this works.
However,
> > this
> > > > is
> > > > > very broad and gives the entire zone high privleges.
> > > > >
> > > > > I tried giving just the assembly full trust (using the full

URL for
> > the
> > > > > DLL), but this doesn't seem to work.
> > > > >
> > > > > Any direction in how to accomplish this?
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>



Nov 18 '05 #13

P: n/a
Just out of curiosity, what does the code look like in the HttpWebRequest
that you are doing? Are you sure the Uri matches the hostname of the Uri
you browse from?

My guess is that the WebPermission that is being demanded makes a comparison
along those lines and a mismatch in the hostname could cause a problem. It
could be a mismatch between hostname and IP address or something.

You could try creating a WebPermission with the Uri you are going to use and
demanding that in a Try/Catch block so you can see the error and provide
more detailed feedback.

Joe K.

"Crirus" <Cr****@hotmail.com> wrote in message
news:uK**************@TK2MSFTNGP11.phx.gbl...
This is the result of caspol (on both machines the same)

Level = Enterprise
Code Groups:
1. All code: FullTrust

Level = Machine
Code Groups:
1. All code: Nothing
1.3. Zone - Internet: Internet
1.3.1. All code: Same site Web.

Level = User
Code Groups:
1. All code: FullTrust
Anyway, on my PC, everything works fine, but on another intranet Pc it raise WebPermission

Any ideea why?

Crirus

"Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> wrote
in message news:#7**************@TK2MSFTNGP11.phx.gbl...
Do you know what code group your code is getting assigned? Also, do you
know specifically what permission is being demanded that is failing your
case?

Joe K.

"Crirus" <Cr****@hotmail.com> wrote in message
news:%2***************@TK2MSFTNGP12.phx.gbl...
Well, I'm sure if I grand certain permission to my code it works
My hope is that client dont need any to set any permission to allow my
application to connect back to it's origin server... I'm sure I dont intend
to harm my own server system so why should a client set special

permissions?

the worse thing is that cant find a good article concerning security and what can I do in various permissions groups :(

Any thoughts?

Cristian

"Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> wrote in message news:em*************@TK2MSFTNGP11.phx.gbl...
> I'm not an expect at all in Java applet security, but I do know that the > .NET CAS model is very different.
>
> Essentially, code is sorted into membership of different code groups

based
> on evidence it presents to the system. Evidence can be things like the URL
> it came from, it's strong name, etc. Based on the code groups it is put > into, it will be granted certain permissions.
>
> Thus in your example, your code is presenting some evidence that gets it
> included in a certain code group that is not granted the permission
it needs
> to run. In order to fix this, you probably need to either:
> - Get your code to fall into a code group that has the permissions you need
> - Modify the local security policy on the machine to ensure that some > evidence you can present will get you into a code group with the correct > permissions
>
> As I was poking around in the default security policy, it looked to me that
> the Trusted_Zone code group gets special permission to connect back to its
> site of origin. Do you know if IE is finding your site to be in Trusted > Sites? If so, based on what I can see you should be getting the
permission
> you need.
>
> If that won't work, then you might need to modify the local security
policy.
> You could use a URL membership condition or perhaps a strong name.
>
> Joe K.
>
> "Crirus" <Cr****@datagroup.ro> wrote in message
> news:%2****************@TK2MSFTNGP12.phx.gbl...
> > This is the scenario:
> > Clinet open the browser, access my server, receive a client app,
embedded
> in
> > IE that start running. Now, the client app need webPermission to

connect
> > back to the same server and request some data...
> >
> > My question is if this is allowed, I see no reason why I cant request data
> > from my own server with my own client application... Any java
applet
can
> do
> > that
> >
> > Java only restrict the acces to server on the same port 80 from where
it
> was
> > first downloaded
> >
> > I'm kinda lost in the woods with this permissions...
> > So, do the client need to set some permisions? The permission I

need is
> > WebPermission but i'm not sure how it works...
> >
> >
> >
> >
> > --
> > Cheers,
> > Crirus
> >
> > ------------------------------
> > If work were a good thing, the boss would take it all from you
> >
> > ------------------------------
> >
> > "Joe Kaplan (MVP - ADSI)"
<jo*************@removethis.accenture.com> wrote
> > in message news:uL****************@TK2MSFTNGP11.phx.gbl...
> > > Assuming that the code will not execute given the permissions it

is > > getting
> > > in the zone it is running in, I'm pretty sure you aren't going to get
> this
> > > to work without changing some kind of security permissions on
the > client.
> > >
> > > The reason is that if that code isn't granted the permission to do what
> it
> > > needs to do, there is no way for the code to get around that. .NET > > security
> > > policy is administered on the local machine. The idea is that the > > > administrator gets to decide which resources get which permissions. > Then,
> > > code is allowed to execute automatically with the permissions it is > given.
> > > This is very different from the downloadable ActiveX control model which
> > > asks the user for permission to install and run and then can do
anything
> > the
> > > user has permissions to do on their machine.
> > >
> > > Are you sure you can't make adjustments to the client machine

security
> > > policy? Are you sure the permission you need isn't already granted
to
> the
> > > zone that the code executes in?
> > >
> > > Joe K.
> > >
> > > "Crirus" <Cr****@datagroup.ro> wrote in message
> > > news:eC****************@TK2MSFTNGP09.phx.gbl...
> > > > I have a application, embedded in IE (html assambly).
> > > > That aplication need to connect back to the server in order to

get > some
> > > > data.
> > > > What are conditions to succeed without requesting any special
> > permissions
> > > > from client? As an applet do it....
> > > > Should I connect back to the server only using port 80?
> > > > Right now the client app is serverd by Apache and connection back
is
> > tryed
> > > > to another aplication on port 9500
> > > >
> > > > Changing security permission by the client is not an option
> > > >
> > > > --
> > > > Cheers,
> > > > Crirus
> > > >
> > > > ------------------------------
> > > > If work were a good thing, the boss would take it all from you > > > >
> > > > ------------------------------
> > > >
> > > > "Joe Kaplan (MVP - ADSI)"

<jo*************@removethis.accenture.com>
> > wrote
> > > > in message news:OU**************@TK2MSFTNGP09.phx.gbl...
> > > > > The best way to do this is to give just the assemblies that

need > Full
> > > > Trust
> > > > > that permission.
> > > > >
> > > > > The reason it doesn't work in your situation is that when IE
creates
> > the
> > > > > AppDomain that it runs your code in, that AppDomain is created based
> > on
> > > > the
> > > > > URL which will have some sort of partial trust (unless that URL
or
> the
> > > > whole
> > > > > zone has been given Full Trust).
> > > > >
> > > > > Two things happen after that:
> > > > > - If your assembly is not marked with the
> > > > > AllowPartiallyTrustedCallersAttribute, the partially trusted
> AppDomain
> > > > that
> > > > > it is running in will not be able to call it.
> > > > > - Any code that requires a permission will hit your assembly, where
> > it
> > > > will
> > > > > be granted due to your Full Trust, but will likely fail when

the > stack
> > > > gets
> > > > > up to the partially trusted AppDomain since the AppDomain may not
> have
> > > > that
> > > > > permission.
> > > > >
> > > > > You have basically two options to solve this:
> > > > > - Make the AppDomain have Full Trust with something like a URL > > > membership
> > > > > condition. This is the easiest thing to do, but is not very
secure,
> > > > > especially if the URL is not very specific.
> > > > > - Add the AllowPartiallyTrustedCallersAttribute and use Assert
on
> the
> > > > > Permissions that you need when you need them to prevent the

stack
> walk
> > > > into
> > > > > the containing AppDomain. This is more work, but is vastly more > > secure
> > > > and
> > > > > is the recommended approach.
> > > > >
> > > > > There have been some good articles on implementing the

second > > approach.
> > > I
> > > > > believe Ivan Medvedev has some good info on his website. You might
> > > start
> > > > > there:
> > > > > http://www.dotnetthis.com/Articles/WritingForSEE.htm
> > > > >
> > > > > Joe K.
> > > > >
> > > > > "Marina" <so*****@nospam.com> wrote in message
> > > > > news:Os**************@TK2MSFTNGP09.phx.gbl...
> > > > > > Hi,
> > > > > >
> > > > > > I am trying to find the minimum security settings to allow a > windows
> > > > > control
> > > > > > embedded in IE have full trust.
> > > > > >
> > > > > > If I give the entire Intranet zone full trust, this works.
> However,
> > > this
> > > > > is
> > > > > > very broad and gives the entire zone high privleges.
> > > > > >
> > > > > > I tried giving just the assembly full trust (using the

full URL
> for
> > > the
> > > > > > DLL), but this doesn't seem to work.
> > > > > >
> > > > > > Any direction in how to accomplish this?
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>



Nov 18 '05 #14

P: n/a
Does the Uri in the WebPermission that is being demanded match the hostname
of the Uri that the code was downloaded from?

For example, if your Uri for your request is:

http://cristianserver/resource

did the code also get downloaded from http://cristianserver/resource ?

Essentially, we have been saying that if those host names match, the Demand
for the permission should work. If they are different, then you can expect
a failure.

I think you can even check this programmatically by getting the Url evidence
object from the Evidence on the current AppDoamin.

Joe K.

"Crirus" <Cr****@hotmail.com> wrote in message
news:eq**************@TK2MSFTNGP09.phx.gbl...
This is a message error I raise on a try catch that contain error
description and stack trace

I really dont understand why I need another permission as they said that any internet code have "same site" connection permission, and caspol shows this
Cristian
"Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> wrote
in message news:Om**************@TK2MSFTNGP10.phx.gbl...
Just out of curiosity, what does the code look like in the HttpWebRequest
that you are doing? Are you sure the Uri matches the hostname of the Uri you browse from?

My guess is that the WebPermission that is being demanded makes a comparison
along those lines and a mismatch in the hostname could cause a problem.

It
could be a mismatch between hostname and IP address or something.

You could try creating a WebPermission with the Uri you are going to use

and
demanding that in a Try/Catch block so you can see the error and provide
more detailed feedback.

Joe K.

"Crirus" <Cr****@hotmail.com> wrote in message
news:uK**************@TK2MSFTNGP11.phx.gbl...
This is the result of caspol (on both machines the same)

Level = Enterprise
Code Groups:
1. All code: FullTrust

Level = Machine
Code Groups:
1. All code: Nothing
1.3. Zone - Internet: Internet
1.3.1. All code: Same site Web.

Level = User
Code Groups:
1. All code: FullTrust
Anyway, on my PC, everything works fine, but on another intranet Pc it

raise
WebPermission

Any ideea why?

Crirus

"Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> wrote in message news:#7**************@TK2MSFTNGP11.phx.gbl...
> Do you know what code group your code is getting assigned? Also, do you > know specifically what permission is being demanded that is failing your > case?
>
> Joe K.
>
> "Crirus" <Cr****@hotmail.com> wrote in message
> news:%2***************@TK2MSFTNGP12.phx.gbl...
> > Well, I'm sure if I grand certain permission to my code it works
> > My hope is that client dont need any to set any permission to allow my
> > application to connect back to it's origin server... I'm sure I
dont > intend
> > to harm my own server system so why should a client set special
> permissions?
> >
> > the worse thing is that cant find a good article concerning
security and
> > what can I do in various permissions groups :(
> >
> > Any thoughts?
> >
> > Cristian
> >
> >
> >
> > "Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> wrote
> > in message news:em*************@TK2MSFTNGP11.phx.gbl...
> > > I'm not an expect at all in Java applet security, but I do know that the
> > > .NET CAS model is very different.
> > >
> > > Essentially, code is sorted into membership of different code groups > based
> > > on evidence it presents to the system. Evidence can be things like the
> > URL
> > > it came from, it's strong name, etc. Based on the code groups it is
put
> > > into, it will be granted certain permissions.
> > >
> > > Thus in your example, your code is presenting some evidence that gets
it
> > > included in a certain code group that is not granted the permission
it
> > needs
> > > to run. In order to fix this, you probably need to either:
> > > - Get your code to fall into a code group that has the

permissions you
> > need
> > > - Modify the local security policy on the machine to ensure
that some
> > > evidence you can present will get you into a code group with the
correct
> > > permissions
> > >
> > > As I was poking around in the default security policy, it looked to
me
> > that
> > > the Trusted_Zone code group gets special permission to connect

back
to
> its
> > > site of origin. Do you know if IE is finding your site to be in
Trusted
> > > Sites? If so, based on what I can see you should be getting the
> > permission
> > > you need.
> > >
> > > If that won't work, then you might need to modify the local

security > > policy.
> > > You could use a URL membership condition or perhaps a strong
name. > > >
> > > Joe K.
> > >
> > > "Crirus" <Cr****@datagroup.ro> wrote in message
> > > news:%2****************@TK2MSFTNGP12.phx.gbl...
> > > > This is the scenario:
> > > > Clinet open the browser, access my server, receive a client app, > > embedded
> > > in
> > > > IE that start running. Now, the client app need webPermission to > connect
> > > > back to the same server and request some data...
> > > >
> > > > My question is if this is allowed, I see no reason why I cant
request
> > data
> > > > from my own server with my own client application... Any java

applet
> can
> > > do
> > > > that
> > > >
> > > > Java only restrict the acces to server on the same port 80 from where
> it
> > > was
> > > > first downloaded
> > > >
> > > > I'm kinda lost in the woods with this permissions...
> > > > So, do the client need to set some permisions? The permission I need
> is
> > > > WebPermission but i'm not sure how it works...
> > > >
> > > >
> > > >
> > > >
> > > > --
> > > > Cheers,
> > > > Crirus
> > > >
> > > > ------------------------------
> > > > If work were a good thing, the boss would take it all from
you > > > >
> > > > ------------------------------
> > > >
> > > > "Joe Kaplan (MVP - ADSI)"

<jo*************@removethis.accenture.com>
> > wrote
> > > > in message news:uL****************@TK2MSFTNGP11.phx.gbl...
> > > > > Assuming that the code will not execute given the permissions it is
> > > > getting
> > > > > in the zone it is running in, I'm pretty sure you aren't
going to
> get
> > > this
> > > > > to work without changing some kind of security permissions
on the
> > > client.
> > > > >
> > > > > The reason is that if that code isn't granted the permission to
do
> > what
> > > it
> > > > > needs to do, there is no way for the code to get around
that. .NET
> > > > security
> > > > > policy is administered on the local machine. The idea is that the
> > > > > administrator gets to decide which resources get which
permissions.
> > > Then,
> > > > > code is allowed to execute automatically with the
permissions it is
> > > given.
> > > > > This is very different from the downloadable ActiveX control model
> > which
> > > > > asks the user for permission to install and run and then can do > > anything
> > > > the
> > > > > user has permissions to do on their machine.
> > > > >
> > > > > Are you sure you can't make adjustments to the client
machine > security
> > > > > policy? Are you sure the permission you need isn't already
granted
> to
> > > the
> > > > > zone that the code executes in?
> > > > >
> > > > > Joe K.
> > > > >
> > > > > "Crirus" <Cr****@datagroup.ro> wrote in message
> > > > > news:eC****************@TK2MSFTNGP09.phx.gbl...
> > > > > > I have a application, embedded in IE (html assambly).
> > > > > > That aplication need to connect back to the server in order to get
> > > some
> > > > > > data.
> > > > > > What are conditions to succeed without requesting any special > > > > permissions
> > > > > > from client? As an applet do it....
> > > > > > Should I connect back to the server only using port 80?
> > > > > > Right now the client app is serverd by Apache and
connection back
> is
> > > > tryed
> > > > > > to another aplication on port 9500
> > > > > >
> > > > > > Changing security permission by the client is not an option > > > > > >
> > > > > > --
> > > > > > Cheers,
> > > > > > Crirus
> > > > > >
> > > > > > ------------------------------
> > > > > > If work were a good thing, the boss would take it all
from you
> > > > > >
> > > > > > ------------------------------
> > > > > >
> > > > > > "Joe Kaplan (MVP - ADSI)"
> <jo*************@removethis.accenture.com>
> > > > wrote
> > > > > > in message news:OU**************@TK2MSFTNGP09.phx.gbl...
> > > > > > > The best way to do this is to give just the assemblies that need
> > > Full
> > > > > > Trust
> > > > > > > that permission.
> > > > > > >
> > > > > > > The reason it doesn't work in your situation is that
when IE > > creates
> > > > the
> > > > > > > AppDomain that it runs your code in, that AppDomain is created
> > based
> > > > on
> > > > > > the
> > > > > > > URL which will have some sort of partial trust (unless that URL
> or
> > > the
> > > > > > whole
> > > > > > > zone has been given Full Trust).
> > > > > > >
> > > > > > > Two things happen after that:
> > > > > > > - If your assembly is not marked with the
> > > > > > > AllowPartiallyTrustedCallersAttribute, the partially trusted > > > AppDomain
> > > > > > that
> > > > > > > it is running in will not be able to call it.
> > > > > > > - Any code that requires a permission will hit your

assembly,
> > where
> > > > it
> > > > > > will
> > > > > > > be granted due to your Full Trust, but will likely fail when the
> > > stack
> > > > > > gets
> > > > > > > up to the partially trusted AppDomain since the
AppDomain may
> not
> > > have
> > > > > > that
> > > > > > > permission.
> > > > > > >
> > > > > > > You have basically two options to solve this:
> > > > > > > - Make the AppDomain have Full Trust with something

like a URL
> > > > > membership
> > > > > > > condition. This is the easiest thing to do, but is not very > > secure,
> > > > > > > especially if the URL is not very specific.
> > > > > > > - Add the AllowPartiallyTrustedCallersAttribute and use
Assert
> on
> > > the
> > > > > > > Permissions that you need when you need them to prevent the > stack
> > > walk
> > > > > > into
> > > > > > > the containing AppDomain. This is more work, but is vastly more
> > > > secure
> > > > > > and
> > > > > > > is the recommended approach.
> > > > > > >
> > > > > > > There have been some good articles on implementing the

second
> > > > approach.
> > > > > I
> > > > > > > believe Ivan Medvedev has some good info on his website.

You
> > might
> > > > > start
> > > > > > > there:
> > > > > > > http://www.dotnetthis.com/Articles/WritingForSEE.htm
> > > > > > >
> > > > > > > Joe K.
> > > > > > >
> > > > > > > "Marina" <so*****@nospam.com> wrote in message
> > > > > > > news:Os**************@TK2MSFTNGP09.phx.gbl...
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > I am trying to find the minimum security settings to allow
a
> > > windows
> > > > > > > control
> > > > > > > > embedded in IE have full trust.
> > > > > > > >
> > > > > > > > If I give the entire Intranet zone full trust, this

works. > > > However,
> > > > > this
> > > > > > > is
> > > > > > > > very broad and gives the entire zone high privleges.
> > > > > > > >
> > > > > > > > I tried giving just the assembly full trust (using the

full
> URL
> > > for
> > > > > the
> > > > > > > > DLL), but this doesn't seem to work.
> > > > > > > >
> > > > > > > > Any direction in how to accomplish this?
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>



Nov 18 '05 #15

P: n/a
Hello
Does the Uri in the WebPermission that is being demanded match the hostname of the Uri that the code was downloaded from?
I'm completly sure that the URI is the same...

I connect IE to http://home and I hardcoded in my code

myWebClient.UploadData("http://home", "POST",data)
I think you can even check this programmatically by getting the Url evidenceobject from the Evidence on the current AppDoamin. I need a hint on how to do that


--
Cheers,
Crirus

------------------------------
If work were a good thing, the boss would take it all from you

------------------------------

"Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> wrote
in message news:%2***************@tk2msftngp13.phx.gbl... Does the Uri in the WebPermission that is being demanded match the hostname of the Uri that the code was downloaded from?

For example, if your Uri for your request is:

http://cristianserver/resource

did the code also get downloaded from http://cristianserver/resource ?

Essentially, we have been saying that if those host names match, the Demand for the permission should work. If they are different, then you can expect a failure.

I think you can even check this programmatically by getting the Url evidence object from the Evidence on the current AppDoamin.

Joe K.

"Crirus" <Cr****@hotmail.com> wrote in message
news:eq**************@TK2MSFTNGP09.phx.gbl...
This is a message error I raise on a try catch that contain error
description and stack trace

I really dont understand why I need another permission as they said that any
internet code have "same site" connection permission, and caspol shows

this

Cristian
"Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> wrote
in message news:Om**************@TK2MSFTNGP10.phx.gbl...
Just out of curiosity, what does the code look like in the HttpWebRequest that you are doing? Are you sure the Uri matches the hostname of the Uri you browse from?

My guess is that the WebPermission that is being demanded makes a

comparison
along those lines and a mismatch in the hostname could cause a problem. It
could be a mismatch between hostname and IP address or something.

You could try creating a WebPermission with the Uri you are going to
use
and
demanding that in a Try/Catch block so you can see the error and
provide more detailed feedback.

Joe K.

"Crirus" <Cr****@hotmail.com> wrote in message
news:uK**************@TK2MSFTNGP11.phx.gbl...
> This is the result of caspol (on both machines the same)
>
> Level = Enterprise
> Code Groups:
> 1. All code: FullTrust
>
> Level = Machine
> Code Groups:
> 1. All code: Nothing
> 1.3. Zone - Internet: Internet
> 1.3.1. All code: Same site Web.
>
> Level = User
> Code Groups:
> 1. All code: FullTrust
>
>
> Anyway, on my PC, everything works fine, but on another intranet Pc it raise
> WebPermission
>
> Any ideea why?
>
> Crirus
>
> "Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com>

wrote
> in message news:#7**************@TK2MSFTNGP11.phx.gbl...
> > Do you know what code group your code is getting assigned? Also, do you
> > know specifically what permission is being demanded that is
failing your
> > case?
> >
> > Joe K.
> >
> > "Crirus" <Cr****@hotmail.com> wrote in message
> > news:%2***************@TK2MSFTNGP12.phx.gbl...
> > > Well, I'm sure if I grand certain permission to my code it works
> > > My hope is that client dont need any to set any permission to allow
my
> > > application to connect back to it's origin server... I'm sure I

dont > > intend
> > > to harm my own server system so why should a client set special
> > permissions?
> > >
> > > the worse thing is that cant find a good article concerning

security
> and
> > > what can I do in various permissions groups :(
> > >
> > > Any thoughts?
> > >
> > > Cristian
> > >
> > >
> > >
> > > "Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> > wrote
> > > in message news:em*************@TK2MSFTNGP11.phx.gbl...
> > > > I'm not an expect at all in Java applet security, but I do
know that
> the
> > > > .NET CAS model is very different.
> > > >
> > > > Essentially, code is sorted into membership of different code

groups
> > based
> > > > on evidence it presents to the system. Evidence can be things

like
> the
> > > URL
> > > > it came from, it's strong name, etc. Based on the code groups it
is
> put
> > > > into, it will be granted certain permissions.
> > > >
> > > > Thus in your example, your code is presenting some evidence

that gets
> it
> > > > included in a certain code group that is not granted the

permission
it
> > > needs
> > > > to run. In order to fix this, you probably need to either:
> > > > - Get your code to fall into a code group that has the

permissions
> you
> > > need
> > > > - Modify the local security policy on the machine to ensure

that some
> > > > evidence you can present will get you into a code group with the > correct
> > > > permissions
> > > >
> > > > As I was poking around in the default security policy, it looked to
me
> > > that
> > > > the Trusted_Zone code group gets special permission to connect

back
to
> > its
> > > > site of origin. Do you know if IE is finding your site to be
in > Trusted
> > > > Sites? If so, based on what I can see you should be getting the > > > permission
> > > > you need.
> > > >
> > > > If that won't work, then you might need to modify the local

security
> > > policy.
> > > > You could use a URL membership condition or perhaps a strong name. > > > >
> > > > Joe K.
> > > >
> > > > "Crirus" <Cr****@datagroup.ro> wrote in message
> > > > news:%2****************@TK2MSFTNGP12.phx.gbl...
> > > > > This is the scenario:
> > > > > Clinet open the browser, access my server, receive a client app, > > > embedded
> > > > in
> > > > > IE that start running. Now, the client app need webPermission to
> > connect
> > > > > back to the same server and request some data...
> > > > >
> > > > > My question is if this is allowed, I see no reason why I
cant > request
> > > data
> > > > > from my own server with my own client application... Any java applet
> > can
> > > > do
> > > > > that
> > > > >
> > > > > Java only restrict the acces to server on the same port 80
from > where
> > it
> > > > was
> > > > > first downloaded
> > > > >
> > > > > I'm kinda lost in the woods with this permissions...
> > > > > So, do the client need to set some permisions? The permission I
need
> > is
> > > > > WebPermission but i'm not sure how it works...
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > --
> > > > > Cheers,
> > > > > Crirus
> > > > >
> > > > > ------------------------------
> > > > > If work were a good thing, the boss would take it all from you > > > > >
> > > > > ------------------------------
> > > > >
> > > > > "Joe Kaplan (MVP - ADSI)"
<jo*************@removethis.accenture.com>
> > > wrote
> > > > > in message news:uL****************@TK2MSFTNGP11.phx.gbl...
> > > > > > Assuming that the code will not execute given the permissions
it
> is
> > > > > getting
> > > > > > in the zone it is running in, I'm pretty sure you aren't

going to
> > get
> > > > this
> > > > > > to work without changing some kind of security permissions on the
> > > > client.
> > > > > >
> > > > > > The reason is that if that code isn't granted the
permission to
do
> > > what
> > > > it
> > > > > > needs to do, there is no way for the code to get around that. > .NET
> > > > > security
> > > > > > policy is administered on the local machine. The idea is that the
> > > > > > administrator gets to decide which resources get which
> permissions.
> > > > Then,
> > > > > > code is allowed to execute automatically with the permissions
it
> is
> > > > given.
> > > > > > This is very different from the downloadable ActiveX

control model
> > > which
> > > > > > asks the user for permission to install and run and then can do
> > > anything
> > > > > the
> > > > > > user has permissions to do on their machine.
> > > > > >
> > > > > > Are you sure you can't make adjustments to the client machine > > security
> > > > > > policy? Are you sure the permission you need isn't
already > granted
> > to
> > > > the
> > > > > > zone that the code executes in?
> > > > > >
> > > > > > Joe K.
> > > > > >
> > > > > > "Crirus" <Cr****@datagroup.ro> wrote in message
> > > > > > news:eC****************@TK2MSFTNGP09.phx.gbl...
> > > > > > > I have a application, embedded in IE (html assambly).
> > > > > > > That aplication need to connect back to the server in

order
to
> get
> > > > some
> > > > > > > data.
> > > > > > > What are conditions to succeed without requesting any

special
> > > > > permissions
> > > > > > > from client? As an applet do it....
> > > > > > > Should I connect back to the server only using port 80?
> > > > > > > Right now the client app is serverd by Apache and

connection > back
> > is
> > > > > tryed
> > > > > > > to another aplication on port 9500
> > > > > > >
> > > > > > > Changing security permission by the client is not an option > > > > > > >
> > > > > > > --
> > > > > > > Cheers,
> > > > > > > Crirus
> > > > > > >
> > > > > > > ------------------------------
> > > > > > > If work were a good thing, the boss would take it all from you
> > > > > > >
> > > > > > > ------------------------------
> > > > > > >
> > > > > > > "Joe Kaplan (MVP - ADSI)"
> > <jo*************@removethis.accenture.com>
> > > > > wrote
> > > > > > > in message news:OU**************@TK2MSFTNGP09.phx.gbl...
> > > > > > > > The best way to do this is to give just the assemblies

that
> need
> > > > Full
> > > > > > > Trust
> > > > > > > > that permission.
> > > > > > > >
> > > > > > > > The reason it doesn't work in your situation is that when
IE
> > > creates
> > > > > the
> > > > > > > > AppDomain that it runs your code in, that AppDomain is
created
> > > based
> > > > > on
> > > > > > > the
> > > > > > > > URL which will have some sort of partial trust (unless

that
> URL
> > or
> > > > the
> > > > > > > whole
> > > > > > > > zone has been given Full Trust).
> > > > > > > >
> > > > > > > > Two things happen after that:
> > > > > > > > - If your assembly is not marked with the
> > > > > > > > AllowPartiallyTrustedCallersAttribute, the partially

trusted
> > > > AppDomain
> > > > > > > that
> > > > > > > > it is running in will not be able to call it.
> > > > > > > > - Any code that requires a permission will hit your
assembly,
> > > where
> > > > > it
> > > > > > > will
> > > > > > > > be granted due to your Full Trust, but will likely fail when
> the
> > > > stack
> > > > > > > gets
> > > > > > > > up to the partially trusted AppDomain since the AppDomain may
> > not
> > > > have
> > > > > > > that
> > > > > > > > permission.
> > > > > > > >
> > > > > > > > You have basically two options to solve this:
> > > > > > > > - Make the AppDomain have Full Trust with something

like
a
> URL
> > > > > > membership
> > > > > > > > condition. This is the easiest thing to do, but is

not very
> > > secure,
> > > > > > > > especially if the URL is not very specific.
> > > > > > > > - Add the AllowPartiallyTrustedCallersAttribute and
use > Assert
> > on
> > > > the
> > > > > > > > Permissions that you need when you need them to prevent the
> > stack
> > > > walk
> > > > > > > into
> > > > > > > > the containing AppDomain. This is more work, but is

vastly
> more
> > > > > secure
> > > > > > > and
> > > > > > > > is the recommended approach.
> > > > > > > >
> > > > > > > > There have been some good articles on implementing the
second
> > > > > approach.
> > > > > > I
> > > > > > > > believe Ivan Medvedev has some good info on his

website. You
> > > might
> > > > > > start
> > > > > > > > there:
> > > > > > > > http://www.dotnetthis.com/Articles/WritingForSEE.htm
> > > > > > > >
> > > > > > > > Joe K.
> > > > > > > >
> > > > > > > > "Marina" <so*****@nospam.com> wrote in message
> > > > > > > > news:Os**************@TK2MSFTNGP09.phx.gbl...
> > > > > > > > > Hi,
> > > > > > > > >
> > > > > > > > > I am trying to find the minimum security settings to

allow
a
> > > > windows
> > > > > > > > control
> > > > > > > > > embedded in IE have full trust.
> > > > > > > > >
> > > > > > > > > If I give the entire Intranet zone full trust, this

works.
> > > > However,
> > > > > > this
> > > > > > > > is
> > > > > > > > > very broad and gives the entire zone high privleges.
> > > > > > > > >
> > > > > > > > > I tried giving just the assembly full trust (using the full
> > URL
> > > > for
> > > > > > the
> > > > > > > > > DLL), but this doesn't seem to work.
> > > > > > > > >
> > > > > > > > > Any direction in how to accomplish this?
> > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>



Nov 18 '05 #16

P: n/a
Ok, just as an experiment, can you grab the Url from the Evidence in your
AppDomain, create a new WebPermission object with that and Demand it in your
code? I wonder if that will fail the same way your code fails or if that
would work.

If that fails, then it seems like you aren't getting the permission to
connect back to the site of origin, so there must be some kind of security
policy thing going on with the other client that would be preventing that.

Joe K.

"Crirus" <Cr****@datagroup.ro> wrote in message
news:e$**************@TK2MSFTNGP11.phx.gbl...
Hello
Does the Uri in the WebPermission that is being demanded match the hostname
of the Uri that the code was downloaded from?


I'm completly sure that the URI is the same...

I connect IE to http://home and I hardcoded in my code

myWebClient.UploadData("http://home", "POST",data)
I think you can even check this programmatically by getting the Url

evidence
object from the Evidence on the current AppDoamin.

I need a hint on how to do that


--
Cheers,
Crirus

------------------------------
If work were a good thing, the boss would take it all from you

------------------------------

"Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> wrote
in message news:%2***************@tk2msftngp13.phx.gbl...
Does the Uri in the WebPermission that is being demanded match the

hostname
of the Uri that the code was downloaded from?

For example, if your Uri for your request is:

http://cristianserver/resource

did the code also get downloaded from http://cristianserver/resource ?

Essentially, we have been saying that if those host names match, the

Demand
for the permission should work. If they are different, then you can

expect
a failure.

I think you can even check this programmatically by getting the Url

evidence
object from the Evidence on the current AppDoamin.

Joe K.

"Crirus" <Cr****@hotmail.com> wrote in message
news:eq**************@TK2MSFTNGP09.phx.gbl...
This is a message error I raise on a try catch that contain error
description and stack trace

I really dont understand why I need another permission as they said that
any
internet code have "same site" connection permission, and caspol shows

this

Cristian
"Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> wrote in message news:Om**************@TK2MSFTNGP10.phx.gbl...
> Just out of curiosity, what does the code look like in the

HttpWebRequest
> that you are doing? Are you sure the Uri matches the hostname of
the
Uri
> you browse from?
>
> My guess is that the WebPermission that is being demanded makes a
comparison
> along those lines and a mismatch in the hostname could cause a problem. It
> could be a mismatch between hostname and IP address or something.
>
> You could try creating a WebPermission with the Uri you are going to use and
> demanding that in a Try/Catch block so you can see the error and provide > more detailed feedback.
>
> Joe K.
>
> "Crirus" <Cr****@hotmail.com> wrote in message
> news:uK**************@TK2MSFTNGP11.phx.gbl...
> > This is the result of caspol (on both machines the same)
> >
> > Level = Enterprise
> > Code Groups:
> > 1. All code: FullTrust
> >
> > Level = Machine
> > Code Groups:
> > 1. All code: Nothing
> > 1.3. Zone - Internet: Internet
> > 1.3.1. All code: Same site Web.
> >
> > Level = User
> > Code Groups:
> > 1. All code: FullTrust
> >
> >
> > Anyway, on my PC, everything works fine, but on another intranet
Pc it > raise
> > WebPermission
> >
> > Any ideea why?
> >
> > Crirus
> >
> > "Joe Kaplan (MVP - ADSI)"
<jo*************@removethis.accenture.com> wrote
> > in message news:#7**************@TK2MSFTNGP11.phx.gbl...
> > > Do you know what code group your code is getting assigned? Also,
do you
> > > know specifically what permission is being demanded that is failing your
> > > case?
> > >
> > > Joe K.
> > >
> > > "Crirus" <Cr****@hotmail.com> wrote in message
> > > news:%2***************@TK2MSFTNGP12.phx.gbl...
> > > > Well, I'm sure if I grand certain permission to my code it
works > > > > My hope is that client dont need any to set any permission to allow
my
> > > > application to connect back to it's origin server... I'm sure I dont
> > > intend
> > > > to harm my own server system so why should a client set
special > > > permissions?
> > > >
> > > > the worse thing is that cant find a good article concerning
security
> > and
> > > > what can I do in various permissions groups :(
> > > >
> > > > Any thoughts?
> > > >
> > > > Cristian
> > > >
> > > >
> > > >
> > > > "Joe Kaplan (MVP - ADSI)"

<jo*************@removethis.accenture.com>
> > wrote
> > > > in message news:em*************@TK2MSFTNGP11.phx.gbl...
> > > > > I'm not an expect at all in Java applet security, but I do

know that
> > the
> > > > > .NET CAS model is very different.
> > > > >
> > > > > Essentially, code is sorted into membership of different code groups
> > > based
> > > > > on evidence it presents to the system. Evidence can be things like
> > the
> > > > URL
> > > > > it came from, it's strong name, etc. Based on the code groups it
is
> > put
> > > > > into, it will be granted certain permissions.
> > > > >
> > > > > Thus in your example, your code is presenting some evidence that > gets
> > it
> > > > > included in a certain code group that is not granted the
permission
> it
> > > > needs
> > > > > to run. In order to fix this, you probably need to either:
> > > > > - Get your code to fall into a code group that has the
permissions
> > you
> > > > need
> > > > > - Modify the local security policy on the machine to ensure

that
> some
> > > > > evidence you can present will get you into a code group with the > > correct
> > > > > permissions
> > > > >
> > > > > As I was poking around in the default security policy, it looked to
> me
> > > > that
> > > > > the Trusted_Zone code group gets special permission to
connect back
> to
> > > its
> > > > > site of origin. Do you know if IE is finding your site to be in > > Trusted
> > > > > Sites? If so, based on what I can see you should be getting the > > > > permission
> > > > > you need.
> > > > >
> > > > > If that won't work, then you might need to modify the local
security
> > > > policy.
> > > > > You could use a URL membership condition or perhaps a strong

name.
> > > > >
> > > > > Joe K.
> > > > >
> > > > > "Crirus" <Cr****@datagroup.ro> wrote in message
> > > > > news:%2****************@TK2MSFTNGP12.phx.gbl...
> > > > > > This is the scenario:
> > > > > > Clinet open the browser, access my server, receive a
client
app,
> > > > embedded
> > > > > in
> > > > > > IE that start running. Now, the client app need webPermission
to
> > > connect
> > > > > > back to the same server and request some data...
> > > > > >
> > > > > > My question is if this is allowed, I see no reason why I

cant > > request
> > > > data
> > > > > > from my own server with my own client application... Any java > applet
> > > can
> > > > > do
> > > > > > that
> > > > > >
> > > > > > Java only restrict the acces to server on the same port 80

from
> > where
> > > it
> > > > > was
> > > > > > first downloaded
> > > > > >
> > > > > > I'm kinda lost in the woods with this permissions...
> > > > > > So, do the client need to set some permisions? The permission
I
> need
> > > is
> > > > > > WebPermission but i'm not sure how it works...
> > > > > >
> > > > > >
> > > > > >
> > > > > >
> > > > > > --
> > > > > > Cheers,
> > > > > > Crirus
> > > > > >
> > > > > > ------------------------------
> > > > > > If work were a good thing, the boss would take it all

from you
> > > > > >
> > > > > > ------------------------------
> > > > > >
> > > > > > "Joe Kaplan (MVP - ADSI)"
> <jo*************@removethis.accenture.com>
> > > > wrote
> > > > > > in message news:uL****************@TK2MSFTNGP11.phx.gbl...
> > > > > > > Assuming that the code will not execute given the

permissions
it
> > is
> > > > > > getting
> > > > > > > in the zone it is running in, I'm pretty sure you aren't

going
> to
> > > get
> > > > > this
> > > > > > > to work without changing some kind of security
permissions on
> the
> > > > > client.
> > > > > > >
> > > > > > > The reason is that if that code isn't granted the permission to
> do
> > > > what
> > > > > it
> > > > > > > needs to do, there is no way for the code to get around

that.
> > .NET
> > > > > > security
> > > > > > > policy is administered on the local machine. The idea
is that
> the
> > > > > > > administrator gets to decide which resources get which
> > permissions.
> > > > > Then,
> > > > > > > code is allowed to execute automatically with the

permissions
it
> > is
> > > > > given.
> > > > > > > This is very different from the downloadable ActiveX

control > model
> > > > which
> > > > > > > asks the user for permission to install and run and then can do
> > > > anything
> > > > > > the
> > > > > > > user has permissions to do on their machine.
> > > > > > >
> > > > > > > Are you sure you can't make adjustments to the client

machine
> > > security
> > > > > > > policy? Are you sure the permission you need isn't already > > granted
> > > to
> > > > > the
> > > > > > > zone that the code executes in?
> > > > > > >
> > > > > > > Joe K.
> > > > > > >
> > > > > > > "Crirus" <Cr****@datagroup.ro> wrote in message
> > > > > > > news:eC****************@TK2MSFTNGP09.phx.gbl...
> > > > > > > > I have a application, embedded in IE (html assambly).
> > > > > > > > That aplication need to connect back to the server in

order
to
> > get
> > > > > some
> > > > > > > > data.
> > > > > > > > What are conditions to succeed without requesting any
special
> > > > > > permissions
> > > > > > > > from client? As an applet do it....
> > > > > > > > Should I connect back to the server only using port
80? > > > > > > > > Right now the client app is serverd by Apache and

connection
> > back
> > > is
> > > > > > tryed
> > > > > > > > to another aplication on port 9500
> > > > > > > >
> > > > > > > > Changing security permission by the client is not an

option
> > > > > > > >
> > > > > > > > --
> > > > > > > > Cheers,
> > > > > > > > Crirus
> > > > > > > >
> > > > > > > > ------------------------------
> > > > > > > > If work were a good thing, the boss would take it all

from
> you
> > > > > > > >
> > > > > > > > ------------------------------
> > > > > > > >
> > > > > > > > "Joe Kaplan (MVP - ADSI)"
> > > <jo*************@removethis.accenture.com>
> > > > > > wrote
> > > > > > > > in message news:OU**************@TK2MSFTNGP09.phx.gbl... > > > > > > > > > The best way to do this is to give just the assemblies that
> > need
> > > > > Full
> > > > > > > > Trust
> > > > > > > > > that permission.
> > > > > > > > >
> > > > > > > > > The reason it doesn't work in your situation is that

when
IE
> > > > creates
> > > > > > the
> > > > > > > > > AppDomain that it runs your code in, that AppDomain is > created
> > > > based
> > > > > > on
> > > > > > > > the
> > > > > > > > > URL which will have some sort of partial trust (unless that
> > URL
> > > or
> > > > > the
> > > > > > > > whole
> > > > > > > > > zone has been given Full Trust).
> > > > > > > > >
> > > > > > > > > Two things happen after that:
> > > > > > > > > - If your assembly is not marked with the
> > > > > > > > > AllowPartiallyTrustedCallersAttribute, the partially
trusted
> > > > > AppDomain
> > > > > > > > that
> > > > > > > > > it is running in will not be able to call it.
> > > > > > > > > - Any code that requires a permission will hit your
> assembly,
> > > > where
> > > > > > it
> > > > > > > > will
> > > > > > > > > be granted due to your Full Trust, but will likely

fail when
> > the
> > > > > stack
> > > > > > > > gets
> > > > > > > > > up to the partially trusted AppDomain since the

AppDomain
> may
> > > not
> > > > > have
> > > > > > > > that
> > > > > > > > > permission.
> > > > > > > > >
> > > > > > > > > You have basically two options to solve this:
> > > > > > > > > - Make the AppDomain have Full Trust with something

like
a
> > URL
> > > > > > > membership
> > > > > > > > > condition. This is the easiest thing to do, but is not very
> > > > secure,
> > > > > > > > > especially if the URL is not very specific.
> > > > > > > > > - Add the AllowPartiallyTrustedCallersAttribute and use > > Assert
> > > on
> > > > > the
> > > > > > > > > Permissions that you need when you need them to prevent the
> > > stack
> > > > > walk
> > > > > > > > into
> > > > > > > > > the containing AppDomain. This is more work, but is
vastly
> > more
> > > > > > secure
> > > > > > > > and
> > > > > > > > > is the recommended approach.
> > > > > > > > >
> > > > > > > > > There have been some good articles on implementing the > second
> > > > > > approach.
> > > > > > > I
> > > > > > > > > believe Ivan Medvedev has some good info on his website. > You
> > > > might
> > > > > > > start
> > > > > > > > > there:
> > > > > > > > > http://www.dotnetthis.com/Articles/WritingForSEE.htm
> > > > > > > > >
> > > > > > > > > Joe K.
> > > > > > > > >
> > > > > > > > > "Marina" <so*****@nospam.com> wrote in message
> > > > > > > > > news:Os**************@TK2MSFTNGP09.phx.gbl...
> > > > > > > > > > Hi,
> > > > > > > > > >
> > > > > > > > > > I am trying to find the minimum security settings to allow
> a
> > > > > windows
> > > > > > > > > control
> > > > > > > > > > embedded in IE have full trust.
> > > > > > > > > >
> > > > > > > > > > If I give the entire Intranet zone full trust, this works.
> > > > > However,
> > > > > > > this
> > > > > > > > > is
> > > > > > > > > > very broad and gives the entire zone high privleges. > > > > > > > > > >
> > > > > > > > > > I tried giving just the assembly full trust (using the > full
> > > URL
> > > > > for
> > > > > > > the
> > > > > > > > > > DLL), but this doesn't seem to work.
> > > > > > > > > >
> > > > > > > > > > Any direction in how to accomplish this?
> > > > > > > > > >
> > > > > > > > > >
> > > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > > >
> > > > > > >
> > > > > > >
> > > > > >
> > > > > >
> > > > >
> > > > >
> > > >
> > > >
> > >
> > >
> >
> >
>
>



Nov 18 '05 #17

This discussion thread is closed

Replies have been disabled for this discussion.