Hi,
I am trying to find the minimum security settings to allow a windows control
embedded in IE to have full trust.
If I give the entire Intranet zone full trust, this works. However, this is
very broad and gives the entire zone high privileges.
I tried giving just the assembly full trust (using the full URL for the
DLL), but this doesn't seem to work.
Any direction in how to accomplish this?
The best way to do this is to give just the assemblies that need Full Trust
that permission.
The reason it doesn't work in your situation is that when IE creates the
AppDomain that it runs your code in, that AppDomain is created based on the
URL which will have some sort of partial trust (unless that URL or the whole
zone has been given Full Trust).
Two things happen after that:
- If your assembly is not marked with the
AllowPartiallyTrustedCallersAttribute, the partially trusted AppDomain that
it is running in will not be able to call it.
- Any code that requires a permission will hit your assembly, where it will
be granted due to your Full Trust, but will likely fail when the stack gets
up to the partially trusted AppDomain since the AppDomain may not have that
permission.
You have basically two options to solve this:
- Make the AppDomain have Full Trust with something like a URL membership
condition. This is the easiest thing to do, but is not very secure,
especially if the URL is not very specific.
- Add the AllowPartiallyTrustedCallersAttribute and use Assert on the
Permissions that you need when you need them to prevent the stack walk into
the containing AppDomain. This is more work, but is vastly more secure and
is the recommended approach.
There have been some good articles on implementing the second approach. I
believe Ivan Medvedev has some good info on his website. You might start
there: http://www.dotnetthis.com/Articles/WritingForSEE.htm
Joe K.
"Marina" <so*****@nospam.com> wrote in message
news:Os**************@TK2MSFTNGP09.phx.gbl...
> Hi,
> I am trying to find the minimum security settings to allow a windows
> control embedded in IE to have full trust.
> If I give the entire Intranet zone full trust, this works. However, this
> is very broad and gives the entire zone high privileges.
> I tried giving just the assembly full trust (using the full URL for the
> DLL), but this doesn't seem to work.
> Any direction in how to accomplish this?
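The second option in the reply above (AllowPartiallyTrustedCallersAttribute plus a narrow Assert), sketched as an added example that is not code from the thread or from the linked article. It assumes the .NET Framework CAS policy model discussed here, an assembly that is strong-named and granted Full Trust by policy, and hypothetical names and paths (ExampleControls, SettingsReader, C:\ExampleControl\settings.xml).

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Lets partially trusted code (here, the AppDomain IE creates for the page)
// call into this assembly. The attribute only matters for strong-named
// assemblies, so sign the assembly with your own key pair.
[assembly: AllowPartiallyTrustedCallers]

namespace ExampleControls   // hypothetical namespace
{
    public sealed class SettingsReader   // hypothetical helper used by the control
    {
        // Fixed by the assembly, never taken from the caller. With APTCA any
        // partially trusted page can call this method, so a caller-supplied
        // path would extend the asserted permission to files of the caller's
        // choosing.
        private const string SettingsPath = @"C:\ExampleControl\settings.xml";

        public static string ReadSettings()
        {
            // Assert only the single permission this operation needs, on the
            // single resource it needs. Assert() requires the asserting
            // assembly to hold SecurityPermissionFlag.Assertion, which Full
            // Trust includes.
            FileIOPermission read =
                new FileIOPermission(FileIOPermissionAccess.Read, SettingsPath);
            read.Assert();
            try
            {
                // The FileIOPermission demand made by StreamReader walks the
                // stack, reaches this frame, sees the Assert and stops. It
                // never reaches the partially trusted AppDomain.
                using (StreamReader reader = new StreamReader(SettingsPath))
                {
                    return reader.ReadToEnd();
                }
            }
            finally
            {
                // Drop the assertion as soon as the privileged call is done
                // so nothing else in this frame runs under it.
                CodeAccessPermission.RevertAssert();
            }
        }
    }
}
```

Every public method in an APTCA assembly is reachable from partially trusted code, so each one that asserts should be reviewed as a trust boundary: validate its inputs and return only what the caller is meant to see.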
This assembly is not a strongly named one, so I don't think option 2 would
work.
How does one go about giving an AppDomain full trust by using a URL
membership condition?
Thanks
Actually, I believe I was able to do this through the .net security
configuration tool.
Ok, glad you got it to work.
Just so you remember that I said this is the less secure and thus less
preferred option.
Strong naming an assembly is generally quite simple and isn't a big deal.
The other advantage is that you can easily deploy other assemblies with the
same strong name key later and have them get Full Trust as well.
Joe K.
I have an application, embedded in IE (html assembly).
That application needs to connect back to the server in order to get some
data.
What are the conditions to succeed without requesting any special permissions
from the client? As an applet does it....
Should I connect back to the server only using port 80?
Right now the client app is served by Apache and the connection back is tried
to another application on port 9500.
Changing security permission by the client is not an option.
--
Cheers,
Crirus
------------------------------
If work were a good thing, the boss would take it all from you
------------------------------
Assuming that the code will not execute given the permissions it is getting
in the zone it is running in, I'm pretty sure you aren't going to get this
to work without changing some kind of security permissions on the client.
The reason is that if that code isn't granted the permission to do what it
needs to do, there is no way for the code to get around that. .NET security
policy is administered on the local machine. The idea is that the
administrator gets to decide which resources get which permissions. Then,
code is allowed to execute automatically with the permissions it is given.
This is very different from the downloadable ActiveX control model which
asks the user for permission to install and run and then can do anything the
user has permissions to do on their machine.
Are you sure you can't make adjustments to the client machine security
policy? Are you sure the permission you need isn't already granted to the
zone that the code executes in?
Joe K.
This is the scenario:
The client opens the browser, accesses my server, and receives a client app, embedded in
IE, that starts running. Now, the client app needs WebPermission to connect
back to the same server and request some data...
My question is if this is allowed. I see no reason why I can't request data
from my own server with my own client application... Any Java applet can do
that.
Java only restricts the access to the server on the same port 80 from where it was
first downloaded.
I'm kinda lost in the woods with these permissions...
So, does the client need to set some permissions? The permission I need is
WebPermission but I'm not sure how it works...
--
Cheers,
Crirus
------------------------------
If work were a good thing, the boss would take it all from you
------------------------------
I'm not an expert at all in Java applet security, but I do know that the
.NET CAS model is very different.
Essentially, code is sorted into membership of different code groups based
on evidence it presents to the system. Evidence can be things like the URL
it came from, its strong name, etc. Based on the code groups it is put
into, it will be granted certain permissions.
Thus in your example, your code is presenting some evidence that gets it
included in a certain code group that is not granted the permission it needs
to run. In order to fix this, you probably need to either:
- Get your code to fall into a code group that has the permissions you need
- Modify the local security policy on the machine to ensure that some
evidence you can present will get you into a code group with the correct
permissions
As I was poking around in the default security policy, it looked to me that
the Trusted_Zone code group gets special permission to connect back to its
site of origin. Do you know if IE is finding your site to be in Trusted
Sites? If so, based on what I can see you should be getting the permission
you need.
If that won't work, then you might need to modify the local security policy.
You could use a URL membership condition or perhaps a strong name.
Joe K.
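One way to answer the question of whether the needed permission is already granted, as an added example that is not code from the thread: demand WebPermission for each endpoint from inside the hosted control and report the result instead of failing at connect time. The class name and the sample URIs in the comment are hypothetical; substitute the real origin and the port 9500 endpoint.

```csharp
using System;
using System.Net;
using System.Security;
using System.Text;

namespace ExampleControls   // hypothetical namespace
{
    public sealed class ConnectBackProbe   // hypothetical diagnostic helper
    {
        // True when every caller on the stack, including the AppDomain IE
        // created for the page, has been granted Connect access to the URI.
        public static bool CanConnect(string uri)
        {
            try
            {
                // Demand() performs the same stack walk the networking
                // classes trigger, without opening a connection.
                new WebPermission(NetworkAccess.Connect, uri).Demand();
                return true;
            }
            catch (SecurityException)
            {
                // Policy on this machine did not grant the permission.
                return false;
            }
        }

        // Builds a one-line-per-endpoint report that the control can show in
        // a label or text box while diagnosing a deployment.
        public static string Report(string[] candidateUris)
        {
            StringBuilder report = new StringBuilder();
            foreach (string uri in candidateUris)
            {
                report.AppendFormat("{0}: {1}\r\n", uri,
                    CanConnect(uri) ? "granted" : "denied by policy");
            }
            return report.ToString();
        }
    }
}

// Constructed sample call (hypothetical host name):
//   ConnectBackProbe.Report(new string[] {
//       "http://server.example/data",
//       "http://server.example:9500/data" });
```

Run it from the page as IE actually hosts it: the same code started from the local disk typically runs with Full Trust, where every demand succeeds and the report says nothing about the zone's grant.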
Well, I'm sure if I grant certain permission to my code it works.
My hope is that the client doesn't need to set any permission to allow my
application to connect back to its origin server... I'm sure I don't intend
to harm my own server system so why should a client set special permissions?
The worst thing is that I can't find a good article concerning security and
what I can do in various permission groups :(
Any thoughts?
Cristian
"Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> wrote
in message news:em*************@TK2MSFTNGP11.phx.gbl... I'm not an expect at all in Java applet security, but I do know that the .NET CAS model is very different.
Essentially, code is sorted into membership of different code groups based on evidence it presents to the system. Evidence can be things like the
URL it came from, it's strong name, etc. Based on the code groups it is put into, it will be granted certain permissions.
Thus in your example, your code is presenting some evidence that gets it included in a certain code group that is not granted the permission it
needs to run. In order to fix this, you probably need to either: - Get your code to fall into a code group that has the permissions you
need - Modify the local security policy on the machine to ensure that some evidence you can present will get you into a code group with the correct permissions
As I was poking around in the default security policy, it looked to me
that the Trusted_Zone code group gets special permission to connect back to its site of origin. Do you know if IE is finding your site to be in Trusted Sites? If so, based on what I can see you should be getting the
permission you need.
If that won't work, then you might need to modify the local security
policy. You could use a URL membership condition or perhaps a strong name.
Joe K.
"Crirus" <Cr****@datagroup.ro> wrote in message news:%2****************@TK2MSFTNGP12.phx.gbl... This is the scenario: Clinet open the browser, access my server, receive a client app,
embedded in IE that start running. Now, the client app need webPermission to connect back to the same server and request some data...
My question is if this is allowed, I see no reason why I cant request
data from my own server with my own client application... Any java applet can do that
Java only restrict the acces to server on the same port 80 from where it was first downloaded
I'm kinda lost in the woods with this permissions... So, do the client need to set some permisions? The permission I need is WebPermission but i'm not sure how it works...
-- Cheers, Crirus
------------------------------ If work were a good thing, the boss would take it all from you
------------------------------
"Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com>
wrote in message news:uL****************@TK2MSFTNGP11.phx.gbl... Assuming that the code will not execute given the permissions it is getting in the zone it is running in, I'm pretty sure you aren't going to get this to work without changing some kind of security permissions on the client. The reason is that if that code isn't granted the permission to do
what it needs to do, there is no way for the code to get around that. .NET security policy is administered on the local machine. The idea is that the administrator gets to decide which resources get which permissions. Then, code is allowed to execute automatically with the permissions it is given. This is very different from the downloadable ActiveX control model
which asks the user for permission to install and run and then can do
anything the user has permissions to do on their machine.
Are you sure you can't make adjustments to the client machine security policy? Are you sure the permission you need isn't already granted to the zone that the code executes in?
Joe K.
"Crirus" <Cr****@datagroup.ro> wrote in message
news:eC****************@TK2MSFTNGP09.phx.gbl...
> I have an application, embedded in IE (html assembly).
> That application needs to connect back to the server in order to get some
> data.
> What are conditions to succeed without requesting any special permissions
> from client? As an applet does it....
> Should I connect back to the server only using port 80?
> Right now the client app is served by Apache and connection back is tried
> to another application on port 9500
>
> Changing security permission by the client is not an option
>
> --
> Cheers,
> Crirus
>
> ------------------------------
> If work were a good thing, the boss would take it all from you
>
> ------------------------------
Do you know what code group your code is getting assigned? Also, do you
know specifically what permission is being demanded that is failing your
case?
Joe K.
"Crirus" <Cr****@hotmail.com> wrote in message
news:%2***************@TK2MSFTNGP12.phx.gbl...
Well, I'm sure if I grant certain permission to my code it works.
My hope is that the client doesn't need to set any permission to allow my
application to connect back to its origin server... I'm sure I don't
intend to harm my own server system so why should a client set special
permissions?
The worst thing is that I can't find a good article concerning security and
what I can do in various permission groups :(
Any thoughts?
Cristian
"Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> wrote
in message news:em*************@TK2MSFTNGP11.phx.gbl...
I'm not an expert at all in Java applet security, but I do know that the
.NET CAS model is very different.
Essentially, code is sorted into membership of different code groups based
on evidence it presents to the system. Evidence can be things like the URL
it came from, its strong name, etc. Based on the code groups it is put
into, it will be granted certain permissions.
Thus in your example, your code is presenting some evidence that gets it
included in a certain code group that is not granted the permission it needs
to run. In order to fix this, you probably need to either:
- Get your code to fall into a code group that has the permissions you need
- Modify the local security policy on the machine to ensure that some
evidence you can present will get you into a code group with the correct
permissions
As I was poking around in the default security policy, it looked to me that
the Trusted_Zone code group gets special permission to connect back to its
site of origin. Do you know if IE is finding your site to be in Trusted
Sites? If so, based on what I can see you should be getting the permission
you need.
If that won't work, then you might need to modify the local security policy.
You could use a URL membership condition or perhaps a strong name.
Joe K.
"Crirus" <Cr****@datagroup.ro> wrote in message
news:%2****************@TK2MSFTNGP12.phx.gbl...
This is the scenario:
Client opens the browser, accesses my server, receives a client app, embedded
in IE, that starts running. Now, the client app needs WebPermission to connect
back to the same server and request some data...
My question is if this is allowed, I see no reason why I can't request data
from my own server with my own client application... Any Java applet can do
that
Java only restricts the access to server on the same port 80 from where it was
first downloaded
I'm kinda lost in the woods with these permissions...
So, does the client need to set some permissions? The permission I need is
WebPermission but I'm not sure how it works...
--
Cheers,
Crirus
------------------------------
If work were a good thing, the boss would take it all from you
------------------------------
I need WebPermission in order to send data from server to client.
It's a little fuzzy how all this security works, but as I understood, I can
restrict the code with some permissions.
In my case, I can force my code to connect back to my server only...
In the meantime, my code needs permission from client to do that connection?
I was hoping that an html embedded assembly can connect back to its origin
server without asking permission to do that..
--
Cheers,
Crirus
------------------------------
If work were a good thing, the boss would take it all from you
------------------------------
This is the result of caspol (on both machines the same)
Level = Enterprise
Code Groups:
1. All code: FullTrust
Level = Machine
Code Groups:
1. All code: Nothing
1.3. Zone - Internet: Internet
1.3.1. All code: Same site Web.
Level = User
Code Groups:
1. All code: FullTrust
Anyway, on my PC, everything works fine, but on another intranet PC it raises
WebPermission
Any idea why?
Crirus
Just out of curiosity, what does the code look like in the HttpWebRequest
that you are doing? Are you sure the Uri matches the hostname of the Uri
you browse from?
My guess is that the WebPermission that is being demanded makes a comparison
along those lines and a mismatch in the hostname could cause a problem. It
could be a mismatch between hostname and IP address or something.
You could try creating a WebPermission with the Uri you are going to use and
demanding that in a Try/Catch block so you can see the error and provide
more detailed feedback.
Joe K.
You might > > > start > > > > > there: > > > > > http://www.dotnetthis.com/Articles/WritingForSEE.htm > > > > > > > > > > Joe K. > > > > > > > > > > "Marina" <so*****@nospam.com> wrote in message > > > > > news:Os**************@TK2MSFTNGP09.phx.gbl... > > > > > > Hi, > > > > > > > > > > > > I am trying to find the minimum security settings to allow
a > windows > > > > > control > > > > > > embedded in IE have full trust. > > > > > > > > > > > > If I give the entire Intranet zone full trust, this works. > However, > > > this > > > > > is > > > > > > very broad and gives the entire zone high privleges. > > > > > > > > > > > > I tried giving just the assembly full trust (using the
full URL > for > > > the > > > > > > DLL), but this doesn't seem to work. > > > > > > > > > > > > Any direction in how to accomplish this? > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > >
Does the Uri in the WebPermission that is being demanded match the hostname
of the Uri that the code was downloaded from?
For example, if your Uri for your request is: http://cristianserver/resource
did the code also get downloaded from http://cristianserver/resource ?
Essentially, we have been saying that if those host names match, the Demand
for the permission should work. If they are different, then you can expect
a failure.
I think you can even check this programmatically by getting the Url evidence
object from the Evidence on the current AppDomain.
Joe K.
"Crirus" <Cr****@hotmail.com> wrote in message
news:eq**************@TK2MSFTNGP09.phx.gbl...
This is a message error I raise on a try catch that contain error description and stack trace
I really don't understand why I need another permission as they said that
any internet code have "same site" connection permission, and caspol shows
this
Cristian
"Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> wrote in message
news:Om**************@TK2MSFTNGP10.phx.gbl...
Just out of curiosity, what does the code look like in the
HttpWebRequest that you are doing? Are you sure the Uri matches the hostname of the
Uri you browse from?
My guess is that the WebPermission that is being demanded makes a comparison along those lines and a mismatch in the hostname could cause a problem. It could be a mismatch between hostname and IP address or something.
You could try creating a WebPermission with the Uri you are going to use and demanding that in a Try/Catch block so you can see the error and provide more detailed feedback.
Joe K.
"Crirus" <Cr****@hotmail.com> wrote in message
news:uK**************@TK2MSFTNGP11.phx.gbl...
This is the result of caspol (on both machines the same)
Level = Enterprise
Code Groups:
1. All code: FullTrust
Level = Machine
Code Groups:
1. All code: Nothing
  1.3. Zone - Internet: Internet
    1.3.1. All code: Same site Web.
Level = User
Code Groups:
1. All code: FullTrust
Anyway, on my PC, everything works fine, but on another intranet PC it raise WebPermission
Any idea why?
Crirus
"Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> wrote in message
news:#7**************@TK2MSFTNGP11.phx.gbl...
> Do you know what code group your code is getting assigned? Also, do you
> know specifically what permission is being demanded that is failing your
> case?
>
> Joe K.
>
> "Crirus" <Cr****@hotmail.com> wrote in message
> news:%2***************@TK2MSFTNGP12.phx.gbl...
> > Well, I'm sure if I grant certain permission to my code it works
> > My hope is that client don't need any to set any permission to allow my
> > application to connect back to its origin server... I'm sure I don't intend
> > to harm my own server system so why should a client set special permissions?
> >
> > the worse thing is that can't find a good article concerning security and
> > what can I do in various permissions groups :(
> >
> > Any thoughts?
> >
> > Cristian
> >
> > "Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> wrote
> > in message news:em*************@TK2MSFTNGP11.phx.gbl...
> > > I'm not an expert at all in Java applet security, but I do know that the
> > > .NET CAS model is very different.
> > >
> > > Essentially, code is sorted into membership of different code groups based
> > > on evidence it presents to the system. Evidence can be things like the URL
> > > it came from, its strong name, etc. Based on the code groups it is put
> > > into, it will be granted certain permissions.
> > >
> > > Thus in your example, your code is presenting some evidence that gets it
> > > included in a certain code group that is not granted the permission it needs
> > > to run. In order to fix this, you probably need to either:
> > > - Get your code to fall into a code group that has the permissions you need
> > > - Modify the local security policy on the machine to ensure that some
> > > evidence you can present will get you into a code group with the correct
> > > permissions
> > >
> > > As I was poking around in the default security policy, it looked to me that
> > > the Trusted_Zone code group gets special permission to connect back to its
> > > site of origin. Do you know if IE is finding your site to be in Trusted
> > > Sites? If so, based on what I can see you should be getting the permission
> > > you need.
> > >
> > > If that won't work, then you might need to modify the local security policy.
> > > You could use a URL membership condition or perhaps a strong name.
> > >
> > > Joe K.
> > >
> > > "Crirus" <Cr****@datagroup.ro> wrote in message
> > > news:%2****************@TK2MSFTNGP12.phx.gbl...
> > > > This is the scenario:
> > > > Client open the browser, access my server, receive a client app, embedded in
> > > > IE that start running. Now, the client app need webPermission to connect
> > > > back to the same server and request some data...
> > > >
> > > > My question is if this is allowed, I see no reason why I can't request data
> > > > from my own server with my own client application... Any java applet can do
> > > > that
> > > >
> > > > Java only restrict the access to server on the same port 80 from where it was
> > > > first downloaded
> > > >
> > > > I'm kinda lost in the woods with this permissions...
> > > > So, do the client need to set some permissions? The permission I need is
> > > > WebPermission but I'm not sure how it works...
> > > >
> > > > --
> > > > Cheers,
> > > > Crirus
> > > >
> > > > ------------------------------
> > > > If work were a good thing, the boss would take it all from you
> > > >
> > > > ------------------------------
> > > >
> > > > "Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> wrote
> > > > in message news:uL****************@TK2MSFTNGP11.phx.gbl...
> > > > > Assuming that the code will not execute given the permissions it is getting
> > > > > in the zone it is running in, I'm pretty sure you aren't going to get this
> > > > > to work without changing some kind of security permissions on the client.
> > > > >
> > > > > The reason is that if that code isn't granted the permission to do what it
> > > > > needs to do, there is no way for the code to get around that. .NET security
> > > > > policy is administered on the local machine. The idea is that the
> > > > > administrator gets to decide which resources get which permissions. Then,
> > > > > code is allowed to execute automatically with the permissions it is given.
> > > > > This is very different from the downloadable ActiveX control model which
> > > > > asks the user for permission to install and run and then can do anything the
> > > > > user has permissions to do on their machine.
> > > > >
> > > > > Are you sure you can't make adjustments to the client machine security
> > > > > policy? Are you sure the permission you need isn't already granted to the
> > > > > zone that the code executes in?
> > > > >
> > > > > Joe K.
> > > > >
> > > > > "Crirus" <Cr****@datagroup.ro> wrote in message
> > > > > news:eC****************@TK2MSFTNGP09.phx.gbl...
> > > > > > I have a application, embedded in IE (html assembly).
> > > > > > That application need to connect back to the server in order to get some
> > > > > > data.
> > > > > > What are conditions to succeed without requesting any special permissions
> > > > > > from client? As an applet do it....
> > > > > > Should I connect back to the server only using port 80?
> > > > > > Right now the client app is served by Apache and connection back is tried
> > > > > > to another application on port 9500
> > > > > >
> > > > > > Changing security permission by the client is not an option
> > > > > >
> > > > > > --
> > > > > > Cheers,
> > > > > > Crirus
> > > > > >
> > > > > > ------------------------------
> > > > > > If work were a good thing, the boss would take it all from you
> > > > > >
> > > > > > ------------------------------
> > > > > >
> > > > > > "Joe Kaplan (MVP - ADSI)" <jo*************@removethis.accenture.com> wrote
> > > > > > in message news:OU**************@TK2MSFTNGP09.phx.gbl...
> > > > > > > The best way to do this is to give just the assemblies that need Full Trust
> > > > > > > that permission.
> > > > > > >
> > > > > > > The reason it doesn't work in your situation is that when IE creates the
> > > > > > > AppDomain that it runs your code in, that AppDomain is created based on the
> > > > > > > URL which will have some sort of partial trust (unless that URL or the whole
> > > > > > > zone has been given Full Trust).
> > > > > > >
> > > > > > > Two things happen after that:
> > > > > > > - If your assembly is not marked with the
> > > > > > > AllowPartiallyTrustedCallersAttribute, the partially trusted AppDomain that
> > > > > > > it is running in will not be able to call it.
> > > > > > > - Any code that requires a permission will hit your assembly, where it will
> > > > > > > be granted due to your Full Trust, but will likely fail when the stack gets
> > > > > > > up to the partially trusted AppDomain since the AppDomain may not have that
> > > > > > > permission.
> > > > > > >
> > > > > > > You have basically two options to solve this:
> > > > > > > - Make the AppDomain have Full Trust with something like a URL membership
> > > > > > > condition. This is the easiest thing to do, but is not very secure,
> > > > > > > especially if the URL is not very specific.
> > > > > > > - Add the AllowPartiallyTrustedCallersAttribute and use Assert on the
> > > > > > > Permissions that you need when you need them to prevent the stack walk into
> > > > > > > the containing AppDomain. This is more work, but is vastly more secure and
> > > > > > > is the recommended approach.
> > > > > > >
> > > > > > > There have been some good articles on implementing the second approach. I
> > > > > > > believe Ivan Medvedev has some good info on his website. You might start
> > > > > > > there:
> > > > > > > http://www.dotnetthis.com/Articles/WritingForSEE.htm
> > > > > > >
> > > > > > > Joe K.
> > > > > > >
> > > > > > > "Marina" <so*****@nospam.com> wrote in message
> > > > > > > news:Os**************@TK2MSFTNGP09.phx.gbl...
> > > > > > > > Hi,
> > > > > > > >
> > > > > > > > I am trying to find the minimum security settings to allow a windows control
> > > > > > > > embedded in IE have full trust.
> > > > > > > >
> > > > > > > > If I give the entire Intranet zone full trust, this works. However, this is
> > > > > > > > very broad and gives the entire zone high privileges.
> > > > > > > >
> > > > > > > > I tried giving just the assembly full trust (using the full URL for the
> > > > > > > > DLL), but this doesn't seem to work.
> > > > > > > >
> > > > > > > > Any direction in how to accomplish this?
Hello
> Does the Uri in the WebPermission that is being demanded match the
> hostname of the Uri that the code was downloaded from?
I'm completely sure that the URI is the same...
I connect IE to http://home and I hardcoded in my code
myWebClient.UploadData("http://home", "POST",data)
> I think you can even check this programmatically by getting the Url
> evidence object from the Evidence on the current AppDomain.
I need a hint on how to do that
--
Cheers,
Crirus
------------------------------
If work were a good thing, the boss would take it all from you
------------------------------
Ok, just as an experiment, can you grab the Url from the Evidence in your
AppDomain, create a new WebPermission object with that and Demand it in your
code? I wonder if that will fail the same way your code fails or if that
would work.
If that fails, then it seems like you aren't getting the permission to
connect back to the site of origin, so there must be some kind of security
policy thing going on with the other client that would be preventing that.
Joe K.
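The experiment Joe describes, as an added C# sketch that is not part of the original thread: it lists the Url, Site and Zone evidence the host attached to the current AppDomain, then demands a WebPermission for both the origin URL and the URL the control posts to, recording each outcome. It assumes .NET Framework with CAS policy in effect; `OriginPermissionCheck` and its members are hypothetical names, and `http://home` is the address Crirus mentions.

```csharp
using System;
using System.Collections;
using System.Net;
using System.Security;
using System.Security.Policy;
using System.Text;

// Added example, not code from the thread. Assumes .NET Framework, where
// CAS policy is enforced. All type and member names here are hypothetical.
public sealed class OriginPermissionCheck
{
    private OriginPermissionCheck() { }

    private static void Line(StringBuilder log, string text)
    {
        log.Append(text).Append(Environment.NewLine);
    }

    // Returns the Url evidence value of the current AppDomain, or null when
    // there is none or when reading evidence is itself denied.
    public static string ReadOrigin(StringBuilder log)
    {
        string origin = null;
        try
        {
            IEnumerator host = AppDomain.CurrentDomain.Evidence.GetHostEnumerator();
            while (host.MoveNext())
            {
                Url url = host.Current as Url;
                Site site = host.Current as Site;
                Zone zone = host.Current as Zone;
                if (url != null) { origin = url.Value; Line(log, "Url evidence : " + url.Value); }
                if (site != null) Line(log, "Site evidence: " + site.Name);
                if (zone != null) Line(log, "Zone evidence: " + zone.SecurityZone);
            }
        }
        catch (SecurityException ex)
        {
            // Partially trusted code may lack the SecurityPermission flag
            // (ControlEvidence) needed to read evidence at all.
            Line(log, "Reading evidence was denied: " + ex.Message);
        }
        return origin;
    }

    // Demands Connect access to one URI and records the outcome instead of
    // letting the SecurityException escape.
    public static bool TryDemandConnect(string uri, StringBuilder log)
    {
        try
        {
            new WebPermission(NetworkAccess.Connect, uri).Demand();
            Line(log, "Demand OK    : " + uri);
            return true;
        }
        catch (SecurityException ex)
        {
            Line(log, "Demand FAILED: " + uri);
            Line(log, "  " + ex.Message);
            return false;
        }
    }

    // targetUri is the address the control connects back to.
    public static string Run(string targetUri)
    {
        StringBuilder log = new StringBuilder();
        string origin = ReadOrigin(log);
        if (origin != null)
        {
            TryDemandConnect(origin, log);
            try
            {
                Uri from = new Uri(origin);
                Uri to = new Uri(targetUri);
                bool sameHost = String.Compare(from.Host, to.Host, true) == 0;
                Line(log, "Origin host  : " + from.Host + " (" + from.Scheme + ", port " + from.Port + ")");
                Line(log, "Target host  : " + to.Host + " (" + to.Scheme + ", port " + to.Port + ")");
                Line(log, sameHost ? "Host names match." : "Host names DIFFER (name vs. IP address, alias, FQDN?).");
            }
            catch (UriFormatException ex)
            {
                Line(log, "Could not parse a URL for comparison: " + ex.Message);
            }
        }
        TryDemandConnect(targetUri, log);
        return log.ToString();
    }

    public static void Main()
    {
        Console.WriteLine(Run("http://home"));
    }
}
```

In the hosted control, call `Run` with the real connect-back URL and show the returned text in a label, so the report reflects the AppDomain IE created on the failing client rather than a locally started process.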
from you > > > > > > > > > > > > ------------------------------ > > > > > > > > > > > > "Joe Kaplan (MVP - ADSI)" > <jo*************@removethis.accenture.com> > > > > wrote > > > > > > in message news:uL****************@TK2MSFTNGP11.phx.gbl... > > > > > > > Assuming that the code will not execute given the permissions it > > is > > > > > > getting > > > > > > > in the zone it is running in, I'm pretty sure you aren't going > to > > > get > > > > > this > > > > > > > to work without changing some kind of security
permissions on > the > > > > > client. > > > > > > > > > > > > > > The reason is that if that code isn't granted the permission to > do > > > > what > > > > > it > > > > > > > needs to do, there is no way for the code to get around that. > > .NET > > > > > > security > > > > > > > policy is administered on the local machine. The idea
is that > the > > > > > > > administrator gets to decide which resources get which > > permissions. > > > > > Then, > > > > > > > code is allowed to execute automatically with the permissions it > > is > > > > > given. > > > > > > > This is very different from the downloadable ActiveX control > model > > > > which > > > > > > > asks the user for permission to install and run and then can do > > > > anything > > > > > > the > > > > > > > user has permissions to do on their machine. > > > > > > > > > > > > > > Are you sure you can't make adjustments to the client
machine > > > security > > > > > > > policy? Are you sure the permission you need isn't already > > granted > > > to > > > > > the > > > > > > > zone that the code executes in? > > > > > > > > > > > > > > Joe K. > > > > > > > > > > > > > > "Crirus" <Cr****@datagroup.ro> wrote in message > > > > > > > news:eC****************@TK2MSFTNGP09.phx.gbl... > > > > > > > > I have a application, embedded in IE (html assambly). > > > > > > > > That aplication need to connect back to the server in order to > > get > > > > > some > > > > > > > > data. > > > > > > > > What are conditions to succeed without requesting any special > > > > > > permissions > > > > > > > > from client? As an applet do it.... > > > > > > > > Should I connect back to the server only using port
80? > > > > > > > > Right now the client app is serverd by Apache and
connection > > back > > > is > > > > > > tryed > > > > > > > > to another aplication on port 9500 > > > > > > > > > > > > > > > > Changing security permission by the client is not an option > > > > > > > > > > > > > > > > -- > > > > > > > > Cheers, > > > > > > > > Crirus > > > > > > > > > > > > > > > > ------------------------------ > > > > > > > > If work were a good thing, the boss would take it all from > you > > > > > > > > > > > > > > > > ------------------------------ > > > > > > > > > > > > > > > > "Joe Kaplan (MVP - ADSI)" > > > <jo*************@removethis.accenture.com> > > > > > > wrote > > > > > > > > in message
news:OU**************@TK2MSFTNGP09.phx.gbl... > > > > > > > > > The best way to do this is to give just the
assemblies that > > need > > > > > Full > > > > > > > > Trust > > > > > > > > > that permission. > > > > > > > > > > > > > > > > > > The reason it doesn't work in your situation is that when IE > > > > creates > > > > > > the > > > > > > > > > AppDomain that it runs your code in, that AppDomain
is > created > > > > based > > > > > > on > > > > > > > > the > > > > > > > > > URL which will have some sort of partial trust
(unless that > > URL > > > or > > > > > the > > > > > > > > whole > > > > > > > > > zone has been given Full Trust). > > > > > > > > > > > > > > > > > > Two things happen after that: > > > > > > > > > - If your assembly is not marked with the > > > > > > > > > AllowPartiallyTrustedCallersAttribute, the partially trusted > > > > > AppDomain > > > > > > > > that > > > > > > > > > it is running in will not be able to call it. > > > > > > > > > - Any code that requires a permission will hit your > assembly, > > > > where > > > > > > it > > > > > > > > will > > > > > > > > > be granted due to your Full Trust, but will likely fail when > > the > > > > > stack > > > > > > > > gets > > > > > > > > > up to the partially trusted AppDomain since the AppDomain > may > > > not > > > > > have > > > > > > > > that > > > > > > > > > permission. > > > > > > > > > > > > > > > > > > You have basically two options to solve this: > > > > > > > > > - Make the AppDomain have Full Trust with something like a > > URL > > > > > > > membership > > > > > > > > > condition. This is the easiest thing to do, but is not very > > > > secure, > > > > > > > > > especially if the URL is not very specific. > > > > > > > > > - Add the AllowPartiallyTrustedCallersAttribute and use > > Assert > > > on > > > > > the > > > > > > > > > Permissions that you need when you need them to prevent the > > > stack > > > > > walk > > > > > > > > into > > > > > > > > > the containing AppDomain. This is more work, but is vastly > > more > > > > > > secure > > > > > > > > and > > > > > > > > > is the recommended approach. > > > > > > > > > > > > > > > > > > There have been some good articles on implementing
the > second > > > > > > approach. > > > > > > > I > > > > > > > > > believe Ivan Medvedev has some good info on his website. > You > > > > might > > > > > > > start > > > > > > > > > there: > > > > > > > > > http://www.dotnetthis.com/Articles/WritingForSEE.htm > > > > > > > > > > > > > > > > > > Joe K. > > > > > > > > > > > > > > > > > > "Marina" <so*****@nospam.com> wrote in message > > > > > > > > > news:Os**************@TK2MSFTNGP09.phx.gbl... > > > > > > > > > > Hi, > > > > > > > > > > > > > > > > > > > > I am trying to find the minimum security settings
to allow > a > > > > > windows > > > > > > > > > control > > > > > > > > > > embedded in IE have full trust. > > > > > > > > > > > > > > > > > > > > If I give the entire Intranet zone full trust,
this works. > > > > > However, > > > > > > > this > > > > > > > > > is > > > > > > > > > > very broad and gives the entire zone high
privleges. > > > > > > > > > > > > > > > > > > > > I tried giving just the assembly full trust (using the > full > > > URL > > > > > for > > > > > > > the > > > > > > > > > > DLL), but this doesn't seem to work. > > > > > > > > > > > > > > > > > > > > Any direction in how to accomplish this? > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > >
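The two suggestions made in this thread, demanding the WebPermission in a try/catch to see why it fails and marking the assembly with AllowPartiallyTrustedCallersAttribute while asserting only the permission needed, sketched in C# as an added example (not code posted by anyone in the thread). It assumes .NET Framework 2.0 or later with CAS policy in effect and a strong-named assembly granted FullTrust; `OriginClient`, `Diagnose`, `Fetch` and the `appserver.example` host are hypothetical, and port 9500 is the one mentioned in the thread.

```csharp
using System;
using System.Net;
using System.Security;

// Lets the partially trusted AppDomain call in; assumes policy grants this assembly FullTrust.
[assembly: AllowPartiallyTrustedCallers]

public static class OriginClient
{
    // Constructed placeholder host; port 9500 is the one mentioned in the thread.
    static readonly Uri Origin = new Uri("http://appserver.example:9500/");

    // Diagnostic: returns null when the whole stack, AppDomain included, holds the permission.
    public static string Diagnose(Uri target)
    {
        try
        {
            new WebPermission(NetworkAccess.Connect, target.AbsoluteUri).Demand();
            return null;
        }
        catch (SecurityException ex)
        {
            return "Demand failed for " + target + ": " + ex.PermissionType + " - " + ex.Message;
        }
    }

    // Callers are partially trusted: take only a path, and confirm the resolved
    // URI is still on the origin before asserting anything on their behalf.
    public static string Fetch(string relativePath)
    {
        Uri target;
        if (!Uri.TryCreate(Origin, relativePath, out target) ||
            Uri.Compare(target, Origin, UriComponents.SchemeAndServer,
                        UriFormat.Unescaped, StringComparison.OrdinalIgnoreCase) != 0)
            throw new ArgumentException("Path must stay on the origin server.", "relativePath");

        // Assert one permission, for one URI, and revert as soon as the call ends.
        new WebPermission(NetworkAccess.Connect, target.AbsoluteUri).Assert();
        try
        {
            using (WebClient client = new WebClient())
                return client.DownloadString(target);
        }
        finally
        {
            CodeAccessPermission.RevertAssert();
        }
    }
}
```

Calling `Diagnose` with the hostname form and the IP-address form of the same server shows whether the mismatch guessed at in the thread is what makes the demand fail.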