We are trying to create a system where our users will navigate to a web
page, and this web page will reference a Windows User Control which is
then downloaded and run on the users machine.
The User Control is referenced on the web page in the following way
<OBJECT id="RegistryReaderCtrl"
classid="http://localhost/CustomerRegistration/UserCtrlRegistry.dll#UserCtrlRegistry.RegistryRead er"
VIEWASTEXT></OBJECT>
Now this works IF we do the following on the clients machine;
1) Fully trust the assembly using the .NET Configuration Tool
2) Include our site in the Trusted Sites Group and give this group full
access.
(this is because the user control directly access the filesystem on the
clients machine, to read data from it).
However we don't want to have to do this on every client machine.
One approach we considered was the following;
1) Install (using an msi installer) an assembly in the GAC on the
client machine. This assembly would handle all the restricted actions
(such as file IO etc). This assembly has the attribute:
<Assembly: AllowPartiallyTrustedCallers()>
Set so that it can be called from locations which aren't fully trusted.
2) Our Usercontrol now, rather than trying to directly access the
Filesystem on the clients machine, creates an instance of the Type we
added to the GAC.
3) The new type is then used to read from the Filesystem (as it is
trusted because it is in the GAC).
However this second approach doesn't work. We can create an instance of
the type stored in the GAC, but attmpting to call the method within it
throws the same exception as before (request for permission
System.Security.Permissions.FileIOPermission denied).
I can't see why the second approach doesn't work though, any pointers
much appreciated. Code is in VB.net.
