Adjusting security setting to run an embedded windows control in IE

[Marina]

Hi,

I am trying to find the minimum security settings to allow a windows control
embedded in IE have full trust.

If I give the entire Intranet zone full trust, this works. However, this is
very broad and gives the entire zone high privleges.

I tried giving just the assembly full trust (using the full URL for the
DLL), but this doesn't seem to work.

Any direction in how to accomplish this?

 

[Joe Kaplan \(MVP - ADSI\)]

The best way to do this is to give just the assemblies that need Full Trust
that permission.

The reason it doesn't work in your situation is that when IE creates the
AppDomain that it runs your code in, that AppDomain is created based on the
URL which will have some sort of partial trust (unless that URL or the whole
zone has been given Full Trust).

Two things happen after that:
- If your assembly is not marked with the
AllowPartiallyTrustedCallersAttribute, the partially trusted AppDomain that
it is running in will not be able to call it.
- Any code that requires a permission will hit your assembly, where it will
be granted due to your Full Trust, but will likely fail when the stack gets
up to the partially trusted AppDomain since the AppDomain may not have that
permission.

You have basically two options to solve this:
- Make the AppDomain have Full Trust with something like a URL membership
condition. This is the easiest thing to do, but is not very secure,
especially if the URL is not very specific.
- Add the AllowPartiallyTrustedCallersAttribute and use Assert on the
Permissions that you need when you need them to prevent the stack walk into
the containing AppDomain. This is more work, but is vastly more secure and
is the recommended approach.

There have been some good articles on implementing the second approach. I
believe Ivan Medvedev has some good info on his website. You might start
there:
http://www.dotnetthis.com/Articles/WritingForSEE.htm

Joe K.

 

[Marina]

This assembly is not a strongly named one, so I don't think option 2 would
work.

How does one go about giving an AppDomain full trust by using a URL
membership condition?

Thanks

 

[Marina]

Actually, I believe I was able to do this through the .net security
configuration tool.

 

[Joe Kaplan \(MVP - ADSI\)]

Ok, glad you got it work.

Just so you remember that I said this is the less secure and thus less
preferred option.

Strong naming an assembly is generally quite simple and isn't a bit deal.
The other advantage is that you can easily deploy other assemblies with the
same storng name key later and have them get Full Trust as well.

Joe K.

 

[Crirus]

I have a application, embedded in IE (html assambly).
That aplication need to connect back to the server in order to get some
data.
What are conditions to succeed without requesting any special permissions
from client? As an applet do it....
Should I connect back to the server only using port 80?
Right now the client app is serverd by Apache and connection back is tryed
to another aplication on port 9500

Changing security permission by the client is not an option

 

[Joe Kaplan \(MVP - ADSI\)]

Assuming that the code will not execute given the permissions it is getting
in the zone it is running in, I'm pretty sure you aren't going to get this
to work without changing some kind of security permissions on the client.

The reason is that if that code isn't granted the permission to do what it
needs to do, there is no way for the code to get around that. .NET security
policy is administered on the local machine. The idea is that the
administrator gets to decide which resources get which permissions. Then,
code is allowed to execute automatically with the permissions it is given.
This is very different from the downloadable ActiveX control model which
asks the user for permission to install and run and then can do anything the
user has permissions to do on their machine.

Are you sure you can't make adjustments to the client machine security
policy? Are you sure the permission you need isn't already granted to the
zone that the code executes in?

Joe K.

 

[Crirus]

This is the scenario:
Clinet open the browser, access my server, receive a client app, embedded in
IE that start running. Now, the client app need webPermission to connect
back to the same server and request some data...

My question is if this is allowed, I see no reason why I cant request data
from my own server with my own client application... Any java applet can do
that

Java only restrict the acces to server on the same port 80 from where it was
first downloaded

I'm kinda lost in the woods with this permissions...
So, do the client need to set some permisions? The permission I need is
WebPermission but i'm not sure how it works...

 

[Joe Kaplan \(MVP - ADSI\)]

I'm not an expect at all in Java applet security, but I do know that the
..NET CAS model is very different.

Essentially, code is sorted into membership of different code groups based
on evidence it presents to the system. Evidence can be things like the URL
it came from, it's strong name, etc. Based on the code groups it is put
into, it will be granted certain permissions.

Thus in your example, your code is presenting some evidence that gets it
included in a certain code group that is not granted the permission it needs
to run. In order to fix this, you probably need to either:
- Get your code to fall into a code group that has the permissions you need
- Modify the local security policy on the machine to ensure that some
evidence you can present will get you into a code group with the correct
permissions

As I was poking around in the default security policy, it looked to me that
the Trusted_Zone code group gets special permission to connect back to its
site of origin. Do you know if IE is finding your site to be in Trusted
Sites? If so, based on what I can see you should be getting the permission
you need.

If that won't work, then you might need to modify the local security policy.
You could use a URL membership condition or perhaps a strong name.

Joe K.

 

[Crirus]

Well, I'm sure if I grand certain permission to my code it works
My hope is that client dont need any to set any permission to allow my
application to connect back to it's origin server... I'm sure I dont intend
to harm my own server system so why should a client set special permissions?

the worse thing is that cant find a good article concerning security and
what can I do in various permissions groups

Any thoughts?

Cristian

 

[Joe Kaplan \(MVP - ADSI\)]

Do you know what code group your code is getting assigned? Also, do you
know specifically what permission is being demanded that is failing your
case?

Joe K.

 

[Crirus]

I need WebPermission in order to send data from server to client.
It's a little fuzzy how all this security work, but as I understood, I can
restrict the code with some permissions.
In my case, I can force my code to connect back to my server only...
In the mean time, my code need permission from client to do that connection?

I was hoping that a html embedded assembly can connect back to it's origin
server without asking permission to do that..

 

[Crirus]

This is the result of caspol (on both machines the same)

Level = Enterprise
Code Groups:
1. All code: FullTrust

Level = Machine
Code Groups:
1. All code: Nothing
1.3. Zone - Internet: Internet
1.3.1. All code: Same site Web.

Level = User
Code Groups:
1. All code: FullTrust


Anyway, on my PC, everything works fine, but on another intranet Pc it raise
WebPermission

Any ideea why?

Crirus

 

[Joe Kaplan \(MVP - ADSI\)]

Just out of curiosity, what does the code look like in the HttpWebRequest
that you are doing? Are you sure the Uri matches the hostname of the Uri
you browse from?

My guess is that the WebPermission that is being demanded makes a comparison
along those lines and a mismatch in the hostname could cause a problem. It
could be a mismatch between hostname and IP address or something.

You could try creating a WebPermission with the Uri you are going to use and
demanding that in a Try/Catch block so you can see the error and provide
more detailed feedback.

Joe K.

 

[Joe Kaplan \(MVP - ADSI\)]

Does the Uri in the WebPermission that is being demanded match the hostname
of the Uri that the code was downloaded from?

For example, if your Uri for your request is:

http://cristianserver/resource

did the code also get downloaded from http://cristianserver/resource ?

Essentially, we have been saying that if those host names match, the Demand
for the permission should work. If they are different, then you can expect
a failure.

I think you can even check this programmatically by getting the Url evidence
object from the Evidence on the current AppDoamin.

Joe K.

 

[Crirus]

Hello

Does the Uri in the WebPermission that is being demanded match the hostname
of the Uri that the code was downloaded from?

I'm completly sure that the URI is the same...

I connect IE to http://home and I hardcoded in my code

myWebClient.UploadData("http://home", "POST",data)

I think you can even check this programmatically by getting the Url evidence
object from the Evidence on the current AppDoamin.

I need a hint on how to do that

 

[Joe Kaplan \(MVP - ADSI\)]

Ok, just as an experiment, can you grab the Url from the Evidence in your
AppDomain, create a new WebPermission object with that and Demand it in your
code? I wonder if that will fail the same way your code fails or if that
would work.

If that fails, then it seems like you aren't getting the permission to
connect back to the site of origin, so there must be some kind of security
policy thing going on with the other client that would be preventing that.

Joe K.