Home | Contact Us | FAQ | Search & Site Map | Link to Us
Sign In | Join | Other 45 Sites in Network
HomeAnnouncementsFree MagazinesWhite PapersSubmit Content
Discussion GroupsASP.NETWindows FormsLanguages.NET FrameworkVisual Studio.NET
Articles.NET FrameworkASP.NETToolsWindows Forms
.NET DirectoryOpen Source ProjectsUser GroupsWeb Resources
Related Topics
Visual Basic 6SQL ServerMS AccessOther DB ProductsMS Server ProductsMore Topics ...
.NET Forum / .NET Framework / Security / January 2006

Tip: Looking for answers? Try searching our database.

System.Security.SecurityException: Request failed.

Thread view: 
Enable EMail Alerts  Start New Thread
Thread rating: 
danieljlord@hotmail.com - 12 Jan 2006 12:24 GMT
Hi,

I'm getting the following error when running a VB.NET 2.0 user control
within Internet Explorer (i.e. embedded as an object in an HTML page):

"Microsoft .NET Framework
Application attempted to perform an operation not allowed by the
security policy. To grant this application the required permission,
contact your security administrator, or use the Microsoft .NET
Framework Configuration tool.
System.Security.SecurityException: Request failed."

The application needs to be able to read (and ideally to write) files
on the client machine; but I was hoping to achieve this by having users
add the site to the Trusted zone.

Unfortunately it makes no difference on my PC whether the site is in
the Trusted zone. I've also tried modifying the .net permissions (as
suggested in the error message) but bizarely the .NET framework config
tool itself fails with the same error.

I'd be very grateful for any guidance on this problem.

Many thanks
- Daniel
Reply to this Message
Nicole Calinoiu - 13 Jan 2006 14:01 GMT
> Hi,
>
[quoted text clipped - 14 lines]
> Unfortunately it makes no difference on my PC whether the site is in
> the Trusted zone.

That's to be expected.  Under default CAS policy, the trusted zone has the
same permissions as the internet zone.

> I've also tried modifying the .net permissions (as
> suggested in the error message) but bizarely the .NET framework config
> tool itself fails with the same error.

In that case, you've likely modified your own CAS policy in such a way as to
remove the default full trust grant for locally run assemblies.  If you have
been mucking about with your own CAS policy, you might want to reset it,
which you might be able to do via caspol.exe even if the mscorcfg.msc won't
launch.  If not, you might need to manually edit your enterprise, machine,
and/or user policy files (see
http://msdn2.microsoft.com/en-us/library/ms229703.aspx for file locations).

If you haven't made any modifications to your own CAS policy, it might be
that a custom CAS policy has been deployed to your machine by your network
admins.  In this case, you should probably talk to them before you start
making any changes (including a reset).

> I'd be very grateful for any guidance on this problem.
>
> Many thanks
> - Daniel
Reply to this Message
danieljlord@hotmail.com - 16 Jan 2006 12:55 GMT
Nicole, thank you for your reply. The CAS settings on the PC haven't
been changed; but now you've pointed out the likely cause I should be
able to solve it with some more research.

Thanks again
- Daniel
Reply to this Message
danieljlord@hotmail.com - 16 Jan 2006 16:44 GMT
I've done quite a lot more research now, but still can't get past this
error..

Do you know whether there's a simple step-by-step guide for people who
are new to CAS, and which shows specifically how to setup a VB.NET 2.0
user control to be loaded by IE in a web page and granted read/write
rights on the user's file system?

Thanks again
- Daniel
Reply to this Message
Nicole Calinoiu - 17 Jan 2006 13:42 GMT
Unfortunately, I don't know of any such sample.  At which point are you
stuck: altering local policy to add the extra permissions or deploying the
policy to the intended client machines?  If the former, have you gotten to
the point where you can use any of the security configuration tools on your
machine?  If the latter, is this meant for deployment over the internet or
only on your intranet?

> I've done quite a lot more research now, but still can't get past this
> error..
[quoted text clipped - 6 lines]
> Thanks again
> - Daniel
Reply to this Message
danieljlord@hotmail.com - 18 Jan 2006 12:17 GMT
Thanks Nicole

When the control is working, we'd like to distribute it to our clients
over the internet. Ideally, they would just configure the website as a
'Trusted site' in IE, and then confirm they'd like to run an ActiveX
control when it starts to run.

But I can't get it working even on my development PC, which I guess
would be a local policy problem. The user control works correctly in IE
until it requests a privileged operation e.g. file access. From what
I've researched there seems to be 4 ways that might resolve it (but I'm
completely lost as to which ones I should do!):

1. In VS project properties: Signing: Configure 'Sign the ClickOnce
manifests', 'Timestamp server URL' or 'Sign the assembly'. I've played
around with this, but I'm not really sure what settings to use, and the
certificate is still untrusted.

2. In VS project properties: Security: I've tried various options, but
assume "Enable ClickOnce Security Settings" with "This is a full trust
application" is correct

3. Using Caspol or similar to trust the assembly. I've expriemtented
with this without success. However, it's not really the angle I'd
prefer to take, as we wouldn't want our clients to manually configure
their computers in this way just to run our program.

4. Modifying the application code: I've tried to request / assert
permissions at the start of procedures that access the file system.
Presumably this doesn't work because the permission should be requested
by a more trusted assembly etc.

Best regards
- Daniel
Reply to this Message
Nicole Calinoiu - 19 Jan 2006 13:38 GMT
> Thanks Nicole
>
> When the control is working, we'd like to distribute it to our clients
> over the internet. Ideally, they would just configure the website as a
> 'Trusted site' in IE, and then confirm they'd like to run an ActiveX
> control when it starts to run.

You really need to give up on the trusted site approach.  This will not work
without modifying the CAS policy on the client and, as long as you're going
to do that, you  might as well make a safer, more constrained modification.

> But I can't get it working even on my development PC, which I guess
> would be a local policy problem.

Have you made any CAS policy modifications at all yet?  If so, what are
they?

> The user control works correctly in IE
> until it requests a privileged operation e.g. file access. From what
[quoted text clipped - 5 lines]
> around with this, but I'm not really sure what settings to use, and the
> certificate is still untrusted.

The ClickOnce settings are irrelevant to an IE-hosted control.  You should
basically just ignore the ClickOnce tab of this project's properties window.

> 2. In VS project properties: Security: I've tried various options, but
> assume "Enable ClickOnce Security Settings" with "This is a full trust
> application" is correct

Nope.  An IE-hosted control has no access to this ClickOnce functionality.

> 3. Using Caspol or similar to trust the assembly. I've expriemtented
> with this without success. However, it's not really the angle I'd
> prefer to take, as we wouldn't want our clients to manually configure
> their computers in this way just to run our program.

Unfortunately, their CAS policy will need to be modified if your control
requires permissions not granted by their existing policy.  You can given
them a script that would help automate this policy modification, but it will
likely need to be manually executed under an administrator account if you're
distributing to an internet audience.  If this isn't acceptable, you have
two main alternatives:

1.  Modify your control so that it doesn't require elevated CAS permissions.
Depending on what the control is meant to do, this may or may not be
possible.  If you could provide a bit more detail about what your code is
doing (as well as the full exception details, as returned by its ToString
method) when the SecurityException is thrown, I may be able to suggest a
workaround.

2.  Since you're targeting version 2.0 of the .NET Framework, you could
perhaps switch from a control to a ClickOnce application.  Obviously, this
will change the user's interaction with the application, so the resulting
user experience may or may not be acceptable.

> 4. Modifying the application code: I've tried to request / assert
> permissions at the start of procedures that access the file system.
> Presumably this doesn't work because the permission should be requested
> by a more trusted assembly etc.

Permission demands are what cause security exceptions (when the demand
fails), not a mechanism for avoiding them.  Assertion would be the
appropriate technique, but your code can only successfully assert a
permission it actually possesses (and only if it's also been granted
permission to make assertions in the first place), so it won't work here
either since your code won't be able to successfully assert the permission
it's missing.
Reply to this Message
danieljlord@hotmail.com - 23 Jan 2006 09:00 GMT
Nicole, thank you very much for all your help on this.
Reply to this Message

Free Magazines

Get these publications absolutely FREE for up to 12 months. There are no hidden fees and no obligation. Simply choose a title, complete the application form and submit it. Read more ...

Oracle MagazineNetwork ComputingComputer WorldBio-IT WorldeWeekInformation WeekInfosecurity
 
Sign In
Join
My Latest Posts
My Monitored Threads
My Blog
My Photo Gallery
My Profile
My Homepage
Start New Thread
Enable EMail Alerts
Rate this Thread



©2008 Advenet LLC   Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.