.NET Forum / .NET Framework / Security / November 2004

security exception for aspx page

GoCMS - 16 Nov 2004 18:49 GMT
hi, there:
 I was developing a new page for a web part project. My page keeps on
getting a security exception whereas other pages in the same project don't. I
set the security level to the WSS_MediumTrust level. I wasn't using any
database connection, but I was using a third party DLL (which is already
signed and put into the GAC).

 I added the third party assembly to the project web.config.
 I also added the following section to the WSS_MediumTrust.config file:
<CodeGroup class="UnionCodeGroup" version="1"
  PermissionSetName="FullTrust">
     <IMembershipCondition class="StrongNameMembershipCondition"
     version="1" PublicKeyBlob="public key for 3rd party assembly"/>
</CodeGroup>

 Any other ideas? Thanks  a LOT!
Nicole Calinoiu - 16 Nov 2004 19:05 GMT
What is the exception message or, even better, its full details (as returned
by its ToString method)?

> hi, there:
>  I was developing a new page for a web part project. My page keeps on
[quoted text clipped - 13 lines]
>
>  Any other ideas? Thanks  a LOT!
GoCMS - 16 Nov 2004 19:19 GMT
The message is not detailed enough though, as follows:

Security Exception Description: The application attempted to perform an
operation not allowed by the security policy. To grant
this application the required permission please contact
your system administrator or change the application's
trust level in the configuration file.

Exception Details: System.Security.SecurityException:Security Error

> What is the exception message or, even better, its full details (as returned
> by its ToString method)?
[quoted text clipped - 16 lines]
> >
> >  Any other ideas? Thanks  a LOT!
Joe Kaplan (MVP - ADSI) - 16 Nov 2004 20:29 GMT
Are you sure the third party DLL isn't allowing a full demand for a
permission to go up the stack?  Just because it is in the GAC and it has
Full Trust doesn't mean that some code it is using won't trigger a Demand
that results in a full stack walk which would then fail in your code which
is partially trusted.

Without knowing more details on the exception, it would be hard to know
exactly what the problem is, but I suspect it is something along those
lines.

Joe K.

> The message is not detailed enough though, as follows:
>
[quoted text clipped - 29 lines]
>> >
>> >  Any other ideas? Thanks  a LOT!
GoCMS - 16 Nov 2004 21:14 GMT
Since I'm rather new to ASP.NET or SharePoint web part security, I wonder
what the standard steps (& configuration entries) would be to make a third party
DLL accessible. The articles I'm reading on the internet only address cases
where users put their own developed ASP.NET assemblies into the GAC.
 Thanks a lot.

"Joe Kaplan (MVP - ADSI)" wrote:

> Are you sure the third party DLL isn't allowing a full demand for a
> permission to go up the stack?  Just because it is in the GAC and it has
[quoted text clipped - 41 lines]
> >> >
> >> >  Any other ideas? Thanks  a LOT!
Joe Kaplan (MVP - ADSI) - 16 Nov 2004 23:53 GMT
Well, the first thing to do is to try to figure out what the actual
permission that is being demanded is.  Then, you have a few options:

- Modify policy to allow that permission to be granted
- Modify the assembly in the GAC to Assert that permission before the
demand is called so that the stack walk is stopped (note, potential security
risk here)
- Create your own assembly that goes in the GAC that wraps their assembly
and does the above mentioned Assert.  Note the same security risk

You might want to find some articles on CAS so that you get a better feel
for what I'm talking about here as it can be somewhat confusing until you
get the hang of it.

If you can find out what the actual permission that was demanded was and
what the stack trace for the exception was, that would be very helpful for
us to know.

Joe K.

> Since I'm rather new on ASP.net or share point web part security, I wonder
> what will be the standard steps( & configuration entries) to make third
[quoted text clipped - 53 lines]
>> >> >
>> >> >  Any other ideas? Thanks  a LOT!
GoCMS - 18 Nov 2004 15:35 GMT
Thanks!  It turns out, I guess, it's not a problem of calling the 3rd party DLL
(or I haven't reached there). According to the stack trace, it fails where I
tried to write to a file. So I guess I don't have access to the file
outside of the virtual directory.
 So... how do I grant unrestricted access to a specific file or directory in
the Wss_MediumTrust.config file? In my case, I didn't put my code into an
assembly; all my files are just aspx pages under the
inetpub\wwwroot\My_Application directory.

 Many thanks!!

"Joe Kaplan (MVP - ADSI)" wrote:

> Well, the first thing to do is to try to figure out what the actual
> permission that is being demanded is.  Then, you have a few options:
[quoted text clipped - 73 lines]
> >> >> >
> >> >> >  Any other ideas? Thanks  a LOT!
Joe Kaplan (MVP - ADSI) - 18 Nov 2004 17:37 GMT
So, it is a FileIOPermission that isn't being granted?  In that case, you
need to make sure that the permission set you have grants that required
access.  You would need to look at what you are being granted in the policy
and modify that.  I'm not exactly sure where that is configured in
SharePoint though.  Sorry I'm not too helpful here.  Can you show any more
info about the FileIOPermission that isn't being granted?

The other option would be to perform the privileged operation from an
assembly that has higher permissions and Assert the required permissions to
avoid the stack trace.

Joe K.

> Thanks!  It turns out, I guess, it's not a problem of calling 3rd party
> dll (
[quoted text clipped - 102 lines]
>> >> >> >
>> >> >> >  Any other ideas? Thanks  a LOT!
GoCMS - 18 Nov 2004 19:07 GMT
Thanks again for your help. I guess it's me who lacks such security knowledge.
In my Wss_MediumTrust.config file (just regard it as any customized policy
file), I have:
<PermissionSet
    class="NamedPermissionSet"
    version="1"
    Name="ASP.Net">
    <IPermission
        class="FileIOPermission"
        version="1"
        Read="$AppDir$"
        Write="$AppDir$"
        Append="$AppDir$"
        PathDiscovery="$AppDir$"
    />
</PermissionSet>
What I really want, besides the above, is the read/write/delete
privilege for a particular file, say c:\inetpub\wwwroot\shared\My_File.txt.

Thanks!

"Joe Kaplan (MVP - ADSI)" wrote:

> So, it is a FileIOPermission that isn't being granted?  In that case, you
> need to make sure that the permission set you have grants that required
[quoted text clipped - 115 lines]
> >> >> >> >
> >> >> >> >  Any other ideas? Thanks  a LOT!
GoCMS - 18 Nov 2004 22:25 GMT
Forget about my previous post, I got past it.
Now I've come to the REAL problem: it actually complained when I used a
function from Microsoft.ContentManagement.Publishing.dll:
CmsApplicationContext.AuthenticateAsUser(
"admin_user_for_CMS_site","password",PublishingMode.Published);

I'm actually not sure what kind of permission it needs. It's not even part
of the standard .NET library.
Sorry for the confusion, I came a long way to get rid of all my invalid
suspicions...

> Thanks again for your help. I guess it's me who lacks such security knowledge.
> In my Wss_MediumTrust.config file, ( just regard it as any customized policy
[quoted text clipped - 139 lines]
> > >> >> >> >
> > >> >> >> >  Any other ideas? Thanks  a LOT!
Joe Kaplan (MVP - ADSI) - 19 Nov 2004 01:51 GMT
I'm not sure about how CMS works with CAS, but if a security exception is
being thrown, then there should be an indication of what the permission
requirement is.  Otherwise, try to get us more details.  You might also try
asking in one of the CMS groups.

Joe K.

> Forget about my previous post, I passed it.
> Now I came to the REAL problem, it's actually complained when I used a
[quoted text clipped - 182 lines]
>> > >> >> >> >
>> > >> >> >> >  Any other ideas? Thanks  a LOT!
GoCMS - 19 Nov 2004 14:59 GMT
Hi, Joe:
 Thanks a lot for your help. You were right, when you said  it should give
you the specific permission, I began to doubt it wasn't the problem of
authenticateAsUser("adminUser"...)!   I again narrowed it down, and came to
third-party control, called Obout tree view.
 Before you read along, I want to ask if the third-party provided assembly
doesn't set APTCA (AllowPartiallyTrustedCallersAttribute), is it true that we
can't get away with partially trusted web application? How to find out if
their assembly doesn't set APTCA?

 See the exception below; it throws the exception at Line 49, in the DisplayPage
function. I made it very short and simple, like:
private void DisplayPage()
{
    oTree = new obout_ASPTreeView_2_NET.Tree();
    oTree.FolderIcons = "/TreeIcons/Icons";
    oTree.FolderStyle = "/TreeIcons/Styles/Win2003";
    oTree.ShowIcons = true;
    oTree.SelectedEnable = false;
}
Exception Info.....
***********************************************************
Description: The application attempted to perform an operation not allowed
by the security policy. To grant this application the required permission
please contact your system administrator or change the application's trust
level in the configuration file.

Exception Details: System.Security.SecurityException: Security error.
Source Error:
Line 47:                 RebuildXMLFile();           
Line 48:            
Line 49:             DisplayPage();           
Line 50:            
Line 51:             RegisterButton.Attributes.Add("onClick", "ob_t2send();");
Source File: d:\inetpub\wwwroot\MyProject\MyFile.aspx.cs    Line: 49
Stack Trace:
[SecurityException: Security error.]
  MyNamespace.MyProject.MyFile.DisplayPage() +0
  MyNamespace.MyProject.MyFile.Page_Load(Object sender, EventArgs e) in
d:\inetpub\wwwroot\MyProject\MyFile.aspx.cs:49
  System.Web.UI.Control.OnLoad(EventArgs e) +67
  System.Web.UI.Control.LoadRecursive() +35
  System.Web.UI.Page.ProcessRequestMain() +2112
  System.Web.UI.Page.ProcessRequest() +218
  System.Web.UI.Page.ProcessRequest(HttpContext context) +18
 
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute() +179
  System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&
completedSynchronously) +87
**********************************************************

"Joe Kaplan (MVP - ADSI)" wrote:

> I'm not sure about how CMS works with CAS, but if a security exception is
> being thrown, then there should be an indication of what the permission
[quoted text clipped - 189 lines]
> >> > >> >> >> >
> >> > >> >> >> >  Any other ideas? Thanks  a LOT!
Joe Kaplan (MVP - ADSI) - 19 Nov 2004 16:55 GMT
The easiest way would be with Reflector or ILDasm.  In Reflector, you just
load up the assembly and click on it.  Then, hit space to reverse compile.
You should see all the attributes at the assembly level in the
decompilation.  If APTCA is set, it will be in there.

If it isn't set, you are going to have trouble using that control in
SharePoint.

Joe K.

> Hi, Joe:
>  Thanks a lot for your help. You were right, when you said  it should give
[quoted text clipped - 271 lines]
>> >> > >> >> >> >
>> >> > >> >> >> >  Any other ideas? Thanks  a LOT!
GoCMS - 19 Nov 2004 19:43 GMT
Thanks again! That's exactly what happens. The assembly provided doesn't have
APTCA. That is bad news. Even if I don't use it as a SharePoint Web Part,
I'm going to have trouble with any web application with trust level not set to
"Full". But on the other hand, I don't want to lower the security level just to
use a 3rd party DLL. What to do?

"Joe Kaplan (MVP - ADSI)" wrote:

> The easiest way would be with Reflector or ILDasm.  In reflector, you just
> load up the assembly and click on it.  Then, hit space to reverse compile.
[quoted text clipped - 281 lines]
> >> >> > >> >> >> >
> >> >> > >> >> >> >  Any other ideas? Thanks  a LOT!
Joe Kaplan (MVP - ADSI) - 19 Nov 2004 21:00 GMT
Contact the vendor?

Alternately, if it is strong named, you could put it in the GAC, then write
a wrapper assembly that does have APTCA on it that talks to the control.
Then, your code would talk to your wrapper which is also in the GAC, and
thus would have full trust.

Obviously, the first option is much less work :)

Or, give up on partial trust for web development.  That's what most of us
do.

Joe K.

> Thanks again! That's exactly what happens. The assembly provided doesn't
> have
[quoted text clipped - 325 lines]
>> >> >> > >> >> >> >
>> >> >> > >> >> >> >  Any other ideas? Thanks  a LOT!
GoCMS - 22 Nov 2004 14:19 GMT
Good suggestion. :) I wish I had the choice of 3rd way.
"Joe Kaplan (MVP - ADSI)" wrote:

> Contact the vendor?
>
[quoted text clipped - 339 lines]
> >> >> >> > >> >> >> >
> >> >> >> > >> >> >> >  Any other ideas? Thanks  a LOT!
GoCMS - 22 Nov 2004 19:45 GMT
About the second approach, I wrote a class that inherits the 3rd party
control, or just a class that delegates the functions to the 3rd party control
functions. I also added the APTCA attribute and put both of the assemblies (my
wrapper and the 3rd party one) into the GAC. It still fails at the same place. What
did I miss?  (Note: replacing it with my assembly doesn't eliminate the reference
to the 3rd party control.)
 Thanks a bunch!

"Joe Kaplan (MVP - ADSI)" wrote:

> Contact the vendor?
>
[quoted text clipped - 339 lines]
> >> >> >> > >> >> >> >
> >> >> >> > >> >> >> >  Any other ideas? Thanks  a LOT!
Joe Kaplan (MVP - ADSI) - 22 Nov 2004 20:42 GMT
You can't just inherit, you have to wrap.  The reason is that you must manually
assert each permission that their code demands in order to block the stack
walk.  If their code demands a lot of permissions, this will be a pain.

Essentially, you just create a permission object of the same type that is
being demanded by the code lower down and call the Assert method before
calling the method that causes their demand.  Your assert will then block
their demand.  Make sure you call RevertAssert when you are done.

HTH,

Joe K.

> About the second approach, I wrote a class that inherits the 3rd party
> control, or just a class that delegates the functions to 3rd party control
[quoted text clipped - 392 lines]
>> >> >> >> > >> >> >> >
>> >> >> >> > >> >> >> >  Any other ideas? Thanks  a LOT!
GoCMS - 23 Nov 2004 18:31 GMT
Is there any article or example of how to write the wrapper? I'm just a
newbie in terms of security. Thanks!

"Joe Kaplan (MVP - ADSI)" wrote:

> You can't just inherit, you have wrap.  The reason is that you must manually
> assert each permission that their code demands in order to block the stack
[quoted text clipped - 405 lines]
> >> >> >> >> > >> >> >> >
> >> >> >> >> > >> >> >> >  Any other ideas? Thanks  a LOT!
Joe Kaplan (MVP - ADSI) - 23 Nov 2004 19:58 GMT
I'm sorry, but I don't have a sample.  However, you might want to check out
some of the blogs by the CAS gurus such as Nicole Calinoiu, Shawn Farkas and
Peter Torr.

I actually think you'll be better off if you get the vendor to update their
code as writing a wrapper would be a lot of work if the control is at all
complex and would make it hard for you to upgrade.

Best of luck,

Joe K.

> Is there any article or example of how to do write the wrapper. I'm just a
> newbie in terms of security. Thanks!
[quoted text clipped - 464 lines]
>> >> >> >> >> > >> >> >> >
>> >> >> >> >> > >> >> >> >  Any other ideas? Thanks  a LOT!
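
The wrap-and-Assert pattern described in the thread, as an added example that is not part of the original posts or the vendor's code. It assumes the .NET Framework CAS model and a strong-named wrapper assembly installed in the GAC; the thread never identifies the demanded permission, so the FileIOPermission, the icon path, the VendorTree stand-in and all type names here are hypothetical.

```csharp
using System.Security;
using System.Security.Permissions;

// APTCA lets partially trusted pages call into this strong-named assembly.
[assembly: AllowPartiallyTrustedCallers]

namespace TreeWrapperExample   // hypothetical namespace
{
    // Stand-in for the third-party control (assumption): a non-APTCA class
    // whose code makes a full Demand, which starts a stack walk.
    public class VendorTree
    {
        public string FolderIcons;

        public string Render(string iconDir)
        {
            new FileIOPermission(FileIOPermissionAccess.Read, iconDir).Demand();
            return "<div>tree using " + FolderIcons + "</div>";
        }
    }

    // Wraps the vendor type instead of inheriting from it, so the partially
    // trusted page never links against the vendor assembly directly.
    public sealed class TreeWrapper
    {
        // The asserted path is fixed here and never taken from the caller;
        // an Assert on caller-supplied input would hand partially trusted
        // code the wrapper's own rights. Placeholder path.
        private const string IconDir = @"C:\inetpub\wwwroot\TreeIcons";

        private readonly VendorTree tree = new VendorTree();

        public TreeWrapper()
        {
            tree.FolderIcons = "/TreeIcons/Icons";
        }

        public string Render()
        {
            // Assert exactly the permission the vendor code demands, no wider.
            new FileIOPermission(FileIOPermissionAccess.Read, IconDir).Assert();
            try
            {
                return tree.Render(IconDir);   // the Demand stops at this frame
            }
            finally
            {
                CodeAccessPermission.RevertAssert();   // remove the Assert even on failure
            }
        }
    }
}
```

The page code then references only TreeWrapper, and each wrapper method that reaches a different Demand in the vendor code needs its own narrowly scoped Assert.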
