Professional Web Applications Themes

making permissions optional - ASP.NET Security

ps - our AssemblyInfo.jsl is: /** assembly ComVisible(false) */ /** assembly CLSCompliant(false) */ /** assembly SocketPermission(SecurityAction.RequestMinimum, Unrestricted = true) */ /** assembly DnsPermission(SecurityAction.RequestMinimum, Unrestricted = true) */ -- thanks - dave david_at_windward_dot_net http://www.windwardreports.com Cubicle Wars - http://www.windwardreports.com/film.htm...

  1. #1

    Default RE: making permissions optional

    ps - our AssemblyInfo.jsl is:

    /** assembly ComVisible(false) */
    /** assembly CLSCompliant(false) */
    /** assembly SocketPermission(SecurityAction.RequestMinimum, Unrestricted =
    true) */
    /** assembly DnsPermission(SecurityAction.RequestMinimum, Unrestricted =
    true) */


    --
    thanks - dave
    david_at_windward_dot_net
    http://www.windwardreports.com

    Cubicle Wars - http://www.windwardreports.com/film.htm


    David Guest

  2. #2

    Default making permissions optional

    Hi;

    I have the following method:
    public static InputStream loadResource(String filename, int location)
    throws IOException
    {

    if ((filename == null) || (filename.length() == 0))
    return null;

    if ((location & (THREAD | APP_CLASS | SYSTEM_CLASS)) != 0)
    {
    System.IO.Stream stream =
    Class.ToType(SystemWrapper.class).get_Assembly().G etManifestResourceStream(filename);
    if (stream != null)
    return new JavaInputStream(stream);
    }

    // file
    if ((location & FILE) != 0) {
    File file = new File(filename);
    if (file.exists()) {
    if (log.isInfoEnabled())
    log.info("Loading resource file: " + new
    File(filename).getAbsolutePath());
    return new FileInputStream(file);
    }
    }

    // url last
    if ((location & URL) != 0) {
    try {
    URL url = new URL(filename);
    if (log.isInfoEnabled())
    log.info("Loading resource file: " + new
    File(filename).getAbsolutePath());
    return url.openStream();
    } catch (MalformedURLException mue) {
    // nothing
    }
    }

    return null;
    }

    And it's permissions demanded are:
    <Method Sig="class InputStream loadResource(string , int )">
    <Demand>
    <PermissionSet version="1"
    class="System.Security.PermissionSet">
    <IPermission version="1"
    class="System.Security.Permissions.EnvironmentPerm ission, mscorlib,
    Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
    Read="UserName" />
    <IPermission version="1"
    class="System.Security.Permissions.FileIOPermissio n, mscorlib,
    Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
    Unrestricted="true" />
    <IPermission version="1"
    class="System.Security.Permissions.ReflectionPermi ssion, mscorlib,
    Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
    Flags="MemberAccess" />
    <IPermission version="1"
    class="System.Security.Permissions.RegistryPermiss ion, mscorlib,
    Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
    Unrestricted="true" />
    <IPermission version="1"
    class="System.Security.Permissions.SecurityPermiss ion, mscorlib,
    Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
    Flags="UnmanagedCode, ControlThread, ControlEvidence" />
    <IPermission version="1"
    class="System.Security.Permissions.KeyContainerPer mission, mscorlib,
    Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
    Unrestricted="true" />
    </PermissionSet>
    </Demand>
    <Sandbox>
    <PermissionSet version="1"
    class="System.Security.PermissionSet" Unrestricted="true" />
    </Sandbox>
    </Method>

    However, all of the above permissions are not required to run our program.
    In most cases the GetManifestResourceStream is the only part used. How do I
    set this to say that these requests are optional not required?

    I hope it's not having to go set permissions on each method throughout our
    code because that would take weeks.

    --
    thanks - dave
    david_at_windward_dot_net
    http://www.windwardreports.com

    Cubicle Wars - http://www.windwardreports.com/film.htm


    David Guest

  3. #3

    Default RE: making permissions optional

    Hi Dave,

    The Permission Calculator Tool calculates the minimum permission set
    required to run an application by examining all applicable code paths of
    all application assemblies and dependency assemblies:

    #Permission Calculator Tool (Permcalc.exe)
    http://msdn2.microsoft.com/en-us/library/ms165077(VS.80).aspx
    Starting from the entry point of the application, the tool traces all code
    paths through all application assemblies and the shared and system
    libraries called from the application. The tool maintains a simulated call
    stack that contains all the assemblies involved in the code path trace. On
    every code path trace, the tool checks for the presence of declarative
    demands, link demands, and declarative stack walk modifiers.


    If you use Reflector to view J# Assembly.GetManifestResourceStream(), you
    will find one of its called function has unsafe signature:

    internal virtual unsafe Stream GetManifestResourceStream(string name, ref
    StackCrawlMark stackMark, bool skipSecurityCheck)


    The resulting permission set is calculated using the all code paths. That's
    why you're seeing some permission sets that are never used in your code
    directly.


    If your Web application contains code that requires more permissions than
    are granted by a particular ASP.NET trust level, the easiest option is
    customizing a policy file to grant the additional code access security
    permission to your Web application. You can either modify an existing
    policy file and grant additional permissions or create a new one based on
    an existing policy file.

    Another approach that does not require an update to ASP.NET code access
    security policy is wrapping your resource access code in its own wrapper
    assembly and configuring machine-level code access security policy to grant
    the specific assembly the appropriate permission. Then you can sandbox the
    higher-privileged code using the CodeAccessPermission.Assert method so you
    do not have to change the overall permission grant of the Web application.
    The Assert method prevents the security demand issued by the resource
    access code from propagating back up the call stack beyond the boundaries
    of the wrapper assembly.

    For more information about above two different approaches, please refer to
    following article:

    #Using Code Access Security with ASP.NET
    http://msdn2.microsoft.com/en-us/library/aa302425.aspx


    Sincerely,
    Walter Wang (microsoft.com, remove 'online.')
    Microsoft Online Community Support

    ==================================================
    Get notification to my posts through email? Please refer to
    http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
    ications. If you are using Outlook Express, please make sure you clear the
    check box "Tools/Options/Read: Get 300 headers at a time" to see your reply
    promptly.

    Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
    where an initial response from the community or a Microsoft Support
    Engineer within 1 business day is acceptable. Please note that each follow
    up response may take approximately 2 business days as the support
    professional working with you may need further investigation to reach the
    most efficient resolution. The offering is not appropriate for situations
    that require urgent, real-time or phone-based interactions or complex
    project ysis and dump ysis issues. Issues of this nature are best
    handled working with a dedicated Microsoft Support Engineer by contacting
    Microsoft Customer Support Services (CSS) at
    http://msdn.microsoft.com/subscriptions/support/default.aspx.
    ==================================================

    This posting is provided "AS IS" with no warranties, and confers no rights.

    Walter Guest

Similar Threads

  1. Contribute permissions vs. network permissions
    By ghope in forum Macromedia Contribute Connection Administrtion
    Replies: 2
    Last Post: February 21st, 08:18 PM
  2. Replies: 0
    Last Post: August 4th, 04:48 AM
  3. Optional Arguments in a CFC
    By Cannikinn in forum Coldfusion - Advanced Techniques
    Replies: 3
    Last Post: June 22nd, 09:16 PM
  4. numberformat - is optional no longer optional?
    By miki in forum Macromedia ColdFusion
    Replies: 1
    Last Post: April 18th, 11:07 PM

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139