Thank you for all the answers. It helped a lot.

Steve

> -----Original Message-----
> From: Moderated discussion of advanced .NET topics.
> [mailto:[EMAIL PROTECTED]] On Behalf Of
> John Cavnar-Johnson
> Sent: Tuesday, April 30, 2002 3:47 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ADVANCED-DOTNET] remoting from browser, security bug (?)
>
> inline
>
> -----Original Message-----
> From: Michael Bealer [mailto:[EMAIL PROTECTED]]
> Sent: Monday, April 29, 2002 2:22 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [ADVANCED-DOTNET] remoting from browser, security bug (?)
>
> Thank you for the link and the information, but I'm very
> confused now. Basically what it seems to be saying is that
> although I have given unrestricted access to the sql client
> and ole db permission set, it's useless because the
> assemblies involved do not allow partially trusted callers?
> <John> Yes, that's the way it is. </John>
>
> Regardless of those permissions, I cannot connect to a SQL
> Server?
> <John>Correct</John>
>
> So if I build an application to be deployed via the web, I
> have to convince people to give me full-trust access to their
> machines?
> <John>Yes, if you want to use the SQLClient classes
> to connect to SQL Server</John>
>
> I don't understand
> the point of the permission sets then. What can you do with
> the SQL Client and ole db permissions?
> <John> As far as I can
> tell, not much. The decision to add the
> AllowPartiallyTrustedCallers attribute and require shared
> assemblies to use it was made late in the beta cycle.
> Microsoft apparently decided that using the SQLConnection was
> an operation requiring full trust and added a SecurityDemand to
> that (and many other parts of System.Data.dll). To me, this
> seems to obsolete those permissions. However, perhaps they
> intend to remove the requirement for full trust in the future.</John>
>
> Is it impossible then to connect to a sql server
> box without full-trust?
> <John>Yes</John>
>
> My code example that I sent to MS is only
> attempting to open a connection. I am not even querying
> data. I'm not sure why full-trust would be required for that
> operation.
> <John>I think that connecting to a database should
> be a highly privileged operation, but you will have to ask
> Microsoft why it requires full trust.</John>
>
> Thanks,
> Michael
>
> ----- Original Message -----
> From: "John Cavnar-Johnson" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, April 29, 2002 1:09 PM
> Subject: Re: [ADVANCED-DOTNET] remoting from browser, security bug (?)
>
> You still have a similar problem. Although System.Data.dll
> does have the attribute, many of its methods require full
> trust. See
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/aptcatypes.asp
> for a complete list.
>
> It is important to remember that FullTrust and the Everything
> permission set are very different. The requirement for
> shared assemblies to specify whether their methods are
> callable from partially trusted code is essential to creating
> secure libraries.
>
> -----Original Message-----
> From: Michael Bealer [mailto:[EMAIL PROTECTED]]
> Sent: Monday, April 29, 2002 10:57 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ADVANCED-DOTNET] remoting from browser, security bug (?)
>
> Sorry, I guess I should have been more specific. In my case
> I am not trying to use remoting, the thing that is happening
> to me is that I cannot connect to a SQL Server database
> without giving full-trust. The odd part of my problem and
> Steve's problem is that giving every permission available
> doesn't allow the code to work. Only full-trust works. It
> seems odd that you are required to give an app full-trust
> when there should be and seems to be permission sets
> available to accomplish what you want.
>
> Thanks,
> Michael
>
> ----- Original Message -----
> From: "John Cavnar-Johnson" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, April 29, 2002 11:15 AM
> Subject: Re: [ADVANCED-DOTNET] remoting from browser, security bug (?)
>
> This is by design. Strong-named assemblies (like
> System.Runtime.Remoting) cannot be called by partially
> trusted code (code that has any permission set other than
> full trust) unless that strong-named assembly is decorated
> with the AllowPartiallyTrustedCallers attribute.
> System.Runtime.Remoting does not have that attribute, with
> good reason. You will either need to give your component
> full trust or use another mechanism to communicate with the
> server. Why do you want to use remoting from within IE?
>
> -----Original Message-----
> From: Michael Bealer [mailto:[EMAIL PROTECTED]]
> Sent: Monday, April 29, 2002 9:14 AM
> To: [EMAIL PROTECTED]
> Subject: Re: [ADVANCED-DOTNET] remoting from browser, security bug (?)
>
> Steve, I have seen the exact same problem with just a winform
> exe or dll deployed from the web and I've been speaking with
> someone at Microsoft who is looking into it.
>
> Michael
>
> ----- Original Message -----
> From: "Steve Albert" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, April 29, 2002 3:28 AM
> Subject: [ADVANCED-DOTNET] remoting from browser, security bug (?)
>
> Hi.
> I'm writing a winforms control which is hosted in IE. I'd
> like to use remoting to communicate with the server. If I give
> FullTrust (CAS right) to the component it works fine. But if
> I give Everything or give all rights to the component (one by
> one, granting everything, including skip security check) it
> doesn't work. I wrote a very simple control with only one
> button, and a method constructing a TcpChannel object.
>
> Here is the code (very very simple):
>
>     private void Test()
>     {
>         MessageBox.Show( "c" );
>         new System.Runtime.Remoting.Channels.Tcp.TcpChannel();
>     }
>
>     private void button1_Click(object sender, System.EventArgs e) {
>         MessageBox.Show( "calling test now..." );
>         Test();
>     }
>
> First message box is shown, second is not. Security error
> exception thrown. It seems to me it must be thrown by the JIT.
>
> Any suggestions?
> Has anyone tried to do remoting from an IE hosted winforms
> control with properly configured security?
>
> thanks,
> Steve
You can read messages from the Advanced DOTNET archive, unsubscribe from Advanced DOTNET, or subscribe to other DevelopMentor lists at http://discuss.develop.com.
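
Added example, not part of the original thread: a sketch of how the failure Steve describes can be surfaced and handled in the calling method rather than by requesting FullTrust. It assumes the control runs with a partial-trust grant; the class name `DiagnosticControl` is hypothetical, and the timing described in the comments follows the documented behaviour of link demands (checked during just-in-time compilation), which matches the observation that the "c" message box never appears.

```csharp
// Added illustration; not code from the thread. Assumes a WinForms control
// hosted with a partial-trust permission grant, as in Steve's report.
using System;
using System.Security;
using System.Windows.Forms;

public class DiagnosticControl : UserControl   // hypothetical name
{
    // This method references a strong-named assembly that does not carry
    // AllowPartiallyTrustedCallersAttribute. The implicit FullTrust link
    // demand is evaluated when the method is JIT-compiled, before its first
    // statement executes, so the "c" message box is never reached.
    private void Test()
    {
        MessageBox.Show("c");
        new System.Runtime.Remoting.Channels.Tcp.TcpChannel();
    }

    private void button1_Click(object sender, EventArgs e)
    {
        MessageBox.Show("calling test now...");
        try
        {
            // The handler has to live in the caller: the exception surfaces
            // at this call site, not inside the body of Test().
            Test();
        }
        catch (SecurityException ex)
        {
            // Report the denial and keep running with reduced functionality
            // instead of asking the user to grant FullTrust.
            MessageBox.Show("Blocked by code access security:\n" + ex.Message);
        }
    }
}
```

Keeping the restricted call in its own small method, as the original code already does, keeps the demand from being triggered while the event handler itself is compiled.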