Velocity Reviews

Velocity Reviews (http://www.velocityreviews.com/forums/index.php)
-   ASP .Net Security (http://www.velocityreviews.com/forums/f62-asp-net-security.html)
-   -   System.Security.Permissions.FileIOPermission (http://www.velocityreviews.com/forums/t766208-system-security-permissions-fileiopermission.html)

Eric Phetteplace 06-11-2004 02:20 PM

System.Security.Permissions.FileIOPermission
 
Hello,

This seems to be a common question, but all the posts I see do not have a
clear answer.

Here's an excerpt of my WebPart code:
************
Imports System.IO

Dim oFS As FileStream
oFS = File.Open([PermPath], FileMode.Open)
If Err.Number > 0 Then ...
************
It compiles fine.

The only way I can get this to work is by modifying the web.config file
************
<trust level="Full" originUrl="" />
************

EVERYTHING ELSE I TRIED DID NOT WORK, AS STATED BELOW:

I tried asserting permissions, but this seems undesirable, and it doesn't
work without trust level= "full"
I would hope the .Net security wouldn't allow coders to automatically bypass
security, as I think this is what happens here.
*******************
Dim f As System.Security.Permissions.FileIOPermission

f = New
System.Security.Permissions.FileIOPermission(Secur ity.Permissions.Permission
State.Unrestricted)

f.AddPathList(Security.Permissions.FileIOPermissio nAccess.Read,
[PermPath])

f.Assert()

*******************

I tried modifying the wss_mediumtrust.config policy file
removing the Flags attribute and adding the Unrestricted attribute (I'm
guessing this was the att name)
I believe this is undesirable too, since it opens a gaping security hole.
***********************

<IPermission
class="SecurityPermission"
version="1"
Unrestricted = "true"
/>

***********************

I saw another suggestion to use WPPackager and add the IPermission for the
web part package. That sounds like the proper way.

My questions are:

1. How do I allow my Web part to have file access, without setting the
trust level to "full?"
2. Is the WPPackager the proper way to grant file access to this individual
web part?

Thanks,

Eric



Keith Brown 06-11-2004 11:12 PM

RE: System.Security.Permissions.FileIOPermission
 
Hey Eric,

You definitely do NOT want to make the SecurityPermission unrestricted. That has no effect at all on the FileIOPermission, which is what you really want to fix, but what it does do is grant all *sorts* of scary permissions (like ControlPolicy, which allows you to set SecurityManager.SecurityEnabled=false and turn off all of CAS!)

You have a couple of choices: you can either move your functionality into an assembly in the GAC (where it will be fully trusted) and mark your assembly with the AllowPartiallyTrustedCallers attribute, or you can change policy like you were suggesting by adding an element for FileIOPermission, either making it unrestricted or (even better) specifying the exact directory and permission level you need to grant.

Keith Brown, MVP
http://www.pluralsight.com

Eric Phetteplace 06-12-2004 01:59 AM

Re: System.Security.Permissions.FileIOPermission
 
Hi Keith,

Thanks for your help!

I tried adding an IPermission element for FileIOPermission, right under the
existing one in the wss_mediumtrust.config:
<IPermission
class="FileIOPermission"
version="1"
Read="G:\SpecialDir"
PathDiscovery="G:\SpecialDir"
/>
When I try to read g:\specialdir\test.txt, I receive the following error:
The HelloWorldApp, Version=1.0.0.1, Culture=neutral,
PublicKeyToken=dc2757a2b56c5017 assembly specified in a Register directive
of this page could not be found

Any suggestions?

Eric

"Keith Brown" <Keith Brown@discussions.microsoft.com> wrote in message
news:7CB11EAB-D2CE-4306-8BC2-2208083725C2@microsoft.com...
> Hey Eric,
>
> You definitely do NOT want to make the SecurityPermission unrestricted.

That has no effect at all on the FileIOPermission, which is what you really
want to fix, but what it does do is grant all *sorts* of scary permissions
(like ControlPolicy, which allows you to set
SecurityManager.SecurityEnabled=false and turn off all of CAS!)
>
> You have a couple of choices: you can either move your functionality into

an assembly in the GAC (where it will be fully trusted) and mark your
assembly with the AllowPartiallyTrustedCallers attribute, or you can change
policy like you were suggesting by adding an element for FileIOPermission,
either making it unrestricted or (even better) specifying the exact
directory and permission level you need to grant.
>
> Keith Brown, MVP
> http://www.pluralsight.com





All times are GMT. The time now is 08:43 AM.

Powered by vBulletin®. Copyright ©2000 - 2014, vBulletin Solutions, Inc.
SEO by vBSEO ©2010, Crawlability, Inc.