Deploying the WCSF blocks in a partially trusted environment

Topics: Web Client Software Factory, User Forum
Feb 11, 2007 at 4:43 AM
Edited Feb 11, 2007 at 4:44 AM
Just looking into the security configuration of the app I’ve just built with WCSF. I thought I’d tone down the rights the app has by changing the trust level in Web.config.

Basically I thought the privileges for Medium Trust looked ok (CAS and Asp.Net security links on this below). However, when I change the trust to medium I get the following exception:

System.Security.SecurityException: That assembly does not allow partially trusted callers.

Ok I thought, the DLLs that come with WCSF out of the box are signed (I ran this to confirm: secutil -s Assembly.dll), so by default the runtime will subject partially trusted callers to CAS checking unless the blocks declare AllowPartiallyTrustedCallers (this is an assembly-level attribute), which they don’t. Ok, I can compile the blocks myself, in which case they won’t be signed, and this kinda sidesteps that issue. However, running permcalc.exe over the out-of-the-box assemblies shows that there are a fair few permissions required for these blocks to run, so perhaps a medium trust environment still won’t work regardless of the signing and AllowPartiallyTrustedCallers issue.

Security is somewhat of a gray area for me but I’m still researching what approach to take. Basically, where I’m going with this is: what approach can I take to lock down my app so it’s not running under full trust but still uses the WCSF blocks (I couldn’t see any info in the docs)?

Do I have to write a custom policy that defines all the permissions listed by permcalc, or can I just go with the release DLLs and tell CAS to trust my own DLLs, and it should all just work under medium trust as long as I don’t explicitly call functionality that demands higher security?

Any thoughts?


Links and info regarding the above

Here are some good resources on CAS in Asp.Net apps, listed from general to more specific if you feel like a read:
Security Guidelines: ASP.NET 2.0
http://msdn2.microsoft.com/en-us/library/ms998258.aspx#pagguidelines0001_codeaccesssecurity
How To: Use Code Access Security in ASP.NET 2.0
http://msdn2.microsoft.com/en-us/library/ms998326.aspx
How To: Use Medium Trust in ASP.NET 2.0
http://msdn2.microsoft.com/en-us/library/ms998341.aspx

Looking at required permissions with Permcalc.exe
Assuming permcalc.exe is in your path (it lives here: c:\program files\microsoft visual studio 8\sdk\v2.0\bin\permcalc.exe), you can run this command to get an XML file of the permissions:
permcalc -cleancache -stacks -show Microsoft.Practices.CompositeWeb.dll

(the xpath to the relevant permissions in that file is /descendant::Demand/PermissionSet)
Coordinator
Feb 13, 2007 at 10:31 PM
First, those are good articles to look at. I have referred to them in the past.

Medium Trust was not a goal of the project (sorry), and it might be a challenge to achieve. The PageFlow block uses Workflow Foundation, which requires full trust to run. If all you want is the Composite Web App Block, it uses reflection, which is a no-no under Medium Trust. You may be able to create a security context based on Medium Trust, with extra permissions (from permcalc) allowed.

I will have some members of our team investigate running a web site using the Composite Web block in Medium Trust, and report back to you and the rest of the community.

If Medium Trust is something you really want, please create a feature request in Issue Tracker and vote on it for v2.
Feb 14, 2007 at 10:25 AM
Thanks for the reply Michael, turns out that it’s going to be more trouble than gain trying to run this under anything other than full trust. But along the way, I’ve learnt heaps about CAS and how asp.net applies it.

If I did end up going with a partial trust environment, below is what I would have ended up doing when trying to get it to work; anyone feel free to add comments...

I would have created a custom security policy which sits somewhere between the medium and high (or perhaps even leaning towards full will) trust policies that come out of the box with .net 2.0. Then, because the out-of-the-box WCSF DLLs are signed, the runtime will subject partially trusted callers to security checking (if the WCSF DLLs declared AllowPartiallyTrustedCallers this check could be bypassed, but there could be other functionality that may break); at this point things fall over very fast as my unknown custom app assemblies are untrusted by the runtime. I could sign them and grant them full trust in the custom policy, but this would defeat the purpose of the whole thing.

I was thinking I could recompile the WCSF myself (unsigned), therefore CAS won’t check callers into those, then make a new trust policy based on medium-high trust, then just keep adding permissions to see how far I got to get the whole thing running... Not tested, just the approach I was going to try, but now won’t... perhaps this may be of use to someone else.
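The custom-policy approach sketched in this post, as an added example (not code from the thread or from the WCSF project): the Web.config wiring for a custom trust level, and the edits to a copy of web_mediumtrust.config that grant one permission beyond Medium (ReflectionPermission, which the coordinator's reply says the Composite Web block needs) and full-trust one named assembly by its URL. The policy file name `web_wcsftrust.config`, the trust-level name `WcsfTrust` and the `MyApp.Core.dll` assembly are assumptions; the permission list itself is what permcalc reports for your build.

```xml
<!-- 1. Root Web.config in the framework CONFIG directory (next to
        web_mediumtrust.config): register the custom level. The policyFile
        path is relative to that directory. -->
<configuration>
  <system.web>
    <securityPolicy>
      <trustLevel name="WcsfTrust" policyFile="web_wcsftrust.config" />
    </securityPolicy>
  </system.web>
</configuration>

<!-- 2. Application Web.config: switch the app from Medium to the custom level.
        This only takes effect if the host has not locked <trust> with
        allowOverride="false". -->
<configuration>
  <system.web>
    <trust level="WcsfTrust" originUrl="" />
  </system.web>
</configuration>

<!-- 3. web_wcsftrust.config: a copy of web_mediumtrust.config with the
        ASP.Net named permission set extended. Only the edited parts are shown;
        everything else in the copied file stays as Medium defines it. -->
<configuration>
  <mscorlib>
    <security>
      <policy>
        <PolicyLevel version="1">
          <SecurityClasses>
            <!-- Add this only if the copied file does not already declare it. -->
            <SecurityClass Name="ReflectionPermission"
              Description="System.Security.Permissions.ReflectionPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
          </SecurityClasses>
          <NamedPermissionSets>
            <PermissionSet class="NamedPermissionSet" version="1" Name="ASP.Net">
              <!-- existing Medium entries (AspNetHostingPermission Level="Medium",
                   FileIOPermission scoped to $AppDir$, ...) remain here -->
              <!-- assumption: grant just MemberAccess, not AllFlags -->
              <IPermission class="ReflectionPermission" version="1" Flags="MemberAccess" />
            </PermissionSet>
          </NamedPermissionSets>
          <!-- Optional trade-off: full-trust one specific assembly by URL
               instead of the whole app. This is the "trust my own dlls" option
               from the first post, and it hands that one DLL unrestricted rights. -->
          <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust">
            <IMembershipCondition class="UrlMembershipCondition" version="1"
              Url="$AppDirUrl$/bin/MyApp.Core.dll" />
          </CodeGroup>
        </PolicyLevel>
      </policy>
    </security>
  </mscorlib>
</configuration>
```

After switching levels, re-run permcalc against each remaining SecurityException and add only the IPermission it names to the ASP.Net set, so the grant stays as narrow as the blocks actually require.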

Feb 14, 2007 at 10:38 AM
I mentioned above ‘if the WCSF dlls declared AllowPartiallyTrustedCallers this check could be bypassed, but there could be other functionality that may break’.

I just noticed that timber (that’s the guy’s name :)) mentioned on this post http://www.codeplex.com/websf/Thread/View.aspx?ThreadId=7159 that ‘Windows Workflow assemblies requires full trust, and do not allow partially trusted callers’. So yeah, I don’t think that’s going to work...