Embedded .NET Control in IE - Policy issue not causing it to work???

Marco

I have a .NET control embedded in Internet Explorer. Right now I am
loading the control in a Local Intranet Zone, meaning that
http://localhost/MyWebPage.htm has the embedded control. I have:

1) Strong Named my control
2) added [assembly: System.Security.AllowPartiallyTrustedCallers]
attribute to my AssemblyInfo.cs file
3) created a custom Code Group under "All_Code" in Machine Runtime
Security Policy
4) set the "Membership Condition" of my code group to be "Strong Name" and
imported the file (with and without the Name and Version)
5) set the "Permission Set" to be "FullTrust"

All to not have my control load up correctly. This is the IEDebug output:

Microsoft.IE.SecureFactory: Trying to create instance of type http://localhost/MySite/MyControlDir/MyControl.dll#MyControlNamespace.MyControl
Microsoft.IE.SecureFactory: System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.Security.SecurityException: Request for the permission of type System.Security.Permissions.SecurityPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 failed.
   at System.Runtime.Serialization.Formatters.Binary.ObjectReader.CheckSecurity(ParseRecord pr)
   at System.Runtime.Serialization.Formatters.Binary.ObjectReader.ParseObject(ParseRecord pr)
   at System.Runtime.Serialization.Formatters.Binary.ObjectReader.Parse(ParseRecord pr)
   at System.Runtime.Serialization.Formatters.Binary.__BinaryParser.ReadObjectWithMapTyped(BinaryObjectWithMapTyped record)
   at System.Runtime.Serialization.Formatters.Binary.__BinaryParser.ReadObjectWithMapTyped(BinaryHeaderEnum binaryHeaderEnum)
   at System.Runtime.Serialization.Formatters.Binary.__BinaryParser.Run()
   at System.Runtime.Serialization.Formatters.Binary.ObjectReader.Deserialize(HeaderHandler handler, __BinaryParser serParser, Boolean fCheck, IMethodCallMessage methodCallMessage)
   at System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Deserialize(Stream serializationStream, HeaderHandler handler, Boolean fCheck, IMethodCallMessage methodCallMessage)
   at System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Deserialize(Stream serializationStream)
   at System.Resources.ResourceReader.LoadObject(Int32 pos)
   at System.Resources.RuntimeResourceSet.GetObject(String key, Boolean ignoreCase)
   at System.Resources.ResourceManager.GetObject(String name, CultureInfo culture)
   at System.Resources.ResourceManager.GetObject(String name)
   at MyControl.InitializeComponent()
   at MyControl..ctor()
   --- End of inner exception stack trace ---

I can't make much sense of the exception but I have searched to no avail.
Am I missing a small but important step? Please let me know!

Thank you in advance,
Marco
 
In general, you shouldn't even need to grant full trust to your assembly in
order to allow the hosted control to run, so the problem may well lie
elsewhere. From the stack trace, it would appear that your control is
actually being instantiated. The problem seems to originate in the
MyControl.InitializeComponent method. Is there anything going on there that
might account for the problem?


 
(sorry if this was sent twice)

Thank you for the reply Nicole,

 
Hi,
From your exception it looks like you need the SerializationFormatter
permission. Additionally, you may need to assert that permission in your
code. If I remember correctly, IE opens your components in an AppDomain
with quite reduced permissions, and SerializationFormatter isn't allowed, as
it is one of the dangerous permissions (close in its dangerousness to
skip verification). That means that to get it to work you have to use the
assembly's own rights and assert these permissions (to stop the stack walk
that will fail with access denied).

-Valery.
http://www.harper.no/valery
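
The scoped assert described in the reply above, as an added example that is not part of the original thread and is not the poster's code. It targets the .NET Framework with code access security; the `PictureBox` and the resource key `pictureBox1.Image` are hypothetical stand-ins for whatever the designer generated in the real `InitializeComponent`.

```csharp
// Added example, not code from the thread. Targets the .NET Framework with
// code access security (CAS), as used by IE-hosted controls.
using System.Drawing;
using System.Resources;
using System.Security;
using System.Security.Permissions;
using System.Windows.Forms;

namespace MyControlNamespace
{
    public class MyControl : UserControl
    {
        private PictureBox pictureBox1;   // hypothetical child control

        public MyControl()
        {
            // The failed demand in the trace is for SecurityPermission, raised by
            // BinaryFormatter while ResourceManager.GetObject deserializes a
            // resource. Assert only the SerializationFormatter flag so the stack
            // walk stops at this frame instead of continuing into the
            // reduced-permission AppDomain described in the reply.
            // The assert is effective only if policy grants this assembly both
            // the asserted permission and SecurityPermissionFlag.Assertion.
            SecurityPermission serialization =
                new SecurityPermission(SecurityPermissionFlag.SerializationFormatter);
            serialization.Assert();
            try
            {
                // Everything called here runs under the assert, so keep it to
                // loading the assembly's own embedded resources.
                InitializeComponent();
            }
            finally
            {
                // Remove the assert so later calls into the control are
                // checked against the full call stack again.
                CodeAccessPermission.RevertAssert();
            }
        }

        private void InitializeComponent()
        {
            ResourceManager resources = new ResourceManager(typeof(MyControl));
            this.pictureBox1 = new PictureBox();
            this.SuspendLayout();
            // "pictureBox1.Image" is a hypothetical key; this GetObject call is
            // the frame that reaches BinaryFormatter.Deserialize in the trace.
            this.pictureBox1.Image = (Image)resources.GetObject("pictureBox1.Image");
            this.pictureBox1.Size = new Size(64, 64);
            this.Controls.Add(this.pictureBox1);
            this.Size = new Size(150, 150);
            this.ResumeLayout(false);
        }
    }
}
```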

 
Marco,

This is actually to do with the permissions the AppDomain starts up with -
basically IE doesn't know the strong name of your assembly before it loads
it, so doesn't match the membership condition.

It's something I came across a while ago, and in the end you have to use a
SiteMembershipCondition or a ZoneMembershipCondition.

The article dated June 26, 2003 on Shawn Farkas' blog should explain things
fully:
http://blogs.gotdotnet.com/shawnfa/

Cheers,
Mike
--
Mike Goatly
http://www.livesoftwaresolutions.com

 
Thank you for the reply Valery and Mike...

I believe that Valery has the right idea with asserting. Mike, using a
SiteMembershipCondition or a ZoneMembershipCondition would work but in
my case it's not an option; that link you referred me to was great and
also verified Valery's post.

The only problem now is to find the right place to assert
SerializationFormatter. My main code doesn't contain any instance (it's
out of reach of my code) but I do a lot of XML work in my code. I guess
I would need to do it there???

Thanks,
Marco
 
Thanks for the reply Valery and Mike,

Now I am ever more confused, here's why:

I set my code group "LocalIntranet_Zone" to have an "Everything"
permission set. My control loaded fine. At this point, if the control
loaded correctly, it would suffice to say that the control was not
dependent on a non-secure (APTCA enabled) assembly. I even figured out
that the control only needs 4 permissions: File IO, Security, User
Interface, and Printing. In other words, it would work with the
"LocalIntranet_Zone" code group if it had "File IO" permissions.

Does this mean that I need to Assert some "File IO" permission to
force a stack walk to my control's code group instead? Thus fixing
all those System.Runtime.Serialization.Formatters.* exceptions and
allowing my control to run??

Thanks in advance,
Marco


