Hi
I have a .NET DLL control (WinFormsControl) which has to be hosted in an HTML page for Internet Explorer.
But I have found a problem when I try to view it from another computer. It throws a security exception when it tries to call an extern function from the OpenGL library, for example:
glMatrixMode
The methods I am using from OpenGL are declared with:
[DllImport("opengl32.dll", EntryPoint = "glMatrixMode"), SuppressUnmanagedCodeSecurity, CLSCompliantAttribute(true)] public static extern void glMatrixMode(int mode);
When I run it from my computer it works (trusting the assembly with caspol). But when I try with another computer it throws a Security Exception. The control loads, but when it tries to call the above function it throws the exception.
Any ideas?
I have received the answer in other forums.
The solution is to run this command: caspol -m -ag 1.3 -url http://MySite/MyControl.dll FullTrust -n MyControlGroup
victu: When I run it from my computer it works (trusting the assembly with caspol). But when I try with another computer it throws a Security Exception. The control loads, but when it tries to call the above function it throws the exception. Any ideas?
Haven't you answered your own question in your post?
By the way, the solution you used may not be in accordance with the least-privilege principle of security best practices.
victu: The solution is to run this command: caspol -m -ag 1.3 -url http://MySite/MyControl.dll FullTrust -n MyControlGroup
Instead of granting the assembly "FullTrust", why don't you consider using a custom permission set that contains the "Security - Unmanaged code call" permission and other necessary permissions?
Another suggestion: consider using StrongNameMembershipCondition, as it would be stronger evidence than the URL. With the strong name membership condition code group, even if the server is compromised and other malicious DLLs were injected, the client would still be safe.
Cheers.
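The two suggestions in the reply above, combined into one caspol session (an added example, not part of the original thread). Assumptions: the .NET Framework 2.0 caspol path, a strong-name-signed local copy of the control at a hypothetical path, the permission set name MyControlPermissions, and UIPermission standing in for the "other necessary permissions".

```powershell
# Added example; run from an elevated prompt. Paths and the permission set name are assumptions.
$caspol = Join-Path $env:windir 'Microsoft.NET\Framework\v2.0.50727\caspol.exe'
$dll    = 'C:\build\MyControl.dll'   # hypothetical local copy of the signed assembly
$psFile = Join-Path $env:TEMP 'MyControlPermissions.xml'

# Custom permission set: execution plus the unmanaged-code call right the
# DllImport on opengl32.dll needs, instead of FullTrust.
$mscorlib = 'mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089'
@"
<PermissionSet class="System.Security.NamedPermissionSet" version="1"
               Name="MyControlPermissions"
               Description="Execution and unmanaged calls for MyControl">
  <IPermission class="System.Security.Permissions.SecurityPermission, $mscorlib"
               version="1" Flags="Execution, UnmanagedCode" />
  <IPermission class="System.Security.Permissions.UIPermission, $mscorlib"
               version="1" Unrestricted="true" />
</PermissionSet>
"@ | Set-Content -Path $psFile -Encoding ASCII

# 1. Remove the URL-based FullTrust group created earlier (skip if it does not exist).
& $caspol -q -m -rg MyControlGroup

# 2. Register the named permission set at machine level.
& $caspol -q -m -ap $psFile

# 3. Add a code group under 1.3 that matches on the assembly's strong-name public key.
#    -noname -noversion matches anything signed with that key; pass a name/version to narrow it.
& $caspol -q -m -ag 1.3 -strong -file $dll -noname -noversion MyControlPermissions -n MyControlGroup

# 4. Confirm the group and its permission set.
& $caspol -m -lg
```

UnmanagedCode is itself a powerful grant, so the strong-name condition is what limits who receives it; an unsigned assembly cannot match this group.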
MaungMaung: Haven't you answered your own question in your post?
Yes, but on my computer I trusted the assembly with the option -ag 1.2, which I saw in other posts on the Internet. But this option doesn't work from another computer. I didn't know what the meaning of 1.2 was; now I know this means LocalInternet_Zone, and 1.3 means Internet_Zone. So by changing 1.2 to 1.3 I can run the control from another computer.
MaungMaung: Instead of granting the assembly "FullTrust", why don't you consider using a custom permission set that contains the "Security - Unmanaged code call" permission and other necessary permissions? Another suggestion: consider using StrongNameMembershipCondition, as it would be stronger evidence than the URL. With the strong name membership condition code group, even if the server is compromised and other malicious DLLs were injected, the client would still be safe. Cheers.
I'll consider that. Thank you!
victu: Yes, but on my computer I trusted the assembly with the option -ag 1.2, which I saw in other posts on the Internet. But this option doesn't work from another computer. I didn't know what the meaning of 1.2 was; now I know this means LocalInternet_Zone, and 1.3 means Internet_Zone. So by changing 1.2 to 1.3 I can run the control from another computer.
You can type "caspol -m -lg" to display all the code group information at machine level. The enterprise and user level code access security are not secured by default, as they grant all code the full trust permission set.
The code groups are hierarchically organized.
Good luck.