making permissions optional

D

David Thielen

Hi;

I have the following method:
public static InputStream loadResource(String filename, int location)
throws IOException
{

if ((filename == null) || (filename.length() == 0))
return null;

if ((location & (THREAD | APP_CLASS | SYSTEM_CLASS)) != 0)
{
System.IO.Stream stream =
Class.ToType(SystemWrapper.class).get_Assembly().GetManifestResourceStream(filename);
if (stream != null)
return new JavaInputStream(stream);
}

// file
if ((location & FILE) != 0) {
File file = new File(filename);
if (file.exists()) {
if (log.isInfoEnabled())
log.info("Loading resource file: " + new
File(filename).getAbsolutePath());
return new FileInputStream(file);
}
}

// url last
if ((location & URL) != 0) {
try {
URL url = new URL(filename);
if (log.isInfoEnabled())
log.info("Loading resource file: " + new
File(filename).getAbsolutePath());
return url.openStream();
} catch (MalformedURLException mue) {
// nothing
}
}

return null;
}

And it's permissions demanded are:
<Method Sig="class InputStream loadResource(string , int )">
<Demand>
<PermissionSet version="1"
class="System.Security.PermissionSet">
<IPermission version="1"
class="System.Security.Permissions.EnvironmentPermission, mscorlib,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
Read="UserName" />
<IPermission version="1"
class="System.Security.Permissions.FileIOPermission, mscorlib,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
Unrestricted="true" />
<IPermission version="1"
class="System.Security.Permissions.ReflectionPermission, mscorlib,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
Flags="MemberAccess" />
<IPermission version="1"
class="System.Security.Permissions.RegistryPermission, mscorlib,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
Unrestricted="true" />
<IPermission version="1"
class="System.Security.Permissions.SecurityPermission, mscorlib,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
Flags="UnmanagedCode, ControlThread, ControlEvidence" />
<IPermission version="1"
class="System.Security.Permissions.KeyContainerPermission, mscorlib,
Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
Unrestricted="true" />
</PermissionSet>
</Demand>
<Sandbox>
<PermissionSet version="1"
class="System.Security.PermissionSet" Unrestricted="true" />
</Sandbox>
</Method>

However, all of the above permissions are not required to run our program.
In most cases the GetManifestResourceStream is the only part used. How do I
set this to say that these requests are optional not required?

I hope it's not having to go set permissions on each method throughout our
code because that would take weeks.

--
thanks - dave
david_at_windward_dot_net
http://www.windwardreports.com

Cubicle Wars - http://www.windwardreports.com/film.htm
 
W

Walter Wang [MSFT]

Hi Dave,

The Permission Calculator Tool calculates the minimum permission set
required to run an application by examining all applicable code paths of
all application assemblies and dependency assemblies:

#Permission Calculator Tool (Permcalc.exe)
http://msdn2.microsoft.com/en-us/library/ms165077(VS.80).aspx
Starting from the entry point of the application, the tool traces all code
paths through all application assemblies and the shared and system
libraries called from the application. The tool maintains a simulated call
stack that contains all the assemblies involved in the code path trace. On
every code path trace, the tool checks for the presence of declarative
demands, link demands, and declarative stack walk modifiers.


If you use Reflector to view J# Assembly.GetManifestResourceStream(), you
will find one of its called function has unsafe signature:

internal virtual unsafe Stream GetManifestResourceStream(string name, ref
StackCrawlMark stackMark, bool skipSecurityCheck)


The resulting permission set is calculated using the all code paths. That's
why you're seeing some permission sets that are never used in your code
directly.


If your Web application contains code that requires more permissions than
are granted by a particular ASP.NET trust level, the easiest option is
customizing a policy file to grant the additional code access security
permission to your Web application. You can either modify an existing
policy file and grant additional permissions or create a new one based on
an existing policy file.

Another approach that does not require an update to ASP.NET code access
security policy is wrapping your resource access code in its own wrapper
assembly and configuring machine-level code access security policy to grant
the specific assembly the appropriate permission. Then you can sandbox the
higher-privileged code using the CodeAccessPermission.Assert method so you
do not have to change the overall permission grant of the Web application.
The Assert method prevents the security demand issued by the resource
access code from propagating back up the call stack beyond the boundaries
of the wrapper assembly.

For more information about above two different approaches, please refer to
following article:

#Using Code Access Security with ASP.NET
http://msdn2.microsoft.com/en-us/library/aa302425.aspx


Sincerely,
Walter Wang ([email protected], remove 'online.')
Microsoft Online Community Support

==================================================
Get notification to my posts through email? Please refer to
http://msdn.microsoft.com/subscriptions/managednewsgroups/default.aspx#notif
ications. If you are using Outlook Express, please make sure you clear the
check box "Tools/Options/Read: Get 300 headers at a time" to see your reply
promptly.

Note: The MSDN Managed Newsgroup support offering is for non-urgent issues
where an initial response from the community or a Microsoft Support
Engineer within 1 business day is acceptable. Please note that each follow
up response may take approximately 2 business days as the support
professional working with you may need further investigation to reach the
most efficient resolution. The offering is not appropriate for situations
that require urgent, real-time or phone-based interactions or complex
project analysis and dump analysis issues. Issues of this nature are best
handled working with a dedicated Microsoft Support Engineer by contacting
Microsoft Customer Support Services (CSS) at
http://msdn.microsoft.com/subscriptions/support/default.aspx.
==================================================

This posting is provided "AS IS" with no warranties, and confers no rights.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Why is this method requesting these permissions? 7
Permissions for access to Active Directory (CAS) 0
Permissions 0
SecurityException in Web Service using ADOMD.NET 0
Still the same problem with embedding Windows Control 0
System.Security.Permissions.SecurityPermission 0
Embedding Windows Form Control to ASP .NET Security Problem 2
still probs ::: how to use microsoft application blocks ent libjune 2005 3

Members online

Total: 58 (members: 3, guests: 55)
Robots: 365

Forum statistics

Threads
473,968
Messages
2,570,153
Members
46,699
Latest member
AnneRosen

Latest Threads

Top