no touch deployment

[Mark]

I'm trying to distribute an application using the .NET No Touch Deployment
method. Which is basically
browsing to a .NET .exe in Internet Explorer. I do this and the application
comes up fine. The only problem I have
is that a lot of the functionality of the app won't work because of security
issues.
Can someone tell me the easiest way to give the needed permissions to allow
the app to run on users machines
when it is accessed? Without going to each persons machine individually and
giving them permissions??

Thanks in advance. Mark

 

[Fredrick Grass]

The simple answer is no you can't get full rights for an assembly gotten
over the web, but there is a way to get a good deal of them.

First of all to get good rights it must be a intranet. And you must
beable to refernce the site with out the domain attached. ex you would
refrence test.domain.com as test.
That sets IE to work in local intranet mode which sets the security
level of dot net to one notch below full trust.

The text for that level reads .
Programs might no beable to access most protected resources such as the
registry or security policy settings, or access your local file system
with out user interaction.
Programs will beable to connect back to thier sight of origin, resolve
domain names, and use all windowing resources.

I ran a quick test and I couln't write to the file system.

Hope this helps.

 

[Mark]

Yeah, that's what I seem to be finding out with this whole thing.
Unfortunately it looks like it would be a major pain in the butt to deploy
an app using this method. Seemed like an awesome idea though.
I know there are caveats with writing or accessing files, but the error I'm
getting only happens when I'm trying to shut down my application.

Here's the line I'm erroring on (this is just in a button click event):

Application.Exit();

Here's the error:

Request for the permission of type
System.Security.Permissions.SecurityPermission, mscorlib
version=1.0.5000.0, Culture=neutral
PublicKeyToken=b77a5c561934e089 failed.



Any help on this one would be great. I'm accessing the program using
http://localhost, so that should be intranet.
It makes sense to me about the filesystem being restricted , but it makes
absolutely no sense that the application would not be able to close itself.

 

[Mark]

Oh, I just tried one more thing. If you just close the form (me.close())
you don't get an error. It has something to do with doing an
Application.Exit().
That boggles me of why the application wouldn't have permission to "exit" or
close (in intranet/internet mode).

 

[SEWilson]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

because Application.Exit terminates the process at the OS
level. A hosted environment should NEVER have the right to
terminateprocess, thus Application.Exit is rightly
inaccessible from what is otherwise a hosted assembly (even
if it is an exe, implementors of browsers may opt to
completely sandbox the app).

Aside from that. Application.Exit and TerminateProcess are
known by component developers to be the worst way to exit a
modern/windows compnent-based application. Tsk tsk. You
should be properly disposing all of your objects and then
closing the main form (which puts execution back into
Main() where it exits the process normally).

Oh, I just tried one more thing. If you just close the
form (me.close()) you don't get an error. It has
something to do with doing an Application.Exit().
That boggles me of why the application wouldn't have
permission to "exit" or close (in intranet/internet
mode).

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQA/AwUBP0bmGqZcqAh+utlREQI4RQCgx9omBV6FK2RrOhK1tToOEP3dKYQAoJSe
oY/Bya8kfcfN9bPyvMAbFIME
=hMz6
-----END PGP SIGNATURE-----

 

[Eric Cadwell]

Someone tell me how crazy this idea is:

You can configure all this through policy files - security.config has the
power to enable full trust for the Intranet Zone (or any other zone). You
can create new permission sets, code groups, and the whole nine yards.

I've been thinking of setting up an internal site as a Trusted site (through
IE) and granting Trusted Sites full access. Or more specifically I could
create a new permission set that allows just the added permissions that I
need (Sockets, File IO).

Can you add a Trusted Site via a remote admin tool or script? Can you do
this with AD group policy? Even if you had to instruct the users to add a
trusted site or touch all the machines once, this would lay the groundwork
for any other app you push.

You'd need to create a deployment package for the policy and another to set
up a desktop shortcut for the users to launch the app.

Eric Cadwell

You can use the .NET Framework Configuration tool in Control Panel >
Administrative Tools to edit the security.config file