Comments on System.What?: Creating a Custom CAS Policy File For SharePoint

After apply my custom Code policy file my applicat...

2012-01-28T01:42:51.699-08:00

After apply my custom Code policy file my application comes with error.

Resource not found 404
/default.aspx

but with GAC deployment its working fine.

Add even a UrlMemberShipCondition which should sol...

2010-02-17T07:22:10.754-08:00

Add even a UrlMemberShipCondition which should solve your issue.

Try moving the Page.LoadControl method to OnInit m...

2009-09-16T19:04:37.511-07:00

Try moving the Page.LoadControl method to OnInit method instead of in the CreateControls. I was getting the exact same error that control could not be found.

I saw the article about changing the CAS permission but there are long term issues with that as Chris correctly pointed out.

OK! So I followed your example but inside the root...

2009-08-25T12:12:35.618-07:00

OK! So I followed your example but inside the root web.config as opposed to just Sharepoint but now I get:

Parser Error Message: An error occurred loading a configuration file: Request for the permission of type 'System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed. (machine.config)

Source Error:

[No relevant source lines]

Source File: machine.config Line: 161

Line 161 in my machine.config is my custom MembershipProvider:

add name="NetPerfectMembershipProvider"
type="NetPerfect.MembershipProvider,NetPerfect,version=3.5.0.0,Culture=neutral,PublicKeyToken=9a65a3585a4c74a6"......

If I dont add it as an IMembershipCondition, then it works fine, but I need to add another functional part that requires reading the siteid from the applicationhosts.config file that will require fulltrust!

Any ideas why would be much appreciated :s

Tyler, Regarding your first option listed in your...

2009-08-17T07:19:43.831-07:00

Tyler,

Regarding your first option listed in your comment above, Creating a custom CAS Policy:

This is what we've been trying to accomplish, but as it turns out, is not completely possible to define in the solution manifest. The LoadControl() method requires that the PermissionSet node in CAS has Unrestricted="true", which is not valid when placed inside the manifest.xml file of the solution. You have to manually add this attribute into the .config file on the server in order to accomplish this. It's rather bothersome - I hope this can be fixed with the next update of .Net Framework.

I believe this is happening because the assembly i...

2009-08-14T13:50:29.045-07:00

I believe this is happening because the assembly is not running in full trust and does not have the required permissions to reflect on some other control/assembly.

To remedy this you should consider either:
1) Creating a custom CAS policy for your application granting your assembly full trust.
2) GACing the assembly that does the reflecting.
3) Raise the trust level of the application (I'd recommend against this).

A table listed in the following post shows that neither WSS_Minimal of WSS_Medium grant the necessary trust level to reflect on other assemblies.

http://blog.tylerholmes.com/2008/10/don-set-your-sharepoint-app-to-full.html

Let me know if I'm missing something.

Best,
Tyler

Yes it turns out my solution above is not entirely...

2009-08-14T06:57:48.833-07:00

Yes it turns out my solution above is not entirely correct. Apparently there is an issue with using LoadControl -- it requires that the PermissionSet tag contains Unrestricted="true", which _cannot_ be set in the solution manifest (stsadm throws error about invalid Unrestricted attribute). Read through some of the comments here:

http://www.dotnetmonster.com/Uwe/Forum.aspx/dotnet-security/2519/SecurityException-Request-failed-in-LoadControl

One solution is to manually modify the customtrust.config file which is used, and add the Unrestricted="true", however whenever the solution is updated, this is removed again. I have not yet found another solution.

Thanks for the reply Chris. but I am trying to lo...

2009-08-11T10:13:52.459-07:00

Thanks for the reply Chris.

but I am trying to load a specific user control. If you use the code snippet,

Page.LoadControl(typeof(MyControl), null);

or

MyControl myctl = new MyControl();
Page.Controls.Add(myctl);

How am I going to load the specific control that I want to load?

Seung-Rak I was getting a very similar error (not...

2009-08-11T09:45:39.096-07:00

Seung-Rak

I was getting a very similar error (not sure if it was the same, as it states Request Failed on that same method, but does not specify Security Exception (could not get this info anywhere).

The line of code which was causing this issue for me was

Page.LoadControl("~/controltemplates/mystuff/mycontrol.ascx");

I modified this to

Page.LoadControl(typeof(MyControl), null);

or

MyControl myctl = new MyControl();
Page.Controls.Add(myctl);

And was able to get passed that issue.

Hey Sung-Rak, There's not a tonne of informati...

2009-06-09T22:11:29.886-07:00

Hey Sung-Rak,
There's not a tonne of information in that stack trace, do you what it's trying to construct?

I'm not even positive this is a code access security exception, usually they look something like:

Request for the permission of type
Microsoft.SharePoint.Security.SharePointPermission,
Microsoft.SharePoint.Security, Version=11.0.0.0, Culture=neutral,
PublicKeyToken=71e9bce111e9429c failed.

I would consider slowly deconstructing your page to try and isolate the code/component that is generating this exception.

Hope that helps.

Best,
Tyler

Thanks for your prompt response, Tyler. I will be...

2009-06-09T13:04:23.508-07:00

Thanks for your prompt response, Tyler. I will be looking at the code, but in the meantime, please see if it is really the code that is generating this problem.

[SecurityException: Request failed.]
System.RuntimeTypeHandle.CreateInstance(RuntimeType type, Boolean publicOnly, Boolean noCheck, Boolean& canBeCached, RuntimeMethodHandle& ctor, Boolean& bNeedSecurityCheck) +0
System.RuntimeType.CreateInstanceSlow(Boolean publicOnly, Boolean fillCache) +86
System.RuntimeType.CreateInstanceImpl(Boolean publicOnly, Boolean skipVisibilityChecks, Boolean fillCache) +230
System.Activator.CreateInstance(Type type, Boolean nonPublic) +67
System.RuntimeType.CreateInstanceImpl(BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes) +1051
System.Activator.CreateInstance(Type type, BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes) +111
System.Web.Configuration.PagesSection.CreateControlTypeFilter() +8704955
System.Web.UI.PageParserFilter.Create(PagesSection pagesConfig, VirtualPath virtualPath, TemplateParser parser) +13
System.Web.UI.TemplateParser.ProcessConfigSettings() +224
System.Web.UI.TemplateControlParser.ProcessConfigSettings() +13
System.Web.UI.UserControlParser.ProcessConfigSettings() +12
System.Web.UI.TemplateParser.PrepareParse() +141
System.Web.UI.TemplateParser.Parse() +167
System.Web.UI.TemplateParser.Parse(ICollection referencedAssemblies, VirtualPath virtualPath) +34
System.Web.Compilation.BaseTemplateBuildProvider.get_CodeCompilerType() +85
System.Web.Compilation.BuildProvider.GetCompilerTypeFromBuildProvider(BuildProvider buildProvider) +62
System.Web.Compilation.BuildProvidersCompiler.ProcessBuildProviders() +199
System.Web.Compilation.BuildProvidersCompiler.PerformBuild() +42
System.Web.Compilation.BuildManager.CompileWebFile(VirtualPath virtualPath) +8732923
System.Web.Compilation.BuildManager.GetVPathBuildResultInternal(VirtualPath virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile) +261
System.Web.Compilation.BuildManager.GetVPathBuildResultWithNoAssert(HttpContext context, VirtualPath virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile) +101
System.Web.Compilation.BuildManager.GetVPathBuildResult(HttpContext context, VirtualPath virtualPath, Boolean noBuild, Boolean allowCrossApp, Boolean allowBuildInPrecompile) +83
System.Web.UI.TemplateControl.LoadControl(VirtualPath virtualPath) +48
System.Web.UI.TemplateControl.LoadControl(String virtualPath) +26
SharePointHQ.WebPart.AudienceMaster.AudienceMasterWebPart.CreateChildControls() +80
System.Web.UI.Control.EnsureChildControls() +87
System.Web.UI.Control.PreRenderRecursiveInternal() +44
System.Web.UI.WebControls.WebParts.WebPart.PreRenderRecursiveInternal() +42
System.Web.UI.Control.PreRenderRecursiveInternal() +171
System.Web.UI.Control.PreRenderRecursiveInternal() +171
System.Web.UI.Control.PreRenderRecursiveInternal() +171
System.Web.UI.Control.PreRenderRecursiveInternal() +171
System.Web.UI.Control.PreRenderRecursiveInternal() +171
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +6785
System.Web.UI.Page.ProcessRequest(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +242
System.Web.UI.Page.ProcessRequest() +80
System.Web.UI.Page.ProcessRequestWithNoAssert(HttpContext context) +21
System.Web.UI.Page.ProcessRequest(HttpContext context) +49
ASP.DEFAULT_ASPX__82859748.ProcessRequest(HttpContext context) +4
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +181
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75

Hey Sung-Rak, It's very likely that your cust...

2009-06-09T12:56:12.907-07:00

Hey Sung-Rak,

It's very likely that your custom CAS policy is working correctly...it's just that there's other code that is throwing a CAS exception. This information would be in the stack trace.

I would suggest running your code in a blank site collection if you wanted to test your own CAS policy.
OR
Stare intently at the stack trace and try to discern what code is throwing the exception. If you can find out which assembly is responsible for the CAS exception then you can have it run in full trust by modifying your custom CAS policy.

You can extract public keys from signed assemblies for which you don't have the .snk by running sn -Tp [assemblyname].

Hope that helps.

My Best,
Tyler

Hi Tyler, After I followed the same steps describ...

2009-06-09T09:27:58.656-07:00

Hi Tyler,

After I followed the same steps described, that is, as soon as I replaced "Full" with "WSS_Custom", I complete lost access to the portal with this error below:

Server Error in '/' Application.
--------------------------------------------------------------------------------

Security Exception
Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.

Exception Details: System.Security.SecurityException: Request failed.

Source Error:

The source code that generated this unhandled exception can only be shown when compiled in debug mode. To enable this, please follow one of the below steps, then request the URL:

1. Add a "Debug=true" directive at the top of the file that generated the error.

or:

2) Add the following section to the configuration file of your application:

Note that this second technique will cause all files within a given application to be compiled in debug mode. The first technique will cause only that particular file to be compiled in debug mode.

Important: Running applications in debug mode does incur a memory/performance overhead. You should make sure that an application has debugging disabled before deploying into production scenario.

(i excluded stack trace because it exceeded the number of characters allowed)

Is there any other step or configuration that must have been arranged? Any opinion would be appreciated.

Thanks.

You're right Malcolm, your assemblies are indeed r...

2008-12-18T23:03:00.000-08:00

You're right Malcolm, your assemblies are indeed running in full trust. The problem is your web application isn't (it's probably still in WSS_Minimal/WSS_Medium).

When code that isn't running in full trust makes calls to code that IS running in full trust there's a risk that the calling code is luring the called assembly in to doing something malicious on it's behalf.

If you're sure this isn't a risk, then you can put the AllowPartiallyTrustedCallers attribute on your assembly.

There's more info on APTCA here (http://blogs.msdn.com/shawnfa/archive/2005/02/04/367390.aspx)

Best,
Tyler

Hi Tyler

Great article, thanks!

I se...

2008-12-18T19:15:00.000-08:00

Hi Tyler

Great article, thanks!

I seem to keep running into the issue of safe controls when I sign my assembly. I had an unsigned web part, deploying to the bin directory and it worked fine. I had need to use LINQ in the web part and trust was set to full. I followed the steps in your article to get away from having trust set to full - it all seemed to make sense and I got everything done. Now, when I try and place the web part on the page I get a messagebox saying that assemblies that implement ASP.Net web parts and are installed in a partially trusted location such as the bin directory must be compiled with AllowPartiallyTrustedCallersAttribute set for import to succeed.

Does this make sense? I thought this assembly was now trusted as a result of the changes made to the CAS config. Any thoughts?

Thanks

Malcolm

great post! Thanks

2008-12-08T05:12:00.000-08:00

great post! Thanks

Comments on System.What?: Creating a Custom CAS Policy File For SharePoint

After apply my custom Code policy file my applicat...

Other people have left various solutions to this p...

Add even a UrlMemberShipCondition which should sol...

Try moving the Page.LoadControl method to OnInit m...

OK! So I followed your example but inside the root...

Tyler, Regarding your first option listed in your...

I believe this is happening because the assembly i...

Yes it turns out my solution above is not entirely...

Thanks for the reply Chris. but I am trying to lo...

Seung-Rak I was getting a very similar error (not...

Hey Sung-Rak, There's not a tonne of informati...

Thanks for your prompt response, Tyler. I will be...

Hey Sung-Rak, It's very likely that your cust...

Hi Tyler, After I followed the same steps describ...

You're right Malcolm, your assemblies are indeed r...

Hi TylerGreat article, thanks!I se...

great post! Thanks

Hi Tyler

Great article, thanks!

I se...