Use MSI Files to Increase Permissions
Execute code at FullTrust and award permissions for your Web-deployed WinForms apps.
by Chris Sells
VSLive! Orlando, September 18, 2002
Note: Chris Sells presented "WinForms Over the Web" at C# Live! Orlando, Tuesday, September 17. This tip is from that session.
Right after everyone gets the demo that shows them how to launch a WinForms application from a Web server using a URL, they always ask what permissions the code has. When I tell them "very few," they say "great," relieved that .NET hasn't become the world's best virus construction kit. Then they ask me how they can award additional permissions to their assemblies.
Awarding Permissions
The basic tool for awarding permissions is the Microsoft .NET Framework Configuration, available from the Start menu's Administrative Tools section. Of course, as facile as you might become with this tool, you don't want to wander to each of your clients' machines to create the necessary code groups and permission sets that they need to run your code, especially if that code is to be deployed across the Internet. Luckily, .NET provides classes to create code groups and permission sets. For example, check out the code used to create a custom code group to award all assemblies from www.sellsbrothers.com Internet permissions (see Listing 1).
Start by using the SecurityManager to find the top of the Machine runtime policy hierarchy, where you'll add new code groups. Then grab the Internet NamedPermissionSet and join it with a SiteMembershipCondition to produce the new code group, which you then name something that'll make sense in the administration tools and add to the root code group along with all the existing code groups. To commit the changes to the Machine runtime security policy, ask the SecurityManager to save.
Deploying Permissions
Of course, now you've got managed code that needs to run on the machine with FullTrust, otherwise it won't be able to modify the permission policy. The easiest way to package up managed code for execution on the client machine with FullTrust is using an installer package (MSI) file. MSI files are executed by a runtime engine that will download the code to the machine before running it, thereby giving you the permissions you need to award other permissions.
There are many tools for building MSI files, but the one most readily available comes with advanced versions of VS.NET. The trick is to convince a setup project to execute your code during installation. Assuming you've got a VS.NET solution with a setup project and a class library project, you have only two major tasks left to do this convincing.
The first task is to add a class to your class library project that derives from System.Configuration.Install.Installer and is tagged with the RunInstaller(true) attribute. An instance of any such class will be created by the MSI engine during setup, so that's where you put your custom code. The easiest way to get such a class is to right-click on your class library project in the Solution Explorer and choose Add New Item | Code | Installer Class. It will create a place for your permission award code in the constructor:
[RunInstaller(true)]
public class Installer1 :
System.Configuration.Install.Installer {
public Installer1() {
...
// TODO: Add your permission award code here
}
}
Your second task is to add this assembly to the list of custom actions that your setup will perform during installation. To do that, right-click on your setup project in the Solution Explorer and choose View | Custom Actions. This will show you a list of the custom actions at each phase of the setup.
To add a custom action to the install phase, right-click on the Install custom action list and choose Add Custom Action, which will show you the list of folders to place your custom action code into.
Double-click on the Application Folder and select Add Output to choose the output from one of the other projects in the solution. Make sure the class library project with your installer class is selected at the top, and choose Primary Output.
These settings will cause the installer classes in your class library assembly to be created during the Install phase of your MSI setup. Now, when you build and execute the MSI file produced by the setup project, your code will execute at FullTrust and can award permissions for your assemblies.
About the Author
Chris Sells in an independent consultant specializing in distributed applications in .NET and COM, as well as an Instructor for DevelopMentor. He's written several books, including ATL Internals, which is in the process of being updated for ATL7 as you read this. He's also working on Essential Windows Forms for Addison-Wesley and Mastering Visual Studio .NET for O'Reilly. In his free time, Chris directs the Genghis source-available project. More information about Chris, and his various projects, is available at http://www.sellsbrothers.com.
Back to top
|
