VisiBroker for .NET Developer’s Guide : Using VisiBroker for .NET with Partially Trusted Applications

Using VisiBroker for .NET with Partially Trusted Applications
Code access security (CAS) is a powerful feature that lets a system be configured to execute partially trusted code without prompting the user. This is, in fact, the default setting. At the same time, partially trusted code is only allowed to do things appropriate to its level of trust.
The level of trust applied to a body of code depends on the evidence presented to the security policy engine at run time. Evidence is provided at the granularity of an assembly, and there are many kinds of it. Some evidence is supplied by the hosting CLR environment, such as the source of the assembly and the 'Zone' that source belongs to (much like the Internet Explorer zones); some is supplied by the assembly itself, such as its public key token. Based on the evidence associated with an assembly, the policy engine assigns the assembly to code groups. Each code group has a membership condition (such as 'the assembly must come from the Intranet zone') and an associated set of permissions.
Read the following documents to get a basic familiarity with Partially Trusted Applications.
Using VisiBroker for .NET in Partially Trusted Environments
To use VisiBroker for .NET in partially trusted environments, install VisiBroker for .NET locally. Alternatively, configure your security policy so that the VisiBroker for .NET DLLs are granted full trust. This is necessary because VisiBroker for .NET uses other assemblies (such as Visual J#) that cannot be used directly by partially trusted assemblies (PTAs).
Note
To be used by partially trusted code, an assembly must have the AllowPartiallyTrustedCallersAttribute (APTCA) applied to it.
VisiBroker for .NET's public assemblies are marked with APTCA so that partially trusted callers can load them and call into them. VisiBroker for .NET itself, however, requires full trust to perform its functions.
Once VisiBroker for .NET is installed locally, partially trusted applications can load it and call methods on it. To communicate with remote servers through VisiBroker for .NET, however, the local security policy must be changed to grant the partially trusted assemblies the appropriate permissions.
For example, partially trusted assemblies do not have access to the network; specifically, they cannot open sockets to arbitrary servers. The only exception is for assemblies loaded from the 'LocalIntranet' zone: these may connect back to the site they came from using the protocol they were downloaded with (or a more secure one). In practice this means that an assembly downloaded over HTTP (the most common scenario) is allowed HTTP (or HTTPS) access back to the host it came from. Note that this is a WebPermission, not a SocketPermission.
When using VisiBroker for .NET, however, the assembly communicates using IIOP over TCP/UDP sockets, and the default security policy does not grant the PTA permission to use sockets. VisiBroker for .NET will NOT assert that permission on the PTA's behalf, because doing so would open a security hole: an Assert stops the permission stack walk at the asserting frame, so if VisiBroker for .NET asserted SocketPermission, any partially trusted application could reach the remote host through VisiBroker for .NET without restriction. That is not acceptable from a security perspective.
To enable VisiBroker for .NET clients to communicate remotely, make sure that such applications are granted socket permission. Which application (or PTA) may open sockets to which host is a matter of user requirements. Configure the code access security policy of the machine that runs the application so that the application is granted the appropriate permissions. The Microsoft security framework offers several membership conditions for this purpose (zone, site, URL, strong name, publisher, and hash), and you can use custom code groups to fine-tune the policy.
Permissions Required by VisiBroker for .NET
VisiBroker for .NET requires that partially trusted application code be granted the following permissions in order to execute correctly. The application may require other permissions depending on what it actually does; for example, it needs UI permission if it opens windows.
SecurityPermission.Execution: Not required by VisiBroker for .NET per se, but required by any partially trusted assembly in order to load and execute.
DnsPermission.Unrestricted: The ability to resolve DNS names. VisiBroker for .NET will not assert this permission; if it did, partially trusted code could use VisiBroker for .NET to probe for valid hosts. The PTA must therefore be granted DNS resolution itself.
SocketPermission: Code that uses VisiBroker for .NET invariably calls into remote servers, so the PTA needs permission to open sockets to (or, in the case of callbacks, accept connections from) the appropriate server host and port. VisiBroker for .NET will not assert this permission even for a connection back to the same host, because doing so would let arbitrary untrusted code connect back to its host. Note that the socket permission granted to the application must allow the client to connect to the remote server that the VisiBroker for .NET code is accessing, which is not necessarily the host that serves the application assemblies.
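The following is an added example, not code from this guide or from the VisiBroker for .NET product. It builds the permission set described above, has a partially trusted client demand it before touching the ORB (so a policy gap shows up as a clear SecurityException rather than a failure deep inside the ORB), and contrasts that with the Assert that VisiBroker for .NET deliberately does not perform. The host name corba.example.com, port 14000 and the ORB call itself are placeholders, not VisiBroker for .NET API. The simulated partially trusted caller is modelled with PermitOnly.

```csharp
// Added example; not code from the VisiBroker for .NET guide or product.
// corba.example.com:14000 and the ORB call are placeholders.
using System;
using System.Net;
using System.Security;
using System.Security.Permissions;

// Only meaningful on a strong-named assembly; required if partially trusted
// code is to call into this assembly at all.
[assembly: AllowPartiallyTrustedCallers]

public delegate void Connector(string orbHost, int orbPort);

public static class OrbPermissions
{
    // The grant a VisiBroker for .NET client needs: execute, resolve DNS, and
    // open TCP to the CORBA server (which need not be the server that served
    // the client assembly).
    public static PermissionSet Required(string orbHost, int orbPort)
    {
        PermissionSet ps = new PermissionSet(PermissionState.None);
        ps.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        ps.AddPermission(new DnsPermission(PermissionState.Unrestricted));
        ps.AddPermission(new SocketPermission(NetworkAccess.Connect, TransportType.Tcp, orbHost, orbPort));
        return ps;
    }

    // Correct: Demand lets the stack walk reach every caller. A PTA that was
    // not granted socket/DNS permission fails here with a SecurityException.
    public static void ConnectChecked(string orbHost, int orbPort)
    {
        Required(orbHost, orbPort).Demand();
        // orb.string_to_object(...) and the remote call would go here (placeholder).
    }

    // The hole the guide refuses to open: Assert satisfies the stack walk at
    // this frame, so any caller, however untrusted, reaches the host through
    // this helper.
    public static void ConnectAsserting(string orbHost, int orbPort)
    {
        Required(orbHost, orbPort).Assert();
        try { Required(orbHost, orbPort).Demand(); }
        finally { CodeAccessPermission.RevertAssert(); }
    }
}

public static class Demo
{
    // Simulates a client that the default policy granted only Execution: the
    // Internet and LocalIntranet grants contain no SocketPermission.
    public static bool ConnectsAsPartiallyTrusted(Connector connect)
    {
        PermissionSet pta = new PermissionSet(PermissionState.None);
        pta.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        pta.PermitOnly();   // from here down this frame grants nothing else
        try
        {
            connect("corba.example.com", 14000);
            return true;
        }
        catch (SecurityException) { return false; }
        finally { CodeAccessPermission.RevertPermitOnly(); }
    }

    public static void Main()
    {
        // On the .NET Framework, where CAS stack walks are enforced:
        // the Demand path is blocked, the Assert path is allowed.
        Console.WriteLine("Demand (correct): " +
            (ConnectsAsPartiallyTrusted(OrbPermissions.ConnectChecked) ? "allowed" : "blocked"));
        Console.WriteLine("Assert (hole):    " +
            (ConnectsAsPartiallyTrusted(OrbPermissions.ConnectAsserting) ? "allowed" : "blocked"));
    }
}
```

Run it as a full-trust console application on the .NET Framework: the Demand path is blocked for the simulated PTA while the Assert path lets it through, which is exactly why VisiBroker for .NET leaves the permission to be granted by policy rather than asserting it. On .NET Core and .NET 5 or later, Demand, Assert and PermitOnly are no-ops and both paths succeed.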
See the documentation for security policy configuration and the caspol.exe tool for details on how to configure security policy.
Usage in No Touch Deployment environments
Client machines are expected to be configured with security policies that grant partially trusted code (based on appropriate evidence, such as strong name, site, or URL) the permissions it needs to use VisiBroker for .NET. Once VisiBroker for .NET is installed and these security policies are in place, application code that uses VisiBroker for .NET can be deployed using No Touch Deployment techniques. If you choose not to install VisiBroker for .NET locally, you must grant the VisiBroker for .NET DLLs Full Trust for VisiBroker for .NET to function properly. Use a StrongName membership condition to grant the VisiBroker for .NET DLLs full trust unless another membership condition is more appropriate for your environment.
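The following is an added example, not code from this guide or from the VisiBroker for .NET product. It performs, through the System.Security.Policy API, the caspol work referred to above: a named permission set holding just the three permissions listed earlier, a URL code group that grants it to clients deployed by No Touch Deployment, and a strong-name code group that grants the VisiBroker for .NET DLLs FullTrust for the case where the product is not installed locally. The deployment URL http://apps.example.com/orbclient/, the CORBA server corba.example.com:14000, and the DLL path are assumptions; the path stands for any one of the strong-named VisiBroker for .NET assemblies, whose public key is read from the file rather than typed in.

```csharp
// Added example; not code from the VisiBroker for .NET guide or product.
// All URLs, hosts, ports and paths are assumptions for illustration.
using System;
using System.Collections;
using System.Net;
using System.Reflection;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

public static class VisiBrokerPolicy
{
    const string ClientUrl    = "http://apps.example.com/orbclient/*";     // assumed NTD site
    const string OrbHost      = "corba.example.com";                       // assumed CORBA server
    const int    OrbPort      = 14000;
    const string VbRuntimeDll = @"C:\VisiBroker.NET\bin\placeholder.dll";  // placeholder path

    // Equivalent of: caspol -m -addpset VisiBrokerClient.xml
    public static NamedPermissionSet ClientPermissionSet()
    {
        NamedPermissionSet ps = new NamedPermissionSet("VisiBrokerClient", PermissionState.None);
        ps.Description = "Execute, resolve DNS, and open TCP only to " + OrbHost + ":" + OrbPort;
        ps.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        ps.AddPermission(new DnsPermission(PermissionState.Unrestricted));
        // Connect only; add an Accept entry for the callback port if the client
        // hosts servants for callbacks.
        ps.AddPermission(new SocketPermission(NetworkAccess.Connect, TransportType.Tcp, OrbHost, OrbPort));
        return ps;
    }

    static PolicyLevel MachineLevel()
    {
        IEnumerator levels = SecurityManager.PolicyHierarchy();   // Enterprise, Machine, User
        while (levels.MoveNext())
        {
            PolicyLevel level = (PolicyLevel)levels.Current;
            if (level.Label == "Machine") return level;
        }
        throw new InvalidOperationException("Machine policy level not found");
    }

    public static void Apply()
    {
        PolicyLevel machine = MachineLevel();
        NamedPermissionSet clientSet = ClientPermissionSet();
        machine.AddNamedPermissionSet(clientSet);

        // caspol -m -addgroup 1 -url http://apps.example.com/orbclient/* VisiBrokerClient
        UnionCodeGroup clients = new UnionCodeGroup(
            new UrlMembershipCondition(ClientUrl), new PolicyStatement(clientSet));
        clients.Name = "VisiBroker_Clients";

        // caspol -m -addgroup 1 -strong -file <dll> -noname -noversion FullTrust
        // Key read from the DLL; null name and version match any assembly
        // signed with that key, i.e. every VisiBroker for .NET DLL.
        byte[] publicKey = AssemblyName.GetAssemblyName(VbRuntimeDll).GetPublicKey();
        if (publicKey == null || publicKey.Length == 0)
            throw new InvalidOperationException(VbRuntimeDll + " is not strong-named");
        UnionCodeGroup vbDlls = new UnionCodeGroup(
            new StrongNameMembershipCondition(new StrongNamePublicKeyBlob(publicKey), null, null),
            new PolicyStatement(machine.GetNamedPermissionSet("FullTrust")));
        vbDlls.Name = "VisiBroker_FullTrust";

        CodeGroup root = machine.RootCodeGroup;   // All_Code, label "1" in caspol
        root.AddChild(clients);
        root.AddChild(vbDlls);
        machine.RootCodeGroup = root;
        SecurityManager.SavePolicy();             // writes security.config; needs administrator rights
    }

    public static void Main()
    {
        Apply();
        Console.WriteLine("Machine policy updated; verify with: caspol -m -listgroups");
    }
}
```

Two points worth checking after running it: the socket endpoint in the permission set is the CORBA server, not the web server the client assemblies came from, and the strong-name group grants FullTrust to anything signed with that key, so it should be the vendor's key and nothing broader. These policy APIs belong to the .NET Framework 1.x to 3.5 CAS model this guide targets; .NET Framework 4 disables CAS policy by default and marks them obsolete, and .NET Core and later do not support them.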