SecurityException during deserialization
Hello everyone,

I get SecurityExceptions during deserialization of marshal-by-value objects
if such an object has a static field initialized with
Environment.MachineName.
The same code works if the static field is not initialized, or the
initialization is delayed until after the deserialization, or the server
creates such an object before the first request.
The client and server .exe's are running on the same machine under the
administrators account, and no code access security restrictions have been
applied.

Does anybody know which (CAS) limitations apply during deserialization and
how these can be removed, or how the static initialization of classes can be
run under the security context of the server?

Thanks for any hint!

Chris

#### Sample Code to reproduce behaviour ####

using System;
using System.Runtime.Remoting;
using System.Runtime.Remoting.Channels;
using System.Runtime.Remoting.Channels.Http;

namespace RemotingSecurity
{
    class Application
    {
        [MTAThread]
        static void Main(string[] args)
        {
            // Any command-line argument selects client mode; the argument is the message sent to the server.
            bool bClient = args.Length > 0;
            Console.WriteLine("Running as {0}", bClient ? "client" : "server");
            if (bClient)
            {
                RunAsClient(args[0]);
            }
            else
            {
                RunAsServer();
            }
            Console.WriteLine("Terminated");
        }

        static void RunAsClient(string strMessage)
        {
            // Init Remoting (port 0: let the runtime pick a free port for the client channel)
            HttpChannel channel = new HttpChannel(0);
            ChannelServices.RegisterChannel(channel);
            RemotingConfiguration.RegisterWellKnownClientType(typeof(Server),
                "http://localhost:8080/Service");

            // Get Server (this "new" returns a transparent proxy to the well-known object)
            Server srv = new Server();

            // Test 1: marshal-by-value object without a static initializer
            Test1 obj1 = new Test1(strMessage);
            string strResult1 = srv.Process(obj1);
            Console.WriteLine("Test1: Server returned '{0}'", strResult1);

            // Test 2: same, but the class has a static field initialized from Environment.MachineName
            Test2 obj2 = new Test2(strMessage);
            string strResult2 = srv.Process(obj2);
            Console.WriteLine("Test2: Server returned '{0}'", strResult2);
        }

        static void RunAsServer()
        {
            // Init Remoting
            HttpChannel channel = new HttpChannel(8080);
            ChannelServices.RegisterChannel(channel);
            WellKnownServiceTypeEntry service = new
                WellKnownServiceTypeEntry(typeof(Server), "Service",
                WellKnownObjectMode.SingleCall);
            RemotingConfiguration.RegisterWellKnownServiceType(service);

            // Wait
            Console.ReadLine();
        }
    }

    // Marshal-by-reference server object; its arguments are deserialized by the server-side SOAP formatter sink
    public class Server : MarshalByRefObject
    {
        public string Process(Object obj)
        {
            Console.WriteLine("Process called with '{0}'", obj);
            return obj.ToString();
        }
    }

    [Serializable]
    public class Test1
    {
        public readonly string Message;

        public Test1(string message)
        {
            this.Message = message;
        }

        public override string ToString()
        {
            return string.Format("{0} ({1})", this.Message, base.ToString());
        }
    }

    [Serializable]
    public class Test2 : Test1
    {
        // The type initializer (.cctor) runs on first use of the type, i.e. while the
        // formatter is creating the uninitialized instance on the server.
        public static readonly string MachineName = Environment.MachineName;

        public Test2(string message) : base(message) { }

        public override string ToString()
        {
            return string.Format("{0} from {1}", base.ToString(), MachineName);
        }
    }
}

### Exception details ###

Unhandled Exception: System.TypeInitializationException: The type initializer for "RemotingSecurity.Test2" threw an exception.
---> System.Security.SecurityException: Request for the permission of type System.Security.Permissions.EnvironmentPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089 failed.
   at System.Security.SecurityRuntime.FrameDescHelper(FrameSecurityDescriptor secDesc, IPermission demand, PermissionToken permToken)
   at System.Security.CodeAccessSecurityEngine.Check(PermissionToken permToken, CodeAccessPermission demand, StackCrawlMark& stackMark, Int32 checkFrames, Int32 unrestrictedOverride)
   at System.Security.CodeAccessSecurityEngine.Check(CodeAccessPermission cap, StackCrawlMark& stackMark)
   at System.Security.CodeAccessPermission.Demand()
   at System.Environment.get_MachineName()
   at RemotingSecurity.Test2..cctor()

The state of the failed permission was:
<IPermission class="System.Security.Permissions.EnvironmentPermission, mscorlib, Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
             version="1"
             Unrestricted="true"/>

--- End of inner exception stack trace ---

Server stack trace:
   at System.Runtime.Serialization.FormatterServices.nativeGetSafeUninitializedObject(RuntimeType type)
   at System.Runtime.Serialization.FormatterServices.GetSafeUninitializedObject(Type type)
   at System.Runtime.Serialization.Formatters.Soap.ObjectReader.ParseObject(ParseRecord pr)
   at System.Runtime.Serialization.Formatters.Soap.ObjectReader.Parse(ParseRecord pr)
   at System.Runtime.Serialization.Formatters.Soap.SoapHandler.StartChildren()
   at System.Runtime.Serialization.Formatters.Soap.SoapParser.ParseXml()
   at System.Runtime.Serialization.Formatters.Soap.SoapParser.Run()
   at System.Runtime.Serialization.Formatters.Soap.ObjectReader.Deserialize(HeaderHandler handler, ISerParser serParser)
   at System.Runtime.Serialization.Formatters.Soap.SoapFormatter.Deserialize(Stream serializationStream, HeaderHandler handler)
   at System.Runtime.Remoting.Channels.CoreChannel.DeserializeSoapRequestMessage(Stream inputStream, Header[] h, Boolean bStrictBinding, TypeFilterLevel securityLevel)
   at System.Runtime.Remoting.Channels.SoapServerFormatterSink.ProcessMessage(IServerChannelSinkStack sinkStack, IMessage requestMsg, ITransportHeaders requestHeaders, Stream requestStream, IMessage& responseMsg, ITransportHeaders& responseHeaders, Stream& responseStream)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at RemotingSecurity.Server.Process(Object obj)
   at RemotingSecurity.Application.RunAsClient(String strMessage)
   at RemotingSecurity.Application.Main(String[] args)