.Net Object tag that loads additional DLLs

0

Okay, so I have a project to create a .Net control that interacts with a clients barcode scanner via a COM object from an web page (only IE is required). To do this, we have utilized a .Net Windows Form Control Library DLL which is loaded using an Object tag:

<object id="scannerCont" classid="http:ControlAssembly.dll#Controls.MyControl"/>

So far, I've gotten the .Net control to render in the web page, but now I'm having trouble because I cannot get the control to gain access to an additional DLL. Basically, the control calls an unmanaged DLL which provides COM interop access to the scanner unit. When I load the page without trying to access the DLL it loads just fine, but when I then try to reference it I receive FusionBindErrors in the temporary internet files folder.

The error is as follows:

*****   IEHOST Error Log (Friday, 12 October 2012 09:27)    *****



URL:        http://scanner:8014/scanner/ControlAssembly.dll
Zone:       2
Assembly Name:  ControlAssembly.dll
Type Name:  Controls.MyControl



----- Thrown Exception -----


System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.IO.FileLoadException: Could not load file or assembly 'ActiveScanner, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies. Failed to grant minimum permission requests. (Exception from HRESULT: 0x80131417)
File name: 'ActiveScanner, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null' ---> System.Security.Policy.PolicyException: Required permissions cannot be acquired.
   at System.Security.SecurityManager.ResolvePolicy(Evidence evidence, PermissionSet reqdPset, PermissionSet optPset, PermissionSet denyPset, PermissionSet& denied, Boolean checkExecutionPermission)
   at System.Security.SecurityManager.ResolvePolicy(Evidence evidence, PermissionSet reqdPset, PermissionSet optPset, PermissionSet denyPset, PermissionSet& denied, Int32& securitySpecialFlags, Boolean checkExecutionPermission)
   at Controls.MyControl..ctor()
   --- End of inner exception stack trace ---
   at System.RuntimeTypeHandle.CreateInstance(RuntimeType type, Boolean publicOnly, Boolean noCheck, Boolean& canBeCached, RuntimeMethodHandle& ctor, Boolean& bNeedSecurityCheck)
   at System.RuntimeType.CreateInstanceSlow(Boolean publicOnly, Boolean fillCache)
   at System.RuntimeType.CreateInstanceImpl(Boolean publicOnly, Boolean skipVisibilityChecks, Boolean fillCache)
   at System.Activator.CreateInstance(Type type, Boolean nonPublic)
   at System.RuntimeType.CreateInstanceImpl(BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
   at System.Activator.CreateInstance(Type type, BindingFlags bindingAttr, Binder binder, Object[] args, CultureInfo culture, Object[] activationAttributes)
   at System.Activator.CreateComInstanceFrom(String assemblyName, String typeName, Byte[] hashValue, AssemblyHashAlgorithm hashAlgorithm)
   at System.AppDomain.CreateComInstanceFrom(String assemblyFile, String typeName, Byte[] hashValue, AssemblyHashAlgorithm hashAlgorithm)
   at System.AppDomain.CreateComInstanceFrom(String assemblyFile, String typeName, Byte[] hashValue, AssemblyHashAlgorithm hashAlgorithm)
   at Microsoft.IE.SecureFactory.CreateInstanceWithSecurity2(Int32 dwFlags, Int32 dwZone, String wszSite, String wszId, String wszConfig, String wszLicenses, String wszDeploymentManifest)

Now, as I am understanding the error it is due to a permissions issue. Before you guys respond saying to add the web page to the trusted sites list this is not an option. This is a customer facing component and at most we are only able to submit them to receiving a security warning message that they can click on to allow the control elevated permissions.

I've been trying to find the resolution to this, but it doesn't appear that this is a widely adopted practice and as such there is very little documentation as to how to alleviate this error.

I would like to note though that if I remove the extraneous DLL from the web site folder that the control is loaded from I then receive a File Not Found FusionBindError, meaning that the system should be able to load this extraneous DLL once I resolve this permissions issue...

Anyone have experience granting this permission? Again, we are fine with the end user getting a popup from .Net asking their permission to grant this privilege, but we cannot ask our end user to add our site to the trusted zone.

I'm wondering if I can just add some information to the object tag to say that it also requires this other DLL?

c#
.net
internet-explorer
com
object-tag
asked on Stack Overflow Oct 12, 2012 by Robert Petz

1 Answer

1

.NET controls hosted in IE run in a "sandbox" that has restricted permissions, as you've seen. With .NET 2.0 / 3.0 / 3.5, the only way to adjust the permissions is to modify the Code Access Security (CAS) Policy on the client computer. I can't tell from the error message the specific permissions needed, but I am guessing that ActiveScanner.dll is demanding "FullTrust" (since it has to Interop with COM) -- and there is no Zone in Internet Explorer that grants full trust by default.

With .NET 4.0+, the sandboxing model has changed (it uses attributes in the code -- SecurityCrtical, SecurityTransparent, etc.); I haven't worked with .NET 4.0, but again I don't think Internet Explorer would grant "full trust" to your control.

To summarize: I am not aware of anything you can do on the web page / object-tag to request additional permissions. IE simply will not grant full trust permissions without modifying something on the client PC.

answered on Stack Overflow Dec 7, 2012 by z9_x

User contributions licensed under CC BY-SA 3.0