"Nicole Calinoiu" <nicolec@somewhere.net> wrote in message
news:#PSpQHhiEHA.4056@TK2MSFTNGP09.phx.gbl...
> UrlMembershipCondition, which is the class responsible for testing whether
> evidence matches a code group URL condition, does not account for the
> multiple URLs that could be used to reach the same site. My guess would
be
> that while you were working offline, you used the various localhost,
machine
> name, and 127.0.0.1 addresses in such a way as to make some of the
controls
> source from each one. As for needing the two root/* and root/virtdir1/*
> forms, I wonder if you really need all 6 or just the 3 root variants of
the
> more suitable of the two.
>
> Either way, instead of spending time worrying about a purely dev-time
> configuration problem that you've already solved, perhaps it might be more
> worthwhile to spend some time figuring out how to get the controls to run
> without full trust...
>
>
> "Sankar Nemani" <snemani@nospamlumedx.com> wrote in message
> news:ux7TKqfiEHA.1356@TK2MSFTNGP09.phx.gbl...
> > Hi
> > We have two virtual directories in which our .NET controls reside. We
> > host these controls in IE. These controls need full trust permission
set.
> > We
> > tried to create a codegroup that has a URL condition http://localhost/*
> > and
> > gave full trust permission and tested by opening IE on the same machine
as
> > the server (that is why localhost should have been OK). Some parts of
the
> > controls worked but we got SecurityExceptions for others. We kept
getting
> > SecurityExceptions in one part or the other until we created 6 code
groups
> > with URL conditions
> > http://localhost/*
> > http://MACHINENAME/*
> > http://127.0.0.1/*
> > http://localhost/VirtDir1/*
> > http://MACHINENAME/VirtDir1/*
> > http://127.0.0.1/VirtDir1/*
> > and gave full trust for all these code groups. The computer is not on
any
> > network. When it was hooked up to the a network, we didn't need all 6
code
> > groups. It seems like the code access security mechanism is not able to
> > figure out localhost,MACHINENAME and 127.0.0.1 as the same URL.
> > I would like to understand how .NET applies these permissions and if
there
> > are any resources that discuss these things in detail.
> > TIA
> > Sankar Nemani
> >
> >
> >
>
>

"Sankar Nemani" <snemani@nospamlumedx.com> wrote in message
news:ux7TKqfiEHA.1356@TK2MSFTNGP09.phx.gbl...
> Hi
> We have two virtual directories in which our .NET controls reside. We
> host these controls in IE. These controls need full trust permission set.
> We
> tried to create a codegroup that has a URL condition http://localhost/*
> and
> gave full trust permission and tested by opening IE on the same machine as
> the server (that is why localhost should have been OK). Some parts of the
> controls worked but we got SecurityExceptions for others. We kept getting
> SecurityExceptions in one part or the other until we created 6 code groups
> with URL conditions
> http://localhost/*
> http://MACHINENAME/*
> http://127.0.0.1/*
> http://localhost/VirtDir1/*
> http://MACHINENAME/VirtDir1/*
> http://127.0.0.1/VirtDir1/*
> and gave full trust for all these code groups. The computer is not on any
> network. When it was hooked up to the a network, we didn't need all 6 code
> groups. It seems like the code access security mechanism is not able to
> figure out localhost,MACHINENAME and 127.0.0.1 as the same URL.
> I would like to understand how .NET applies these permissions and if there
> are any resources that discuss these things in detail.
> TIA
> Sankar Nemani
>
>
>

>From: "Sankar Nemani" <snemani@nospamlumedx.com>
>References: <ux7TKqfiEHA.1356@TK2MSFTNGP09.phx.gbl> <#PSpQHhiEHA.4056@TK2MSFTNGP09.phx.gbl>
>Subject: Re: code access security with URL condition
>Date: Tue, 24 Aug 2004 13:08:55 -0700
>Lines: 66
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.3790.181
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.181
>Message-ID: <#HERuZhiEHA.3608@TK2MSFTNGP09.phx.gbl>
>Newsgroups: microsoft.public.dotnet.security
>NNTP-Posting-Host: 63.80.71.253
>Path: cpmsftngxa10.phx.gbl!TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09.phx.gbl
>Xref: cpmsftngxa10.phx.gbl microsoft.public.dotnet.security:7219
>X-Tomcat-NG: microsoft.public.dotnet.security
>
>So is there a place that discusses how the .NET framework finds the code
>group when more than one code group exist?
>
>"Nicole Calinoiu" <nicolec@somewhere.net> wrote in message
>news:#PSpQHhiEHA.4056@TK2MSFTNGP09.phx.gbl...
>> UrlMembershipCondition, which is the class responsible for testing whether
>> evidence matches a code group URL condition, does not account for the
>> multiple URLs that could be used to reach the same site. My guess would
>be
>> that while you were working offline, you used the various localhost,
>machine
>> name, and 127.0.0.1 addresses in such a way as to make some of the
>controls
>> source from each one. As for needing the two root/* and root/virtdir1/*
>> forms, I wonder if you really need all 6 or just the 3 root variants of
>the
>> more suitable of the two.
>>
>> Either way, instead of spending time worrying about a purely dev-time
>> configuration problem that you've already solved, perhaps it might be more
>> worthwhile to spend some time figuring out how to get the controls to run
>> without full trust...
>>
>>
>> "Sankar Nemani" <snemani@nospamlumedx.com> wrote in message
>> news:ux7TKqfiEHA.1356@TK2MSFTNGP09.phx.gbl...
>> > Hi
>> > We have two virtual directories in which our .NET controls reside. We
>> > host these controls in IE. These controls need full trust permission
>set.
>> > We
>> > tried to create a codegroup that has a URL condition http://localhost/*
>> > and
>> > gave full trust permission and tested by opening IE on the same machine
>as
>> > the server (that is why localhost should have been OK). Some parts of
>the
>> > controls worked but we got SecurityExceptions for others. We kept
>getting
>> > SecurityExceptions in one part or the other until we created 6 code
>groups
>> > with URL conditions
>> > http://localhost/*
>> > http://MACHINENAME/*
>> > http://127.0.0.1/*
>> > http://localhost/VirtDir1/*
>> > http://MACHINENAME/VirtDir1/*
>> > http://127.0.0.1/VirtDir1/*
>> > and gave full trust for all these code groups. The computer is not on
>any
>> > network. When it was hooked up to the a network, we didn't need all 6
>code
>> > groups. It seems like the code access security mechanism is not able to
>> > figure out localhost,MACHINENAME and 127.0.0.1 as the same URL.
>> > I would like to understand how .NET applies these permissions and if
>there
>> > are any resources that discuss these things in detail.
>> > TIA
>> > Sankar Nemani
>> >
>> >
>> >
>>
>>
>
>
>

""Shawn Farkas"" <shawnfa@online.microsoft.com> wrote in message
news:9lhy9ciiEHA.2200@cpmsftngxa10.phx.gbl...
> You can find lots of this information on our MSDN site, for a good intro
look at the Security Policy topic of the following article:
>
http://msdn.microsoft.com/library/en-us/dnnetsec/html/netframesecover.asp?frame=true#netframesecover_topic7
>
> Basically how it works is that on each policy level is a tree of code
groups. Each code group has a membership condition, a permission set,
> some child code groups, and a way to combine multiple sets. Starting from
the root code group, the policy evaluation checks the membership
> condition of the code group that is currently being evaluated. If the
evidence of the assembly being evaluated matches the membership condition,
> then we proceed to the child code groups, combining all children code
groups with the combination mechanism specified by the code group itself.
> (If that wasn't unclear enough ...... almost all code groups are

> code groups that also match the evidence).
>
> So on each policy level, we end up unioning all the code groups that match
(unless you hit a LevelFinal or Exclusive group), leaving us with four
> permission sets, one per level. Then we intersect all four of these sets
and end up with the final assembly grant.
>
> -Shawn
> http://blogs.msdn.com/shawnfa
>
> --
>
> This posting is provided "AS IS" with no warranties, and confers no
rights.
> Note: For the benefit of the community-at-large, all responses to this
message are best directed to the newsgroup/thread from which they
> originated.
> --------------------
> >From: "Sankar Nemani" <snemani@nospamlumedx.com>
> >References: <ux7TKqfiEHA.1356@TK2MSFTNGP09.phx.gbl>
<#PSpQHhiEHA.4056@TK2MSFTNGP09.phx.gbl>
> >Subject: Re: code access security with URL condition
> >Date: Tue, 24 Aug 2004 13:08:55 -0700
> >Lines: 66
> >X-Priority: 3
> >X-MSMail-Priority: Normal
> >X-Newsreader: Microsoft Outlook Express 6.00.3790.181
> >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.181
> >Message-ID: <#HERuZhiEHA.3608@TK2MSFTNGP09.phx.gbl>
> >Newsgroups: microsoft.public.dotnet.security
> >NNTP-Posting-Host: 63.80.71.253
> >Path:

> >Xref: cpmsftngxa10.phx.gbl microsoft.public.dotnet.security:7219
> >X-Tomcat-NG: microsoft.public.dotnet.security
> >
> >So is there a place that discusses how the .NET framework finds the code
> >group when more than one code group exist?
> >
> >"Nicole Calinoiu" <nicolec@somewhere.net> wrote in message
> >news:#PSpQHhiEHA.4056@TK2MSFTNGP09.phx.gbl...
> >> UrlMembershipCondition, which is the class responsible for testing
whether
> >> evidence matches a code group URL condition, does not account for the
> >> multiple URLs that could be used to reach the same site. My guess
would
> >be
> >> that while you were working offline, you used the various localhost,
> >machine
> >> name, and 127.0.0.1 addresses in such a way as to make some of the
> >controls
> >> source from each one. As for needing the two root/* and
root/virtdir1/*
> >> forms, I wonder if you really need all 6 or just the 3 root variants of
> >the
> >> more suitable of the two.
> >>
> >> Either way, instead of spending time worrying about a purely dev-time
> >> configuration problem that you've already solved, perhaps it might be
more
> >> worthwhile to spend some time figuring out how to get the controls to
run
> >> without full trust...
> >>
> >>
> >> "Sankar Nemani" <snemani@nospamlumedx.com> wrote in message
> >> news:ux7TKqfiEHA.1356@TK2MSFTNGP09.phx.gbl...
> >> > Hi
> >> > We have two virtual directories in which our .NET controls reside.
We
> >> > host these controls in IE. These controls need full trust permission
> >set.
> >> > We
> >> > tried to create a codegroup that has a URL condition
http://localhost/*
> >> > and
> >> > gave full trust permission and tested by opening IE on the same
machine
> >as
> >> > the server (that is why localhost should have been OK). Some parts of
> >the
> >> > controls worked but we got SecurityExceptions for others. We kept
> >getting
> >> > SecurityExceptions in one part or the other until we created 6 code
> >groups
> >> > with URL conditions
> >> > http://localhost/*
> >> > http://MACHINENAME/*
> >> > http://127.0.0.1/*
> >> > http://localhost/VirtDir1/*
> >> > http://MACHINENAME/VirtDir1/*
> >> > http://127.0.0.1/VirtDir1/*
> >> > and gave full trust for all these code groups. The computer is not on
> >any
> >> > network. When it was hooked up to the a network, we didn't need all 6
> >code
> >> > groups. It seems like the code access security mechanism is not able
to
> >> > figure out localhost,MACHINENAME and 127.0.0.1 as the same URL.
> >> > I would like to understand how .NET applies these permissions and if
> >there
> >> > are any resources that discuss these things in detail.
> >> > TIA
> >> > Sankar Nemani
> >> >
> >> >
> >> >
> >>
> >>
> >
> >
> >
>
>

>From: "Sankar Nemani" <snemani@nospamlumedx.com>
>References: <ux7TKqfiEHA.1356@TK2MSFTNGP09.phx.gbl> <#PSpQHhiEHA.4056@TK2MSFTNGP09.phx.gbl> <#HERuZhiEHA.3608
@TK2MSFTNGP09.phx.gbl> <9lhy9ciiEHA.2200@cpmsftngxa10.phx.gbl>
>Subject: Re: code access security with URL condition
>Date: Wed, 25 Aug 2004 10:01:56 -0700
>Lines: 139
>X-Priority: 3
>X-MSMail-Priority: Normal
>X-Newsreader: Microsoft Outlook Express 6.00.3790.181
>X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.181
>Message-ID: <OaO78VsiEHA.3896@TK2MSFTNGP15.phx.gbl>
>Newsgroups: microsoft.public.dotnet.security
>NNTP-Posting-Host: 63.80.71.248
>Path: cpmsftngxa10.phx.gbl!TK2MSFTFEED01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP15.phx.gbl
>Xref: cpmsftngxa10.phx.gbl microsoft.public.dotnet.security:7232
>X-Tomcat-NG: microsoft.public.dotnet.security
>
>Yes indeed it is "unclear". But this is a good starting for me to understand
>how CASPol works.
>Thanks a bunch
>Sankar Nemani
>""Shawn Farkas"" <shawnfa@online.microsoft.com> wrote in message
>news:9lhy9ciiEHA.2200@cpmsftngxa10.phx.gbl...
>> You can find lots of this information on our MSDN site, for a good intro
>look at the Security Policy topic of the following article:
>>
>http://msdn.microsoft.com/library/en-us/dnnetsec/html/netframesecover.asp?frame=true#netframesecover_topic7
>>
>> Basically how it works is that on each policy level is a tree of code
>groups. Each code group has a membership condition, a permission set,
>> some child code groups, and a way to combine multiple sets. Starting from
>the root code group, the policy evaluation checks the membership
>> condition of the code group that is currently being evaluated. If the
>evidence of the assembly being evaluated matches the membership condition,
>> then we proceed to the child code groups, combining all children code
>groups with the combination mechanism specified by the code group itself.
>> (If that wasn't unclear enough ...... almost all code groups are
>UnionCodeGroups, which simply take the union of all the permission sets of
>their child
>> code groups that also match the evidence).
>>
>> So on each policy level, we end up unioning all the code groups that match
>(unless you hit a LevelFinal or Exclusive group), leaving us with four
>> permission sets, one per level. Then we intersect all four of these sets
>and end up with the final assembly grant.
>>
>> -Shawn
>> http://blogs.msdn.com/shawnfa
>>
>> --
>>
>> This posting is provided "AS IS" with no warranties, and confers no
>rights.
>> Note: For the benefit of the community-at-large, all responses to this
>message are best directed to the newsgroup/thread from which they
>> originated.
>> --------------------
>> >From: "Sankar Nemani" <snemani@nospamlumedx.com>
>> >References: <ux7TKqfiEHA.1356@TK2MSFTNGP09.phx.gbl>
><#PSpQHhiEHA.4056@TK2MSFTNGP09.phx.gbl>
>> >Subject: Re: code access security with URL condition
>> >Date: Tue, 24 Aug 2004 13:08:55 -0700
>> >Lines: 66
>> >X-Priority: 3
>> >X-MSMail-Priority: Normal
>> >X-Newsreader: Microsoft Outlook Express 6.00.3790.181
>> >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.181
>> >Message-ID: <#HERuZhiEHA.3608@TK2MSFTNGP09.phx.gbl>
>> >Newsgroups: microsoft.public.dotnet.security
>> >NNTP-Posting-Host: 63.80.71.253
>> >Path:
>cpmsftngxa10.phx.gbl!TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP09
>.phx.gbl
>> >Xref: cpmsftngxa10.phx.gbl microsoft.public.dotnet.security:7219
>> >X-Tomcat-NG: microsoft.public.dotnet.security
>> >
>> >So is there a place that discusses how the .NET framework finds the code
>> >group when more than one code group exist?
>> >
>> >"Nicole Calinoiu" <nicolec@somewhere.net> wrote in message
>> >news:#PSpQHhiEHA.4056@TK2MSFTNGP09.phx.gbl...
>> >> UrlMembershipCondition, which is the class responsible for testing
>whether
>> >> evidence matches a code group URL condition, does not account for the
>> >> multiple URLs that could be used to reach the same site. My guess
>would
>> >be
>> >> that while you were working offline, you used the various localhost,
>> >machine
>> >> name, and 127.0.0.1 addresses in such a way as to make some of the
>> >controls
>> >> source from each one. As for needing the two root/* and
>root/virtdir1/*
>> >> forms, I wonder if you really need all 6 or just the 3 root variants of
>> >the
>> >> more suitable of the two.
>> >>
>> >> Either way, instead of spending time worrying about a purely dev-time
>> >> configuration problem that you've already solved, perhaps it might be
>more
>> >> worthwhile to spend some time figuring out how to get the controls to
>run
>> >> without full trust...
>> >>
>> >>
>> >> "Sankar Nemani" <snemani@nospamlumedx.com> wrote in message
>> >> news:ux7TKqfiEHA.1356@TK2MSFTNGP09.phx.gbl...
>> >> > Hi
>> >> > We have two virtual directories in which our .NET controls reside.
>We
>> >> > host these controls in IE. These controls need full trust permission
>> >set.
>> >> > We
>> >> > tried to create a codegroup that has a URL condition
>http://localhost/*
>> >> > and
>> >> > gave full trust permission and tested by opening IE on the same
>machine
>> >as
>> >> > the server (that is why localhost should have been OK). Some parts of
>> >the
>> >> > controls worked but we got SecurityExceptions for others. We kept
>> >getting
>> >> > SecurityExceptions in one part or the other until we created 6 code
>> >groups
>> >> > with URL conditions
>> >> > http://localhost/*
>> >> > http://MACHINENAME/*
>> >> > http://127.0.0.1/*
>> >> > http://localhost/VirtDir1/*
>> >> > http://MACHINENAME/VirtDir1/*
>> >> > http://127.0.0.1/VirtDir1/*
>> >> > and gave full trust for all these code groups. The computer is not on
>> >any
>> >> > network. When it was hooked up to the a network, we didn't need all 6
>> >code
>> >> > groups. It seems like the code access security mechanism is not able
>to
>> >> > figure out localhost,MACHINENAME and 127.0.0.1 as the same URL.