<= Home

Pain of Remoting with Strong Named Assemblies

Posted about over 2 years ago

I’ve just spent a couple of hours of my life that I’ll never get back again dealing with security exceptions with remoting.

 

Scenario: A client .NET web application communicating via remoting over a HTTP channel. The web app uses anonymous access with the default asp.net user account. Everything worked fine until I strong named the assemblies that were being invoked on the server (with remoting) I received the following exception:

 

Security Exception

Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.

Exception Details: System.Security.SecurityException: Request failed.

 

 

I finally stumbled along this discussion that lead me to a resolution. The reason this error occurs is because the asp.net web application is not fully trusted, but because the assembly being called from the web app is strong named, then it by defaults only allows access from if you have FullTrust permissions. There are a couple ways around this.

 

1)      Set the typeFilterLevel to FullTrust e.g.:

 

<formatter ref="soap" typeFilterLevel="Full" />

 

This works, but I had to resolve the security issue without affecting anything upstream. This fix requires all applications using the newly strong named assemblies to have their web.config files changed.

 

2)      Make the newly strong named assemblies allow partially trusted callers (which in this case ASP.NET is. Add the following to the assemblyInfo.cs file

 

[assembly:System.Security.AllowPartiallyTrustedCallers()]

 

To me, this negates some reasons why you strong name the assemblies in the first place, but it works and is there for a reason. We had to put assemblies into the GAC therefore having to strong name them, but we needed to distribute the assemblies knowing they would be invoked by some partially trusted assemblies. See this article for an in depth discussion of the AllowPartiallyTrustedCallers attribute.