当前位置: 文江博客话题详情

使用反射时 LinkDemand 检查失败 - “该程序集不允许部分受信任的调用者。”

发布于 2024-11-10 15:12:59 字数 1397 浏览 8 评论 0原文

我遇到了一个问题,即从具有 AllowPartiallyTrustedCallers 属性的 GAC 编辑程序集到另一个在部分信任环境中没有该属性的 GAC 编辑程序集进行的调用如果直接进行,则会成功,但会失败如果通过反射进行。

涉及的程序集:

  • AssemblyA(安装在 GAC 中,没有有AllowPartiallyTrustedCallers,无法修改)
  • AssemblyB(安装在 GAC 中,有AllowPartiallyTrustedCallers,无法修改)
  • AssemblyC(安装在GAC,确实有AllowPartiallyTrustedCallers,可以修改)
  • AssemblyD(已签名,但未安装在GAC中,有AllowPartiallyTrustedCallers,可以修改)。

我需要直接或间接从 AssemblyD 调用 AssemblyA 中的代码。对于直接调用,我只是将它们从 AssemblyD 移至 AssemblyC,一切正常。对于间接调用,我需要调用 AssemblyB 中的一个方法,该方法将在内部使用反射来创建 AssemblyA 中类的实例。我可以直接从 AssemblyD 调用 AssemblyB 或通过 AssemblyC 间接调用 AssemblyB - 两者都可以接受,但都不适合我。

直接调用效果很好。如果调用堆栈上存在任何部分受信任的代码,则使用反射的调用将会失败。我无法避免 AssemblyB 正在执行的反射调用 - 在进行这些调用之前,它为我做了很多其他工作 - 我无法在 AssemblyC 中复制这些工作,而只能直接进行调用。

我已将一个演示此问题的项目上传到 BitBucket:https://bitbucket.org/jorupp/partialtrusttest。根据我对部分信任的理解,所有 4 个都应该有效(直接从 B 或 C 调用 A 并通过 B 或 C 的反射调用 A),但是基于反射的调用失败。

我猜想我需要在 AssemblyC 的代码中声明一些 CAS 权限或类似权限才能使其正常工作,但我不知道是什么。

注意:我的场景中的名称显然是人为的,但实际场景是一个 Sharepoint 应用程序,其中 AssemblyA 是 Microsoft.Sharepoint.Taxonomy,AssemblyB 是 Microsoft.Sharepoint,AssemblyC 是我的自定义 GAC 程序集,AssemblyD 是我的自定义 Web 应用程序部署的程序集。据我所知,这不是 Sharepoint 特有的问题。

预先感谢您的任何想法或帮助。

原文

I'm running into an issue where calls made from a GAC-ed assembly with the AllowPartiallyTrustedCallers attribute to another GAC-ed assembly without that attribute made in a partial-trust environment succeed if made directly, but fail if made via reflection.

Assemblies involved:

  • AssemblyA (installed in GAC, does not have AllowPartiallyTrustedCallers, cannot be modified)
  • AssemblyB (installed in GAC, does have AllowPartiallyTrustedCallers, cannot be modified)
  • AssemblyC (installed in GAC, does have AllowPartiallyTrustedCallers, can be modified)
  • AssemblyD (signed, but not installed in GAC, does have AllowPartiallyTrustedCallers, can be modified).

I need to call code in AssemblyA from AssemblyD both directly and indirectly. For the direct calls, I just moved them from AssemblyD into AssemblyC and everything works. For the indirect calls, I need to call a method in AssemblyB that will internally use Reflection to create an use an instance of a class in AssemblyA. I can make the call to AssemblyB directly from AssemblyD or indirectly via AssemblyC - either would be acceptable, but neither is working for me.

The direct calls work great. The calls that use reflection fail if there is any partially-trusted code on the call stack. I can't avoid the reflection calls AssemblyB is doing - it's doing a lot of other work for me before it makes those calls - work that I can't duplicate in AssemblyC and just make the calls direct.

I've uploaded a project demonstrating this to BitBucket: https://bitbucket.org/jorupp/partialtrusttest. Based on my understanding of partial-trust, all 4 should work (calling A directly from B or C and calling A via reflection from B or C), but the reflection-based calls are failing.

I'm guessing I need to be asserting some CAS permission or the like in my code in AssemblyC to get this working, but I can't figure out what.

Note: the names in my scenario is obviously contrived, but the real-world scenario is a Sharepoint application, where AssemblyA is Microsoft.Sharepoint.Taxonomy, AssemblyB is Microsoft.Sharepoint, AssemblyC is my custom GAC-ed assembly, and AssemblyD is my custom webapp-deployed assembly. As near as I can tell, this is not a Sharepoint-specific problem.

Thanks in advance for any ideas or help.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

狼亦尘 2024-11-17 15:12:59

在我花了一个小时写下重现案例和解释它的问题之后,我偶然发现了一个解决方案(尽管我不确定它是正确的):

我试图使用这样的代码(在 AssemblyC 中

public void UseClassBToCreateClassAViaReflection()
{
    new SecurityPermission(PermissionState.Unrestricted).Assert();
    ClassB.CreateClassAViaReflection();
}

)工作。然而,这确实是:

[PermissionSet(SecurityAction.Assert, Name = "FullTrust")]
public void UseClassBToCreateClassAViaReflection()
{
    ClassB.CreateClassAViaReflection();
}

我仍然没有完全理解 CAS,但至少这让我度过了第一个问题并进入了下一个问题。我不认为我在这里创建了一个庞大的安全整体,但我不太确定......

And after I spent an hour writing up the repro case and the question explaining it, I stumbled on a solution (though I'm not sure it's the right one):

I was trying to use code like this (in AssemblyC)

public void UseClassBToCreateClassAViaReflection()
{
    new SecurityPermission(PermissionState.Unrestricted).Assert();
    ClassB.CreateClassAViaReflection();
}

Which wasn't working. This however, does:

[PermissionSet(SecurityAction.Assert, Name = "FullTrust")]
public void UseClassBToCreateClassAViaReflection()
{
    ClassB.CreateClassAViaReflection();
}

I still don't fully get CAS, but at least this gets me past my first issue and on to my the next one. I don't think I'm creating a massive security whole here, but I'm not quite sure...

回复 原文
~没有更多了~

关于作者

猥︴琐丶欲为

暂无简介

文章
评论
26 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

十二

文章 0 评论 0

飞烟轻若梦

文章 0 评论 0

OPleyuhuo

文章 0 评论 0

wxb0109

文章 0 评论 0

旧城空念

文章 0 评论 0

-小熊_

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文