SecurityExceptions and compile warnings in xbap projects

WPF Studio, Themes, and Shared Library for WPF Forum

Posted 7 years ago by Munish - Netherlands
Version: 12.1.0560
Platform: Silverlight Controls
Environment: Windows 7 (64-bit)
Avatar

Greetings,

I'm in the process of upgrading our project from 11.1.542 to the new 12.1.560. Our project was already using .NET 4.0 before, and now your assemblies are .NET 4.0 as well, which is great, i suppose.

However i've been running into some problems with that. From what i understand Security has changed a bit in 4.0 (http://msdn.microsoft.com/en-us/library/dd233103.aspx).

 

At first i got the following compile error on classes that used our own custom subclasses of WizardPage and SyntaxEditor.

'Inheritance security rules violated by type: 'X'. Derived types must either match the security accessibility of the base type or be less accessible

To fix this i added the following to the AssemblyInfo:

[assembly: SecurityRules(SecurityRuleSet.Level1)]

 

After this, there were still compile warnings from our XBAP project for every reference to an Actipro assembly (references added according to the documentation, with Copy Local set to true)

Reference 'ActiproSoftware.Wizard.Wpf' does not allow partially trusted callers.

 

I figured it's only a warning, so i tried to run/debug the XBAP project anyway, but that failed with a SecurityException (no further info in debug mode)

System.Security.SecurityException was unhandled

Message: That assembly does not allow partially trusted callers.

 

Then i remembered that you guys have an XBAP demo running on your site, and when i try to run that (http://www.actiprosoftware.com/files/demos/online/wpf/samplebrowser.xbap) i get a similar exception:

System.Windows.Markup.XamlParseException: 'Set property 'System.Windows.ResourceDictionary.DeferrableContent' threw an exception.' Line number '3' and line position '6'.
---> System.MethodAccessException: Attempt by security transparent method 'System.Windows.Markup.StaticExtension.GetFieldOrPropertyValue(System.Type, System.String, System.Object ByRef)' to access security critical method 'ActiproSoftware.Windows.Themes.SharedResourceKeys.get_TreeViewItemStyleKey()' failed.

Assembly 'System.Xaml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' is marked with the AllowPartiallyTrustedCallersAttribute, and uses the level 2 security transparency model. Level 2 transparency causes all methods in AllowPartiallyTrustedCallers assemblies to become security transparent by default, which may be the cause of this exception.

 

 

I also searched for an XBAP sample project, figuring that could at least show me a working configuration, but i couldn't find one in the samples. So now i'm wondering: am i doing something wrong, or did the XBAP/partial trust support break in 2012.1?

[Modified 7 years ago]

Comments (5)

Posted 7 years ago by Munish - Netherlands
Avatar

Update:

I have removed the following attributes from my AssemblyInfos (which makes sense i suppose), and i seem to have gotten a bit further.

[assembly:AllowPartiallyTrustedCallers]
[assembly: SecurityRules(SecurityRuleSet.Level1)]

I'm now able to load my assembly and get a 'proper' MethodAccessException on an actual line of code

Attempt by security transparent method '*..ctor(...)' to access security critical method 'ActiproSoftware.Windows.Themes.ThemeManager.BeginUpdate()' failed.

Posted 7 years ago by Actipro Software Support - Cleveland, OH, USA
Avatar

Hi Munish,

Yes in .NET 4.0 Microsoft changed completely how security works.  We had to remove the AllowPartiallyTrustedCallersAttribute on the assemblies since it caused .NET 4.0 security issues for some of our features.

I'm not seeing any issues running our XBAP demo on the site though.  Do you get that error on startup or on a specific sample?

We don't ship an XBAP demo project but on its project properties' Security tab, we have "Enabled ClickOnce security settings" checked, the partial trust radio button checked, and Internet zone selected.


Actipro Software Support

Posted 7 years ago by Munish - Netherlands
Avatar

Regarding your demo:

I first get a "Application Run - Security Warning" dialog, where it asks me to "Run" or "Don't Run" the sample browser. I choose run, obviously, and after downloading the XBAP i immediately get the above error, i never actually see the sample browser.

Since it works on your machine, i thought maybe it's a local problem, but i tried to run other 4.0 XBAPs online and they seem to work fine.

On our XBAP project security tab we also have "Enabled ClickOnce security settings" checked, and the partial trust radio button checked. We have Zone set to Custom however, because we need some additional permissions (which we define in app.manifest), to run/debug our application locally. Perhaps something in there is causing it, though that wouldn't explain why i can't run your XBAP demo.

I will try some things out in a clean project and keep you guys updated.

Posted 7 years ago by Munish - Netherlands
Avatar

Update:

When i uninstall 12.1, the online sample browser runs fine. Installed 12.1 again, and i get the exception again.

Only thing i can think of at the moment is that the online demo tries to use the assemblies from the GAC when i have 12.1 installed and that they are somehow different from the assemblies the online demo uses normally.

 

With a clean project i get the same result as in our 'real' project, it fails when i try to call ThemeManager.BeginUpdate.

[Modified 7 years ago]

Posted 7 years ago by Actipro Software Support - Cleveland, OH, USA
Avatar

Hi Munish,

We've been researching this and see the same thing you do.  If WPF Studio is installed on the machine, the XBAP demo on our site fails.  If we uninstall WPF Studio, the XBAP demo works fine.  The assemblies should be the same in the GAC as they are from the XBAP.  But for some reason the security is treating them differently.  We've been looking on the web for answers but aren't finding anything so far.

As for new clean projects, we tried one here and it worked ok.  If you want to e-mail our support address with your new simple sample, we can try it.  Please rename the .zip file extension file so it's not spam blocked.


Actipro Software Support

The latest build of this product (v2018.1 build 0675) was released 11 days ago, which was after the last post in this thread.

Add Comment

Please log in to a validated account to post comments.