HTTP Deployment, What is allowed in your local intranet?
Lately I developed some applications that are deployed using HTTP deployment. This is a great way of leveraging the web model of centralized deployment while using the full richness of a windows interface.
This all is great but you must be aware of the fact that you will face a different security model regarding code access security. When deploying an application on a local machine, your assembly will be granted the full trust Permission set. I discovered (the hard way) that not all permissions you might find useful in a windows application are accessible when using HTTP deployment. ( I spawned an additional thread to do background requests to the server, and got the security exception quite unexpected) This is because you assembly will be getting the permission set from the code groups “Intranet_Same_Site_Access” and “Intranet_Same_Directory_Access”. This results in the following set of permissions:
- Environment Variables:
- USERNAME: Granted Read
- File Dialog:
- Unrestricted
- Isolated Storage
- File: Usage Allowed
- Disc quota: 9223372036854775807 (I assume that’s enough :-))
- Reflection:
- Member Access: No
- Type Information: No
- Reflection Emit: Yes
- Security Permission:
- Enable Code Execution: Yes
- Allow Calls to Unmanaged Code: No
- Assert any permission that has been granted: Yes
- Skip Verification: No
- Enable thread control: No
- Allow Policy Control: No
- Allow Domain Policy Control: No
- Allow Principal Control: No
- Create and Control Application Domains: No
- Serialization Formatter: No
- Allow Evidence Control: No
- Extend Infrastructure: No
- Enable Remoting Configuration: No
- User Interface
- Unrestricted
- DNS
- DNS: Yes
- Printing
- Default Printing: Yes
- EventLog
- Local Machine: Read Only
- Web Access
- (https|http)://YourHostName /.* Accept: No
- (https|http)://YourHostName /.* Connect: Yes
As you can see, this is really something you need to take into account when using HTTP deployment. Of course you can grand additional permissions, but then you need to take the effort of configuring code Access security for your assembly or your corporate key used for signing assemblies. Hope this list can help you decide upfront if HTTP deployment with the default code access policies will work for you.