Assemblies That Require Other Than Execute Permissions


A developer who wants to grant custom assemblies privileges beyond Execute permission needs to edit one or both configuration files: C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\ rssrvpolicy.config and/or C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\ RSPreviewPolicy.config .

Note

Reporting Services 2000 used different configuration files ( RSReportServer.config and RSReportDesigner.config ). SSRS 2005 uses rssrvpolicy.config and RSPreviewPolicy.config for permission- related configuration.


To have access to system resources, such as File IO , from the assemblies, you need to add the following to one or both rssrvpolicy.config and RSPreviewPolicy.config configuration files (refer to Table 23.2).

Correspondingly, this configuration setting ensures successful execution of the assembly deployed to the Reporting Services and assembly used by Report Designer.

 <PermissionSet         class="NamedPermissionSet"        version="1"        Name="MyPermissionSet"         Description="A custom permission set to grant read access to a configuration  file.">        <IPermission              class="FileIOPermission"              version="1"              Read="C:\configuration.xml"              Write="C:\configuration.xml"        />       <IPermission class="SecurityPermission"              version="1"              Flags="Execution, Assertion"       /> </PermissionSet> 

The preceding configuration section is a definition of a NamedPermissionSet with the name MyPermissionSet , which is located under the <NamedPermissionSets> tag in the configuration file ( rssrvpolicy.config and/or RSPreviewPolicy.config ). MyPermissionSet grants the assembly two security permissions:

  • Execute Allows executing code in the assembly. This permission was discussed earlier in this section.

  • Assert Allows asserting other defined permissions in the code. In this case, it allows asserting a FileIOPermission .

MyPermissionSet also grants the assembly a FileIOPermission permission to read and write configuration files. The named permission set is optional and used to create a fine granularity of permissions that are not already defined by built-in permissions.

In addition, the following <CodeGroup> configuration needs to be added to the configuration file ( rssrvpolicy.config in this particular case).

[View full width]
 
[View full width]
<CodeGroup class="UnionCodeGroup" version="1" PermissionSetName= "MyPermissionSet" Name="MyCodeGroup" Description="A special code group for my custom assembly."> <IMembershipCondition class="UrlMembershipCondition" version="1" Url="C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\ ReportServer\bin\RSCustomLibrary.dll"/> </CodeGroup>

Note that CodeGroup refers back to MyPermissionSet . Alternatively, CodeGroup could have used a predefined set, such as FullTrust : PermissionSetName="FullTrust" .

Note how the Url property of the UrlMembershipCondition condition points to the library that was deployed for use by SSRS. You might have spotted this because the rssrvpolicy.config configuration was edited and the library was deployed to SSRS' binary directory ( C:\Program Files\Microsoft SQL Server\MSSQL.3\Reporting Services\ReportServer\bin\ ).

For Report Designer, the configuration file would have changed to RSPreviewPolicy.config and the deployment directory (and, thus, the value of the Url property) would be C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\PrivateAssemblies\RSCustomLibrary.dll .

The position of CodeGroup is extremely important. It has to be positioned like the following code fragment:

...

[View full width]
 
[View full width]
</CodeGroup> <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust" Name="MyNewCodeGroup"> <IMembershipCondition class="UrlMembershipCondition" version="1" Url="C:\Program Files\Microsoft Visual Studio PrivateAssemblies \RSCustomLibrary.dll"/> </CodeGroup> </CodeGroup> </CodeGroup> </PolicyLevel>

...

This code fragment gives the RSCustomLibrary.dll FullTrust or unrestricted permission. As mentioned previously, because FullTrust is a predefined PermissionSet , it does not require you to specify anything in the <NamedPermissionSets> section of the configuration file.

For a code to acquire the appropriate permission, it must first assert the permission:

 FileIOPermission permission = new FileIOPermission(FileIOPermissionAccess.Read   FileIOPermissionAccess.Write, @"C:\configuration.xml");  try  {       permission.Assert();       XmlDocument doc = new XmlDocument();       doc.Load(@"C:\configuration.xml");       ...  } 

Alternatively, a method's attribute can carry an assertion: [FileIOPermissionAttribute(SecurityAction.Assert, ViewAndModify= @"C:\ configuration.xml")]

The details of what happens during Assert are outside the scope of this book. You can find a very good explanation of Assert at http:// blogs .msdn.com/shawnfa/archive/2004/08/23/219155.aspx.

What happens if you properly set all configurations, but did not do an Assert ? In this case, .NET throws a SecurityException , such as the following:

 Request for the permission of type 'System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed. 



Microsoft SQL Server 2005 Reporting Services
Microsoft SQL Server 2005 Reporting Services
ISBN: 0672327996
EAN: 2147483647
Year: 2004
Pages: 254

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net