CAS Policy Permission issue when doing KeywordQuery

  • Question

  • We have a web part that does a bit of searching but is having a permission related issue. The following code works fine when the web part's assembly is in the GAC. When we move it to the bin directory, it does not work. This is clearly a permission issue.

                SPSite site = CurrentWeb.Site;
                KeywordQuery qRequest = new KeywordQuery(site);

    In this code, an exception is thrown by KeywordQuery. The error is:

    System.ArgumentException was unhandled by user code
      Message="Bad Xml Unrestricted"
      Source="mscorlib"
      StackTrace:
           at System.Security.CodeAccessSecurityEngine.Check(Object demand, StackCrawlMark& stackMark, Boolean isPermSet)
           at System.Security.CodeAccessPermission.Demand()
           at Microsoft.Win32.RegistryKey.CheckSubKeyReadPermission(String subkeyName)
           at Microsoft.Win32.RegistryKey.CheckOpenSubKeyPermission(String subkeyName, Boolean subKeyWritable)
           at Microsoft.Win32.RegistryKey.OpenSubKey(String name, Boolean writable)
           at Microsoft.Win32.RegistryKey.OpenSubKey(String name)
           at Microsoft.SharePoint.Search.Query.CommandCreator..ctor()
           at Microsoft.SharePoint.Search.Query.Query.FinishConstruction(String appName)
           at Microsoft.SharePoint.Search.Query.Query..ctor(SPSite site)
           at Microsoft.SharePoint.Search.Query.KeywordQuery..ctor(SPSite site)
           at HCInsight.WSS.PDFSearch.PDFSearch.btnTSearch_Click(Object sender, EventArgs e)
           at System.Web.UI.WebControls.Button.OnClick(EventArgs e)
           at System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument)
           at System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument)
           at System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument)
           at System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData)
           at System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)
      InnerException:

    We have the following CAS policy set up in the manifest.xml:

      <CodeAccessSecurity>
        <PolicyItem>
          <PermissionSet class="NamedPermissionSet" version="1" Description="Permission Set for HCInsightPDFSearch Solution" Name="HCInsightPDFSearchPolicy">
            <IPermission class="AspNetHostingPermission" version="1" Level="Medium" />
            <IPermission class="SecurityPermission" version="1" Flags="Assertion, Execution, UnmanagedCode, ControlThread, RemotingConfiguration" />
            <IPermission class="System.Net.DnsPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" version="1" Unrestricted="true" />
            <IPermission class="System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" version="1" Read="$AppDir$" Write="$AppDir$" Append="$AppDir$" PathDiscovery="$AppDir$" />
            <IPermission class="Microsoft.SharePoint.Security.SharePointPermission, Microsoft.SharePoint.Security, version=12.0.0.0, culture=neutral, PublicKeyToken=71e9bce111e9429c" version="1" UnsafeSaveOnGet="True" ObjectModel="True" Unrestricted="true" />
            <IPermission class="System.Security.Permissions.IsolatedStorageFilePermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" version="1" Allowed="AssemblyIsolationByUser" UserQuota="9223372036854775807" />
            <IPermission class="System.Drawing.Printing.PrintingPermission, System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" version="1" Level="DefaultPrinting" />
            <IPermission class="System.Configuration.ConfigurationPermission, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" version="1" Unrestricted="True" />
            <IPermission class="WebPartPermission" version="1" Connections="True" />
            <IPermission class="System.Security.Permissions.ReflectionPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" version="1" Flags="MemberAccess" Unrestricted="True" />
            <IPermission class="System.Security.Permissions.EnvironmentPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" version="1" Unrestricted="True" />
            <IPermission class="System.DirectoryServices.DirectoryServicesPermission, System.DirectoryServices, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" version="1" Unrestricted="true"/>
            <IPermission class="System.Data.SqlClient.SqlClientPermission, System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" version="1" Unrestricted="true" />
            <IPermission class="System.Net.WebPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" version="1">
              <ConnectAccess>
                <URI uri="https?://.*"/>
              </ConnectAccess>
            </IPermission>
          </PermissionSet>
          <Assemblies>
            <Assembly Name="HCInsight.WSS.PDFSearch"/>
          </Assemblies>
        </PolicyItem>
      </CodeAccessSecurity>

    What do you think is wrong? What would cause a Bad Xml Unrestricted and what does it mean?

    Thanks.

    Paul
    Wednesday, April 8, 2009 11:20 AM

All replies

  • I think you need an IPermission for Registry access. I think you just need Read access and I am not sure which key you need exactly, but you should be able to figure it out with some experimentation. I checked some code of mine that I am using with the KeywordQuery class and I didn't need to set registry permission, so I am not sure why your code would need it.

    Thanks,
    Corey


    Corey Roth blog: www.dotnetmafia.com twitter: twitter.com/coreyroth
    Wednesday, April 8, 2009 1:57 PM
  • Try using the Permission Calculator Tool located at http://msdn.microsoft.com/en-us/library/ms165077(vs.80).aspx.

    Hope this helps,

    Dan
    http://devcow.com/blogs/jdattis/
    Wednesday, April 8, 2009 7:19 PM
  • I have tried the calculator, but it did not suggest any additional permission that isn't already set.

    The problem does appear to be registry related. However, I cannot figure out how to set permission for registry access.

    I even gave full trust to the asphostpermission, but this did not solve the problem. I am out of ideas. Anyone?

    One more thing, the search is running from a smartpart. I don't know if this adds another layer of complexity to the security?

    Paul

    Tuesday, April 14, 2009 11:45 AM
  • The KeywordQuery.CommandCreator is trying to access the following key in the local machine hive, Software\Microsoft\Shared Tools\Web Server Extensions\12.0\Search\Setup, to determine if search is installed. You need to add the System.Security.Permissions.RegistryPermissionAttribute to either your web part or the CAS policy XML.


    http://msdn.microsoft.com/en-us/library/system.security.permissions.registrypermissionattribute.aspx

    http://www.code-magazine.com/Article.aspx?quickid=0405031
    http://www.certdev.com
    • Marked as answer by Paul Siu Thursday, April 16, 2009 3:10 AM
    Tuesday, April 14, 2009 1:45 PM
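
The policy-file route from the answer above, as an added example that is not part of the original thread: a read-only RegistryPermission entry scoped to the single key the answer names, written in the same assembly-qualified form as the other mscorlib permissions in the question's manifest. The full `HKEY_LOCAL_MACHINE\SOFTWARE\` prefix is an assumption based on the answer's "local machine hive" wording.

```xml
<!-- Added example: place inside the existing <PermissionSet> named
     HCInsightPDFSearchPolicy in manifest.xml, next to the other IPermission entries. -->

<!-- Least-privilege form: Read only, limited to the key that the stack trace's
     RegistryKey.OpenSubKey call needs. No Write or Create access is granted. -->
<IPermission class="System.Security.Permissions.RegistryPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
             version="1"
             Read="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\Web Server Extensions\12.0\Search\Setup" />

<!-- Broad form, shown for contrast only: this would let the bin-deployed assembly
     read, write and create any registry key the application pool account can reach.
<IPermission class="System.Security.Permissions.RegistryPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
             version="1"
             Unrestricted="true" />
-->
```
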
  • Apparently the RegistryPermission is the cause of the problem, though when I added it to the CAS Policy as an IPermission, it did not resolve the problem. It turns out that the WSS custom file generated by the manifest did not have a Security Group for RegistryPermission. After I added the security group, it resolved the problem.

    Is there a way to add a SecurityGroup in the manifest.xml so that when I deploy the wsp file, it adds the SecurityGroup node?
    Thursday, April 16, 2009 3:10 AM