[Objective]
With VSTO 2005 SE, we developed an add-in that uses other .NET DLLs (assemblies). To deploy the project, we use Windows Installer, following the instructions at:
http://blogs.msdn.com/chcast/archive/2007/03/28/creating-visio-add-ins-with-vsto-2005-se.aspx
However, after setup, we must grant full trust to all assemblies (including the add-in itself). To do this automatically, we made some modifications to the SetSecurity project, described below.
1 Add a new method in [CaspolSecurityPolicyCreator.cs] to register multiple assemblies under one parent code group
2 Modify [SetSecurity.cs] to use the new method
3 Set CustomActionData in the Setup (Installer) project
[Solutions]
1 In [CaspolSecurityPolicyCreator.cs], add a new method AddMultiSecurityPolicy() as follows. The code is based on AddSecurityPolicy(), with some modifications highlighted in red.
    internal static void AddMultiSecurityPolicy(
        bool machinePolicyLevel,
        string assemblyName,                 // comma-separated file names, e.g. "AAA.dll,BBB.dll"
        string solutionCodeGroupName,
        string solutionCodeGroupDescription,
        string targetDir,
        string assemblyCodeGroupName,        // comma-separated names, one per assembly
        string assemblyCodeGroupDescription)
    {
        string frameworkFolder = GetFrameworkFolder();
        //string solutionInstallationLocation = Path.GetDirectoryName(assemblyPath);
        string solutionInstallationLocation = targetDir;
        string solutionInstallationUrl = Path.Combine(solutionInstallationLocation, "*");
        string policyLevel;
        string parentCodeGroup;
        if (machinePolicyLevel)
        {
            policyLevel = "-m"; // Use Machine-level policy.
            parentCodeGroup = "My_Computer_Zone"; // Use My_Computer_Zone for assemblies installed on the computer.
        }
        else
        {
            policyLevel = "-u"; // Use User-level policy.
            parentCodeGroup = "All_Code";
        }
        // Add the solution code group. Grant no permission at this level.
        string arguments = policyLevel + " -q -ag " + parentCodeGroup + " -url \"" + solutionInstallationUrl + "\" Nothing -n \"" + solutionCodeGroupName + "\" -d \"" + solutionCodeGroupDescription + "\"";
        try
        {
            RunCaspolCommand(frameworkFolder, arguments);
        }
        catch (Exception ex)
        {
            string error = String.Format("Cannot create the security code group '{0}'.", solutionCodeGroupName);
            throw new Exception(error, ex);
        }
        // Add one child code group per assembly. Grant FullTrust permissions to each listed assembly.
        try
        {
            string[] assemblys = assemblyName.Split(',');
            string[] assemblyCGN = assemblyCodeGroupName.Split(',');
            // Both lists must line up one-to-one; otherwise the index below runs past the end.
            if (assemblys.Length != assemblyCGN.Length)
            {
                throw new ArgumentException("assemblyName and assemblyCodeGroupName must list the same number of entries.");
            }
            int index = 0;
            foreach (string assembly in assemblys)
            {
                string assemblyPath = Path.Combine(targetDir, assembly.Trim());
                // not using the assembly strong name as the membership condition.
                arguments = policyLevel + " -q -ag \"" + solutionCodeGroupName + "\" -url \"" + assemblyPath + "\" FullTrust -n \"" + assemblyCGN[index].Trim() + "\" -d \"" + assemblyCodeGroupDescription + "\"";
                RunCaspolCommand(frameworkFolder, arguments);
                index++;
            }
        }
        catch (Exception ex)
        {
            try
            {
                // Clean the solutionCodeGroupName.
                RemoveSecurityPolicy(machinePolicyLevel, solutionCodeGroupName);
            }
            catch { }
            string error = String.Format("Cannot create the security code group '{0}'.", assemblyCodeGroupName);
            throw new Exception(error, ex);
        }
    }
2 Find the code below in [SetSecurity.cs] and make the modifications shown in red
    try
    {
        bool allUsers = String.Equals(allUsersString, "1");
        //string assemblyPath = Path.Combine(targetDir, assemblyName);
        // Note that Install method may be invoked during Repair mode and the code group
        // may already exist.
        // To prevent adding of another code group, remove the code group if it exists.
        try
        {
            // The solutionCodeGroupName must be a unique name; otherwise, the method might delete wrong code group.
            CaspolSecurityPolicyCreator.RemoveSecurityPolicy(allUsers, solutionCodeGroupName);
        }
        catch {}
        /*
        CaspolSecurityPolicyCreator.AddSecurityPolicy(
            allUsers,
            solutionCodeGroupName,
            solutionCodeGroupDescription,
            assemblyPath,
            assemblyCodeGroupName,
            assemblyCodeGroupDescription);
        */
        CaspolSecurityPolicyCreator.AddMultiSecurityPolicy(
            allUsers,
            assemblyName,
            solutionCodeGroupName,
            solutionCodeGroupDescription,
            targetDir,
            assemblyCodeGroupName,
            assemblyCodeGroupDescription);
        stateSaver.Add("allUsers", allUsers);
    }
    catch (Exception ex)
    {
        throw new InstallException("Cannot set the security policy.", ex);
    }
3 In the Setup project, under CustomAction-->Install-->Primary output of SetSecurity-->Property Window, set CustomActionData to the following string, on one line
/assemblyName="AAA.dll,BBB.dll,CCC.dll" /targetDir="[TARGETDIR]\" /solutionCodeGroupName="HITACHI.kyaddin" /solutionCodeGroupDescription="Code group for kyaddin" /assemblyCodeGroupName="AAA,BBB,CCC" /assemblyCodeGroupDescription="Code group for kyaddin" /allUsers=[ALLUSERS]
Build and run setup.exe.
With the above modifications, we enhanced SetSecurity to support granting full trust to multiple assemblies.
Limitation: All assemblies must be located in the same folder.
Comment: With similar modifications, the following can be done to improve SetSecurity
1 Support different target directories
Attention: Assemblies without a strong name must be located under the application folder.
2 At present, full trust can be granted to assemblies that either all have strong names or all have none. To handle assemblies with and without strong names in the same way, we can consider the following.
Add a new membership parameter such as /StrongName = "1, 0, 1".
In AddMultiSecurityPolicy(), add logic to check StrongName and build different arguments accordingly.
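Comment 2 above, sketched as an added example (not code from the original post or from the SetSecurity sample): a helper that builds one caspol argument string per assembly, choosing a -strong or -url membership condition from a hypothetical /StrongName list. The class name, method name and validation rules are assumptions; each returned string is meant to be passed to RunCaspolCommand().

```csharp
using System;
using System.Collections.Generic;
using System.IO;

// Added example: hypothetical helper, not part of the SetSecurity sample.
internal static class MultiPolicyArguments
{
    // strongNameFlags is the hypothetical /StrongName value, e.g. "1, 0, 1"
    // (1 = the assembly at that position is strong-named).
    internal static List<string> Build(
        string policyLevel, string solutionCodeGroupName, string targetDir,
        string assemblyName, string assemblyCodeGroupName,
        string strongNameFlags, string description)
    {
        string[] files = assemblyName.Split(',');
        string[] groups = assemblyCodeGroupName.Split(',');
        string[] flags = strongNameFlags.Split(',');
        if (files.Length != groups.Length || files.Length != flags.Length)
            throw new ArgumentException("assemblyName, assemblyCodeGroupName and StrongName must have the same number of entries.");

        List<string> commands = new List<string>();
        for (int i = 0; i < files.Length; i++)
        {
            string file = files[i].Trim();
            string group = groups[i].Trim();
            // Accept bare .dll file names only, so an entry cannot point outside
            // targetDir or break out of the quoted caspol argument.
            if (!file.EndsWith(".dll", StringComparison.OrdinalIgnoreCase)
                || file.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0 || group.IndexOf('"') >= 0)
                throw new ArgumentException("Invalid entry: " + files[i]);

            string path = Path.Combine(targetDir, file);
            string membership = flags[i].Trim() == "1"
                // Match on the public key read from the file, whatever the name or version.
                ? "-strong -file \"" + path + "\" -noname -noversion"
                // No strong name: fall back to the location-based condition used above.
                : "-url \"" + path + "\"";

            commands.Add(policyLevel + " -q -ag \"" + solutionCodeGroupName + "\" "
                + membership + " FullTrust -n \"" + group + "\" -d \"" + description + "\"");
        }
        return commands;
    }
}
```

With -noname -noversion the FullTrust grant follows the signing key rather than the install path, so it applies to any assembly signed with that key under the solution code group.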
Wednesday, July 1, 2009