Security in .NET framework is rather complex subject and developers often have to resort to various tricks configuring security settings for browser-hosted controls. Web demo project of Aspose.Editor 2.0.0 uses static script file stored server side. Configuration script has an URL of application as the main argument, so each installation of such web application requires script file modification by hand. Such approach is sometimes inconvenient, especially when an application URL is not known in advance.
To solve this problem we suggest generating proper configuration script on server dynamically.
Let’s fix the web demo project (in Aspose.Editor 2.0.0):
- Open the Aspose.Editor.Demo.Web project;
- Create new empty text file in the root folder of the project and name it security_script.aspx (Click right mouse button on the project, select Add – Add New Item, in dialog select Text File and enter it’s new name security_script.aspx);
- Open just created file, switch to HTML mode (Design mode is on by default) and copy the following code to the file:
<%@ Page language="c#" %>
<%
Response.Clear();
Response.ContentType = "application/js";
Response.AddHeader("Content-Type", "application/js");
Response.AddHeader("Content-Disposition", "inline;filename=SecurityConfig.js");
%>
// adjustable settings
var Name = "Aspose.Editor.Client";
var Url = "<%=Request.Url.GetLeftPart(UriPartial.Authority)%>/*";
var Publisher = "Aspose Pty Ltd."
var Description = "Security settings for Aspose.Editor.Client";
var Permission = "FullTrust";
// update security
update(Name, Url, Permission, Publisher, Description);
function update(name, url, permission, publisher, description)
{
try
{
// define .NET framework directories location
var WSHShell = WScript.CreateObject("WScript.Shell");
var path = WSHShell.RegRead("HKLM\\SOFTWARE\\Microsoft\\.NETFramework\\InstallRoot");
// get the directory of the latest available .NET framework runtime
var fso = WScript.CreateObject("Scripting.FileSystemObject");
f = fso.GetFolder(path);
fc = new Enumerator(f.SubFolders);
for (; !fc.atEnd(); fc.moveNext())
{
s = fc.item();
switch(s.Name.substring(0, 5))
{
case "v2.0.":
case "v1.1.":
case "v1.0.":
f = s;
break;
}
}
// execute security policy configuration tool
args = "-m -q -pp off -ag 1. -url " + url + " " +
permission + " -n \"" + name + "\" -d \"" + description + "\"";
WSHShell.Run(f.Path + "\\caspol " + args, 0);
WSHShell.Popup("Security settings for " + Name + " successfully applied." +
"\nInternet browser should be restarted.", 0, "Congratulations!");
}
catch(e)
{
WSHShell.Popup(e.message, 0, "Error occured");
}
}
<%
Response.End();
%>
- Open security_config.aspx in HTML mode and change "Scripts/SecurityConfig.js" with “security_script.aspx” in <a href="Scripts/SecurityConfig.js">Download Configuration Script</a> string.
- Save and close all modified files of the project.
In order to test the script delete the security entry for your application if one exists using the caspol utility:
- Go to the appropriate folder which contains the .NET Framework used by Internet Explorer. Internet Explorer uses latest installed .NET Runtime version by default, however this can be overridden in iexplore.exe.config file. Common location of .NET framework folders is "C:\WINDOWS\Microsoft.NET\Framework\<Framework version>\".
- Execute the following command “caspol -lg”. If you’ll see something like “1.7. Url - http://localhost/*: FullTrust” in the list (1.7 – is not fixed position so it may vary) where "http://localhost" is your application URL then execute command “caspol –rg 1.7” to delete this entry.
- Repeat step 2 until no entries for your application remain in the list.
- Restart browser and go to the application URL. If everything is correct, security configuration page will be displayed.
- Run new dynamically generated script from security page.
- Restart browser and check the application works.
Next version of Aspose.Editor will use this approach in web demo project.
