CSLA .NET 2 - Because of security restrictions, the type Csla.Server.DataPortalContext cannot be accessed

dan72 posted on Tuesday, October 31, 2006

I am getting an serialization exception when attempting to run my solution using a Remote Data Portal (.NET Remoting using IIS as the host).

I've only found one post that mentions such an error and that was to do with 1.1 not 2.0. Can anyone help?

I've spent the last three hours trying to see how Code Access Security is causing this error but have not found anything obvious.

Thanks

Dan72

Further info:

************** Exception Text **************
System.Runtime.Serialization.SerializationException: Because of security restrictions, the type Csla.Server.DataPortalContext cannot be accessed. ---> System.Security.SecurityException: Request failed.
at System.Runtime.Serialization.FormatterServices.nativeGetSafeUninitializedObject(RuntimeType type)
at System.Runtime.Serialization.FormatterServices.GetSafeUninitializedObject(Type type)
The action that failed was:
Demand
The type of the first permission that failed was:
System.Security.PermissionSet
The demand was for:
<PermissionSet class="System.Security.PermissionSet"
version="1"
Unrestricted="true"/>

The only permitted permissions were:
<PermissionSet class="System.Security.PermissionSet"
version="1">
<IPermission class="System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
version="1"
Flags="SerializationFormatter"/>
</PermissionSet>

The method that caused the failure was:
System.Runtime.Remoting.Channels.ServerProcessing ProcessMessage(System.Runtime.Remoting.Channels.IServerChannelSinkStack, System.Runtime.Remoting.Messaging.IMessage, System.Runtime.Remoting.Channels.ITransportHeaders, System.IO.Stream, System.Runtime.Remoting.Messaging.IMessage ByRef, System.Runtime.Remoting.Channels.ITransportHeaders ByRef, System.IO.Stream ByRef)
--- End of inner exception stack trace ---

guyroch replied on Tuesday, October 31, 2006

Is your Csla assembly signed with a .snk file?

Programs that run on the CLR use something called code access security (CAS). CAS is different from traditional security systems in that it assigns trust to code rather than users. To do this, the security system gathers a set of evidence about every assembly it loads. This evidence is then compared against the security policy, and a permission grant is generated.

One of the pieces of evidence that the security system gathers is the security zone that the code is running from. When you run the code from your local machine, this will be the MyComputer zone, but when you run it off of a server, or even a network share mapped to a drive on your machine, it will be the LocalIntranet zone.

By default any code that is run from the MyComputer zone will get a permission set of FullTrust (unrestricted permission to do anything it pleases). However, by default, there is a more restrictive permission set given to LocalIntranet assemblies.

The way to make an application that works from the MyComputer zone work from the LocalIntranet zone is to give the assemblies in your application a strong name, and modify the security policy to trust this strong name. Hence the need for a key.

In Csla, the remoting portal runs in LocalIntranet zone.

Also, make sure that your virtual directory in IIS points to the right version of the .Net framework. If you have both framework installed on your remoting server the virtual directory will default to the 1.1 framework when you initially create your virtual directory. If your use .Net 2.0, make sure to change this default and have point to the 2.0 framework

Here's something I posted a while back. It fully explain how to get remoting to work.

http://forums.lhotka.net/forums/post/6131.aspx

Hope this helps

Bayu replied on Tuesday, October 31, 2006

Oh, guyroch is slightly faster. ;-)
His answer encompasses mine fully.

Anyways ... :-)
Bayu

guyroch replied on Tuesday, October 31, 2006

Call me Cowboy Guy, faster that a speeding bullet. :) LOL

guyroch replied on Tuesday, October 31, 2006

I just realized that the link I provided above was how to setup remoting with Csla 1.5x and not 2.0.

I HAVE MODIFIED the above post and it now points to a link that explains how to get remoting to work in Csla 2.0.

I ASLO removed the content of this post as it was no longer relevant. Sorry the any inconvenience.

dan72 replied on Tuesday, October 31, 2006

Yep - thanks guy - I am sure the remoting section of web.config is all good.

dan72 replied on Tuesday, October 31, 2006

Thanks guyroch

Csla is signed:

C:\Development\PersonalAsset\PersonalAsset.Library\PAWinUI\bin\Debug>sn -T Csla.dll

Public key token is 93be5fdc093e4c30

I was able to verify that the remote host is up and working too. I even tried signing my business assembly but that doesn't affect the error.

Any other ideas? I've put in additional error info in case that helps.

I have this in my web.config:

<system.runtime.remoting>

<wellknown mode="SingleCall" objectUri="RemotingPortal.rem"

type="Csla.Server.Hosts.RemotingPortal, Csla"/>

</service>

</serviceProviders>

</channels>

</application>

</system.runtime.remoting>

And I also added

I have the correct url in my app.config of my windows client. Here is the full exception:

See the end of this message for details on invoking
just-in-time (JIT) debugging instead of this dialog box.

************** Exception Text **************
System.Runtime.Serialization.SerializationException: Because of security restrictions, the type PersonalAsset.Library.Security.PAIdentity+Criteria cannot be accessed. ---> System.Security.SecurityException: Request failed.
at System.Runtime.Serialization.FormatterServices.nativeGetSafeUninitializedObject(RuntimeType type)
at System.Runtime.Serialization.FormatterServices.GetSafeUninitializedObject(Type type)
The action that failed was:
Demand
The type of the first permission that failed was:
System.Security.PermissionSet
The demand was for:
<PermissionSet class="System.Security.PermissionSet"
version="1"
Unrestricted="true"/>

Server stack trace:
   at System.Runtime.Serialization.FormatterServices.GetSafeUninitializedObject(Type type)
   at System.Runtime.Serialization.Formatters.Binary.ObjectReader.ParseObject(ParseRecord pr)
   at System.Runtime.Serialization.Formatters.Binary.ObjectReader.Parse(ParseRecord pr)
   at System.Runtime.Serialization.Formatters.Binary.__BinaryParser.ReadObjectWithMapTyped(BinaryObjectWithMapTyped record)
   at System.Runtime.Serialization.Formatters.Binary.__BinaryParser.ReadObjectWithMapTyped(BinaryHeaderEnum binaryHeaderEnum)
   at System.Runtime.Serialization.Formatters.Binary.__BinaryParser.Run()
   at System.Runtime.Serialization.Formatters.Binary.ObjectReader.Deserialize(HeaderHandler handler, __BinaryParser serParser, Boolean fCheck, Boolean isCrossAppDomain, IMethodCallMessage methodCallMessage)
   at System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Deserialize(Stream serializationStream, HeaderHandler handler, Boolean fCheck, Boolean isCrossAppDomain, IMethodCallMessage methodCallMessage)
   at System.Runtime.Remoting.Channels.CoreChannel.DeserializeBinaryRequestMessage(String objectUri, Stream inputStream, Boolean bStrictBinding, TypeFilterLevel securityLevel)
   at System.Runtime.Remoting.Channels.BinaryServerFormatterSink.ProcessMessage(IServerChannelSinkStack sinkStack, IMessage requestMsg, ITransportHeaders requestHeaders, Stream requestStream, IMessage& responseMsg, ITransportHeaders& responseHeaders, Stream& responseStream)

Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Csla.Server.IDataPortalServer.Fetch(Type objectType, Object criteria, DataPortalContext context)
   at Csla.DataPortalClient.RemotingProxy.Fetch(Type objectType, Object criteria, DataPortalContext context) in C:\Development\csla20cs\csla20cs\Csla\DataPortal\Client\RemotingProxy.cs:line 111
   at Csla.DataPortal.Fetch(Type objectType, Object criteria) in C:\Development\csla20cs\csla20cs\Csla\DataPortal\Client\DataPortal.cs:line 184
   at Csla.DataPortal.Fetch[T](Object criteria) in C:\Development\csla20cs\csla20cs\Csla\DataPortal\Client\DataPortal.cs:line 138
   at PersonalAsset.Library.Security.PAPrincipal.Login(String username, String password) in C:\Development\PersonalAsset\PersonalAsset.Library\PersonalAsset.Library\Security\PAPrincipal.cs:line 15
   at PAWinUI.LoginUser.btnLogin_Click(Object sender, EventArgs e) in C:\Development\PersonalAsset\PersonalAsset.Library\PAWinUI\LoginUser.cs:line 19
   at System.Windows.Forms.Control.OnClick(EventArgs e)
   at System.Windows.Forms.Button.OnClick(EventArgs e)
   at System.Windows.Forms.Button.OnMouseUp(MouseEventArgs mevent)
   at System.Windows.Forms.Control.WmMouseUp(Message& m, MouseButtons button, Int32 clicks)
   at System.Windows.Forms.Control.WndProc(Message& m)
   at System.Windows.Forms.ButtonBase.WndProc(Message& m)
   at System.Windows.Forms.Button.WndProc(Message& m)
   at System.Windows.Forms.Control.ControlNativeWindow.OnMessage(Message& m)
   at System.Windows.Forms.Control.ControlNativeWindow.WndProc(Message& m)
   at System.Windows.Forms.NativeWindow.Callback(IntPtr hWnd, Int32 msg, IntPtr wparam, IntPtr lparam)

************** Loaded Assemblies **************
mscorlib
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.42 (RTM.050727-4200)
    CodeBase: file:///C:/WINDOWS/Microsoft.NET/Framework/v2.0.50727/mscorlib.dll
----------------------------------------
PAWinUI
    Assembly Version: 1.0.0.0
    Win32 Version: 1.0.0.0
    CodeBase: file:///C:/Development/PersonalAsset/PersonalAsset.Library/PAWinUI/bin/Release/PAWinUI.exe
----------------------------------------
System.Windows.Forms
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.42 (RTM.050727-4200)
    CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System.Windows.Forms/2.0.0.0__b77a5c561934e089/System.Windows.Forms.dll
----------------------------------------
System
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.42 (RTM.050727-4200)
    CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System/2.0.0.0__b77a5c561934e089/System.dll
----------------------------------------
System.Drawing
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.42 (RTM.050727-4200)
    CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System.Drawing/2.0.0.0__b03f5f7f11d50a3a/System.Drawing.dll
----------------------------------------
System.Configuration
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.42 (RTM.050727-4200)
    CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System.Configuration/2.0.0.0__b03f5f7f11d50a3a/System.Configuration.dll
----------------------------------------
System.Xml
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.42 (RTM.050727-4200)
    CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System.Xml/2.0.0.0__b77a5c561934e089/System.Xml.dll
----------------------------------------
PersonalAsset.Library
    Assembly Version: 1.0.0.0
    Win32 Version: 1.0.0.0
    CodeBase: file:///C:/Development/PersonalAsset/PersonalAsset.Library/PAWinUI/bin/Release/PersonalAsset.Library.DLL
----------------------------------------
Csla
    Assembly Version: 2.0.3.0
    Win32 Version: 1.0.0.0
    CodeBase: file:///C:/Development/PersonalAsset/PersonalAsset.Library/PAWinUI/bin/Release/Csla.DLL
----------------------------------------
System.Web
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.210 (QFE.050727-2100)
    CodeBase: file:///C:/WINDOWS/assembly/GAC_32/System.Web/2.0.0.0__b03f5f7f11d50a3a/System.Web.dll
----------------------------------------
CommonResources
    Assembly Version: 1.0.0.0
    Win32 Version: 1.0.0.0
    CodeBase: file:///C:/Development/PersonalAsset/PersonalAsset.Library/PAWinUI/bin/Release/CommonResources.DLL
----------------------------------------
System.Runtime.Remoting
    Assembly Version: 2.0.0.0
    Win32 Version: 2.0.50727.42 (RTM.050727-4200)
    CodeBase: file:///C:/WINDOWS/assembly/GAC_MSIL/System.Runtime.Remoting/2.0.0.0__b77a5c561934e089/System.Runtime.Remoting.dll
----------------------------------------

************** JIT Debugging **************
To enable just-in-time (JIT) debugging, the .config file for this
application or computer (machine.config) must have the
jitDebugging value set in the system.windows.forms section.
The application must also be compiled with debugging
enabled.

For example:

When JIT debugging is enabled, any unhandled exception
will be sent to the JIT debugger registered on the computer
rather than be handled by this dialog box.

guyroch replied on Tuesday, October 31, 2006

dan72:

************** Exception Text **************
System.Runtime.Serialization.SerializationException: Because of security restrictions, the type PersonalAsset.Library.Security.PAIdentity+Criteria cannot be accessed. ---> System.Security.SecurityException: Request failed.
at System.Runtime.Serialization.FormatterServices.nativeGetSafeUninitializedObject(RuntimeType type)
at System.Runtime.Serialization.FormatterServices.GetSafeUninitializedObject(Type type)

Could be on the right track here, you error message does talk about the Criteria class in your PAIdentity class. Make sure its Serializable.

Best regards,

dan72 replied on Tuesday, October 31, 2006

Thanks for your help - I wasn't sure how to check the remote host was up - at least I know that works.

I checked the entire project for the serializable attribute and did find one offender - though not in the PAIdentity class. Rebuilt and retested and I'm still getting the same error.

Must be something odd in my code - I tried setting up the remote host on another 2003 server box and I still get the same error.

Any one else game to help?

guyroch replied on Tuesday, October 31, 2006

Hey, one other thing. It just daunt on me that the culprit here is your Identity class. There is an old issue that keep coming back from time to time, though the error would more around the lines of GenericPrincipal, YOU SHOULD TRY a logout before login in the first time. This might seem odd, but it will set the underlying Principal/Identity pair to the right type. It’s worth a shot here even if the exception defers from what I've seen in the past.

Bayu replied on Tuesday, October 31, 2006

guyroch:
Hey, one other thing. It just daunt on me that the culprit here is your Identity class. There is an old issue that keep coming back from time to time, though the error would more around the lines of GenericPrincipal, YOU SHOULD TRY a logout be login in the first time. This might seem odd, but it will set the underlying Principal/Identity pair to the right type. It’s worth a shot here even if the exception defers from what I've seen in the past.

I think guyroch is straight on.

If you have a web app, check the Global.asax file in the PTWeb sample, over there a logout is performed at startup. This does exactly what guy mentions: it will set the correct principal/identity types.

In case of a winforms app: you need to do something similar at startup. I do it as part of my CAB boot, but in your case you can find relevant sample code in the PTWin sample.

(fingers crossed ;-) )

Bayu

dan72 replied on Tuesday, October 31, 2006

Sorry to report back with bad news. I rebooted both machines and then I added the logout call on startup and made sure that call setups up the unuathenticated identity/principle and no joy Crying [:'(]

I'm heading home now - I'll give it another look tomorrow.

Thanks again.

guyroch replied on Wednesday, November 01, 2006

Dan, can you send me your Principal/Identity business objects. I'll take a look, maybe I'll spot something. Your remoting hosts does work, so I'm thinking it could be something in your code. :(

guyroch [no spam please] at gmail dot com

Thanks

Bayu replied on Tuesday, October 31, 2006

Hey,

Have you ever successfully run your setup?
Or did it work before but some change caused the malfunction?

In case of the former, then check if you remotinghost works by directly typing in the URL of your remoting host in a browser (in my case it is http://localhost/DBHost/RemotingPortal.rem). Note, this will always return an exception:

- if get the following message:
System.Runtime.Remoting.RemotingException: Requested Service not found

Then all is fine.

- if you get some extensive ASP.NET exception message you know something is not correctly set up, most probably one that is related to security (but read exception message for details), try to solve this by configuring a specific account that is used by ASP.Net AND which has access to the database (or try giving the system's ASPNET and IUSR_<YOUR_MACHINENAME> accound access to your DB, this is of course not recommended practice, but just for testing ... )

If all is fine and it still does not work .... then come back here. ;-)

Bayu

dan72 replied on Tuesday, October 31, 2006

Thanks Guy and Bayu,

I've confirmed 1. that the csla assembly is signed, and 2, that the remoting app is running correctly using the ?wsdl parameter.

I've run this project successfully using the local data portal. I'm getting this errorr trying the remote data portal (remoting channel) using local IIS as a host.

Any other ideas?

P.S I run the IIS web app under full trust

and here's the full exception:

guyroch replied on Tuesday, October 31, 2006

Are you using a Virtual Directory to reach your remoting hosts? Is the virtual directory located under the wwwroot folder or is someplace else? If it's someplace else make sure ASPNET and IUSR_<YOUR_MACHINENAME> have access to the folder.

Also, have you included _ALL_ of your BO's assemblies along with the Csls.dll assembly in your web project? This is required.

Can you post the first few lines you get back when you try the following in your address bar, it might help. http://localhost/MyRemoringTest/RemotingPortal.rem?wsdl

Step #4 http://forums.lhotka.net/forums/post/6131.aspx

dan72 replied on Tuesday, October 31, 2006

Yes - a virtual directory under wwwroot - I had to add ASPNET account but that made no difference.

To my web project I've referenced one other project used by my single business object assembly. I have also signed these assemblies just in case. Here's the ?wsdl output

<?xml version="1.0" encoding="UTF-8" ?>

- <definitions name="RemotingPortal" targetNamespace="http://schemas.microsoft.com/clr/nsassem/Csla.Server.Hosts/Csla%2C%20Version%3D2.0.3.0%2C%20Culture%3Dneutral%2C%20PublicKeyToken%3D93be5fdc093e4c30" xmlns="http://schemas.xmlsoap.org/wsdl/" xmlns:tns="http://schemas.microsoft.com/clr/nsassem/Csla.Server.Hosts/Csla%2C%20Version%3D2.0.3.0%2C%20Culture%3Dneutral%2C%20PublicKeyToken%3D93be5fdc093e4c30" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:suds="http://www.w3.org/2000/wsdl/suds" xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/" xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/" xmlns:ns2="http://schemas.microsoft.com/clr/nsassem/Csla.Server/Csla%2C%20Version%3D2.0.3.0%2C%20Culture%3Dneutral%2C%20PublicKeyToken%3D93be5fdc093e4c30" xmlns:ns3="http://schemas.microsoft.com/clr/nsassem/Csla.Server.Hosts.RemotingPortal/Csla%2C%20Version%3D2.0.3.0%2C%20Culture%3Dneutral%2C%20PublicKeyToken%3D93be5fdc093e4c30" xmlns:ns0="http://schemas.microsoft.com/clr/nsassem/Csla.Server.Hosts/Csla%2C%20Version%3D2.0.3.0%2C%20Culture%3Dneutral%2C%20PublicKeyToken%3D93be5fdc093e4c30" xmlns:ns1="http://schemas.microsoft.com/clr/ns/System" xmlns:ns4="http://schemas.microsoft.com/clr/nsassem/Csla.Server.IDataPortalServer/Csla%2C%20Version%3D2.0.3.0%2C%20Culture%3Dneutral%2C%20PublicKeyToken%3D93be5fdc093e4c30" xmlns:ns5="http://schemas.microsoft.com/clr/nsassem/System.Collections.Specialized/System%2C%20Version%3D2.0.0.0%2C%20Culture%3Dneutral%2C%20PublicKeyToken%3Db77a5c561934e089" xmlns:ns6="http://schemas.microsoft.com/clr/nsassem/Csla.Server.DataPortalResult/Csla%2C%20Version%3D2.0.3.0%2C%20Culture%3Dneutral%2C%20PublicKeyToken%3D93be5fdc093e4c30" xmlns:ns7="http://schemas.microsoft.com/clr/ns/System.Security.Principal" xmlns:ns8="http://schemas.microsoft.com/clr/nsassem/Csla.Server.DataPortalContext/Csla%2C%20Version%3D2.0.3.0%2C%20Culture%3Dneutral%2C%20PublicKeyToken%3D93be5fdc093e4c30" xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/">

- <message name="RemotingPortal.CreateInput">

guyroch replied on Tuesday, October 31, 2006

That settles it then, remoting does work given this output.

The next thing I guess would be to make sure that _all_ of your classes are serializable. Make sure you have the serializable attributes on all classes, even embeded classes such as the Criteria class.

I'm running out of ideas here... :(