This is a migrated thread and some comments may be shown as answers.

Persister and security

John Roes asked on 29 Apr 2011, 04:50 PM
I have the Persister code working perfectly on a dev server.
GridSettingsPersister.vb located in the app_code directory.
I can get and save the session persisted value to an MSSQL database.
Click a "save" button to update a user database, load them into a session variable upon login and apply the session variable after page is loaded.
Everything works perfectly on dev server.

When I moved the code to production, the system hangs when I click the "save" button.
So, I then copied the grid persister values from the dev database to the production database.
Then when the value is retrieved and I try to apply it in the on page loaded code, I get a Security Exception error.

Any ideas what may be causing this?
Is this an "unmanaged" code error?


Security Exception

Description: The application attempted to perform an operation not allowed by the security policy.  To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.

Exception Details: System.Security.SecurityException: Request for the permission of type 'System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[SecurityException: Request for the permission of type 'System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.]
   System.Runtime.Serialization.Formatters.Binary.ObjectReader.CheckSecurity(ParseRecord pr) +7547187
   System.Runtime.Serialization.Formatters.Binary.ObjectReader.ParseObject(ParseRecord pr) +223
   System.Runtime.Serialization.Formatters.Binary.ObjectReader.Parse(ParseRecord pr) +34
   System.Runtime.Serialization.Formatters.Binary.__BinaryParser.ReadObjectWithMapTyped(BinaryObjectWithMapTyped record) +519
   System.Runtime.Serialization.Formatters.Binary.__BinaryParser.ReadObjectWithMapTyped(BinaryHeaderEnum binaryHeaderEnum) +61
   System.Runtime.Serialization.Formatters.Binary.__BinaryParser.Run() +253
   System.Runtime.Serialization.Formatters.Binary.ObjectReader.Deserialize(HeaderHandler handler, __BinaryParser serParser, Boolean fCheck, Boolean isCrossAppDomain, IMethodCallMessage methodCallMessage) +168
   System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Deserialize(Stream serializationStream, HeaderHandler handler, Boolean fCheck, Boolean isCrossAppDomain, IMethodCallMessage methodCallMessage) +203
   System.Runtime.Serialization.Formatters.Binary.BinaryFormatter.Deserialize(Stream serializationStream) +12
   System.Web.UI.ObjectStateFormatter.DeserializeValue(SerializerBinaryReader reader) +968
   System.Web.UI.ObjectStateFormatter.Deserialize(Stream inputStream) +135

4 Answers, 1 is accepted

0
John Roes
answered on 02 May 2011, 12:29 PM
I've been working on this and have been able to determine that it only works if the .Net Trust level is set to Full(Internal).
Any other setting, even setting the site as trusted in IE, causes the error.

It appears that this error is due to the serialization done by the LosFormatter, or some particular setting is causing it to invoke the binary formatter.

That said, since I am only trying to save column settings, can you tell me which of the grid settings in the GridSettingsPersister would force it to binary, or provide an example of how to change the LosFormatter to XML instead of binary?

Thanks!
0
Veli
Telerik team
answered on 05 May 2011, 08:47 AM
Hi John,

It really seems your server's security policy does not allow your application to use binary serialization. Here is the current state of binary serialization and security with respect to the GridSettingsPersister:

The default GridSettingsPersister implementation in the RadGrid persisting settings on a per-user basis demo uses the LosFormatter for serialization and deserialization purposes. As the documentation states, the LosFormatter is primarily used for ViewState serialization. And while it works in medium trust environments (where binary serialization is disallowed by default), its greatest limitation is that it cannot de/serialize object data between different assembly versions. This means that you cannot deserialize object data into objects from assembly version 2 that have been serialized from assembly version 1. Internally, the LosFormatter uses the ObjectStateFormatter for serialization and deserialization. As stated above, this should be working under default medium trust security settings.

Alternatively, you can modify the GridSettingsPersister to use the BinaryFormatter. With the BinaryFormatter, you can even deserialize objects from previous versions of the executing assembly (setting BinaryFormatter.AssemblyFormat = FormatterAssemblyStyle.Simple). The caveat to this approach is that default medium trust security settings do not allow usage of the BinaryFormatter for binary serialization.

Yet another option is to use the XmlSerializer for object-to-XML serialization. It should also work under default medium trust and you shouldn't run into assembly versioning issues here.

Now, based on your stack trace, you are using the first type of serialization - the ObjectStateFormatter. I do not have any information about your server's security settings, but the ObjectStateFormatter failing due to security permissions indicates that either you are in a trust level lower than medium, or you have custom security settings preventing serialization. Alternatively, if your assembly runs from a network share or a mapped drive, the exception you are getting may indicate your application is not granted permission to run from the network.

Finally, on the GridSettingsPersister and changing the serializer. The GridSettingsCollection class has ToString() and ToArray() methods that serialize the object and an overloaded LoadFromSerializedData method for deserialization. You need to modify these to change the serialization type.

Further info: MSDN Security & Serialization

Veli
the Telerik team

0
byoung
answered on 07 Dec 2012, 04:07 PM
Attempting to convert the GridSettingsPersister to use XmlSerializer. I am getting an error: "There was an error generating the XML document." The InnerException of this error reads {"The type System.Collections.ArrayList may not be used in this context."}

I cannot determine where this arraylist issue is coming from or how to get around it. What more do I need to change to make this work? Any ideas would be greatly appreciated.

Public Overloads Overrides Function ToString() As String
    Dim formatter As New XmlSerializer(Me.GetType())
    Dim writer As New StringWriter()
    formatter.Serialize(writer, Me)
    Return writer.ToString()
End Function

0
Antonio Stoilkov
Telerik team
answered on 12 Dec 2012, 12:08 PM
Hi Brian,

The experienced behavior is caused by the SortExpressionState property, which holds an ArrayList of GridSortExpression objects that causes the exception. Note that the GridSettingsPersister is not designed for XML serialization. However, you could achieve your scenario by updating the SaveSortExpressions method with the code shown below.

' Requires Imports System.IO and Imports System.Web.UI
Protected Overridable Sub SaveSortExpressions()
    Dim formatter As New LosFormatter()
    Dim writer As New StringWriter()
    ' Store the sort expressions as a LosFormatter string instead of an ArrayList
    formatter.Serialize(writer, DirectCast(Grid.MasterTableView.SortExpressions, IStateManager).SaveViewState())
    Settings.SortExpressionsState = writer.ToString()
End Sub


Kind regards,
Antonio Stoilkov
the Telerik team
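
An added example, not code from this thread or from Telerik: one way to take the XmlSerializer route Veli mentions without hitting the ArrayList problem Antonio describes is to persist a small typed settings class instead of the grid's own state objects. The names GridLayoutSettings, ColumnSetting, SortSetting and LoadFromXml are hypothetical, the sample values are constructed, and copying values between these objects and the grid is left to the page code.

```vb
Imports System
Imports System.Collections.Generic
Imports System.IO
Imports System.Xml.Serialization

' Hypothetical DTOs (not Telerik types). Only primitives and typed lists,
' so XmlSerializer never meets an untyped ArrayList or an Object graph.
Public Class ColumnSetting
    Public UniqueName As String
    Public OrderIndex As Integer
    Public Visible As Boolean
End Class

Public Class SortSetting
    Public FieldName As String
    Public Descending As Boolean
End Class

Public Class GridLayoutSettings
    Public Columns As New List(Of ColumnSetting)
    Public Sorts As New List(Of SortSetting)

    ' Serialize to an XML string that fits a text column in the user table.
    Public Overrides Function ToString() As String
        Dim serializer As New XmlSerializer(GetType(GridLayoutSettings))
        Using writer As New StringWriter()
            serializer.Serialize(writer, Me)
            Return writer.ToString()
        End Using
    End Function

    ' The expected type is fixed in code, so the stored string only ever
    ' populates GridLayoutSettings and the types it declares.
    Public Shared Function LoadFromXml(ByVal xml As String) As GridLayoutSettings
        Dim serializer As New XmlSerializer(GetType(GridLayoutSettings))
        Using reader As New StringReader(xml)
            Return DirectCast(serializer.Deserialize(reader), GridLayoutSettings)
        End Using
    End Function
End Class

Module Demo
    Sub Main()
        Dim saved As New GridLayoutSettings()
        saved.Columns.Add(New ColumnSetting With {.UniqueName = "OrderID", .OrderIndex = 2, .Visible = True})
        saved.Sorts.Add(New SortSetting With {.FieldName = "OrderDate", .Descending = True})
        Dim restored As GridLayoutSettings = GridLayoutSettings.LoadFromXml(saved.ToString())
        Console.WriteLine(restored.Columns(0).UniqueName & " sorted by " & restored.Sorts(0).FieldName)
    End Sub
End Module
```

Because nothing in this round trip reaches BinaryFormatter, the SecurityPermission demand shown in the stack trace at the top of the thread is not triggered by it.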