Silverlight 5 – Trusted applications

http://www.pitorque.de/MisterGoodcat/post/Silverlight-5-Tidbits-Trusted-applications.aspx

Silverlight 5 Tidbits – Trusted applications

by Mister Goodcat, 24. April 2011 14:30

Edit 2011-12-11: This article is compatible with the final version of Silverlight 5 (5.0.61118.0).

This post is part of a mini series about Silverlight 5:

One of the interesting features for enterprise use of Silverlight 5 is the possibility to have trusted applications running in browser. This further simplifies distribution and maintenance of Silverlight applications without giving up the option to use “trusted-only” features. In this article we’ll also see what has changed for trusted applications in general compared to Silverlight 4.

The situation so far

Trusted applications are already available in Silverlight, and they add the possibility to do things that weren’t possible due to security restrictions before. Features like COM Automation also enable a whole new field of scenarios, for example to interact with legacy or native applications and local hardware.

However, trusted applications require that Silverlight runs out of browser, and even if the user confirmed the trust request, there were several restrictions in place, for example regarding file system access. Oddly enough, some of these restrictions were only applied to the managed API but could be worked around using COM Automation.

What’s new in Silverlight 5

For the next release of Silverlight, Microsoft has relaxed some of the remaining restrictions for trusted applications, and it’s also possible to run trusted applications in the browser now. We’ll see how this works in a second.

In-browser trusted apps

One thing to understand first is that this feature obviously is not meant for random internet applications. It requires signed XAPs, locally installed certificates and a certain registry key to be set, which e.g. can be managed through Group Policy. This makes it pretty difficult to use for applications outside a closed environment like an enterprise.

The first thing to do to use this feature is to enable in-browser elevated trust support in the project settings, an option that is new for Silverlight 5 applications.


Now add some code that tries to do something that requires elevated trust, for example writing to the file system without user consent:

// namespaces used by this handler
using System;
using System.IO;
using System.Text;
using System.Windows;

// field in the page class, used to generate a random file name
private readonly Random _rnd = new Random();

private void WriteFileButton_Click(object sender, RoutedEventArgs e)
{
    // check if we can actually do this
    if (!Application.Current.HasElevatedPermissions)
    {
        MessageBox.Show("Application requires elevated trust for this!");
        return;
    }

    // create a directory if necessary
    var tempDirectory = @"c:\temp";
    if (!Directory.Exists(tempDirectory))
    {
        Directory.CreateDirectory(tempDirectory);
    }

    // build the full filename
    var filename = string.Format("tempFile-{0}.txt", _rnd.Next(0, 65536));
    var fullPath = Path.Combine(tempDirectory, filename);

    // write a new file
    using (FileStream fs = File.Create(fullPath))
    using (StreamWriter sr = new StreamWriter(fs, Encoding.UTF8))
    {
        sr.WriteLine("Hallo from a trusted app!");
    }

    // Notify the user
    MessageBox.Show("File has been created.");
}

Interestingly, if you run your application and click the button, a file is actually written to the c:\temp folder! But we didn’t even set any registry key, let alone sign the XAP? The reason it works is that none of this is required when the application is started from a “localhost” URL. This simplifies testing in your development environment without the need to change your system settings. If you try to access the same page e.g. through the machine name, “HasElevatedPermissions” will return false, or you will receive a security exception (operation not permitted) if you don’t do this check.

Note: to enable access to your application other than through “localhost”, you may need to host it in IIS or add a binding for that to the configuration of IIS Express.

Ok, now we know the background, but how do we actually set up the application to work from other locations than “localhost”?

Adding the required registry setting

Information about the registry setting in question can be found here. In particular, you need to add the following information:

  • Value name: AllowElevatedTrustAppsInBrowser
  • Value type: DWORD
  • Possible values: 0x00000000 (disabled) or 0x00000001 (enabled)

The path to that value depends on the operating system and is different for 32-bit and 64-bit:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Silverlight\ (for 32-bit) or
  • HKEY_LOCAL_MACHINE\Software\Wow6432Node\Microsoft\Silverlight (for 64-bit)

Signing your XAP file

The next requirement is that you sign your XAP file. You can do that directly from Visual Studio and select an existing certificate from a file or store as well as issuing a test certificate (which I did in the screenshot below):


Deploying the certificate

Once again, for testing you can do this directly from Visual Studio. Normally this is something that would be set up by an enterprise/company administrator for the users.

Click on “More Details…” on the “Signing” tab of your project settings (see screenshot above). There you can install the certificate locally:


In the next step, select the store manually and choose “Trusted Publishers”:


Repeat the same process and this time choose “Trusted Root Certification Authorities” if necessary, for example when you’re working with a self-signed test certificate.

Once both deployment steps are finished, recompile your application and run it, using the machine name to access the page. This time you will successfully be able to create the files:


Troubleshooting

One thing to keep in mind is that even if your application runs as a trusted in-browser app, it is still subject to the security restrictions the browser itself imposes. That means that its possibilities may be much more restricted than if it ran out of browser, for example by Internet Explorer’s Protected Mode. In addition, the Silverlight runtime itself restricts use of certain features for in-browser trusted apps, for example you cannot use the Window class and/or create additional windows when you’re running in the browser.

If none of the above applies to you and you still run into problems, one thing to do is check whether your certificate(s) have been installed correctly. There’s a snap-in for the management console for this. Here is an article that describes how to get there (note that you should add a snap-in for your user account, not the computer account as in this description).

You can also check whether your registry key is actually and successfully queried, for example by using a tool like Process Monitor from the Sysinternals Suite. Watch for operations of type “RegQueryValue” of your browser executable that access the key we created above, and make sure the Result is “SUCCESS”.
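
The two checks described above (registry value and certificate installation), as an added PowerShell example that is not part of the original article. It reads AllowElevatedTrustAppsInBrowser from both registry paths given earlier and looks for the signing certificate in the current user's "Trusted Publishers" and "Trusted Root Certification Authorities" stores; the thumbprint is a placeholder to replace with that of your own certificate.

```powershell
# Added example, not from the original article.
param(
    # Placeholder: thumbprint of the certificate the XAP was signed with
    [string]$Thumbprint = '<SIGNING-CERT-THUMBPRINT>'
)

$valueName = 'AllowElevatedTrustAppsInBrowser'
$keys = @(
    'HKLM:\Software\Microsoft\Silverlight',               # path the article gives for 32-bit
    'HKLM:\Software\Wow6432Node\Microsoft\Silverlight'    # path the article gives for 64-bit
)

foreach ($key in $keys) {
    if (-not (Test-Path $key)) {
        $state = 'key does not exist'
    } else {
        $item = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
        if ($null -eq $item)            { $state = 'value not set' }
        elseif ($item.$valueName -eq 1) { $state = 'enabled (0x00000001)' }
        else                            { $state = 'disabled (0x{0:X8})' -f $item.$valueName }
    }
    [pscustomobject]@{ Check = 'Registry'; Location = $key; Result = $state }
}

# Store names as PowerShell exposes them:
#   TrustedPublisher = "Trusted Publishers"
#   Root             = "Trusted Root Certification Authorities"
# CurrentUser is used because the article says to inspect the user account's stores.
foreach ($store in 'TrustedPublisher', 'Root') {
    $path = "Cert:\CurrentUser\$store"
    $cert = Get-ChildItem -Path $path |
        Where-Object { $_.Thumbprint -eq $Thumbprint } |
        Select-Object -First 1

    if (-not $cert)                          { $result = 'missing' }
    elseif ($cert.NotAfter -lt (Get-Date))   { $result = "present but expired on $($cert.NotAfter)" }
    else                                     { $result = "present, valid until $($cert.NotAfter)" }

    [pscustomobject]@{ Check = 'Certificate'; Location = $path; Result = $result }
}
```

For a self-signed test certificate both store rows should report "present"; a "missing" row for the Root store matches the failure the article describes when the second deployment step is skipped.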

Further information about trusted apps in Silverlight 5 can be found here, particular information about enabling in-browser trusted apps here.

Further improvements

The above sample already shows one improvement of trusted applications in Silverlight 5: we were able to write to an arbitrary folder on the hard disk, which would have failed in Silverlight 4 even for trusted applications. In detail, the improvements are:

  • “Full” access to the file system. The documentation says “unlimited access to the local file system”; however, this is only half the truth. You still cannot write to certain system folders (like the Windows folder), and in-browser trusted apps are in addition restricted by browser security settings (see above).
  • Some full-screen mode improvements are added. Particularly interesting is that in-browser trusted apps can use the full screen mode without limitations (all keys etc.).
  • User consent and initiation. Trusted apps can now freely trigger certain actions which previously required user consent or had to be user-initiated. An exception to that is the use of the microphone and camera, for example.
  • Relaxed cross-domain access restrictions: Networking and socket communication have been changed so trusted apps are not subject to cross-domain and/or cross-scheme restrictions anymore. Some people will be very pleased to learn that in addition, the destination ports of TCP connections are not restricted to a certain range any longer.
  • Trusted in-browser apps can now use the web browser control to show HTML content, and in addition also notification windows.

Limitations

The obvious limitation is that in-browser trusted apps require quite some work to be set up (signed XAP, locally installed certificate, registry settings). But taking into consideration that this is meant to be an enterprise feature, this doesn’t come as a surprise; also, with the additional easing of restrictions for trusted apps and the fact that trusted in-browser apps are updated silently just like normal ones, it’s important that it’s not too easy for malicious apps to achieve this trust level (think simple confirmation dialog).

One major issue with in-browser trusted apps at the moment is that the use of the web browser control is restricted to Internet Explorer only. When you try to run the application in a different browser, you’ll receive the following message:

WebBrowser is enabled only for Out-of-Browser applications and applications running with elevated permissions in Internet Explorer.

I suspect that this will cause disappointment for some people; however, after speaking with Nick Kramer at MIX about this, I understand the problems here, and I hope that people will be fair and understand this is not solely an issue with Microsoft but a general problem with the different browser architectures and prerequisites.

Most of the other annoying or hard to justify restrictions for elevated trust applications of Silverlight 4 will be removed in version 5, and with features like P/Invoke even more possibilities will be added. At the moment I cannot see any huge obstacles that are still in effect to create sophisticated business applications in Silverlight 5, from a trust level point of view.

 

 

Silverlight Trusted Applications

Silverlight allows users to install out of browser applications via the Install dialog. Silverlight supports two kinds of out of browser applications: sandboxed applications, which run with the same security restrictions as in browser, and trusted applications, which run with additional permissions. Trusted applications are only available in Silverlight 4 and later. A trusted application can read and write user data, run other programs, and run without cross domain networking restrictions. Much like running a .exe, a trusted app should only be installed if it’s from a website you trust.

Silverlight provides settings to disable support for trusted applications, which is particularly useful for locked down environments. To provide additional control, Silverlight provides two different settings, one to control the installation of trusted applications, and the second to control the running of trusted apps that were previously installed. Neither setting affects sandboxed out of browser applications.

Both of these settings are available in the custom ADM or ADMX file you create using the text provided at the bottom of this page. The registry setting for trusted application installation that the administrative template files contain is:

Key path: HKEY_LOCAL_MACHINE\Software\Microsoft\Silverlight\
Value Name: AllowInstallOfElevatedTrustApps
Value Type: DWORD
Valid Values:
Disabled — 0x00000000
Enabled — 0x00000001

The registry setting for running trusted applications that the administrative template files contain is:

Key path: HKEY_LOCAL_MACHINE\Software\Microsoft\Silverlight\
Value Name: AllowLaunchOfElevatedTrustApps
Value Type: DWORD
Valid Values:
Disabled — 0x00000000
Enabled — 0x00000001
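
The two lock-down values above, applied and read back from an elevated PowerShell prompt (an added example, not part of the quoted documentation). It writes the same values the administrative template contains; also covering the Wow6432Node path on 64-bit Windows is an assumption carried over from the in-browser setting described earlier on this page.

```powershell
# Added example, not from the quoted documentation.
# Requires an elevated prompt: HKEY_LOCAL_MACHINE is not writable otherwise.
$values = 'AllowInstallOfElevatedTrustApps', 'AllowLaunchOfElevatedTrustApps'

$keys = @('HKLM:\Software\Microsoft\Silverlight')
if ([Environment]::Is64BitOperatingSystem) {
    # Assumption: a 32-bit browser on 64-bit Windows reads the redirected key
    $keys += 'HKLM:\Software\Wow6432Node\Microsoft\Silverlight'
}

foreach ($key in $keys) {
    # Create the key if Silverlight has not created it yet
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    foreach ($name in $values) {
        # 0x00000000 = disabled, as listed above
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 -Force | Out-Null

        # Read the value back so the report shows what is actually stored
        $stored = (Get-ItemProperty -Path $key -Name $name).$name
        [pscustomobject]@{
            Key   = $key
            Value = $name
            Data  = '0x{0:X8}' -f $stored
            State = if ($stored -eq 0) { 'Disabled' } else { 'Enabled' }
        }
    }
}
```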

 

http://stackoverflow.com/questions/11029399/silverlight-5-with-elevated-privileges-in-browser-using-clientaccesspolicy-xml

There is a good summary on how to enable in-browser elevated trust by Mister Goodcat here, where he also provides some troubleshooting tips:

  • One thing to keep in mind is that even if your application runs as trusted in-browser app, it is still subject to the security restrictions the browser itself imposes. That means that its possibilities may be much more restricted than if they ran out of browser, for example by Internet Explorer’s Protected Mode. In addition, the Silverlight runtime itself restricts use of certain features for in-browser trusted apps, for example you cannot use the Window class and/or create additional windows when you’re running in the browser.
  • If none of the above applies to you and you still run into problems, one thing to do is check whether your certificate(s) have been installed correctly. There’s a snap-in for the management console for this. Here is an article that describes how to get there (note that you should add a snap-in for your user account, not the computer account as in this description).
  • You can also check whether your registry key is actually and successfully queried, for example by using a tool like Process Monitor from the Sysinternals Suite. Watch for operations of type “RegQueryValue” of your browser executable that access the key we created above, and make sure the Result is “SUCCESS”.
answered Jun 14 at 9:04
Brilliant! I was missing the step where you put the certificate in “Trusted Root Certification Authorities”. Thanks for the extra hints on certificates and registry key as well. – ruffen Jun 14 at 9:27

 

 

 
