HOW TO: Alter the "SetSecurity" project to grant full trust to the add-in installation folder instead of the add-in assembly


Better late than never: I have been wanting to write this post for a long time, and it looks like the time has finally come! This is about adapting the "SetSecurity" project to grant full trust to the add-in installation folder instead of just the add-in assembly.

What is "SetSecurity"? It is a sample project that comes with the Deploying Office Solutions Using Windows Installer Version 3 Sample. The project grants trust to the customization assembly using a custom action. Want to know more? Read the following articles about deploying Visual Studio 2005 Tools for Office Second Edition solutions and granting permissions.

Deploying Visual Studio 2005 Tools for Office Second Edition Solutions Using Windows Installer (Part 1 of 2)
http://msdn.microsoft.com/en-us/library/bb332051.aspx

Deploying Visual Studio 2005 Tools for Office Second Edition Solutions Using Windows Installer: Walkthroughs (Part 2 of 2)
http://msdn.microsoft.com/en-us/library/bb332052.aspx

How to: Grant Permissions to Folders and Assemblies
http://msdn.microsoft.com/en-us/library/zdc263t0(VS.80).aspx

Why do I need to grant full trust to the add-in installation folder instead of the assembly? If your add-in is simple and contains only one assembly, this is not required. You need to do this when your project references other assemblies and they are deployed in the installation folder along with your add-in assembly.

If only the add-in assembly is trusted, your add-in will throw a security exception when it tries to load the other assemblies, because they are not trusted. If we trust the installation folder, all the assemblies in that folder are trusted and the add-in works fine.

The change we need to make is very small, and it is made in the AddSecurityPolicy method in the "CaspolSecurityPolicyCreator.cs" file.

Below are the changes:

1) Replace the following line:

string arguments = policyLevel + " -q -ag " + parentCodeGroup + " -url \"" + solutionInstallationUrl + "\" Nothing -n \"" + solutionCodeGroupName + "\" -d \"" + solutionCodeGroupDescription + "\"";

With

string arguments = policyLevel + " -q -ag " + parentCodeGroup + " -url \"" + solutionInstallationUrl + "\" FullTrust -n \"" + solutionCodeGroupName + "\" -d \"" + solutionCodeGroupDescription + "\"";

2) Comment out or delete the following try..catch block:

 
// Add the assembly code group. Grant FullTrust permissions to the main assembly.
try
{
    // Use the assembly strong name as the membership condition.
    // Ensure that the assembly is strong-named to give it full trust.
    AssemblyName assemblyName = Assembly.LoadFile(assemblyPath).GetName();
    arguments = policyLevel + " -q -ag \"" + solutionCodeGroupName + "\" -strong -file \"" + assemblyPath + "\" \"" 
           + assemblyName.Name + "\" \"" + assemblyName.Version.ToString(4) + "\" FullTrust -n \"" 
           + assemblyCodeGroupName + "\" -d \"" + assemblyCodeGroupDescription + "\"";

    RunCaspolCommand(frameworkFolder, arguments);
}
catch (Exception ex)
{
    try
    {
        // Clean the solutionCodeGroupName.
        RemoveSecurityPolicy(machinePolicyLevel, solutionCodeGroupName);
    }
    catch { }

    string error = String.Format("Cannot create the security code group '{0}'.", assemblyCodeGroupName);
    throw new Exception(error, ex);
}

These are the only two changes we need to make. The first change grants solutionInstallationUrl "FullTrust" instead of "Nothing", and the second change deletes the code that grants trust to the add-in assembly.

The rest is covered in the Deploying Visual Studio 2005 Tools for Office Second Edition Solutions Using Windows Installer: Walkthroughs (Part 2 of 2) article mentioned above.
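As an added illustration (not code from the SetSecurity sample; the class, the method names and the sample values are hypothetical), the following C# helper builds the folder-level caspol arguments that the modified line produces, together with the matching removal arguments for uninstall. It assumes the installation URL is the folder path followed by `\*` and that caspol signals failure with a non-zero exit code; neither detail is shown in the post.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.InteropServices;

// Added example; names are hypothetical and not part of the SetSecurity project.
static class FolderTrustExample
{
    // A double quote inside a value would end the quoted caspol argument early, so reject it.
    static string Quote(string value)
    {
        if (string.IsNullOrEmpty(value) || value.IndexOf('"') >= 0)
            throw new ArgumentException("Empty value or embedded quote: " + value);
        return "\"" + value + "\"";
    }

    // One code group with a URL membership condition and the FullTrust permission set.
    // The trailing \* matches every assembly under the folder, so only administrators should be able to write there.
    public static string AddArgs(string level, string parent, string installDir, string name, string desc)
    {
        string url = Path.GetFullPath(installDir).TrimEnd('\\') + "\\*";
        return level + " -q -ag " + Quote(parent) + " -url " + Quote(url)
             + " FullTrust -n " + Quote(name) + " -d " + Quote(desc);
    }

    // Uninstall counterpart: remove the code group by the same name that was used to add it.
    public static string RemoveArgs(string level, string name)
    {
        return level + " -q -rg " + Quote(name);
    }

    // Runs caspol.exe from the current runtime directory (needs administrator rights for -m).
    public static void RunCaspol(string arguments)
    {
        string caspol = Path.Combine(RuntimeEnvironment.GetRuntimeDirectory(), "caspol.exe");
        using (Process p = Process.Start(caspol, arguments))
        {
            p.WaitForExit();
            if (p.ExitCode != 0) throw new InvalidOperationException("caspol failed: " + arguments);
        }
    }

    static void Main()
    {
        // Constructed sample values; prints the command lines without changing any policy.
        Console.WriteLine(AddArgs("-m", "My_Computer_Zone", @"C:\Program Files\Contoso\SampleAddIn",
                                  "Contoso.SampleAddIn", "Sample add-in folder"));
        Console.WriteLine(RemoveArgs("-m", "Contoso.SampleAddIn"));
    }
}
```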

Comments (5)

  1. Mehul says:

    Good Article.

    I tried a lot to solve the error in my project, but finally I found this and it worked.

    Thanks!!!!

  2. David says:

    Thank you for the post, it has saved me a lot of hair pulling 🙂

    Note: Remember to uninstall previous versions so that the security policy is re-created with the new folder (rather than assembly) permissions.

  3. Sri.Net says:

    Thank you for the post… Thank you very much.

    I have a small problem with the uninstall.

    Everything from the install to the usage of the add-in is working fine.

    When I uninstall… the folder and the add-in are getting deleted, but the code access security entry in the .NET Framework configuration is not getting deleted,

    and every time I install it a new entry is getting created.

    What to do???

  4. Akashb says:

    Do you have the custom action set for the uninstall?

    You need to pass in the solutionCodeGroupName for the installer to be able to remove it.

  5. sri.net says:

    Sorry for the trouble.

    My problem was not the custom action alone…

    I commented out an additional line

       stateSaver.Add("allUsers", allUsers);

    which caused all the trouble.

    Anyway… thanks for the response.
