.Net Remoting – Changes for .Net 1.1 / Visual Studio 2003

在测试Ingo RammerAdvance .Net Remoting》第6章的内容时,出现了一些异常。这些主要是因为.Net Remoting Framework 1.11.0版本进行了安全限制的修改。<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" />

如果在.Net Framework 1.1版本上使用CAO对象、eventsdelegates时,程序抛出如下异常:

System.Security.SecurityException.

Type System.DelegateSerializationHolder and the types derived from it (such as System.DelegateSerializationHolder) are not permitted to be deserialized at this security level.

System.Runtime.Serialization.SerializationException

Because of security restrictions, the type System.Runtime.Remoting.ObjRef cannot be accessed.

 

原因是.Net Framework 1.1版本进行了一些安全设置方面的变化,具体改变可以参考下面Reference 2

Any remoting system that relies on run-time type validation must deserialize a remote stream to begin using it, and malicious clients could use the moment of serialization or deserialization to the detriment of your application. To protect against such clients, .NET remoting provides two levels of automatic deserialization, Low and Full. Low is the default value, and enables most basic remoting functionality, such as automatic deserialization of remoting infrastructure types, and a limited set of system-implemented types. Full supports automatic deserialization of all types that remoting supports in all situations. See below for a complete description of the settings.

Do not assume that controlling deserialization is the only security your application needs. In distributed applications even a high degree of control over serialization will not prevent malicious clients from intercepting the communication and using that in some way. Therefore, although the Low deserialization level will protect the remoting server from being directly exploited, you must still use authentication and encryption to completely protect your investment in your data.

 

为了防止来自Client恶意攻击,.Net Framework 1.1缺省关闭了自动序列化定制类型的功能。

 

解决办法:

1,通过程序来设置序列化级别

To set the serialization level programmatically, pass the following property to the SoapServerFormatterSinkProvider or BinaryServerFormatterSinkProvider on creation. The remoting system will then set the value on the formatter when it is inserted into the sink chain.
[C#]
IDictionary props = new Hashtable();
props["typeFilterLevel"] = "Full";
BinaryServerFormatterSinkProvider formatterProvider = new BinaryServerFormatterSinkProvider(props, null);

 

2,通过configuration配置文件来设置序列化级别(比较简单)

.Net Remoting配置文件中,需要显式设定<formatter>元素的typeFilterLevel属性。尽管一般情况只要在Server端进行设置,但是如果需要控制Client端信道的序列化级别,这些信道注册用来监听回调(callback),你也需要在Client端配置文件进行相应的设置。

如下配置文件设置SoapFormmaterBinaryFormatter的序列化级别为Full

<configuration>

<system.runtime.remoting>

<application>

<service>

<wellknown

type="ServiceType, common" objectUri=" ServiceType.soap" mode="Singleton"

/>

</service>

 

<channels>

<channel ref="http">

<serverProviders>

<provider ref="wsdl" />

          <formatter ref="soap" typeFilterLevel="Full" />

<formatter ref="binary" typeFilterLevel="Full" />

</serverProviders>

</channel>

</channels>

</application>

</configuration>

 

 

Reference:

1. Ingo Rammer,  http://www.thinktecture.com/Resources/RemotingFAQ/changes2003.html

2. www.gotdotnet.com, http://www.gotdotnet.com/team/changeinfo/Backwards1.0to1.1/default.aspx#00000153

3. Ingo Rammer, Advanced .Net Remoting

转载于:https://www.cnblogs.com/rickie/archive/2004/10/12/51072.html

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值