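How do I make my application run in full trust - .NET 4.0 console application

Time: 2011-11-30 22:32:52

Tags: security .net-4.0 full-trust

We are having a problem with a command-line (batch) application and full/partial trust.

Our previous version (version number 7.13.0.63) ran fine; however, when we install the new version (7.13.0.249), we get a "That assembly does not allow partially trusted callers." exception: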

Stack Trace (edited):
   at System.RuntimeTypeHandle.CreateInstance(RuntimeType type, Boolean publicOnly, Boolean noCheck, Boolean& canBeCached, RuntimeMethodHandleInternal& ctor, Boolean& bNeedSecurityCheck)
   at System.RuntimeType.CreateInstanceSlow(Boolean publicOnly, Boolean skipCheckThis, Boolean fillCache)
   at System.RuntimeType.CreateInstanceDefaultCtor(Boolean publicOnly, Boolean skipVisibilityChecks, Boolean skipCheckThis, Boolean fillCache)
   at System.Activator.CreateInstance[T]()
   at <Company>.Service.<Product>.Proxy.Factories.ControllerProxyFactory.Create[T]()
   <Stack Trace that leads to creation of a WCF client> ...

Inner Exception:
An error occurred creating the configuration section handler for system.serviceModel/behaviors: That assembly does not allow partially trusted callers. (C:\Program Files (x86)\InsuranceLine\ListLoader\InsuranceLine.ListLoader.Launcher.exe.Config line 53)
Stack Trace:
   at System.Configuration.BaseConfigurationRecord.EvaluateOne(String[] keys, SectionInput input, Boolean isTrusted, FactoryRecord factoryRecord, SectionRecordsectionRecord, Object parentResult)
   at System.Configuration.BaseConfigurationRecord.Evaluate(FactoryRecord factoryRecord, SectionRecord sectionRecord, Object parentResult, Boolean getLkg, Boolean getRuntimeObject, Object& result, Object& resultRuntimeObject)
   at System.Configuration.BaseConfigurationRecord.GetSectionRecursive(String configKey, Boolean getLkg, Boolean checkPermission, Boolean getRuntimeObject, Boolean requestIsHere, Object& result, Object& resultRuntimeObject)
   at System.Configuration.BaseConfigurationRecord.GetSectionRecursive(String configKey, Boolean getLkg, Boolean checkPermission, Boolean getRuntimeObject, Boolean requestIsHere, Object& result, Object& resultRuntimeObject)
   at System.Configuration.BaseConfigurationRecord.GetSectionRecursive(String configKey, Boolean getLkg, Boolean checkPermission, Boolean getRuntimeObject, Boolean requestIsHere, Object& result, Object& resultRuntimeObject)
   at System.Configuration.BaseConfigurationRecord.GetSection(String configKey)
   at System.Configuration.ClientConfigurationSystem.System.Configuration.Internal.IInternalConfigSystem.GetSection(String sectionName)
   at System.Configuration.ConfigurationManager.GetSection(String sectionName)
   at System.ServiceModel.Activation.AspNetEnvironment.UnsafeGetSectionFromConfigurationManager(String sectionPath)
   at System.ServiceModel.Activation.AspNetEnvironment.UnsafeGetConfigurationSection(String sectionPath)
   at System.ServiceModel.Configuration.ConfigurationHelpers.UnsafeGetAssociatedSection(ContextInformation evalContext, String sectionPath)
   at System.ServiceModel.Description.ConfigLoader.LookupChannel(ContextInformation configurationContext, String configurationName, ContractDescription contract, EndpointAddress address, Boolean wildcard, Boolean useChannelElementKind, ServiceEndpoint& serviceEndpoint)
   at System.ServiceModel.ChannelFactory.InitializeEndpoint(String configurationName, EndpointAddress address)
   at System.ServiceModel.ChannelFactory`1..ctor(String endpointConfigurationName, EndpointAddress remoteAddress)
   <Stack Trace that determines the correct WCF factory to create>

Inner Exception:
That assembly does not allow partially trusted callers.
Stack Trace:
   at System.Security.CodeAccessSecurityEngine.ThrowSecurityException(RuntimeAssembly asm, PermissionSet granted, PermissionSet refused, RuntimeMethodHandleInternal rmh, SecurityAction action, Object demand, IPermission permThatFailed)
   at System.RuntimeTypeHandle.CreateInstance(RuntimeType type, Boolean publicOnly, Boolean noCheck, Boolean& canBeCached, RuntimeMethodHandleInternal& ctor, Boolean& bNeedSecurityCheck)
   at System.RuntimeType.CreateInstanceSlow(Boolean publicOnly, Boolean skipCheckThis, Boolean fillCache)
   at System.RuntimeType.CreateInstanceDefaultCtor(Boolean publicOnly, Boolean skipVisibilityChecks, Boolean skipCheckThis, Boolean fillCache)
   at System.Activator.CreateInstance(Type type, Boolean nonPublic)
   at System.ServiceModel.Configuration.ServiceModelExtensionCollectionElement`1.CreateNewSection(String name)
   at System.ServiceModel.Configuration.ServiceModelExtensionCollectionElement`1.DeserializeElementCore(XmlReader reader)
   at System.ServiceModel.Configuration.ServiceModelExtensionCollectionElement`1.DeserializeElement(XmlReader reader, Boolean serializeCollectionKey)
   at System.Configuration.ConfigurationElementCollection.OnDeserializeUnrecognizedElement(String elementName, XmlReader reader)
   at System.Configuration.ConfigurationElement.DeserializeElement(XmlReader reader, Boolean serializeCollectionKey)
   at System.Configuration.ConfigurationElement.DeserializeElement(XmlReader reader, Boolean serializeCollectionKey)
   at System.Configuration.ConfigurationSection.DeserializeSection(XmlReader reader)
   at System.Configuration.RuntimeConfigurationRecord.RuntimeConfigurationFactory.CreateSectionImpl(RuntimeConfigurationRecord configRecord, FactoryRecord factoryRecord, SectionRecord sectionRecord, Object parentConfig, ConfigXmlReader reader)
   at System.Configuration.RuntimeConfigurationRecord.RuntimeConfigurationFactory.CreateSectionWithRestrictedPermissions(RuntimeConfigurationRecord configRecord, FactoryRecord factoryRecord, SectionRecord sectionRecord, Object parentConfig, ConfigXmlReader reader)
   at System.Configuration.RuntimeConfigurationRecord.CreateSection(Boolean inputIsTrusted, FactoryRecord factoryRecord, SectionRecord sectionRecord, Object parentConfig, ConfigXmlReader reader)
   at System.Configuration.BaseConfigurationRecord.CallCreateSection(Boolean inputIsTrusted, FactoryRecord factoryRecord, SectionRecord sectionRecord, Object parentConfig, ConfigXmlReader reader, String filename, Int32 line)

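Regarding the process we use to deploy the product, we use an MSI created with WiX. We perform the following steps:

  • Uninstall the previous version of the product
  • Copy the msi from a network share (the same share for both versions, different subdirectories based on version)
  • Install the msi as administrator
    • This installs to C:\Program Files (x86)

The only changes between the two versions are:

  • Inclusion of an extra AppSettings item in the app.config file (myapp.exe.config) to specify a transaction timeout
  • Changing "using new TransactionScope()" to "using new TransactionScope(TransactionScopeOption.Required, timeoutValueReadFromAppSettingsAndStoredInLocalVariable)"
    • The creation of the WCF client does not occur within this transaction scope.

Other information:

  • The exception does not occur in our dev / staging / qa / pre-production environments. It only occurs on our production application server.
  • We are in the middle of rolling out Windows 7 to the organization, so enterprise policies may have changed.
  • The application targets .NET Framework 4.0
  • If we uninstall the new version and reinstall the old version (including the copy from the network share), the old version still works fine
  • The machine being installed on is Windows Server 2008 R2
  • The machine is a virtual machine hosted in a VMware environment

Ideally, I would like to know a few things:

  1. How to change the assembly (or set permissions after installation) so that it can run in full trust
  2. How to replicate the problem in the dev / staging / QA environments
    • Explicitly "untrusting" the assembly might reproduce it, but I would like to reproduce it in the same way as production, so that it is identified as untrusted at installation time. It seems to me that the way to do this would have something to do with "untrusting" the network share I copy the MSI from, the MSI/assembly, or perhaps "untrusting" the publisher information.
  3. How to configure the production application server / security policy so that future installations are fully trusted (the answer to item 2 will most likely answer this)
  4. Since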

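1 answer:

Answer 0: (score: 1)

This is very odd, since the .NET 4.0 CLR does not apply CAS security policy by default, so you would actually have to make some sort of (hopefully) deliberate change for a locally installed command-line application to end up partially trusted.

Before trying to dig deeper into potential causes, could you please verify the following:

  1. Does your app.config file contain a NetFx40_LegacySecurityPolicy element?
  2. Is your application actually running under the 4.0 CLR on the problem machine? (If you can't modify the source to output the value of Environment.Version before the exception is thrown, Process Explorer should allow you to determine which CLR version is running.)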
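
The two checks requested in the answer, together with the trust level the CLR actually granted, as an added C# example that is not part of the original answer or the asker's code. The class name `TrustDiagnostics` is hypothetical, and the output is only meaningful when this code runs inside the affected application (same executable and .exe.config) on the problem machine.

```csharp
// Added diagnostic example, not code from the original answer. .NET Framework 4.0.
using System;
using System.IO;
using System.Linq;
using System.Reflection;
using System.Security.Policy;
using System.Xml.Linq;

static class TrustDiagnostics // hypothetical name
{
    // True when the config file enables legacy CAS policy, i.e. contains
    // <configuration><runtime><NetFx40_LegacySecurityPolicy enabled="true"/>.
    static bool LegacyCasPolicyEnabled(string configPath)
    {
        if (!File.Exists(configPath)) return false;
        XElement runtime = XDocument.Load(configPath).Root.Element("runtime");
        return runtime != null && runtime
            .Elements("NetFx40_LegacySecurityPolicy")
            .Any(e => string.Equals((string)e.Attribute("enabled"), "true",
                                    StringComparison.OrdinalIgnoreCase));
    }

    static void Main()
    {
        AppDomain domain = AppDomain.CurrentDomain;
        Assembly entry = Assembly.GetExecutingAssembly();

        // Check 2 from the answer: the CLR version actually hosting the process.
        Console.WriteLine("CLR version:           {0}", Environment.Version);

        // Trust actually granted; a locally installed 4.0 console app is
        // expected to report True for both unless CAS policy is in effect.
        Console.WriteLine("AppDomain full trust:  {0}", domain.IsFullyTrusted);
        Console.WriteLine("Assembly full trust:   {0}", entry.IsFullyTrusted);

        // Zone evidence the CLR assigned to the assembly (null if none).
        Zone zone = entry.Evidence.GetHostEvidence<Zone>();
        Console.WriteLine("Zone evidence:         {0}",
            zone == null ? "(none)" : zone.SecurityZone.ToString());

        // Check 1 from the answer: legacy CAS policy switch in the app config.
        string configPath = domain.SetupInformation.ConfigurationFile;
        Console.WriteLine("Config file:           {0}", configPath);
        Console.WriteLine("Legacy CAS policy on:  {0}", LegacyCasPolicyEnabled(configPath));
    }
}
```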