Owin - Startup is throwing error - owin

While trying to integrate the below example in my solution I am getting the below issue.
https://github.com/AzureADSamples/NativeClient-WindowsStore
Attempt to access method System.Management.Instrumentation.InstrumentedAttribute..ctor(System.String) in violation of security transparency rules failed.
I tried to add the key <trust level="Full" /> but it doesn't work.
Any help/pointers will be highly appreciated.

I had the same problem, but I resolved it.
I had this code in one of my assemblies (it is a custom implementation for Enterprise Library):
[assembly: Instrumented(@"root\EnterpriseLibrary")]
For some reason, the search for the OwinStartup attribute does not like this.

Related

What does the owin:AppStartup key in the ASP.Net Identity Samples Web.Config do?

I am using the code from the Microsoft ASP.NET Identity Samples 2.1.0-alpha1.
There's one area of the code that I do not understand and that is the web.config entry below:
<appSettings>
    <add key="owin:AppStartup" value="IdentitySample.Startup,WebApplication3" />
</appSettings>
My code does work without this but I am wondering if I should have something like this.
Can anyone explain to me what this does?
Basically this tells OWIN what method to execute on application start. The IdentitySample.Startup method contains code that bootstraps your application.
You can specify this class via an attribute [assembly: OwinStartup(typeof(StartupDemo.TestStartup))] if you wish.
But this one is web.config so it can be changed for different deployment strategies without recompiling the project.
See more details in the documentation.
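As an added illustration of the two ways of naming the startup class described in the answer above (this is example code, not the Identity sample's own): a minimal Microsoft.Owin (Katana) Startup class whose Configuration method builds the pipeline. It assumes the Microsoft.Owin and Microsoft.Owin.Host.SystemWeb NuGet packages; the names IdentitySample.Startup and WebApplication3 come from the web.config entry in the question. When both the attribute and the owin:AppStartup key are present, the web.config key takes precedence.

```csharp
// Added example, not code from the original question or the Identity sample.
// Assumes the Microsoft.Owin and Microsoft.Owin.Host.SystemWeb packages.
using System;
using System.Threading.Tasks;
using Microsoft.Owin;
using Owin;

// Option A: name the startup class with an assembly attribute. It is compiled in,
// so switching to another class means rebuilding.
[assembly: OwinStartup(typeof(IdentitySample.Startup))]

namespace IdentitySample
{
    // Option B (the one the question shows): name it in web.config instead, so a
    // deployment can point at a different class without recompiling:
    //   <appSettings>
    //     <add key="owin:AppStartup" value="IdentitySample.Startup,WebApplication3" />
    //   </appSettings>
    public class Startup
    {
        // Katana calls Configuration(IAppBuilder) once, on application start.
        // Everything registered here becomes the request pipeline.
        public void Configuration(IAppBuilder app)
        {
            // Inline middleware: runs for every request, then hands off to the next stage.
            // Here it just sets a hardening header before the response is written.
            app.Use(async (IOwinContext context, Func<Task> next) =>
            {
                context.Response.Headers.Set("X-Content-Type-Options", "nosniff");
                await next();
            });

            // Terminal handler: anything not served by earlier middleware ends here.
            app.Run(context =>
            {
                context.Response.ContentType = "text/plain";
                return context.Response.WriteAsync("OWIN pipeline is up.");
            });
        }
    }
}
```

If the attribute and the web.config key name different classes, the one from web.config is used; if neither is present, Katana falls back to scanning for a class named Startup with a Configuration method, which is why the sample keeps working when the key is removed.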

What is the role of the startup.cs file?

I was trying to explore some ASP.NET 5 applications where I found the startup.cs file, where we set up routing and so on (of course not only routing). I also saw some demos that showed the use of dependency injection there. So I'm looking for answers to the questions below:
Why is this startup.cs there? What does it do?
What are the uses of this file?
What are the advantages of this?
And is there any good documentation to learn the use of startup.cs in detail? And why does the application not work if we change the class name 'Startup' to something else?
I have only a very elementary idea about OWIN and the pipeline. Please help me find these answers.
Just repeating here what is said in Getting started with vNext:
By default, the vNext hosting environment expects to find a startup class named Startup.
This class must contain a Configure method that takes an IBuilder parameter, and you configure the HTTP pipeline inside this Configure method. The empty project creates the class with nothing in the Configure method.
I would recommend you take a look at vNext Moving Parts by Louis Dejardin, since it explains a bit more about the OWIN pipeline and vNext.
Sorry for not being of much help!

Dependency injection in OWIN without using System.Web

I am exploring on the use of Dependency injection in my OWIN project. I have gone through the code referred here.
When I go through the code, I find dependency in the System.Web.Http dll. As far as I am concerned, we should be doing the dependency injection without the use of System.Web dlls, as OWIN does not depend on the heavy lifting by using System.Web.
Can anyone let me know if this can be achieved without using System.Web, e.g. having a middleware load the container and then all the services being resolved via this container? If I can be given some expert opinion and an explanation of how this can be achieved, I will be able to develop and share the code.

Struts2 + Classloader Vulnerability + How to reproduce

How do I reproduce the security issue CVE-2014-0094? I googled but couldn't find any reference to it.
Got it working.
I have to enable logging (for ognl package) to see the error.
Pass in parameter like class.classLoader.resource.dircontext.docBase=someText to the struts2 application.
localhost:8080/sampleApp/showlogin.do?class.classLoader.resource.diretext.docBase=someText
Then in the log I would see something like this.
java.lang.IllegalArgumentException: Document base base does not exist or is not a readable directory
at org.apache.naming.resources.FileDirContext.setDocBase(FileDirContext.java:136)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
After applying the workaround, I don't see the above error in the log.
Reference:
http://www.brentron.com/safe/web/9248.html
http://isayan.cocolog-nifty.com/diary/2014/04/s2-020.html
To get better help, I suggest you follow the guidelines in the official Struts2 Security Bulletins.
The bug you are referring to has been reported in S2-020, and has both a workaround without upgrading, and a patch in Struts 2.3.16.1.
WARNING: the above patch is not enough, as reported in S2-021, so there are both a new workaround (for users that can't immediately upgrade) and a definitive patch in Struts 2.3.16.2.
To reproduce the issue just send
http://host/struts2-blank/example/X.action?class.classLoader
The issue is documented under S2-020.

Attempt by security transparent method X to access security critical method Y failed

I have a fairly stable server application version that's been deployed for nearly a year at dozens of customers.
One new customer recently set up the application and is getting the following error:
System.MethodAccessException: Attempt by security transparent method [SomeMethod] to access security critical method [SomeOtherMethod] failed.
Both SomeMethod and SomeOtherMethod are methods in assemblies that I wrote, that are built against .NET 4, and that are running inside a Windows Service. If it makes a difference, SomeOtherMethod does reference a type from a 3rd party assembly (EntLib 4.1) built against .NET 2.0. Looking at the code for EntLib 4.1, I do see that they use both SecurityTransparent and APTC attributes, but this has never caused issues at other clients.
These assemblies were upgraded from the .NET 2.0 CLR, but a long time ago. This exact code is running on other customers just fine, and I'm not explicitly using the APTC attribute nor am I using the SecurityCritical attribute anywhere.
This leads me to the conclusion that it's a configuration issue or perhaps a .NET Framework patch issue. Has there been a patch released for .NET that would cause this breaking change? Is there a configuration setting somewhere that enforces this type of check which is off by default but that my customer may have enabled?
One last point. My service utilizes SSRS RDLCs to generate PDFs. Due to some changes in .NET 4, I must force the service to use the legacy security policy via the following config:
<runtime>
<NetFx40_LegacySecurityPolicy enabled="true" />
</runtime>
For more details on why I need to do this, see this stackoverflow post: Very High Memory Usage in .NET 4.0
The important point is that I do this at all my other customers as well. Only this one customer is having issues.
Sigh, the patterns and practices employed by the Microsoft Patterns And Practices team that's responsible for the Enterprise libraries are pretty deplorable. Well, the exception is accurate: you cannot call a method that's decorated as "I'll definitely check security" from code that's decorated with "Meh, I won't check security so don't bother burning the CPU cycles to check it". Which scales about as well as exception specifications as used in Java. CAS is incredibly useful, but diagnosing the exceptions is a major headache and often involves code that you don't own and can't fix. A big reason it got deprecated in .NET 4.
Editorial done. Taking a pot-shot at the problem, you need to find out why CAS is being enforced here. The simplest explanation for that is that the service doesn't run in full trust. The simplest explanation for that is that the client didn't install the service on the local hard drive. Or is generally running code in don't-trust-it mode even on local assemblies, a very paranoid admin could well prefer that. That needs to be configured with Caspol.exe, a tool whose command line options are as mysterious as CAS. Pot-shooting at the non-trusted location explanation, your client needs to run Caspol as shown in this blog post. Or just simply deploy the service locally so the default "I trust thee" applies.
Editing in the real reason as discovered by the OP: beware of the alternate data stream that gets added to a file when it is downloaded from an untrusted Internet or network location. The file will get a stream named "Zone.Identifier" that keeps track of where it came from with the "ZoneId" value. It is that value that overrides the trust derived from the storage location. Usually putting it in the Internet zone. Use Explorer, right-click the file and click "Unblock" to remove that stream. After you're sure you can trust the file :)
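As an added illustration of the Zone.Identifier stream the answer above describes (this is example code, not the answerer's): a small C# helper that reads the stream from a file, parses its INI-style body, reports which zone the file was tagged with, and removes the stream, which is what Explorer's "Unblock" does. It assumes Windows with NTFS and a runtime that accepts "file:stream" paths (.NET Core/.NET 5+, or .NET Framework 4.6.2+ without legacy path normalization; older Framework versions reject the colon). The sample stream body, including its URL, is constructed for the example.

```csharp
// Added example, not code from the original question or answers.
// Assumes Windows/NTFS and a runtime that accepts "file:stream" paths.
using System;
using System.Collections.Generic;
using System.IO;

public static class ZoneIdentifier
{
    // URLZONE values as written by the Attachment Execution Service.
    private static readonly Dictionary<int, string> ZoneNames = new Dictionary<int, string>
    {
        { 0, "Local machine" },
        { 1, "Local intranet" },
        { 2, "Trusted sites" },
        { 3, "Internet" },
        { 4, "Restricted sites" },
    };

    // Parses a stream body such as "[ZoneTransfer]\r\nZoneId=3\r\n".
    // Only the ZoneId key inside the [ZoneTransfer] section counts; returns null if absent.
    public static int? ParseZoneId(string streamBody)
    {
        bool inZoneTransfer = false;
        foreach (string rawLine in streamBody.Split('\n'))
        {
            string line = rawLine.Trim();
            if (line.Length == 0) continue;
            if (line.StartsWith("[") && line.EndsWith("]"))
            {
                inZoneTransfer = string.Equals(line, "[ZoneTransfer]", StringComparison.OrdinalIgnoreCase);
                continue;
            }
            if (!inZoneTransfer) continue;
            int eq = line.IndexOf('=');
            if (eq <= 0) continue;
            string key = line.Substring(0, eq).Trim();
            string value = line.Substring(eq + 1).Trim();
            if (string.Equals(key, "ZoneId", StringComparison.OrdinalIgnoreCase)
                && int.TryParse(value, out int id))
            {
                return id;
            }
        }
        return null;
    }

    public static string Describe(int? zoneId)
    {
        if (zoneId == null) return "no Zone.Identifier stream (treated as local)";
        return ZoneNames.TryGetValue(zoneId.Value, out string name)
            ? name + " (ZoneId=" + zoneId.Value + ")"
            : "unknown zone (ZoneId=" + zoneId.Value + ")";
    }

    // Reads the alternate data stream; a file that was never marked has no such stream.
    public static int? ReadZoneId(string path)
    {
        try
        {
            return ParseZoneId(File.ReadAllText(path + ":Zone.Identifier"));
        }
        catch (FileNotFoundException)
        {
            return null;
        }
    }

    // Equivalent of Explorer's "Unblock": delete the stream, the file itself stays intact.
    public static void Unblock(string path)
    {
        File.Delete(path + ":Zone.Identifier");
    }

    public static void Main(string[] args)
    {
        // Constructed sample: what Windows writes for a file downloaded from the Internet zone.
        const string sample = "[ZoneTransfer]\r\nZoneId=3\r\nHostUrl=https://example.invalid/Service.dll\r\n";
        Console.WriteLine(Describe(ParseZoneId(sample)));   // Internet (ZoneId=3)

        // Any paths given on the command line are checked on disk.
        foreach (string path in args)
            Console.WriteLine(path + ": " + Describe(ReadZoneId(path)));
    }
}
```

Running this against the deployed assemblies on the affected machine makes the cause visible before touching Caspol: a ZoneId of 3 on a DLL sitting on the local disk is exactly the situation the answer describes, where the zone mark overrides the trust the local path would otherwise grant. Only unblock files whose origin you have verified.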
I was facing a similar issue while running the downloaded WCF sample from http://www.idesign.net/ while using their ServiceModelEx library.
I commented out the below line in AssemblyInfo.cs in ServiceModelEx project
//[assembly: AllowPartiallyTrustedCallers]
and it worked for me.
In case it helps others, I post my solution for this issue:
1) On the AssemblyInfo.cs, removed/commented the [assembly: SecurityTransparent] line.
2) The class and the method that do the actual job were marked as [SecuritySafeCritical]; in my case, establishing a network connection:
    [SecuritySafeCritical]
    public class NetworkConnection : IDisposable
    {
        [SecuritySafeCritical]
        public NetworkConnection(string networkName, NetworkCredential credentials)
        {
            .............
        }
    }
3) The caller class and method were marked as [SecurityCritical]:
    [SecurityCritical]
    public class DBF_DAO : AbstractDAO
    {
        [SecurityCritical]
        public bool DBF_EsAccesoExclusivo(string pTabla, ref ArrayList exepciones)
        {
            ....
            using (new NetworkConnection(DBF_PATH, readCredentials))
            {
                ....
            }
        }
    }
In my case it was an issue when I managed NuGet packages in the solution: some package overrode the System.Web.Mvc assembly version binding in the main web site project. I set it back to 4.0.0.0 (I had 5.0 installed). I didn't notice the change because MVC v4.0 was installed and accessible via the GAC.
