在测试Ingo Rammer《Advance .Net Remoting》第6章的内容时,出现了一些异常。这些主要是因为.Net Remoting Framework 1.1对1.0版本进行了安全限制的修改。
如果在.Net Framework 1.1版本上使用CAO对象、events或delegates时,程序抛出如下异常:
System.Security.SecurityException.
Type System.DelegateSerializationHolder and the types derived from it (such as System.DelegateSerializationHolder) are not permitted to be deserialized at this security level.
System.Runtime.Serialization.SerializationException
Because of security restrictions, the type System.Runtime.Remoting.ObjRef cannot be accessed.
原因是.Net Framework 1.1版本进行了一些安全设置方面的变化,具体改变可以参考下面Reference 2。
Any remoting system that relies on run-time type validation must deserialize a remote stream to begin using it, and malicious clients could use the moment of serialization or deserialization to the detriment of your application. To protect against such clients, .NET remoting provides two levels of automatic deserialization, Low and Full. Low is the default value, and enables most basic remoting functionality, such as automatic deserialization of remoting infrastructure types, and a limited set of system-implemented types. Full supports automatic deserialization of all types that remoting supports in all situations. See below for a complete description of the settings.
Do not assume that controlling deserialization is the only security your application needs. In distributed applications even a high degree of control over serialization will not prevent malicious clients from intercepting the communication and using that in some way. Therefore, although the Low deserialization level will protect the remoting server from being directly exploited, you must still use authentication and encryption to completely protect your investment in your data.
为了防止来自Client恶意攻击,.Net Framework 1.1缺省关闭了自动序列化定制类型的功能。
解决办法:
1,通过程序来设置序列化级别
To set the serialization level programmatically, pass the following property to the SoapServerFormatterSinkProvider or BinaryServerFormatterSinkProvider on creation. The remoting system will then set the value on the formatter when it is inserted into the sink chain.
[C#]
IDictionary props = new Hashtable();
props["typeFilterLevel"] = "Full";
BinaryServerFormatterSinkProvider formatterProvider = new BinaryServerFormatterSinkProvider(props, null);
2,通过configuration配置文件来设置序列化级别(比较简单)
在.Net Remoting配置文件中,需要显式设定<formatter>元素的typeFilterLevel属性。尽管一般情况只要在Server端进行设置,但是如果需要控制Client端信道的序列化级别,这些信道注册用来监听回调(callback),你也需要在Client端配置文件进行相应的设置。
如下配置文件设置SoapFormmater和BinaryFormatter的序列化级别为Full:
<configuration>
<system.runtime.remoting>
<application>
<service>
<wellknown
type="ServiceType, common" objectUri=" ServiceType.soap" mode="Singleton"
/>
</service>
<channels>
<channel ref="http">
<serverProviders>
<provider ref="wsdl" />
<formatter ref="soap" typeFilterLevel="Full" />
<formatter ref="binary" typeFilterLevel="Full" />
</serverProviders>
</channel>
</channels>
</application>
</configuration>
Reference:
1. Ingo Rammer, http://www.thinktecture.com/Resources/RemotingFAQ/changes2003.html
2. www.gotdotnet.com, http://www.gotdotnet.com/team/changeinfo/Backwards1.0to1.1/default.aspx#00000153
3. Ingo Rammer, Advanced .Net Remoting