IT:AD:ClickOnce:HowTo:Security
Summary
Long story short, the default Visual Studio settings is to create a Full Trust app depending from where it is installed from will prompt the user to grant permissions to the application. ie: not a great user experience.
- Installed from the internet zone, will be prompted
- Installed from the intranet will be prompted, unless AD administrators adjust things
- Installed from a CD-ROM, won't be prompted.
Hence MS recommends you always take the time to set up security for the application correctly.
Process
- In Visual Studio
- In Solution Explorer
- Select the Project Designer
- Set Enable ClickOnce Security Settings
- this adds security permission requests to the application's deployment manifest
- at installation time, the user will be prompted to grant permissions if the request permissions exceed the default permission for the zone from which the application is deployed.
Debugging
If you Run/Start Debug the application, if your app uses resources that require higher privileges than what the app was zoned for, the end user will get an Exception.
You can see this by setting the application Zone to Internet, and add a FileOpenDialog which will cause an exception:
Request for the permission of type 'System.Security.Permissions.FileIOPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.
Process
Example:
- In Visual Studio
- If you create a WinForm,
- In the Solution Explorer, select the projects Properties folder
- Set Security Tab to:
- Enable ClickOnce Security Settings=Checked
- This is a Partial Trust Application=Checked
- Zone=Internet
- Select
Advanced...and- set
Debug this Application with the selected permission set=Checked - set
Grant this Application access to its site of origin=Checked
* Add to the WinForm something that will require higher access – such as a FileOpen dialog, you'll get: