PowerBuilder applications and components can run in partial trust environments when they are constrained by .NET code access security (CAS) configurations. PowerBuilder lets you configure CAS security zones (sandboxes) for .NET Web Forms, .NET Web Service, .NET Windows Forms and smart client projects to minimize the amount of trust required before application or component code is run by an end user.
For .NET Web Forms and Web Service projects, you can also modify the Web.config file to support security zones after you deploy the project. The .NET assemblies that you create by building and deploying .NET Assembly projects are run with the security permissions of the calling application or component.
A radio button group field on the Project painter’s Security tab allows you to select full trust or a customized trust option. For Windows Forms applications, you can also select local intranet trust or internet trust. A list box below the radio button group allows you to select or display the permissions you want to include or exclude when you select local intranet trust, internet trust, or the custom option. (If you select full trust, the list box is disabled.)
Viewing default permissions in the .NET Framework Configuration tool The list of permissions that display in the Security tab list box is the same as the list in the .NET Framework 2.0 SDK Configuration tool that you open from the Administrative Tools folder in the Control Panel for your computer. To see the permission settings in the configuration tool, select My Computer>Runtime Security Policy>Machine>Permission Sets>Everything in the treeview in the left pane of the configuration tool, then if the list is not already displayed, click View Permissions in the right pane. To import permissions to this list, see “About the .NET security settings”.
For Windows Forms applications, if you modify a permission after selecting the local intranet or internet trust options, PowerBuilder automatically treats the selected permissions as custom selections, but does not modify the selected radio button option. This allows you to click the Reset button above the list box to change back to the default local intranet or internet permission settings. Clicking the Detail button (to the left of the Reset button) opens the Custom Permissions dialog box that allows you to enter custom permissions in XML format. The Reset and Detail buttons are disabled only when you select the Full Trust radio button option.
For smart client applications, the permission information is stored in the manifest file that you deploy with your application. When users run a smart client application, the application loader process loads the manifest file and creates a sandbox where the application is hosted.
For standard Windows Forms applications, the sandbox allows you to run the application with the permissions you define on the Project painter Security tab when the applications are run from the PowerBuilder IDE. When a user starts Windows Forms applications from a file explorer or by entering a UNC address (such as \\server\myapp\myapp.exe), the security policies set by the current user’s system are applied and the Security tab permission settings are ignored.
For information on custom security permissions, see Appendix A, “Custom Permission Settings” and the Microsoft Web site.
If your .NET application attempts to perform an operation that is not allowed by the security policy, the Microsoft .NET Framework throws a runtime exception. For example, the default local intranet trust level has no file input or output (File IO) permissions. If your application runs with this security setting and tries to perform a File IO operation, the .NET Framework issues a File Operation exception.
You can catch .NET security exceptions using .NET interoperability code blocks in your PowerScript code:
#if defined PBDOTNET then
try
ClassDefinition cd_windef
cd_windef = FindClassDefinition("w_1") messagebox("w_1's class definition",cd_windef.DataTypeOf)
catch(System.Security.SecurityException ex)
messagebox("",ex.Message)
end try
#end if
All .NET targets must include a reference to the mscorlib.dll .NET Framework assembly in order to catch a System.Security.SecurityException exception. The PBTrace.log files that PowerBuilder Windows Forms and Web Forms applications generate by default contain detailed descriptions of any security exceptions that occur while the applications are running. PowerBuilder .NET Web Service components also generate PBTrace.log files that log critical security exceptions by default.
If you do not catch the exception when it is thrown, the PowerScript SystemError event is triggered. For Windows Forms applications, a default .NET exception message displays if you do not catch the exception or include code to handle the SystemError event. The exception message includes buttons enabling the user to show details of the error, continue running the application, or immediately quit the application. Under the same conditions for Web Forms applications, a system error dialog box displays instead of the .NET exception dialog box, and the application is terminated.
For more information about handling .NET exceptions, see “Handling exceptions in the .NET environment”.
You can debug and run .NET applications and components from the PowerBuilder IDE with specified security settings. To support this capability in Windows Forms applications, PowerBuilder creates a hosting process in the same directory as the application executable. The hosting process creates a domain with the CAS setting before it loads the application assemblies. (The CAS settings generated in the Web.config file determine the security permissions used by .NET Web Forms applications and .NET Web Service components.)
If your .NET application attempts to perform an operation not allowed by the specified security setting, an exception is issued in the IDE.
For more information about debugging .NET applications and components, see Chapter 17, “Compiling and Debugging.”