carl_bevil
8/13/2007 4:32:00 PM
I've written a serviced component in C# that interacts with some COM
components (in a separate process). All components are run on the
same machine (currently under the Administrator account). I've
enabled role-based security on the serviced component (at the
component level) through attributes in C#. This component implements
the standard IConnectionPointContainer interface. It looks like this:

In assembly.cs:

    using System.EnterpriseServices;

    // Run as a COM+ server application with component-level access checks.
    [assembly: ApplicationActivation(ActivationOption.Server)]
    [assembly: ApplicationAccessControl(Value = true,
        Authentication = AuthenticationOption.Integrity,
        ImpersonationLevel = ImpersonationLevelOption.Identify,
        AccessChecksLevel = AccessChecksLevelOption.ApplicationComponent)]
    [assembly: SecurityRole("MyRole")]

In the class's .cs file:

    using System.Runtime.InteropServices;
    using System.Runtime.InteropServices.ComTypes;
    using System.EnterpriseServices;

    [ComVisible(true)]
    [ComponentAccessControl(true)]
    [Guid("XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX")]
    [ProgId("MyComponent.MyObject.1")]
    public class MyObject : ServicedComponent, /* Other interfaces..., */
        IConnectionPointContainer
    {
        [SecurityRole("MyRole")]
        void IConnectionPointContainer.EnumConnectionPoints(
            out IEnumConnectionPoints ppEnum)
        {
            // Implementation
        }

        [SecurityRole("MyRole")]
        void IConnectionPointContainer.FindConnectionPoint(ref Guid riid,
            out IConnectionPoint ppCP)
        {
            // Implementation
        }

        // Other interface implementations...
    }

I can CoCreate my component using this IID, and call
IConnectionPointContainer's methods on it. However, if I have role-
based security enabled, the calls always fail with E_ACCESSDENIED.
The client code is run under a user account that is included within
"MyRole". In fact, the same client code can call other methods on
this component that are restricted to "MyRole".

If I remove the role restrictions from these specific methods (by
commenting out the SecurityRole attribute), it still does not work.
If I turn off role-based security on this component (by commenting out
the ComponentAccessControl attribute), it *does* work. So it seems
there is something odd going on with the IConnectionPointContainer
interface and role-based security.

One thing I am seeing is that IConnectionPointContainer does not
appear in the list of interfaces in the COM+ application GUI (in
Component Services) -- even though I am explicitly implementing the
interface and can CoCreate using that interface. I suspect this is
somehow related to my problem; maybe this interface is somehow being
treated "special" by the interop layer (I know that connection point
implementations are converted to .NET events, so I am guessing
something similar might happen with IConnectionPointContainers).

Any ideas on what is going on here, or how I can fix it? I really
don't care if the interface appears in the COM+ application as long as
I can use it with the object. But the security problem is a real
issue for me. How can I get these methods to work properly with role-
based security?

Thanks,
Carl