2013-07-16 27 views
0

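How do I call Apache NMS from a sandbox?

I want to call Apache ActiveMQ NMS version 1.6.0 from my code ('IntPub'), which for security reasons must run in a sandbox in a .NET 4.0 environment. The program that creates the sandbox makes my code "partially trusted" and therefore "security transparent", which seems to mean that it cannot create a ConnectionFactory (see the error log below), because NMS appears to be 'security critical'. Here is the code that causes the error: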

connecturi = new Uri("tcp://my.server.com:61616"); 
var connectionFactory = new ConnectionFactory(connecturi); 

I also tried the alternative, with similar results:

connecturi = new Uri("activemq:tcp://my.server.com:61616"); 
var connectionFactory = NMSConnectionFactory.CreateConnectionFactory(connecturi); 

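Since I cannot change the security level of my assembly (the sandbox prevents it), is there a way to make NMS run as "security critical" so that it can be called by "security transparent" code? Do I have to recompile it to do that, or does NMS do something that would never be considered "security critical"?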

I appreciate any help or suggestions...


Assembly 'IntPub, Version=1.0.0.0, Culture=neutral, PublicKeyToken=6fa620743b8dc60a' is partially trusted, which causes the CLR to make it entirely security transparent regardless of any transparency annotations in the assembly itself. In order to access security critical code, this assembly must be fully trusted.Detail: 
<OrganizationServiceFault xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/xrm/2011/Contracts"> 
    <ErrorCode>-2147220956</ErrorCode> 
    <ErrorDetails xmlns:d2p1="http://schemas.datacontract.org/2004/07/System.Collections.Generic" /> 
    <Message>Unexpected exception from plug-in (Execute): Test.Client: System.MethodAccessException: Attempt by security transparent method 'Test.Client.Execute(System.IServiceProvider)' to access security critical method 'Apache.NMS.ActiveMQ.ConnectionFactory..ctor(System.Uri)' failed. 

Answers

1

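From the properties of the error message, it looks like you are running a Dynamics CRM 2011 plug-in in sandbox mode, which has some very specific rules about what you can and cannot do. In particular, you can only make network connections over HTTP and HTTPS, so attempting a raw TCP socket will definitely fail.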

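Take a look at this MSDN page: Plug-in Isolation, Trusts, and Statistics. It looks as though there is a way to relax the network restrictions by modifying a system registry key so that the regex value includes tcp and so on. Below is an excerpt from that page. Note: I have not done this myself, so I cannot be sure it will work.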

Sandboxed plug-ins and custom workflow activities can access the network through the HTTP and HTTPS protocols. This capability provides support for accessing popular web resources like social sites, news feeds, web services, and more. The following web access restrictions apply to this sandbox capability.

  • Only the HTTP and HTTPS protocols are allowed.
  • Access to localhost (loopback) is not permitted.
  • IP addresses cannot be used. You must use a named web address that requires DNS name resolution.
  • Anonymous authentication is supported and recommended. There is no provision for prompting the logged on user for credentials or saving those credentials.

These default web access restrictions are defined in a registry key on the server that is running the Microsoft.Crm.Sandbox.HostService.exe process. The value of the registry key can be changed by the System Administrator according to business and security needs. The registry key path on the server is:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSCRM\SandboxWorkerOutboundUriPattern

The key value is a regular expression string that defines the web access restrictions. The default key value is:

"^http[s]?://(?!((localhost[:/])|([.])|([0-9]+[:/])|(0x[0-9a-f]+[:/])|(((([0-9]+)|(0x[0-9A-F]+)).){3}(([0-9]+)|(0x[0-9A-F]+))[:/]))).+";*

By changing this registry key value, you can change the web access for sandboxed plug-ins.
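
To see what the pattern quoted in the excerpt lets through, here is an added example (not part of the original answer or of the MSDN page): a small C# console check that runs the pattern as printed above, or a candidate replacement passed as the first argument, against the question's two broker URIs and a few constructed ones. It assumes the sandbox host allows a request when the pattern matches the full URI string with default regex options; the expected verdicts follow the restrictions listed in the excerpt.

```csharp
using System;
using System.Text.RegularExpressions;

static class SandboxUriCheck
{
    // Default value copied as printed in the excerpt above. On a real server,
    // check the value actually stored in the registry rather than this copy.
    const string PrintedDefault =
        @"^http[s]?://(?!((localhost[:/])|([.])|([0-9]+[:/])|(0x[0-9a-f]+[:/])|(((([0-9]+)|(0x[0-9A-F]+)).){3}(([0-9]+)|(0x[0-9A-F]+))[:/]))).+";

    // Assumption: the host allows a request when the pattern matches the
    // URI string, using default regex options.
    static bool IsAllowed(string pattern, string uri)
    {
        return Regex.IsMatch(uri, pattern);
    }

    static int Main(string[] args)
    {
        // Optional first argument: a candidate replacement pattern to vet.
        string pattern = args.Length > 0 ? args[0] : PrintedDefault;

        // URI -> whether the restrictions listed in the excerpt say it is allowed.
        // The first two are the question's URIs; the rest are constructed samples.
        var cases = new[]
        {
            Tuple.Create("tcp://my.server.com:61616", false),
            Tuple.Create("activemq:tcp://my.server.com:61616", false),
            Tuple.Create("https://my.server.com/api/messages", true),
            Tuple.Create("http://localhost:8161/", false),
            Tuple.Create("http://192.168.0.10/", false),
            Tuple.Create("http://0x7f000001/", false),
        };

        int surprises = 0;
        foreach (var c in cases)
        {
            bool allowed = IsAllowed(pattern, c.Item1);
            if (allowed != c.Item2) surprises++;
            Console.WriteLine("{0,-5} {1}{2}", allowed ? "ALLOW" : "BLOCK",
                c.Item1, allowed != c.Item2 ? "   <-- differs from the documented restriction" : "");
        }
        // Non-zero exit code when the pattern does not behave as documented.
        return surprises == 0 ? 0 : 1;
    }
}
```

Run with a candidate pattern as the argument before writing it to the registry: any line flagged as differing shows a restriction from the excerpt that the new value no longer enforces.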

+0

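Thanks, John. You are right about this restriction, but unfortunately it cannot be changed in CRM Online. So it raises the question: "Is there a way to get NMS to communicate with ActiveMQ over http:?" In addition, this question still needs an answer: "Is there anything else in NMS that would violate the security model?" – PrgTrdr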

+0

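If you are targeting CRM Online, you may have better luck hosting a web service in Azure (or elsewhere) that does the work you need, and calling that web service from your plug-in. Be careful about the latency cost, though, especially because of the maximum time plug-ins can run before CRM kills them. –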