.NET Remoting security exception and cure/workaround

Got this question a while ago and answered it today:

”I wrote a .NET Remoting application and get the following error when trying to make a connection to the server app. How come?”

Ah, one of the changes from .NET 1.0 to 1.1 is a more secure mechanism to control serialization and deserialization of .NET types across a remoting boundary. When a remote object is created (for example through Activator.CreateInstance), a local Transparent proxy is created, which is hooked up to a RealProxy object. Now, this first proxy is acquired by serializing an ObjRef object on the server and deserializing it on the client. Each type is sent like that from the server application (domain) across the remoting boundary. The security restrictions do not permit just any object to be (de)serialized. It used to be in .NET 1.0, but this was a potential weak spot in your app’s security.

To fix this error, you can tell your formatter objects that are used for the (de)serialization that all types are allowed. Adjust your config file to include a typeFilterLevel attribute in the <formatter> elements. Here’s a fragment:


or set a corresponding dictionary property when creating the server’s formatter objects programmatically.

IDictionary props = new Hashtable();
props[“typeFilterLevel”] = “Full”;
SoapServerFormatterSinkProvider formatterProvider;
formatterProvider = new SoapServerFormatterSinkProvider(props, null);

Read more about it here.

This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s