[IronPython] PythonEngine in separate AppDomain?

michael_sweeney at agilent.com michael_sweeney at agilent.com
Tue May 22 21:37:15 CEST 2007

Hi All,


I have been using the PythonEngine to host IronPython in my application, it works great. I have a need to host the PythonEngine in a separate AppDomain and then provide an API back to the default app domain. I am running into the black-hole of Security issues. I get the following  FileIOPermission inner-exception during the PythonEngine creation:


   at System.Runtime.CompilerServices.RuntimeHelpers._RunClassConstructor(IntPtr type)

   at System.Runtime.CompilerServices.RuntimeHelpers.RunClassConstructor(RuntimeTypeHandle type)

   at IronPython.Hosting.PythonEngine.Initialize(EngineOptions engineOptions) in C:\tfs\Fusion\Main\Source\IronPython\IronPython\Hosting\PythonEngine.cs:line 175

   at IronPython.Hosting.PythonEngine..ctor(EngineOptions engineOptions) in C:\tfs\Fusion\Main\Source\IronPython\IronPython\Hosting\PythonEngine.cs:line 141

   at ConsoleApplication1.PythonInstance..ctor() in C:\temp\ConsoleApplication1\Program.cs:line 27


It appears that the PythonEngine is trying to create an assembly file in the OutputGenerator.cs file.  I would like to know the magic to give the separate AppDomain the ability to write files. 


I have also gone as far as configuring the separate AppDomain with special security permissions, with no impact... that code is also below...


I have trimmed down the application into the following test code:


using System;

using System.Collections.Generic;

using System.Text;

using System.IO;

using System.Reflection;


using IronPython.Hosting;

using IronPython.Runtime;

using IronPython.Runtime.Operations;

using IronPython.Modules;


namespace ConsoleApplication1



    public class PythonInstance


        // IronPython Modules

        private static PythonEngine _python;


        public PythonInstance()


            // Create Python Engine

            EngineOptions options = new EngineOptions();

            options.ExceptionDetail = true;

            options.ClrDebuggingEnabled = true;


            PythonInstance._python = new PythonEngine(options);



        public void AddPythonPath(string path)






    class Program


        static void Main(string[] args)


            AppDomainSetup setup = new AppDomainSetup();

            setup.ApplicationName = Assembly.GetEntryAssembly().FullName;

            setup.ApplicationBase = Path.GetDirectoryName(typeof(Program).Assembly.Location);


            AppDomain domain = AppDomain.CreateDomain("PythonDomain", null, setup);


            // Create Test Engine in remote domain

            object obj = domain.CreateInstanceAndUnwrap("ConsoleApplication1",


            PythonInstance python = obj as PythonInstance;








Code to give the app domain special permissions:


        private void SetAppDomainPolicy(AppDomain appDomain)


            // Create an AppDomain policy level.

            PolicyLevel pLevel = PolicyLevel.CreateAppDomainLevel();

            // The root code group of the policy level combines all

            // permissions of its children.


            PermissionSet ps = new PermissionSet(PermissionState.Unrestricted);

            ps.AddPermission(new SecurityPermission(SecurityPermissionFlag.AllFlags));

            UnionCodeGroup rootCodeGroup = 

                new UnionCodeGroup(new AllMembershipCondition(),

                                   new PolicyStatement(ps, PolicyStatementAttribute.Nothing));

            NamedPermissionSet localIntranet = FindNamedPermissionSet("LocalIntranet");


            // The following code limits all code on this machine to local intranet permissions

            // when running in this application domain.

            UnionCodeGroup virtualIntranet = 

                new UnionCodeGroup(new ZoneMembershipCondition(SecurityZone.MyComputer),

                                   new PolicyStatement(localIntranet, PolicyStatementAttribute.Nothing));

            virtualIntranet.Name = "Virtual Intranet";


            // Add the code groups to the policy level.


            pLevel.RootCodeGroup = rootCodeGroup;




        private NamedPermissionSet FindNamedPermissionSet(string name)


            IEnumerator policyEnumerator = SecurityManager.PolicyHierarchy();

            while (policyEnumerator.MoveNext())


                PolicyLevel currentLevel = (PolicyLevel)policyEnumerator.Current;

                if (currentLevel.Label == "Machine")


                    IList namedPermissions = currentLevel.NamedPermissionSets;

                    IEnumerator namedPermission = namedPermissions.GetEnumerator();

                    while (namedPermission.MoveNext())


                        if (((NamedPermissionSet)namedPermission.Current).Name == name)


                            return ((NamedPermissionSet)namedPermission.Current);





            return null;



Thanks in advance...






-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.python.org/pipermail/ironpython-users/attachments/20070522/ad880470/attachment.html>

More information about the Ironpython-users mailing list