Created On: 06/03/2007
Author: Aaron Robson
Tags: aspnet

Aspnet 2.0 with Partial Trust... is tricky

Recently I've been setting up my site to work under a Partial Trust scenario. Hence posts like this and this.

It hasn't been easy, and every library I consider using will now have to be carefully tested to ensure it doesn't require too many permissions. (PermCalc.exe is a useful tool.)

Many shared libraries will need updating to minimize the set of permissions they require - it could take a while before your favourite libraries will work correctly.

You can test on a local dev box by setting <trust level="High"> or <trust level="Medium"> in the system.web section of web.config.

You can also change the actual permission sets available at each level by editing files such as \windows\microsoft.net\framework\v2.x.xxxxx\config\web_hightrust.config.

If you're running under shared hosting, it may be worth speaking to your host to find out the trust level, and if they have or will make any modifications to the default level to help you get things working. Anything which requires UnmanagedCode is generally out of the question.

One tricky issue I had was related to the presence of a System.Diagnostics section in my web.config. By using Reflector I was able to find out that the existence of this config section ended up resulting in a call to ListenerElementsCollection.GetRuntimeObject() whenever any diagnostics Trace.Write call was made (which in aspnet 2.0 can include a call to Page.Trace). This requires SecurityPermissionFlag.UnmanagedCode and causes a SecurityException.
The solution for me was just to delete the System.Diagnostics section, as I wasn't using it for anything useful. However, I expect some people are using it for useful switches etc. Interested to find out if anyone else can replicate this issue... calling all aspnet gurus :)

Several libs / tools caused issues too:

Log4net:

Cannot call ConfigureAndWatch without UnmanagedCode Permission - Call Configure instead.

Rolling file appender (and possibly any file appenders) requires SecurityPermission with the Infrastructure flag.

Also, using a TraceAppender causes the strange issue mentioned above when a system.diagnostics section exists in the web.config.

ViewStateAnalyzer seems to stop any partial trust site working in IE even when not active... 

PageMethods requires handler methods to be public - related to Reflection.
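
For the log4net ConfigureAndWatch note above, one way to pick the right call at startup is to probe for UnmanagedCode first and fall back to Configure under partial trust. This is an added example, not code from the original post; the Global class layout and the ~/log4net.config file name are assumptions.

```csharp
// Added example: Global.asax.cs code-behind (class and file names are assumed).
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;
using System.Web;
using log4net.Config;

public class Global : HttpApplication
{
    // Returns true only when the current trust level grants UnmanagedCode.
    // Demand() walks the call stack, so it throws SecurityException when
    // this (partially trusted) application code lacks the permission.
    private static bool HasUnmanagedCode()
    {
        try
        {
            new SecurityPermission(SecurityPermissionFlag.UnmanagedCode).Demand();
            return true;
        }
        catch (SecurityException)
        {
            return false;
        }
    }

    protected void Application_Start(object sender, EventArgs e)
    {
        // Assumed location: log4net settings kept in their own file
        // inside the application directory.
        FileInfo config = new FileInfo(Server.MapPath("~/log4net.config"));

        if (HasUnmanagedCode())
        {
            // Enough trust: reload the logging config when the file changes.
            XmlConfigurator.ConfigureAndWatch(config);
        }
        else
        {
            // Medium/High trust without UnmanagedCode: load once, no watcher.
            XmlConfigurator.Configure(config);
        }
    }
}
```

The same code then runs unchanged on a full-trust dev box and on a partial-trust host, and only the file-watching behaviour differs.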

Comments

Boris Yeltsin -
Thanks for the tips. About to start moving our stuff to a lower trust level for security reasons.
Aaron -
You're welcome. If you come across any other useful tips with this, let me know - it's always nice to have them on hand as it's the type of thing that can eat up hours trying to get to the bottom of.