test your medium trust config

Stephen

US Operations
Staff member
Attached is the medium trust config that we run; test your ASP.NET 2 applications locally against this.

You need to set your machine web.config to disallow override and to use this file as the medium trust, then set ASP.NET to run in medium trust. I will post a web.config sample shortly.
 

Attachments

  • mediumtrust.zip
    1.6 KB · Views: 1,105
Here is what the system web.config, found at
%sysdir%\microsoft.net\framework\v2.0.50727\config\web.config, should have in the section (that looks just like this, only portions modified):

<location allowOverride="false">
    <system.web>
        <securityPolicy>
            <trustLevel name="Full" policyFile="internal" />
            <trustLevel name="High" policyFile="web_hightrust.config" />
            <trustLevel name="Medium" policyFile="mediumtrust.config" />
            <trustLevel name="Low" policyFile="web_lowtrust.config" />
            <trustLevel name="Minimal" policyFile="web_minimaltrust.config" />
        </securityPolicy>
        <trust level="Medium" originUrl="" />
    </system.web>
</location>
 
Stephen,

For those of us who haven't jumped into ASP.NET much yet, could you give a brief description of what this is about and why we would use it?

I think it would be helpful for the newer .NET folks.

Thanks
 
Well, it allows you to test in the same environment that is run on the servers here (and many hosts, but maybe not exactly this config).

ASP.NET allows some options to be disabled to prevent hacking, kernel debugging, etc. And this is an example template with those features disabled to test against.
 
I assume that the .zip file contains your actual medium trust configuration for use in testing. Unfortunately whenever I try to download the file I find that the .zip is corrupted. I've tried from a couple different machines.

If it is indeed corrupted can you please repost. Otherwise can you email it to me at sthamilton\@/comcast.net (remove slashes)

Thanks!
 
I did not know of this, thanks for making me aware. I don't have the files I bundled in there with me now as I am in Miami on my laptop. I will repost it for you after I get back to Texas.
 
Thanks for the reply. I'm hoping you will be back in Texas sooner rather than later. I'm still fighting a Commerce Starter Kit site that was due two weeks ago due to this medium trust issue.
 
Here is the file in Text form:
Code:
<configuration>
    <mscorlib>
        <security>
            <policy>
                <PolicyLevel version="1">
                    <SecurityClasses>
                        <SecurityClass Name="AllMembershipCondition" Description="System.Security.Policy.AllMembershipCondition, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                        <SecurityClass Name="AspNetHostingPermission" Description="System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                        <SecurityClass Name="ConfigurationPermission" Description="System.Configuration.ConfigurationPermission, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
                        <SecurityClass Name="DnsPermission" Description="System.Net.DnsPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                        <SecurityClass Name="EnvironmentPermission" Description="System.Security.Permissions.EnvironmentPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                        <SecurityClass Name="FileIOPermission" Description="System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                        <SecurityClass Name="FirstMatchCodeGroup" Description="System.Security.Policy.FirstMatchCodeGroup, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                        <SecurityClass Name="IsolatedStorageFilePermission" Description="System.Security.Permissions.IsolatedStorageFilePermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                        <SecurityClass Name="NamedPermissionSet" Description="System.Security.NamedPermissionSet"/>
                        <SecurityClass Name="PrintingPermission" Description="System.Drawing.Printing.PrintingPermission, System.Drawing, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
                        <SecurityClass Name="ReflectionPermission" Description="System.Security.Permissions.ReflectionPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                        <SecurityClass Name="RegistryPermission" Description="System.Security.Permissions.RegistryPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                        <SecurityClass Name="SecurityPermission" Description="System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                        <SecurityClass Name="SmtpPermission" Description="System.Net.Mail.SmtpPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                        <SecurityClass Name="SocketPermission" Description="System.Net.SocketPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                        <SecurityClass Name="SqlClientPermission" Description="System.Data.SqlClient.SqlClientPermission, System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                        <SecurityClass Name="StrongNameMembershipCondition" Description="System.Security.Policy.StrongNameMembershipCondition, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                        <SecurityClass Name="UnionCodeGroup" Description="System.Security.Policy.UnionCodeGroup, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                        <SecurityClass Name="UrlMembershipCondition" Description="System.Security.Policy.UrlMembershipCondition, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                        <SecurityClass Name="WebPermission" Description="System.Net.WebPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                        <SecurityClass Name="ZoneMembershipCondition" Description="System.Security.Policy.ZoneMembershipCondition, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                        <SecurityClass Name="OleDbPermission" Description="System.Data.OleDb.OleDbPermission, System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                        <SecurityClass Name="OdbcPermission" Description="System.Data.Odbc.OdbcPermission, System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                        <SecurityClass Name="OraclePermission" Description="System.Data.OracleClient.OraclePermission, System.Data.OracleClient, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
                    </SecurityClasses>
                    <NamedPermissionSets>
                        <PermissionSet
                                class="NamedPermissionSet"
                                version="1"
                                Unrestricted="true"
                                Name="FullTrust"
                                Description="Allows full access to all resources"
                        />
                        <PermissionSet
                                class="NamedPermissionSet"
                                version="1"
                                Name="Nothing"
                                Description="Denies all resources, including the right to execute"
                        />
                        <PermissionSet
                                class="NamedPermissionSet"
                                version="1"
                                Name="ASP.Net">
                            <IPermission
                                    class="AspNetHostingPermission"
                                    version="1"
                                    Level="High"
                            />
                            <IPermission
                                    class="ConfigurationPermission"
                                    version="1"
                                    Unrestricted="true"
                            />
                            <IPermission
                                    class="DnsPermission"
                                    version="1"
                                    Unrestricted="true"
                            />
                            <IPermission
                                    class="EnvironmentPermission"
                                    version="1"
                                    Unrestricted="true"
                            />
                            <IPermission
                                    class="FileIOPermission"
                                    version="1"
                                    Read="$AppDir$"
                                    Write="$AppDir$"
                                    Append="$AppDir$"
                                    PathDiscovery="$AppDir$"
                            />
                            <IPermission
                                    class="IsolatedStorageFilePermission"
                                    version="1"
                                    Unrestricted="true"
                            />
                            <IPermission
                                    class="PrintingPermission"
                                    version="1"
                                    Level="DefaultPrinting"
                            />
                            <IPermission
                                    class="ReflectionPermission"
                                    version="1"
                                    Flags="ReflectionEmit"
                            />
                            <IPermission
                                    class="RegistryPermission"
                                    version="1"
                                    Unrestricted="true"
                            />
                            <IPermission
                                    class="SecurityPermission"
                                    version="1"
                                    Flags="Assertion, Execution, ControlThread, ControlPrincipal, RemotingConfiguration"
                            />
                            <IPermission
                                    class="SmtpPermission"
                                    version="1"
                                    Access="Connect"
                            />
                            <IPermission
                                    class="SocketPermission"
                                    version="1"
                                    Unrestricted="true"
                            />
                            <IPermission
                                    class="SqlClientPermission"
                                    version="1"
                                    Unrestricted="true"
                            />
                            <IPermission
                                    class="WebPermission"
                                    version="1"
                                    Unrestricted="true"
                            />
                            <IPermission
                                    class="OleDbPermission"
                                    version="1"
                                    Unrestricted="true"
                            />
                            <IPermission
                                    class="OdbcPermission"
                                    version="1"
                                    Unrestricted="true"
                            />
                            <IPermission
                                    class="OraclePermission"
                                    version="1"
                                    Unrestricted="true"
                            />
                        </PermissionSet>
                    </NamedPermissionSets>
                    <CodeGroup
                            class="FirstMatchCodeGroup"
                            version="1"
                            PermissionSetName="Nothing">
                        <IMembershipCondition
                                class="AllMembershipCondition"
                                version="1"
                        />
                        <CodeGroup
                                class="UnionCodeGroup"
                                version="1"
                                PermissionSetName="ASP.Net">
                            <IMembershipCondition
                                    class="UrlMembershipCondition"
                                    version="1"
                                    Url="$AppDirUrl$/*"
                            />
                        </CodeGroup>
                        <CodeGroup
                                class="UnionCodeGroup"
                                version="1"
                                PermissionSetName="ASP.Net">
                            <IMembershipCondition
                                    class="UrlMembershipCondition"
                                    version="1"
                                    Url="$CodeGen$/*"
                            />
                        </CodeGroup>
                        <CodeGroup
                                class="UnionCodeGroup"
                                version="1"
                                PermissionSetName="Nothing">
                            <IMembershipCondition
                                    class="ZoneMembershipCondition"
                                    version="1"
                                    Zone="MyComputer"
                            />
                            <CodeGroup
                                    class="UnionCodeGroup"
                                    version="1"
                                    PermissionSetName="FullTrust"
                                    Name="Microsoft_Strong_Name"
                                    Description="This code group grants code signed with the Microsoft strong name full trust. ">
                                <IMembershipCondition
                                        class="StrongNameMembershipCondition"
                                        version="1"
                                        PublicKeyBlob="002400000480000094000000060200000024000052534131000400000100010007D1FA57C4AED9F0A32E84AA0FAEFD0DE9E8FD6AEC8F87FB03766C834C99921EB23BE79AD9D5DCC1DD9AD236132102900B723CF980957FC4E177108FC607774F29E8320E92EA05ECE4E821C0A5EFE8F1645C4C0C93C1AB99285D622CAA652C1DFAD63D745D6F2DE5F17E5EAF0FC4963D261C8A12436518206DC093344D5AD293"
                                />
                            </CodeGroup>
                            <CodeGroup
                                    class="UnionCodeGroup"
                                    version="1"
                                    PermissionSetName="FullTrust"
                                    Name="Ecma_Strong_Name"
                                    Description="This code group grants code signed with the ECMA strong name full trust. ">
                                <IMembershipCondition
                                        class="StrongNameMembershipCondition"
                                        version="1"
                                        PublicKeyBlob="00000000000000000400000000000000"
                                />
                            </CodeGroup>
                        </CodeGroup>
                    </CodeGroup>
                </PolicyLevel>
            </policy>
        </security>
    </mscorlib>
</configuration>
 

Attachments

  • mediumtrust.config.txt
    13.3 KB · Views: 619
I think I need a little bit of instruction.
Should I replace that file for the one here? :
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\web_mediumtrust.config

How do I configure "ASP.NET to run in medium trust" ?
 
You got it, I think you got it functioning as well from the replies in the other thread :)
 
Hello, I have a .NET 2.0 app running on another server, but when I install it in my account at Jodohost (prueba.arte12.es) it doesn't work.

Neeraj from Jodohost told me that I must compile my application in medium trust, but I don't know what I must modify in web.config (below) for this method.

Can you help me please?

Thanks in advance

I had to remove your web.config it had passwords all over it. It was not letting me just edit the password out.
 
p32megaj,

I saw your web.config, it had a number of items, but posting the web.config doesn't help a lot. What was the error you were getting?
The most likely thing is you have a DLL not compiled to "AllowPartiallyTrustedCallers"
 
Sorry for the inconvenience, but I have tried for a long time to install my app on the server, and I can't.

I run this app on other servers, but when I put my app here I only get errors.

My clients are a bit angry; they don't understand why I rent this server if .NET does not run.

Please, I need to compile in "AllowPartiallyTrustedCallers", but when I put this code (below) in my web.config, I can't compile.

Again, sorry for my awkwardness.

Best regards, and happy new year



<location allowOverride="false">
    <system.web>
        <securityPolicy>
            <trustLevel name="Full" policyFile="internal" />
            <trustLevel name="High" policyFile="web_hightrust.config" />
            <trustLevel name="Medium" policyFile="mediumtrust.config" />
            <trustLevel name="Low" policyFile="web_lowtrust.config" />
            <trustLevel name="Minimal" policyFile="web_minimaltrust.config" />
        </securityPolicy>
        <trust level="Medium" originUrl="" />
    </system.web>
</location>
 
I understand what you are saying, but I am asking what is the error?
What you are giving is just config, not the error itself. Seeing the stack trace of the error will help greatly.
 
I can't create new folders and files from asp.net pages on the server. I have created tickets and chatted with the support team for days and couldn't get it to work. My ticket number is [JH #FHX-15414-314]: permission to folders. So I decided to post it here. The support member told me that all I have to do is set my app to compile in medium trust and upload it, but it didn't work.

This is what I did:
I set up my environment as recommended to run it in medium trust level by changing the machine.config. In this security level, as expected I couldn't create folders from asp.net pages. The error message is listed below.

I did some research and found that "in medium trust, FileIOPermission is restricted. This means I can only access files in my application's virtual directory hierarchy" from MSDN. So, I asked the support to make sure a virtual directory is created for my app, but this also didn't work.

Another way to get around is to create a custom trust configuration that enables file i/o, but support wouldn't do.

There must be a very common problem in shared host environment, but I just couldn't find a solution. Can anyone help?

Thanks in advance.


Security Exception
Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.

Exception Details: System.Security.SecurityException: Request for the permission of type 'System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.
 
The most likely cause for this is the method you are using. If you have specified d:\hshome\user\domain.com anywhere in code, it won't work; you need to use virtual pathing.

Also, we don't and won't do the custom trust, sorry.

As long as you are in the domain root folder, you are an application folder by default; all subdomains and domains are by default an application folder.



 
Not sure if I understand what you meant by "virtual path" and d:\hshome\user\domain.com.

Here is the code for the test:

protected void Page_Load(object sender, EventArgs e)
{
    try
    {
        string LocalVideoDir = "./Videos/Users";
        string VideoDirOnServer = Server.MapPath(LocalVideoDir);
        // change to video directory
        Directory.SetCurrentDirectory(VideoDirOnServer);
        // create a new directory
        Directory.CreateDirectory("FileCreation");
    }
    catch (Exception ex)
    {
        Response.Write(ex.Message);
    }
}

Can you explain what I am doing wrong?
 
I had a play and reproduced your problem. It seems to be related to Directory.SetCurrentDirectory(). I don't think you really need to use that.

Directory.CreateDirectory() works just fine if you give it an absolute path. It's also nice that you can give it a long path and it creates the directories in-between. You don't need to create each level.

Try something like this: Before I run this, Videos does not exist. After it runs, Videos/Users/FileCreation exists.

string LocalVideoDir = "./Videos/Users";
string VideoDirOnServer = Server.MapPath(LocalVideoDir);

string fileCreatePath = Path.Combine(VideoDirOnServer, "FileCreation");

if (!Directory.Exists(fileCreatePath))
{
    Directory.CreateDirectory(fileCreatePath);
}

Cheers
Ross
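
Why the SetCurrentDirectory call fails while CreateDirectory succeeds, as an added example (not code from the thread or from the host): the .NET Framework documentation lists SecurityPermission with the UnmanagedCode flag as a requirement of Directory.SetCurrentDirectory, and this Python script reads a trimmed, constructed copy of the policy posted earlier to check whether that flag is granted. The function names are hypothetical, and the code-group lookup only looks for the $AppDirUrl$ URL condition rather than evaluating the full code-group tree.

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed from the policy posted in this thread
# (SecurityClasses and most IPermission entries left out).
POLICY_XML = """
<configuration><mscorlib><security><policy><PolicyLevel version="1">
  <NamedPermissionSets>
    <PermissionSet class="NamedPermissionSet" version="1" Unrestricted="true" Name="FullTrust"/>
    <PermissionSet class="NamedPermissionSet" version="1" Name="Nothing"/>
    <PermissionSet class="NamedPermissionSet" version="1" Name="ASP.Net">
      <IPermission class="FileIOPermission" version="1" Read="$AppDir$" Write="$AppDir$"
                   Append="$AppDir$" PathDiscovery="$AppDir$"/>
      <IPermission class="RegistryPermission" version="1" Unrestricted="true"/>
      <IPermission class="SecurityPermission" version="1"
                   Flags="Assertion, Execution, ControlThread, ControlPrincipal, RemotingConfiguration"/>
      <IPermission class="SocketPermission" version="1" Unrestricted="true"/>
    </PermissionSet>
  </NamedPermissionSets>
  <CodeGroup class="FirstMatchCodeGroup" version="1" PermissionSetName="Nothing">
    <IMembershipCondition class="AllMembershipCondition" version="1"/>
    <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="ASP.Net">
      <IMembershipCondition class="UrlMembershipCondition" version="1" Url="$AppDirUrl$/*"/>
    </CodeGroup>
  </CodeGroup>
</PolicyLevel></policy></security></mscorlib></configuration>
"""

def load_permission_sets(policy_xml):
    """Map each NamedPermissionSet name to its set-level flag and IPermission entries."""
    sets = {}
    for pset in ET.fromstring(policy_xml).iter("PermissionSet"):
        perms = {}
        for perm in pset.findall("IPermission"):
            attrs = dict(perm.attrib)
            perms[attrs.pop("class")] = attrs
        sets[pset.get("Name")] = {"unrestricted": pset.get("Unrestricted") == "true",
                                  "perms": perms}
    return sets

def app_permission_set(policy_xml):
    """Name of the permission set attached to the $AppDirUrl$ code group."""
    for group in ET.fromstring(policy_xml).iter("CodeGroup"):
        cond = group.find("IMembershipCondition")
        if cond is not None and cond.get("Url", "").startswith("$AppDirUrl$"):
            return group.get("PermissionSetName")
    return None

def is_granted(sets, set_name, perm_class, flag=None):
    """True if the set grants perm_class and, when a flag is named, that flag."""
    pset = sets[set_name]
    if pset["unrestricted"]:
        return True
    perm = pset["perms"].get(perm_class)
    if perm is None:
        return False
    if perm.get("Unrestricted") == "true" or flag is None:
        return True
    flags = {f.strip() for f in perm.get("Flags", "").split(",")}
    return flag in flags or "AllFlags" in flags

def unrestricted_permissions(sets, set_name):
    """Permission classes the set grants without any restriction."""
    return sorted(name for name, attrs in sets[set_name]["perms"].items()
                  if attrs.get("Unrestricted") == "true")

if __name__ == "__main__":
    sets = load_permission_sets(POLICY_XML)
    name = app_permission_set(POLICY_XML)
    print("application code gets:", name)
    print("UnmanagedCode granted:",
          is_granted(sets, name, "SecurityPermission", "UnmanagedCode"))
    print("unrestricted:", unrestricted_permissions(sets, name))
```

The same check shows FileIOPermission is granted for $AppDir$, which is why a CreateDirectory call on a Server.MapPath result inside the application folder is allowed under this policy.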
 
Hey Ross,

I don't know how to thank you. All along I thought it was medium trust issue and spent too many days on this :( I couldn't believe the problem was so simple. Thanks to you my asp.net user controls/role managers are working correctly.

You're awesome.
 