12 August 2008

Allow partially trusted callers – using ASP.NET in shared hosting

The problem: using ASP.NET in medium trust on shared hosting environments

Developing ASP.NET applications for shared commercial web hosting space can give rise to a security issue that will restrict your options as a developer. If you are developing an ASP.NET application that works fine in your development environment, any attempt to run it in the live environment may well give rise to the following error:

System.Security.SecurityException: That assembly does not allow partially trusted callers.

This is caused by the security level that your application is being forced to run under. Most commercial shared hosting operations lock down the server space to stop your code from doing anything that may interfere with other sites or the server itself.

This security level is known as the trust level in .NET and it can be set to one of the following values:

  • Full trust – your code can do anything that the account running it can do.
  • High trust – same as above except your code cannot call into unmanaged code. i.e. Win32 APIs, COM interop.
  • Medium trust – same as above except your code cannot see any part of the file system except its application directory. This is the most common trust level that is used in shared hosting environments.
  • Low trust – same as above except your code cannot make any out-of-process calls. i.e. calls to a database, network, etc.
  • Minimal trust – code is restricted from anything but the most trivial processing (calculating algorithms).

Medium trust is the level most commonly used by shared hosting environments and it places severe restrictions on what your code can do – i.e. you cannot call unmanaged code, such as Win32 APIs and COM components and you cannot do anything with the file system or system registry.

Medium trust also prevents your assemblies from running unless they are marked with a strong name and installed into the server’s Global Assembly Cache (GAC). However, this becomes a problem in a hosted environment where you have no direct access to the GAC.

The solution – Allowing partially trusted callers

To ensure that your assemblies will work in a medium trust environment, you need to give them a strong name and mark them with an attribute that tells the .NET security runtime to allow the code.

To allow partially trusted callers from your code, add the following attribute to the assembly’s AssemblyInfo.cs file:

using System.Security; // namespace that defines AllowPartiallyTrustedCallersAttribute

[assembly: AllowPartiallyTrustedCallers]

You will also need to ensure that the file references the System.Security namespace.

In addition, you will need to give your assembly a strong name by signing the assembly through the project properties dialog. An explanation of how to do this can be found here: http://msdn.microsoft.com/en-us/library/ms247123(VS.80).aspx.

Limitations and exceptions

You will have to be careful which .NET framework assemblies you use from partially trusted assemblies, as a number of them cannot be called from partially trusted code. This includes pretty much anything that could be regarded as a major security risk, i.e. access to the file system, event log and system settings.

For example, if you have incorporated logging functionality that uses System.Diagnostics to write to the event log, you will always get a SecurityException when you try to run this code as a partially trusted caller. This is because it is one of the assemblies that require a higher level of trust before they can be used.

This can be quite a limitation on your application – the full list of assemblies that cannot be called by partially trusted callers can be found here: http://msdn.microsoft.com/en-us/library/aa302328.aspx.
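One way to keep logging working when the event log is off limits, shown as an added example rather than code from the original post: try the event log once, and on a SecurityException fall back to a file inside the application directory, which medium trust still permits. The class name, the event source "MyWebApp" and the App_Data path are assumptions, as is an event source that has already been registered on the server and a worker account with NTFS write access to App_Data.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Runtime.CompilerServices;
using System.Security;
using System.Web.Hosting;

// Added example: a logger that degrades gracefully under medium trust.
public static class TrustAwareLog
{
    // Assumed names: the event source and the fallback path are placeholders.
    private const string EventSource = "MyWebApp";
    private const string FallbackFile = "~/App_Data/app.log";
    private static readonly object Sync = new object();
    private static bool eventLogDenied;

    public static void Write(string message)
    {
        if (!eventLogDenied)
        {
            try
            {
                WriteToEventLog(message);
                return;
            }
            catch (SecurityException)
            {
                // Partial trust: remember the denial instead of retrying every call.
                eventLogDenied = true;
            }
        }
        WriteToFile(message);
    }

    // Kept in its own non-inlined method so that a security failure raised when
    // this method is compiled or run surfaces inside the caller's try block.
    [MethodImpl(MethodImplOptions.NoInlining)]
    private static void WriteToEventLog(string message)
    {
        EventLog.WriteEntry(EventSource, message, EventLogEntryType.Information);
    }

    private static void WriteToFile(string message)
    {
        // Medium trust still grants file access inside the application directory.
        string path = HostingEnvironment.MapPath(FallbackFile);
        if (path == null) return; // not hosted by ASP.NET
        string line = DateTime.UtcNow.ToString("u") + " " + message + Environment.NewLine;
        lock (Sync) { File.AppendAllText(path, line); }
    }
}
```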

Developing in a medium trust environment

It’s always best practice to be aware of the security context that your application will be running in and to try and develop for it. For public-facing sites, medium trust should be considered a baseline that all web sites should use. After all, it does serve to minimise the risk to other applications and your hosting environment if an application is compromised.

At the most basic level, you can set your web application to run in a medium trust environment by adding the following line to your web.config file:

<trust level="Medium"/>
