SYSK 188: Understanding AspNetHostingPermission…
If you’ve ever seen an “insufficient trust for...” type of error message, this blog post may be interesting to you…
AspNetHostingPermissionAttribute is a CodeAccessSecurityAttribute which controls access permissions in ASP.NET hosted environments. For example, all public types in the System.Web and System.Web.Mobile namespaces are protected with demands for the Minimal level of this permission. This risk mitigation strategy is designed to ensure that Web application code cannot be used in other partial-trust environments without specific policy configuration by an administrator.
High -- indicates that features protected with a demand for any level less than or equal to the High trust level will succeed. This level is intended for highly trusted managed-code applications that need to use most of the managed permissions that support semi-trusted access. It does not grant some of the highest permissions (for example, the ability to call into native code), but it does provide a way to run trusted applications with least privilege or to provide some level of constraints for highly trusted applications. This level is granted by configuring at least the High trust level in the trust section in a configuration file.
For example,
- HttpApplication.Modules
- HttpException.Results
- HttpException.SourceCode
- HttpRuntime.AppDomainAppId
- HttpRuntime.AppDomainId
- ProcessModelInfo.GetCurrentProcessInfo
- ProcessModelInfo.GetHistory
are examples of methods protected with
[AspNetHostingPermission(SecurityAction.Demand, Level=AspNetHostingPermissionLevel.High)]
Low -- indicates that features protected with a demand for any level less than or equal to the Low level will succeed. This level is intended to allow read-only access to limited resources in a constrained environment. This level is granted by specifying the Low trust level in the trust section in a configuration file.
For example,
- HttpWebRequest.Params
- HttpWebRequest.ServerVariables
- HttpRuntime.IsOnUNCShare
are examples of methods protected with
[AspNetHostingPermission(SecurityAction.Demand, Level=AspNetHostingPermissionLevel.Low)]
Medium -- indicates that features protected with a demand for any level less than or equal to the Medium level will succeed. This level is granted by configuring at least the Medium trust level in the trust section in a configuration file.
For example,
- HttpRequest.LogonUserIdentity
- HttpResponse.AppendToLog
- HttpRuntime.ProcessRequest
are examples of methods protected with
AspNetHostingPermissionLevel.Medium
In addition, some methods may alter the execution path based on the hosting permission level. The following pseudo-code demonstrates the logic of outputting error info:
// Write error info, excluding sensitive info like call stack
if (HttpRuntime.HasAspNetHostingPermission(AspNetHostingPermissionLevel.Medium))
{
    // dump call stack
}
Minimal -- indicates that features protected with a demand for the Minimal level will succeed. This level allows code to execute but not to interact with resources present on the system. This level is granted by configuring at least the Minimal trust level using the trust section in a configuration file.
For example,
- The entire HttpApplication, HttpCacheVaryByParams, HttpCachePolicy, HttpClientCertificate, HttpContext, HttpPostedFile, HttpRuntime, HttpServerUtility classes, and many others
are examples of types protected with
AspNetHostingPermissionLevel.Minimal
None -- indicates that no permission is granted. All demands for AspNetHostingPermission will fail.
At this time, I’m not aware of any ASP.NET framework classes protected with AspNetHostingPermissionLevel.None.
Unrestricted -- indicates that all demands for permission to use all features of an application will be granted. This is equivalent to granting Full trust level in the trust section in a configuration file.
At this time, I’m not aware of any ASP.NET framework classes protected with AspNetHostingPermissionLevel.Unrestricted.
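The "less than or equal" rule described for each level above can be observed from code by demanding the permission directly and catching the SecurityException that a failed demand throws. The following C# is an added example, not code from the original post or from the ASP.NET framework: TrustProbe and ErrorReport are hypothetical names, while AspNetHostingPermission, AspNetHostingPermissionLevel and Demand are the real System.Web and code access security APIs.

```csharp
using System;
using System.Security;
using System.Web;

// Added example. TrustProbe and ErrorReport are hypothetical helper names;
// the permission types come from System.Web.
public static class TrustProbe
{
    // Ordered from most to least trusted. A grant at one level satisfies
    // demands for that level and for every level below it.
    private static readonly AspNetHostingPermissionLevel[] Levels =
    {
        AspNetHostingPermissionLevel.Unrestricted,
        AspNetHostingPermissionLevel.High,
        AspNetHostingPermissionLevel.Medium,
        AspNetHostingPermissionLevel.Low,
        AspNetHostingPermissionLevel.Minimal
    };

    // Returns the highest level for which a demand succeeds on this call stack.
    public static AspNetHostingPermissionLevel Current()
    {
        foreach (AspNetHostingPermissionLevel level in Levels)
            if (Has(level)) return level;
        return AspNetHostingPermissionLevel.None;
    }

    // True when every caller on the stack has been granted at least 'level'.
    public static bool Has(AspNetHostingPermissionLevel level)
    {
        try { new AspNetHostingPermission(level).Demand(); return true; }
        catch (SecurityException) { return false; }
    }
}

public static class ErrorReport
{
    // Same branch as the pseudo-code above: the call stack is appended
    // only when the application runs at Medium trust or higher.
    public static string Format(Exception ex)
    {
        string text = ex.Message;
        if (TrustProbe.Has(AspNetHostingPermissionLevel.Medium))
            text += Environment.NewLine + ex.StackTrace;
        return text;
    }
}
```

Logging TrustProbe.Current() at application start shows which trust level the host actually applied, which helps when a demand fails only on a shared server.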
Sources:
http://msdn2.microsoft.com/en-us/library/system.web.aspnethostingpermission.aspx
http://msdn2.microsoft.com/en-us/library/system.web.aspnethostingpermissionlevel.aspx
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/THCMCh09.asp
Comments
- Anonymous
September 15, 2006
Useful info. But would be nice if you indicated how to fix these types of error i.e. what to change and where?
Thanks.
- Anonymous
September 22, 2006
Check out the "ASP.NET Trust Levels and Policy Files" article at http://msdn2.microsoft.com/en-us/library/wyts434y.aspx
Also, this might be of help: http://msdn2.microsoft.com/en-us/library/tkscy493.aspx
- Anonymous
May 14, 2007
Hasn't ANYBODY come up with a work-around to the HttpWebRequest trust issue in asp.net 2.0 when your hosting company won't/can't change the trust level on their shared server to full????