nGallery and ASP.NET Medium Trust
Today I decided to create a family photo album web site. I settled on using nGallery (from www.nGallery.org).
The hoster I am using has a fairly locked down environment so nGallery didn’t work out of the box. Here are the things I had to do to make it work:
- My hoster has ASP.NET running in medium trust mode, with customerrors set to override=false and outbound web services enabled through proxy. This is configured in machine.config for all sites on the machine. This means functions allowed in Medium will work, but those only available in Full Trust will not.
Access to the following is blocked by Medium trust. You can test this by running your own test machine in Medium Trust mode; to do so, edit the configuration in C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CONFIG:
• UI
• OleDb
• EventLog
• ODBC
• Oracle
• MessageQueue
• ServiceController
• DirectoryService
• Performance Counter
• Win32 calls required for User Impersonation
Access to the following is blocked by our policy and should NOT be configured in your web.config:
• Customerrors
• Tracing
• Trust level
- The web directory is only writable by my uploading login account. The web application cannot write to the filesystem.
- I had to change the Authentication mode for the admin pages from Forms to Windows so that I could login as my hosting upload account for the admin pages. This is required to allow photos to be uploaded.
<authentication mode="Windows" />
<!-- <authentication mode="Forms" >
<forms name="nGalleryAuth" loginUrl="adminLogin.aspx" protection="All" timeout="30" path="/" />
</authentication> -->
- I still have a problem here since nGallery writes out cache files now and then and all these have to be done while I am logged on with the uploading user account. I wish nGallery had a function somewhere in the admin pages to create all the image file caches, but it doesn’t. So whenever I see a bad image in the gallery I change my web.config configuration so that I have to log in.
<authorization>
<!-- <allow users="*" /> -->
<!-- <deny users="?" /> -->
</authorization>
- I have SQL Server database hosting, but I’m not DBO for the database.
- I have to ensure all tables and stored procedures are owned by my WINISP database login instead of DBO, since I don’t have access to the DBO user. This is almost a search and replace of DBO for my user name in the script.
CREATE TABLE [MyUser].[ALBUM]
CREATE PROCEDURE MyUser.ngCreateComment
- I don’t have access to GRANT EXECUTE. Actually these can be left in and I just get errors in those parts of the sql script.
- All the admin pages use an implementation of Master Pages that falls afoul of Medium Trust. So I removed it all since I don’t care what my admin pages look like – only I see them.
- Remove the server control tag registration:
<%@ Register TagPrefix="mp" Namespace="MetaBuilders.WebControls.MasterPages" Assembly="MetaBuilders.WebControls.MasterPages" %>
- And I had to remove the master pages tags (<mp:contentContainer etc.).
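To reproduce the hoster's Medium Trust environment on a test machine, as mentioned near the top of this post, the trust section of machine.config in that CONFIG directory can be changed along these lines. This is an added example, not the hoster's actual configuration: it shows only the trust-related elements, and locking them with allowOverride="false" is an assumption based on the statement that the trust level mustAnother not be set in web.config.

```xml
<!-- machine.config in the .NET 1.1 CONFIG directory (test machine only).
     Added example: only the trust-related elements are shown. -->

<!-- Assumption: allowOverride="false" locks these settings, so a site's
     web.config cannot raise its own trust level. -->
<location allowOverride="false">
  <system.web>
    <securityPolicy>
      <!-- Each named level maps to a policy file in the same CONFIG directory. -->
      <trustLevel name="Full" policyFile="internal" />
      <trustLevel name="High" policyFile="web_hightrust.config" />
      <trustLevel name="Medium" policyFile="web_mediumtrust.config" />
      <trustLevel name="Low" policyFile="web_lowtrust.config" />
      <trustLevel name="Minimal" policyFile="web_minimaltrust.config" />
    </securityPolicy>

    <!-- The shipped default is level="Full". Setting it to Medium applies
         web_mediumtrust.config to every ASP.NET application on the machine. -->
    <trust level="Medium" originUrl="" />
  </system.web>
</location>
```

With the section locked this way, a web.config that tries to set its own trust element produces a configuration error instead of overriding the machine-wide level.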