Partial Trust Feature Compatibility
Windows Communication Foundation (WCF) supports a limited subset of functionality when running in a partially-trusted environment. The features supported in partial trust are designed around a specific set of scenarios as described in the Supported Deployment Scenarios topic.
Minimum Permission Requirements
WCF supports a subset of features in applications running under either of the following standard named permission sets:
Medium Trust permissions
Internet Zone permissions
Attempting to use WCF in partially-trusted applications with more restrictive permissions may result in security exceptions at run time.
Contracts
Contracts are subject to the following restrictions when running under partial trust:
The service class that implements the [ServiceContract] interface must be public and have a public constructor. If it defines [OperationContract] methods, these must be public. If it instead implements a [ServiceContract] interface, those method implementations can be explicit or private, provided that the [ServiceContract] interface is public.
When using the [ServiceKnownType] attribute, the method specified must be public.
[MessageContract] classes and their members can be public. If the [MessageContract] class is defined in the application assembly it can be internal and have internal members.
System-Provided Bindings
The BasicHttpBinding and WebHttpBinding are fully supported in a partial trust environment. The WSHttpBinding is supported for Transport security mode only.
Bindings that use transports other than HTTP, such as the NetTcpBinding, the NetNamedPipeBinding, or the NetMsmqBinding, are not supported when running in a partial trust environment.
Custom Bindings
Custom bindings can be created and used in a partial trust environment, but must follow the restrictions specified in this section.
Transports
The only allowed transport binding elements are HttpTransportBindingElement and HttpsTransportBindingElement.
Encoders
The following encoders are allowed:
The text encoder (TextMessageEncodingBindingElement).
The binary encoder (BinaryMessageEncodingBindingElement).
The Web Message encoder (WebMessageEncodingBindingElement).
The Message Transmission Optimization Mechanism (MTOM) encoders are not supported.
Security
Partially-trusted applications can use WCF's transport-level security features for securing their communication. Message-level security is not supported. Configuring a binding to use message-level security results in an exception at run time.
Unsupported Bindings
Bindings that use reliable messaging, transactions, or message-level security are not supported.
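The binding rules above can be checked before deployment by walking a binding's element stack. The following is an added example, not code from the original page or from WCF: PartialTrustBindingAudit is a hypothetical helper, and it assumes that any SecurityBindingElement in the stack indicates message-level security. It does not check transaction flow.

```csharp
using System;
using System.Collections.Generic;
using System.ServiceModel;
using System.ServiceModel.Channels; // WebMessageEncodingBindingElement needs a reference to System.ServiceModel.Web

// Hypothetical helper (not a WCF API): lists the reasons a binding breaks the partial-trust rules.
public static class PartialTrustBindingAudit
{
    public static IList<string> Audit(Binding binding)
    {
        var findings = new List<string>();
        foreach (BindingElement element in binding.CreateBindingElements())
        {
            string name = element.GetType().Name;

            // Only HTTP and HTTPS transports are allowed; HttpsTransportBindingElement
            // derives from HttpTransportBindingElement, so one type test covers both.
            if (element is TransportBindingElement && !(element is HttpTransportBindingElement))
                findings.Add("transport not allowed: " + name);

            // Text, binary and Web Message encoders are allowed; MTOM and any other encoder are not.
            if (element is MessageEncodingBindingElement
                && !(element is TextMessageEncodingBindingElement)
                && !(element is BinaryMessageEncodingBindingElement)
                && !(element is WebMessageEncodingBindingElement))
                findings.Add("encoder not allowed: " + name);

            if (element is ReliableSessionBindingElement)
                findings.Add("reliable messaging not supported: " + name);

            // Assumption: a SecurityBindingElement in the stack means message-level security.
            if (element is SecurityBindingElement)
                findings.Add("message-level security not supported: " + name);
        }
        return findings;
    }

    public static void Main()
    {
        var candidates = new Binding[]
        {
            new BasicHttpBinding(),
            new WSHttpBinding(SecurityMode.Transport),
            new WSHttpBinding(SecurityMode.Message),
            new NetTcpBinding(),
            new CustomBinding(new MtomMessageEncodingBindingElement(), new HttpsTransportBindingElement())
        };
        foreach (Binding candidate in candidates)
        {
            IList<string> findings = Audit(candidate);
            Console.WriteLine("{0}: {1}", candidate.GetType().Name,
                findings.Count == 0 ? "ok" : string.Join("; ", findings));
        }
    }
}
```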
Serialization
Both the DataContractSerializer and the XmlSerializer are supported in a partial trust environment. However, use of the DataContractSerializer is subject to the following conditions:
All serializable [DataContract] types must be public.
All serializable [DataMember] fields or properties in a [DataContract] type must be public and read/write. The serialization and deserialization of readonly fields is not supported when running WCF in a partially trusted application.
The [Serializable]/ISerializable programming model is not supported in a partial trust environment.
Known types must be specified in code or machine-level configuration (machine.config). Known types cannot be specified in application-level configuration for security reasons.
Types that implement IObjectReference throw an exception in a partially-trusted environment.
See the Serialization section in Partial Trust Best Practices for more information about security when using DataContractSerializer safely in a partially-trusted application.
Collection Types
Some collection types implement both IEnumerable<T> and IEnumerable. Examples include types that implement ICollection<T>. Such types can implement a public implementation of GetEnumerator(), and an explicit implementation of GetEnumerator(). In this case, DataContractSerializer invokes the public implementation of GetEnumerator(), and not the explicit implementation of GetEnumerator(). If none of the GetEnumerator() implementations are public and all are explicit implementations, then DataContractSerializer invokes IEnumerable.GetEnumerator().
For collection types when WCF is running in a partial trust environment, if none of the GetEnumerator() implementations are public, or none of them are explicit interface implementations, then a security exception is thrown.
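The conditions from the Serialization and Collection Types sections, put together in one set of types and round-tripped through DataContractSerializer. This is an added example, not code from the original page; Order, ExpressOrder and TagList are hypothetical names.

```csharp
using System;
using System.Collections;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;

// Public type, public read/write members, and the known type declared in code
// rather than in application-level configuration.
[DataContract]
[KnownType(typeof(ExpressOrder))]
public class Order
{
    [DataMember] public int Id { get; set; }
    [DataMember] public TagList Tags { get; set; }
}

[DataContract]
public class ExpressOrder : Order
{
    [DataMember] public int Hours { get; set; }
}

// Collection type with a public generic GetEnumerator() and an explicit
// IEnumerable.GetEnumerator(); the serializer uses the public one and calls Add() when reading.
public class TagList : IEnumerable<string>
{
    private List<string> items = new List<string>();
    public void Add(string tag) { items.Add(tag); }
    public IEnumerator<string> GetEnumerator() { return items.GetEnumerator(); }
    IEnumerator IEnumerable.GetEnumerator() { return GetEnumerator(); }
}

public static class SerializationDemo
{
    public static Order RoundTrip(Order order)
    {
        var serializer = new DataContractSerializer(typeof(Order));
        using (var stream = new MemoryStream())
        {
            serializer.WriteObject(stream, order);
            stream.Position = 0;
            return (Order)serializer.ReadObject(stream);
        }
    }

    public static void Main()
    {
        Order original = new ExpressOrder { Id = 7, Hours = 4, Tags = new TagList { "fragile" } };
        Order copy = RoundTrip(original);
        Console.WriteLine("{0} {1} [{2}]", copy.GetType().Name, copy.Id, string.Join(",", copy.Tags));
    }
}
```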
NetDataContractSerializer
Many .NET Framework collection types such as List<T>, ArrayList, Dictionary<TKey,TValue> and Hashtable are not supported by the NetDataContractSerializer in partial trust. These types have the [Serializable] attribute set, and as stated previously in the Serialization section, this attribute is not supported in partial trust. The DataContractSerializer treats collections in a special way and is thus able to get around this restriction, but the NetDataContractSerializer has no such mechanism to circumvent this restriction.
The DateTimeOffset type is not supported by the NetDataContractSerializer in partial trust.
A surrogate cannot be used with the NetDataContractSerializer (using the SurrogateSelector mechanism) when running in partial trust. Note that this restriction applies to using a surrogate, not to serializing it.
Enabling Common Behaviors to Run
Service or endpoint behaviors not marked with the AllowPartiallyTrustedCallersAttribute attribute (APTCA) that are added to the <commonBehaviors> section of a configuration file are not run when the application runs in a partial trust environment, and no exception is thrown when this occurs. To enforce the running of common behaviors, you must do one of the following:
Mark your common behavior with the AllowPartiallyTrustedCallersAttribute attribute so that it can run when deployed as a partial trust application. Note that a registry entry can be set on the computer to prevent APTCA-marked assemblies from running.
If the application is deployed as a fully-trusted application, ensure that users cannot modify the code-access security settings to run the application in a partial trust environment. If they can do so, the behavior does not run and no exception is thrown. To ensure this, see the levelfinal option using Caspol.exe (Code Access Security Policy Tool).
For an example of a common behavior, see How to: Lock Down Endpoints in the Enterprise.
Configuration
With one exception, partially-trusted code can only load WCF configuration sections in the local app.config file. Loading WCF configuration sections that reference WCF sections in machine.config or in a root web.config file requires ConfigurationPermission(Unrestricted). Without this permission, references to WCF configuration sections (behaviors, bindings) outside of the local configuration file result in an exception when the configuration is loaded.
The one exception is known-type configuration for serialization, as described in the Serialization section of this topic.
Important
Configuration extensions are only supported when running under Full Trust.
Diagnostics
Event Logging
Limited event logging is supported under partial trust. Only service activation faults and tracing/message logging failures are logged to the Event Log. The maximum number of events that can be logged by a process is 5, to avoid writing excessive messages to the Event Log.
Message Logging
Message logging does not work when WCF is run in a partial trust environment. If enabled under partial trust, it does not fail service activation, but no message is logged.
Tracing
Restricted tracing functionality is available when running in a partial trust environment. In the <listeners> element in the configuration file, the only types that you can add are TextWriterTraceListener and the new EventSchemaTraceListener. Use of the standard XmlWriterTraceListener may result in incomplete or incorrect logs.
Supported trace sources are:
System.IdentityModel.Claims, System.IdentityModel.Policy, System.IdentityModel.Selectors, and System.IdentityModel.Tokens.
The following trace sources are not supported:
The following members of the TraceOptions enumeration should not be specified:
When using tracing in a partial trust environment, ensure that the application has sufficient permissions to store the output of the trace listener. For example, when using the TextWriterTraceListener to write trace output to a text file, ensure that the application has the necessary FileIOPermission required to successfully write to the trace file.
Note
To avoid flooding the trace files with duplicate errors, WCF disables tracing of the resource or action after the first security failure. There is one exception trace for each failed resource access, the first time an attempt is made to access the resource or perform the action.
WCF Service Host
WCF service host does not support partial trust. If you want to use a WCF service in partial trust, do not use the WCF Service Library Project template in Visual Studio to build your service. Instead, create a new Web site in Visual Studio by choosing the WCF service Web site template, which can host the service in a Web server on which WCF partial trust is supported.
Other Limitations
WCF is generally limited to the security considerations imposed upon it by the hosting application. For example, if WCF is hosted in a XAML Browser Application (XBAP), it is subject to XBAP limitations, as described in Windows Presentation Foundation Partial Trust Security.
The following additional features are not enabled when running WCF in a partial trust environment:
Windows Management Instrumentation (WMI)
Event logging is only partially enabled (see discussion in Diagnostics section).
Performance counters
Use of WCF features that are not supported in a partial trust environment may result in exceptions at run time.
Unlisted Features
The best way to discover that a piece of information or action is unavailable when running in a partial trust environment is to try to access the resource or do the action inside of a try block, and then catch the failure. To avoid flooding the trace files with duplicate errors, WCF disables tracing of the resource or action after the first security failure. There is one exception trace for each failed resource access, the first time an attempt is made to access the resource or perform the action.