I'm doing shared hosting with GoDaddy and I developed a sample ASP.NET MVC app using Castle Windsor and unfortunately, it didn't work in a medium trust setting. Specifically, I got this error: "[SecurityException: That assembly does not allow partially trusted callers"... etc. GoDaddy is sadly not flexible in their trust policy.
I'm not tied to Windsor and would like to try another one that will work under Medium Trust. I'd actually like to use NInject, but I've read people having mixed success. The only one I've read that works with no problem is Microsoft's Unity.
My question is, does NInject work in medium trust? If not, what are my options?
Some DI frameworks use lightweight code generation and don't work in medium trust. NInject is one of them. You may try setting the UseReflectionBasedInjection switch to true which will use reflection which might be worth a try if performance is not an issue for you.
If you want Windsor working under partial trust you currently have to build it from source with the AllowPartiallyTrustedCallersAttribute. The easiest way to do this is using horn, see this thread.
Otherwise take a look at Unity or AutoFac, I think they have the APTCA by default.
Related
I've inherited a project which was running on a host who had set up Full Trust, as this is required for the Castle Windsor IoC. The new host, however, will only run in Medium Trust (as do most shared hosting providers), so I need to replace Windsor with another IoC.
Being fairly new to IoC, I'm not sure which framework(s) are best to use under Medium Trust and with the Service Locator model.
An example of existing registration code is as follows:
IWindsorContainer container = new WindsorContainer();
ControllerBuilder.Current.SetControllerFactory(new WindsorControllerFactory(container));
container.RegisterControllers(typeof(HomeController).Assembly);
container.Register(
Component.For(typeof(IEntityDuplicateChecker))
.ImplementedBy(typeof(EntityDuplicateChecker))
.Named("entityDuplicateChecker"));
container.Register(
AllTypes
.FromAssemblyNamed("Salient.Website.Data")
.Pick()
.WithService.FirstNonGenericCoreInterface("Salient.Website.Core"));
container.Register(
AllTypes
.FromThisAssembly()
.Pick()
.WithService.FirstNonGenericCoreInterface("Salient.Website.ApplicationServices"));
ServiceLocator.SetLocatorProvider(() => new WindsorServiceLocator(container));
It would save me a lot of trial-and-error with each framework, if I had some guidance of which ones will be suitable, work under medium trust shared hosting, and hopefully an example of translating the above to get started.
The partial trust requirement of your hoster is odd, since Microsoft has provided guidance to hosters that they should migrate away from Medium Trust and use proper OS-level isolation instead (see here and here and here). The official position of the ASP.NET team is that Medium Trust is obsolete, which means that new features and frameworks wont be tested for partial trust support and bugs in that area won't get fixed.
Nevertheless, there are other frameworks that will run in partial trust:
Simple Injector (which I maintain) is designed and tested for partial trust scenarios.
Ninject has special builds for medium trust environments.
There might be others, but these are the ones I know of.
I started developing a new MVC app with Entity Framework code-first and Unity for dependency injection. I used EF5 and Unity because I thought they were supposed to work in Medium Trust. However, when I threw the <trust level="Medium" /> tag in my web.config, I started getting Reflection Permission exceptions.
It always seems like whenever I go beyond using built-in things like the System.Data.SqlClient ADO.net stuff I always run into problems in Medium Trust. Auto-Mapper: fail. NHibernate: fail. MySQL: fail. EF5 Code-first: fail. IOC: fail.
Am I just chasing a pipe-dream? Is it possible to achieve a well-architected and testable web application using modern technology that will run in Medium Trust?
In the age of VMs/Virtual Servers/Cloud Computing (and even a few shared hosts that will set your application pools to Full Trust) has anyone found developing for Medium Trust to be worth the effort?
The official position of the ASP.NET team is that Medium Trust is obsolete. This means a few things:
We are automatically resolving all Medium Trust-related bugs reported to us as "won't fix".
We have provided guidance to hosters that they should migrate away from Medium Trust and use proper OS-level isolation instead (http://support.microsoft.com/kb/2698981).
We are removing Medium Trust support from the frameworks we develop (MVC, WebAPI, SignalR, and so on). Going forward, applications built on these frameworks will require Full Trust.
Here, the term "Medium Trust" above to refers to all non-Full Trust configurations in ASP.NET, including use of the built-in trust levels (Minimal, Low, Medium, High) or any custom trust levels.
Edit 26 May 2015: The .NET Framework as a whole has deprecated partial trust, and customers are advised not to rely on it as a security boundary. From MSDN:
Code Access Security in .NET Framework should not be used as a
security boundary with partially trusted code, especially code of
unknown origin. We advise against loading and executing code of
unknown origins without putting alternative security measures in
place.
In general everything that needs Reflection in deep way can't run on Medium Trust
In your case:
Automapper: use reflection to discover matching properties and memory stream to clone them (there is a version around that actually works in medium trust with some limitation)
NHIbernate: use reflection emit to allow Lazy Loading becase the lazy loading in NH is implemented by proxies (to avoid this you can disable Lazy Loading or to use a the NHibernate ProxyGenerator that is an utility that help to pre-create Proxies)
Nhibernate ProxyGenerator
EF: Actually I didn't find big issues with EF and Medium Trust....is don't serialize object with associations or collections
IoC: IoC is the Killer Application of reflection :) you can try AutoFac that works on Medium Trust
AutoFac
In general Medium Trust is a big limitation...but it all depends on what kind of project you are working on.
Consider also to use some Full Trust hosting like Arvixe
Hope this helps
I have created a simple bare web site with NHibernate running under Medium Trust and despite all the research I have done saying it should work I can not get the simplest of examples working. Here are my steps
Create new web site in VS2012 targeting .Net 4.0.
Add FluentNHibernate via NuGet. Also add NHibernate.DependencyInjection package. Also installs NHibernate 3.3.3.
Configure web.config to run in Medium Trust.
Create simple session factory. Connect to a MSSQL database. Use CurrentSessionContext(typeof(ManagedWebSessionContext).FullName)
At this point, everyone seems to suggest all you have to do in Application_Start is call
NHibernate.DependencyInjection.Initializer.RegisterBytecodeProvider();
But when I do that I get the dreaded System.Security.Permissions.ReflectionPermission. Looking at the source of DependencyInjection it suggests that ReflectionPermission is supposed to be granted for the injection stuff to work. But Medium Trust explicitly forbids ReflectionPermission. If I just skip the DependencyInjection stuff and try to use NHibernate as-is (which some people seem to suggest might just work) then I still get the same SecurityExceptions.
So you see the catch-22 that I am in. It sounds like I need to use DependencyInjection to get Medium Trust to work, yet DependencyInjection requires permission that Medium Trust doesn't provide.
IIRC, NH3 will not run in a default Medium Trust environment.
It can run in customized "medium trust" configurations that some shared hosting providers use. You need to test with the specific policy you will be targeting.
I am in the planning stages of developing a large web application written in Flex and was wondering if anyone has actually used FluorineFX in a large production environment?
The documentation and online community makes it seem like it could be abandoned in the years to come and I have yet to read about it being used in production.
I have been assessing Weborb as well, but the costs are extremely high and I'm not entirely satisfied with the general workflow/setup of it. Are there any other solutions out there that I should consider?
I've used FlourineFx with great success in a large product with a Flex 3 client, and it actually works better than the ColdFusion (Adobe LiveCycle) product it replaced. It does require some configuration to work correctly, but it seems to work quite well once your config files are set up -- then again, its the same config files that Adobe LiveCycle need.
Not sure about FlourineFX. It looks like it is either just getting started or ending.
Working with DotNet and Flex, I would recommend writing the Flex Client and using ASP.NET web services to communicate. Microsoft ASP.NET MVC is a wonderful framework that is free and well supported. See: http://www.asp.net/mvc
The advantage of using a web service is that the client can change so that if you decide against Flex in the future or decide to use a Mobile Client then the service will remain the same. Plus, ASP.NET MVC has been proven on some very large sites like SO here.
Hope this helps.
Disclaimer: I have limited ASP.Net skills
I have a couple of websites which I am transferring from my current hosting onto the Mosso hosting service. When I tried transferring one of the websites, I got the error "System.Security.SecurityException: That assembly does not allow partially trusted callers.", which appears to have to do with the fact that Mosso runs on Medium Trust for ASP.Net apps, and the code in the website appears to require full-trust.
Unfortunately, I don't have access to the full source code for the app, and the original developer is not available. Is there any easy workaround to porting these websites? I tried adding in web.config but that didn't work.
I don't think asking Mosso to adjust the security level is an option, because they had refused when I asked them.
Does anybody have any ideas?
Is your assembly strong named? Does it call strong named assemblies?
You should apply the 'AllowPartiallyTrustedCallers` attribute to the Assembly. More information about this attribute is available here.
From the docs:
By default, a strong-named assembly
that does not explicitly apply this
attribute at assembly level to allow
its use by partially trusted code can
be called only by other assemblies
that are granted full trust by
security policy. This restriction is
enforced by placing a LinkDemand for
FullTrust on every public or protected
method on every publicly accessible
class in the assembly. Assemblies that
are intended to be called by partially
trusted code can declare their intent
through the use of the
AllowPartiallyTrustedCallersAttribute.
See this MSDN article for more information.
Edit:
Some information that confirms my suspicions that the APTCA attribute is a possible solution to the problem:
https://support.isqsolutions.com/article.aspx?id=10334
http://bloggingabout.net/blogs/rick/archive/2006/04/07/11929.aspx
Sorry to say but unless they allow you to set the trust level, you could have big issues. You could have a look here.
Professional ASP.NET 2.0 Security, Membership, and Role Management
Almost exactly the same thing happened to me, except the my hosting company changed their trust policy after I a number of websites running on their servers for a couple of years. In the end I had to give up and move to DiscountASP as they overrode <trust level="Full" /> in my congfig file.
Here was my original question.
ASP.NET WebPermission Security Exception
Good luck
I know this is old, but I thought I'd add something to it that might help. Mosso's change to Medium trust caused us some issues as well.
We use BlogEngine.NET and access MySQL for its backend. We had the MySQL dll in our bin directory and that was causing issues with medium trust. Once Mosso added a MySQL dll to the GAC, we were able to use it successfully.
Obviously, I don't know your particular details and what you are trying to do, but if it is related to MySQL, let me know.