Security Exception

Feb 24, 2009 at 12:25 PM
Edited Feb 24, 2009 at 12:25 PM
I have used the XmlProvider for my website to control membership and roles.  Recently, I completed a profile viewing and updating page.  It works fine in VS 2008 but when uploaded to the server, a security exception error is generated.  Is this natural?  Is there any way around it (my host refuses to up the trust level of any hosted apps)?

Thanks in advance.

CapnAhab
Feb 25, 2009 at 7:17 AM
I don't think this is directly related to ASP.NET XmlProviders.
However, you probably have to add in your project's AssemblyInfo.cs the attribute AllowPartiallyTrustedCallers like this:

[assembly: AllowPartiallyTrustedCallers]

Regards
Feb 25, 2009 at 1:35 PM
Thanks for responding so quickly, but I'm not 100% sure I know what to do here.  First off, I only use VB - I'm not very good at all with C!

My (limited) understanding is that if I use an AssemblyInfo.vb does that not mean I have to precompile my website before deployment?  I've never done that before - I have always just uploaded *normal* files to the server.

Also, is [assembly: AllowPartiallyTrustedCallers] the same as <Assembly: System.Security.AllowPartiallyTrustedCallers()>?  That is the only way VS would accept the input as valid.

Lastly, was I correct to just copy Artem.XmlProviders.dll and Artem.XmlProviders.pdb into the /bin folder or should I have added something in a .config file somewhere etc.?
Like I said - it works fine on my development PC, just not on the server, so I thought I had done everything correctly. 
BTW - thank you so much from everyone who uses these providers for writing them.

Thanks again,

CapnAhab
Jun 2, 2010 at 11:12 PM

I'm running into this same problem, and I don't have control over the server to where I can adjust the security settings. Currently, my account can only handle up to "Medium" trust settings, not "Full". Why does the Profile provider require more trust than the Membership and Role providers? What exactly is it doing differently? The problem seems to stem from the "PrepareDataForSaving" function.

 

Server Error in '/' Application.

Security Exception

Description: The application attempted to perform an operation not allowed by the security policy.  To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.

Exception Details: System.Security.SecurityException: Request for the permission of type 'System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.

Source Error:

Line 584:            allNames = builder1.ToString();
Line 585:            allValues = builder2.ToString();
Line 586:        }
Line 587:        #endregion
Line 588:


Source File: e:\kunden\homepages\28\d241331304\App_Code\Artem.XmlProviders\XmlProfileProvider.cs    Line: 586

Stack Trace:

[SecurityException: Request for the permission of type 'System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.]
   Artem.Web.Security.XmlProfileProvider.PrepareDataForSaving(String& allNames, String& allValues, Byte[]& buf, Boolean binarySupported, SettingsPropertyValueCollection properties, Boolean userIsAuthenticated) in e:\kunden\homepages\28\d241331304\App_Code\Artem.XmlProviders\XmlProfileProvider.cs:586
   Artem.Web.Security.XmlProfileProvider.SetPropertyValues(SettingsContext context, SettingsPropertyValueCollection collection) in e:\kunden\homepages\28\d241331304\App_Code\Artem.XmlProviders\XmlProfileProvider.cs:400
   System.Configuration.SettingsBase.SaveCore() +375
   System.Configuration.SettingsBase.Save() +93
   System.Web.Profile.ProfileBase.SaveWithAssert() +31
   System.Web.Profile.ProfileBase.Save() +63
   System.Web.Profile.ProfileModule.OnLeave(Object source, EventArgs eventArgs) +8774796
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +68
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75
Jun 4, 2010 at 3:41 PM
Edited Jun 4, 2010 at 4:09 PM

After doing some digging, I found that the problem has to do with "SettingsPropertyValue.SerializedValue" which requires more permissions to use than typical shared servers provide. More information can be found:

http://msdn.microsoft.com/en-us/library/system.configuration.settingspropertyvalue.serializedvalue.aspx

I'm not really sure what's going on when this property gets called, but I'm currently trying to figure out what the code is doing so I can re-write it without its use. If we can get around this, I suspect it will work on the server.

Jun 4, 2010 at 4:56 PM

Got it!

For a week I've been searching all over the web trying to figure out what this problem is, and once I found out, I spent yesterday and today trying to understand and find a way around.

The solution: In your web.config file, make all of your profile values strings. This will keep it serialized without having to convert value types. You'll just have to do any conversions in the webpages that use the profile. Since everything is a string, you can just use "PropertyValue" in place of the calls to "SerializedValue." There are 3 places this must be done in XmlProfileProvider.cs: lines 484, 489, and 542.

Works awesome! I hope me posting my process and solution can help others. I know I was frustrated looking for one.
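
A web.config sketch of the string-only profile described in the post above, added here as an illustration and not taken from the thread or from the XmlProviders project. The property names are hypothetical, any provider-specific attributes are omitted, and the `<trust>` element is included so the development machine runs under the same Medium trust as the host and shows the exception before upload.

```xml
<!-- Added example. Element and attribute names are standard ASP.NET
     configuration; the property names (BirthDate, PostsPerPage, Newsletter)
     are hypothetical. -->
<configuration>
  <system.web>
    <!-- Run the development site under the host's trust level so the
         SecurityException appears locally instead of only after upload. -->
    <trust level="Medium" />

    <profile enabled="true" defaultProvider="XmlProfileProvider">
      <providers>
        <clear />
        <!-- Type name taken from the stack trace above. Append the assembly
             name after a comma if the provider is deployed as a DLL in /bin
             instead of as source in App_Code. -->
        <add name="XmlProfileProvider"
             type="Artem.Web.Security.XmlProfileProvider" />
      </providers>
      <properties>
        <!-- Before: typed properties, which need conversion when saved.
        <add name="BirthDate"    type="System.DateTime" />
        <add name="PostsPerPage" type="System.Int32"   defaultValue="20" />
        <add name="Newsletter"   type="System.Boolean" defaultValue="false" />
        -->
        <!-- After: every value is stored as a string; the pages that use
             the profile parse and validate each value when they read it. -->
        <add name="BirthDate"    type="System.String" serializeAs="String" />
        <add name="PostsPerPage" type="System.String" serializeAs="String"
             defaultValue="20" />
        <add name="Newsletter"   type="System.String" serializeAs="String"
             defaultValue="false" />
      </properties>
    </profile>
  </system.web>
</configuration>
```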

Jun 9, 2010 at 6:53 AM

Hi guys,

Great contribution.
Thanks a lot.
As soon as I find some time, I will update the code and issue a release.

Regards