ASP.NET MVC Application has SecurityException

I am trying to get an ASP.NET MVC application to work ... I should have known it would not be easy. The first few pages work, but they are all static. The first time I execute the checker, I get the below exception.

Here's how the controller works:

[AcceptVerbs(HttpVerbs.Get)]
public ActionResult Index(Section? section, int? parent)
{
    if (section == null)
    {
        return RedirectToAction("Index", "Questions", new {section = Section.Section0});
    }

    IPagedList<Question> questions = _surveyService.FetchQuestions(User.Identity.Name, section.Value, parent);

    // ...

    ViewResult result = View("Index", questions);
    result.ViewData.Add("CurrentSection", section.Value);
    result.ViewData.Add("Parent", parent);
    result.ViewData.Add("IsLastPage", questions.IsLastPage);

    return result;
}

An exception was thrown on the second line of the method in RedirectToAction().

Background:

  • I followed the instructions in this answer.
  • I am not using reflection or requiring security explicitly in my code.
  • I am using MVC, LINQ to SQL, Elmah and PagedList.
  • I am using IIS 7 with Built in .
  • I added [assembly: AllowPartiallyTrustedCallers] to my AssemblyInfo.cs. I did this because I found another Stack Overflow question that had an answer recommending it (I can't find it now, otherwise I would provide a link). I've also strongly named my builds as suggested by Rex M below.

What am I missing to make this work?

An exception:

Server Error in '/surveys/objectification' Application.
    Security Exception
    Description: The application attempted to perform an operation not allowed by the security policy.  To grant this application the required permission please contact your system administrator or change the application trust level in the configuration file.

    Exception Details: System.Security.SecurityException: That assembly does not allow partially trusted callers.

    Source Error:

    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

    Stack Trace:

    [SecurityException: That assembly does not allow partially trusted callers.]
       SelfObjectificationSurvey.Web.Controllers.QuestionsController.Index(Nullable`1 section, Nullable`1 parent) +0
       lambda_method(ExecutionScope , ControllerBase , Object[] ) +123
       System.Web.Mvc.ActionMethodDispatcher.Execute(ControllerBase controller, Object[] parameters) +17
       System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters) +178
       System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters) +24
       System.Web.Mvc.<>c__DisplayClassa.<InvokeActionMethodWithFilters>b__7() +53
       System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodFilter(IActionFilter filter, ActionExecutingContext preContext, Func`1 continuation) +258
       System.Web.Mvc.<>c__DisplayClassc.<InvokeActionMethodWithFilters>b__9() +20
       System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodWithFilters(ControllerContext controllerContext, IList`1 filters, ActionDescriptor actionDescriptor, IDictionary`2 parameters) +193
       System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName) +382
       System.Web.Mvc.Controller.ExecuteCore() +123
       System.Web.Mvc.ControllerBase.Execute(RequestContext requestContext) +23
       System.Web.Mvc.ControllerBase.System.Web.Mvc.IController.Execute(RequestContext requestContext) +7
       System.Web.Mvc.MvcHandler.ProcessRequest(HttpContextBase httpContext) +144
       System.Web.Mvc.MvcHandler.ProcessRequest(HttpContext httpContext) +54
       System.Web.Mvc.MvcHandler.System.Web.IHttpHandler.ProcessRequest(HttpContext httpContext) +7
       System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +181
       System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75


    Version Information: Microsoft .NET Framework Version:2.0.50727.3074; ASP.NET Version:2.0.50727.4049

      

+2




5 answers


Another thing you can check is that according to this article, there are several .NET types that cannot be used in a partially trusted assembly, even though it has been decorated with the AllowPartiallyTrustedCallersAttribute.

For a complete list, see .NET Framework Assemblies and the AllowPartiallyTrustedCallers Attribute.

Update 2: Are you sure all third-party assemblies you call are also decorated with the AllowPartiallyTrustedCallers attribute?

For example, looking at AssemblyInfo.cs for PagedList 1.1, it doesn't seem to contain this attribute.

Update 1: You are correct, this list of unusable types looks very outdated.

This LINQ to SQL FAQ has some interesting information about using in a partial trust environment:

APTCA

Q. Is System.Data.Linq flagged for use by partially trusted code?

A. Yes, the System.Data.Linq.dll assembly is among those .NET Framework assemblies that are marked with the AllowPartiallyTrustedCallersAttribute attribute. Without this mark, assemblies in the .NET Framework are intended to be used only by fully trusted code.

The main scenario in LINQ to SQL for providing partially trusted subscribers is to enable the LINQ to SQL assembly to access web applications where the trust configuration is Medium.

+2




Are your builds strong-named?



The AllowPartiallyTrustedCallersAttribute is only effective when a strong-named assembly is applied at the assembly level.

+2




Leave your builds one by one to find out who the culprit is. No need to guess. I had this problem with Microsoft Enterprise Libraries.

+2
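The checks suggested in the answers above (whether every third-party assembly carries AllowPartiallyTrustedCallers, and going through the assemblies one by one) can be automated. This is an added example, not code from the original posts: a console tool, run in full trust, that inspects each DLL in a bin folder without executing it. The class name AptcaAudit and the bin-directory argument are assumptions.

```csharp
using System;
using System.IO;
using System.Reflection;
using System.Security;

// Added diagnostic (not from the original posts): reports, for each assembly
// in a bin folder, whether it is strong-named and whether it carries APTCA.
static class AptcaAudit
{
    static int Main(string[] args)
    {
        // Assumption: the first argument is the web application's bin directory.
        string binDir = args.Length > 0 ? args[0] : ".";
        string aptca = typeof(AllowPartiallyTrustedCallersAttribute).FullName;
        // Dependencies must also be loaded reflection-only: same folder first, then the GAC.
        AppDomain.CurrentDomain.ReflectionOnlyAssemblyResolve += (sender, e) =>
        {
            string local = Path.Combine(binDir, new AssemblyName(e.Name).Name + ".dll");
            return File.Exists(local)
                ? Assembly.ReflectionOnlyLoadFrom(local)
                : Assembly.ReflectionOnlyLoad(e.Name);
        };

        int suspects = 0;
        foreach (string path in Directory.GetFiles(binDir, "*.dll"))
        {
            try
            {
                Assembly asm = Assembly.ReflectionOnlyLoadFrom(path);
                byte[] token = asm.GetName().GetPublicKeyToken();
                bool strongNamed = token != null && token.Length > 0;
                bool hasAptca = false;
                foreach (CustomAttributeData cad in CustomAttributeData.GetCustomAttributes(asm))
                    if (cad.Constructor.DeclaringType.FullName == aptca) hasAptca = true;
                // A strong-named assembly without APTCA rejects partially trusted callers.
                bool suspect = strongNamed && !hasAptca;
                if (suspect) suspects++;
                Console.WriteLine("{0,-40} strong-named={1,-5} APTCA={2,-5} {3}",
                    Path.GetFileName(path), strongNamed, hasAptca, suspect ? "<-- check" : "");
            }
            catch (Exception ex)
            {
                // Native DLLs or unresolved dependencies end up here.
                Console.WriteLine("{0,-40} not inspected: {1}", Path.GetFileName(path), ex.GetType().Name);
            }
        }
        return suspects; // exit code = number of flagged assemblies
    }
}
```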




You may need full trust mode to run your code. Most hosts only allow trust on the environment, like GoDaddy does. You may need to switch host to another, which will give you complete trust.

While MVC itself shouldn't require more than trusting the environment, your other code might. You only need to check the runtime type in your code to accept reflection, which in turn has full trust.

+1




LINQ to SQL can be a problem - LINQ to SQL usually generates a stored procedure. If your code tries to do this in a trusted environment, it might throw an APTCA exception.

0








