
Check Code Access Security Permissions Granted to Your ASP.NET Web Application

Last week a developer sent me a question asking how he could change the trust level for his web application. I immediately asked, why do you care? He told me that he has a web site hosted in a shared environment and the application is running under partially trusted settings. I was still adamant on the same question: why do you care?

If you look at the common tasks that a typical web application performs in its lifetime, they can be classified something like the following.

  • Connect to a database and manipulate data.
  • Access some files for reading and, at times, writing.
  • Call into a web service.
  • Use some third-party component that may rely on legacy unmanaged code and call into it through interop.

If the security configuration lets you perform these operations, then it should not matter to you that your web application is running under partial trust. The .NET Framework uses Code Access Security policies to control which operations an application can perform and which resources it can access. These policies are configured to allow or deny an application access to resources. For web applications, this is controlled by the trust configuration settings in the system.web block. If you look in the machine.config file on your system, you will find the following configuration setting.

<section name="trust" 
    System.Web, Version=, Culture=neutral, 
    allowDefinition="MachineToApplication" />

Then, in the web.config file on your machine, you will find the following entries.

    <trustLevel name="Full" policyFile="internal" />
    <trustLevel name="High" policyFile="web_hightrust.config" />
    <trustLevel name="Medium" policyFile="web_mediumtrust.config" />
    <trustLevel name="Low" policyFile="web_lowtrust.config" />
    <trustLevel name="Minimal" policyFile="web_minimaltrust.config" />
    <trust level="Full" originUrl="" />

You can see that the default trust level is set to "Full", which means complete unrestricted access to all resources for all web applications. But if your web site is hosted on a shared server with some ISP, this would not be the case. The service provider may have set the trust level of all applications to some value other than "Full", and in that case the permissions specified in the "policyLevel" of that level apply. You can see that each trust level configuration has a different policyFile value set. You can find these files in the CONFIG folder under SYSTEM/Windows/Microsoft.Net/{.Net Version Folder}. You can look at these files to see what kind of permissions are granted for the different trust levels.

In the Microsoft documentation on best practices you will find the following diagram, which describes the typical permissions that a web application may need depending on the type of operations it needs to perform.

To check what kind of unrestricted permissions have been granted to the web application, I created a small code snippet along with a table control to display the allowed and denied permissions. The following images show typical permissions for three different trust levels.

[Images: granted permissions under Low Trust, Medium Trust, and High Trust]

So if you run into a situation where your hosting provider is running your web application under a trust level that does not fulfill your needs, create a minimum permission plan for your application, change the trust configuration file on your own machine first, and test it. Then talk to your hosting provider, explain what your minimum permission needs are, and give them your config file. I am sure that they will accommodate your needs and may create a separate configuration for your site's location.
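The policy files mentioned above can also be read offline to compare a minimum permission plan against what a trust level grants. The following Python script is an added example, not part of the original article; the embedded policy excerpt is constructed and simplified, and the function names and the list of required permissions are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified excerpt in the layout of an ASP.NET trust policy file
# (sample data for this example, not copied from a real web_mediumtrust.config).
SAMPLE_POLICY = """
<configuration><mscorlib><security><policy>
 <PolicyLevel version="1">
  <NamedPermissionSets>
   <PermissionSet class="NamedPermissionSet" version="1" Name="ASP.Net">
    <IPermission class="FileIOPermission" version="1"
                 Read="$AppDir$" Write="$AppDir$" PathDiscovery="$AppDir$"/>
    <IPermission class="SqlClientPermission" version="1" Unrestricted="true"/>
    <IPermission class="DnsPermission" version="1" Unrestricted="true"/>
    <IPermission class="SecurityPermission" version="1"
                 Flags="Execution, ControlThread"/>
    <IPermission class="WebPermission" version="1">
     <ConnectAccess><URI uri="$OriginHost$"/></ConnectAccess>
    </IPermission>
   </PermissionSet>
  </NamedPermissionSets>
 </PolicyLevel>
</policy></security></mscorlib></configuration>
"""

def granted_permissions(policy_xml, set_name="ASP.Net"):
    """Map permission class -> 'unrestricted' or 'restricted' for one named set."""
    root = ET.fromstring(policy_xml)
    result = {}
    for pset in root.iter("PermissionSet"):
        if pset.get("Name") != set_name:
            continue
        for perm in pset.findall("IPermission"):
            # The class may be a short name or an assembly-qualified type name.
            short = perm.get("class", "").split(",")[0].split(".")[-1]
            unrestricted = perm.get("Unrestricted", "").lower() == "true"
            result[short] = "unrestricted" if unrestricted else "restricted"
    return result

def audit(policy_xml, required):
    """Compare the permissions an application needs with what the policy grants."""
    granted = granted_permissions(policy_xml)
    return {name: granted.get(name, "absent") for name in required}

if __name__ == "__main__":
    # Hypothetical minimum permission plan for an application.
    plan = ["SqlClientPermission", "FileIOPermission", "WebPermission",
            "RegistryPermission", "OleDbPermission"]
    for name, state in audit(SAMPLE_POLICY, plan).items():
        print(f"{name:22} {state}")
```

A permission reported as "restricted" is granted only for the listed scope (for example the application directory), so a runtime check that asks for the unrestricted form of that permission reports it as not granted.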

Sample Code

// Namespaces required at the top of the code-behind file:
using System.Data.OleDb;
using System.Data.SqlClient;
using System.Diagnostics;
using System.Net;
using System.Security;
using System.Security.Permissions;

// Inside the page (for example in Page_Load): each label is set to "Yes"
// only when the unrestricted form of the permission has been granted.
if (SecurityManager.IsGranted(new SqlClientPermission(PermissionState.Unrestricted)))
    ctlSqlClientPermission.Text = "Yes";

if (SecurityManager.IsGranted(new RegistryPermission(PermissionState.Unrestricted)))
    ctlRegistryPermission.Text = "Yes";

if (SecurityManager.IsGranted(new DnsPermission(PermissionState.Unrestricted)))
    ctlDnsPermission.Text = "Yes";

if (SecurityManager.IsGranted(new EnvironmentPermission(PermissionState.Unrestricted)))
    ctlEnvironmentPermission.Text = "Yes";

if (SecurityManager.IsGranted(new OleDbPermission(PermissionState.Unrestricted)))
    ctlOleDbPermission.Text = "Yes";

if (SecurityManager.IsGranted(new SecurityPermission(PermissionState.Unrestricted)))
    ctlSecurityPermission.Text = "Yes";

if (SecurityManager.IsGranted(new SocketPermission(PermissionState.Unrestricted)))
    ctlSocketsPermission.Text = "Yes";

if (SecurityManager.IsGranted(new FileIOPermission(PermissionState.Unrestricted)))
    ctlFileIOPermission.Text = "Yes";

if (SecurityManager.IsGranted(new EventLogPermission(PermissionState.Unrestricted)))
    ctlEventLogPermissions.Text = "Yes";

if (SecurityManager.IsGranted(new WebPermission(PermissionState.Unrestricted)))
    ctlWebPermission.Text = "Yes";

To try different scenarios, you can add the following line to the web.config of your application. If you set the trust level to anything other than "Full", you will not be able to run the application in debug mode. You will have to set the "debug" value in web.config to "false".

<trust level="Low"></trust>						

If you have any questions, feel free to contact us.

Copyright © Netomatix