Specifying the Custom Trust Level in the Application
The final step is to specify the new custom trust level you created for the ASP.NET application, or for all ASP.NET applications running on the machine. To specify that an application should run under the new custom trust level, named CustomMedium
, you add this attribute to its Web.config
<trust level="CustomMedium" originUrl="" />
To specify that all ASP.NET applications on the machine should run under the new CustomMedium
trust level, edit the <trust>
element immediately after the closing </securityPolicy>
element in your root Web.config
file (in the %WINDIR%\Microsoft.NET\Framework\v2.0.50727\CONFIG
folder) to specify this trust level:
Running an ASP.NET Application in Custom Medium Trust Mode
<trust level="CustomMedium" originUrl="" />
After you configure a suitable trust mode, and specify it in your Web.config
file, you can add the Enterprise Library blocks you want to use in your application. Run the Enterprise Library Configuration Console from your Start menu and open the Web.config
file for your site or application into the console. Use the right-click context menus to add the blocks, and configure them using the properties displayed in the right-hand window of the console. When complete, save the updated Web.config
|Author's Note: For details of using the Configuration Console to configure an ASP.NET application, and how the example used in this section uses the Enterprise Library application blocks, see the article "Working with Enterprise Library in ASP.NET."
To run in any of the partial trust modes, Enterprise Library requires you to add the attribute requirePermission="false"
to the individual <section>
elements in the <configSections>
section of the configuration file. While you need to add it only to the entries for blocks that you use, and that require special permissions in partial trust mode, it is actually easier to add it to all of the <section>
<!-- must manually add: requirePermission="false" -->
<section name="loggingConfiguration" requirePermission="false"
Culture=neutral, PublicKeyToken=null" />
<section name="exceptionHandling" requirePermission="false"
type="Microsoft.Practices...ExceptionHandlingSettings, ..." />
<section name="dataConfiguration" requirePermission="false"
type="Microsoft.Practices...DatabaseSettings, ..." />
<section name="instrumentationConfiguration" requirePermission="false"
type="Microsoft.Practices...CryptographySettings, ..." />
<section name="cachingConfiguration" requirePermission="false"
type="Microsoft.Practices...CacheManagerSettings, ..." />
|Author's Note: In the preceding code, some type names and assembly names have been removed or abridged for clarity.
However, one issue to be aware of is that you must manually edit the Web.config
file after creating it with the Enterprise Library Configuration Console, and every time you update it using the Configuration Console, to add the requirePermission="false"
attribute. In the current version of Enterprise Library (the January 2006 release), the Configuration Console removes the requirePermission="false"
attribute from each <section>
element in the <configSections>
section of the Web.config
file when it saves the file; therefore you must open the file in a text editor or Visual Studio 2005 and add this attribute to every <section>
element after saving your Web.config
All applications should guard against the effects of exceptions arising (including security permission exceptions) for reasons not directly connected with the trust mode. For example, your code may reference a folder that has incorrect file read/write permissions set in the Access Control List (ACL), or attempt to access a network resource for which it does not have permission because the server has been reconfigured.
However, permission exceptions are more likely to occur when you run in a partial trust mode. The major changes you may need to make to your application when using Enterprise Library in less than Full Trust mode are to ensure you handle all possible security (and other) exceptions, and manage them gracefully.
Running the Example Application in Partial Trust Mode
To see the effects of partial trust on the Enterprise Library application block features, and how a custom trust level allows Enterprise Library to run in partial trust modes, the following shows an example application
that uses the Caching Application Block, Data Access Application Block, Logging Application Block, and Cryptography Application Block.
|Figure 2. Security Exception in Medium Trust Mode: Medium Trust mode causes a security exception for the OLE-DB provider in the Data Access Application Block and for the Logging Application Block.|
The first stage is to add a <trust>
element to the application's Web.config
file that forces it to run in the standard Medium Trust mode:
<!-- RUN IN MEDUIM TRUST MODE -->
<trust level="Medium" originUrl="" />
Running the application now generates a security exception because the right-hand list box uses the OLE-DB provider to access a database and populate the list. In Medium Trust mode, the OLE-DB provider does not have permission to execute, and raises an OleDbPermission exception (see Figure 2
Notice also that the error message indicates a second exception. The code to populate the right-hand list box contains in the Catch section a call to the methods of the Logging Application Block. This should create an entry in Windows Event Log if an error occurs. However, in Medium Trust mode, Enterprise Library does not have permission to write to the Event Log, and so the .NET code access security mechanism raises an EventLogPermission exception.
The example lets you create and cache a DataSet generated from a table in the database by the Data Access Application Block. The code to generate the DataSet uses the SqlClient provider, and so will run in Medium Trust mode. However, the Caching Application Block is configured to use the Isolated Storage cache backing store in this example, which uses the .NET serialization features to serialize the data to disk. In Medium Trust mode, attempting to use serialization creates a SecurityPermission exception, as you can see in Figure 3
|Author's Note: Isolated Storage is not an ideal caching mechanism for ASP.NET applications, but it serves to demonstrate the behaviour of trust modes for this example. In a future article, I'll show you how to create your own custom cache backing store provider that can store the cached data using a more suitable mechanism.
|Figure 3. No Serialization in Medium Trust Mode: The Caching Application Block cannot serialize data in Medium Trust mode.|
|Figure 4. No Encryption in Medium Trust Mode: The Cryptography Application Block cannot encrypt data in Medium Trust mode.||
The example page also demonstrates use of the Cryptography Application Block by allowing you to generate a hash for a string value, and encrypt and decrypt a string value using the Rijndael algorithm. While you can create hash values in Medium Trust mode, you cannot encrypt or decrypt data. Figure 4
shows the result of attempting to encrypt the string in the text box above the Get Hash, Encrypt, and Decrypt buttons. The .NET Framework code access security system raises a DataProtectionPermission exception.