Cause for ASP.NET Security Exception

Question

My application is throwing a Security Exception with the following details:

Description: The application attempted to perform an operation not allowed by the security policy

Exception Details: System.Security.SecurityException: Request for the permission of type 'System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.

[SecurityException: Request for the permission of type 'System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.]
   System.Security.CodeAccessSecurityEngine.Check(Object demand, StackCrawlMark& stackMark, Boolean isPermSet) +0
   System.Security.CodeAccessPermission.Demand() +58
   System.Net.ServicePointManager.set_CertificatePolicy(ICertificatePolicy value) +54
   com.paypal.sdk.core.APICallerBase.SetTrustManager() +114

The application's trust level is set to medium and I've added to the [assembly: AllowPartiallyTrustedCallers] attribute to my project's assembly.

What can I do to address this issue? Does the System.dll allow partial trusted callers?

Answer 1

In digging a bit, the paypal method SetTrustManager() may attempt to reassign the ServicePointManager's Certificate Policy. This is OK, but it requires UnmanagedCode permission for the underlying code group.

I suggest you provide this permission in the .Net Framework Config console, and see if that helps.

Alternatively you can set the application's config "TrustAll" parameter to False so that SetTrustManager doesn't mess with the Certificate policy (assuming of course that the said Certificate policy is readily ok for whatever certs you'll need to use, in other words, this TrustAll thing may move past this permission error, but fail later if the Certificates)

In similar situations, I've found that the tools on this MDSN page can be very useful.

(in resp. to javacavaj note) To allow calls to unmanaged code for some assemblies:

Disclosure: I'm not an expert on .NET security model; the following should allow you alter permissions granted to some of your assemblies for diagnostic purposes for the issue at hand. For production purposes, please have your .NET configuration reviewed by a qualified admin as he/she may both ensure that the configuration is safe and suggest some way to structure the code groups, permission sets and other elements in ways that facilitate administration and deployment.

You can alter the .NET security policy with Mscorcfg.msc, i.e. the .Net Framework Configuration console. The details may vary with the .NET version and Windows host, but in general:

• start mscorcfg (Ctrl panel | Admin Tools | Msft .Net Framework Configuration)
• Run Time Policy node, then Manchine (or Enterprise, but better mess w/ local cfg first...)
• Permission Sets node, Click "Create New Permission Set) on right panel
• Provide name/description, next
• Security | Add
• Select Enable Assy execution, Allow calls to unmanaged assemblies and other permissions you may need | OK
• Pick Code Groups Nodes, and navigate down to the group the assembly in question may belong (easier, yet create a group for it; in general you know who qualifies for a given group by seeing the "membership condition" tab in the group properties. Try and use Strong Name or GAC when possible.
• In the Code Group properties's select the desired Permission set; optinally verify that this set is as desired for a given permission with the "View Permission" button.

Et voila...

Rather than the above, I wish I knew of a web site where such procedure can be [better] described. Maybe this Overview of the .NET Security Model can be of help. Googling several of the keywords provided can probably yield relevant pointers as well.