tags:

views:

687

answers:

5
+1  Q: 

ASP.NET MVC app hosted on GoDaddy has SecurityException

I'm trying to get an ASP.NET MVC app working on GoDaddy ... I should have known it wouldn't be easy. The first few pages work, but they are all static. The first time a Controller is executed I get the exception below.

Here is the Controller action method:

[AcceptVerbs(HttpVerbs.Get)]
public ActionResult Index(Section? section, int? parent)
{
    if (section == null)
    {
        return RedirectToAction("Index", "Questions", new {section = Section.Section0});
    }

    IPagedList<Question> questions = _surveyService.FetchQuestions(User.Identity.Name, section.Value, parent);

    // ...

    ViewResult result = View("Index", questions);
    result.ViewData.Add("CurrentSection", section.Value);
    result.ViewData.Add("Parent", parent);
    result.ViewData.Add("IsLastPage", questions.IsLastPage);

    return result;
}

The exception is thrown in the second line of the method at RedirectToAction().

Background:

  • I've followed the instructions in this answer.
  • I'm not using reflection or demanding security explicitly in my code.
  • I'm using MVC, LINQ to SQL, Elmah, and PagedList.
  • I'm using IIS 7 with Integrated mode.
  • I added [assembly: AllowPartiallyTrustedCallers] to my AssemblyInfo.cs. I did this because I found another SO question that had an answer recommending it (I can't find it now, or else I would provide a link). I also strong named my assemblies as suggested by Rex M's answer below.

What am I missing to make this work?

The exception:

Server Error in '/surveys/objectification' Application.
    Security Exception
    Description: The application attempted to perform an operation not allowed by the security policy.  To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.

    Exception Details: System.Security.SecurityException: That assembly does not allow partially trusted callers.

    Source Error:

    An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

    Stack Trace:

    [SecurityException: That assembly does not allow partially trusted callers.]
       SelfObjectificationSurvey.Web.Controllers.QuestionsController.Index(Nullable`1 section, Nullable`1 parent) +0
       lambda_method(ExecutionScope , ControllerBase , Object[] ) +123
       System.Web.Mvc.ActionMethodDispatcher.Execute(ControllerBase controller, Object[] parameters) +17
       System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary`2 parameters) +178
       System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary`2 parameters) +24
       System.Web.Mvc.<>c__DisplayClassa.<InvokeActionMethodWithFilters>b__7()
+53
       System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodFilter(IActionFilter filter, ActionExecutingContext preContext, Func`1 continuation) +258
       System.Web.Mvc.<>c__DisplayClassc.<InvokeActionMethodWithFilters>b__9()
+20
       System.Web.Mvc.ControllerActionInvoker.InvokeActionMethodWithFilters(ControllerContext controllerContext, IList`1 filters, ActionDescriptor actionDescriptor, IDictionary`2 parameters) +193
       System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName)
+382
       System.Web.Mvc.Controller.ExecuteCore()
+123
       System.Web.Mvc.ControllerBase.Execute(RequestContext requestContext) +23
       System.Web.Mvc.ControllerBase.System.Web.Mvc.IController.Execute(RequestContext requestContext) +7
       System.Web.Mvc.MvcHandler.ProcessRequest(HttpContextBase httpContext) +144
       System.Web.Mvc.MvcHandler.ProcessRequest(HttpContext httpContext) +54
       System.Web.Mvc.MvcHandler.System.Web.IHttpHandler.ProcessRequest(HttpContext httpContext) +7
       System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
+181
       System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
+75


    Version Information: Microsoft .NET Framework Version:2.0.50727.3074; ASP.NET Version:2.0.50727.4049
+2  A: 

Are your assemblies strong-named?

AllowPartiallyTrustedCallersAttribute is only effective when applied by a strong-named assembly at the assembly level.

Rex M  2009-09-27 20:48:49
No, they are not. I'll give that a try.
jrummell  2009-09-27 20:52:28
I added a strong name key, recompiled, uploaded and tried it again. It gave the same exception =/
jrummell  2009-09-27 21:07:01
+1  A: 

One other thing you may want to check is that, according to this article, there are some .NET Types that can not be used within a partially trusted assembly, even if it has been decorated with AllowPartiallyTrustedCallersAttribute.

See .NET Framework Assemblies and the AllowPartiallyTrustedCallers Attribute for a full list.

Update 2 Are you sure all the third-party assemblies you are calling are also decorated with the AllowPartiallyTrustedCallers attribute?

eg looking at the AssemblyInfo.cs for PagedList 1.1 it does not seem to contain this attribute.

Update 1: You are right, that list of unusable types does look very dated.

This LINQ to SQL FAQ has some interesting information regarding its usage in a partial trust environment:

APTCA

Q. Is System.Data.Linq marked for use by partially trusted code?

A. Yes, the System.Data.Linq.dll assembly is among those .NET Framework assemblies marked with the AllowPartiallyTrustedCallersAttribute attribute. Without this marking, assemblies in the .NET Framework are intended for use only by fully trusted code.

The principal scenario in LINQ to SQL for allowing partially trusted callers is to enable the LINQ to SQL assembly to be accessed from Web applications, where the trust configuration is Medium.

Amal Sirisena  2009-09-27 21:00:04
That's an old list (.NET 1.1), and I would hope that System.Data.SqlClient isn't still on it.
jrummell  2009-09-27 21:59:44
So far I've removed elmah and I still got the exception, PagedList is next ...
jrummell  2009-09-27 23:48:01
PagedList was the problem, thanks! I recompiled it with the AllowPartiallyTrustedCallers attribute and it worked. I'll log an issue for this on the codeplex in case others get tripped up on this.
jrummell  2009-09-28 00:00:31
+1  A: 

You may have to need the full trust mode to run your code. Most hosts only allow medium trust, as GoDaddy also does. You may have to switch your host to another one that will give you the full trust.

Although MVC on its own should not require more than medium trust, your other code however may. It will suffice you to have run-time type check somewhere in your code in order to enact reflection which in its turn will want to have the full trust.

Developer Art  2009-09-27 21:34:52
According to this answer, http://stackoverflow.com/questions/266205/is-there-a-way-that-i-can-run-a-asp-net-mvc-project-on-godaddy-com-shared-web-hos/299339#299339, you can host ASP.NET MVC in medium trust with GoDaddy. The only things I've added is LINQ to SQL and PagedList. As much as I loathe GoDaddy, I don't want to switch before my account expires next year.
jrummell  2009-09-27 21:58:22
A: 

LINQ to SQL may the issue - LINQ to SQL usually generates a stored procedure. If your code is trying to do that in medium trust it could be causing the APTCA exception.

 2009-09-27 22:25:18
LINQ to SQL does not generate stored procedures ... at lease not in my project.
jrummell  2009-09-27 22:42:12
+1  A: 

Back out your assemblies one-by-one to see who the culprit is. No need in guessing. I had this issue with the Microsoft Enterprise Libraries.

rick schott  2009-09-27 22:59:13
So far I've removed elmah and I still got the exception, PagedList is next ...
jrummell  2009-09-27 23:55:18
Saw you got it resolved, glad this helped.
rick schott  2009-09-28 00:14:46
It did! If could accept multiple answers, I would accept this one too.
jrummell  2009-09-28 03:44:04

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps