Subtext install gives error in Medium trust level.

Question

I am trying to install Subtext in a medium trust level environment (host: Crystaltech) and am getting the following error (see below). I was able to do the administration setup but when it tries to go to the blog for actual use, boom.

I know I could "upgrade" the environment to a full trust level but I want to understand why the error is happening and the ramifications of that moving to fUll trust before I do it.

To expand upon this question; what are the "Trust Levels"?

Security Exception

Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.

Exception Details: System.Security.SecurityException: Request for the permission of type 'System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[SecurityException: Request for the permission of type 'System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.]
System.Web.Security.UrlAuthorizationModule.CheckUrlAccessForPrincipal(String virtualPath, IPrincipal user, String verb) +47
Subtext.Framework.UrlManager.UrlReWriteHandlerFactory.GetHandlerForUrl(String url) +66
Subtext.Framework.UrlManager.UrlReWriteHandlerFactory.ProcessHandlerTypePage(HttpHandler item, HttpContext context) +143
Subtext.Framework.UrlManager.UrlReWriteHandlerFactory.GetHandler(HttpContext context, String requestType, String url, String path) +340
System.Web.HttpApplication.MapHttpHandler(HttpContext context, String requestType, VirtualPath path, String pathTranslated, Boolean useAppConfig) +175 System.Web.MapHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +128 System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +161

Answer 1

Trust levels are really just pointers to some security.config files. The dafault trust levels are defined in C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config, "Medium" trust pointing to web_mediumtrust.config.

As for the exception, taking a look at System.Web.Security.UrlAuthorizationModule.CheckUrlAccessForPrincipal() with reflector reveals that the method is attributed with [SecurityPermission(SecurityAction.Demand, Unrestricted=true)], meaning that it requires an unrestricted security permission, which it does not have running under medium trust.

Answer 2

More grist to add to the mill from csgero:

http://www.kowitz.net/archive/2008/08/15/upgrading-to-subtext-2.0-fail.aspx

There's a wee comment from Phil Haack, I guess he's busy with other stuff right now :)

Answer 3

I don't think there is another way to get around the error other than moving to full trust or removing the call to CheckUrlAccessForPrincipal() and recompiling.

But by the looks of things, this particular issue has already been corrected in the subtext SVN (revision 3290). They have also added a new build task for subtext 2.0.1 which should include the fix. I guess that will be released when it's ready.