Need help with Security Exception in ASP.Net MVC web application

Question

Hi.

I have written 3 ASP.net MVC web applications, and all are deployed on shared hosting servers with my ISP.

All 3 applications are very similar in configuration and settings. The 1st application is deployed to a different server than the 2nd and 3rd. The 1st application gives me no errors.

The 2nd and 3rd applications spit out the following SecurityException somewhat: randomly:

Link

Exception Text:

 Security Exception
Description: The application attempted to perform an operation not allowed by the security policy.  To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.

Exception Details: System.Security.SecurityException: Request for the permission of type 'System.Configuration.ConfigurationPermission, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' failed.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[SecurityException: Request for the permission of type 'System.Configuration.ConfigurationPermission, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' failed.]
   System.Security.CodeAccessSecurityEngine.Check(Object demand, StackCrawlMark& stackMark, Boolean isPermSet) +0
   System.Security.CodeAccessPermission.Demand() +58
   System.Configuration.BaseConfigurationRecord.CheckPermissionAllowed(String configKey, Boolean requirePermission, Boolean isTrustedWithoutAptca) +99


Version Information: Microsoft .NET Framework Version:2.0.50727.3603; ASP.NET Version:2.0.50727.3082 

I get the above error the first time I hit the page after deploying or editing the web.config. However, on subsequent page reloads I don't get it. The 2 websites will be fine again for the rest of the day, but then the next morning I get the same error again.

The errors do appear consistently after I edit the web.config, which I am assuming is forcing a recompile?

Please help. I'm not sure what the problem is. Sounds like it is related to security settings in IIS. All 3 web apps are set up and deployed in a very similar way, except that the 1st web app which doesn't give the error is on a completely different server.

Answer 1

So it turns out that the reason for the above SecurityException is 3-fold

• my ISP has ASP.net configured to run in medium trust mode on it's newer servers, and full trust mode on its older servers. My Web Applications are split between these 2 servers, which is why I am getting different behaviour between the applications even though they are configured exactly the same

• I am using log4net for error logging, and in my Global.asax file, I have the following:

  protected void Application_Start()
  {
      RegisterRoutes(RouteTable.Routes);
      log4net.Config.XmlConfigurator.Configure();
      log.Debug("Logging Initialized.");
  }
  

  This line - log4net.Config.XmlConfigurator.Configure(); is what is throwing the above exception. It only happens once when the application is started, or restarted if they web.config is modified. That is why I couldn't figure out where the problem was coming from.

• I had to add a requirePermission="false" to the log4net configSection in the web.config:

  <section name="log4net" requirePermission="false" type="log4net.Config.Log4NetConfigurationSectionHandler, log4net"/>
  

Now if I was developing in medium trust mode, I would have picked these problems up. You can force your app to run in medium trust mode by adding the following to my web.config:

  <system.web>
     <trust level="Medium"/>
  </system.web>

By forcing my app to run in medium trust mode, I picked up the source exception in dev exactly where it originated, and figured out what was wrong from there on..