This great MSDN article: "How To: Use Medium Trust in ASP.NET 2.0" will probably answer nearly all of your questions about how to work in medium trust and how to customize medium trust permissions. Here are a few extracts from this document that serve as a sort of "quick start" to medium trust.
- By default, ASP.NET 2.0 Web applications and Web services run with full trust and applications can perform privileged operations and access resources subject only to operating system security and Windows access control lists (ACLs). You can use code access security (CAS) to restrict access to certain resources by using the trust element of the web.config. You can set full, high, medium, low, and minimal trust.
- Medium restricts you from using OldDbPermission, EventLogPermission, ReflectionPermission, RegistryPermission, calling unmanaged code, and using Enterprise Services. Also WebPermission (you can only communicate with address(es) defined in the trust element) and FileIOPermission (You can only access files in your applications virtual directory hierarchy) are restricted.
- To turn on medium trust, set the trust level to medium in your app-level or machine-level web.config (<trust level="Medium" />). Consider the originUrl attribute for the trust element, which allows you to limit what Urls the web application(s) can access.
- You can customize medium trust restrictions (e.g., modify FileIOPermission to allow access to a specific directory outside of the applications virtual directory hierarchy) by creating a custom policy file and custom policy level. There is a great example of this provided in the article.
Note: machine.config can be found in the "%windir%\Microsoft.Net\Framework\xxx\config" directory.
How all this applies to IP*Works! and IBiz products:
- In general, all /n software .Net components will need the following permissions, all of which are granted by default in Medium trust except SocketPermission:
- FileIOPermission - all components, for licensing and file access.
- ReflectionPermission - all components, for licensing.
- SocketPermission - all components that use socket communication.
- DnsPermission - anytime a hostname is used instead of a dotted IP address.
To add SocketPermission to your custom medium trust, just add the following security class and ipermission to your custom policy config:
<SecurityClass Name="SocketPermission" Description="System.Net.SocketPermission, System, Version=126.96.36.199, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
<IPermission class="SocketPermission" version="1" Unrestricted="true" />
- If you build with nsoftware.System.dll or if you're using a product that uses unsafe or unmanaged code (like SSL which uses pinvokes to security libraries installed on Windows machines), you'll need to set the SkipVerification flags and ManagedCode flags (respectively) of SecurityPermission in your custom policy file.
- You may wish to alter the WebPermission permission to allow access to any Uri.
- You could use CodeGroups with the IMembershipCondition (StrongNameMembershipCondition) to restrict custom config settings specifically to code signed by /n software.