Saqib Ullah

BootStrapper Know How

Full trust

By default, Web applications run with full trust. Full-trust applications are granted unrestricted code access permissions, such as calling unmanaged code, accessing Windows services, writing to the event log, opening database connections and using Microsoft Messaging queues. When the application trust level is set to “Full”, the only resources the web application cannot access are those restricted by operating-system-level security. The .NET Framework allows us to configure the trust level at the machine and application level with the <trust> element, but a default ASP.NET application runs under Full trust.

Partial trust

Partial-trust applications are those whose trust level is set to something other than “Full”; they have restricted permissions, which limit their ability to access secured resources. When the trust level is set to Full, code access security is effectively disabled because permission demands do not get in the way of resource access attempts; in other words, code access security doesn’t check where the code comes from.

 

The following are the ASP.NET policy files:

Machine.Config in .net 1.1

    <location allowOverride="true">
        <system.web>
            <securityPolicy>
                <trustLevel name="Full" policyFile="internal"/>
                <trustLevel name="High" policyFile="web_hightrust.config"/>
                <trustLevel name="Medium" policyFile="web_mediumtrust.config"/>
                <trustLevel name="Low" policyFile="web_lowtrust.config"/>
                <trustLevel name="Minimal" policyFile="web_minimaltrust.config"/>
            </securityPolicy>
            <!-- level="[Full|High|Medium|Low|Minimal]" -->
            <trust level="Full" originUrl=""/>
        </system.web>
    </location>

Web.Config in .net 2.0
    <location allowOverride="true">
        <system.web>
            <securityPolicy>
                <trustLevel name="Full" policyFile="internal" />
                <trustLevel name="High" policyFile="web_hightrust.config" />
                <trustLevel name="Medium" policyFile="web_mediumtrust.config" />
                <trustLevel name="Low"  policyFile="web_lowtrust.config" />
                <trustLevel name="Minimal" policyFile="web_minimaltrust.config" />
            </securityPolicy>
            <trust level="Full" originUrl="" />
        </system.web>
    </location>

Both versions of the .NET Framework allow us to customize the trust level depending on the environment. Both allow the <trust> tag to be overridden in the application's web.config file. If you want to lock the trust level at the machine level, simply set allowOverride to false in the location tag; code access security is then enabled and your application behaves according to the security policy setting.
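As an added example (not part of the original post), the following Python script audits a configuration file for the two settings discussed above: the <trust> level and whether its enclosing <location> is locked with allowOverride="false". The sample XML documents and the function name audit_trust are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed samples modelled on the <location>/<trust> sections shown above.
DEFAULT_CONFIG = """<configuration>
  <location allowOverride="true">
    <system.web>
      <trust level="Full" originUrl="" />
    </system.web>
  </location>
</configuration>"""

LOCKED_CONFIG = """<configuration>
  <location allowOverride="false">
    <system.web>
      <trust level="Medium" originUrl="" />
    </system.web>
  </location>
</configuration>"""


def audit_trust(config_xml):
    """Report each <trust> element: its level, whether it is locked, and findings."""
    root = ET.fromstring(config_xml)
    # A <trust> directly under <configuration>/<system.web> has no <location>
    # wrapper; allowOverride is treated as "true" when the attribute is absent.
    scopes = [root] + root.findall(".//location")
    reports = []
    for scope in scopes:
        locked = scope.get("allowOverride", "true").lower() == "false"
        for trust in scope.findall("system.web/trust"):
            # Assumption: a missing level attribute means the default, Full.
            level = trust.get("level", "Full")
            findings = []
            if level.lower() == "full":
                findings.append("full trust: code access security is effectively disabled")
            if not locked:
                findings.append("not locked: an application web.config can override this level")
            reports.append({"level": level, "locked": locked, "findings": findings})
    return reports


if __name__ == "__main__":
    for name, xml in (("default", DEFAULT_CONFIG), ("locked", LOCKED_CONFIG)):
        for r in audit_trust(xml):
            print(name, r["level"], "locked" if r["locked"] else "overridable", r["findings"])
```
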

I will discuss how to call a full-trust assembly from partial trust in the next blog.

 

posted on Wednesday, April 11, 2007 12:03 PM

Feedback

# re: Web Application trust 3/24/2009 6:03 AM RMILI
Error message :

This configuration section cannot be used at this path. This happens when the site administrator has locked access to this section using <location allowOverride="false"> from an inherited configuration file.
