BOOK: Professional ASP.NET 2.0 Security, Membership, and Role Management ISBN: 978-0-7645-9698-8
This is the forum to discuss the Wrox book Professional ASP.NET 2.0 Security, Membership, and Role Management by Stefan Schackow; ISBN: 9780764596988
#1 (permalink)
October 27th, 2007, 11:07 PM
Authorized User
Trust Level for App_Data folder

Greetings,
I'm not sure if this is the right forum but I have a question.

I've created a custom "medium" trust level as outlined in the ASP.Net 2.0 Security book.

I created a virtual folder under App_Data directory and pointed it to another drive/directory which holds an Access database.

When I try to access the database from my site, I get a security error and a message telling me to adjust the "trust".

If I move the Access database to a virtual directory outside of App_Data, I can then access the database from my web page.

Can you tell me what to do to gain access to the database from a virtual directory inside App_Data when I have a trust level set at medium?

I appreciate your input very much.

Thanks

#2 (permalink)
October 29th, 2007, 08:29 PM
Wrox Author

When you say that you move the Access file to another virtual directory and it works - do you mean that if the file is moved to another virtual directory within the directory structure of your application that it works?

I'm guessing that what is happening with Access is that somewhere in the OleDb call stack there is a file I/O call which is failing on a FileIOPermission demand. Medium trust only grants file read/write access to directories at, or below, the root of your web application's physical directory.

You could try tweaking the web_mediumtrust.config file to include additional file paths in the existing <IPermission /> element. The section in my book on the FileIOPermission covers what this syntax looks like - basically you put additional file paths into the Read/Write/Append attributes, separated by semicolons.


-Stefan
#3 (permalink)
October 30th, 2007, 08:35 AM
Authorized User

Thanks Stefan,

Sorry. I meant that if I put the virtual directory under the website root and then point it to the physical directory that holds the Access database, I can then gain access to the database.

When the virtual directory is under App_Data, I get the file in/out exception.

I followed your guideline for constructing a "custom trust level" and it works great when the virtual directory is under the root. The problem is when I put the virtual directory inside App_Data.

When you said "Medium trust only grants file read/write access to directories at, or below, the root of your web application's physical directory", do you mean the directory must be at the root level of the site and not inside another directory such as App_Data?

Many thanks for your help and "Great Book" you wrote.

#4 (permalink)
October 30th, 2007, 04:13 PM
Wrox Author

I tried creating a virtual directory within App_Data that pointed back out to "C:\". Then in a test application I have a line of code like this:

string foo = File.ReadAllText(Server.MapPath("~/App_Data/outside/test.txt"));

In this sample "/App_Data/outside" actually points to c:\ on my system.

I then modified the web_mediumtrust.config file like this:

<IPermission class="FileIOPermission" version="1" Read="$AppDir$;c:\" Write="$AppDir$" Append="$AppDir$" PathDiscovery="$AppDir$;c:\"/>

Basically I just tweaked the Read and PathDiscovery attributes to include my root hard drive (of course not something I would ever do on a production server unless I was feeling lucky :-) ).

With those modifications I was able to read the text file from a Medium trust web application, even though the underlying file was outside the directory structure of my web application. However, without the tweaks to the medium trust configuration file, my sample code errors out with a FileIOPermission - which is expected.

You can see that the default setting for Medium trust though only grants physical file access to files that are located somewhere within the physical directory structure of your web application (that's the $AppDir$ variable). Since App_Data is within the physical directory structure of your web application (assuming it hasn't been remapped somewhere else), anything located in App_Data, or a physical sub-directory thereof will work.

Virtual directories are a different matter though since you can point a virtual directory at any physical location you want. From a code access security perspective what matters is the true physical location of the file you are attempting to access. That is why in the sample above I had to explicitly include "C:\" in the file permission even though the virtual directory was located underneath App_Data.

-Stefan
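
A policy check along the lines described above, as an added example (not code from the thread or the book): it parses a FileIOPermission element from a trust policy file and lists every path granted outside $AppDir$, flagging whole-drive grants. The d:\sitedata directory in the second sample is a constructed placeholder.

```python
import re
import xml.etree.ElementTree as ET

# The test element quoted in the post above: Read/PathDiscovery on all of c:\.
BROAD = r'''<IPermission class="FileIOPermission" version="1"
    Read="$AppDir$;c:\" Write="$AppDir$" Append="$AppDir$"
    PathDiscovery="$AppDir$;c:\"/>'''

# Constructed narrower variant; d:\sitedata is a hypothetical data directory.
NARROW = r'''<IPermission class="FileIOPermission" version="1"
    Read="$AppDir$;d:\sitedata" Write="$AppDir$;d:\sitedata"
    Append="$AppDir$" PathDiscovery="$AppDir$;d:\sitedata"/>'''

ACCESS_ATTRS = ("Read", "Write", "Append", "PathDiscovery")
DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\?$")  # "c:" or "c:\"


def audit_file_io(element_xml):
    """Return (attribute, path, finding) for every grant outside $AppDir$."""
    elem = ET.fromstring(element_xml)
    if elem.get("class") != "FileIOPermission":
        raise ValueError("not a FileIOPermission element")
    findings = []
    if elem.get("Unrestricted", "").lower() == "true":
        findings.append(("*", "*", "unrestricted"))
    for attr in ACCESS_ATTRS:
        # Paths in each attribute are separated by semicolons.
        for path in (p.strip() for p in elem.get(attr, "").split(";")):
            if not path or path.startswith("$AppDir$"):
                continue  # empty, or inside the app's physical directory
            kind = "drive-root" if DRIVE_ROOT.match(path) else "outside-appdir"
            findings.append((attr, path, kind))
    return findings


def has_drive_root(element_xml):
    """True when any access attribute grants an entire drive."""
    return any(kind == "drive-root" for _, _, kind in audit_file_io(element_xml))


if __name__ == "__main__":
    for name, sample in (("broad", BROAD), ("narrow", NARROW)):
        for attr, path, kind in audit_file_io(sample):
            print(f"{name}: {attr} -> {path} [{kind}]")
```
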
#5 (permalink)
October 30th, 2007, 07:10 PM
Authorized User

Stefan, Thanks very much for your help and patience. I gave you some erroneous info above because I was writing from memory too far after the fact.

I just now re-tried everything and here's the result:

With Server 2003 and IIS running on D:

The Access database is in a physical directory on C: with my website virtual directory pointing to that physical directory on C:.

With my "Custom Medium Trust" in place...I can not access the Access database from a virtual directory under App_Data or from a virtual directory at the root of the site.

The "Custom Medium Trust" level works great when everything is at the root or in physical directories under the root. I did have to tweak the code in the custom file (like you said in the book) to get Access database to open.

My dilemma is that I want to protect the sensitive database info. That's why I'm putting it outside the website on another drive. And I would like to use "Medium Trust" but don't know how to get this trust level to work securely with the database on another drive.

Here's the exception I'm getting with the file on another drive at "Medium Trust":

Exception Details: System.Security.SecurityException: Request for the permission of type 'System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.

Can you give me any pointers to get the database secure on another drive while keeping "Medium Trust"?

I really do appreciate your helping me out with this.

Also, are you working on any more security books for the future?

Many Thanks!



#6 (permalink)
October 31st, 2007, 01:44 AM
Authorized User

I tried this and it works. I don't know of the implications yet though. Man do I feel like a greenhorn here. LOL!

<IPermission class="FileIOPermission"
    version="1"
    Read="$AppDir$;c:\myDir\data.mdb"
    Write="$AppDir$;c:\myDir\data.mdb"
    Append="$AppDir$;c:\myDir\data.mdb"
    PathDiscovery="$AppDir$;c:\myFolder\data.mdb"
    />

<IPermission class="OleDbPermission"
    version="1">
    <add ConnectionString=
    "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=C:\myFolder\Thunit.mdb"
    KeyRestrictions=""
    KeyRestrictionBehavior="AllowOnly"/>
</IPermission>
