You are currently viewing the BOOK: Professional ASP.NET 2.0 Security, Membership, and Role Management ISBN: 978-0-7645-9698-8 section of the Wrox Programmer to Programmer discussions.
When you say that you move the Access file to another virtual directory and it works - do you mean that if the file is moved to another virtual directory within the directory structure of your application that it works?
I'm guessing that what is happening with Access is that somewhere in the OleDb call stack there is a file I/O call which is failing on a FileIOPermission demand. Medium trust only grants file read/write access to directories at, or below, the root of your web application's physical directory.
You could try tweaking the web_mediumtrust.config file to include additional file paths in the existing <IPermission /> element. The section in my book on the FileIOPermission covers what this syntax looks like - basically you put additional file paths into the Read/Write/Append attributes, separated by semicolons.
Sorry. I meant that if I put the virtual directory under the website root and then point it to the physical directory that holds the Access database, I can then gain access to the database.
When the virtual directory is under App_Data, I get the file in/out exception.
I followed your guideline for constructing a "custom trust level" and it works great when the virtual directory is under the root. The problem is when I put the virtual directory inside App_Data.
When you said "Medium trust only grants file read/write access to directories at, or below, the root of your web application's physical directory", do you mean the directory must be at the root level of the site and not inside another directory such as App_Data?
Many thanks for your help and "Great Book" you wrote.
Basically I just tweaked the Read and PathDiscovery attributes to include my root hard drive (of course not something I would ever do on a production server unless I was feeling lucky :-) ).
With those modifications I was able to read the text file from a Medium trust web application, even though the underlying file was outside the directory structure of my web application. However, without the tweaks to the medium trust configuration file, my sample code errors out with a FileIOPermission - which is expected.
You can see that the default setting for Medium trust though only grants physical file access to files that are located somewhere within the physical directory structure of your web application (that's the $AppDir$ variable). Since App_Data is within the physical directory structure of your web application (assuming it hasn't been remapped somewhere else), anything located in App_Data, or a physical sub-directory thereof will work.
Virtual directories are a different matter though since you can point a virtual directory at any physical location you want. From a code access security perspective what matters is the true physical location of the file you are attempting to access. That is why in the sample above I had to explicitly include "C:\" in the file permission even though the virtual directory was located underneath App_Data.
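The FileIOPermission syntax discussed in this thread, as an added example that is not part of any post and not taken from the book: the default Medium trust entry beside a copy widened to one specific physical folder instead of a whole drive. The path `C:\Data\AccessDb`, the level name `CustomMedium` and the file name `web_customtrust.config` are placeholders chosen for illustration.

```xml
<!-- Added example. C:\Data\AccessDb, CustomMedium and web_customtrust.config
     are placeholders, not values from the thread. -->

<!-- 1. Default entry in web_mediumtrust.config: file access is limited to the
        physical directory tree of the application ($AppDir$). -->
<IPermission
    class="FileIOPermission"
    version="1"
    Read="$AppDir$"
    Write="$AppDir$"
    Append="$AppDir$"
    PathDiscovery="$AppDir$"
/>

<!-- 2. Same entry in a copy of the policy file (web_customtrust.config):
        one extra physical folder is appended after a semicolon.
        The demand is checked against the true physical path, so the folder
        listed here is the target of the virtual directory, not the virtual
        path. Keep only the attributes the application actually needs. -->
<IPermission
    class="FileIOPermission"
    version="1"
    Read="$AppDir$;C:\Data\AccessDb"
    Write="$AppDir$;C:\Data\AccessDb"
    Append="$AppDir$;C:\Data\AccessDb"
    PathDiscovery="$AppDir$;C:\Data\AccessDb"
/>

<!-- 3. Registering the copied policy file as a custom trust level and
        selecting it (web.config). -->
<system.web>
  <securityPolicy>
    <trustLevel name="CustomMedium" policyFile="web_customtrust.config" />
  </securityPolicy>
  <trust level="CustomMedium" originUrl="" />
</system.web>
```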
Stefan, Thanks very much for your help and patience. I gave you some erroneous info above because I was writing from memory too far after the fact.
I just now re-tried everything and here's the result:
With Server 2003 and IIS running on D:
The Access database is in a physical directory on C: with my website virtual directory pointing to that physical directory on C:.
With my "Custom Medium Trust" in place...I can not access the Access database from a virtual directory under App_Data or from a virtual directory at the root of the site.
The "Custom Medium Trust" level works great when everything is at the root or in physical directories under the root. I did have to tweak the code in the custom file (like you said in the book) to get Access database to open.
My dilemma is that I want to protect the sensitive database info. That's why I'm putting it outside the website on another drive. And I would like to use "Medium Trust" but don't know how to get this trust level to work securely with the database on another drive.
Here's the exception I'm getting with the file on another drive at "Medium Trust":
Exception Details: System.Security.SecurityException: Request for the permission of type 'System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.
Can you give me any pointers to get the database secure on another drive while keeping "Medium Trust"?
I really do appreciate your helping me out with this.
Also, are you working on any more security books for the future?