Infosys Microsoft Alliance and Solutions blog

« Blog Ahoy! | Main | Document your BizTalk Installation »

Undocumented Code Access Security change in .NET 2.0

I was attempting to deploy a simple Windows Application by publishing it over the Web. While it worked in its plain-vanilla form, it started behaving awkwardly after I had a number of Enterprise Library components with its related config stuff going into the App.Config file. After much toil, I finally discovered the reason behind it, which actually seems to be a security-enhancing mechanism whose workaround seems to have gone undocumented in MSDN.

Now, its something like this. During the days of .NET 1.1, an application could load the configuration nodes in App.Config or Web.Config (the section providers) under Medium Trust. Come .NET 2.0, and the Code Access level permissions required to load the various configuration settings of the config file are extended.

In the new way, Medium Trust checks a requirePermission attribute on the configuration section declaration - the section at the top of your config file.  For example,

<section name="exceptionManagement" requirePermission="false" type="MyNamespace.MyExceptionHandler, ExceptionManager"  />
<section name="logger" requirePermission="true" type="MyNamespace.MyLogger, Logger"/>

If they are declared as above then access to the "exceptionManagement" provider section is allowed but access to the "logger" section is not (under Medium Trust). By default, requirePermission is set to true, and we need to explicitly add the requirePermission="false" attribute to the element. And in the case of click-once deployment that made me stumble on this, I had to add this additional piece in App.Config to get it all going.

<system.web>                                                                                                                                                  

<trust level="Medium" originUrl=""/>                                                                                                                    </system.web>

And this thing about requirePermission doesn’t seem to be a documented fact and in fact if you add the attribute to the section element of your config file, intellisense tells you it is not a valid attribute for the element. But then, that's the way it works!

Posted by Kishore Gopalan on September 15, 2006 02:29 AM |

TrackBack

TrackBack URL for this entry:
http://www.infosysblogs.com/microsoft-mt/mt-tb.fcgi/15

Comments

Haven't tried this myself so can't comment on intellisence, but why do you call this undocumented? Check this at http://msdn2.microsoft.com/en-us/library/system.configuration.sectioninformation.requirepermission.aspx

Posted by: Atul Gupta | September 15, 2006 09:53 AM

Oops! An oversight, may be because I was searching in the context of ClickOnce and it didnt have anything about this particular issue.

Posted by: Kishore Gopalan | September 15, 2006 10:33 AM

hi all. nice blog. its very ineresting article.

Posted by: robert | March 18, 2007 10:54 PM

Post a comment

(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)