Do not trust your ASP.NET code

Many newsgroup posts give the same answer to CAS policy issues: set the trust level to Full in web.config.

This looks like a quick solution, but it is really a quick-and-dirty workaround.

But what can you do if you want to be a little bit more ambitious?

I use the following methods – depending on the situation – to narrow down the required permissions for the code:

  1. Use permcalc.exe to determine the declarative CAS policies on some code. The tool is shipped with Visual Studio, but it is only helpful if CAS policy attributes are used explicitly in the code.
  2. If I get a DLL without the source code and want to deploy it to the bin folder of a SharePoint application, I use wspbuilder, config files and its CustomCAS property. See below.
  3. In case I have access to the assembly's source code, I use AssemblyInfo.cs to add the permission attributes. If the exception does not give you the missing permission, I follow the advice of one of my colleagues: give the assembly full-trust-like permissions (see below) and remove half of the attributes over and over again until the code fails.

When you are working with SharePoint and wspbuilder, remember to upgrade your wsp solution after you have changed either the CustomCAS file or AssemblyInfo.cs. Simply deploying the assembly will give you a "Request for the permission … failed" exception.

I use the following local wspbuilder configuration file (WspBuilder.exe.config) to give all assemblies deployed to the bin folder the permissions given in the CustomCAS.xml file. You can simply include it in your setup project. This works from version 830.

<?xml version="1.0" encoding="utf-8" ?>
<configuration>
  <appSettings>
    <add key="BuildCAS" value="true" />
    <add key="CustomCAS" value="CustomCAS.xml" />
    <add key="PermissionSetLevel" value="none" />
  </appSettings>
</configuration>

The following shows the CustomCAS.xml file for full-trust-like permissions:

<IPermission class="AspNetHostingPermission"
  version="1" Level="Unrestricted"/>
<IPermission class="ConfigurationPermission"
  version="1" Unrestricted="true"/>
<IPermission class="DnsPermission"
  version="1" Unrestricted="true"/>
<IPermission class="EnvironmentPermission"
  version="1" Unrestricted="true"/>
<IPermission class="FileIOPermission"
  version="1" Unrestricted="true"/>
<IPermission class="IsolatedStorageFilePermission"
  version="1" Unrestricted="true"/>
<IPermission class="PrintingPermission"
  version="1" Level="DefaultPrinting"/>
<IPermission class="ReflectionPermission"
  version="1" Unrestricted="true"/>
<IPermission class="RegistryPermission"
  version="1" Unrestricted="true"/>
<IPermission class="StorePermission"
  version="1" Unrestricted="true"/>
<IPermission class="SecurityPermission"
  version="1" Unrestricted="true"/>
<IPermission class="SmtpPermission"
  version="1" Access="Connect"/>
<IPermission class="SocketPermission"
  version="1" Unrestricted="true"/>
<IPermission class="SqlClientPermission"
  version="1" Unrestricted="true"/>
<IPermission class="WebPermission"
  version="1" Unrestricted="true"/>
<IPermission class="SharePointPermission"
  version="1" Unrestricted="true"/>

In AssemblyInfo.cs I use the following for full-trust-like permissions (only the PrintingPermission is missing here):

using System.Configuration;
using System.Data.SqlClient;
using System.Net;
using System.Net.Mail;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
using System.Security;
using System.Security.Permissions;
using System.Web;

using Microsoft.SharePoint.Security;

// …

[assembly: AllowPartiallyTrustedCallers()]
[assembly: ReflectionPermission(SecurityAction.RequestMinimum,
  Unrestricted = true)]
[assembly: SqlClientPermission(SecurityAction.RequestMinimum,
  Unrestricted = true)]
[assembly: SharePointPermission(SecurityAction.RequestMinimum,
  Unrestricted = true)]
[assembly: SecurityPermission(SecurityAction.RequestMinimum,
  Unrestricted = true)]
[assembly: AspNetHostingPermission(SecurityAction.RequestMinimum,
  Level = AspNetHostingPermissionLevel.Unrestricted)]
[assembly: ConfigurationPermission(SecurityAction.RequestMinimum,
  Unrestricted = true)]
[assembly: DnsPermission(SecurityAction.RequestMinimum,
  Unrestricted = true)]
[assembly: EnvironmentPermission(SecurityAction.RequestMinimum,
  Unrestricted = true)]
[assembly: FileIOPermission(SecurityAction.RequestMinimum,
  Unrestricted = true)]
[assembly: IsolatedStorageFilePermission 
   (SecurityAction.RequestMinimum, Unrestricted = true)]
[assembly: RegistryPermission(SecurityAction.RequestMinimum,
  Unrestricted = true)]
[assembly: StorePermission(SecurityAction.RequestMinimum,
  Unrestricted = true)]
[assembly: SmtpPermission(SecurityAction.RequestMinimum,
  Unrestricted = true)]
[assembly: SocketPermission(SecurityAction.RequestMinimum,
  Unrestricted = true)]
[assembly: WebPermission(SecurityAction.RequestMinimum,
  Unrestricted = true)]
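
The halving advice in method 3 can be automated. The following Python is an added example, not code from the original post: it applies delta debugging to the permission classes of the CustomCAS.xml listing above, which also covers the case where the required permissions sit in both halves. The `simulated_run` oracle and its `NEEDED` set are constructed stand-ins for upgrading the wsp and exercising the code; all function names are hypothetical.

```python
# Added example: permission names and attribute values are copied from the
# CustomCAS.xml listing on this page; NEEDED and simulated_run are constructed.
FULL_SET = (
    "AspNetHostingPermission ConfigurationPermission DnsPermission "
    "EnvironmentPermission FileIOPermission IsolatedStorageFilePermission "
    "PrintingPermission ReflectionPermission RegistryPermission "
    "StorePermission SecurityPermission SmtpPermission SocketPermission "
    "SqlClientPermission WebPermission SharePointPermission"
).split()
SPECIAL = {"AspNetHostingPermission": 'Level="Unrestricted"',
           "PrintingPermission": 'Level="DefaultPrinting"',
           "SmtpPermission": 'Access="Connect"'}

def split(items, n):
    """Cut items into n contiguous, non-empty, near-equal chunks (n <= len)."""
    k, r = divmod(len(items), n)
    bounds = [i * k + min(i, r) for i in range(n + 1)]
    return [items[bounds[i]:bounds[i + 1]] for i in range(n)]

def minimize(perms, works):
    """Return a working subset from which no single permission can be dropped.
    Assumes works() is monotonic: granting more never breaks the code."""
    if not works(perms):
        raise ValueError("start from a permission set the code runs with")
    if works([]):
        return []
    current, n = list(perms), 2
    while len(current) >= 2:
        chunks = split(current, n)
        complements = [[p for p in current if p not in c] for c in chunks]
        # Try each chunk on its own first, then the set minus one chunk.
        hit = next((s for s in chunks + complements if works(s)), None)
        if hit is not None:
            n = 2 if hit in chunks else max(n - 1, 2)
            current = hit
        elif n >= len(current):
            break                         # every single removal fails
        else:
            n = min(len(current), n * 2)  # retry with smaller chunks
    return current

def to_custom_cas(perms):
    """Render the surviving permissions as CustomCAS.xml lines."""
    return "\n".join(f'<IPermission class="{p}" version="1" '
                     f'{SPECIAL.get(p, "Unrestricted=" + chr(34) + "true" + chr(34))}/>'
                     for p in perms)

# Constructed oracle; a real one rebuilds and upgrades the wsp, runs the code
# and returns False on a "Request for the permission ... failed" exception.
NEEDED = {"AspNetHostingPermission", "SecurityPermission", "SharePointPermission"}
def simulated_run(perms):
    return NEEDED <= set(perms)
```

`to_custom_cas(minimize(FULL_SET, simulated_run))` yields the reduced CustomCAS.xml body; the surviving entries still carry the unrestricted values from the listing and can be narrowed further by hand.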
