Is trying to develop for Medium Trust a lost cause?

2

45

I started developing a new MVC app with Entity Framework code-first and Unity for dependency injection. I used EF5 and Unity because I thought they were supposed to work in Medium Trust. However, when I threw the <trust level="Medium" /> tag in my web.config, I started getting Reflection Permission exceptions.

It always seems like whenever I go beyond using built-in things like the System.Data.SqlClient ADO.net stuff I always run into problems in Medium Trust. Auto-Mapper: fail. NHibernate: fail. MySQL: fail. EF5 Code-first: fail. IOC: fail.

Am I just chasing a pipe-dream? Is it possible to achieve a well-architected and testable web application using modern technology that will run in Medium Trust?

In the age of VMs/Virtual Servers/Cloud Computing (and even a few shared hosts that will set your application pools to Full Trust) has anyone found developing for Medium Trust to be worth the effort?

Retinoscopy answered 31/5, 2013 at 4:31 Comment(0)
69

The official position of the ASP.NET team is that Medium Trust is obsolete. This means a few things:

  • We are automatically resolving all Medium Trust-related bugs reported to us as "won't fix".
  • We have provided guidance to hosters that they should migrate away from Medium Trust and use proper OS-level isolation instead (http://support.microsoft.com/kb/2698981).
  • We are removing Medium Trust support from the frameworks we develop (MVC, WebAPI, SignalR, and so on). Going forward, applications built on these frameworks will require Full Trust.

Here, the term "Medium Trust" refers to all non-Full Trust configurations in ASP.NET, including use of the built-in trust levels (Minimal, Low, Medium, High) or any custom trust levels.

Edit 26 May 2015: The .NET Framework as a whole has deprecated partial trust, and customers are advised not to rely on it as a security boundary. From MSDN:

Code Access Security in .NET Framework should not be used as a security boundary with partially trusted code, especially code of unknown origin. We advise against loading and executing code of unknown origins without putting alternative security measures in place.

Eastertide answered 20/6, 2013 at 15:57 Comment(3)
Can you add a link to an article that states this official position? - Endophyte
Steven: support.microsoft.com/kb/2698981 is the main article. There are a handful of others, such as asp.net/aspnet/overview/web-development-best-practices/…. - Eastertide
I know this is late, but thank you, this cleared up a lot. This is still very relevant, even now in 2018. I'm discovering that there are a lot of server hosting providers who still enforce partial trust (at least on shared servers for small-scale projects). I'd been looking for a provider, and so far I've tried four different companies, all of which mandated "Medium" trust on all applications on their server. Of course, as per your article and the question, projects built using newer versions of ASP.NET don't even compile on partial permissions. This can be annoying, to say the least. - Pilliwinks
8

In general, everything that needs Reflection in a deep way can't run on Medium Trust.

In your case:

AutoMapper: uses reflection to discover matching properties and a memory stream to clone them (there is a version around that actually works in Medium Trust with some limitations)

NHibernate: uses reflection emit to allow lazy loading, because lazy loading in NH is implemented by proxies (to avoid this you can disable lazy loading or use the NHibernate ProxyGenerator, a utility that helps to pre-create proxies)

Nhibernate ProxyGenerator

EF: Actually I didn't find big issues with EF and Medium Trust....is don't serialize object with associations or collections

IoC: IoC is the killer application of reflection :) You can try AutoFac, which works on Medium Trust

AutoFac

In general, Medium Trust is a big limitation... but it all depends on what kind of project you are working on. Also consider using a Full Trust host like Arvixe.

Hope this helps

Puppis answered 5/6, 2013 at 17:37 Comment(1)
Thanks for your response. In EF5, you can get around MT issues by having public getters and setters on all properties to be persisted to the database. The problem is that there are some properties you don't want users to be able to set. Supposedly this is being fixed in EF6. Unity seems to work in Medium Trust as well. I guess in the end I'm wondering if developing for Medium Trust is worth all the effort? Is anyone making money developing web apps that run on shared hosting? If customers are using cheap hosting, what are the chances they will pony up for your app? - Retinoscopy
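
Why reflection-heavy libraries and private setters break under partial trust, as an added example that is not from any poster in this thread: a .NET Framework 4.x console program makes the same setter-by-reflection call in its full-trust host domain and in a partial-trust AppDomain. The `Customer` and `Probe` types and the Execution-only grant set are assumptions, a narrower stand-in for ASP.NET's Medium level; the public setter succeeds in both domains, while the private setter is refused in the sandbox.

```csharp
// Added example (not from the thread). Targets .NET Framework 4.x only.
using System;
using System.Reflection;
using System.Security;
using System.Security.Permissions;

// Hypothetical entity: Id keeps the private setter discussed in the comment above.
public class Customer
{
    public string Name { get; set; }
    public int Id { get; private set; }
}

// Runs in whichever AppDomain creates it; MarshalByRefObject lets the host call it.
public class Probe : MarshalByRefObject
{
    // Sets a property the way a mapper or ORM would: through the setter's MethodInfo.
    public string TrySet(string property, object value)
    {
        try
        {
            MethodInfo setter = typeof(Customer).GetProperty(property).GetSetMethod(true);
            setter.Invoke(new Customer(), new[] { value });
            return "set";
        }
        catch (Exception ex) { return "refused: " + ex.GetType().Name; }
    }
}

public static class Program
{
    public static void Main()
    {
        // Assumed grant set: permission to execute and nothing else (no ReflectionPermission).
        var grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        var setup = new AppDomainSetup { ApplicationBase = AppDomain.CurrentDomain.BaseDirectory };
        AppDomain sandbox = AppDomain.CreateDomain("PartialTrust", null, setup, grant);

        var trusted = new Probe();   // lives in the full-trust host domain
        var restricted = (Probe)sandbox.CreateInstanceAndUnwrap(
            typeof(Probe).Assembly.FullName, typeof(Probe).FullName);
        foreach (var p in new[] { "Name", "Id" })
        {
            object value = p == "Id" ? (object)42 : "Ada";
            Console.WriteLine("{0,-4} full trust: {1,-4} partial trust: {2}",
                p, trusted.TrySet(p, value), restricted.TrySet(p, value));
        }
    }
}
```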
