Rick Strahl's Web Log

Wind, waves, code and everything in between...
ASP.NET • C# • HTML5 • JavaScript • AngularJs
Contact   •   Articles   •   Products   •   Support   •   Search
Ad-free experience sponsored by:
ASPOSE - the market leader of .NET and Java APIs for file formats – natively work with DOCX, XLSX, PPT, PDF, images and more

ConfigSection Security


:P
On this page:

I am cleaning up my localization provider code for my presentation tomorrow at PADNUG  (uh, today I guess <g>) and while I'm at it checking for proper operation in medium trust. This is the sort of thing I should be doing right from the start - start with Medium trust and then fix things as they come up. There are few problems here and there and It's a real bitch to find some of the problems later on because security exceptions have a way of reporting errors up the chain where it's hard to exactly see where the error originated.

So one thing that blew up immediately is that I'm using a custom configuration section. By default configuration settings are not accessible in medium trust. Hmmm... if you actually define a custom configuration section in web.config WTF would you ever NOT want to access it and restrict access to it? This really seems an odd default.

Now the actual exception that shows up in ASP.NET in the yellow screen of death is not really conducive to fixing the problem:

System.Security.SecurityException: Request for the permission of type 'System.Configuration.ConfigurationPermission, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' failed.

along with a stack trace that doesn't have any user code lines or ASP.NET level code... The only way to trace this back then is to actually run the debugger. Maybe that could be improved somehow. Certainly optionally seeing the innerException might be handy in the page.

However, I was PLEASANTLY surprised by the inner exception once I got off my ass:

Request for ConfigurationPermission failed while attempting to access configuration section 'wwDbResourceProvider'. To allow all callers to access the data for this section, set section attribute 'requirePermission' equal 'false' in the configuration file where this section is declared.

Now that's a clear error message that actually helps you correct the problem! To be honest I wouldn't have thought of this right away and in fact before I drilled into the InnerException in the debugger I was trying to find out what the permissions requirements are.

Anyway, the fix for this particular problem is simple enough. The ConfigurationSection can be set with a requirePermission attribute set to false:

    <configSections>
        <section name="wwDbResourceProvider" 
type="Westwind.Globalization.wwDbResourceProviderSection" requirePermission="false"/> </configSections>
Problem solved, but kudos to whoever is responsible for putting that error message together!
Posted in ASP.NET  

The Voices of Reason


 

Peter
June 27, 2007

# re: ConfigSection Security

Are you going to be providing your PPTs here for those of use not able to attend your presentation? I'm in Ottawa, ON, CA, but enjoy reading your blog and got excited when I read this cause this is exactly what we want to do with our localization. We're currently using MS' LocalizationToolkit and it's rather painful. :<

Thanks.

Rick Strahl
June 27, 2007

# re: ConfigSection Security

Yes. I've started writing this into an article - was hoping to have that done today but it's not even close <s>. Hopefully by next week.

Carl Nelson
June 30, 2007

# re: ConfigSection Security

Hi, Rick.

You might want to correct the link to the wwDbResourceProvider code. In the article at http://west-wind.com/weblog/posts/9120.aspx and at http://softlogger.com/5937/asp-net/strongly-typed-resources-in-asp-net.aspx the address shown is http://www.west-wind.com/files/confererences/conn_Localization.zip. The actual location is http://www.west-wind.com/files/conferences/conn_Localization.zip (the word "conferences" is misspelled).

Is that code still current?

Thanks,
Carl

Win
February 19, 2009

# re: ConfigSection Security

Although this article is quite old, still very useful... You save my time...

Thank you so much!!!

Wesley Bakker
May 17, 2010

# re: ConfigSection Security

Thanks! Saved my day...

Paul Taylor
November 29, 2010

# re: ConfigSection Security

Thank you Rick. Your article was the end of a hour of head-scratching and googling!

Anibal
July 14, 2011

# re: ConfigSection Security

Rick, You are a life saver!!!
 

West Wind  © Rick Strahl, West Wind Technologies, 2005 - 2019