I’ve been going over some final code tweaks to my West Wind Web Store for a new release and one thing I’ve been fretting over is a couple of Trust issues related to Http permissions and Socket/SMTP permissions. The West Wind Web Store’s main operation runs without any issues in medium trust however there are two consistent issues that require some elevated rights:
Http Access for Credit Card Validation
If using a credit card provider that uses HTTP access such as Authorize.NET, AccessPoint, BluePay etc. HTTP access is required. Medium doesn’t allow Web Permissions although you can override the basic setting via the <trust orignUrl> in Web.config like this:
<trust level="Medium" originUrl="https://www.authorize.net/.*" />
Or even more generically:
<trust level="Medium" originUrl=".*" />
(kinda defeats the whole issue of no Web Permission doesn’t it? <s>)
Note that the value you specify is a RegEx expression not a wildcard value – that had tripped me up a few months back (just noticed that the same happened to Haacked. When you look at samples you often see the * and assume wildcard <g>.
IAC, this works fine in the default Medium trust environment, but it can and usually is overridden for major ISPs for reasons described in detail here.
Smtp or Socket for SMTP Confirmations
The West Wind Web Store sends out confirmation emails after orders are completed as well as using email for password retrieval and also for admin notifications of errors to the Administrator.
Currently the store uses a custom SMTP implementation mainly because the 1.1 version of System.Web.Mail didn’t support async operation and couldn’t connect send a few emails and disconnect. I haven’t gotten around to porting/extending the class to use the new System.Net.Mail client.
So currently I’m stuck with Socket connections that are outbound to a mail server. Again this is not supported by Medium trust. For kicks I did wrap the System.Net.Mail class as well and tried that but it too fails with System.Net.Mail.SmtpPermission errors.
I don’t extensively deal with big hosting companies. My server sits with a small ISP that I personally know and they trust me enough to never have worried about locking me down thankfully. Most of the customers I work with use internal servers that they control so they typically run in environments where trust is not a huge issue either.
So… what is the common scenario for Webhosts and how hard is it convince them to open up these permissions in a way to make SMTP and Web Permissions to at least one site work? Any experience?
Other Posts you might also like