ASP.NET Security Exception Error

[Edwin Alexander]

I'm new tothe ASP.NET framework and my first task is to create a web
interface for an n-tier application. I'm getting the following error
when trying to authenticate a forms-based login:

"The application attempted to perform an operation not allowed by the
security policy. To grant this application the required permission
please contact your system administrator or change the application's
trust level in the configuration file."

I've seen a number of people posting this error in the newsgroup and
have examined the solutions. Some are assuming a technical prowess
with .NET that I just don't have yet while others are akin to reading
Swahili.

Tracing through the program I've found that the error occurs on the
line of code

currentDomain.SetPrincipalPolicy(PrincipalPolicy.UnauthenticatedPrincipal);

and yields the following stack trace:

[SecurityException: Request for the permission of type
System.Security.Permissions.SecurityPermission, mscorlib,
Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
failed.]

System.Security.CodeAccessSecurityEngine.CheckTokenBasedSetHelper(Boolean
ignoreGrants, TokenBasedSet grants, TokenBasedSet denied, TokenBasedSet
demands) +503

System.Security.CodeAccessSecurityEngine.CheckSetHelper(PermissionSet
grants, PermissionSet denied, PermissionSet demands) +144
System.AppDomain.SetPrincipalPolicy(PrincipalPolicy policy) +0
[...]..ctor(String userID, String password, Boolean usePassword) in
[...]principal.cs:51
[...]Principal.Login(String userName, String password) in
[...]principal.cs:45
[...]tryLogin(String userName, String userPassword) in
[...]login.aspx.cs:53
ASP.Login_aspx.btnLogin_Click(Object sender, EventArgs E) in
[...]Login.aspx:7
System.Web.UI.WebControls.Button.OnClick(EventArgs e) +108

System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String
eventArgument) +57
System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler
sourceControl, String eventArgument) +18
System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData)
+33
System.Web.UI.Page.ProcessRequestMain() +2112
System.Web.UI.Page.ProcessRequest() +218
System.Web.UI.Page.ProcessRequest(HttpContext context) +18

System.Web.CallHandlerExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute()
+179
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&
completedSynchronously) +87

If ignorance is bliss then I'm ecstatic right now. Can anyone help
make sense out of this? I got the hint that it's a trust problem and
that the Web.config file might be involved, but I don't want to be a
Mad Bomber and create more problems than I solve.

Thanks,
Edwin

 

[Nicole Calinoiu]

Setting the AppDomain principal policy requires
SecurityPermissions\ControlPrincipal, which your application would appear to
lack. This limitation may be the result of either the CAS (code access
security) policy on the machine or the ASP.NET trust level at which your
application is running. Before you start modifying either policy, might you
be able to answer the following questions:

1. Is this happening on your development machine or a server? If the
latter, is the problem server configuration expected to mirror the
production server?

2. Would you be permitted to dictate that your application run with
elevated CAS privileges in its production environment?

3. Do you have any idea why the relevant CAS policy or ASP.NET trust levels
might have been altered from their defaults in the first place?

I'm new tothe ASP.NET framework and my first task is to create a web
interface for an n-tier application. I'm getting the following error
when trying to authenticate a forms-based login:

"The application attempted to perform an operation not allowed by the
security policy. To grant this application the required permission
please contact your system administrator or change the application's
trust level in the configuration file."

I've seen a number of people posting this error in the newsgroup and
have examined the solutions. Some are assuming a technical prowess
with .NET that I just don't have yet while others are akin to reading
Swahili.

Tracing through the program I've found that the error occurs on the
line of code

currentDomain.SetPrincipalPolicy(PrincipalPolicy.UnauthenticatedPrincipal);

and yields the following stack trace:

[SecurityException: Request for the permission of type
System.Security.Permissions.SecurityPermission, mscorlib,
Version=1.0.5000.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
failed.]

System.Security.CodeAccessSecurityEngine.CheckTokenBasedSetHelper(Boolean
ignoreGrants, TokenBasedSet grants, TokenBasedSet denied, TokenBasedSet
demands) +503

System.Security.CodeAccessSecurityEngine.CheckSetHelper(PermissionSet
grants, PermissionSet denied, PermissionSet demands) +144
System.AppDomain.SetPrincipalPolicy(PrincipalPolicy policy) +0
[...]..ctor(String userID, String password, Boolean usePassword) in
[...]principal.cs:51
[...]Principal.Login(String userName, String password) in
[...]principal.cs:45
[...]tryLogin(String userName, String userPassword) in
[...]login.aspx.cs:53
ASP.Login_aspx.btnLogin_Click(Object sender, EventArgs E) in
[...]Login.aspx:7
System.Web.UI.WebControls.Button.OnClick(EventArgs e) +108

System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String
eventArgument) +57
System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler
sourceControl, String eventArgument) +18
System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData)
+33
System.Web.UI.Page.ProcessRequestMain() +2112
System.Web.UI.Page.ProcessRequest() +218
System.Web.UI.Page.ProcessRequest(HttpContext context) +18

System.Web.CallHandlerExecutionStep.System.Web.HttpApplication+IExecutionStep.Execute()
+179
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&
completedSynchronously) +87

If ignorance is bliss then I'm ecstatic right now. Can anyone help
make sense out of this? I got the hint that it's a trust problem and
that the Web.config file might be involved, but I don't want to be a
Mad Bomber and create more problems than I solve.

Thanks,
Edwin

 

[Edwin Alexander]

Thanks for the offer of help. To answer your questions...

1. It's occuring on a development machine, not on a server.
2. That would probably be a reasonable requirement.
3. No, I don't. A number of things were quickly configured on my
first few days here to get this PC up and running and I don't recall
the nature or extent of all of the configurations since a lot was done
that first day or so.

Thanks,
Edwin

 

[Nicole Calinoiu]

Hmm... Sounds like configuration changes might be due to an application of
company policy. If so, I'm guessing that it was the CAS policy rather than
the ASP.NET trust level that was altered, and that the change might have
involved removing permissions from local assemblies that don't have
appropriate identifying information (e.g.: assemblies that aren't signed
with one of a selection of strong naming keys). You might need
administrator help to revert this sort of change, and/or you might need to
apply a change after each reboot/login if a GPO is being used to propagate
the company policy. At any rate, if the CAS policy has been altered, your
first step should probably be to talk to the folks that changed it in the
first place to find out how and why it was done.

While alteration of the ASP.NET trust level seems a bit less likely, it's
still possible. To verify whether it's been changed, take a look at the
configuration\location\system.web\trust element in the
<windows>\Microsoft.NET\Framework\<version>\CONFIG\machine.config file. If
you see something other than "full" (for "full trust"), what is it?
(SecurityPermission\Control Principal should be granted un default
configurations of both the high and medium trust levels.)