Asp. NET medium security Mode Some experience sharing _ practical tips

Source: Internet
Author: User
Tags emit response write safe mode sqlite
Non-generic web programs or products typically do not deal with ASP.net medium security mode because the user community is fixed, or the deployment environment can be determined by the program provider.
But in doing general-purpose web products, you have to deal with a variety of people, and some webmaster use foreign space, such as GoDaddy, foreign space merchants will often put ASP.net code execution rights control in the medium security mode.
In the medium Safe mode, a lot of things we are accustomed to can not do.

what is the medium Safe mode?
There may be a lot of people who haven't been in the middle-safe mode, and I didn't know there was a medium security model before I joined the Bbsmax project.
In simple terms, ASP. NET provides a simple scenario for setting code execution permissions, called "trust level."
It provides 5 levels of trust by default: FullTrust, High, Medium, low, and minimal.
Each trust level setting corresponds to a set of code permission settings.
This scenario allows site Deployer to quickly set up the site's managed code execution permissions through web.config.
You can set the ASP.net program to a different trust level by setting the value of the level property of the Web.config <system.web>/<trust> node.
Asp. NET installed, all Web sites are FullTrust trust level and highest trust level by default.
The "Medium security mode" described in this article corresponds to the Medium trust level.
Because the managed code execution permission model is not the focus of this article, I only do a simple description here, do not delve into the implementation principle of the ASP.net security level setting, and the implementation principle can refer to the several connections given at the end of this article.

What are the effects of medium safe mode?
Here are some of the questions that I and my colleagues have encountered in ASP.net medium safe mode:
1. The VirtualPathProvider template mechanism is not available because the VirtualPathProvider needs to run at least in high mode.
2. BuildProvider can not be used, meaning that you want to add your own language implementation is not used, but most of the project will not use such a high level of things.
3. CodeDom, emit can not be used, this is miserable, what the IOC, AOP, dynamic injection of High-tech gadgets, are all abolished, these are not based on the CodeDom is based on emit.
4. The use of ASPX pages to take over the file download is also dying, response write file streaming to the client requires higher code execution permissions.
5. Large file upload also don't think, because large file upload million change httpworkrequst, get Httpworkrequst code needs FullTrust mode.
6. SQLite cannot be used because there is no unmanaged code invocation permission in medium Safe mode, so in addition to SQLite, the unmanaged code calls are discarded.
7. Access data cannot be connected with OLE DB because Oledbclient is not available in medium Safe mode and you can only use an ODBC data source.
So, if you want to consider allowing users to deploy programs to Medium Safe mode, the sooner you do a compatibility test in medium-safe mode, the better.
Because a lot of things that can't be used are related to the infrastructure.
For example, SQLite and access can not be used, your program if just happen to do the version of these two databases, do?
For example, file download can not response write file flow of the way, your program happens to be so do anti-theft chain, do?

Medium Safe Mode is so demanding, how to deal with it?
can only detour, otherwise what to do? There are ways to keep trying.
VirtualPathProvider can not be used, BuildProvider also can not use, but also need to have their own set of template syntax. Then you have to generate the ASPX page before the page access, and then do the URL rewrite.
It's easy to say, just a word. But I don't know how much code to write and how many tests I have done before I find the best solution.
So your method still has to be found by yourself.
The following is a code that determines whether a program is running in medium Safe mode:
Copy Code code as follows:

if (securitymanager.isgranted (new AspNetHostingPermission (Aspnethostingpermissionlevel.medium))
{
}

If you encounter a logic that does not have to be executed, such as acquiring a program's memory footprint or uploading a large file, then you can decide whether to call it or not.
According to the data, it is possible to deploy the assembly to the GAC to get FullTrust level privileges, but I haven't actually tried it.

Appendix A

Reference Links:

MSDN "The trust element (asp.net setup architecture)"

MSDN "How To:use Medium trust in asp.net 2.0"

"Check Code Access Security Permissions granted to your asp.net Web application"

Appendix B


The file download scheme provided by Chen:
Copy Code code as follows:

protected override void OnInit (EventArgs e)
{
Response.ContentType = "Application/octet-stream";
using (FileStream stream = File.Open (Server.MapPath ("~/test.txt"), FileMode.Open))
{
BinaryWriter writer = New BinaryWriter (Response.outputstream);
byte[] buffer = new byte[1024];
int l = 0;
while (L = stream. Read (buffer, 0, buffer.) Length)) > 0)
{
Writer. Write (buffer, 0, L);
}
}
}
Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.