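Sometimes the ASP.NET applications we write run on a virtual host. Some virtual hosts, possibly for security reasons, restrict the permissions granted to ASP.NET, which can prevent our applications from running properly.
Symptoms:
For some reason, ASP.NET cannot load certain DLL files, and the following error is shown: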
Server Error in '/' Application.
--------------------------------------------------------------------------------
Required permissions cannot be acquired.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Security.Policy.PolicyException: Required permissions cannot be acquired.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[PolicyException: Required permissions cannot be acquired.]
System.Security.SecurityManager.ResolvePolicy(Evidence evidence, PermissionSet reqdPset, PermissionSet optPset, PermissionSet denyPset, PermissionSet& denied, Boolean checkExecutionPermission) +2738293
System.Security.SecurityManager.ResolvePolicy(Evidence evidence, PermissionSet reqdPset, PermissionSet optPset, PermissionSet denyPset, PermissionSet& denied, Int32& securitySpecialFlags, Boolean checkExecutionPermission) +57
[FileLoadException: Could not load file or assembly 'Microsoft.Practices.ObjectBuilder, Version=1.0.51205.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies. Failed to grant minimum permission requests. (Exception from HRESULT: 0x80131417)]
System.Reflection.Assembly.nLoad(AssemblyName fileName, String codeBase, Evidence assemblySecurity, Assembly locationHint, StackCrawlMark& stackMark, Boolean throwOnFileNotFound, Boolean forIntrospection) +0
System.Reflection.Assembly.InternalLoad(AssemblyName assemblyRef, Evidence assemblySecurity, StackCrawlMark& stackMark, Boolean forIntrospection) +211
System.Reflection.Assembly.InternalLoad(String assemblyString, Evidence assemblySecurity, StackCrawlMark& stackMark, Boolean forIntrospection) +141
System.Reflection.Assembly.Load(String assemblyString) +25
System.Web.Configuration.CompilationSection.LoadAssemblyHelper(String assemblyName, Boolean starDirective) +32
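Analysis:
From what I observed, the DLLs generated directly by the ASP.NET application load normally, and external DLLs called directly by ASP.NET also load normally, but other external DLLs that are referenced only by an external DLL cannot be loaded. My guess is this: because the permissions are incomplete, the DLLs generated by the ASP.NET application itself and the DLLs it references directly can obtain permissions through inheritance, whereas other external DLLs referenced only by external DLLs cannot inherit permissions because of the restriction, so the insufficient-permission problem appears.
Solution:
Based on experiments on my own computer, I infer that the virtual host has modified the settings in the root web.config (on my computer it is located in C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG).
The permission settings section of the default web.config is as follows:
<location allowOverride="true">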
<system.web>
<securityPolicy>
<trustLevel name="Full" policyFile="internal" />
<trustLevel name="High" policyFile="web_hightrust.config" />
<trustLevel name="Medium" policyFile="web_mediumtrust.config" />
<trustLevel name="Low" policyFile="web_lowtrust.config" />
<trustLevel name="Minimal" policyFile="web_minimaltrust.config" />
</securityPolicy>
<trust level="Full" originUrl="" />
</system.web>
</location>
The settings I infer the virtual host is using after the modification:
<location allowOverride="false">
<system.web>
<securityPolicy>
<trustLevel name="Full" policyFile="internal" />
<trustLevel name="High" policyFile="web_hightrust.config" />
<trustLevel name="Medium" policyFile="web_mediumtrust.config" />
<trustLevel name="Low" policyFile="web_lowtrust.config" />
<trustLevel name="Minimal" policyFile="web_minimaltrust.config" />
</securityPolicy>
<trust level="High" originUrl="" />
</system.web>
</location>
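They first set allowOverride to false, which removes the ability to redefine permissions in the user's web.config. They then set the trust level to High instead of the default Full. In my tests, whenever the trust level is not Full, other external DLLs referenced only by external DLLs cannot be loaded. I therefore suggest that the support staff set allowOverride to true. That way I can specify the permissions again in my own web.config.
Example: <trust level="Full" originUrl="" />
I have not been working with ASP.NET recently, so I have not seriously looked for the underlying cause, and my understanding may well be wrong. I hope an expert can explain the underlying cause or point out my mistakes.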
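The host's trust level is only inferred above from a local experiment. The following handler, an added example that is not part of the original post, reports the level the host actually granted by demanding AspNetHostingPermission from the highest level down. The names TrustProbe, TrustProbeHandler and TrustProbe.ashx are hypothetical.

```csharp
// Added example, not from the original post. Save as TrustProbe.ashx (hypothetical name)
// with this first line:  <%@ WebHandler Language="C#" Class="TrustProbeHandler" %>
using System.Security;
using System.Web;

public static class TrustProbe
{
    // Ordered from most to least privileged; the first demand that succeeds wins.
    private static readonly AspNetHostingPermissionLevel[] Levels =
    {
        AspNetHostingPermissionLevel.Unrestricted,
        AspNetHostingPermissionLevel.High,
        AspNetHostingPermissionLevel.Medium,
        AspNetHostingPermissionLevel.Low,
        AspNetHostingPermissionLevel.Minimal
    };

    public static AspNetHostingPermissionLevel GetGrantedLevel()
    {
        foreach (AspNetHostingPermissionLevel level in Levels)
        {
            // Demand() throws SecurityException when the policy does not grant this level.
            try { new AspNetHostingPermission(level).Demand(); return level; }
            catch (SecurityException) { /* not granted; try the next lower level */ }
        }
        return AspNetHostingPermissionLevel.None;
    }

    // Map the enum value to the name used in <trust level="..." />.
    public static string ToConfigName(AspNetHostingPermissionLevel level)
    {
        return level == AspNetHostingPermissionLevel.Unrestricted ? "Full" : level.ToString();
    }
}

public class TrustProbeHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "text/plain";
        context.Response.Write("Granted trust level: " +
            TrustProbe.ToConfigName(TrustProbe.GetGrantedLevel()));
    }
}
```

Remove the handler once the level is confirmed, since it discloses the host's policy to anyone who requests it.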