Developing ASP.NET in Partial Trust


Apr 11, 2008

Recently I developed a lab for our Writing Secure Code - ASP.NET training course where students modify Hacme Bank to run in Partial Trust rather than Full Trust.

A lot has been written about Partial Trust. It's not going to solve every security problem, but it's a smart thing to do. I wanted to show students that it was easy to take an existing application and get it to run with only the privileges it needed.

Turns out, there is more than one way to skin a cat. And, depending on your architecture, you may be spinning your wheels needlessly, as I learned the hard way.

Hacme Bank is based on the older .asmx web service architecture, with the web front-end calling a service layer, which calls the database.

If we configure the site to run in the default Medium Trust level, it is not allowed to call the Hacme Bank web service (a SecurityException for WebPermission is thrown).

After a few hours of tinkering, reading, debugging, and throwing my innocent wireless mouse across the room (my preferred method of stress management), I discovered a couple of different methods that I could use to get this working. Thanks to Dominick Baier and Rudolph Araujo for seeding the clouds of this brainstorm.

The four options are:

  1. Set the originUrl attribute in the trust element of the web.config file
  2. Create a new custom trust level
  3. Partition the privileged code into an assembly and install in the Global Assembly Cache
  4. Partition the privileged code into an assembly and create a new custom trust level
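As an added example (not from the original post), this is what option 1 looks like in the application's web.config. The service URL is a placeholder for wherever the Hacme Bank web service is hosted. ASP.NET substitutes the originUrl value for the $OriginHost$ token in the Medium Trust policy's WebPermission, and the value is treated as a regular expression, so it should be scoped to the service path rather than to the whole host.

```xml
<!-- Added example: application-level web.config for option 1.
     The originUrl value is a placeholder for the Hacme Bank service URL;
     it is a regular expression, so ".*" matches the service's .asmx pages
     under that path and nothing else on the host. -->
<configuration>
  <system.web>
    <trust level="Medium" originUrl="http://localhost/HacmeBankWS/.*" />
  </system.web>
</configuration>
```

This only affects WebPermission, which is why the approach is limited to web calls: the Medium Trust policy file is the one that references $OriginHost$, and no other permission in it is parameterised this way.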

And, for those of you who aren't into reading longish blog posts, here's a summary of what I found:

| Approach | Pros | Cons |
|---|---|---|
| Set the originUrl attribute in the trust element of the web.config file | Really easy | Only works for web permissions (like calling a web service) |
| Create a new custom trust level | Only necessary permissions are granted | All code runs with the extra permissions |
| Partition the privileged code into an assembly and install in the Global Assembly Cache | Only a small amount of code gets elevated privileges | The code that gets elevated privileges runs in Full Trust |
| Partition the privileged code into an assembly and create a new custom trust level | Only necessary permissions are granted and only a small amount of code gets elevated privileges | Difficult |
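As an added example (not from the original post), option 2 needs two edits: a trustLevel entry in web.config that registers the custom level and switches the site to it, and the policy file itself, which starts as a copy of web_mediumtrust.config from the .NET Framework CONFIG directory with the ASP.Net permission set's WebPermission widened to the service URL. The file name web_customtrust.config and the service URL are placeholders; the fragment shows only the lines that change, with the rest of the copied policy file left as it was.

```xml
<!-- Added example, file 1: application-level web.config for option 2.
     policyFile is resolved relative to this web.config. -->
<configuration>
  <system.web>
    <securityPolicy>
      <trustLevel name="Custom" policyFile="web_customtrust.config" />
    </securityPolicy>
    <trust level="Custom" />
  </system.web>
</configuration>

<!-- Added example, file 2: web_customtrust.config, a copy of
     web_mediumtrust.config. Only the WebPermission entry in the
     "ASP.Net" named permission set is changed; SecurityClasses, the
     other IPermission entries and the CodeGroup tree are kept verbatim. -->
<configuration>
  <mscorlib>
    <security>
      <policy>
        <PolicyLevel version="1">
          <SecurityClasses>
            <!-- unchanged from web_mediumtrust.config -->
          </SecurityClasses>
          <NamedPermissionSets>
            <PermissionSet class="NamedPermissionSet" version="1" Name="ASP.Net">
              <!-- other IPermission entries unchanged -->
              <IPermission class="WebPermission" version="1">
                <ConnectAccess>
                  <!-- Medium Trust has <URI uri="$OriginHost$"/> here.
                       Grant connect access to the service path only (placeholder URL),
                       never Unrestricted="true", because every assembly in the
                       application receives whatever this set grants. -->
                  <URI uri="http://localhost/HacmeBankWS/.*" />
                </ConnectAccess>
              </IPermission>
            </PermissionSet>
          </NamedPermissionSets>
          <!-- CodeGroup tree unchanged from web_mediumtrust.config -->
        </PolicyLevel>
      </policy>
    </security>
  </mscorlib>
</configuration>
```

The same technique covers any other permission the application turns out to need (a FileIOPermission to a specific directory, for instance): add the narrowest IPermission that makes the failing call succeed rather than switching to a higher trust level. The trade-off in the table still applies, since the extra grant is visible to all code in the site, not only to the layer that calls the service.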