Keith Platter - 336 - Dec 31, 2013

After deploying SSv4 to a Windows IIS hosted environment with Medium Security, I am receiving an error during the Application_Start, I may be out of luck with deploying to this environment but wanted to see if there was anything I could do to avoid the error:

Server Error in ‘/’ Application.

Security Exception

Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application’s trust level in the configuration file.

Exception Details: System.Security.SecurityException: Request failed.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[SecurityException: Request failed.]
ServiceStack.PlatformExtensions.AddAttributes(Type type, Attribute[] attrs) +0
ServiceStack.Host.ServiceController.AfterInit() +219
ServiceStack.ServiceStackHost.AfterPluginsLoaded(String specifiedContentType) +102
ServiceStack.ServiceStackHost.OnAfterInit() +1556
ServiceStack.ServiceStackHost.Init() +428
Global.Application_Start(Object sender, EventArgs e) in Global.asax.cs:521

Version Information: Microsoft .NET Framework Version:4.0.30319; ASP.NET Version:4.0.30319.18055


From what I have been able to determine it looks like this

Add Code-first Attributes at runtime, de-coupled from POCO’s

Inspection of all Metadata attributes in ServiceStack now uses ServiceStack.Text’s attribute reflection API’s which support adding of type and property metadata attributes dynamically. This now lets you add the same behavior normally only available via attributes, dynamically at StartUp. Some benefits of this include: being able to keep unattributed data model POCOs in OrmLite or to extend built-in and external Request DTOs and Services with enhanced functionality that was previously only available using attributes.

Is using reflection which is not supported by Medium Trust…

Keith Platter:

After further testing, it appears to be caused by loading Plugins related to Authentication, Loading plugins in general does not cause the problem as I am able to load the Razor plugin successfully like so:

            Plugins.Add(new RazorFormat());

But loading either of these

Plugins.Add(new AuthFeature(() => new AuthUserSession(),
                new IAuthProvider[] {
                new BasicAuthProvider()

Plugins.Add(new RegistrationFeature());

Causes the error…

It sounds like a medium trust issue as we never throw a SecurityException in the ServiceStack code-base.  

Keith Platter:

I believe so, but is it something that I should be able to disable or fix with a patch or should I assume that SSv4 does not work in medium trust and find a new environment?

Best to assume medium trust is not supported given medium trust is obsolete and being removed in ASP.NET web frameworks:

Nabil Alhusail:

is there a way to run SS under medium trust ?
I don’t really need to add attributes at runtime, so is there a configuration or something that change the trust level along with the functionality provided ?