Can't open connection in Medium Trust

Ian
User
Posts: 511
Joined: 01-Apr-2005
# Posted on: 09-Oct-2010 18:27:15   

Hi there,

With V3, when I do "adapter.OpenConnection();" in a Medium Trust environment I get...

Security Exception

Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.

Exception Details: System.Security.SecurityException: Request for the permission of type 'System.Security.Permissions.ReflectionPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.

[SecurityException: Request for the permission of type 'System.Security.Permissions.ReflectionPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.]
   System.Security.CodeAccessSecurityEngine.Check(Object demand, StackCrawlMark& stackMark, Boolean isPermSet) +0
   System.Security.CodeAccessPermission.Demand() +61
   System.Reflection.Emit.DynamicMethod.PerformSecurityCheck(Type owner, StackCrawlMark& stackMark, Boolean skipVisibility) +7590241
   System.Reflection.Emit.DynamicMethod..ctor(String name, Type returnType, Type[] parameterTypes, Type owner, Boolean skipVisibility) +40
   SD.LLBLGen.Pro.ORMSupportClasses.Miscellaneous.DynamicMethodCompiler.CreateSetDynamicMethod(Type type) +186
   SD.LLBLGen.Pro.ORMSupportClasses.Miscellaneous.DynamicMethodCompiler.CreateSetHandler(Type type, PropertyInfo propertyInfo) +74
   SD.LLBLGen.Pro.ORMSupportClasses.DbProviderFactoryInfo.InitializeEnumTypeCache() +962
   SD.LLBLGen.Pro.ORMSupportClasses.DbProviderFactoryInfo.SetDbProviderFactoryParameterData(String dbProviderFactoryInvariantName, Type dbProviderSpecificEnumType, String dbProviderSpecificEnumTypePropertyName) +100
   SD.LLBLGen.Pro.DQE.SqlServer.SqlServerSpecificCreator.SetDbProviderFactoryParameterData(String dbProviderFactoryInvariantName, Type dbProviderSpecificEnumType, String dbProviderSpecificEnumTypePropertyName) +48
   SD.LLBLGen.Pro.DQE.SqlServer.DynamicQueryEngine.SetDbProviderFactoryInvariantNameToUse() +159
   SD.LLBLGen.Pro.DQE.SqlServer.DynamicQueryEngine..cctor() +858

Any ideas?

Cheers, Ian.

Otis
LLBLGen Pro Team
Posts: 39908
Joined: 17-Aug-2003
# Posted on: 10-Oct-2010 10:43:09   

Do you use a standard medium trust or is it a custom medium trust?

Frans Bouma | Lead developer LLBLGen Pro
Ian
User
Posts: 511
Joined: 01-Apr-2005
# Posted on: 10-Oct-2010 18:27:31   

I'm not sure about the live server but I managed to get the same result with the following on my dev machine and with using one of the LLBLGen V3 demo projects.

<trust level="Medium" originUrl="" />

Apart from that addition to web.config I'm not aware of having modified the trust settings in any other way. (In other words, I'm not sure what you mean :) )

daelmo
Support Team
Posts: 8245
Joined: 28-Nov-2005
# Posted on: 10-Oct-2010 22:07:18   
David Elizondo | LLBLGen Support Team
Ian
User
Posts: 511
Joined: 01-Apr-2005
# Posted on: 11-Oct-2010 01:28:01   

Where does 'requiresPermission="false"' go?

Also the thread that suggests this is from 2008. So why would I only get this issue now?

Walaa
Support Team
Posts: 14995
Joined: 21-Aug-2005
# Posted on: 11-Oct-2010 10:07:49   

Just to be sure, this doesn't fire when using a Linq query, just by opening a connection, right?

Have you read the second newest thread: http://www.llblgen.com/TinyForum/Messages.aspx?ThreadID=15694

Haven't you found any help there?

Otis
LLBLGen Pro Team
Posts: 39908
Joined: 17-Aug-2003
# Posted on: 11-Oct-2010 11:34:50   

I'll build a testbuild of the ormsupportclasses for you which will use a different CTor on the DynamicMethod class, to see whether that helps or not. Although it's odd that you run into this and others don't... MSDN documentation also doesn't explain whether the method called is a security issue. If there are trustlevel issues they will be popping up later on.

Frans Bouma | Lead developer LLBLGen Pro
Otis
LLBLGen Pro Team
Posts: 39908
Joined: 17-Aug-2003
# Posted on: 11-Oct-2010 11:42:14   

Could you try the attached dll? It uses a different CTor on DynamicMethod, which is only usable for public properties/methods, but as we only use it for that purpose, it should be ok. please make sure your website uses this ormsupportclasses dll (build 10112010)

Frans Bouma | Lead developer LLBLGen Pro
Ian
User
Posts: 511
Joined: 01-Apr-2005
# Posted on: 11-Oct-2010 17:25:11   

Otis wrote:

> Could you try the attached dll? It uses a different CTor on DynamicMethod, which is only usable for public properties/methods, but as we only use it for that purpose, it should be ok. please make sure your website uses this ormsupportclasses dll (build 10112010)

I've double checked that all the projects are referencing that dll on my desktop but the problem's still there.

> Just to be sure, this doesn't fire when using a Linq query, just by opening a connection, right?
>
> Have you read the second newest thread: http://www.llblgen.com/TinyForum/Messages.aspx?ThreadID=15694
>
> Haven't you found any help there?

Yes... just from opening the connection! I'm already quite careful with Linq queries because I know that anything fancy doesn't work on our live server.

There's a lot going on in that thread... :confused:

Otis
LLBLGen Pro Team
Posts: 39908
Joined: 17-Aug-2003
# Posted on: 11-Oct-2010 17:38:42   

Ian wrote:

> Otis wrote:
>
> > Could you try the attached dll? It uses a different CTor on DynamicMethod, which is only usable for public properties/methods, but as we only use it for that purpose, it should be ok. please make sure your website uses this ormsupportclasses dll (build 10112010)
>
> I've double checked that all the projects are referencing that dll on my desktop but the problem's still there.
>
> > Just to be sure, this doesn't fire when using a Linq query, just by opening a connection, right?
> >
> > Have you read the second newest thread: http://www.llblgen.com/TinyForum/Messages.aspx?ThreadID=15694
> >
> > Haven't you found any help there?
>
> Yes... just from opening the connection! I'm already quite careful with Linq queries because I know that anything fancy doesn't work on our live server.
>
> There's a lot going on in that thread... :confused:

Do you get the exact same stacktrace?

Frans Bouma | Lead developer LLBLGen Pro
Ian
User
Posts: 511
Joined: 01-Apr-2005
# Posted on: 11-Oct-2010 17:51:44   

Here it is...

[SecurityException: Request for the permission of type 'System.Security.Permissions.ReflectionPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.]
   System.Security.CodeAccessSecurityEngine.Check(Object demand, StackCrawlMark& stackMark, Boolean isPermSet) +0
   System.Security.CodeAccessPermission.Demand() +61
   System.Reflection.Emit.DynamicMethod.PerformSecurityCheck(Type owner, StackCrawlMark& stackMark, Boolean skipVisibility) +160
   System.Reflection.Emit.DynamicMethod..ctor(String name, Type returnType, Type[] parameterTypes, Type owner) +37
   SD.LLBLGen.Pro.ORMSupportClasses.Miscellaneous.DynamicMethodCompiler.CreateSetDynamicMethod(Type type) +184
   SD.LLBLGen.Pro.ORMSupportClasses.Miscellaneous.DynamicMethodCompiler.CreateSetHandler(Type type, PropertyInfo propertyInfo) +74
   SD.LLBLGen.Pro.ORMSupportClasses.DbProviderFactoryInfo.InitializeEnumTypeCache() +962
   SD.LLBLGen.Pro.ORMSupportClasses.DbProviderFactoryInfo.SetDbProviderFactoryParameterData(String dbProviderFactoryInvariantName, Type dbProviderSpecificEnumType, String dbProviderSpecificEnumTypePropertyName) +100
   SD.LLBLGen.Pro.DQE.SqlServer.SqlServerSpecificCreator.SetDbProviderFactoryParameterData(String dbProviderFactoryInvariantName, Type dbProviderSpecificEnumType, String dbProviderSpecificEnumTypePropertyName) +48
   SD.LLBLGen.Pro.DQE.SqlServer.DynamicQueryEngine.SetDbProviderFactoryInvariantNameToUse() +159
   SD.LLBLGen.Pro.DQE.SqlServer.DynamicQueryEngine..cctor() +858

Otis
LLBLGen Pro Team
Posts: 39908
Joined: 17-Aug-2003
# Posted on: 12-Oct-2010 17:19:09   

Hmm...

Looking at the docs, the problem seems to be this: we call the Ctor: DynamicMethod(String, Type, array<Type>[], Type), which has this in the docs:

> For backward compatibility, this constructor demands SecurityPermission with the SecurityPermissionFlag.ControlEvidence flag if the following conditions are both true: owner is in a module other than the calling module, and the demand for ReflectionPermission with the ReflectionPermissionFlag.MemberAccess flag has failed. If the demand for SecurityPermission succeeds, the operation is allowed.

and

> Starting with the .NET Framework version 2.0 Service Pack 1, this member no longer requires ReflectionPermission with the ReflectionPermissionFlag.ReflectionEmit flag. (See Security Issues in Reflection Emit.) To use this functionality, your application should target the .NET Framework version 3.5 or later.

This is only true for .net 2, as .net 3.5 introduces a different ctor which allows working around this. I'm not sure if you're using .NET 2 still...

Anyway, it therefore should work if you manually add the security permission to the web.config for SecurityPermissionFlag.ControlEvidence. I'm not sure how to do that, as I'm not an asp.net guru, but if the app is granted that permission, the app should work in medium trust. Please let us know if we have to assist further.

Frans Bouma | Lead developer LLBLGen Pro
Ian
User
Posts: 511
Joined: 01-Apr-2005
# Posted on: 13-Oct-2010 23:44:12   

Hi,

All of my projects are 3.5 or 4. Does this mean that configuring SecurityPermissionFlag.ControlEvidence is not going to be relevant?

This seems strange that I'm the only one getting this problem. Have you tried running LLBLGenProCRUDDemo with...

<trust level="Medium" originUrl="" />

...in web.config? Does this work for you?

Cheers, Ian.

Walaa
Support Team
Posts: 14995
Joined: 21-Aug-2005
# Posted on: 14-Oct-2010 09:41:37   

For some unknown reason you should try adding the security permission to the web.config for SecurityPermissionFlag.ControlEvidence.

Report back the outcome, please.

Otis
LLBLGen Pro Team
Posts: 39908
Joined: 17-Aug-2003
# Posted on: 14-Oct-2010 12:35:46   

We'll see if we can reproduce it and if so, fiddle with asp.net settings to see if we can get it to work with a web.config setting. Reminder: we're not asp.net gurus so it might be we fail, while there is a solution.

Frans Bouma | Lead developer LLBLGen Pro
Otis
LLBLGen Pro Team
Posts: 39908
Joined: 17-Aug-2003
# Posted on: 14-Oct-2010 13:00:32   

We can reproduce it. Looking into working around it.

Frans Bouma | Lead developer LLBLGen Pro
Otis
LLBLGen Pro Team
Posts: 39908
Joined: 17-Aug-2003
# Posted on: 14-Oct-2010 13:33:51   

Ok, please do the following:

  • from the WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG folder copy the web_mediumtrust.config file to your website project folder and include it in your project
  • rename it to web_mediumcustomtrust.config
  • add to the web.config file, in the system.web section:

<securityPolicy>
    <trustLevel name="CustomMedium" policyFile="web_mediumcustomtrust.config"/>
</securityPolicy>
<trust level="CustomMedium" />

  • in web_mediumcustomtrust.config, look up the line <IPermission class="SecurityPermission" version="1" Flags=".... and add to the list of flags 'ControlEvidence', so it looks like:
<IPermission class="SecurityPermission" version="1" Flags="Assertion, Execution, ControlEvidence, ControlThread, ControlPrincipal, RemotingConfiguration"/>

  • in web_mediumcustomtrust.config, look up the line <IPermission class="ReflectionPermission" version="1" Flags="... and add to the list of flags 'MemberAccess' so it looks like:
<IPermission class="ReflectionPermission" version="1" Flags="MemberAccess, RestrictedMemberAccess"/>

Build your website. The custom trust config file is as medium trust, you just granted some extra rights to the code, namely access members on a type which isn't in the calling module (which is required for reflecting over a type from an ADO.NET provider, as we do). Ship the custom trust file with your webapp, as it's just a config file located in the website's folder similar to web.config. You might have to look into the IIS configuration to hide this file from the outside world, although I think it automatically disallows reading .config files, but you should check regardless.

Hope this helps!

Frans Bouma | Lead developer LLBLGen Pro
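
The steps in the post above change two Flags lists in a copy of the medium-trust policy file. As an added example (not from the thread and not LLBLGen Pro code), this Python script diffs a custom policy file against the stock one, so the extra grants are visible and a flag that was not actually added is caught. The two embedded policy strings are constructed, trimmed stand-ins built from the IPermission lines quoted in the post, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed, trimmed stand-in for a medium-trust policy file: only the two
# IPermission lines the post edits are present (a real file has many more).
TEMPLATE = """<configuration><mscorlib><security><policy><PolicyLevel version="1">
<NamedPermissionSets><PermissionSet class="NamedPermissionSet" version="1" Name="ASP.Net">
<IPermission class="SecurityPermission" version="1" Flags="{sec}"/>
<IPermission class="ReflectionPermission" version="1" Flags="{refl}"/>
</PermissionSet></NamedPermissionSets>
</PolicyLevel></policy></security></mscorlib></configuration>"""

# "Before": the post's lines with the two added flags taken out again.
STOCK = TEMPLATE.format(
    sec="Assertion, Execution, ControlThread, ControlPrincipal, RemotingConfiguration",
    refl="RestrictedMemberAccess")
# "After": the Flags values exactly as given in the post.
CUSTOM = TEMPLATE.format(
    sec="Assertion, Execution, ControlEvidence, ControlThread, ControlPrincipal, RemotingConfiguration",
    refl="MemberAccess, RestrictedMemberAccess")

# Flags the post says must be present for the workaround to take effect.
REQUIRED = {"SecurityPermission": {"ControlEvidence"},
            "ReflectionPermission": {"MemberAccess"}}


def permission_flags(policy_xml, set_name="ASP.Net"):
    """Map each IPermission class in the named permission set to its Flags."""
    result = {}
    for pset in ET.fromstring(policy_xml).iter("PermissionSet"):
        if pset.get("Name") != set_name:
            continue
        for perm in pset.iter("IPermission"):
            flags = {f.strip() for f in perm.get("Flags", "").split(",") if f.strip()}
            if perm.get("Unrestricted", "").lower() == "true":
                flags.add("<Unrestricted>")
            result.setdefault(perm.get("class"), set()).update(flags)
    return result


def added_grants(stock_xml, custom_xml):
    """Flags (or whole permissions) present in the custom file but not in stock."""
    stock, custom = permission_flags(stock_xml), permission_flags(custom_xml)
    delta = {}
    for cls, flags in custom.items():
        if cls not in stock:
            delta[cls] = sorted(flags) or ["<new permission>"]
        elif flags - stock[cls]:
            delta[cls] = sorted(flags - stock[cls])
    return delta


def missing_required(custom_xml, required=REQUIRED):
    """Required flags that the custom file still lacks, per permission class."""
    have = permission_flags(custom_xml)
    return {cls: sorted(need - have.get(cls, set()))
            for cls, need in required.items() if need - have.get(cls, set())}


if __name__ == "__main__":
    print("extra grants over stock medium trust:", added_grants(STOCK, CUSTOM))
    print("flags still missing:", missing_required(CUSTOM))
```

Only the Flags and Unrestricted attributes are compared; permissions expressed through other attributes (such as FileIOPermission paths) need a separate check.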
Ian
User
Posts: 511
Joined: 01-Apr-2005
# Posted on: 14-Oct-2010 15:42:12   

OK I will give it a go. The problem is probably going to be with the hosting company who use a strict configuration.

Otis
LLBLGen Pro Team
Posts: 39908
Joined: 17-Aug-2003
# Posted on: 14-Oct-2010 15:53:09   

Ian wrote:

> OK I will give it a go. The problem is probably going to be with the hosting company who use a strict configuration.

that doesn't matter IMHO: with your own web.config file, you can override that with the description I gave. If they have other limits in place, it's IMHO really too restrictive as the restrictions I removed by adding the permissions I specified, are not harmful to their servers. (i.e. I'm not adding registry rights and the like)

Frans Bouma | Lead developer LLBLGen Pro
Deividas
User
Posts: 44
Joined: 01-Oct-2010
# Posted on: 25-Oct-2010 15:44:09   

I am getting the same exception with exactly the same stack trace. I have tried your solution to change medium trust settings. It didn't work. I even tried setting full trust like this:

<trust level="Full" />

It didn't work either. Don't know what else could I do.

Otis
LLBLGen Pro Team
Posts: 39908
Joined: 17-Aug-2003
# Posted on: 25-Oct-2010 16:07:44   

Deividas wrote:

> I am getting the same exception with exactly the same stack trace. I have tried your solution to change medium trust settings. It didn't work. I even tried setting full trust like this:
>
> <trust level="Full" />
>
> It didn't work either. Don't know what else could I do.

that's odd. Also, what I described only works if you define a different trustlevel (e.g. custommedium) and set that as the trustlevel. I was able to make the exception go away when I did that, hence my suggestion to follow that.

It might be that the hosting provider forces a trustlevel on you, but I don't know if that's possible (IMHO it should be possible to override that trustlevel in the config file, according to documentation)

Frans Bouma | Lead developer LLBLGen Pro
Deividas
User
Posts: 44
Joined: 01-Oct-2010
# Posted on: 25-Oct-2010 16:29:23   

> that's odd. Also, what I described only works if you define a different trustlevel (e.g. custommedium) and set that as the trustlevel. I was able to make the exception go away when I did that, hence my suggestion to follow that.

It didn't work for me. I know that the security policy file was read, because otherwise exception would have been thrown.

> It might be that the hosting provider forces a trustlevel on you, but I don't know if that's possible (IMHO it should be possible to override that trustlevel in the config file, according to documentation)

I don't use a hosting provider. It's a machine used for development purposes with default settings. Also I don't know if that changes anything but I use WCF.

Also don't you think that requiring your customers to change trust levels is a little bit too much? I don't think any other ORM tools do that. Otherwise, a great product. :)

Otis
LLBLGen Pro Team
Posts: 39908
Joined: 17-Aug-2003
# Posted on: 25-Oct-2010 18:57:28   

Deividas wrote:

> > that's odd. Also, what I described only works if you define a different trustlevel (e.g. custommedium) and set that as the trustlevel. I was able to make the exception go away when I did that, hence my suggestion to follow that.
>
> It didn't work for me. I know that the security policy file was read, because otherwise exception would have been thrown.

well, there must have been something wrong, as it did work here. The problem is that you have to make sure the additional flags are indeed added. It also might be the runtime lib you're using is outdated, but if you're using the one I attached today to your bugreport, it is the latest build. I had a hard time getting it to work as well, but eventually when I did everything I described above, it worked out.

> > It might be that the hosting provider forces a trustlevel on you, but I don't know if that's possible (IMHO it should be possible to override that trustlevel in the config file, according to documentation)
>
> I don't use a hosting provider. It's a machine used for development purposes with default settings. Also I don't know if that changes anything but I use WCF.

No idea. You specified full trust in the config file and still it didn't work, which IMHO means the trust level in the config file wasn't read. What trust level did you set in IIS?

> Also don't you think that requiring your customers to change trust levels is a little bit too much? I don't think any other ORM tools do that. Otherwise, a great product. :)

The problem is that our code is now using DBProviderFactory. This means that we've to set the ado.net provider specific dbtype enum property on the parameter object somehow without a reference to the particular ado.net assembly (otherwise, why bother with providerfactory). This is doable, but that can be done only by using a delegate. As our code is compiled on .net 2.0 to make it work on .net 2.0 as well, we can't use a func<>, so we have to use a real delegate on a type coming from another assembly (the ado.net assembly we grab from the factory). A delegate is really slow compared to a dynamic method generated at runtime, so we use that instead. This has the downside that we have to create a dynamic method on a type coming from outside the codebase, which gives the security exception. When I add the flag to the trustlevel as described to allow that, it works.

So it's not really something we can fix without a serious compromise (and the delegate will be called a lot (every parameter created) which means it has significant impact)...

Frans Bouma | Lead developer LLBLGen Pro
Deividas
User
Posts: 44
Joined: 01-Oct-2010
# Posted on: 25-Oct-2010 21:52:01   

Otis wrote:

> Deividas wrote:
>
> > > that's odd. Also, what I described only works if you define a different trustlevel (e.g. custommedium) and set that as the trustlevel. I was able to make the exception go away when I did that, hence my suggestion to follow that.
> >
> > It didn't work for me. I know that the security policy file was read, because otherwise exception would have been thrown.
>
> well, there must have been something wrong, as it did work here. The problem is that you have to make sure the additional flags are indeed added. It also might be the runtime lib you're using is outdated, but if you're using the one I attached today to your bugreport, it is the latest build. I had a hard time getting it to work as well, but eventually when I did everything I described above, it worked out.
>
> > > It might be that the hosting provider forces a trustlevel on you, but I don't know if that's possible (IMHO it should be possible to override that trustlevel in the config file, according to documentation)
> >
> > I don't use a hosting provider. It's a machine used for development purposes with default settings. Also I don't know if that changes anything but I use WCF.
>
> No idea. You specified full trust in the config file and still it didn't work, which IMHO means the trust level in the config file wasn't read. What trust level did you set in IIS?

I've done some googling and found out that "by default, Web applications are configured to run with full trust". And indeed Web.config files in \Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG and in \Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG are configured to use full trust. So in theory I shouldn't need to change anything for my application to work. And giving my application full trust does nothing, because it already has full trust. Could this be an OS problem? I'm using Windows Server 2008 R2 Standard.

Deividas
User
Posts: 44
Joined: 01-Oct-2010
# Posted on: 25-Oct-2010 22:43:59   

I think I found the cause of the problem. It is probably the fact that I downloaded the runtime lib from the forum. Therefore it was marked as untrusted. More info here: http://blogs.msdn.com/b/friis/archive/2010/06/09/system-security-securityexception-request-for-the-permission-of-type-system-web-aspnethostingpermission-failed.aspx . Although unblocking the file didn't solve my problem, setting the application pool to LocalService did (NetworkService also works), which is an acceptable solution for me.

So the moral here is that you use a bad practice - attaching dlls to forum posts. ;) Although that is nothing to be ashamed of, I guess. I didn't know about it before either. ;)
