Hello,

my ASP .NET web application runs perfectly on my laptop, and I'm impressed by the functionality NHibernate offers.

Unfortunately, on my shared webspace (hosted by 1&1 Germany), I got a SecurityException. I recompiled NHibernate manually and copied all debug symbols. Suddenly it seemed to work! But then I got a SecurityException again somewhere else. This time I managed to obtain a stack trace:



Log4net doesn't work either, only locally.

According to my hoster's German FAQ, it is very likely that this is due to an assembly with a strong name lacking the AllowPartiallyTrustedCallers attribute.

And indeed, this would make sense to me:
I recompiled the NHibernate assembly manually (and had to remove the signing directive), thereby removing its strong name (I guess) -> suddenly it worked.

Later one, a dependency (Castle.DynamicProxy or something else) was loaded by NHibernate, which had a strong name - but no AllowPartiallyTrustedCallers attribute.

Log4net themselves added that attribute in the beginning of 2004.

Could you please add this attribute, also in the dependencies?

Or is there a different solution?

Regards,

Marvin

Please create a JIRA issue for this.

I looked at the AssemblyInfo.cs and it is missing some attributes that should be there for strong named assemblies I would recommend these:

[assembly: SecurityPermission(SecurityAction.RequestMinimum, Execution=true, SerializationFormatter=true)]
[assembly: ReflectionPermission(SecurityAction.RequestMinimum, TypeInformation=true, MemberAccess=true)]
[assembly:SecurityPermissionAttribute(SecurityAction.RequestMinimum, UnmanagedCode=true)]

Forgot to mention, the last one is only needed if the nhibernate ever needs to deal with calls to unmanaged assemblies it references. Otherwise it could be removed.

Hi,

I am looking at using NHibernate in a partially trusted hosting environment but it looks like there could be problems...has anyone had any luck in achieving this? If so, can you please let me know what steps need to be undertaken?

The AllowPartiallyTrustedCallers attribute seems to be missing from the 1.0.2 src and there are dependencies like CastleProject.DynamicProxy that are also missing this attribute so I am guessing that it might not be possible.

Thanks,

Jason

As more and more shared hosting environments are running under medium trust, this has been becoming a showstoper for a lot of developers.

Damn...I was hoping that it wasn't going to be a showstopper as I really don't want to go back to the old way of doing things (without NHibernate) on this project!!

Is it really the APTCA that you're missing? That attribute would only be required if NHibernate has full trust and the rest of your application has medium trust, as far as I understand. If you really have such a situation, then I guess you will have to recompile NHibernate to include the attribute.

I'm hesitant to add the attribute myself because it's security-related and I'm not 100% sure of what consequences it will have (though it looks like it shouldn't open any security holes).

Hi Sergey,

To be honest, I don't know the consequences of adding APTCA so I wouldn't like to comment. The information that our ISP has provided explicitly states that the attribute must be set for all strongly named assemblies because they do not allow sites to run in full trust mode.

The following MS article seems to support this too:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/aptcatypes.asp

However, just adding it to the NHibernate/Contrib projects may not be enough as there are other referenced assemblies that would need the attribute set too, e.g. CastleProject.DynamicProxy.

It does appear to be a significant issue for NH in a hosted environment though so I do feel that it needs to be resolved. At this stage, it looks like we are going to have to drop NH for this project, which is a right pain because it is so damned good that we really rely on it for all of our projects now :-(

Sorry I can't be of too much help here...I am just fumbling my way around this issue myself!

Cheers,

Jason