 Post subject: AllowPartiallyTrustedCallers
Posted: Fri Oct 21, 2005 8:43 pm
Newbie

Joined: Tue Jun 14, 2005 10:01 am
Posts: 3
Location: Berlin, Germany / Oslo, Norway
Hello,

my ASP.NET web application runs perfectly on my laptop, and I'm impressed by the functionality NHibernate offers.

Unfortunately, on my shared webspace (hosted by 1&1 Germany), I got a SecurityException. I recompiled NHibernate manually and copied all debug symbols. Suddenly it seemed to work! But then I got a SecurityException again somewhere else. This time I managed to obtain a stack trace:

Code:
System.Security.SecurityException: Security error.
   at NHibernate.Cfg.Configuration.SecondPassCompile()
   at NHibernate.Cfg.Configuration.BuildSessionFactory() in [...]\NHibernate\Cfg\Configuration.cs:line 896


Log4net doesn't work either, only locally.

According to my hoster's German FAQ, it is very likely that this is due to an assembly with a strong name lacking the AllowPartiallyTrustedCallers attribute.

And indeed, this would make sense to me:
I recompiled the NHibernate assembly manually (and had to remove the signing directive), thereby removing its strong name (I guess) -> suddenly it worked.

Later on, a dependency (Castle.DynamicProxy or something else) was loaded by NHibernate, which had a strong name - but no AllowPartiallyTrustedCallers attribute.

Log4net themselves added that attribute in the beginning of 2004.

Could you please add this attribute, also in the dependencies?

Or is there a different solution?

Regards,

Marvin


 
 Post subject:
Posted: Sat Oct 22, 2005 5:53 am
Contributor

Joined: Wed May 11, 2005 4:59 pm
Posts: 1766
Location: Prague, Czech Republic
Please create a JIRA issue for this.


 
 Post subject: security
Posted: Fri Nov 04, 2005 10:40 am
Newbie

Joined: Sun Oct 19, 2003 1:58 pm
Posts: 8
Location: Brentwood, TN
I looked at the AssemblyInfo.cs and it is missing some attributes that should be there for strong-named assemblies. I would recommend these:

Code:
using System.Security.Permissions; // namespace of the permission attributes below
[assembly: SecurityPermission(SecurityAction.RequestMinimum, Execution = true, SerializationFormatter = true)]
[assembly: ReflectionPermission(SecurityAction.RequestMinimum, TypeInformation = true, MemberAccess = true)]
[assembly: SecurityPermission(SecurityAction.RequestMinimum, UnmanagedCode = true)]

_________________
Don Eddleman


 
 Post subject: security on Assembly
Posted: Fri Nov 04, 2005 10:42 am
Newbie

Joined: Sun Oct 19, 2003 1:58 pm
Posts: 8
Location: Brentwood, TN
Forgot to mention, the last one is only needed if NHibernate ever needs to deal with calls to unmanaged assemblies it references. Otherwise it could be removed.

_________________
Don Eddleman


 
 Post subject:
Posted: Thu May 11, 2006 2:46 am
Senior

Joined: Sat Sep 03, 2005 12:54 am
Posts: 139
Hi,

I am looking at using NHibernate in a partially trusted hosting environment but it looks like there could be problems...has anyone had any luck in achieving this? If so, can you please let me know what steps need to be undertaken?

The AllowPartiallyTrustedCallers attribute seems to be missing from the 1.0.2 src and there are dependencies like CastleProject.DynamicProxy that are also missing this attribute so I am guessing that it might not be possible.

Thanks,

Jason


 
 Post subject:
Posted: Thu May 11, 2006 8:06 pm
Beginner

Joined: Thu Nov 03, 2005 1:52 am
Posts: 21
As more and more shared hosting environments are running under medium trust, this has been becoming a showstopper for a lot of developers.


 
 Post subject:
Posted: Thu May 11, 2006 10:09 pm
Senior

Joined: Sat Sep 03, 2005 12:54 am
Posts: 139
Damn...I was hoping that it wasn't going to be a showstopper as I really don't want to go back to the old way of doing things (without NHibernate) on this project!!


 
 Post subject:
Posted: Fri May 12, 2006 4:26 am
Contributor

Joined: Wed May 11, 2005 4:59 pm
Posts: 1766
Location: Prague, Czech Republic
Is it really the APTCA that you're missing? That attribute would only be required if NHibernate has full trust and the rest of your application has medium trust, as far as I understand. If you really have such a situation, then I guess you will have to recompile NHibernate to include the attribute.

I'm hesitant to add the attribute myself because it's security-related and I'm not 100% sure of what consequences it will have (though it looks like it shouldn't open any security holes).


 
 Post subject:
Posted: Fri May 12, 2006 7:48 am
Senior

Joined: Sat Sep 03, 2005 12:54 am
Posts: 139
Hi Sergey,

To be honest, I don't know the consequences of adding APTCA so I wouldn't like to comment. The information that our ISP has provided explicitly states that the attribute must be set for all strongly named assemblies because they do not allow sites to run in full trust mode.

The following MS article seems to support this too:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/aptcatypes.asp

However, just adding it to the NHibernate/Contrib projects may not be enough as there are other referenced assemblies that would need the attribute set too, e.g. CastleProject.DynamicProxy.

It does appear to be a significant issue for NH in a hosted environment though so I do feel that it needs to be resolved. At this stage, it looks like we are going to have to drop NH for this project, which is a right pain because it is so damned good that we really rely on it for all of our projects now :-(

Sorry I can't be of too much help here...I am just fumbling my way around this issue myself!

Cheers,

Jason
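
Added example, not part of the original thread and not NHibernate's own code: the posts above note that every strong-named dependency (e.g. Castle.DynamicProxy) would need the attribute too, so this C# console program lists each DLL in a deployment directory with whether it is strong-named and whether it declares AllowPartiallyTrustedCallers. It assumes the .NET Framework (reflection-only loading is not available on .NET Core); the class name AptcaAudit and the default "bin" directory are hypothetical.

```csharp
// Added example (not NHibernate code). Assumes .NET Framework 2.0+ and C# 3.0+.
using System;
using System.IO;
using System.Reflection;

static class AptcaAudit // hypothetical name
{
    const string Aptca = "System.Security.AllowPartiallyTrustedCallersAttribute";
    // A strong-named assembly has a non-empty public key token.
    static bool IsStrongNamed(string path)
    {
        byte[] token = AssemblyName.GetAssemblyName(path).GetPublicKeyToken();
        return token != null && token.Length > 0;
    }
    // Reflection-only load: metadata is read, no code from the file runs.
    static bool HasAptca(string path)
    {
        Assembly asm = Assembly.ReflectionOnlyLoadFrom(path);
        foreach (CustomAttributeData cad in CustomAttributeData.GetCustomAttributes(asm))
            if (cad.Constructor.DeclaringType.FullName == Aptca) return true;
        return false;
    }

    static int Main(string[] args)
    {
        string dir = Path.GetFullPath(args.Length > 0 ? args[0] : "bin");
        // In the reflection-only context, referenced assemblies are resolved by hand.
        AppDomain.CurrentDomain.ReflectionOnlyAssemblyResolve += (s, e) =>
        {
            string local = Path.Combine(dir, new AssemblyName(e.Name).Name + ".dll");
            return File.Exists(local) ? Assembly.ReflectionOnlyLoadFrom(local)
                                      : Assembly.ReflectionOnlyLoad(e.Name);
        };
        int missing = 0;
        foreach (string path in Directory.GetFiles(dir, "*.dll"))
        {
            string verdict;
            try
            {
                if (!IsStrongNamed(path)) verdict = "no strong name";
                else if (HasAptca(path)) verdict = "strong name, APTCA present";
                else { verdict = "strong name, APTCA MISSING"; missing++; }
            }
            catch (Exception ex) { verdict = "skipped: " + ex.GetType().Name; }
            Console.WriteLine("{0,-32} {1}", Path.GetFileName(path), verdict);
        }
        return missing == 0 ? 0 : 1; // non-zero exit if any assembly lacks APTCA
    }
}
```

Native DLLs and files that cannot be loaded are reported as skipped instead of stopping the scan.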

