More on locking down Partial Trust ASP.NET

This is a follow up to an earlier post.

I found a much easier way to lock down trust levels for individual applications. The scenario is still that you have multiple web applications on a server: some should run in partial trust, some should run in full trust (and maybe also different levels of partial trust).

The rule of thumb is that you have to lock down the configuration at least one level higher in the hierarchy than the application you want to lock down. For our scenario this could be site or machine level config. The following web.config in your site root will do the trick (works for relative paths under the root and vdirs):

<configuration>
  <location path="App1" allowOverride="false">
    <system.web>
      <trust level="High" />
    </system.web>
  </location>

  <location path="App2" allowOverride="false">
    <system.web>
      <trust level="Medium" />
    </system.web>
  </location>
</configuration>

This sets the trust level for individual applications, and allowOverride="false" prevents those applications from changing the settings. With the new configuration granularity we have in 2.0 it is even possible to partially lock down settings, e.g. the next sample locks the trust level but still allows the individual applications to set the originUrl attribute.

<location path="AppWebService" allowOverride="true">
  <system.web>
    <trust level="Medium" lockAllAttributesExcept="originUrl" />
  </system.web>
</location>
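To check that a parent web.config really locks the trust level it sets, the following added example (not code from the original post) audits every <location> block and reports whether a child web.config could still change the level. The sample config and the App3 entry are constructed; besides allowOverride and lockAllAttributesExcept from the post, it also recognizes the ASP.NET 2.0 lockItem and lockAttributes attributes, which goes slightly beyond the two mechanisms shown here.

```python
import xml.etree.ElementTree as ET

# Constructed sample: App1 is sealed via allowOverride, AppWebService locks
# everything but originUrl, App3 (hypothetical) sets a level but locks nothing.
SAMPLE_CONFIG = """
<configuration>
  <location path="App1" allowOverride="false">
    <system.web><trust level="High"/></system.web>
  </location>
  <location path="AppWebService" allowOverride="true">
    <system.web><trust level="Medium" lockAllAttributesExcept="originUrl"/></system.web>
  </location>
  <location path="App3">
    <system.web><trust level="Medium"/></system.web>
  </location>
</configuration>
"""

def _names(value):
    """Split a comma-separated lock attribute into a set of lowercase names."""
    return {n.strip().lower() for n in (value or "").split(",") if n.strip()}

def level_is_locked(location, trust):
    """True if a child web.config cannot change <trust level=...>."""
    if location.get("allowOverride", "true").lower() == "false":
        return True                      # whole <location> block is sealed
    if trust.get("lockItem", "false").lower() == "true":
        return True                      # the <trust> element itself is sealed
    locked = _names(trust.get("lockAttributes"))
    if "level" in locked or "*" in locked:
        return True
    except_attr = trust.get("lockAllAttributesExcept")
    # Everything is locked except the listed names, so level must not be listed.
    return except_attr is not None and "level" not in _names(except_attr)

def audit_trust_locks(xml_text):
    """Return (path, level, locked) for every <location> that sets a trust level."""
    results = []
    for location in ET.fromstring(xml_text).iter("location"):
        trust = next(location.iter("trust"), None)   # <trust> under <system.web>
        if trust is not None:
            results.append((location.get("path", ""), trust.get("level"),
                            level_is_locked(location, trust)))
    return results

if __name__ == "__main__":
    for path, level, locked in audit_trust_locks(SAMPLE_CONFIG):
        print(f"{path:15} level={str(level):7} {'locked' if locked else 'OVERRIDABLE'}")
```

Any entry reported as OVERRIDABLE sets a default trust level that the application's own web.config can still raise.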

It is even possible to set this in global web.config by including the site name (don’t know if this is a new feature in 2.0, it was new to me at least). This allows some interesting scenarios…

<location path="Default Web Site/AppDomainFun" allowOverride="false">
  <system.web>
    <trust level="Medium" />
  </system.web>
</location>

This makes it a much smoother story than the single policy file approach I described in my previous entry.

 
