This is a migrated thread and some comments may be shown as answers.

Support for medium trust environment

23 Answers 284 Views
General Discussions
This is a migrated thread and some comments may be shown as answers.
cprieto
Top achievements
Rank 1
cprieto asked on 19 Aug 2008, 02:14 AM
Are there any plans to support mid-trust environments in a near future? many of the host enviroments people use are shared hosting, and they don't support full trust environments.

23 Answers, 1 is accepted

Sort by
0
Steve
Telerik team
answered on 21 Aug 2008, 08:49 AM
Hello kementeus,

I am afraid that for the time being Telerik Reporting cannot operate in a restricted environment. The reason is that the current implementation relies extensively on things that the Medium Trust security level prohibits. This means that we have to trade some functionality for the Medium Trust which is not acceptable at this stage of the product evolvement.

This does not mean that we will ban our product from working in Medium Trust, but our current goal is to cover all reporting functionality that other products offer, which seems to be much more important for our customers.
 
If we are able to fulfil our plans for 2008, we may be to look into Medium Trust in 2009. We're sorry for not being able to be more specific at this time.

All the best,
Steve
the Telerik team

Check out Telerik Trainer, the state of the art learning tool for Telerik products.
0
Mattias
Top achievements
Rank 1
answered on 11 Sep 2008, 06:37 AM
Hi,
what changes in medium trust config is necessary to make it work?

Current stack trace:
[PolicyException: Required permissions cannot be acquired.] 
   System.Security.SecurityManager.ResolvePolicy(Evidence evidence, PermissionSet reqdPset, PermissionSet optPset, PermissionSet denyPset, PermissionSet& denied, Boolean checkExecutionPermission) +7602199 
   System.Security.SecurityManager.ResolvePolicy(Evidence evidence, PermissionSet reqdPset, PermissionSet optPset, PermissionSet denyPset, PermissionSet& denied, Int32& securitySpecialFlags, Boolean checkExecutionPermission) +57 
 
[FileLoadException: Could not load file or assembly 'Telerik.ReportConverter.ActiveReports, Version=2.8.8.828, Culture=neutralPublicKeyToken=a9d7983dfcc261be' or one of its dependencies. Failed to grant minimum permission requests. (Exception from HRESULT: 0x80131417)] 
   System.Reflection.Assembly._nLoad(AssemblyName fileName, String codeBase, Evidence assemblySecurity, Assembly locationHint, StackCrawlMark& stackMark, Boolean throwOnFileNotFound, Boolean forIntrospection) +0 
   System.Reflection.Assembly.nLoad(AssemblyName fileName, String codeBase, Evidence assemblySecurity, Assembly locationHint, StackCrawlMark& stackMark, Boolean throwOnFileNotFound, Boolean forIntrospection) +43 
   System.Reflection.Assembly.InternalLoad(AssemblyName assemblyRef, Evidence assemblySecurity, StackCrawlMark& stackMark, Boolean forIntrospection) +127 
   System.Reflection.Assembly.InternalLoad(String assemblyString, Evidence assemblySecurity, StackCrawlMark& stackMark, Boolean forIntrospection) +142 
   System.Reflection.Assembly.Load(String assemblyString) +28 
   System.Web.Configuration.CompilationSection.LoadAssemblyHelper(String assemblyName, Boolean starDirective) +46 
 
[ConfigurationErrorsException: Could not load file or assembly 'Telerik.ReportConverter.ActiveReports, Version=2.8.8.828, Culture=neutralPublicKeyToken=a9d7983dfcc261be' or one of its dependencies. Failed to grant minimum permission requests. (Exception from HRESULT: 0x80131417)] 
   System.Web.Configuration.CompilationSection.LoadAssemblyHelper(String assemblyName, Boolean starDirective) +613 
   System.Web.Configuration.CompilationSection.LoadAllAssembliesFromAppDomainBinDirectory() +203 
   System.Web.Configuration.CompilationSection.LoadAssembly(AssemblyInfo ai) +105 
   System.Web.Compilation.BuildManager.GetReferencedAssemblies(CompilationSection compConfig) +178 
   System.Web.Compilation.BuildProvidersCompiler..ctor(VirtualPath configPath, Boolean supportLocalization, String outputAssemblyName) +54 
   System.Web.Compilation.ApplicationBuildProvider.GetGlobalAsaxBuildResult(Boolean isPrecompiledApp) +227 
   System.Web.Compilation.BuildManager.CompileGlobalAsax() +52 
   System.Web.Compilation.BuildManager.EnsureTopLevelFilesCompiled() +337 
 
[HttpException (0x80004005): Could not load file or assembly 'Telerik.ReportConverter.ActiveReports, Version=2.8.8.828, Culture=neutralPublicKeyToken=a9d7983dfcc261be' or one of its dependencies. Failed to grant minimum permission requests. (Exception from HRESULT: 0x80131417)] 
   System.Web.Compilation.BuildManager.ReportTopLevelCompilationException() +58 
   System.Web.Compilation.BuildManager.EnsureTopLevelFilesCompiled() +512 
   System.Web.Hosting.HostingEnvironment.Initialize(ApplicationManager appManager, IApplicationHost appHost, IConfigMapPathFactory configMapPathFactory, HostingEnvironmentParameters hostingParameters) +729 
 
[HttpException (0x80004005): Could not load file or assembly 'Telerik.ReportConverter.ActiveReports, Version=2.8.8.828, Culture=neutralPublicKeyToken=a9d7983dfcc261be' or one of its dependencies. Failed to grant minimum permission requests. (Exception from HRESULT: 0x80131417)] 
   System.Web.HttpRuntime.FirstRequestInit(HttpContext context) +8886319 
   System.Web.HttpRuntime.EnsureFirstRequestInit(HttpContext context) +85 
   System.Web.HttpRuntime.ProcessRequestInternal(HttpWorkerRequest wr) +259 
 

0
Steve
Telerik team
answered on 11 Sep 2008, 07:51 AM
Hello Mattias,

As we've stated in our previous reply, you need full trust in order to have the Reporting working on your server. If you have <trust level="Medium"/> in your application config file you should delete that or modify it to Full. On shared hosting the security level restrictions are usually implemented on an upper level (machine.config), so you would not be able to run it on shared hosting, unless explicitly specified by the hosting company.

Sincerely yours,
Steve
the Telerik team

Check out Telerik Trainer, the state of the art learning tool for Telerik products.
0
Mattias
Top achievements
Rank 1
answered on 11 Sep 2008, 08:27 AM
Yes, I know all that!
But I have a good relationship with the hosting company and if I just tell them what sections in the medium trust machine.config that needs to be changed maybe they will change it for me (they have done it before).
But for that I need to know what sections to change, cause they will not set the server to run with full trust.
 
0
Steve
Telerik team
answered on 11 Sep 2008, 08:54 AM
Hello Mattias,

They (as a hosting company) should know what needs to be changed on their end in order for your app to have full trust level enabled, depending on their server configurations. There is nothing that has to be changed in the code on our end. Here is the MSDN article explaining about the changes to the security policies.

Greetings,
Steve
the Telerik team

Check out Telerik Trainer, the state of the art learning tool for Telerik products.
0
Mattias
Top achievements
Rank 1
answered on 11 Sep 2008, 09:14 AM
Is it my bad English or just you that don't want to understand! :)

I cannot say to the host company:
- Change my app to run with full trust.
They will never do that.

I need to say:
- Modify that line and that line in the medium machine config so one of my third party component will work in my app.


It is your component so you should know how it works and what permissions it needs, right?!
The host company doesn't know anything about it and I don't think they have the time to start investigate your products for me.

If I would give it a try with my basic skills and when looking at the stack trace I would say it need some kind of Policy permission, but what kind and what else?


0
Steve
Telerik team
answered on 11 Sep 2008, 11:57 AM
Hello Mattias,

I am afraid that it is neither of those. What we're trying to stress is that we do not work in medium trust. Our current goal is to cover all reporting functionality that other products offer, which seems to be much more important for our customers and then we would see if we can do some changes to be able to run under trust level different than medium. We do not know what are the exact security policies, which we are violating as we have never researched this due to the reasons stated above.
The source code for the product is available in your Client.net area, so if you want to try getting it working on shared hosting, you can play around with it and see what are the exact changes needed.

Thank you for the understanding on the matter.

Greetings,
Steve
the Telerik team

Check out Telerik Trainer, the state of the art learning tool for Telerik products.
0
Mattias
Top achievements
Rank 1
answered on 11 Sep 2008, 01:11 PM
Ok, that clarified it! :)

If I get some time over I will spend some hours to investigate the permissions needed for an overrided medium config. :)

0
Mattias
Top achievements
Rank 1
answered on 16 Sep 2008, 07:58 PM
Hi again!
I have looked into the medium config now and modify it so reporting will work. :)
These changes need to be made:
... 
<SecurityClasses> 
... 
            <!-- added --> 
            <SecurityClass Name="ConfigurationPermission" Description="System.Configuration.ConfigurationPermission, System.Configuration, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/> 
... 
</SecurityClasses> 
 
 
... 
<PermissionSet class="NamedPermissionSet" version="1" Name="ASP.Net"
... 
            <!-- added --> 
            <IPermission class="ConfigurationPermission" version="1" Unrestricted="true"/> 
 
            <!-- modified--> 
            <IPermission class="FileIOPermission" version="1" Unrestricted="true"/> 
 
            <!-- modified--> 
            <IPermission class="SecurityPermission" version="1" Unrestricted="true" /> 
... 
</PermissionSet> 
... 

Good thing: It's not that much to change! :)
Bad thing: I can't send these changes to host company, they will never for example allow FileIOPermission to the whole server.

So Steve and you other guys at Telerik, could you please explain what each permission does in the reporting component and if they can be modified even more, like specify folders in the FileIOPermission for example.




0
Mattias
Top achievements
Rank 1
answered on 16 Sep 2008, 09:15 PM
Two updates:
The SecurityPermission needs flag UnmanagedCode and FileIOPermission needs Read and PathDiscovery to c:\windows
<IPermission class="SecurityPermission" version="1" Flags="Assertion, Execution, ControlThread, ControlPrincipal, RemotingConfiguration, UnmanagedCode"/> 
 
<IPermission class="FileIOPermission" version="1" Read="c:\windows;$AppDir$" Write="$AppDir$" Append="$AppDir$" PathDiscovery="c:\windows;$AppDir$"/> 
What is UnmanagedCode?
Why Read and PathDiscovery to windows?
And what does ConfigurationPermission do in Reporting?
0
Svetoslav
Telerik team
answered on 18 Sep 2008, 11:49 AM
Great work, Mattias!

As we have already explained Telerik Reporting does not operate in a restricted environment, because some modules demand more permissions than the Medium Trust level allows. Unfortunately up until now we haven't got the chance to dive into this problem and we still have no answers to most of the questions related to the secured environments (like why do Telerik Reporting demand the Read and PathDiscovery permissions for the Windows folder).

Anyway our short term plans are to investigate this problem and we will do our best to workaround it without breaking the current functionality.

Sincerely yours,
Svetoslav
the Telerik team

Check out Telerik Trainer, the state of the art learning tool for Telerik products.
0
Mattias
Top achievements
Rank 1
answered on 13 Jan 2009, 10:22 AM
Hi again!
Are you making any progress regarding medium trust?

I've just got an email from our host company saying they have modified their medium trust config as I described above except for FileIOPermission.
They wont add read and pathdiscovery permissions to c:\windows.

Why does it needs read and pathdiscovery permission to c:\windows? Can you change that in a future release?

Regards,
Mattias
0
Steve
Telerik team
answered on 13 Jan 2009, 03:25 PM
Hello Mattias,

We have taken your suggestion into consideration and would change that for the Q1 release expected at the end of February.

Thank you for the patience and understanding.

All the best,
Steve
the Telerik team

Check out Telerik Trainer, the state of the art learning tool for Telerik products.
0
Mattias
Top achievements
Rank 1
answered on 13 Jan 2009, 03:46 PM
Hi Steve,
that is probably the best news I've got this year! :)

Waiting patiently! 
0
Mattias
Top achievements
Rank 1
answered on 11 Feb 2009, 10:17 AM
Hi again!
I just wanted to check if the updates is still planned to be included in Q1 release?

/Mattias
0
Steve
Telerik team
answered on 11 Feb 2009, 10:41 AM
Hello Mattias,

We have not forgotten about this and would do our best to have it included as part of the Q1 release.

All the best,
Steve
the Telerik team

Check out Telerik Trainer, the state of the art learning tool for Telerik products.
0
Mattias
Top achievements
Rank 1
answered on 23 Mar 2009, 07:42 AM
You didn't include it in 2009 Q1 right?
0
Chavdar
Telerik team
answered on 23 Mar 2009, 02:37 PM
Hello Mattias,

We are still working on this issue. We have found a problem with the current fix and will need some additional time to address it. Hopefully the final solution will be available for the service pack in a few weeks.

We are sorry for the inconvenience.

Best wishes,
Chavdar
the Telerik team

Check out Telerik Trainer , the state of the art learning tool for Telerik products.
0
André
Top achievements
Rank 1
answered on 29 Apr 2009, 09:37 AM
Some months further... Is the medium trust issue solved?
0
Steve
Telerik team
answered on 29 Apr 2009, 09:59 AM
Hi André,

You can find the latest info on the topic in this post.

All the best,
Steve
the Telerik team

Instantly find answers to your questions on the new Telerik Support Portal.
Check out the tips for optimizing your support resource searches.
0
Angelo
Top achievements
Rank 1
answered on 02 Aug 2009, 10:59 PM
Hello Telerik,

Is the medium trust issue solved?
0
Steve
Telerik team
answered on 03 Aug 2009, 11:13 AM
Hello Angelo,

We're in the process of testing at the moment and hope to have it working for the service pack this week.

All the best,
Steve
the Telerik team

Instantly find answers to your questions on the new Telerik Support Portal.
Check out the tips for optimizing your support resource searches.
0
Angelo
Top achievements
Rank 1
answered on 03 Aug 2009, 02:46 PM
great news...

thks...
Tags
General Discussions
Asked by
cprieto
Top achievements
Rank 1
Answers by
Steve
Telerik team
Mattias
Top achievements
Rank 1
Svetoslav
Telerik team
Chavdar
Telerik team
André
Top achievements
Rank 1
Angelo
Top achievements
Rank 1
Share this question
or