Medium trust level Problem

Apr 15, 2009 at 2:10 PM
Most shared hosting plans work with medium trust level, which doesn't let KIGG work at all. Can you give us a solution for that, maybe a smaller version of KIGG?
This link is from my hosting company: http://help.godaddy.com/article/1039
Coordinator
Apr 15, 2009 at 3:41 PM
It seems the issue is with DotNetOpenID. I will try to run it in Medium Trust.
Apr 15, 2009 at 4:46 PM
It will be great, great, great news if you solve this; it will help a lot of Kigg lovers run it on their hosts.

May 11, 2009 at 8:49 PM

Is there any good news regarding this issue?

Coordinator
May 17, 2009 at 9:41 PM

It seems that supporting Medium trust will require some work.

I tested it, and I found that first of all DotNetOpenId is the first reason. Then Entity Framework (if you are planning to use it), but this can be resolved in no time as I know the reason and will blog about it soon.

I also found that the HtmlForm or httpsomething class is making a call that requires a security permission, something for certification and SSL.

The hardest to tweak at the moment is DotNetOpenId.

May 17, 2009 at 9:52 PM

First, thanks for your effort trying to find the reason.

Second, I have a question:

Can we create a smaller version of KIGG that doesn't contain DotNetOpenId?

I can do that myself; I am just asking if it's possible or not, complex or not?

Thanks

Coordinator
May 18, 2009 at 7:40 AM
Edited Jul 28, 2009 at 2:42 PM

That was what I was thinking of, actually, but it needs to be designed so as not to have 2 codebases for the web project.

The issue is, as I see it, that the DotNetOpenId assembly is directly referenced by the Kigg.Web assembly. So even if we made another MembershipController that doesn't use DotNetOpenId, we would still reference it and this might still raise the issue.

But here is my suggestion to you! What do you think about trying the following:

  • Remove the reference to DotNetOpenId and remove its support totally from your local Kigg project. This will require that you update MembershipController and remove a few other classes that depend on DotNetOpenId. You'll need to update Web.config too.
  • Comment out this line in the HttpForm class under Kigg.Core.Infrastructure.Http:
    ServicePointManager.ServerCertificateValidationCallback += (sender, certificate, chain, sslPolicyErrors) => true;
    You'll find it in the static constructor of the class.
  • Remove the reference to the System.UI.DataVisualization assembly in Kigg.Web (this is also another reason for breaking partial trust). Note that if you do this you'll need to update Web.config to remove the handlers and modules related to this assembly.

Currently this is the list I have figured out so far that might need to be tracked and resolved in order to support partial trust. However, there might be other parts of the code that cause partial trust to fail. This might also be related to IoC that tries to resolve non-public types or members of any Kigg types.

Let me know if you are going to apply it so that I can save some time working on it, and based on your results we can decide where we need to move. If you think you might not be able to work on it, also let me know; I think I can schedule some time later to work on it.

I think anyway we should discuss supporting partial trust in v3.0; it is important.

BTW, Kigg currently is also not working at the High level of trust; it must be Full :o)

May 19, 2009 at 11:38 AM

Yes, I will try to do it, and will keep you updated if I make any progress, run into any problems or fail to do it.

Thanks,

May 24, 2009 at 9:56 AM

I couldn't manage to solve this and didn't reach a valuable point. It seems that I will need to wait till the next version; maybe this problem will be solved.

Jul 2, 2009 at 1:09 AM

In the coming KIGG 2.5 version, is this trust problem solved, or does it still need some workaround?

Coordinator
Jul 28, 2009 at 2:55 PM
Edited Jul 28, 2009 at 9:46 PM

Inshallah, in KiGG v2.5 the partial trust issue will be resolved.

It is worth mentioning that default medium trust does not allow OpenID to function, since it disallows outgoing HTTP requests. However, some shared hosters like GoDaddy have modified WebPermission in Medium trust to allow outbound http and https traffic (Read this), which allows OpenID to function.

This will be different from your local development machine. So you'll need to modify your local machine's medium trust level the same way, or use High Trust instead for testing and development locally.

Development is complete; a changeset will be committed tomorrow, inshallah.

Coordinator
Jul 29, 2009 at 11:45 AM
This discussion has been copied to a work item. Click here to go to the work item and continue the discussion.
Aug 19, 2009 at 1:16 AM

Can you update this thread with instructions on what exactly needs to be done to make this application run in medium trust? I've installed it successfully, but when I change trust from High to Medium, the application fails with the following error:

Cannot subset Regex. Only support if both patterns are identical.

I'm not exactly sure what that means, but all of the stack trace references are to the DotNetOpenAuth...

where and how do I disable this?

thanks

Coordinator
Aug 19, 2009 at 2:42 PM
Edited Aug 20, 2009 at 6:42 AM

@SelArom It is the first time I have seen this error too! Even before I modified my medium trust on my local machine to allow outbound HTTP calls, I didn't face this error.

OK, anyway, if you are working on your local machine, then you need to update the medium trust settings on your local machine:

  1. Go to "C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG"
  2. Take a backup of web_mediumtrust.config (maybe rename it to web_mediumtrust.original.config)
  3. Inside the KiGG source code package there is a ConfigurationFiles folder; inside that folder you'll find a ready updated web_mediumtrust.config. Take a copy of it and paste it under C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG

Try again; this should work.

Now, what exactly does this updated web_mediumtrust.config contain? Under PermissionSet I modified this:

<IPermission class="WebPermission" version="1" Unrestricted="true">
  <ConnectAccess>
    <URI uri="$OriginHost$"/>
  </ConnectAccess>
</IPermission>

to be this:

<IPermission class="WebPermission" version="1" Unrestricted="true"/>

I also added this under SecurityClasses:

<SecurityClass Name="SocketPermission" Description="System.Net.SocketPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>

and this under PermissionSet (this is required for MySQLClient):

<IPermission class="SocketPermission" version="1" Unrestricted="true" />
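Added example (not part of the original post and not KiGG's own code): a Python check that compares two trust policy files and reports which network permissions the edits described above make unrestricted. Both policy fragments are constructed for illustration, the baseline assumes a WebPermission limited to $OriginHost$, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed policy fragments (not copied from any real host).
# BASELINE assumes WebPermission limited to $OriginHost$;
# MODIFIED applies the two PermissionSet edits described in the post.
BASELINE = """<PolicyLevel version="1"><NamedPermissionSets>
<PermissionSet class="NamedPermissionSet" version="1" Name="ASP.Net">
  <IPermission class="WebPermission" version="1">
    <ConnectAccess><URI uri="$OriginHost$"/></ConnectAccess>
  </IPermission>
</PermissionSet></NamedPermissionSets></PolicyLevel>"""

MODIFIED = """<PolicyLevel version="1"><NamedPermissionSets>
<PermissionSet class="NamedPermissionSet" version="1" Name="ASP.Net">
  <IPermission class="WebPermission" version="1" Unrestricted="true"/>
  <IPermission class="SocketPermission" version="1" Unrestricted="true"/>
</PermissionSet></NamedPermissionSets></PolicyLevel>"""

NETWORK_CLASSES = ("WebPermission", "SocketPermission")

def network_grants(policy_xml, set_name="ASP.Net"):
    """Map each network permission class in the named set to what it allows."""
    grants = {}
    for pset in ET.fromstring(policy_xml).iter("PermissionSet"):
        if pset.get("Name") != set_name:
            continue
        for perm in pset.findall("IPermission"):
            cls = perm.get("class")
            if cls not in NETWORK_CLASSES:
                continue
            # Assumption of this example: Unrestricted="true" is reported
            # as overriding any URI list nested inside the element.
            if (perm.get("Unrestricted") or "").lower() == "true":
                grants[cls] = "unrestricted"
            else:
                grants[cls] = sorted(u.get("uri", "") for u in perm.iter("URI"))
    return grants

def widened(before_xml, after_xml):
    """Classes that are unrestricted in after_xml but were not in before_xml."""
    before, after = network_grants(before_xml), network_grants(after_xml)
    return sorted(c for c, g in after.items()
                  if g == "unrestricted" and before.get(c) != "unrestricted")

if __name__ == "__main__":
    print("baseline:", network_grants(BASELINE))
    print("modified:", network_grants(MODIFIED))
    print("widened: ", widened(BASELINE, MODIFIED))
```

Running it on a copy of the host's web_mediumtrust.config and the local one shows whether both grant the same outbound access before local test results are relied on.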

 

 

Aug 20, 2009 at 1:37 AM

Unfortunately, this isn't an option for me. My medium trust configuration is set to match that of my host, so unless there is a way to remove or disable the offending code, it doesn't look like I'll be able to use kigg :(

Please keep me posted if this changes!

Coordinator
Aug 20, 2009 at 6:46 AM

I don't know what your host's name is. But GoDaddy, for example, supports a modified medium trust that enables outbound HTTP calls by modifying the WebPermission Security Class.
DotNetShoutout is hosted on Orcsweb, which also supports this! Same thing for DiscountASP.

Try to contact your web host to check this out with them. But first give it a test locally, just to be sure of what needs to be modified.