RickStrahl / Westwind.Globalization

Database driven resource localization for .NET applications

WestWind Globalization causes security exception #56

Closed balchen closed 8 years ago

balchen commented 8 years ago

After installing the NuGet package Westwind.Globalization.Web, my MVC site throws System.Security.Permissions.ReflectionPermission on access. After uninstalling the package, the exception goes away.

Obviously this can be remedied by the package installer making a trust level change in web.config. On the other hand, is reflection really necessary for this library?

Full exception below:

Server Error in '/' Application.

Security Exception

Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.

Exception Details: System.Security.SecurityException: Request for the permission of type 'System.Security.Permissions.ReflectionPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[SecurityException: Request for the permission of type 'System.Security.Permissions.ReflectionPermission, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.]
   System.Delegate.DelegateConstruct(Object target, IntPtr slot) +0
   Owin.Loader.DefaultLoader..ctor(Func`3 next, Func`2 activator, IEnumerable`1 referencedAssemblies) +169
   Owin.Loader.DefaultLoader..ctor(IEnumerable`1 referencedAssemblies) +41
   Microsoft.Owin.Host.SystemWeb.OwinBuilder.GetAppStartup() +143
   Microsoft.Owin.Host.SystemWeb.OwinHttpModule.InitializeBlueprint() +103
   System.Threading.LazyInitializer.EnsureInitializedCore(T& target, Boolean& initialized, Object& syncLock, Func`1 valueFactory) +115
   System.Threading.LazyInitializer.EnsureInitialized(T& target, Boolean& initialized, Object& syncLock, Func`1 valueFactory) +72
   Microsoft.Owin.Host.SystemWeb.OwinHttpModule.Init(HttpApplication context) +104
   System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers) +534
   System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context) +172
   System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context) +339
   System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext) +296

RickStrahl commented 8 years ago

That's not going to change - there's a bunch of reflection used in various places and with a number of the support libraries.

FWIW, Microsoft has changed guidance on Medium trust usage and now no longer recommends using Medium (or lower or custom) trust sets (and it's completely gone in ASP.NET Core), but instead recommends controlling security via identity permissions on the IIS Application Pool.

I haven't tested recently but I believe that the tools actually run in Medium trust and it looks like you must be using a custom trust level.

balchen commented 8 years ago

Hi Rick.

OK, I didn't realize that there was a genuine need for reflection in this context.

I was using no particular trust at all -- just the default. To make it run, I had to configure Full trust; Medium -- which I tried first -- wasn't sufficient.

Also, adding trust configuration conflicts with the <trust> tag for translation sites inserted by the NuGet package installer.

I am already using application pool identities, but as far as I've seen, I can only configure file system permissions for an app pool identity. I can't find any mention of being able to give an app pool identity the ReflectionPermission directly.

I do appreciate being able to easily add database localization with an HTML editor to the project; these are just minor bumps in the road.

RickStrahl commented 8 years ago

Medium trust is likely the issue that's causing the Reflection Permissions. If I remember this right it's private Reflection that's not allowed, although I'm pretty sure that's not being used directly. There are quite a lot of things that don't work in medium trust - Reflection is a big one, and access to external domains (unless you configure explicit originurls) via HTTP calls is another (for the translation services).

FWIW, the default trust level in .NET 4.0 is Full. The default config is found in:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\web.config

which uses:

<trust level="Full" originUrl="" />

Actually - looking at your stack trace, it looks like your code is not failing in the Westwind.Globalization code at all - it's failing during application startup while initializing the OWIN security subsystem.

I suspect the actual issue is that you have a new project that uses OWIN which requires Full trust to work (nothing to do with Westwind.Globalization) but your security environment is set to run under Medium Trust and hence the failure.
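As an added illustration (not part of this thread or the Westwind.Globalization package), here is a web.config fragment showing where the trust level discussed above lives; the originUrl pattern is an assumed placeholder.

```xml
<configuration>
  <system.web>
    <!-- <trust> is a single configuration section: it may appear only once per
         web.config. A second element (one added by hand next to one written by a
         package installer) produces a configuration error, so edit the existing
         element instead of adding another. -->

    <!-- Partial trust. Code runs under CAS restrictions: ReflectionPermission is
         not granted, and outbound HTTP is limited to the originUrl pattern
         (assumed placeholder host). Assemblies that rely on reflection fail at
         startup with the SecurityException shown in this issue. -->
    <!-- <trust level="Medium" originUrl="http://translate\.example\.invalid/.*" /> -->

    <!-- Full trust (the .NET 4.0 machine default). No in-process CAS restriction,
         so limit what the worker process can reach through the IIS application
         pool identity and file-system ACLs instead. -->
    <trust level="Full" originUrl="" />
  </system.web>
</configuration>
```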

balchen commented 8 years ago

From the stack trace, I reached the same conclusion that you did, but upon removing WestWind.Globalization from my project, it ran fine. No other changes were made. So obviously whatever caused this came from that package.

Now that you mention it, though, your (?) package adds a trust level for the translation sites. Perhaps this overrides the default Full trust with a Medium trust for the set of originUrls and so the trust for the application itself reverts to nothing, since originUrl="" is not specified?

So the issue might not be the ReflectionPermission after all, but the implicit removal of full trust by assigning trust to the translation sites.