Is trying to develop for Medium Trust a lost cause?

45
votes

I started developing a new MVC app with Entity Framework code-first and Unity for dependency injection. I used EF5 and Unity because I thought they were supposed to work in Medium Trust. However, when I threw the <trust level="Medium" /> tag in my web.config, I started getting Reflection Permission exceptions.

It always seems like whenever I go beyond using built-in things like the System.Data.SqlClient ADO.net stuff I always run into problems in Medium Trust. Auto-Mapper: fail. NHibernate: fail. MySQL: fail. EF5 Code-first: fail. IOC: fail.

Am I just chasing a pipe-dream? Is it possible to achieve a well-architected and testable web application using modern technology that will run in Medium Trust?

In the age of VMs/Virtual Servers/Cloud Computing (and even a few shared hosts that will set your application pools to Full Trust) has anyone found developing for Medium Trust to be worth the effort?

2
asp.netasp.net-mvcmedium-trust

2 Answers

69
votes

The official position of the ASP.NET team is that Medium Trust is obsolete. This means a few things:

  • We are automatically resolving all Medium Trust-related bugs reported to us as "won't fix".
  • We have provided guidance to hosters that they should migrate away from Medium Trust and use proper OS-level isolation instead (http://support.microsoft.com/kb/2698981).
  • We are removing Medium Trust support from the frameworks we develop (MVC, WebAPI, SignalR, and so on). Going forward, applications built on these frameworks will require Full Trust.

Here, the term "Medium Trust" above to refers to all non-Full Trust configurations in ASP.NET, including use of the built-in trust levels (Minimal, Low, Medium, High) or any custom trust levels.

Edit 26 May 2015: The .NET Framework as a whole has deprecated partial trust, and customers are advised not to rely on it as a security boundary. From MSDN:

Code Access Security in .NET Framework should not be used as a security boundary with partially trusted code, especially code of unknown origin. We advise against loading and executing code of unknown origins without putting alternative security measures in place.

8
votes

In general everything that needs Reflection in deep way can't run on Medium Trust

In your case:

Automapper: use reflection to discover matching properties and memory stream to clone them (there is a version around that actually works in medium trust with some limitation)

NHIbernate: use reflection emit to allow Lazy Loading becase the lazy loading in NH is implemented by proxies (to avoid this you can disable Lazy Loading or to use a the NHibernate ProxyGenerator that is an utility that help to pre-create Proxies)

Nhibernate ProxyGenerator

EF: Actually I didn't find big issues with EF and Medium Trust....is don't serialize object with associations or collections

IoC: IoC is the Killer Application of reflection :) you can try AutoFac that works on Medium Trust

AutoFac

In general Medium Trust is a big limitation...but it all depends on what kind of project you are working on. Consider also to use some Full Trust hosting like Arvixe

Hope this helps