47
votes

I have a class that inherits from Exception. In .NET 4, I started receiving a runtime error:

Inheritance security rules violated while overriding member: MyBusinessException.GetObjectData(System.Runtime.Serialization.SerializationInfo, System.Runtime.Serialization.StreamingContext)'. Security accessibility of the overriding method must match the security accessibility of the method being overriden.

I think the issue is caused by the fact that I am overriding GetObjectData.

I know one answer for resolving the issue is to set the SecurityRuleSet:

[assembly: SecurityRules(SecurityRuleSet.Level1)]

This is not an acceptable answer; I'd like to know how to fix the issue without having to relax the default security rules in .NET 4.

5 Answers

35
votes

Mark GetObjectData with SecurityCriticalAttribute, because it's applied to Exception.GetObjectData. An overridden member should have the same security accessibility (Critical, Safe Critical or Transparent).

Read Security Changes in the .NET Framework 4 and Security Transparent Code, Level 2 from MSDN for more information.

To avoid all potential security runtime exceptions, enable Code Analysis with the Security rule set. You'll get static analysis warnings that might correspond to runtime errors.
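The fix this answer describes, as an added example that is not part of the original answer. MyBusinessException is the class name from the question; the ErrorCode field and the round trip in Main are assumptions for illustration, and the BinaryFormatter round trip assumes .NET Framework 4.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Security;

[Serializable]
public class MyBusinessException : Exception
{
    // Hypothetical extra state; it is the reason GetObjectData is overridden at all.
    public int ErrorCode { get; private set; }

    public MyBusinessException(string message, int errorCode) : base(message)
    {
        ErrorCode = errorCode;
    }

    // Deserialization constructor: reads back what GetObjectData wrote.
    protected MyBusinessException(SerializationInfo info, StreamingContext context)
        : base(info, context)
    {
        ErrorCode = info.GetInt32("ErrorCode");
    }

    // Exception.GetObjectData is security-critical, so the override carries
    // the same annotation instead of relaxing the assembly to Level1.
    [SecurityCritical]
    public override void GetObjectData(SerializationInfo info, StreamingContext context)
    {
        if (info == null) throw new ArgumentNullException("info");
        base.GetObjectData(info, context);
        info.AddValue("ErrorCode", ErrorCode);
    }
}

public static class Program
{
    public static void Main()
    {
        // Round trip over data created in this process only (constructed sample).
        var formatter = new BinaryFormatter();
        using (var stream = new MemoryStream())
        {
            formatter.Serialize(stream, new MyBusinessException("Order rejected", 42));
            stream.Position = 0;
            var copy = (MyBusinessException)formatter.Deserialize(stream);
            Console.WriteLine("{0} ({1})", copy.Message, copy.ErrorCode);
        }
    }
}
```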

22
votes

Had this problem when I was calling an assembly that had AllowPartiallyTrustedCallers attribute:

[assembly: System.Security.AllowPartiallyTrustedCallers]

Removing it solved my problem without switching to SecurityRuleSet.Level1.

13
votes

Regarding this error in shared hosting environments that allow full trust applications: when you bin deploy an application, you often overwrite web.config. Under IIS, when you change the trust settings to something different than the default, your web config section is modified with:

<system.web>
    <trust level="Full" />
</system.web>

Copying a new web.config during deployment often overwrites this setting; however, IIS Admin will still show the site as "Full Trust", when in reality the site is running in whatever the default trust level is for your shared host provider (usually medium).

You'll see this error and do what I did - try to figure out why you would see it even though you know the site is running under full trust, when in actuality, it is not. The solution is either to modify your web config as noted above before deployment, or use IIS Admin to set the site to a different trust level (high, for instance), apply it, then set it back to full. Doing so reinserts the necessary config file information and restarts the application pool in full trust.

2
votes

For me, the problem was with the log4net library. I downloaded the source, and added the project file into my solution so that I could step into external libraries. However, log4net needed the NET_4_0 symbol defined for conditional compilation. By default, it had NET_1_0 defined. I went into the log4net project properties and changed NET_1_0 to NET_4_0, and this fixed the problem.

Aside: Perhaps I am not following best practices by including the libraries in my project. If that is the case, I would welcome feedback on different ways to do it, and the pros and cons of each choice. My current thinking is, if there is an error, being able to see the library's source will help me understand what the library is expecting, which will help me clear up the error. Also, seeing how other people write source code is nothing if not a valuable learning experience. Basically, I'm trying to follow the advice of Jeff Atwood found here. But if there is a better way to accomplish this, I'm all ears.

0
votes

I got this error that made no sense for my case! I used this simple example: https://www.c-sharpcorner.com/article/using-autofac-with-web-api

The problem was that I had no space and did not notice it, so I solved this by making space on my drive.

Maybe this will save somebody a few hours of useless investigation.