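Insufficient asp.net permissions on shared hosting: the problem and its solution
Sometimes the asp.net applications we write run on shared hosting. Some shared hosts, possibly for security reasons, restrict the permissions granted to asp.net, which can prevent our applications from running properly.
Symptoms:
For some reason, asp.net cannot load certain dll files, and the following error appears: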
Server Error in '/' Application.
--------------------------------------------------------------------------------
Required permissions cannot be acquired.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Security.Policy.PolicyException: Required permissions cannot be acquired.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[PolicyException: Required permissions cannot be acquired.]
System.Security.SecurityManager.ResolvePolicy(Evidence evidence, PermissionSet reqdPset, PermissionSet optPset, PermissionSet denyPset, PermissionSet& denied, Boolean checkExecutionPermission) +2738293
System.Security.SecurityManager.ResolvePolicy(Evidence evidence, PermissionSet reqdPset, PermissionSet optPset, PermissionSet denyPset, PermissionSet& denied, Int32& securitySpecialFlags, Boolean checkExecutionPermission) +57
[FileLoadException: Could not load file or assembly 'Microsoft.Practices.ObjectBuilder, Version=1.0.51205.0, Culture=neutral, PublicKeyToken=null' or one of its dependencies. Failed to grant minimum permission requests. (Exception from HRESULT: 0x80131417)]
System.Reflection.Assembly.nLoad(AssemblyName fileName, String codeBase, Evidence assemblySecurity, Assembly locationHint, StackCrawlMark& stackMark, Boolean throwOnFileNotFound, Boolean forIntrospection) +0
System.Reflection.Assembly.InternalLoad(AssemblyName assemblyRef, Evidence assemblySecurity, StackCrawlMark& stackMark, Boolean forIntrospection) +211
System.Reflection.Assembly.InternalLoad(String assemblyString, Evidence assemblySecurity, StackCrawlMark& stackMark, Boolean forIntrospection) +141
System.Reflection.Assembly.Load(String assemblyString) +25
System.Web.Configuration.CompilationSection.LoadAssemblyHelper(String assemblyName, Boolean starDirective) +32
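Analysis:
From what I have observed, DLLs generated directly by the asp.net application load normally, and external DLLs called directly by asp.net also load normally, but other external DLLs that are referenced only by external DLLs cannot be loaded. My guess is this: because the permissions are not full, the DLLs generated by the asp.net application itself and the DLLs it references directly obtain permissions through inheritance, while other external DLLs referenced only by external DLLs cannot inherit permissions because of the restriction, which produces the insufficient-permissions problem.
Solution:
From experiments on my own computer, I infer that the shared host modified the settings in the root web.config (on my computer it is located in C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG).
The permission section of the default web.config is as follows: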
<location allowOverride="true">
    <system.web>
        <securityPolicy>
            <trustLevel name="Full" policyFile="internal" />
            <trustLevel name="High" policyFile="web_hightrust.config" />
            <trustLevel name="Medium" policyFile="web_mediumtrust.config" />
            <trustLevel name="Low" policyFile="web_lowtrust.config" />
            <trustLevel name="Minimal" policyFile="web_minimaltrust.config" />
        </securityPolicy>
        <trust level="Full" originUrl="" />
    </system.web>
</location>
The settings I infer the shared host uses after its modification:
<location allowOverride="false">
    <system.web>
        <securityPolicy>
            <trustLevel name="Full" policyFile="internal" />
            <trustLevel name="High" policyFile="web_hightrust.config" />
            <trustLevel name="Medium" policyFile="web_mediumtrust.config" />
            <trustLevel name="Low" policyFile="web_lowtrust.config" />
            <trustLevel name="Minimal" policyFile="web_minimaltrust.config" />
        </securityPolicy>
        <trust level="High" originUrl="" />
    </system.web>
</location>
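They first set allowOverride to false, which removes the ability to redefine permissions in the user's web.config. Then they defined the trust level as High rather than the default Full. In my testing, as long as the trust level is not Full, other external DLLs referenced only by external DLLs cannot be loaded. I therefore suggest that technical support set the allowOverride section to true. That way I can re-specify the permissions in web.config.
Example: <trust level="Full" originUrl="" />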
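To confirm which trust level a hosted application actually runs under, without access to the host's root web.config, the check below demands each AspNetHostingPermission level from highest to lowest and returns the first one that is granted. It is an added example, not code from the original post; the names TrustLevelProbe and GetCurrentTrustLevel are hypothetical, and the configured level "Full" corresponds to AspNetHostingPermissionLevel.Unrestricted.

```csharp
using System;
using System.Security;
using System.Web;

// Hypothetical helper (added example): reports the effective ASP.NET
// trust level of the running application by probing CAS demands.
public static class TrustLevelProbe
{
    // Ordered from most to least privileged, so the first level whose
    // demand succeeds is the effective trust level.
    private static readonly AspNetHostingPermissionLevel[] Levels =
    {
        AspNetHostingPermissionLevel.Unrestricted, // <trust level="Full">
        AspNetHostingPermissionLevel.High,
        AspNetHostingPermissionLevel.Medium,
        AspNetHostingPermissionLevel.Low,
        AspNetHostingPermissionLevel.Minimal
    };

    public static AspNetHostingPermissionLevel GetCurrentTrustLevel()
    {
        foreach (AspNetHostingPermissionLevel level in Levels)
        {
            try
            {
                // Demand() walks the call stack and throws
                // SecurityException if any caller lacks this level.
                new AspNetHostingPermission(level).Demand();
                return level;
            }
            catch (SecurityException)
            {
                // Not granted at this level; try the next lower one.
            }
        }
        // No hosting permission was granted at all.
        return AspNetHostingPermissionLevel.None;
    }
}
```

Calling TrustLevelProbe.GetCurrentTrustLevel() from a page in the application and writing the result to the response shows whether the host has lowered the level from Unrestricted, for example to High as in the second configuration above.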
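I have not been working with asp.net recently, so I did not look carefully for the underlying cause, and my understanding may well be mistaken. I hope some expert can explain the underlying cause or correct my mistakes.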