Is trying to develop for Medium Trust a lost cause?

asp.net asp.net-mvc medium-trust
Sam picture Sam · May 31, 2013 · Viewed 18.3k times · Source

I started developing a new MVC app with Entity Framework code-first and Unity for dependency injection. I used EF5 and Unity because I thought they were supposed to work in Medium Trust. However, when I threw the <trust level="Medium" /> tag in my web.config, I started getting Reflection Permission exceptions.

It always seems like whenever I go beyond using built-in things like the System.Data.SqlClient ADO.net stuff I always run into problems in Medium Trust. Auto-Mapper: fail. NHibernate: fail. MySQL: fail. EF5 Code-first: fail. IOC: fail.

Am I just chasing a pipe-dream? Is it possible to achieve a well-architected and testable web application using modern technology that will run in Medium Trust?

In the age of VMs/Virtual Servers/Cloud Computing (and even a few shared hosts that will set your application pools to Full Trust) has anyone found developing for Medium Trust to be worth the effort?

Answer

Levi picture Levi · Jun 20, 2013

The official position of the ASP.NET team is that Medium Trust is obsolete. This means a few things:

  • We are automatically resolving all Medium Trust-related bugs reported to us as "won't fix".
  • We have provided guidance to hosters that they should migrate away from Medium Trust and use proper OS-level isolation instead (http://support.microsoft.com/kb/2698981).
  • We are removing Medium Trust support from the frameworks we develop (MVC, WebAPI, SignalR, and so on). Going forward, applications built on these frameworks will require Full Trust.

Here, the term "Medium Trust" above to refers to all non-Full Trust configurations in ASP.NET, including use of the built-in trust levels (Minimal, Low, Medium, High) or any custom trust levels.

Edit 26 May 2015: The .NET Framework as a whole has deprecated partial trust, and customers are advised not to rely on it as a security boundary. From MSDN:

Code Access Security in .NET Framework should not be used as a security boundary with partially trusted code, especially code of unknown origin. We advise against loading and executing code of unknown origins without putting alternative security measures in place.

Related questions

A potentially dangerous Request.Form value was detected from the client

Every time a user posts something containing < or > in a page in my web application, I get this exception thrown. I don't want to go into the discussion about the smartness of throwing an exception or crashing an …

Read More
Can I set an unlimited length for maxJsonLength in web.config?

I am using the autocomplete feature of jQuery. When I try to retrieve the list of more then 17000 records (each won't have more than 10 char length), it's exceeding the length and throws the error: Exception information: Exception type: InvalidOperationException Exception …

Read More
Could not find a part of the path ... bin\roslyn\csc.exe

I am trying to run Asp.net MVC project retrieved from TFS source control. I have added all assembly references and I am able to build and compile successfully without any error or warning. But I get the following error …

Read More