Spec-Zone .ru
спецификации, руководства, описания, API

22.2.5.19. Working with Partial Trust / Medium Trust

.NET applications operate under a given trust level. Normal desktop applications operate under full trust, while web applications that are hosted in shared environments are normally run under the partial trust level (also known as "medium trust"). Some hosting providers host shared applications in their own app pools and allow the application to run under full trust, but this configuration is relatively rare. The Connector/Net support for partial trust has improved over time to simplify the configuration and deployment process for hosting providers.

22.2.5.19.1. Evolution of Partial Trust Support Across Connector/Net Versions

The partial trust support for Connector/Net has improved rapidly throughout the 6.5.x and 6.6.x versions. The latest enhancements do require some configuration changes in existing deployments. Here is a summary of the changes for each version.

6.6.4 and Above: Library Can Be Inside or Outside GAC

Now you can install the MySql.Data.dll library in the Global Assembly Cache (GAC) as explained in Section 22.2.5.19.2, "Configuring Partial Trust with Connector/Net Library Installed in GAC", or in a bin or lib folder inside the project or solution as explained in Section 22.2.5.19.3, "Configuring Partial Trust with Connector/Net Library Not Installed in GAC". If the library is not in the GAC, the only protocol supported is TCP/IP.

6.5.1 and Above: Partial Trust Requires Library in the GAC

Connector/Net 6.5 fully enables our provider to run in a partial trust environment when the library is installed in the Global Assembly Cache (GAC). The new MySqlClientPermission class, derived from the .NET DBDataPermission class, helps to simplify the permission setup.

5.0.8 / 5.1.3 and Above: Partial Trust Requires Socket Permissions

Starting with these versions, Connector/Net can be used under partial trust hosting that has been modified to allow the use of sockets for communication. By default, partial trust does not include SocketPermission. Connector/Net uses sockets to talk with the MySQL server, so the hosting provider must create a new trust level that is an exact clone of partial trust but that has the following permissions added:

  • System.Net.SocketPermission

  • System.Security.Permissions.ReflectionPermission

  • System.Net.DnsPermission

  • System.Security.Permissions.SecurityPermission

Prior to 5.0.8 / 5.1.3: Partial Trust Not Supported

Connector/Net versions prior to 5.0.8 and 5.1.3 were not compatible with partial trust hosting.

22.2.5.19.2. Configuring Partial Trust with Connector/Net Library Installed in GAC

If the library is installed in the GAC, you must include the connection option includesecurityasserts=true in your connection string. This is a new requirement as of Connector/Net 6.6.4.

The following list shows steps and code fragments needed to run a Connector/Net application in a partial trust environment. For illustration purposes, we use the Pipe Connections protocol in this example.

  1. Install Connector/Net: version 6.6.1 or higher, or 6.5.4 or higher.

  2. After installing the library, make the following configuration changes:

    In the SecurityClasses section, add a definition for the MySqlClientPermission class, including the version to use.

    <configuration>  <mscorlib>    <security>      <policy>        <PolicyLevel version="1">          <SecurityClasses>            ....            <SecurityClass Name="MySqlClientPermission" Description="MySql.Data.MySqlClient.MySqlClientPermission, MySql.Data, Version=6.6.4.0, Culture=neutral, PublicKeyToken=c5687fc88969c44d" />

    Scroll down to the ASP.Net section:

    <PermissionSet  class="NamedPermissionSet"  version="1"  Name="ASP.Net">

    Add a new entry for the detailed configuration of the MySqlClientPermission class:

    <IPermission class="MySqlClientPermission" version="1" Unrestricted="true"/>

    Note: This configuration is the most generalized way that includes all keywords.

  3. Configure the MySQL server to accept pipe connections, by adding the --enable-named-pipe option on the command line. If you need more information about this, see Section 2.3, "Installing MySQL on Microsoft Windows".

  4. Confirm that the hosting provider has installed the Connector/Net library (MySql.Data.dll) in the GAC.

  5. Optionally, the hosting provider can avoid granting permissions globally by using the new MySqlClientPermission class in the trust policies. (The alternative is to globally enable the permissions System.Net.SocketPermission, System.Security.Permissions.ReflectionPermission, System.Net.DnsPermission, and System.Security.Permissions.SecurityPermission.)

  6. Create a simple web application using Visual Studio 2010.

  7. Add the reference in your application for the MySql.Data.MySqlClient library.

  8. Edit your web.config file so that your application runs using a Medium trust level:

    <system.web>  <trust level="Medium"/></system.web>
  9. Add the MySql.Data.MySqlClient namespace to your server-code page.

  10. Define the connection string, in slightly different ways depending on the Connector/Net version.

    Only for 6.6.4 or later: To use the connections inside any web application that will run in Medium trust, add the new includesecurityasserts option to the connection string. includesecurityasserts=true that makes the library request the following permissions when required: SocketPermissions, ReflectionPermissions, DnsPermissions, SecurityPermissions among others that are not granted in Medium trust levels.

    For Connector/Net 6.6.3 or earlier: No special setting for security is needed within the connection string.

    MySqlConnectionStringBuilder myconnString = new MySqlConnectionStringBuilder("server=localhost;User Id=root;database=test;");myconnString.PipeName = "MySQL55";myconnString.ConnectionProtocol = MySqlConnectionProtocol.Pipe;// Following attribute is a new requirement when the library is in the GAC.// Could also be done by adding includesecurityasserts=true; to the string literal// in the constructor above.// Not needed with Connector/Net 6.6.3 and earlier.myconnString.IncludeSecurityAsserts = true;
  11. Define the MySqlConnection to use:

    MySqlConnection myconn = new MySqlConnection(myconnString.ConnectionString);myconn.Open();
  12. Retrieve some data from your tables:

    MySqlCommand cmd = new MySqlCommand("Select * from products", myconn);MySqlDataAdapter da = new MySqlDataAdapter(cmd);DataSet1 tds = new DataSet1();da.Fill(tds, tds.Tables[0].TableName);GridView1.DataSource = tds;GridView1.DataBind();myconn.Close()
  13. Run the program. It should execute successfully, without requiring any special code or encountering any security problems.

22.2.5.19.3. Configuring Partial Trust with Connector/Net Library Not Installed inGAC

When deploying a web application to a Shared Hosted environment, where this environment is configured to run all their .NET applications under a partial or medium trust level, you might not be able to install the Connector/Net library in the GAC. Instead, you put a reference to the library in the bin or lib folder inside the project or solution. In this case, you configure the security in a different way than when the library is in the GAC.

Connector/Net is commonly used by applications that run in Windows environments where the default communication for the protocol is used via sockets or by TCP/IP. For this protocol to operate is necessary have the required socket permissions in the web configuration file as follows:

  1. Open the medium trust policy web configuration file, which should be under this folder:

    %windir%\Microsoft.NET\Framework\{version}\CONFIG\web_mediumtrust.config

    Use Framework64 in the path instead of Framework if you are using a 64-bit installation of the framework.

  2. Locate the SecurityClasses tag:

    <SecurityClass Name="SocketPermission" Description="System.Net.SocketPermission, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
  3. Scroll down and look for the following PermissionSet:

    <PermissionSet version="1" Name="ASP.Net">
  4. Add the following inside this PermissionSet:

    <IPermission class="SocketPermission" version="1" Unrestricted="true" />  

    This configuration lets you use the driver with the default Windows protocol TCP/IP without having any security issues. This approach only supports the TCP/IP protocol, so you cannot use any other type of connection.

    Also, since the MySQLClientPermissions class is not added to the medium trust policy, you cannot use it. This configuration is the minimum required in order to work with Connector/Net without the GAC.