Spec-Zone .ru
спецификации, руководства, описания, API
|
|
Spec-Zone .ru
спецификации, руководства, описания, API
|
.NET applications operate under a given trust level. Normal desktop applications operate under full trust, while web applications that are hosted in shared environments are normally run under the partial trust level (also known as "medium trust"). Some hosting providers host shared applications in their own app pools and allow the application to run under full trust, but this configuration is relatively rare. The Connector/Net support for partial trust has improved over time to simplify the configuration and deployment process for hosting providers.
The partial trust support for Connector/Net has improved rapidly throughout the 6.5.x and 6.6.x versions. The latest enhancements do require some configuration changes in existing deployments. Here is a summary of the changes for each version.
Now you can install the MySql.Data.dll library in the Global Assembly Cache
(GAC) as explained in Section
21.2.5.19.2, "Configuring Partial Trust with Connector/Net Library Installed in GAC", or in a bin or lib folder inside the project or solution
as explained in Section
21.2.5.19.3, "Configuring Partial Trust with Connector/Net Library Not Installed in GAC". If the
library is not in the GAC, the only protocol supported is TCP/IP.
Connector/Net 6.5 fully enables our provider to run in a partial trust environment when the library is
installed in the Global Assembly Cache (GAC). The new MySqlClientPermission
class, derived from the .NET DBDataPermission class, helps to simplify the
permission setup.
Starting with these versions, Connector/Net can be used under partial trust hosting that has been modified
to allow the use of sockets for communication. By default, partial trust does not include SocketPermission. Connector/Net uses sockets to talk with the MySQL server,
so the hosting provider must create a new trust level that is an exact clone of partial trust but that has
the following permissions added:
System.Net.SocketPermission
System.Security.Permissions.ReflectionPermission
System.Net.DnsPermission
System.Security.Permissions.SecurityPermission
Connector/Net versions prior to 5.0.8 and 5.1.3 were not compatible with partial trust hosting.
If the library is installed in the GAC, you must include the connection option includesecurityasserts=true
in your connection string. This is a new requirement as of Connector/Net 6.6.4.
The following list shows steps and code fragments needed to run a Connector/Net application in a partial trust environment. For illustration purposes, we use the Pipe Connections protocol in this example.
Install Connector/Net: version 6.6.1 or higher, or 6.5.4 or higher.
After installing the library, make the following configuration changes:
In the SecurityClasses section, add a definition for the MySqlClientPermission class, including the version to use.
<configuration> <mscorlib> <security> <policy> <PolicyLevel version="1"> <SecurityClasses> .... <SecurityClass Name="MySqlClientPermission" Description="MySql.Data.MySqlClient.MySqlClientPermission, MySql.Data, Version=6.6.4.0, Culture=neutral, PublicKeyToken=c5687fc88969c44d" />
Scroll down to the ASP.Net section:
<PermissionSet class="NamedPermissionSet" version="1" Name="ASP.Net">
Add a new entry for the detailed configuration of the MySqlClientPermission
class:
<IPermission class="MySqlClientPermission" version="1" Unrestricted="true"/>
Note: This configuration is the most generalized way that includes all keywords.
Configure the MySQL server to accept pipe connections, by adding the --enable-named-pipe option on the command line. If you need more
information about this, see Section 2.3,
"Installing MySQL on Microsoft Windows".
Confirm that the hosting provider has installed the Connector/Net library
(MySql.Data.dll) in the GAC.
Optionally, the hosting provider can avoid granting permissions globally by
using the new MySqlClientPermission class in the trust policies. (The
alternative is to globally enable the permissions System.Net.SocketPermission, System.Security.Permissions.ReflectionPermission,
System.Net.DnsPermission, and System.Security.Permissions.SecurityPermission.)
Create a simple web application using Visual Studio 2010.
Add the reference in your application for the MySql.Data.MySqlClient
library.
Edit your web.config file so that your
application runs using a Medium trust level:
<system.web> <trust level="Medium"/></system.web>
Add the MySql.Data.MySqlClient namespace to your
server-code page.
Define the connection string, in slightly different ways depending on the Connector/Net version.
Only for 6.6.4 or later: To use the connections inside
any web application that will run in Medium trust, add the new includesecurityasserts
option to the connection string. includesecurityasserts=true that
makes the library request the following permissions when required: SocketPermissions,
ReflectionPermissions, DnsPermissions,
SecurityPermissions among others that are not granted in Medium
trust levels.
For Connector/Net 6.6.3 or earlier: No special setting for security is needed within the connection string.
MySqlConnectionStringBuilder myconnString = new MySqlConnectionStringBuilder("server=localhost;User Id=root;database=test;");myconnString.PipeName = "MySQL55";myconnString.ConnectionProtocol = MySqlConnectionProtocol.Pipe;// Following attribute is a new requirement when the library is in the GAC.// Could also be done by adding includesecurityasserts=true; to the string literal// in the constructor above.// Not needed with Connector/Net 6.6.3 and earlier.myconnString.IncludeSecurityAsserts = true;
Define the MySqlConnection to use:
MySqlConnection myconn = new MySqlConnection(myconnString.ConnectionString);myconn.Open();
Retrieve some data from your tables:
MySqlCommand cmd = new MySqlCommand("Select * from products", myconn);MySqlDataAdapter da = new MySqlDataAdapter(cmd);DataSet1 tds = new DataSet1();da.Fill(tds, tds.Tables[0].TableName);GridView1.DataSource = tds;GridView1.DataBind();myconn.Close()
Run the program. It should execute successfully, without requiring any special code or encountering any security problems.
When deploying a web application to a Shared Hosted environment, where this environment is configured to run
all their .NET applications under a partial or medium trust level, you might not be able to install the
Connector/Net library in the GAC. Instead, you put a reference to the library in the bin
or lib folder inside the project or solution. In this case, you configure the
security in a different way than when the library is in the GAC.
Connector/Net is commonly used by applications that run in Windows environments where the default communication for the protocol is used via sockets or by TCP/IP. For this protocol to operate is necessary have the required socket permissions in the web configuration file as follows:
Open the medium trust policy web configuration file, which should be under this folder:
%windir%\Microsoft.NET\Framework\{version}\CONFIG\web_mediumtrust.config
Use Framework64 in the path instead of Framework
if you are using a 64-bit installation of the framework.
Locate the SecurityClasses tag:
<SecurityClass Name="SocketPermission" Description="System.Net.SocketPermission, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
Scroll down and look for the following PermissionSet:
<PermissionSet version="1" Name="ASP.Net">
Add the following inside this PermissionSet:
<IPermission class="SocketPermission" version="1" Unrestricted="true" />
This configuration lets you use the driver with the default Windows protocol TCP/IP without having any security issues. This approach only supports the TCP/IP protocol, so you cannot use any other type of connection.
Also, since the MySQLClientPermissions class is not added to the
medium trust policy, you cannot use it. This configuration is the minimum required in order to
work with Connector/Net without the GAC.