NVelocity in partial trust environment? - Michal Grzegorzewski - Devlicio.us

Michal Grzegorzewski

Home
Contact

The Lounge

Wicked Cool Jobs

Syndication

Archives

Michal Grzegorzewski » NVelocity in partial trust environment?

Images in this post missing? We recently lost them in a site migration. We're working to restore these as you read this. Should you need an image in an emergency, please contact us at imagehelp@codebetter.com

NVelocity in partial trust environment?

The question is: How do you play with nvelocity in shared hosting environments where medium trust is a common standard?
As I mentioned in my previous post, it's not so easy to go around it - even if we would like to disable CAS temporarily using the 'Mutex method', we have no permissions to do this ;).
The problem is mostly because of the ReflectionPermission required by NVelocity itself (this is the only way to instantiate objects referenced in templates).
NVelocity project is dead since October 2003, although we may download from sf.net svn repository sources imported 6 months ago from castleproject. I'm not sure about this, but I think the nvelocity team is not going to take care of the project any more.
I know that some of you use MonoRails with NVelocity as a template engine - don't you have problems with partial trust? Don't you develop any modules for DotNetNuke with some help from NVelocity (I do ;))? Now every one 'good' dnn module has to pass the 'medium trust requirement', so the potential usage of NVelocity in dnn is rather small... :(
Don't you find it as a MS battle against different template engines? We may use heavy asp.net templates, because 'the asp.net engine is good and signed by MS' and we cannot use other engines, because 'it is highly recommended to work on medium trust' and so - we do. Of course we may ask our admin to specify for our app custom policy file, but have you ever tried to do this?

Posted 12-13-2006 6:00 PM by Michal Grzegorzewski

Filed under: ReflectionPermission, Partial Trust, NVelocity

[Advertisement]

Comments

Christopher Bennage wrote re: NVelocity in partial trust environment?

on 12-13-2006 5:35 PM

I ran into this problem when I was trying to use Castle for a small project hosted on a shared server. I did not get around to resolving it due to timelines and competing priorities. I'm interested to hear what others have to say.

Michal Grzegorzewski wrote re: NVelocity in partial trust environment?

on 12-13-2006 6:39 PM

I've seen your post on castle forum and I'm not satisfied with the answer you've got. There was also another post regarding this issue, but the answer was even less informative.

I'm affraid no one can help us and without support from hoster we are not able to use any of template based generators (which have to use reflection and probably compiler services to interpret & execute the template).

Actually I think medium trust should be mandatory in shared environments. This is a great work done by MS on security and isolates our app from others. Even when admin would not secure the server using proper ACLs on ntfs drives/registry/other system objects, we and other users are probably safe because of the CAS restrictions. Few days ago I found a small ( < 1000 accounts) hosted site where without any account I was able to modify any user file found on that server. There was one domain user for all web accounts, no acls, full trust and few open accounts with opportunity to upload my own piece of code - totally anonymously. I've put a 'greeting' file on admin test account and - of course - informed the admin of some problems in security. Actually I was considering establishing basic account on this site, because it was promoted by ... and I was sure there must have been everythig ok. The moral of this story is - be aware of full trust, because your neighbour may be interested in your data, and without proper settings from hoster you cannot do anything to protect yourself.

Christopher Bennage wrote re: NVelocity in partial trust environment?

on 12-13-2006 9:58 PM

I don't think that it is reflection causing the problem. I'm using a relfection based OR/M in a shared environment without a problem.

<sigh /> Perhaps one day soon I'll have some time to investigate deeper.

Michal Grzegorzewski wrote re: NVelocity in partial trust environment?

on 12-14-2006 4:46 AM

Probably you are working in a higher trust level. MSDN Library states clearly (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/thcmch09.asp):

Full: Unrestricted permissions. Applications can access any resource that is subject to operating system security. All privileged operations are supported.

High: Not able to call unmanaged code. Not able to call serviced components. Not able to write to the event log. Not able to access Microsoft Message Queuing queues. Not able to access OLE DB data sources...

Medium: In addition to the above, file access is restricted to the current application directory and registry access is not permitted.

No reflection permissions whatsoever. No sockets permission. Can send e-mail by using SMTP servers.

To check what trust level you are operating in simply use the IsGranted method described in my previous post, against for example RegistryPermission or mentioned ReflectionPermission.

Miroo wrote re: NVelocity in partial trust environment?

on 09-07-2007 2:54 PM

Hi Michal

Did you solve the problem? Did you manage to find any working template engine I could use instead of nVelocity?

Sponsors

The Lounge

Wicked Cool Jobs

Syndication

Recent Posts

Tags

Archives

Comments

Add a Comment