Yesterday I ran into a very interesting problem. In one of my ASP.Net DNN portal web sites, I started getting following exception when I tried to access a folder outside the web site's virtual folder.'System.Security.Permissions.FileIOPermission, mscorlib, Version=184.108.40.206, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed'
The first obvious reaction to this was that since I am trying to access files that are outside this web site's folder, I need to provide right set of access privilege to the windows account that is being used for the web application. The application is hosted on Windows 2008 R2 and is using application pool using ASP.Net 2.0. I check the pool's identity and it was set to use NETWORK SERVICE account. So I gave this account rights to read from that folder. Well that did not help. Then to check if it really is some user rights issue, I gave Everyone group full access to that folder. That did not help either. At that point I narrowed the problem down to following possibilities.
I explored all the switches and settings in IIS7.5 and I did not see anything related to File IO restrictions. So only thing that was left was to check web application's settings and configuration. There was nothing that was obvious at this point. So I went back to basics and opened up Microsoft's article on Code Access Security (CAS) for ASP.Net. There it was the thing that I was looking for.
It was the trust level of the application that caused the problem. I looked in web.config file of the application and trust level was set to MEDIUM. Here is summary of medium trust definition from MS's article.
Notice the last bullet item. It clearly states the problem I am having. After I changed trust level to Full application worked fine.
Now the question you are asking is should I elevate this trust level and what is down side of it. Answer is that it depends on your application and hosting environment. Since DNN can be used to host multiple portals on same server, it is very essential to provide proper security to folders or individual portals. For example if all portals are using same pool identity and you grant IO rights to this account outside web application's folder, that means other applications may be able to sniff around and eventually get to folders of other applications and access secure files. So if you are hosting multiple web sites on a server and you do not control all those sites, then it is important that you configure each site to run under its own application pool and each pool has its own identity. That way if you have to run the application at FULL trust, you can configure individual folder's security to add the required pool identity user.
Default value of trust level is always Full unless you specify otherwise. Therefore most of ASP.Net applications do not run into this kind of problem.
You will need to add following entry in your web.config file to alter trust level of the application.
<trust level="Medium" originUrl="" />
Please read the following article to get more details on Medium trust level usage.