Archive for category Security

ASP.NET MVC – Attribute to analyze calling controller and action

I needed to create an ASP.NET MVC attribute to attach to my controllers and have them affect all actions. The attribute would apply like so:

[ScottAuthorize]
public class AdvisoriesController : BaseController {
    // Really important business logic
}

What the attribute needed to do was analyze the controller and action being referenced, look up in a database whether the user actually had access to those actions (a custom role management system), and then grant or deny access based on the results. Here is a bit of that attribute to show how I did that:

public class ScottAuthorizeAttribute : System.Web.Mvc.AuthorizeAttribute {
    protected override bool AuthorizeCore(HttpContextBase httpContext) {
        // Controller and action names of the request being authorized, taken from the route
        string controller = httpContext.Request.RequestContext.RouteData.Values["controller"].ToString();
        string action = httpContext.Request.RequestContext.RouteData.Values["action"].ToString();
        // Really important authorization stuff
        return true; // Or false, of course.
    }
}

If you are so awed by this code that you want to pay me, I’ll give you an address and you can send cash. I only accept pennies from 1970 – 1980 in good condition.
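
A fuller sketch of the same per-controller, per-action check, added here as an example and not the author's code. `IPermissionStore`, `InMemoryPermissionStore` and `PermissionAuthorizeAttribute` are hypothetical names, the grants are constructed sample data standing in for the database lookup, and `Tuple` assumes .NET 4 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;

// Hypothetical stand-in for the database-backed role lookup.
public interface IPermissionStore {
    bool IsAllowed(string userName, string controller, string action);
}

public class InMemoryPermissionStore : IPermissionStore {
    // Constructed sample grants: (user, CONTROLLER, ACTION).
    private readonly HashSet<Tuple<string, string, string>> grants =
        new HashSet<Tuple<string, string, string>> {
            Tuple.Create("alice", "ADVISORIES", "INDEX"),
            Tuple.Create("alice", "ADVISORIES", "EDIT"),
            Tuple.Create("bob", "ADVISORIES", "INDEX")
        };

    public bool IsAllowed(string userName, string controller, string action) {
        // MVC matches controller and action names case-insensitively, so normalize
        // here to give /advisories/EDIT and /Advisories/Edit the same decision.
        return grants.Contains(Tuple.Create(
            userName, controller.ToUpperInvariant(), action.ToUpperInvariant()));
    }
}

public class PermissionAuthorizeAttribute : AuthorizeAttribute {
    // Assumption: replaced with a database-backed store at application start.
    public static IPermissionStore Store = new InMemoryPermissionStore();

    protected override bool AuthorizeCore(HttpContextBase httpContext) {
        if (httpContext == null) throw new ArgumentNullException("httpContext");

        // Deny anonymous callers before touching the permission store.
        var user = httpContext.User;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated) return false;

        // The route value indexer returns null for a missing key; treat that as a
        // denial rather than letting ToString() throw.
        var values = httpContext.Request.RequestContext.RouteData.Values;
        var controller = values["controller"] as string;
        var action = values["action"] as string;
        if (string.IsNullOrEmpty(controller) || string.IsNullOrEmpty(action)) return false;

        // Deny by default: only an explicit grant returns true.
        return Store.IsAllowed(user.Identity.Name, controller, action);
    }
}
```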



Dealing with SecurityException in a medium trust environment

I recently deployed a C# / Silverlight / ASP.NET site to a hosting provider. While most of the site worked just fine, I ran into this rather ugly error upon hitting one part of my application:

Security Exception

Description: The application attempted to perform an operation not allowed by the security policy.  To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.

Exception Details: System.Security.SecurityException: Request for the permission of type 'System.Security.Permissions.FileIOPermission, mscorlib, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.

FileIOPermission? What were they talking about? The part of my application that was throwing the exception didn’t access any files. Or so I thought.

The problem was with my calls to System.Web.Configuration.WebConfigurationManager to access the appSettings tags in the web.config file. After I discovered a post on the forums of, I discovered my error:

Most of the new configuration APIs in System.Configuration require full-trust.

Try debugging the problem in your development server by changing the Web.config so that it matches the trust level in your provider. For example,

<trust level="Medium" />

Yep, that was it – after I added the trust tag to the web.config file in my development environment, I was able to reproduce the error locally and successfully diagnose the problem. I had to rewrite how I accessed the configuration settings, using WebConfigurationManager.AppSettings["ConnString"] instead of the old way, but that was a relatively painless step. And now I know to run my applications that will be hosted by a provider in a medium trust environment.
