4

Closed

SecurityException when ToolkitScriptManager requests ConfigurationPermission for accessing 'system.web/httpHandlers'

description

After upgrading from 4.5.7.607 to version 7.0725, I receive the following Security Exception:
My application runs in medium trust, therefore access to section system.web/httpHandlers is disallowed.

I don't think I can provide access to this section by setting 'requirePermission' to 'false' for this section.
[Exception: Request for ConfigurationPermission failed while attempting to access configuration section 'system.web/httpHandlers'. To allow all callers to access the data for this section, set section attribute 'requirePermission' equal 'false' in the configuration file where this section is declared.]
System.Configuration.BaseConfigurationRecord.CheckPermissionAllowed(configKey As String, requirePermission As Boolean, isTrustedWithoutAptca As Boolean) +815409
System.Configuration.BaseConfigurationRecord.GetSectionRecursive(configKey As String, getLkg As Boole an, checkPermission As Boolean, getRuntimeObject As Boolean, requestIsHere As Boolean, result As Object&, resultRuntimeObject As Object&) +1709
System.Configuration.BaseConfigurationRecord.GetSection(configKey As String) +69
System.Configuration.ConfigurationManager.GetSection(sectionName As String) +140
AjaxControlToolkit.ToolkitScriptManager.OnInit(e As EventArgs) +36
System.Web.UI.Control.InitRecursive(namingContainer As Control) +186
System.Web.UI.Control.InitRecu rsive(namingContainer As Control) +421
System.Web.UI.Control.InitRecursive(namingContainer As Control) +421
System.Web.UI.Control.InitRecursive(namingContainer As Control) +421
System.Web.UI.Page.ProcessRequestMain(includeStages BeforeAsyncPoint As Boolean, includeStagesAfterAsyncPoint As Boolean) +12572367
System.Web.UI.Page.ProcessRequest(includeStagesBeforeAsyncPoint As Boolean, includeStagesAfterAsyncPoint As Boolean) +12571877
System.Web.UI.Page.ProcessRequest() +1 19
System.Web.UI.Page.ProcessRequest(context As HttpContext) +99
ASP.[MYPAGE].ProcessRequest(context As HttpContext) in w:\Windows\Microsoft.NET\Framework64\v4.0.30319\Temporary ASP.NET Files\demarrage2011\73c449a6\eb1cd7fd\App_Web_vwnoc23d.1 .cs:0
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +913
System.Web.HttpApplication.ExecuteStep(step As IExecutionStep, completedSynchronously As Boolean&) +165
Closed Sep 19, 2013 at 3:33 PM by Superexpert
Fixed in September 2013 release. We modified the ToolkitScriptManager to work in Medium Trust.

comments

AneakSpirit wrote Aug 16, 2013 at 4:23 AM

Using AjaxControlToolkit version 7.0725, I encounter this issue also. Currently the only way I'm able to get around it is by setting the trust level to High or Full in the web.config.
<configuration>
  <system.web>
      <trust level="High"/>
  </system.web>
</configuration>
If you have access to the machine.config, then you can add requirePermission="false" to the definition for the httpHandlers section. This is unfortunately not an option for many individuals though.
<configuration>
    <configSections>
        <sectionGroup name="system.web" type="System.Web.Configuration.SystemWebSectionGroup, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a">
            <section name="httpHandlers" type="System.Web.Configuration.HttpHandlersSection, System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" requirePermission="false" />
        </sectionGroup>
    </configSections>
</configuration>

Atrejoe wrote Aug 16, 2013 at 8:49 AM

Unfortunately my production environment is on shared hosting, which runs in medium trust.

Atrejoe wrote Oct 7, 2013 at 9:08 AM

September release seemed to have fixed this issue, but introduced a new one.

See: https://ajaxcontroltoolkit.codeplex.com/workitem/27542