Running Connector/Net 6.5 inside Medium-Trust Level

Medium (partial) trust is used more and more often by web hosting providers because it allows for more secure hosting. Many shared hosting services use this level to set up and isolate applications on shared server resources, and to ensure that applications cannot read each other's data or interfere with each other in any way. By default, web applications that use the .NET Framework run at full trust, which allows them to perform privileged operations and to access operating system resources. Those operations carry a real risk when they are performed inside a shared hosting service, which is why full trust is not recommended in these kinds of environments.

Connector/Net versions prior to 6.5 did not function correctly in partial trust scenarios. To use the connector, application developers had to ask their hosting providers to add permissions such as SocketPermission to the medium trust policy. Starting with 6.5 we have corrected this and exposed the security classes that let hosting providers grant Connector/Net the access it needs in a controlled way.

Implementation

Connector/Net requires several permissions to perform all of its operations correctly. These are:

  • System.Net.SocketPermission
  • System.Security.Permissions.ReflectionPermission
  • System.Net.DnsPermission
  • System.Security.Permissions.SecurityPermission 

All of these permission requests are made through the MySqlSecurityPermission class. These permissions are already included in the medium trust policy file that ships with the .NET Framework (under %windir%\Microsoft.NET\Framework\{version}\CONFIG) and apply to any web application. Be aware that these are only the permissions Connector/Net itself needs in order to run; they do not include the permissions your own application might need. We therefore strongly recommend that, before deploying your application, you test it at this trust level in your development environment, so you know whether any other permission demands must be added to the medium trust policy.

How to Configure Medium Trust

To configure any web application to run at medium trust, add the following element to the application's web.config file. To apply a machine-wide policy to all web applications, add it instead to the web.config of the virtual root directory or to the machine-level web.config file.

<trust level="Medium" />

You can also build your own custom permission set and define a more (or less) restrictive trust level, based on the setup you want to use in your hosting service.

If you are a MySQL hosting service provider, you can also lock your trust policy definition by setting the allowOverride attribute to false. Doing so prevents your users from configuring a different trust level inside their applications; this is of course optional and up to each provider.

MySqlClientPermission

In addition to the MySqlSecurityPermission implementation, every time your application opens a connection to the MySQL server a demand for MySqlClientPermission is made. Every application running in medium trust must be granted this permission; otherwise you will get a MySqlClientPermission security exception and will not be able to open any connection to the database. The class defines the set of attributes and values that are allowed in any connection string used by your application. This gives you tighter security control across all your applications, since the check is part of opening every kind of connection. Include MySqlClientPermission as follows:

  1. In the SecurityClasses section, add the definition of the MySqlClientPermission class. Replace the x in the version field with the exact version of Connector/Net 6.5 you are using.

     <SecurityClass Name="MySqlClientPermission"  Description="MySql.Data.MySqlClient.MySqlClientPermission, MySql.Data, Version=6.5.x.0, Culture=neutral, PublicKeyToken=c5687fc88969c44d" />

  2. In the NamedPermissionSets section, add:

    <IPermission class="MySqlClientPermission" version="1">
      <add connectionString="Server=;Database=;User=;Password=;Port=;Pooling=;" restrictions="" KeyRestrictionBehavior="PreventUsage" />
    </IPermission>

 Notice that this entry lists all the properties you will be using in your connection strings. If you want an unrestricted permission instead, you can use:

    <IPermission class="MySqlClientPermission" version="1" Unrestricted="true" />

We always encourage you to back up the file before making any changes, to avoid configuration issues after this setup.

This configuration applies only to hosting services that use Connector/Net version 6.5.x; you should not use any other version if you want to run at medium trust. Your application must have this MySqlClientPermission regardless of whether the connector library is in the GAC or not.

After making these changes you can test the configuration with any web application that opens a database connection.

We'll walk through a short example using a pipe-type connection, which needs all the permissions mentioned above.

For this application you need a MySQL server up and running.

  1. Create a simple web application in VS 2010.
  2. Add a reference to our library in your application.
  3. Edit your web.config file so your application runs with the Medium trust level permission set.

     <system.web>
       <trust level="Medium"/>
     </system.web>

  4. Add the MySql.Data.MySqlClient namespace to your code-behind page.
  5. Define the connection string.
  6. Create the MySqlConnection that uses it (replace the password placeholder with your own) and open it:

     MySqlConnection myconn = new MySqlConnection("server=localhost; database=sakila; User Id=root;Password=??????;");
     myconn.Open();

  7. Retrieve some data from your tables:

     MySqlCommand cmd = new MySqlCommand("Select first_name from actor LIMIT 1", myconn);
     MySqlDataReader dr = cmd.ExecuteReader();
     while (dr.Read()) {
         Response.Write(dr[0].ToString());
     }
     myconn.Close();
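As an added example that is not part of the original post, the code below (assumed to live in the code-behind of the test page) issues the same MySqlClientPermission demand the connector makes when opening a connection, so that a policy mismatch under `<trust level="Medium"/>` is reported before the connection attempt rather than as a failure deep inside the connector. Describing the candidate connection string with AllowOnly and an empty restriction list is this example's own choice, not taken from the post or from the connector's source.

```csharp
// Added example, not from the original post: pre-flight check of the trust
// policy against a connection string, then the step 6/7 query with disposal.
using System;
using System.Data;                   // KeyRestrictionBehavior
using System.Security;               // SecurityException
using System.Security.Permissions;   // PermissionState
using MySql.Data.MySqlClient;

public static class MediumTrustCheck
{
    // Returns null when the current grant set permits this connection string,
    // otherwise the text of the SecurityException raised by the demand.
    public static string CheckConnectionStringPermission(string connectionString)
    {
        var perm = new MySqlClientPermission(PermissionState.None);
        // AllowOnly + empty restrictions (this example's choice): every key in
        // connectionString must be allowed by the policy's <add .../> entry.
        perm.Add(connectionString, string.Empty, KeyRestrictionBehavior.AllowOnly);
        try
        {
            perm.Demand();   // the same kind of demand Connector/Net makes on Open()
            return null;
        }
        catch (SecurityException ex)
        {
            // In partial trust only Message is reliably readable; it names the
            // permission type whose demand failed (e.g. MySqlClientPermission).
            return ex.Message;
        }
    }

    // Same query as step 7, with a clear message when the policy blocks the
    // connection string instead of an unhandled exception on Open().
    public static string ReadFirstActor(string connectionString)
    {
        string denied = CheckConnectionStringPermission(connectionString);
        if (denied != null)
            return "Blocked by trust policy: " + denied;

        using (var conn = new MySqlConnection(connectionString))
        using (var cmd = new MySqlCommand("SELECT first_name FROM actor LIMIT 1", conn))
        {
            conn.Open();
            object result = cmd.ExecuteScalar();
            return result == null ? "(no rows)" : result.ToString();
        }
    }
}
```

Call `MediumTrustCheck.ReadFirstActor("server=localhost;database=sakila;User Id=root;Password=??????;")` from the page and compare the result under Full and Medium trust: a connection string key not listed in the policy's `<add connectionString=...>` entry shows up as a blocked message rather than a bare exception.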

All the security demands Connector/Net needs are made internally, so you only need to take care of the additional permissions your own application might require. You can also add a custom policy that uses the MySqlClientPermission class to restrict database connections; we will publish a separate post soon showing how to use it.

Please feel free to ask any questions about this new feature, or to request more information if you need it.

I hope you have found this information useful. 

Happy Connector/Net Coding! :)

Some useful related references:

  • Connecting to MySQL Server (http://dev.mysql.com/doc/refman/5.1/en/connecting.html)
  • Windows Authentication (http://blogs.oracle.com/mysql_wna_plugin/entry/windows_native_authentication_for_mysql)

 


Comments:

Hey, I have been using the MySQL connector for a few years now, but wanted to know if you had any good tutorials for using the .NET connector with the designer, making queries, using it in code etc. I'm looking at and am lost :) Thank you

Posted by guest on January 22, 2012 at 05:57 AM PST #

Every time I come back to trying MySQL Connector I find it to be a monumental waste of time and effort. I was starting a new project and using Entity Framework Code First so I could let customers choose their DB provider by making a single change in the Web.config. I spent about the last 10 hours trying to make it work.

Works flawlessly with SQL Server in Medium Trust. Doesn't work at all with MySQL in modified Medium Trust (SocketPermission granted).

Something in MySql.Data.MySqlClient.MySqlConnection is triggering System.Security.Permissions.SecurityPermission (probably reflection).

I finally got it to somewhat work in Full Trust, but it had all kinds of caveats like: the tables had to be named the same thing as the entity (it ignores the Table attribute), you can't name your entities things that are reserved keywords in MySQL (Password, Group, etc), and there are quirks with different modes in Database.SetInitializer.

I'm excited to see we may actually have a working Medium Trust Connector in 6.5, but I'm not holding my breath--we've already been waiting about 7 years.

What is with requiring a GAC installation? Is this something hosts have really said they will go for? Every experience I've had with shared hosting has been that they don't want to install 3rd party dlls into the GAC. And when they do it is 6 months after the technology has been "proven". By the time they install it the next version is out, which is required to implement the latest technology :(

With Visual Studio making it so easy to get the latest versions of libraries using NuGet, in my opinion your goal should have been Medium Trust w/ SocketPermission so people can bin deploy it.

Posted by Sam K. on February 17, 2012 at 02:39 AM PST #

Thank you very much for this, but I tried MySQL .NET Connector version 6.5.4 in my GoDaddy shared hosting account, which has Medium Trust, and as far as I can see it is not working.

ORM: Entity Framework
Application Version: ASP.NET MVC 2
.NET Runtime: 3.5

Posted by guest on March 13, 2012 at 05:07 AM PDT #
