[RESOLVED]Please confirm this resolution for a security exception due to the trust level when hosting MVC5 on GoDaddy

Hello,

VS2013 update 3, MVC5

When I deployed without modification the standard MVC5 template to GoDaddy I immediately received a security exception.  The security exception basically indicated the environment’s security policy didn’t allow "…ReflectionPermission", which MVC5 evidently
wants to use.

My initial research revealed a lot of posts stating many hosting providers only offer "medium trust" and that would be a show stopper for an MVC5 site.  I eventually found a Stack Overflow post where an individual using GoDaddy simply added the following
line to web.config:

  <system.web>
    ...
    <trust level="Full" />
  </system.web>

This worked, at least for now.  So these are my questions, and if there seem to be other appropriate comments to add, please do so.

1) Is it true that without "full trust" MVC5 cannot effectively be used?

2) Were most of the posts suggesting many hosting providers wouldn’t provide full trust simply a reflection of a changing industry environment?

3) Can we reasonably expect that higher tier hosting providers will support trust levels required for effective MVC5 use?

4) Since I was able to add <"trust level = "Full"/> without getting an error from the hosting provider AND the MVC5 site loaded OK (remember it’s just the default template), can I reasonably expect I won’t run into trust level problems going forward?

I will add for others who may read this thread, I had zero problems deploying to Azure.

Best Regards,

Alan

 

Hi Alan,

Most of hosting provider offer FULL Trust hosting now. As I know, godaddy doesnt offer for Full Trust. You may check it with them. For above issue, it is truly the permission issue. If you require full trust hosting, you can find it on
Microsoft spotlight site, for example asphostportal

If the target is shared hosting, it will be safer to believe in medium trust.

http://www.4guysfromrolla.com/articles/100307-1.aspx

Hi cnranasinghe and Carl,

Carl, I will reach out to GoDaddy.  I am confused because I added the "Full" trust line in my web.config and the hosting server didn’t complain.  I assumed that meant I have "Full" trust.  Maybe not.  I’ll probably post an addendum here after I find out. 
It is odd that the MVC5 site didn’t run without the explicit "Full" trust line, because the spec says the trust level defaults to "Full".  So if I added "Full" to my web.config, I was just defining what already was the default.  Why would that have been necessary?

cnranasinghe, That was a great link to understand the implications.  Thanks!  Can you confirm what I think I read?

It seems as though MVC5 may run in "Medium" trust, but certain methods may not operate if they or their class require "Full", and the only way to really know that is to set "Medium" trust in the development environment and see what works?  Or is there an
easier way to know?

Thanks,

Best Regards,

Alan

Hi Carl,

Thought you and others would be interested to know that GoDaddy does in fact support Full Trust on their shared hosting servers.  Historically this has changed back and forth since ASP.NET 2.0, so that probably explains why there is some confusion over what
is available with GoDaddy.  Additionally, not every one of their support agents is fully aware of this nuance, but it is available.

There are 2 ways to engage Full Trust on GoDaddy.  Web.config can be modified as shown above.  Without that line in web.config, the default of Medium Trust will be applied. 

Alternatively, there is a webpage for each website that permits manual setting for a variety of ASP.NET parameters (at the time of writing this post, the User Interface doesn’t default to show the menus/additional webpages and you have to expand the menu
panel by clicking on the ‘Show More’ tab).   Once on the ASP.NET Settings Page there is a drop down box (currently called Code Access Security) that allows setting the Trust for that particular website (This is where the default Trust setting is set, but only
for that website).  If Full Trust is selected there, then the line in web.config will not be needed.  Interestingly, if web.config has that line, then the web page will change to reflect what’s in web.config.

Best Regards,

Alan

Leave a Reply