trust Element (ASP.NET Settings Schema)
Configures the level of code access security (CAS) that is applied to an application. Use this element, if you want to run a Web application that has less than Full trust.
configuration Element (General Settings Schema)
system.web Element (ASP.NET Settings Schema)
trust Element (ASP.NET Settings Schema)
<trust
level="[Full|High|Medium|Low|Minimal]"
originUrl="URL"
processRequestInApplicationTrust = "[True|False]"
/>
Attributes and Elements
The following sections describe attributes, child elements, and parent elements.
Attributes
Attribute |
Description |
||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
level |
Required String attribute. Specifies the trust level under which the application will run. Each trust level is mapped to an individual XML policy file using a trustLevel element in the configuration file. The policy file lists the set of permissions that are granted by each trust level. For information about ASP.NET and policy files, see ASP.NET Trust Levels and Policy Files. This attribute can be a user-defined value, if there is a matching security policy mapping defined in a trustLevel element in the securityPolicy Element (ASP.NET Settings Schema) element or one of the following possible values, in increasing order of restrictiveness.
The default is Full (no restrictions). |
||||||||||||
originUrl |
Optional String attribute. Specifies a URL for use with the restricted WebPermission permission that is configured in Medium trust. If present, this can be used for some classes, such as HttpWebRequest, that allow connectivity to only specific URLs that are specified by a WebPermission. This allows permissions that rely on the notion of a host to function correctly. |
||||||||||||
processRequestInApplicationTrust |
Optional Boolean attribute. Specifies whether page requests are automatically restricted to the permissions that are configured in the trust policy file that is applied to the ASP.NET application. Trust policy files are specified in trustLevel elements in the securityPolicy element. A single trust policy is applied to an ASP.NET application by using the level attribute of the trust element. If set to False, ASP.NET requests can potentially execute under Full trust, even if the level attribute specifies a different trust level. Unless there are specific reasons for doing this, do not reset this attribute from the default of true. This attribute is new in the .NET Framework version 2.0. The default is True. |
Child Elements
None.
Parent Elements
Element |
Description |
---|---|
configuration |
Specifies the required root element in every configuration file that is used by the common language runtime and the .NET Framework applications. |
system.web |
Specifies the root element for the ASP.NET configuration settings in a configuration file and contains configuration elements that configure ASP.NET Web applications and control how the applications behave. |
Remarks
The trust element configures the level of code access security (CAS) that is applied to an application. Security policy files are mapped to trust level names in the securityPolicy collection element. The policy file lists the set of permissions that are granted by the trust level. The trust element specifies which trust level to apply to the ASP.NET application. For information about ASP.NET and policy files, see ASP.NET Trust Levels and Policy Files.
By default, Web applications run with Full trust. Full-trust applications are granted unrestricted code access permissions by code access security policy. These permissions include built-in system and custom permissions. This means that code access security will not prevent your application from accessing any secured resources. The success or failure of the resource access attempt is determined purely by operating system-level security. If an application is configured with a trust level other than Full, it is referred to as a partial-trust application. Partial-trust applications have restricted permissions, which limit access to secured resources for the application.
For improved security in a hosted environment, use the location element in the root Web.config file to enclose securityPolicy and trust elements for hosted applications and the allowOverride="False" attribute to prevent applications from overriding the settings in a more local Web.config file. You can optionally make use of multiple location elements, each with a different path attribute, if you want to configure different trust levels for different hosted applications. For an example of this kind of configuration, see "Example," later in this topic.
Note
Web applications that are built on the .NET Framework version 1.0 always run with Full trust because the types in System.Web demand full-trust callers. When you upgrade to a newer version of the .NET Framework, do not change the trust level without testing any previously existing applications.
Default Configuration
The following default trust element is configured in the root Web.config file.
<location allowOverride="true">
<system.web>
<securityPolicy>
<trustLevel name="Full" policyFile="internal" />
<trustLevel name="High" policyFile="web_hightrust.config" />
<trustLevel name="Medium" policyFile="web_mediumtrust.config" />
<trustLevel name="Low" policyFile="web_lowtrust.config" />
<trustLevel name="Minimal" policyFile="web_minimaltrust.config"/>
</securityPolicy>
<trust
level="Full"
originUrl=""
processRequestInApplicationTrust="true"
/>
</system.web>
</location>
Example
The following code example demonstrates how to use a root Web.config file to specify Medium trust level settings for all ASP.NET applications on the server and the location element to lock the settings. Another location element in the same configuration file is used to allow the Web.config file for the Default Web Site/Temp application to override the settings in the root Web.config file.
<location allowOverride="false">
<system.web>
<securityPolicy>
<trustLevel name="Full" policyFile="internal" />
<trustLevel name="High" policyFile="web_hightrust.config" />
<trustLevel name="Medium" policyFile="web_mediumtrust.config" />
<trustLevel name="Low" policyFile="web_lowtrust.config" />
<trustLevel name="Minimal" policyFile="web_minimaltrust.config"/>
</securityPolicy>
</system.web>
</location>
<location allowOverride="false">
<system.web>
<trust level="Medium" originUrl="" />
</system.web>
</location>
<location allowOverride="true" path="Default Web Site/Temp">
<system.web>
<trust level="Medium" originUrl="" />
</system.web>
</location>
Element Information
Configuration section handler |
|
Configuration member |
|
Configurable locations |
Machine.config Root-level Web.config Application-level Web.config |
Requirements |
Microsoft Internet Information Services (IIS) version 5.0, 5.1, or 6.0 The .NET Framework version 1.0, 1.1, or 2.0 Microsoft Visual Studio 2003 or Visual Studio 2005 |
See Also
Tasks
How to: Configure Specific Directories Using Location Settings
How to: Lock ASP.NET Configuration Settings
Concepts
ASP.NET Trust Levels and Policy Files
ASP.NET Trust Levels and Policy Files
Securing ASP.NET Configuration
ASP.NET Configuration Scenarios
Reference
system.web Element (ASP.NET Settings Schema)
configuration Element (General Settings Schema)
trustLevel Element for securityPolicy (ASP.NET Settings Schema)
securityPolicy Element (ASP.NET Settings Schema)
Other Resources
ASP.NET Web Application Security
General Configuration Settings (ASP.NET)
ASP.NET Configuration Settings