We have a website and database that works fine locally and on our test server.
However when handed over to the client, they get exceptions around Entity framework:
"Inheritance security rules violated while overriding member: 'System.Data.Entity.Utilities.TaskExtensions+CultureAwaiter`1.UnsafeOnCompleted(System.Action)'. Security accessibility of the overriding method must match the security accessibility of the method being overriden.","ExceptionType":"System.TypeLoadException","StackTrace":" at System.Data.Entity.Core.Objects.ObjectContext.SaveChangesInternalAsync(SaveOptions options, Boolean executeInExistingTransaction, CancellationToken cancellationToken)\r\n at System.Data.Entity.Core.Objects.ObjectContext.SaveChangesAsync(SaveOptions options, CancellationToken cancellationToken)\r\n at System.Data.Entity.Internal.InternalContext.SaveChangesAsync(CancellationToken cancellationToken)\r\n at System.Data.Entity.Internal.LazyInternalContext.SaveChangesAsync(CancellationToken cancellationToken)\r\n at System.Data.Entity.DbContext.SaveChangesAsync(CancellationToken cancellationToken)\r\n at System.Data.Entity.DbContext.SaveChangesAsync()\r\n
and
The model state is valid.\r\nParameter name: modelState","ExceptionType":"System.ArgumentException","StackTrace":" at System.Web.Http.HttpError..ctor(ModelStateDictionary modelState, Boolean includeErrorDetail)\r\n at System.Web.Http.Results.InvalidModelStateResult.Execute()\r\n at System.Web.Http.Results.InvalidModelStateResult.ExecuteAsync(CancellationToken cancellationToken)\r\n at System.Web.Http.Controllers.ApiControllerActionInvoker.
The second one I might have a lead on, could be an issue with how they are setting up the database (they don't have EF so have installed the DB table through an SQL script, to an exising DB of all things!)
But the first one, I am a bit bamboozled, googling the error implies its an issue with 'private assemblies', I would assume that EF .dlls are set up in a way that allows for easy deployment? We wondered whether it was the asynch?
We sadly don't have a lot of time for back and forth guess work so I was wondering if this is just 'EF on secure Intranet' standard issue?
UPDATE After finding some Q&A around Entity Framework and "Full Trust" asp.net mvc 5 entity framework 6 identity working with trust level = medium?
Which lead to the addition of:
<securityPolicy>
<trustLevel name="Full" policyFile="internal"/>
</securityPolicy>
Within the system.web section.
That lead to a different error of "This configuration can not be used in this path" due to location so we added
location allowOverride="true">
Within our own web.config. This didn't seem to make any difference, presumably because as the error implies it would have to be a change made further up, is this correct?
In the end we felt it was a hole we were not going to get out of without getting the customer to change certain global security settings, of which we didnt even know. At least not in a hurry. As it was one small model, with one table, we ended up dropping EF and using some raw SQL calls, it seemed a shame but at that point, it was just the easiest option (Even so, it was worth starting with EF). I would love to know if there would have been a way around this my assumptions are:
- A parent/ancestor Web.config would have to have been changed to allow override?
- Or A parent/ancestor Web.config would have had to been changed to "full trust"
- Or possibly some kind of white-list exception for our site?
According to documentation, I found EF does not budge on this requirement so I don't think there is anything else we could have done our side? If this is true, would it have been reasonable to ask the client to change this? in future I think we will ask for more details around client security settings!
