Configuration for Medium Trust environment
This chapter describes how to run Kentico CMS in a medium trust environment and the steps required to configure the system for it. It also describes the Precompilation/Deployment procedure and requirements.
Medium trust level
Hosting providers often use the medium trust level on shared servers to prevent applications from accessing resources that could harm other clients' web sites. Since version 2.2, Kentico CMS can run under the default medium trust policy provided with the Microsoft .NET Framework. To run the system with medium trust, you need to follow certain rules. Two main components require higher than medium trust and must be considered at this trust level:
Virtual path provider
This class (set of classes) provides the interface to the virtual objects stored in the database that can be compiled, such as document transformations, page layouts and web parts with custom code. The system references these files by virtual path, and VirtualPathProvider supplies the control code to the compiler.
Since the provider cannot run in a medium trust environment (it requires AspNetHostingPermission with high trust), you need to provide physical files to the system. You can export all the virtual objects to the file system in the CMSSiteManager -> Administration -> System -> Deployment interface by clicking the button “Save all virtual objects to disk”. This creates copies of the virtual objects in the following folders:
Please note that these files are just copies of the actual virtual objects and are used by the system only when the VirtualPathProvider cannot start. Also, changes made to the objects through the administration interface do not affect these files until you save all the objects again using the interface mentioned above.
In the medium trust environment the VirtualPathProvider is stopped automatically. When VirtualPathProvider is stopped, you cannot edit the virtual objects (safety feature) and cannot use custom web part code (Web part properties – Code). This is a limitation of the system running without VirtualPathProvider.
Please note that you should not run the system in medium trust while developing the web site. Use this trust level only for the published live site.
Content staging
The Microsoft.Web.Services3.dll library from the WSE3 package (Web Services Extensions), which is used by the Content staging module, requires Full trust permissions because of the low-level and security operations connected to the communication protocols. To ensure the proper permissions, the library must be present in the GAC (Global Assembly Cache) of the system. The library is provided by Microsoft and most of the providers should
Please perform the following tasks:
<system.web>
  ...
  <compilation debug="false" numRecompilesBeforeAppRestart="100">
    <assemblies>
      ...
      <add assembly="Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
      ...
    </assemblies>
  </compilation>
  ...
</system.web>
Although WSE actually increases the security of the application and the library is certified by Microsoft itself, some providers may not be willing to install the extensions or allow the library in the Global Assembly Cache. In those cases, you need to manually remove some of the system components to make the system run. See the Special cases section for details.
Running the web site
Now the system should work properly under the medium trust level. Restart IIS for the configuration changes to take effect and run the web site.
If you use any third-party components within your system that do not support the medium trust level by default, you will probably also need to configure the system for those. In these cases, contact the component's author for information on how to configure it to run in a medium trust environment.
If you experience any trouble running the web site with medium trust level, please feel free to contact us at support@kentico.com.
Special cases
You may not be able to access the GAC or convince your hosting provider to add the web services library to the GAC. In those cases you can still run Kentico CMS at the medium trust level; the only limitation is that you cannot use the Content staging module. To remove the Microsoft.Web.Services3.dll library binding, which requires the permission, perform the following steps:
<configSections>
  <section name="microsoft.web.services3" type="Microsoft.Web.Services3.Configuration.WebServicesConfiguration, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
</configSections>
<system.web>
  <webServices>
    <soapExtensionImporterTypes>
      <add type="Microsoft.Web.Services3.Description.WseExtensionImporter, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
    </soapExtensionImporterTypes>
    <soapServerProtocolFactory type="Microsoft.Web.Services3.WseProtocolFactory, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
  </webServices>
</system.web>
<microsoft.web.services3>
  <security>
    <securityTokenManager>
      <add type="CMS.Staging.WebServiceAuthorization" namespace="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" localName="UsernameToken"/>
    </securityTokenManager>
    <x509 allowTestRoot="true" verifyTrust="true"/>
  </security>
  <policy fileName="wse3policy.config"/>
  <diagnostics>
    <trace enabled="false" input="InputTrace.webinfo" output="OutputTrace.webinfo"/>
  </diagnostics>
</microsoft.web.services3>
Your system will work just fine but you will not be able to use the Content staging operations.
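The following check is an added example, not part of the Kentico documentation or product: it scans a web.config for leftover references to the WSE3 library after the Special cases removal, assuming the three sections shown above are the bindings to remove. It goes slightly beyond those three sections by flagging any element or attribute that still mentions Microsoft.Web.Services3 (for instance an `<assemblies>` entry); the function name and both sample documents are constructed for illustration.

```python
import sys
import xml.etree.ElementTree as ET

NEEDLE = "microsoft.web.services3"  # matched case-insensitively

def find_wse_references(web_config_xml):
    """Return (path, where) for each element that still refers to the WSE3 library."""
    findings = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        if NEEDLE in elem.tag.lower():
            findings.append((here, "element"))
        for name, value in elem.attrib.items():
            if NEEDLE in value.lower():
                findings.append((here, f"@{name}"))
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(web_config_xml), "")
    return findings

# Constructed sample: the <configSections> entry was removed, the other two were not.
SAMPLE_PARTIAL = """<configuration>
  <configSections/>
  <system.web>
    <webServices>
      <soapServerProtocolFactory type="Microsoft.Web.Services3.WseProtocolFactory, Microsoft.Web.Services3, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"/>
    </webServices>
  </system.web>
  <microsoft.web.services3>
    <policy fileName="wse3policy.config"/>
  </microsoft.web.services3>
</configuration>"""

# Constructed sample: all three sections removed.
SAMPLE_CLEAN = """<configuration>
  <configSections/>
  <system.web>
    <compilation debug="false" numRecompilesBeforeAppRestart="100"/>
  </system.web>
</configuration>"""

if __name__ == "__main__":
    # Pass a web.config path to check a real file; otherwise the partial sample is used.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PARTIAL
    for path, where in find_wse_references(raw):
        print(f"still references WSE3: {path} ({where})")
```

An empty result means no binding to the library remains in the file; any finding points at a section that would still try to load the Full trust assembly.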