TargetInvocationException and MethodAccessException in new builds with self host


After updating from nightly 2013 Jul 20 build to 2013 Aug 09 build from myget and I'm receiving this error upon the startup of the host:

using (WebApp.Start<Startup>(serverUrl)

The error is:

"Inheritance security rules violated while overriding member: 'Autofac.Integration.WebApi.AutofacWebApiDependencyResolver.BeginScope()'.
Security accessibility of the overriding method must match the security accessibility of the method being overriden.":"Autofac.Integration.WebApi.AutofacWebApiDependencyResolver.BeginScope()"

What has been changed in terms of added .Net security to the new version and what modification do I've to apply to my host assembly to make it work with the newer builds?

Specifying SecurityTransparent does not work, since then I get this error:

Attempt by security transparent method 'Host.Program.Main(System.String[])' to access security critical method 'Microsoft.Owin.Hosting.WebApp.Start<Host.Startup>(System.String)' failed.

Thanks for the help,
Closed Aug 13, 2013 at 8:28 PM by eilonlipton
Per the discussion with Attilah this was an issue related to partial trust, which is no longer supported in ASP.NET 4.5.


eilonlipton wrote Aug 9, 2013 at 11:48 PM

Hi Attila, is your app running in partial trust? In ASP.NET on .NET 4.5 only Full Trust is supported.

attilah wrote Aug 10, 2013 at 12:26 AM

No, I'm running it on my dev machine, nothing special. As I wrote if I'm using the 0720 version and hit F5 it works, if I use the 0809 version it fails.

attilah wrote Aug 10, 2013 at 1:05 AM

Since the first error was regarding Autofac WebApi component I decided to compile Autofac WebApi against the latest WebApi sources and for .Net 4.5 Framework explicitly, since Autofac only targets 4.0 and the released WebApi.

When I first compiled the original source code against 4.0 Framework since CA was turned on, the compiler reported the possible security problems with method invocations. At that point it made sense why did I get the runtime errors with the Autofac WebApi integration component.

I saw that this component has AllowPartiallyTrustedCallers attribute, so I've removed it, since as you also said, only full trust is possible in .Net 4.5.

So I've changed the Framework version of this component to 4.5, updated the nuget packages to the latest dev copies (0809) and compiled the Autofac WebApi integration project. After updating the references in my solution to this newly built binary and update the nuget packages to 0809, all the runtime errors vanished and the server was up and running.

I hope this thread will help to other brave migrating warriors :-)


bvau001 wrote Aug 14, 2013 at 10:57 PM

Hi Attila,
As far as I can see this is an Autofac issue, the Autofac-WebAPI integration assembly needs the SecurityCritical & SecuritySafeCritical attribute to be added to various classes and methods (rather than removing the APTC attribute.

I have created a clone of the Autofac code where I have added the necessary security attributes to the autofac webapi project which will allow it to work with RC1. You can find it here: https://code.google.com/r/ben-autofac/

Hopefully they will merge it into the main line before too long.

attilah wrote Aug 15, 2013 at 12:40 PM

Hi Ben!

What have you done is another solution, I went for the simpler, quicker one, since WebApi 2.0 only working in Full Trust, so it "does not matter" :-)

However I'll take your solution and waiting for the integration into the core.