Using an External Config File With log4net with ASP.NET 2.0 and IIS7

I started a new project recently and set about adding log4net to it.  I’d upgraded to a new Window 7 workstation over the past month whereas I’d previously been using XP, so the step up to IIS7 was exciting and and a bit anxious all at the same time.  My first hurdle so far has been using log4net.

I tend to be the type of person that likes to separate out the log4net configuration into it’s own file, usually log4net.config.  Setting up this new project; however, I started running into a problem I’d never seen before.  When trying to use the XmlConfiguratior to read my log4net.config, I would see this exception:

[SecurityException: Request for the permission of type ‘System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089’ failed.]

Searching for others with this problem has not yielded much success.  I’ve seen articles stating that it’s an issue with medium trust security (on m local workstation trust was set to full) to problems with some sort of breaking code within log4net itself.  Most of these articles I suspect were not using IIS7, but it was hard to tell.

I ended up digging into the log4net source code to find out what was happening.  The problem would occur on a line of code that tried to access the FullName property of a System.IO.FileInfo object.  That property threw the exception worked fine it I tried to access it from my web project, but once it got down into the log4net guts, it would not.

After a lot of frustration, I finally started looking elsewhere.  I ran across a comment on Stack Overflow that stated they used .xml instead of .config files.  I had dismissed it due since others claimed .config files where fine, but recalling what I’d seen there I decided to try it.  *Poof* it worked!

I didn’t really want to leave the configuration in a file with the .xml extension since that could easily be downloaded from a server.  The discovery told me that it was likely due to something IIS was doing with ASP.NET to hide files, but the odd thing was that it could read from the web.config, so I was a little perplexed.  I started digging into how IIS7 handles these types of protected files. 

IIS7 ManagerIt turns out that there’s a section in the hosting configuration that lists protected files under the name “requestFiltering”.  Hmm…that was an interesting sounding name.  Unfortunately all the entries were only by file extension, not by file name directly so there had to be something else.

Request FilteringI ended up in the IIS7 Manager application and found the Request Filtering area.  I began to poke around in there and discovered another tab called Hidden Segments which had an entry for the web.config!  I clicked the Add Hidden Segment link under Actions and added a new entry for log4net.config and viola, my application worked!

I know that most of the IIS7 configuration settings are stored in various config files, including the web.config, so I started looking in there and found this new element in the <system.webServer> section.

   1: <security>

   2:     <requestFiltering>

   3:         <hiddenSegments>

   4:             <add segment="log4net.config" />

   5:         </hiddenSegments>

   6:     </requestFiltering>

   7: </security>

I believe that including this section will allow the files to work.  I even changed my trust level in my dev environment to Medium and it still ran just fine.

There may be other things that can cause this sort of problem, but this fixed my example.  Hopefully this helps someone else out there as it was a bear to track down!

Advertisements

3 thoughts on “Using an External Config File With log4net with ASP.NET 2.0 and IIS7

  1. Thanks you for this information. Instead of defining any request filter i’ve putted the config file in a separate directory. The security settings are defined, that nobody can access that directory. One thing i don’t understand: why isn’t it possible to read the config file when the name is log4net.config…? I’m realy confused about that behaviour…

    • From what I can ascertain, IIS protects all .config files from being read by default. Only files that show up in the filter section are allowed, therefore any .config files that are not standard need to be added there. I also believe this is only an issue if the web is running in pipleline mode, but I’m not certain about that. It seems (my best guess) that it’s simply another layer of security to avoid having sensitive configuration information leaked.

      • This sounds strange… I mean it is my own code, in global.asax which has not enough rights to read my log4net.config file..? I mean, I’m not in the role of a client from the internet who is trying to access the log4net.config file. But maybe you are right and this is a absolutely volitional behaviour. However this post leads me to the right way. You made my day, thank you so much…

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s