Ayende @ Rahien

My name is Oren Eini
Founder of Hibernating Rhinos LTD and RavenDB.
You can reach me by phone or email:


+972 52-548-6969

, @ Q c

Posts: 6,128 | Comments: 45,551

filter by tags archive

Debugging Security Exceptions

time to read 2 min | 224 words

One of the horrible things about SecurityException is just how little information you are given.

For example, let us take a look at:


Yes, that is informative. The real problem is that most security analysis is done at the method level, which means that _something_ in this method caused this problem. Which meant that in order to debug this, I have to change my code to be like this:


Which gives me this:


Just to point out, the first, second, etc are purely artificial method names, meant just to give me some idea about the problem areas for this purpose only.

Then we need to go into the code in the First method and figure out what the problem is there, and so on, and so forth.

Annoying, and I wish that I knew of a better way.


Steve Py

Doesn't the stack trace give you the detail you need to find the offending statement by line #?

The culprit from the original code was Line 166 inside DocumentDatabase.cs After your changes to track it down, the line was 185.

Or was the point that Line 166 was merely pointing at the constructor declaration, not the line that triggered the security exception?


Side note: never ever put anything that could remotely fail in a static constructor. Failing a static constructor causes the entire application to be effectively permanently unavailable until someone recycles the process. Only pure computations are suited for cctors. Use a static threadsafe lazy for anything else (but not the default one because it stores the exception! what an evil design choice).

Damien Guard

Attach to web app, throw on exception?


Ayende Rahien

Steve, Nope, the line number was actually the function header, not any line in the method itself

Ayende Rahien

Tobi, With the exception of things that are actually "if this fails, a restart is required"

Ayende Rahien

Damien, Try that :-) It wouldn't get into the method / line that is causing it. It would stop when the JIT processed the method, not when executing it.

Keith Bloom

Can you catch the exception and use that to help you find the bug?

SecurityException has several properties which should help you to find out why it was raised. This is turn may point to the code which caused it.


Ayende Rahien

It doesn't tell me what caused the error (what line of code in the method)

Steve Py

Hmm, at least from a debugging scenario, could CodeAccessPermissions.Assert possibly loosen up the restrictions enough to get a stack-trace without compromising the security restriction causing the exception? Really not something I've ever been in this situation.


Isn't this by design?

As it is a security exception it could be the result of someone probing trying to footprint the code.

Not giving any details might be annoying but it ticks the securtiy box.

Ayende Rahien

Dirk, Not giving me details means I can't fix this. It is incredibly hard to figure out what is going on

Andre Kraemer

I had a similar problem in a Sharepoint project. The SecurityException was thrown because of a missing permission. In order to find the permission I did the following:

I've surrounded the code that caused the error with a try catch block and caught the security exception. Then I've set a breakpoint in the catch block and had a look at the exception object in the quickwatch window.

The security Exception has a private field called m_demanded (among some other interesting fields), which finally told me what the missing permission was.

Maybe this helps in your case, too.

Comment preview

Comments have been closed on this topic.


  1. The worker pattern - 6 hours from now

There are posts all the way to May 30, 2016


  1. The design of RavenDB 4.0 (14):
    26 May 2016 - The client side
  2. RavenDB 3.5 whirl wind tour (14):
    25 May 2016 - Got anything to declare, ya smuggler?
  3. Tasks for the new comer (2):
    15 Apr 2016 - Quartz.NET with RavenDB
  4. Code through the looking glass (5):
    18 Mar 2016 - And a linear search to rule them
  5. Find the bug (8):
    29 Feb 2016 - When you can't rely on your own identity
View all series


Main feed Feed Stats
Comments feed   Comments Feed Stats