Code access security in .net (CAS) is a better way of implementing application security by controlling authorization to a particular code part of an assembly there by preventing the execution of unauthorized code from unknown origins. You can do authorization for most of the resource like which you do in RBS (Role based security). But more than a role based security; it is based up on controlling what rights a particular code chunk is having. Like whether it can make an HTTP request, whether it should allow or deny IO access etc. in short CAS assigns permission to a code or code group rather than a role or a name. And mostly it will not consider any ACL (Access control list) parameter during its decision.
CAS uses assembly’s evidence to do or make its decision. Evidence tell us the exact identity of the assembly, it’s originating zone, which code group it belongs to etc. each default code group will be having some permission set. We can change these setting either through configuration wizard present in the control panel or through declarative programming which uses attributes in .net to specify the security permissions it requires. So each time when a .net type is loaded, CLR performs a Code Access Security (CAS) check
CAS is applied to a code mainly by configuring security policy. By default there are 3 security policy levels
CAS uses assembly’s evidence to do or make its decision. Evidence tell us the exact identity of the assembly, it’s originating zone, which code group it belongs to etc. each default code group will be having some permission set. We can change these setting either through configuration wizard present in the control panel or through declarative programming which uses attributes in .net to specify the security permissions it requires. So each time when a .net type is loaded, CLR performs a Code Access Security (CAS) check
CAS is applied to a code mainly by configuring security policy. By default there are 3 security policy levels
These are :
Enterprise Level – This is used for setting policy for an entire enterprise
Machine Level – For setting machine level policies
User Level – For setting policy at user level in a machine
Under each policy level there will be code groups which are then configured to grant some permission sets. For a Default configuration Both enterprise and user will be given full trust and Machine level will be having various code groups which will be configured for Local, intranet, internet, restricted and trusted zones. Later you can configure this according to your need.
So a user can control and decide to trust all assemblies published by a particular publisher like Microsoft or not to trust any assemblies downloaded from the Internet etc…
Console commands like Caspol.exe can also be used to control these permissions. Use a command line argument (- ?) to get help on this tool
Console commands like Caspol.exe can also be used to control these permissions. Use a command line argument (- ?) to get help on this tool
No comments:
Post a Comment