Declarative CAS in .NET Framework

Sometime we want to ensure inside our code that we have sufficient privileges to run our application and that we don’t have permission that are too excessive so that entire system can be jeopardized. There are three main specific reasons why we want to use declarative CAS. First, we want to ensure that runtime will never run our application without required security permissions being supplied. Second, we want to further restrict our code so that even if assembly is hacked, it will not lead to greater compromise of entire system. Third, we want to make sure that our application can run with limited CAS permissions and as a result being able to run in partially trusted zone.

Classes for CAS Assembly declaration


ClassRight Access Represented
AspNetHostingPermission Resources in ASP.NET-hosted environments
DataProtectionPermission Encrypted data
DirectoryServicesPermission System.DirectoryServices
DnsPermission Domain Name System
EnvironmentPermission Environment variables
EventLogPermission Event log
FileDialogPermission Selected Files
FileIOPermission Files or directories
GacIdentityPermission Global assembly cache
IsolatedStorageFilePermission Isolated storage
IUnrestrictedPermission Interface
KeyContainerPermission Public key encryption containers
MessageQueuePermission Message queues
OdbcPermission ODBC
OleDbPermission OLE DB
OraclePermission Oracle database
PerformanceCounterPermission Perf. counters
PrincipalPermission Control access
PrintingPermission Printers
ReflectionPermission Discover information about a type
RegistryPermission Registry keys and values
SecurityPermission Unmanaged code
ServiceControllerPermission Services
SiteIdentityPermission Identity permission
SocketPermission Make or accept connections
SqlClientPermission SQL databases
StorePermission Sores containing X.509 certificates
StrongNameIdentityPermission Prmission for strong names
UIPermission User interface functionality
UrlIdentityPermission Ientity permission for the URL
WebPermission Connections on a Web address
ZoneIdentityPermission Zone from which the code originates

Permission attribute classes define the Action property

SecurityAction.RequestMinimum – requires permission to run assembly. Code Access Security must grant permission.

SecurityAction.RequestOptional – permission can be used but is not required. Don’t grant permission unless we request it.

SecurityAction.RequestRefuse – associated permission set must not be granted.

[assembly:FileIOPermissionAttribute(SecurityAction.RequestMinimum, Read=@"C:\bootfile.ini")]
namespace MyDeclarativeExample
    class Program
        static void Main(string[] args)
            Console.WriteLine("Hello, World!");