Declarative CAS in .NET Framework
Sometime we want to ensure inside our code that we have sufficient privileges to run our application and that we don’t have permission that are too excessive so that entire system can be jeopardized. There are three main specific reasons why we want to use declarative CAS. First, we want to ensure that runtime will never run our application without required security permissions being supplied. Second, we want to further restrict our code so that even if assembly is hacked, it will not lead to greater compromise of entire system. Third, we want to make sure that our application can run with limited CAS permissions and as a result being able to run in partially trusted zone.
Classes for CAS Assembly declaration
Class | Right Access Represented |
---|---|
AspNetHostingPermission | Resources in ASP.NET-hosted environments |
DataProtectionPermission | Encrypted data |
DirectoryServicesPermission | System.DirectoryServices |
DnsPermission | Domain Name System |
EnvironmentPermission | Environment variables |
EventLogPermission | Event log |
FileDialogPermission | Selected Files |
FileIOPermission | Files or directories |
GacIdentityPermission | Global assembly cache |
IsolatedStorageFilePermission | Isolated storage |
IUnrestrictedPermission | Interface |
KeyContainerPermission | Public key encryption containers |
MessageQueuePermission | Message queues |
OdbcPermission | ODBC |
OleDbPermission | OLE DB |
OraclePermission | Oracle database |
PerformanceCounterPermission | Perf. counters |
PrincipalPermission | Control access |
PrintingPermission | Printers |
ReflectionPermission | Discover information about a type |
RegistryPermission | Registry keys and values |
SecurityPermission | Unmanaged code |
ServiceControllerPermission | Services |
SiteIdentityPermission | Identity permission |
SocketPermission | Make or accept connections |
SqlClientPermission | SQL databases |
StorePermission | Sores containing X.509 certificates |
StrongNameIdentityPermission | Prmission for strong names |
UIPermission | User interface functionality |
UrlIdentityPermission | Ientity permission for the URL |
WebPermission | Connections on a Web address |
ZoneIdentityPermission | Zone from which the code originates |
Permission attribute classes define the Action property
SecurityAction.RequestMinimum – requires permission to run assembly. Code Access Security must grant permission.
SecurityAction.RequestOptional – permission can be used but is not required. Don’t grant permission unless we request it.
SecurityAction.RequestRefuse – associated permission set must not be granted.
[assembly:FileIOPermissionAttribute(SecurityAction.RequestMinimum, Read=@"C:\bootfile.ini")]
namespace MyDeclarativeExample
{
class Program
{
static void Main(string[] args)
{
Console.WriteLine("Hello, World!");
}
}
}