473,245 Members | 1,770 Online
Bytes | Software Development & Data Engineering Community
Post Job

Home Posts Topics Members FAQ

Join Bytes to post your question to a community of 473,245 software developers and data experts.

Article : Code Access Security Part - 1 (.Net FrameWork Tools Series)

Hey Guys,

Today we are going to look at Code Access Security.

Code access security is a feature of .NET that manages code depending on its
trust level. If the CLS trusts the code enough to allow it ro run then it
will execute, the code execution depends on the permission provided to the
assembly. If the code is not trusted wnough to run or it attempts to perform
an action which doe not have the required permissions then its execution is
stop and the application exits.

Code access security is primarily about protecting resources like your
local disk,netwoek, user interface from malicious code and not a tool for
protecting software from users which is a general misbelief.

Code access security is based upon Code Groups and Permissions.

Code Groups :- In windows we have user groups and every user belongs to a
group. We do not give permissions to users on indiviual basis but rather it
is more convient to create a group and give permissions to this group. In
the same way we have code groups bring code that has similar characteristics
and execution permissions togather.

E.g. One of the predefined code groups is Internet. If we say that this code
belongs to Internet code group this code has only those permissions which
are defined by this group. Like the Internet code group does not have access
to your local access hence all the applications executing under this code
group will not have permissions to access the local hard disk.
Permissions :- They are actions that each code group is allowed to perform
e.g. Permissions to access the user interface. This permission management
can be done at 3 levels Enterprise,Machine and User level.

"All Code" code group is the root group. All the code groups is under this
code group. If an assembly does not match a code group in the hierarchy code
groups below it are not searched.

For an assembly to be a member of any code group it need to fulfill its
membership condition.Each code group has one and only one membership
condition. This is the list of membership conditions in which "All code"
membership condition is at the root.

Let us view all the available code group membership conditions :

1) Go to Visual Studio Command promt and type caspol /help
2) Scroll at the bottom and you will see the following membership or "mship"

where "<mship>" can be:

-allcode All code
-appdir Application directory
-custom <xml_file> Custom membership condition
-hash <hashAlg> {-hex <hashValue>|-file <assembly_name>} Assembly hash
-pub {-cert <cert_file_name> | -file <signed_file_name> | -hex
<hex_string>} Software publisher
-site <website> Site
-strong -file <assemblyfile_name> {<name> | -noname}{<version>
| -noversion} Strong name
-url <url> URL
-zone <zone_name> Zone, where zone can be: (MyComputer,

Zone is the most commonly used membersip condition.These zones are managed
from IE using the security options

3) Go to IE. ... Tools ... Options ... Security Tab ... And you will see all
these options.

Note :- These options are set from IE they apply to the whole machine.

4) Type caspol.exe - lg. This command will list all the code groups without
the descriptions. If you want to see the desriptions
Type caspol.exe -ld.

5) To view the code groups of an assembly e.g. Type caspol -resolvegroups
<DLLName>.dll. It will show a similar output

Level = Enterprise
Code Groups:
1. All code: FullTrust

Level = Machine
Code Groups:
1. All code: Nothing
1.1. Zone - MyComputer: FullTrust

Level = User
Code Groups:
1. All code: FullTrust


6) In order to understand code access security completely we need to
understand Permission sets very well.

Type caspol -lp | more.

You will see an entire list of permissions in the form of xml tags.

We will look a few most frequently used permission sets :

SQLCLientPermission :-- Permission to access SQL Database.
UIPermission :- Permission to access user interface.
FileIOPermission : - Permission to read,writing or append to file as well as
creating folders.
Printing Permission :- Permission to print
WebPermission :- Prmission to make or accept connetions to/from the web.

..Net has provided us with predefined permission sets a.k.a. named permssion
sets. They are :-


Note : Only the last 3 can be modified the first three cannot altered.

You can also view assembly premissions with caspol :-

caspil.exe -rp <Your Assembly>.dll

Note :- In one of my previous articles we had seen hoow to view assembly
permissions with permview.exe.

Now lets view the current permission sets for each code groups at various
policy levels.
CAS policy levels exists either at enterprise, user or machine level.

By deffault when you listgroups using caspol machine level policy details
are displayed to you. If you want to see user and enterprise policy details
type -u or -en as follows :-

caspol -u -lg // for user

caspol -en -lg // for enterprise

By Default .Net gives FullTrust permissions to "ALL Code " Code group at
enterprise and user level.

The question now is ow we determine which policy level will be used. Well
CAS takes an intersection of all the 3 policy levels i.e. user enterprise
and machine. Hence if you have made any changes on your machine's policy you
administrator can easily override it by changing the user or enterprise

Today we have seen the code access groups, permission sets and the
different policy levels. In my tommorrow's article we will create a sample
app and see how we can manage security policy.

-- Please post your queries and comments for my articles in the usergroup
for the benefit of all. I hope this step from my end is helpful to all of


Namratha (Nasha)

Nov 17 '05 #1
0 2053

This thread has been closed and replies have been disabled. Please start a new discussion.

Similar topics

by: John Smith | last post by:
I don't think I have understood the concept of Code Access Security in Dotnet fully. 1) I simply can't appreciate the method - *Permission.Assert that asserts the 'right' and bypasses the...
by: Brian Loesgen | last post by:
The next San Diego .Net User Group meeting is Tuesday, November 25, 2003 at the Scripps Ranch Library. Scripps Ranch Library 10301 Scripps Lake Drive San Diego, CA 92131-1026 Please join us...
by: Namratha Shah \(Nasha\) | last post by:
Hey Guys, Before we start with our sample app we need to view the security configuration files on the machine. You will find them under <drive>\WInNT\Microsoft.NET\FrameWork\<version>\Config ...
by: Ramzey | last post by:
I've looked through the MSDN documentation on code access security and can not seem to find an answer to my question. I have a class XYZCorpWebPage that uses System.Web.UI.Page as it's base...
by: JDeats | last post by:
Does anyone know if it's possible to programmatically modify .NET 1.1 Configuration Code Access security? Our ideal is to have a MSI installer package that the user can run that will adjust the...
by: Namratha Shah \(Nasha\) | last post by:
Hey Guys, Today we are going to look at Code Access Security. Code access security is a feature of .NET that manages code depending on its trust level. If the CLS trusts the code enough to...
by: Jeremy S. | last post by:
..NET's code Access Security enables administrators to restrict the types of things that a .NET application can do on a local computer. For example, a ..NET Windows Forms application can be...
by: Vedo | last post by:
Hi, Is there a way to assign permissions to native applications in Windows? Like app x can only access this and this directories, app y cannot impersonate the remote users, etc. Something...
by: =?Utf-8?B?TWlrZSBNY0FsbGlzdGVy?= | last post by:
First, I'm not an AD Administrator. However, I have an important business need to be able to learn and pass along information about configuring .NET Code Access Security from Active Directory. ...
by: abbasky | last post by:
### Vandf component communication method one: data sharing ​ Vandf components can achieve data exchange through data sharing, state sharing, events, and other methods. Vandf's data exchange method...
by: stefan129 | last post by:
Hey forum members, I'm exploring options for SSL certificates for multiple domains. Has anyone had experience with multi-domain SSL certificates? Any recommendations on reliable providers or specific...
by: egorbl4 | last post by:
Скачал я git, хотел начать настройку, а там вылезло вот это Что это? Что мне с этим делать? ...
by: davi5007 | last post by:
Hi, Basically, I am trying to automate a field named TraceabilityNo into a web page from an access form. I've got the serial held in the variable strSearchString. How can I get this into the...
by: Aftab Ahmad | last post by:
Hello Experts! I have written a code in MS Access for a cmd called "WhatsApp Message" to open WhatsApp using that very code but the problem is that it gives a popup message everytime I clicked on...
by: Aftab Ahmad | last post by:
So, I have written a code for a cmd called "Send WhatsApp Message" to open and send WhatsApp messaage. The code is given below. Dim IE As Object Set IE =...
by: ryjfgjl | last post by:
ExcelToDatabase: batch import excel into database automatically...
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...
by: isladogs | last post by:
The next Access Europe meeting will be on Wednesday 6 Mar 2024 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM). In this month's session, we are pleased to welcome back...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.