Saturday, October 21, 2006

Code Access Security

CAS

@ When you run an unmanaged application in Windows 2003, XP or earlier, that code gets all the privileges your user account has. The application can do anything your user account has permission to do, so you are forced to log on with minimal privileges to restrict application permissions.

@ Code Access Security (CAS), a concept that the .NET Framework introduced into Windows, enables users to restrict on a very granular level what managed applications can do.

@ CAS allows administrators and developers to control application authorization similar to the way they have always been able to authorize users.

@ Unfortunately, CAS can be applied only to managed applications that use the .NET Framework runtime. Unmanaged applications run without any CAS restrictions and are limited only by the operating system's RBS.

^ Membership and Role Management in ASP.NET manage permissions (authentication and authorization) for "people" (people, user), whereas CAS manages permissions for "programs" (application, code).

Evidence

@ Generally, a security system uses usernames, passwords, and access control lists to identify users and determine what a user can and can't do. However, CAS identifies and assigns permissions to applications rather than to people; thus, it identifies assemblies using evidence.
@ In CAS, evidence is used just like a person's passport, password, and PIN - information that proves identity and describes an individual as deserving a certain level of trust.

@ Each piece of evidence is a way that an assembly can be identified, such as the location (folder or website) where the assembly is stored and running, a hash of the assembly's code, or the assembly's digital signature.

@ There are 2 types of evidence: host evidence and assembly evidence:

  1. Host evidence describes the assembly's origin, such as the application directory, URL, or site; and also describes the assembly's identity, such as the hash, publisher, or strong name.
  2. Assembly evidence is custom evidence provided by a user or developer.

^ I think evidence is the Authentication part of the security process for application or code, just like username and password are the Authentication for people or users.

Permission

@ A permission is a CAS access control entry.

^ A permission set is a CAS ACL (Access Control List).
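
The following C# program is an added example, not part of the original notes. It lists the host and assembly evidence of the running assembly, then asks the policy system which permission set it would grant to constructed evidence. It assumes .NET Framework 2.0 to 3.5 with default CAS policy; the class name and the `example.invalid` URL are made up for illustration.

```csharp
using System;
using System.Collections;
using System.Security;
using System.Security.Policy;

class EvidenceDemo
{
    // Print the type and value of every evidence object in an enumerator.
    static void Dump(string label, IEnumerator items)
    {
        Console.WriteLine(label);
        while (items.MoveNext())
            Console.WriteLine("  {0}: {1}", items.Current.GetType().Name, items.Current);
    }

    // Print the permissions (the "ACL entries") in a permission set.
    static void Dump(string label, PermissionSet set)
    {
        Console.WriteLine("{0} (unrestricted: {1})", label, set.IsUnrestricted());
        foreach (IPermission p in set)
            Console.WriteLine("  {0}", p.GetType().Name);
    }

    static void Main()
    {
        // Evidence the runtime gathered for this assembly when it was loaded.
        Evidence own = typeof(EvidenceDemo).Assembly.Evidence;
        Dump("Host evidence:", own.GetHostEnumerator());
        Dump("Assembly evidence:", own.GetAssemblyEnumerator());

        // Constructed host evidence: an assembly claimed to come from the
        // Internet zone at a made-up URL.
        Evidence remote = new Evidence();
        remote.AddHost(new Zone(SecurityZone.Internet));
        remote.AddHost(new Url("http://example.invalid/app/tool.exe"));

        // Same policy, different evidence, different permission set.
        // ResolvePolicy is obsolete from .NET Framework 4 onward.
        Dump("Granted to this assembly:", SecurityManager.ResolvePolicy(own));
        Dump("Granted to Internet-zone evidence:", SecurityManager.ResolvePolicy(remote));
    }
}
```

Run from a local disk, the first permission set is normally unrestricted while the Internet-zone set is a short list, which shows that the grant follows the evidence and not the user account.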