How do I create a custom trust level for ASP.NET?

From Guidance Share

J.D. Meier, Prashant Bansode, Alex Mackman

Answer

Create a custom trust file based on the standard trust file that most closely matches your application requirements. Add or remove permissions in the custom trust file depending on your requirements. From a security perspective, you should give your applications only the required permissions and nothing more. This is important because, even if your application is compromised, an attacker won’t be able to access resources other than those permitted by the permissions granted to your application.

To create a custom trust level:

  • Identify the trust level that satisfies most of your application's permission requirements.
  • Copy the trust policy file of that trust level from %windir%\Microsoft.NET\Framework\{version}\CONFIG\ to a file named Web_CustomTrust.config in the same directory.
  • Add or remove permissions from the custom trust policy file such that your requirements are satisfied. For example, to add the registry permission to a custom trust policy file:

Add a <SecurityClass> element.

    <SecurityClass Name="RegistryPermission"
                   Description="System.Security.Permissions.RegistryPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>

Add an <IPermission> element to the "ASP.Net" named permission set.

    <PermissionSet
        class="NamedPermissionSet"
        version="1"
        Name="ASP.Net">
        . . .
        <IPermission
            class="RegistryPermission"
            version="1"
            Unrestricted="true" />
        . . .
    </PermissionSet>

  • Configure your application's root Web.config file to make your application use the custom trust policy file.

    ...
    <location allowOverride="false">
        <system.web>
            <securityPolicy>
                <trustLevel name="Custom" policyFile="web_CustomTrust.config" />
            </securityPolicy>
            <trust level="Custom" originUrl="" />
        </system.web>
    </location>

Now your application is ready to use the custom trust policy.
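
A check to run on the finished policy file before deploying it, added here as an example (Python, not part of the original guidance): it flags permissions in the "ASP.Net" set that are granted with Unrestricted="true" and <IPermission> entries whose class has no <SecurityClass> element. The sample policy is constructed and abbreviated; audit_policy and the finding messages are names chosen for this example.

```python
import xml.etree.ElementTree as ET

UNRESTRICTED = "granted Unrestricted; scope it to the resources the app needs"
NO_CLASS = "no <SecurityClass> element declares this class name"

# Constructed, abbreviated policy modelled on the fragments above (not a full trust file).
SAMPLE_POLICY = r"""
<configuration><mscorlib><security><policy><PolicyLevel version="1">
  <SecurityClasses>
    <SecurityClass Name="RegistryPermission"
        Description="System.Security.Permissions.RegistryPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
  </SecurityClasses>
  <NamedPermissionSets>
    <PermissionSet class="NamedPermissionSet" version="1" Name="ASP.Net">
      <IPermission class="RegistryPermission" version="1" Unrestricted="true"/>
      <IPermission class="FileIOPermission" version="1" Read="$AppDir$"/>
    </PermissionSet>
  </NamedPermissionSets>
</PolicyLevel></policy></security></mscorlib></configuration>
"""


def audit_policy(xml_text, set_name="ASP.Net"):
    """Return (permission class, finding) pairs for one named permission set."""
    root = ET.fromstring(xml_text)
    declared = {sc.get("Name") for sc in root.iter("SecurityClass")}
    findings = []
    for pset in root.iter("PermissionSet"):
        if pset.get("Name") != set_name:
            continue
        for perm in pset.iter("IPermission"):
            cls = perm.get("class")
            # The procedure's first sub-step: the class must be declared.
            if cls not in declared:
                findings.append((cls, NO_CLASS))
            # Least privilege: an unrestricted grant covers every resource of that type.
            if (perm.get("Unrestricted") or "").lower() == "true":
                findings.append((cls, UNRESTRICTED))
    return findings


if __name__ == "__main__":
    # Replace SAMPLE_POLICY with the contents of your own custom trust policy file.
    for cls, finding in audit_policy(SAMPLE_POLICY):
        print(f"{cls}: {finding}")
```
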

More Information

For more information on code access security, see “How To: Use Code Access Security in ASP.NET 2.0” at http://msdn.microsoft.com/library/en-us/dnpag2/html/PAGHT000017.asp
