What's new in ASP.NET 2.0 in terms of Code Access Security?

From Guidance Share

Jump to: navigation, search

J.D. Meier, Prashant Bansode, Alex Mackman


The main differences between ASP.NET 1.1 and ASP.NET 2.0 for code access security are the following:

  • A new class of evidence (GacInstalled) tells you whether an assembly was loaded from the global assembly cache (GAC).
  • The OLEDB managed data provider no longer requires full trust callers - they just need OleDbPermission - now granted to High trust ASP.NET applications.
  • SmtpPermission is available at Connect, ConnectToUnRestrictedPort and None permission levels. This allows applications to send e-mail.
  • A new permision type DataProtectionPermission is used to control the ability to use encryption/decryption with DPAPI.
  • All assemblies installed in the GAC get full trust, regardless of enterprise or machine policy.
  • In .NET 2.0, demands for identity permissions will always succeed in FullTrust, regardless of whether or not the calling assembly satisfies the identity demand.
  • Security transparency. You can now mark assemblies with the SecurityTransparent attribute to let the common language runtime know that your code will not perform security-sensitive code access security operations, such as asserting permissions or using stack walk modifiers to escalate privileges. If your code or any code you call attempts such operations, a security exception is generated. This is particularly useful if your code loads third-party plug-ins.
  • Simple sandboxing. In .NET Framework 1.x, to set up a sandboxed application domain — for example, to host untrusted code — you have to create an application domain policy level, create a series of code groups, and define the permission sets to be granted to each one. In .NET Framework 2.0, you can use a new overload of the static AppDomain.CreateDomain method to help simplify this process.
Personal tools