Login | Register   
RSS Feed
Download our iPhone app
Browse DevX
Sign up for e-mail newsletters from DevX


Managing .NET Code Access Security (CAS) Policy : Page 4

Toward the end of the project cycle is not the time to figure out Code Access Security. Learning how .NET handles evidence, permissions, code groups, etc. now will put you that much further ahead for your next project.

Figure 6: Exception generated for an assembly without file IO permissions.
Applying CAS Policy
The previous sections described the mechanics and theory of how CAS policy works. Now, I want to demonstrate a scenario where you would want to apply CAS policy. This example takes a simple smart client application, adds logic requiring permissions beyond those granted in the Intranet Zone, and uses a no-touch deployment model.

To get started, create a Windows Forms application in your IDE. Double-click on the form and add the following code to the Load event handler that is generated:

private void Form1_Load( object sender, System.EventArgs e) { using (System.IO.FileStream stream = System.IO.File.Open("SomeFile.txt", System.IO.FileMode.OpenOrCreate)) { // do file I/O } }

After you've compiled the program and verified that it runs without generating an exception, create an IIS virtual directory, referring to the directory where the executable of this program resides.

For the purposes of this discussion, I'll assume that the virtual directory alias is EnvDemo and you've named your sample application WinForm1.exe. You can test the security characteristics of this application in the Intranet Zone by launching Internet Explorer and typing the following address into the address bar and pressing Enter:


When you run this program for the first time, you may receive a JIT Debug error dialog. If the application had a strong name, you wouldn't see this error. For now, select the no button and launch the application again. This time you will receive a Security Exception dialog that states that the assembly was not granted FileIOPermission, which is what you want to see at this point.

.NET raises the SecurityException exception because the evidence resolved during runtime on this application indicates that it is a member of the Intranet Zone. When CAS policy resolved the security on this assembly, it matched the membership condition of the LocalIntranet_Zone code group, which added the .NET LocalIntranet permission set to the assembly's permission grant set. If you recall, an assembly does not have a permission unless it has been explicitly granted. Since the LocalIntranet permission set does not include FileIOPermission, the CLR detected this and raised the SecurityException exception.

To fix this, you need to modify security policy to give this assembly FileIOPermission. In the Microsoft .NET Framework 1.1 Configuration tool, select the All_Code Code Group under Machine Policy Level. Right-click and select New from the context menu, bringing up the Create Code Group dialog box shown in Figure 6. Perform the following steps to create CAS policy for this assembly:

  1. Give the new Code Group a name and description, as shown in Figure 7. Click Next.
  2. Select URL evidence from the drop-down for the Membership Condition, shown in Figure 8. Set the URL to http://localhost/EnvDemo/*. The asterisk in the URL allows you to match any assemblies within the specified directory. You could also choose to replace the asterisk with WinForm1.exe to make the match apply to that one assembly. Click Next.
  3. Since none of the pre-existing permission sets match exactly what we want to do, select the "Create a new permission set" option, shown in Figure 9. Click Next.
  4. Figure 10 shows the beginning of the wizard for creating a new permission set. Give it a name of FileIOPermission, fill in the Description, and click Next.
  5. In the Assign Individual Permissions dialog box in Figure 11, select File IO from the Available Permissions list and click Add. This brings up a Permission Settings dialog box (Figure 12).
  6. The Permission Settings adjust based on the details available for each permission type. For the FileIOPermission, you can specify a file name and each of its permission settings for a fine grained approach. Alternatively, you can select "Grant assemblies unrestricted access to file system" if the application requirements dictate that much freedom. For our purposes, select the "Grant unrestricted" option and click OK. Click Next.
  7. You are now done, as shown in Figure 13. Click Finish.
Figure 7: Setting a code group name and description.
Figure 8: Specifying a membership condition.
Figure 9: Selecting a permission set.
Figure 10: Setting a permission set name and description.
Figure 11: Selecting a permission set.
Figure 12: Setting FileIOPermission details.
Figure 13: Completing code group creation.

If you look at the code groups for the Machine policy level, you'll see a new code group named WinForm1FileIO. Similarly, the permission sets in the Machine policy level will contain a new permission set named FileIOPermission.

Now run the application from Internet Explorer as before. If you have set up CAS policy properly, the application will run without generating a security exception.

Comment and Contribute






(Maximum characters: 1200). You have 1200 characters left.



Thanks for your registration, follow us on our social networks to keep up-to-date