The SecurityClasses section is perhaps the most straightforward. It lists a set of <SecurityClass> tags for each of the kinds of available permissions. If you open up one of the CAS policy files from the framework directory, as mentioned above, you'll see that there are several <SecurityClass> tags defined and that their format is very simple. They take only two attributes:
- Namethe name of the class to load in processing the rest of the file. The class can be a permission, a membership condition, or a helper class as in the case of the NamedPermissionSet class.
- DescriptionThis is the full name of the assembly that the class is found in. This will include the version number, the culture, and public key token. No path information is typically given to the assembly because they are registered in the GAC.
The best thing to do for security class tags is to use the web_hightrust.config
as a starting point and remove any security classes that you do not need. This will cover the NamedPermissionSet helper class, all of the membership conditions, and the out of box permissions.
Named Permission Sets
Named permission sets allow you to collect up the various permissions that the code may need into a single set of permissions. This single set of permissions can then be referenced from the code groups that identify assemblies and grant them permissions. The <NamedPermissionSets> section contains a set of <PermissionSet> tags, each of which defines an individual named permission that the code group can refer to.
The basic format of the <PermissionSet> tag has the following attributes:
- classThis indicates the class to be instantiated. By default, the class is NamedPermissionSet.
- versionthe version of the policy configuration. This has a value of "1" even in .NET 2.0.
- NameThe name that will be used to refer to this permission set.
- DescriptionThe description for the policy set.
- UnrestrictedAn optional attribute that when set to "true" allows for unrestricted access. Typically this is only used with a Full trust permission set.
In each <PermissionSet> tag there may be zero or more <IPermission> tags, which associate the permission with the permission set. The <IPermission> tag has the following attributes:
- classThis is the class from the <SecurityClasses> group above which bestows the permission. This value should precisely match the name attribute of one of the <SecurityClass> tags in the <SecurityClasses> tag.
- versionAs above, this attribute indicates the version and is always set to "1" even in .NET 2.0.
There are several other attributes that may be added to each of the <IPermission> tags based on the class being referenced. The attributes supported cannot be easily ascertained from the documentation of the classes themselves, however, the additional attributes and the permissions that they relate to can be found in the Patterns and Practices guide "How to: Use Code Access Security in ASP.NET 2.0" available at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag2/html/PAGHT000017.asp
. Refer to Table 4 in the article (linked just above) to find a mapping of individual permission classes and attributes to the trust levels built into ASP.NET 2.0. In doing this the Table enumerates all of the options for the ASP.NET permissions classes.