Unlike RBS, CAS do not have users. CAS asigns permissions acording to evidence, a missnoming concept. Evidence refers to the identity of the application, and .Net recognizes evidence through:
- Application directory
- Hash
- Publisher
- Site
- Strong name
- URL
- Zone
Each permission is a CAS entry. The following are the default permission classes, you can add your own:
- Directory services
- DNS
- Enviroment variables
- Event log
- File dialog
- File IO
- Isolated storage file
- Message queue
- Performance counter
- Printing
- Reflection
- Registry
- Security
- Service controller
- Socket access
- SQL client
- User interface
- Web access
- X509 store
There are also permission sets, the equivalent for RBS access control lists. .Net have seven predefined permission sets:
- Full trust
- Skip verification
- Execution
- Nothing
- LocalIntranet
- Internet
- Everythig
And of course, the equivalent of user groups in RBS: code groups. Each code group can be associated with only one permission set. The pertenence to a code group are determined depending of the acomplishment of certain condition. An assembly can be a member of multiple code groups. The assembly will receive the union of the code group permissions that it belongs to. In addition, code groups can be nested, allowing to asign permision based in more than one type of evidence.
At a higher level, the security policy is the logical agrupation of code groups and permission sets, and is determined by default at four levels:
At a higher level, the security policy is the logical agrupation of code groups and permission sets, and is determined by default at four levels:
- Enterprise
- Machine
- User
- Application domain
The permissions are evaluated through this policy levels. The code grants the minimum permission set available in any of them (the intersection of the permission sets).
CAS doesn't replace RBS, only complements it. No code can have more permissions that the user running it.
To easily configure the CAS, you can use the .Net configuration tool. With this tool you can:
- Increase the assembly's confidence.
- Adjust the security zone.
- Evaluate the assembly.
- Create an implementation pack.
- Reset all directive levels.
Or, if you like working at command prompt, there is the caspol.exe tool, wich have the same functionality of the .Net configuration tool. caspol.exe have an extensive set of parameters, there are the most commonly used:
- -addfulltrust assemblyFile: Grants full trust to an strong named assembly.
- -addgroup parentName membershipCondition permissionSetName [flags]: Creates a new code group.
- -all: Indicates that the following options aplyes for all policy levels.
- -chggrouop name {membershipCondition | permissionSetName | flags }: Changes a code group.
- -list: List the code group hierarchy at the specified policy level.
No comments:
Post a Comment