Kevin
I have been scouring the internet and reading several .Net security books
trying to get a handle on CAS and how we could easily implement it. Our shop
is small (7 programmers) and we are mainly writing ASP.Net apps. We are in
control of our own intranet and internet servers. Since we control our own
servers I felt we could create some "templated" assemblyinfo files with only
the permissions we need (declarative CAS). I believe this is easier than
creating our own permission sets in the .net security configurator because
each app may have a small variation to the template. All a programmer would
have to do is uncomment/add/remove the specific rights they need for that
app. I started by modifying the assemblyinfo.vb file to remove all default
CAS rights and then only adding back what I needed. This seems to be easy,
straightforward and it works in all my tests.
I then wanted to set the trust level to high or medium in the web.config
even if this is a little redundant since I am explicitly telling what rights I
want in the assemblyinfo file. However, I am running into a problem that I
don't truly understand how to correct.
If I set the trust to high in the web.config I get an error about
permissions (of course) but on the machine.config line 198 which is <add
assembly="*"/>. Now I know this section of the machine.config is for
compiling dynamic content and it tells what assemblies to use. I also
realize that "*" in High/medium trust wouldn't be allowed. However, I am not
sure how to correct this? I removed the line and the web apps won't run
even if fully trusted so I know that there are some assemblies I need but I
don't know which ones and if adding them explicitly to the machine.config is
good. My thought is no, but I do not know how to fix it?
Have you run into this? Is setting the trust level any safer since I
explicitly tell in the assemblyinfo file what permissions I need/want?
I have been learning the .Net Security model for the past several weeks. I
admit I am probably missing something. Any help would be appreciated.
Thanks!
Kevin