Why CAS doesn't stop things in ASP.NET apps

We've been writing various apps in .NET for a while now without thinking much about code access security. Now, having looked some into CAS pertaining to smart client apps and reporting services, I'm wondering why CAS doesn't stop some of the things we do.

One thing we routinely do is dip into the registry in our global.asax.vbs to read out values. But when I look at the standard CAS setting for the Internet and Intranet zones, these options don't appear to be allowed by default.

How does this work?

----

"Aaron" <Aa***@discussions.microsoft.com> wrote in message news:A018313E-52DF-40F3-A046-0F5AA8DEDE35@microsoft.com...
> We've been writing various apps in .NET for a while now without thinking much
> about code access security. Now, having looked some into CAS pertaining to
> smart client apps and reporting services, I'm wondering why CAS doesn't stop
> some of the things we do.

ASP.NET applications are usually run from the local machine, so they'll be granted unrestricted permissions under default CAS policy. However, it's not necessary to tweak the main CAS policy in order to prevent the full trust grant to ASP.NET applications since ASP.NET adds another policy layer that can be modified instead. For an introduction to the topic, see http://msdn.microsoft.com/library/en-us/cpguide/html/cpconaspnetcodeaccesssecurity.asp.

> One thing we routinely do is dip into the registry in our global.asax.vbs to
> read out values. But when I look at the standard CAS setting for the
> Internet and Intranet zones, these options don't appear to be allowed by
> default.

Your application is most likely running from the local zone, and your ASP.NET trust level is probably set to either full or high trust (or someone's been mucking with the policy configuration files).

> How does this work?

----

Remember that your ASP.NET app is installed on the web server and is in the local machine zone by default, so it gets full trust by default. If you'd like to see CAS in your web app, modify the <securityPolicy/> element in your web.config.

Joe K.
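
The ASP.NET policy layer the replies above refer to, as an added example that is not part of the original thread: a web.config fragment that moves an application off the default full trust. The `Custom` level and the `web_customtrust.config` file name are hypothetical; the other element and level names are the framework's own.

```xml
<!-- Added example: application-level web.config.
     Assumes the server's machine-wide configuration still allows
     applications to override the trust settings. -->
<configuration>
  <system.web>

    <!-- <securityPolicy> maps a trust level name to the policy file that
         defines its permission grant set. The framework already defines
         Full, High, Medium, Low and Minimal; only the extra level is
         declared here. -->
    <securityPolicy>
      <!-- Hypothetical custom level: a copy of the Medium policy file with
           a RegistryPermission added that is limited to the keys the
           application actually reads. -->
      <trustLevel name="Custom" policyFile="web_customtrust.config" />
    </securityPolicy>

    <!-- Default behaviour, shown for comparison: Full trust, so CAS grants
         everything and the registry read in global.asax succeeds.
    <trust level="Full" originUrl="" />
    -->

    <!-- Restricted behaviour: the Medium grant set contains no
         RegistryPermission, so the same registry read now fails with a
         System.Security.SecurityException when the demand is made. -->
    <trust level="Medium" originUrl="" />

    <!-- To keep the registry read while still dropping full trust, select
         the hypothetical custom level instead of Medium:
    <trust level="Custom" originUrl="" />
    -->

  </system.web>
</configuration>
```

On a shared server the administrator can set these elements in the machine-wide configuration inside a `<location allowOverride="false">` block so that individual applications cannot raise their own trust level.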