Configure .NET Code-Access Security
Assign permission sets and experiment with the way .NET classifies different zones.
by Juval Löwy

VSLive! Orlando, September 19, 2002

Note: Juval Löwy presented "Implement .NET Security Techniques" at VBITS Orlando, Wednesday, September 18. This tip is from that session.

I'll show you how to configure .NET code-access security, assign different permission sets to the same zone, and experiment with the way .NET classifies different zones. You will create a Windows Forms application, consume it over the wire, and see how it is affected by the security policy used.

Initial Configuration
I assume you use the default security configuration of .NET 1.1 and later. The default security policy grants the Internet permission set to code coming from the Internet. To verify you have the default policy, bring up the .NET Configuration tool, and expand the Runtime Security Policy folder and the Machine policy. Highlight the Internet_Zone code group, right-click, and select Properties from the popup context menu (see Figure 1).

In the Internet_Zone code group Properties, select the Permission Set tab, and make sure it is set to the Internet permission set (or set it to Internet if necessary). Figure 2 shows the code group configuration.

Windows Forms Over the Wire
Create a new Windows Forms application called WinFormApp. Add a few controls to the form (no need for any specific logic behind the controls). Build and run the WinFormApp to make sure all is well. Create a new folder called WebFolder in some location such as C:\Temp. Copy the WinFormApp.exe file to the WebFolder folder. Bring up the WebFolder folder properties, select the Web Sharing tab, and click on the Share This Folder radio button to bring up the Edit Alias dialog. Grant Read permission and Application Scripts permissions (see Figure 3). Click on OK and OK in the Web Sharing tab. Bring up Internet Explorer, and type this URL:

http://localhost/WebFolder/WinFormApp.exe

The Windows Forms application will be downloaded and executed.

Security Permission Configuration
With the URL just typed, WinFormApp executes from the Local Intranet zone. The default configuration of the LocalIntranet_Zone code group grants the LocalIntranet permission set to code coming from the intranet. Modify the LocalIntranet_Zone code group to use the Nothing permission set, and navigate to http://localhost/WebFolder/WinFormApp.exe again. This time, the execution will fail, and the debugger exception window will show up (click on Cancel). To prove that all code coming from the intranet is indeed affected, share the WebFolder folder (or disk C as a whole) using normal file sharing, and type this command in the Run prompt:

\\<machine name>\<share name>\WebFolder\WinFormApp.exe

Again, the execution should fail.

Next, try to access the Web share as an Internet site, by navigating to your own IP:

http://127.0.0.1/WebFolder/WinFormApp.exe

Because code coming from the Internet zone is granted the Internet permission set, it can execute, but with some restrictions—only what the Internet permission set grants. As a result, .NET runs the application, but notifies the user that some functionality might not be available (see Figure 4).

Configure the Internet_Zone code group to use the Execution permission set. The Execution permission set does not have any UI permission, so .NET will refuse to run the Windows Forms application when coming from the Internet zone (try it!).

Finally, reset all security policies to their defaults by clicking on Reset All… from the context menu of the Runtime Security Policy folder.
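The effect of each code-group change above can also be checked from code rather than by launching the application. The following C# console program is an added example, not part of the original article; it assumes .NET Framework 1.1 through 3.5, where CAS policy is evaluated, and the ZoneProbe class and Probe method are hypothetical names. It maps each location to its zone and resolves the current policy for that zone, reporting whether the grant includes the Execution and UI permissions a Windows Forms application needs.

```csharp
// Added example (not from the original article).
// Assumes .NET Framework 1.1-3.5, where CAS policy is evaluated by the runtime.
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

class ZoneProbe   // hypothetical name
{
    // Map a URL or UNC path to its zone, then resolve policy for that zone alone.
    static void Probe(string location)
    {
        Zone zone = Zone.CreateFromUrl(location);
        Evidence evidence = new Evidence();
        evidence.AddHost(zone);

        PermissionSet granted;
        try
        {
            granted = SecurityManager.ResolvePolicy(evidence);
        }
        catch (PolicyException)
        {
            // Treat a policy failure as an empty grant.
            granted = new PermissionSet(PermissionState.None);
        }

        bool unrestricted = granted.IsUnrestricted();
        SecurityPermission sp =
            (SecurityPermission)granted.GetPermission(typeof(SecurityPermission));
        bool canExecute = unrestricted ||
            (sp != null && (sp.Flags & SecurityPermissionFlag.Execution) != 0);
        bool hasUI = unrestricted ||
            granted.GetPermission(typeof(UIPermission)) != null;

        Console.WriteLine(location);
        Console.WriteLine("  zone: {0}  execute: {1}  UI: {2}",
            zone.SecurityZone, canExecute, hasUI);
    }

    static void Main(string[] args)
    {
        // The two URLs are the ones used in the article.
        Probe("http://localhost/WebFolder/WinFormApp.exe");
        Probe("http://127.0.0.1/WebFolder/WinFormApp.exe");
        // Pass the UNC path of your own share as a command-line argument.
        foreach (string extra in args) Probe(extra);
    }
}
```

Run it from the local disk so the probe itself is not restricted by the policy you are testing, and rerun it after each change to the LocalIntranet_Zone or Internet_Zone code group.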

About the Author
Juval Löwy is a software architect and the principal of IDesign, a consulting and training company focused on .NET design and .NET migration. Juval is Microsoft’s regional director for the Silicon Valley, working with Microsoft on helping the industry adopt .NET. His latest book is Programming .NET Components (O’Reilly & Associates). Juval speaks frequently at software-development conferences. Contact him at www.idesign.net.
