Step 4. Configure Code Access Security Policy to Constrain File I/O

In this step, you configure code access security policy for the FileIO assembly and grant it a restricted FileIOPermission so that it is only able to access files from beneath C:\Temp. You start by creating a new permission set that includes a restricted FileIOPermission. You then create a new code group to associate the new permission set with the FileIO assembly by using strong name evidence.

 Task   To create a new permission set

  1. Start the .NET Framework version 1.1 Configuration tool from the Administrative Tools program folder.

  2. Expand the Runtime Security Policy node.

    Three levels of code access security policy are displayed: Enterprise, Machine, and User. The fourth level at which you can configure code access security policy is the application domain level. ASP.NET implements application domain level policy, but this is not maintained using the .NET Framework version 1.1 Configuration tool. To edit ASP.NET policy, you must use a text editor.

    For more information about ASP.NET policy and how to use it, see Chapter 9, "Using Code Access Security with ASP.NET."

  3. Expand the Machine node.

    The Code Groups and Permission Sets folders are displayed. Each policy file contains a hierarchical collection of code groups. Code groups are used to assign permissions to assemblies. A code group consists of two elements:

    • A membership condition: This is based on evidence, for example an assembly's strong name.

    • A permission set: The permissions that the permission set contains are granted to assemblies whose evidence matches the membership condition.

    A permission set is a grouping that contains a collection of individual code access security permissions. Individual permissions represent the rights for code to access specific resource types or perform specific types of privileged operations.

  4. Right-click Permission Sets, and then click New.

  5. Enter RestrictedFileIO in the Name field, and then click Next.

  6. Select FileIO from the Available Permissions list, and then click Add.

  7. Enter c:\temp in the File Path column and select Read and Path Disc (path discovery).

    Path discovery permissions are required by the Path.GetFullPath function that is used by the FileIO assembly to canonicalize and validate the supplied filename.

    Read permissions are required by the File.OpenRead method, which is used by the FileIO assembly to open the text file.

  8. Click OK.

  9. Select Security from the Available Permissions list and click Add.

    The FileIO assembly also needs the permission to execute in addition to the FileIOPermission. The permission to execute is represented by SecurityPermission with its Flags property set to SecurityPermissionFlag.Execution.

  10. Click Enable assembly execution, and then click OK.

  11. Click Finish to complete the creation of the permission set.

    You have now created a new permission set called RestrictedFileIO that contains a restricted FileIOPermission, which allows read and path discovery to the C:\Temp directory, and a restricted SecurityPermission, which allows assembly execution.

 Task   To create a new code group

  1. Expand Code Groups, and then expand All_Code.

  2. Right-click All_Code, and then click New.

  3. Enter FileIOAssembly as the code group name, and then click Next.

  4. Select StrongName from the Choose the condition type for this code group drop-down list.

    You use this code group to apply specific permissions as defined by the RestrictedFileIO permission set to the FileIO assembly. A strong name provides cryptographically strong evidence to uniquely identify an assembly.

  5. To specify the FileIO assembly's public key (which it has because it contains a strong name), click Import, and then browse to the project output folder that contains FileIO.dll. Click Open to extract the public key from the assembly.

  6. Click Next, and then select RestrictedFileIO from the Use existing permission set drop-down list.

  7. Click Next and then Finish to complete the creation of the code group.

    You have now created a new code group that applies the permissions defined by the RestrictedFileIO permission set to the FileIO assembly.

  8. In the right window, select the FileIOAssembly code group, and then click Edit Code Group Properties.

  9. Select This policy level will only have the permissions from the permission set associated with this code group and Policy levels below this level will not be evaluated.

    By selecting these attributes for the code group, you ensure that no other code group, either at the current machine level or from the ASP.NET application domain level, affects the permission set that is granted to the FileIO assembly. This ensures that the assembly is only granted the permissions defined by the RestrictedFileIO permission set that you created earlier.

    Note: If you do not select these options, default machine policy grants the assembly full trust because the assembly is installed on the local computer and falls within the My_Computer_Zone setting.

  10. Click OK to close the Properties dialog box.
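
The two tasks above can also be expressed through the System.Security.Policy API, which makes the mapping from each dialog option to a policy flag explicit. The following is an added example, not code from the original chapter; the class name and the command-line argument are assumptions, and the membership condition matches on the public key only (no assembly name or version).

```csharp
using System;
using System.Collections;
using System.Reflection;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

// Hypothetical helper class; not part of the FileIO sample described on this page.
class ConfigureFileIOPolicy
{
    static void Main(string[] args)
    {
        // Assumption: args[0] is the path to the strong-named FileIO.dll.
        byte[] publicKey = AssemblyName.GetAssemblyName(args[0]).GetPublicKey();
        if (publicKey == null || publicKey.Length == 0)
            throw new ArgumentException("Assembly has no strong name: " + args[0]);

        // Task 1: RestrictedFileIO = read + path discovery beneath C:\Temp, plus execution.
        NamedPermissionSet permissions =
            new NamedPermissionSet("RestrictedFileIO", PermissionState.None);
        permissions.AddPermission(new FileIOPermission(
            FileIOPermissionAccess.Read | FileIOPermissionAccess.PathDiscovery, @"C:\Temp"));
        permissions.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));

        // Task 2: strong name membership condition built from the imported public key.
        StrongNameMembershipCondition condition = new StrongNameMembershipCondition(
            new StrongNamePublicKeyBlob(publicKey), null, null);

        // Exclusive  = "This policy level will only have the permissions from the
        //               permission set associated with this code group"
        // LevelFinal = "Policy levels below this level will not be evaluated"
        PolicyStatement statement = new PolicyStatement(permissions,
            PolicyStatementAttribute.Exclusive | PolicyStatementAttribute.LevelFinal);
        UnionCodeGroup codeGroup = new UnionCodeGroup(condition, statement);
        codeGroup.Name = "FileIOAssembly";

        // Add both to the Machine level and persist (requires administrator rights).
        IEnumerator levels = SecurityManager.PolicyHierarchy();
        while (levels.MoveNext())
        {
            PolicyLevel level = (PolicyLevel)levels.Current;
            if (level.Label != "Machine") continue;
            level.AddNamedPermissionSet(permissions); // throws if the name already exists
            CodeGroup root = level.RootCodeGroup;     // the All_Code group
            root.AddChild(codeGroup);
            level.RootCodeGroup = root;
            SecurityManager.SavePolicyLevel(level);
        }
    }
}
```

Omitting the two PolicyStatementAttribute flags reproduces the situation described in the note above: the My_Computer_Zone code group still matches the assembly and its grant is unioned with RestrictedFileIO.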




Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
EAN: 2147483647
Year: 2003
Pages: 613
