13.2 Disable Code Access Security


Problem

You need to turn off all CAS checking.

Solution

From code, set the SecurityEnabled property of the System.Security.SecurityManager class to false and persist the change by calling SecurityManager.SavePolicy. Alternatively, use the Code Access Security Policy tool (Caspol.exe) and execute the command caspol -s off from the command line.

Discussion

CAS is a key element of the .NET runtime's security model, and one that sets it apart from many other computing platforms. Although CAS was implemented with performance in mind and has been used prudently throughout the .NET class library, there is still an overhead associated with each security demand and resulting stack walk that the runtime must execute.

In rare cases, code-level security might not be of interest to you, or the need for performance might outweigh the need for CAS. In these situations, you can completely disable CAS and remove the overhead of code-level security checks. Turning off CAS has the effect of giving all code the ability to perform any action supported by the .NET Framework (equivalent to the FullTrust permission set). This includes the ability to load other code, call native libraries, and use pointers to access memory directly.

Warning  

You should only disable CAS for performance reasons after you have exhausted all other possible measures to achieve the performance characteristics your application requires. Profiling your code will usually identify areas where you can improve performance significantly without the need to disable CAS. In addition, you should ensure that your system resources have appropriate protection using operating system security mechanisms such as Windows ACLs before disabling CAS.

Caspol.exe is a utility provided with the .NET Framework that allows you to configure all aspects of your code access security policy from the command line. When you enter the command caspol -s off or its counterpart caspol -s on from the command line, the Caspol.exe utility actually sets the SecurityEnabled property of the SecurityManager class. The SecurityManager class contains a set of static methods that provide access to critical security functionality and data. This code demonstrates the use of the SecurityEnabled property to disable and enable CAS.

    // Turn off CAS security checks.
    System.Security.SecurityManager.SecurityEnabled = false;

    // Persist the configuration change.
    System.Security.SecurityManager.SavePolicy();

To enable CAS, use the following statements.

    // Turn on CAS security checks.
    System.Security.SecurityManager.SecurityEnabled = true;

    // Persist the configuration change.
    System.Security.SecurityManager.SavePolicy();

To disable CAS, your code must have the ControlPolicy element of the permission System.Security.Permissions.SecurityPermission. Naturally, you need no specific permission to enable CAS.

Changing SecurityEnabled won't affect the enforcement of CAS in existing processes, nor will it affect new processes until you call the SavePolicy method, which saves the state of SecurityEnabled to the Windows registry. Unfortunately, the .NET Framework doesn't guarantee that changes to SecurityEnabled will correctly affect the operation of CAS in the current process, so you must change SecurityEnabled and then launch a new process to achieve reliable and expected operation.

Note  

The current on/off state of CAS is stored in the Windows registry in the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security\Policy as part of a set of flags contained in the Global Settings value. If the key does not exist, CAS defaults to on.
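Because a disabled CAS silently gives every assembly FullTrust, it is worth verifying the state at startup or from a monitoring job. The following audit check is an added example, not code from the book; the class name CasAudit and the exit-code convention are assumptions, and it assumes a .NET Framework version in which CAS policy is active. It lists the value names under the policy key rather than decoding the flags, since the bit layout is not given here.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using Microsoft.Win32;

// Added example (hypothetical helper): audits the CAS on/off state.
static class CasAudit
{
    // Registry key path as given in the Note above (under HKEY_LOCAL_MACHINE).
    const string PolicyKey = @"SOFTWARE\Microsoft\.NETFramework\Security\Policy";

    // True if the calling code would be permitted to disable CAS.
    static bool HasControlPolicy()
    {
        try
        {
            new SecurityPermission(SecurityPermissionFlag.ControlPolicy).Demand();
            return true;
        }
        catch (SecurityException) { return false; }
    }

    static int Main()
    {
        bool casOn = SecurityManager.SecurityEnabled;
        Console.WriteLine("CAS enabled in this process: {0}", casOn);
        Console.WriteLine("Caller holds ControlPolicy:  {0}", HasControlPolicy());

        // Report what is persisted; a missing key means CAS defaults to on.
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(PolicyKey))
        {
            if (key == null)
                Console.WriteLine("Policy key absent: CAS defaults to on.");
            else
                foreach (string name in key.GetValueNames())
                    Console.WriteLine("Policy value '{0}' ({1}) is present.",
                        name, key.GetValueKind(name));
        }

        if (!casOn)
        {
            Console.Error.WriteLine("CAS is disabled: all code runs with FullTrust.");
            return 1; // non-zero exit so a monitor or installer can react
        }
        return 0;
    }
}
```

When CAS is already off, the ControlPolicy demand always succeeds, so read that line together with the first one.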




C# Programmer's Cookbook
ISBN: 735619301
EAN: N/A
Year: 2006
Pages: 266
