21.5 Creating Code Groups


You want to create a new code group.


Technique

You use the same tools to create code groups that you do to view security policy: the .NET Configuration tool, caspol, and editing the XML policy files directly. Modifying the XML files is not recommended, however, because of the risk of corrupting the files, so we consider here only the first two options.

If you are using the .NET Configuration tool, you should navigate to the code group that will be the parent of the new group you want to create. In many cases, it will be the All Code group. Then, you right-click and select New from the context menu that pops up. You see a series of dialog boxes that guide you through the process of creating the new group.

The first dialog, shown in Figure 21.4, offers you the choice between working through the remaining dialogs or simply supplying an XML file that specifies the details of the group. Unless you already have an XML file, it's usually easier to work through the dialogs: The XML file needs to be in a fairly precise format and must specify existing assemblies and managed classes that will implement the code group. You can find documentation on the XML procedure at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconimportingnewsecuritycomponentstosecuritypolicyfromxmlfiles.asp.

Figure 21.4. Creating a new code group.


Assuming you work through the dialog boxes, a dialog asks you to indicate the membership condition of the group. All the usual choices of membership conditions are possible: You can choose to base the membership condition on the site, the URL, the strong name, the assembly hash, the application directory, or some custom condition for which you separately supply the code to implement the condition.

Figure 21.5 shows the process of creating a code group, which determines permissions granted to code securely downloaded from the Sams publishing site. (Note that we specified a secure HTTPS URL. Using the HTTPS protocol is important when choosing a URL-based membership condition; otherwise, you open a security loophole that is vulnerable to Web site spoofing.) Note that in this dialog, as you choose different permission types in the drop-down list box, the remaining controls change to reflect the different data you need to specify for each condition type.

Figure 21.5. Adding a membership condition to a code group.


The next dialog box (in Figure 21.6, the last one before the final confirmation dialog) asks you to select the permission set that will be given to all code that qualifies for membership in the new code group.

Figure 21.6. Specifying the permission set for a code group.


If you prefer to use caspol to create a new code group, then you should specify the addgroup flag and details of the group. The format for the command is

 
 caspol -addgroup <parent_name> <mship> <pset_name> <flags>

<parent_name> is the name of the parent to which the new group will be added, <mship> is the membership condition, <pset_name> is the name of the permission set associated with the group, and <flags> indicates any other flags that you want to specify, supplying more information. (An obvious flag here is the name of the group.) Note that the order of supplying the parent name, membership condition, permission set, and flags is important.

As an example, Listing 21.3 shows how we use caspol to add the same SamsPublishing code group, as shown earlier using the .NET Configuration tool.

Listing 21.3 Adding a Code Group Using caspol
 C:\>caspol -addgroup All_Code -URL https://www.samspublishing.com/* LocalIntranet -name "Sams Publishing"
 Microsoft (R) .NET Framework CasPol 1.1.4322.573
 Copyright (C) Microsoft Corporation 1998-2002. All rights reserved.

 The operation you are performing will alter security policy.
 Are you sure you want to perform this operation? (yes/no)
 y
 Added union code group with "-URL" membership condition to the Machine level.
 Success

Comments

Adding code groups can be a good way to customize your security policy to provide a framework for code provided in-house, even if the new code group simply uses an existing permission set. The beauty of the system is that if you later decide you need to modify the permissions that code running in this group requires, you can simply change the permission set that this code group uses, and the changes are automatically applied to all code that satisfies the membership condition for this code group. On the other hand, the security policy supplied out of the box by Microsoft is a carefully designed policy that will be useful in many situations, so you might want to think carefully before you fiddle with it. To avoid creating future security loopholes, make sure that you do not give any more permissions than are required for code to run.
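The caspol procedure from Listing 21.3, scripted with the two cautions from this section (HTTPS-only URL conditions, no broader permission set than needed) enforced before policy is touched. This is an added example, not code from the book; the caspol.exe path, the parameter names, and the choice to reject the FullTrust and Everything sets are assumptions made for illustration.

```powershell
# Added example, not from the book. Assumed: caspol.exe location (version
# from the Listing 21.3 banner) and an elevated prompt for machine policy.
param(
    [string]$Parent        = 'All_Code',
    [string]$Url           = 'https://www.samspublishing.com/*',
    [string]$PermissionSet = 'LocalIntranet',
    [string]$Name          = 'Sams Publishing'
)

$caspol = Join-Path $env:windir 'Microsoft.NET\Framework\v1.1.4322\caspol.exe'
if (-not (Test-Path $caspol)) { throw "caspol.exe not found at $caspol" }

# A URL membership condition must be https://; plain HTTP can be spoofed.
$uri = $null
$ok  = [Uri]::TryCreate($Url.TrimEnd('*'), [UriKind]::Absolute, [ref]$uri)
if (-not $ok -or $uri.Scheme -ne 'https') {
    throw "Refusing non-HTTPS URL membership condition: $Url"
}

# Least privilege: make the operator pick a narrower set than these two.
if (@('FullTrust', 'Everything') -contains $PermissionSet) {
    throw "Permission set '$PermissionSet' is broader than this group should get."
}

# Order matters: parent, membership condition, permission set, then flags.
# -quiet suppresses the yes/no prompt seen in the listing.
$addArgs = @('-quiet', '-machine', '-addgroup', $Parent,
             '-url', $Url, $PermissionSet, '-name', $Name)
$output = & $caspol @addArgs
$output

# The listing ends with "Success"; treat anything else as a failed change.
if (-not ($output | Select-String -SimpleMatch 'Success')) {
    throw 'caspol did not report Success; check the output above.'
}

# Show the resulting machine-level tree so the new group can be reviewed.
& $caspol -machine -listgroups
```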



Microsoft Visual C# .Net 2003
ISBN: 7508427505
EAN: 2147483647
Year: 2003
Pages: 440
