Chapter 19: .NET Security

Previous page
Table of content
Next page

Overview

You’re sitting at your machine, and you click a button on an application you’re using. Behind the scenes, your application responds to the fact that you are attempting to use a feature for which it does not have the relevant module. It connects to the Internet, downloads the module into the Download Assembly Cache, and begins executing - all without prompting you.

This kind of behind-the-scenes upgrade functionality is already used with many .NET applications, but there is a concern here over the security implications relating to what is called mobile code. In clear terms, what evidence do you actually have that you can trust the code your computer is downloading? How do you know that the module you requested is, in fact, the one that you are receiving? What does the CLR do behind the scenes to ensure, for example, that a control on a Web site is not reading your private e-mails?

.NET enforces a security policy around assemblies. It uses the evidence it has about them - where they are from or by whom they are published - to group the assemblies with similar characteristics. For example, the runtime places all code from the local intranet into a specific group. It then uses the security policy (normally defined by a system administrator using the Code Access Security Policy tool (caspol.exe) command-line utility, or the Microsoft Management Console) to decide what permissions the code should be granted at a very granular level. What do you have to do to enable security on a machine or for a specific application? Nothing - all code automatically runs within the security context of the CLR, although you can turn off security if necessary.

In addition to high levels of confidence that the code you are executing can be trusted, it is also important to allow the application users access to the features they need, but nothing more. By virtue of its role-based security, .NET facilitates effective management of users and roles.

This chapter looks through the features available in .NET to help you manage security, including how .NET protects you from malicious code, how to administer security policies, and how to access the security subsystem programmatically. It also looks at deploying .NET applications securely and provides a number of short example applications to solidify the concepts in this chapter for you.



Previous page
Table of content
Next page
Professional C# 2005 with .NET 3.0
Professional C# 2005 with .NET 3.0
ISBN: 470124725
EAN: N/A
Year: 2007
Pages: 427
BUY ON AMAZON
The Complete Cisco VPN Configuration Guide
Visual C# 2005 How to Program (2nd Edition)
The Java Tutorial: A Short Course on the Basics, 4th Edition
Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
Sap Bw: a Step By Step Guide for Bw 2.0
Quartz Job Scheduling Framework: Building Open Source Enterprise Applications
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy