code-access-security

Seems to me most of developers completely ignore this features. People prefer handling security exceptions as generic ones relying on standard windows roles and rights instead of learning to use CAS ways of enhancing security - probably because CAS is quite confusing in its logic and naming. Can anyone suggest any general rule-of-thumb/best practices for using CAS at his best in a clean way? Yes and no. Unfortunately, you're right - developers rarely use CAS at all, let alone utilize it to it's fullest. In very few situations do I see them actually doing this (okay, its not really the

Languages such as Perl, Pythong, etc are usually considered to have a better security comparing with PHP. Apart from possible security holes, one reason can be (I do not know, I am asking) that we do not put the executable files of Perl and Python within public folder. Since PHP files are not executable, it is safe to keep them within public folder. Is it a wise and practical approach to keep php files outside the public folder to restrict possible access by attackers? If yes, is it common? because I do not see any disadvantage (except a little bit harder handling of file spread in different

I have an assembly marked with the AllowPartiallyTrustedCallersAttribute which contains a custom exception class. I want to make it serializable by overriding GetObjectData . With .NET 4, GetObjectData has become a SecurityCritical method. This means that overrides also need to be SecurityCritical . Since my assembly is marked with the AllowPartiallyTrustedCallersAttribute , all code within is automatically SecurityTransparent unless specified otherwise. Therefore, I apply the SecurityCriticalAttribute to the GetObjectData override: using System; using System.Runtime.Serialization; using

We have an application that we want to make available to the general internet-using public with as few clicks as possible. I'm investigating whether we can use ClickOnce to avoid the confirmation dialog that our existing alternatives entail. My research so far indicates that this ought to be possible as long as (a) the application is AuthentiCode signes, and (b) it comes with a manifest that request a sufficiently innocuous set of permissions. Where can I find a detailed, authoritative list of which permissions are "sufficiently innocuous" to avoid the confirmation dialog? I've clicked around

I was wondering - do any of you actually use the various classes in the System.Security.Permissions namespace? I mainly develop desktop/server-side components (i.e., no web) and the general assumption is that FullTrust is always available and no testing is performed on environments for which this is not the case. Apart from MS source code (EnterpriseLibrary and such), I have yet to see actual, in-use source code that makes use of said constructs. Is this prevalent, or are we the exception? I know, of course, that not doing this kind of testing is a problem on our side... The .NET code access

In a shell application, I need to be able to load and execute other .NET assemblies at runtime, but without giving them full trust. Essentially, I want to limit them (the loaded assemblies) from touching any system resources (threading, networking, etc), with the only exception being isolated storage. However, assemblies which are from "me" need to be executed with full trust. I've been considering Code Access Security, but I'm not quite sure it's what I should use. How would you go about this? CAS is pretty much what you need here. More specifically, you want to load the assembly in its own

In .NET 1.x, you could use the StrongNameIdentityPermissionAttribute on your assembly to ensure that only code signed by you could access your assembly. According to the MSDN documentation, In the .NET Framework version 2.0 and later, demands for identity permissions are ineffective if the calling assembly has full trust. This means that any application with full trust can just bypass my security demands. How can I prevent unauthorized code from accessing my assembly in .NET 2.0? As per Eric's suggestion, I solved it by checking the key myself. In the code I want to protect, I add the

first things first , i have seen nwsnapshot . and its not helping. i am building an inventory management system as a desktop app using node-webkit . the project being built is using compoundjs (mvc javascript library). which have a definite folder structure (you know mvc) and multiple javascript files inside them. the problem is nwsnapshot allows the app to have only a single snapshot file but the logic of application is spread over all the folders in different javascript files. so how do i secure my source code before shipping it to client? Or any other work-around Or smarter way (yes, i know

I have a fairly stable server application version that's been deployed for nearly a year at dozens of customers. One new customer recently setup the application and is getting the following error: System.MethodAccessException: Attempt by security transparent method [SomeMethod] to access security critical method [SomeOtherMethod] failed. Both SomeMethod and SomeOtherMethod are methods in assemblies that I wrote, that are built against .NET 4, and that are running inside a Windows Service. If it makes a difference, SomeOtherMethod does reference a type from a 3rd party assembly (EntLib 4.1)