I was wondering - do any of you actually use the various classes in the System.Security.Permissions namespace? I mainly develop desktop/server-side components (i.e., no web) and the general assumption is that FullTrust is always available and no testing is performed on environments for which this is not the case. Apart from MS source code (EnterpriseLibrary and such), I have yet to see actual, in-use source code that makes use of said constructs.
Is this prevalent, or are we the exception? I know, of course, that not doing this kind of testing is a problem on our side...
The .NET code access security is more relevant when users run code directly off a server over the internet, in which case they can't necessarily trust it to automatically do things such as access the file system. I don't know of anyone who makes their code available like that, though.
I make lots of use of PrincipalPermissionAttribute to demand the user has necessary access rights (using roles) from the Thread's Principal - saves a lot of manual checking in my business code (obviously the UI should check too and disable buttons etc - this is just the double-check at the back-end).
I find Principal-based security to be very versatily, especially with a custom Principal. But I don't use the CAS stuff.
If you deploy your desktop applications with ClickOnce, then the security sandbox can come into play.
I have never seen anyone make use of the permit, assert functionality.
I suspect a number of developers are not actually aware of the functionality.
I think it could be useful to restrict calls to dangerous functions.
Its going to depend on what you are doing but who wants to make a deployment more complex than it already is?
来源:https://stackoverflow.com/questions/169951/using-the-net-framework-security-system