What did you learn today? - 70-551, 70-552, 70-553 Section I, Part XII - Security.Policy
Phil Denoncourt's Technology Rants
 
 Monday, February 13, 2006
Control code privileges by using System.Security.Policy classes. (Refer System.Security.Policy namespace)
  • ApplicationSecurityInfo class and ApplicationSecurityManager class
  • ApplicationTrust class and ApplicationTrustCollection class
  • Evidence class and PermissionRequestEvidence class
  • CodeGroup class, FileCodeGroup class, FirstMatchCodeGroup class, NetCodeGroup class, and UnionCodeGroup class
  • Condition classes
  • PolicyLevel class and PolicyStatement class
  • IApplicationTrustManager interface, IMembershipCondition interface, and IIdentityPermissionFactory interface

ApplicationSecurityInfo class - New to 2.0. I've been looking for this class. This class holds information about the evidence belonging to the assembly. It also has the default permission set assigned to the assembly. This will make troubleshooting CAS problems much easier.

ApplicationSecurityManager class - "Manages trust decisions for manifest activated applications"? There has to be a better way to document this class. There is an ApplicationTrustManager property that provides access to the ApplicationTrustManager object for the assembly. People more familiar with ClickOnce might recognize where this would be used.

ApplicationTrust class - Encapsulates security decisions for an application. Has properties such as ApplicationIdentity, DefaultGrantSet, IsApplicationTrustedToRun.

ApplicationTrustCollection class - Collection of ApplicationTrusts. Again, I'm not real strong on the ClickOnce stuff (which is where I think this stuff comes in handy), but I don't see why I would ever have more than one ApplicationTrust?

Evidence class - Holds the evidence that belongs to the assembly. You can enumerate with this object to get all the associated evidence.

PermissionRequestEvidence class - Representation of all the RequiredPermissions, OptionalPermissions, and DeniedPermissions that are needed to run the assembly. These are declaratively stated by the developer.

CodeGroup class - Abstract class that represents a code group.

FileCodeGroup class - Generates a permission set containing FileIOPermissions that grant read-only access to the application directory.

FirstMatchCodeGroup class - "Allows security policy to be defined by the union of the policy statement of a code group and that of the first child code group that matches."  The .NET Security blog has a tidbit on this class.

NetCodeGroup class - Grants web permission to the site the code was downloaded from. 

UnionCodeGroup class - "Represents a code group whose policy statement is the union of the current code group's policy statement and the policy statement of all its matching child code groups." This is the default and most-often used type of CodeGroup.

Condition classes - There are quite a few condition classes, all implementing IMembershipCondition.  A condition is assigned to a code group which controls whether or not the permission set belonging to the code group is applied.

AllMembershipCondition - This is your 1==1 class.  Always matches.

ApplicationDirectoryMembershipCondition - This matches when the code is located in the application directory.

GACMembershipCondition - New to 2.0. This produces a match if the assembly is located in the GAC.

HashMembershipCondition - Produces a match if a hash matches a hash of the assembly.  The hash can be produced by using the Code Group Wizard.

PublisherMembershipCondition - Produces a match if the assembly was produced by a specific publisher, identified using Authenticode certificates.

SiteMembershipCondition - Produces a match if the assembly is located in a specific site.  The site is basically the domain name.

StrongNameMembershipCondition - Produces a match if the assembly has a specific strong name.

UrlMembershipCondition - Produces a match if the URL of the assembly matches a URL. The URL can have a wildcard in the final position.

ZoneMembershipCondition - Produces a match if the assembly was downloaded from a specific Zone (Internet, Intranet, Trusted Sites...)

PolicyLevel class - Represents the security policy levels for the CLR. There are four policy levels: Enterprise, Machine, User, and AppDomain.

PolicyStatement class - Represents the set of granted permissions, given a set of evidence.  The Resolve method in the PolicyLevel returns this object.
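
An added example, not from the original post, that resolves the same evidence through a PolicyLevel twice: once with a UnionCodeGroup root and once with a FirstMatchCodeGroup root, so the difference in the resulting PolicyStatement can be compared. It assumes .NET Framework 2.0 to 3.5 (CAS policy is obsolete from .NET Framework 4 onward); the site name www.example.test and both permission sets are constructed for illustration.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

static class CodeGroupDemo
{
    // Builds an AppDomain policy level: root (All code -> Nothing) with two children.
    // The root is a FirstMatchCodeGroup or a UnionCodeGroup depending on the flag.
    static PolicyLevel BuildLevel(bool firstMatch)
    {
        PolicyStatement nothing = new PolicyStatement(new PermissionSet(PermissionState.None));
        IMembershipCondition all = new AllMembershipCondition();
        CodeGroup root = firstMatch
            ? (CodeGroup)new FirstMatchCodeGroup(all, nothing)
            : new UnionCodeGroup(all, nothing);

        // Child 1: code from the Internet zone may execute, nothing more.
        PermissionSet exec = new PermissionSet(PermissionState.None);
        exec.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        root.AddChild(new UnionCodeGroup(
            new ZoneMembershipCondition(SecurityZone.Internet), new PolicyStatement(exec)));

        // Child 2: code from one site (constructed name) may show a File Open dialog.
        PermissionSet dialog = new PermissionSet(PermissionState.None);
        dialog.AddPermission(new FileDialogPermission(FileDialogPermissionAccess.Open));
        root.AddChild(new UnionCodeGroup(
            new SiteMembershipCondition("www.example.test"), new PolicyStatement(dialog)));

        PolicyLevel level = PolicyLevel.CreateAppDomainLevel();
        level.RootCodeGroup = root;
        return level;
    }

    static void Main()
    {
        // Constructed evidence that satisfies both child membership conditions.
        Evidence evidence = new Evidence();
        evidence.AddHost(new Zone(SecurityZone.Internet));
        evidence.AddHost(new Site("www.example.test"));

        foreach (bool firstMatch in new bool[] { false, true })
        {
            PolicyStatement granted = BuildLevel(firstMatch).Resolve(evidence);
            Console.WriteLine(firstMatch ? "FirstMatchCodeGroup root:" : "UnionCodeGroup root:");
            Console.WriteLine(granted.PermissionSet); // XML form of the granted set
        }
    }
}
```

Because both children match the evidence, the two printed permission sets show whether the root combined every matching child or stopped at the first one, which is the quickest way to see why an assembly was granted more or less than expected.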

IApplicationTrustManager interface - New to 2.0. If you're writing your own Trust Manager, you're required to implement this interface. This is used to implement Manifest-based Activation (ClickOnce).

IMembershipCondition interface - Condition classes (see above) are required to implement this interface.  If you're writing your own custom membership condition, you would implement this interface.

IIdentityPermissionFactory interface - "Defines the method that creates a new identity permission." It appears all evidence classes should implement this class. I don't completely understand the intent of this interface.

Next up -> Security.Principal

Monday, February 13, 2006 4:16:23 PM (GMT Standard Time, UTC+00:00) | Certifications
Copyright © 2008 Phil Denoncourt III. All rights reserved.