aspnet2securityfaq0011


Question: What's new in ASP.NET 2.0 in terms of Code Access Security?

Answer:

The main differences between ASP.NET 1.1 and ASP.NET 2.0 for code access security are the following:
* A new class of evidence (GacInstalled) tells you whether an assembly was loaded from the global assembly cache (GAC).
* The OLEDB managed data provider no longer requires full-trust callers. Callers need only OleDbPermission, which is now granted to High trust ASP.NET applications.
* SmtpPermission is available at the Connect, ConnectToUnrestrictedPort and None permission levels. This allows applications to send e-mail.
* A new permission type, DataProtectionPermission, controls the ability to encrypt and decrypt data with DPAPI.
* All assemblies installed in the GAC get full trust, regardless of enterprise or machine policy.
* In .NET 2.0, demands for identity permissions will always succeed in FullTrust, regardless of whether or not the calling assembly satisfies the identity demand.
* Security transparency. You can now mark assemblies with the SecurityTransparent attribute to let the common language runtime know that your code will not perform security-sensitive code access security operations, such as asserting permissions or using stack walk modifiers to escalate privileges. If your code or any code you call attempts such operations, a security exception is generated. This is particularly useful if your code loads third-party plug-ins.
* Simple sandboxing. In .NET Framework 1.x, to set up a sandboxed application domain — for example, to host untrusted code — you have to create an application domain policy level, create a series of code groups, and define the permission sets to be granted to each one. In .NET Framework 2.0, you can use a new overload of the static AppDomain.CreateDomain method to help simplify this process.
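
The simple sandboxing overload described in the last item, shown as an added example (not code from the original FAQ). It assumes a .NET Framework 2.0 or later console application; `PluginHost`, `TryReadFile`, the domain name and the file path are hypothetical names chosen for illustration.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Hypothetical stand-in for third-party code. It derives from MarshalByRefObject
// so the host calls it through a proxy and the code itself runs inside the sandbox.
public class PluginHost : MarshalByRefObject
{
    public string TryReadFile(string path)
    {
        try { return File.ReadAllText(path); }
        catch (SecurityException ex) { return "denied: " + ex.Message; }
    }
}

public static class Program
{
    public static void Main()
    {
        // Grant set for everything loaded into the sandbox: permission to execute
        // and nothing else (no file, network, reflection or UI access).
        PermissionSet grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));

        AppDomainSetup setup = new AppDomainSetup();
        setup.ApplicationBase = AppDomain.CurrentDomain.BaseDirectory;

        // The 2.0 overload: one call replaces the 1.x policy level and code groups.
        // The trailing StrongName[] parameter (omitted here) lists assemblies that
        // should receive full trust inside the sandbox.
        AppDomain sandbox = AppDomain.CreateDomain("Sandbox", null, setup, grant);
        try
        {
            PluginHost plugin = (PluginHost)sandbox.CreateInstanceAndUnwrap(
                typeof(PluginHost).Assembly.FullName, typeof(PluginHost).FullName);

            // File.ReadAllText demands FileIOPermission; the stack walk reaches the
            // partially trusted PluginHost frame, so the demand fails in the sandbox.
            Console.WriteLine(plugin.TryReadFile(@"C:\example\settings.txt"));
        }
        finally
        {
            AppDomain.Unload(sandbox);
        }
    }
}
```

Per the GAC item above, an assembly installed in the GAC receives full trust even when loaded into such a domain, so code meant to be sandboxed should not be installed there.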
