Question: What's new in ASP.NET 2.0 in terms of Code Access Security?
Answer:
The main differences between ASP.NET 1.1 and ASP.NET 2.0 for code access security are the following:
* A new class of evidence (GacInstalled) tells you whether an assembly was loaded from the global assembly cache (GAC).
* The OLEDB managed data provider no longer requires full trust callers - they just need OleDbPermission - now granted to High trust ASP.NET applications.
* SmtpPermission is available at Connect, ConnectToUnRestrictedPort and None permission levels. This allows applications to send e-mail.
* A new permission type, DataProtectionPermission, is used to control the ability to use encryption/decryption with DPAPI.
* All assemblies installed in the GAC get full trust, regardless of enterprise or machine policy.
* In .NET 2.0, demands for identity permissions will always succeed in FullTrust, regardless of whether or not the calling assembly satisfies the identity demand.
* Security transparency. You can now mark assemblies with the SecurityTransparent attribute to let the common language runtime know that your code will not perform security-sensitive code access security operations, such as asserting permissions or using stack walk modifiers to escalate privileges. If your code or any code you call attempts such operations, a security exception is generated. This is particularly useful if your code loads third-party plug-ins.
* Simple sandboxing. In .NET Framework 1.x, to set up a sandboxed application domain — for example, to host untrusted code — you have to create an application domain policy level, create a series of code groups, and define the permission sets to be granted to each one. In .NET Framework 2.0, you can use a new overload of the static AppDomain.CreateDomain method to help simplify this process.
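
The simplified sandboxing call from the last item, as an added example (not code from the original FAQ). It assumes the .NET Framework; `PluginRunner`, `SandboxDemo`, the domain name and the file path are hypothetical names chosen for illustration.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Hypothetical type standing in for untrusted plug-in code; it is created inside the sandbox.
public class PluginRunner : MarshalByRefObject
{
    public string TryReadFile(string path)
    {
        try
        {
            // Demands FileIOPermission, which the sandbox grant set does not contain.
            return File.ReadAllText(path);
        }
        catch (SecurityException)
        {
            return "denied";
        }
    }
}

public static class SandboxDemo
{
    public static void Main()
    {
        // Grant set for code loaded into the sandbox: permission to run, nothing else.
        PermissionSet grantSet = new PermissionSet(PermissionState.None);
        grantSet.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));

        // The sandbox resolves assemblies from the host's directory.
        AppDomainSetup setup = new AppDomainSetup();
        setup.ApplicationBase = AppDomain.CurrentDomain.BaseDirectory;

        // No StrongName arguments are passed, so the full-trust list is empty and
        // this assembly receives only grantSet when loaded into the sandbox.
        AppDomain sandbox = AppDomain.CreateDomain("PluginSandbox", null, setup, grantSet);
        try
        {
            PluginRunner runner = (PluginRunner)sandbox.CreateInstanceAndUnwrap(
                typeof(PluginRunner).Assembly.FullName, typeof(PluginRunner).FullName);
            Console.WriteLine(runner.TryReadFile(@"C:\Windows\win.ini")); // constructed sample path
        }
        finally
        {
            AppDomain.Unload(sandbox);
        }
    }
}
```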