Security in ASP.NET
Author: Rajendra Kumar
Published: 6/19/2006 8:06 AM
Category: ASP.NET
Summary: This article explains Security in


Security in




  1. Overview of Security
  2. Understanding Security in


Code Security


Code security means securing your code against hackers to prevent hijacking, and it allows administrators to control what code is allowed to do.

There are two techniques for achieving code security:


  1. Code Access Security
  2. Evidence Based Security


1. Code Access Security


Code Access Security provides powerful features to protect against inadvertent or malicious code attacks. The CLR ensures that code has enough trust to access protected system resources. For that:

• Code must have the needed permissions to access protected resources.

• Permissions are granted based on the identity and origin of the code.




A permission is a set of capabilities: the right to interact with given resources.

Permission types are orthogonal: a demand for a permission of type X must be satisfied with a grant of permission of type X.


Permissions protect resources such as:

• FileIO

• SQLClient, etc.


Imperative Security:


Permission Class Methods

Code can explicitly use the following methods to manage security:

• Assert

• Demand

• Deny

• PermitOnly

• RevertAll

• RevertDeny

• RevertPermitOnly

The call stack needs to be examined frequently in order to determine its security credentials and needs. A SecurityException is thrown if code accesses resources and doesn't have the needed permission.


Declarative Security Demand


The following is an example declaration:



public void obj()





Before implementing this, you have to import the following namespace:

using System.Security.Permissions;


Remember the following points:

1. A security declaration cannot contain runtime variables.

2. The permission's state must be completely specified at compile time.

3. Declarative security is the best choice to use.
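
The same read permission demanded declaratively and imperatively, with PermitOnly used to show a demand failing. This is an added example, not code from the original article; it targets the .NET Framework CAS model the article describes, and ReportReader, ReportDir and the file paths are hypothetical names chosen for illustration.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

public class ReportReader
{
    // Hypothetical directory, used only for this example.
    private const string ReportDir = @"C:\Reports";

    // Declarative demand: the permission state is fixed at compile time,
    // so only constants may appear in the attribute.
    [FileIOPermission(SecurityAction.Demand, Read = ReportDir)]
    public string ReadSummary()
    {
        return File.ReadAllText(Path.Combine(ReportDir, "summary.txt"));
    }

    // Imperative demand: needed when the path is only known at run time.
    // absolutePath must be a fully qualified path.
    public string ReadAny(string absolutePath)
    {
        var perm = new FileIOPermission(FileIOPermissionAccess.Read, absolutePath);
        perm.Demand();   // stack walk; SecurityException if a caller lacks it
        return File.ReadAllText(absolutePath);
    }
}

public static class Program
{
    public static void Main()
    {
        var reader = new ReportReader();
        string outcome;

        // PermitOnly restricts everything called from this frame to reads
        // under C:\Reports; RevertPermitOnly lifts the restriction again.
        new FileIOPermission(FileIOPermissionAccess.Read, @"C:\Reports").PermitOnly();
        try { reader.ReadAny(@"C:\Windows\win.ini"); outcome = "read allowed"; }
        catch (SecurityException) { outcome = "demand failed: SecurityException"; }
        finally { CodeAccessPermission.RevertPermitOnly(); }

        Console.WriteLine(outcome);
    }
}
```

The demand in ReadAny fails before any file is opened, because the requested path lies outside the set that the calling frame permitted.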


Permission Request


An assembly may request permissions:

   • Only from granted ones

   • Minimum – don't run without these permissions

   • Optional – can use these permissions if available

   • Refused – never grant these permissions

• GRANT = ((Min ∪ Opt) ∩ ALLOWED) − Refused

   • May grant < ALLOWED permissions



2. Evidence Based Security


Policy Evaluation in CLR


Policy is the process of determining the set of permissions to grant to code based on evidence known about that code.

Requiring end users to write programs to express policies is a bad idea.

So we need a declarative, administrative model, which .NET supports.




The CLR examines evidence about code to determine whether it is trustworthy.

Evidence is presented by an assembly at load time. It is either location based or identity based.


Administrative tools


The .NET Framework Configuration tool, Mscorcfg.msc, is a management console that can be used to modify and manage security policy.

The command-line tool caspol.exe can also be used to modify and manage security policy.


Hierarchical Policy Levels


• The CLR supports multiple, ordered policy levels for administration:

   • Enterprise: common policy for the organization

      • MSI file push via Group Policy Editor

   • Machine: policy for all users of a given machine

   • User: policy specific to the logged-in user



[Figure: policy hierarchy with Enterprise Policy at the top, Machine1 Policy and Machine2 Policy beneath it, and Users A, B, C and D at the bottom]


The effective policy is the intersection of all the levels.
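
A small model of the two rules stated on this page, the intersection of policy levels and the GRANT formula from the Permission Request section. It is an added example, not code from the original article: it uses plain string sets instead of the CLR's own permission types, and the level contents, the permission labels and the GrantModel class are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

public static class GrantModel
{
    // Effective policy (ALLOWED): the intersection of every policy level.
    public static HashSet<string> Allowed(params string[][] levels)
    {
        var allowed = new HashSet<string>(levels[0]);
        foreach (var level in levels.Skip(1)) allowed.IntersectWith(level);
        return allowed;
    }

    // GRANT = ((Min ∪ Opt) ∩ ALLOWED) − Refused.
    // Throws when a minimum permission is missing from the result, modelling
    // "don't run without these permissions".
    public static HashSet<string> Grant(string[] min, string[] opt,
                                        string[] refused, HashSet<string> allowed)
    {
        var grant = new HashSet<string>(min);
        grant.UnionWith(opt);
        grant.IntersectWith(allowed);
        grant.ExceptWith(refused);
        if (!grant.IsSupersetOf(min))
            throw new InvalidOperationException("minimum request not satisfied");
        return grant;
    }

    public static void Main()
    {
        // Constructed policy levels; the permission names are labels only.
        var allowed = Allowed(
            new[] { "FileIO", "SqlClient", "Registry", "UI" },   // Enterprise
            new[] { "FileIO", "SqlClient", "UI" },               // Machine
            new[] { "FileIO", "UI", "Registry" });               // User
        Console.WriteLine("ALLOWED: " + string.Join(", ", allowed));

        // SqlClient is optional but not allowed; UI is allowed but refused.
        var grant = Grant(new[] { "FileIO" }, new[] { "SqlClient", "UI" },
                          new[] { "UI" }, allowed);
        Console.WriteLine("GRANT:   " + string.Join(", ", grant));

        // A minimum request the policy does not allow: the model refuses to run.
        try { Grant(new[] { "SqlClient" }, new string[0], new string[0], allowed); }
        catch (InvalidOperationException e) { Console.WriteLine("Refused: " + e.Message); }
    }
}
```

A permission dropped at any single level never reaches the grant, and a refused permission is removed even when every level allows it.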



Strong Naming


Assemblies get their identity from a strong name, which is made up of:


• Simple name – the name of the file minus the extension

• Version – four-part version number

• Culture – used for resource assemblies

• Public key and digital signature – establishes the validity of the assembly


All references to an assembly include all this information, which is known as strong binding.





In this article we covered the following points:

  1. It is better to use declarative security rather than imperative security.
  2. Use permissions, strong names and policies.
  3. Code and evidence-based security.





















