Security in ASP.NET
Author: Rajendra Kumar
Published: 6/19/2006 8:06 AM
Category: ASP.NET
Summary: This article explains code access security in the .NET Framework and how it applies to ASP.NET applications.

 

Security in ASP.NET

 

Objectives:

 

  1. Overview of code security
  2. Understanding code access security in .NET and ASP.NET

 

Code Security

 

Code security, in the .NET sense, is the CLR mechanism that controls what a given piece of code is allowed to do, based on where the code came from and who produced it, rather than on which user account is running it. It protects against code that is accidentally or deliberately misused (for example, a partially trusted component being tricked into writing files or opening sockets on behalf of its caller) and allows administrators to decide what code from a given source should be allowed to do.

Note that this is the .NET Framework 1.x/2.0 model described by this article. Starting with .NET Framework 4, CAS policy is disabled by default and the assembly-level permission requests are ignored; .NET Core and later do not enforce code access security at all.

Code security is usually presented under two headings:

  1. Code Access Security: permissions, and how code demands or restricts them
  2. Evidence Based Security: how the CLR decides which permissions to grant

 

1. Code Access Security

 

Code Access Security protects against inadvertent or malicious misuse of code. Before code can touch a protected system resource, the CLR checks that it has been granted enough trust; concretely:

 Code must hold the needed permissions to access a protected resource.

 Permissions are granted based on the identity and origin of the code, not on the identity of the user.

 

Permissions 

 

A permission is a set of capabilities: the right to interact with a given resource in given ways (for example, read access to one directory, or the right to open a socket to one host).

Permission types are orthogonal. A demand for a permission of type X must be satisfied with a grant of permission of type X; holding broad file access says nothing about registry access.

 

Permissions protect resources such as the following (each has a corresponding permission class in System.Security.Permissions or System.Net/System.Data):

 - FileIO (FileIOPermission)
 - FileDialog (FileDialogPermission)
 - IsolatedStorage (IsolatedStorageFilePermission)
 - Environment (EnvironmentPermission)
 - Registry (RegistryPermission)
 - UI (UIPermission)
 - Printing (PrintingPermission)
 - Reflection (ReflectionPermission)
 - Security (SecurityPermission, which also gates Assert, unmanaged code calls and policy control)
 - Socket (SocketPermission)
 - Web (WebPermission)
 - DNS (DnsPermission)
 - OleDb (OleDbPermission)
 - SqlClient (SqlClientPermission), etc.

 

Imperative Security

Permission Class Methods

Code can create a permission object at run time and call the following methods on it to manage security explicitly. All of them except Demand place a stack modifier on the calling frame that lasts until the frame returns or the matching Revert is called:

 - Demand: walk the call stack and verify that every caller holds this permission
 - Assert: stop the stack walk at this frame for this permission, vouching for all callers (requires SecurityPermission with the Assertion flag; use sparingly and around the smallest possible operation)
 - Deny: fail any demand for this permission made by code called from this frame
 - PermitOnly: fail any demand for a permission not in this set made by code called from this frame
 - RevertAssert, RevertDeny, RevertPermitOnly: remove the corresponding modifier placed by this frame
 - RevertAll: remove all modifiers placed by this frame

A demand triggers a walk of the call stack: each frame is checked against its assembly's grant set, and any Assert, Deny or PermitOnly met on the way changes the outcome. A SecurityException is thrown if code accesses a protected resource and does not have the needed permission. Because the walk covers every caller, a trusted library cannot be used as a proxy by less trusted code higher up the stack unless that library asserts the permission.
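The following is an added example, not code from the original article, showing Demand, PermitOnly, Assert and the Revert calls interacting on one call stack. It assumes .NET Framework 2.0/3.5 run from the local disk (so the assembly itself is fully trusted and the only restrictions are the ones it places on its own stack); the temp sub-directory name is an assumption.

```csharp
// Added example (not from the original article). Assumes .NET Framework 2.0/3.5,
// run from the local disk (FullTrust). Directory name is an assumption.
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

class ImperativeDemo
{
    static readonly string Dir = Path.Combine(Path.GetTempPath(), "cas-demo");
    static readonly string Note = Path.Combine(Dir, "note.txt");

    static void Main()
    {
        Directory.CreateDirectory(Dir);

        // Demand: the CLR walks the stack and checks every caller for Write on Dir.
        // From fully trusted code this succeeds; otherwise SecurityException.
        new FileIOPermission(FileIOPermissionAccess.Write, Dir).Demand();
        Console.WriteLine("Demand for Write on {0} satisfied", Dir);

        Console.WriteLine(RunUnderReadOnly());

        // Back in Main no modifier is in effect, so a plain write works.
        File.WriteAllText(Note, "plain write after the restricted frame returned");
    }

    static string RunUnderReadOnly()
    {
        // PermitOnly applies to this frame and everything it calls. It is dropped
        // when the frame returns, or earlier via RevertPermitOnly.
        new FileIOPermission(FileIOPermissionAccess.Read, Dir).PermitOnly();

        bool directWriteBlocked = false;
        try
        {
            File.WriteAllText(Note, "direct");   // demands Write -> not permitted here
        }
        catch (SecurityException)
        {
            directWriteBlocked = true;
        }

        // The Assert sits BELOW this frame on the stack, so the walk for the write
        // demand stops there and never reaches our PermitOnly. This is why Assert
        // must be treated as a privilege boundary and audited carefully.
        WriteWithAssert(Note, "written via Assert");

        string contents = File.ReadAllText(Note);  // Read is permitted

        CodeAccessPermission.RevertPermitOnly();
        return string.Format("direct write blocked: {0}; file now reads: \"{1}\"",
                             directWriteBlocked, contents);
    }

    // Requires SecurityPermission(Assertion), which FullTrust includes.
    static void WriteWithAssert(string path, string text)
    {
        new FileIOPermission(FileIOPermissionAccess.Write, path).Assert();
        try
        {
            File.WriteAllText(path, text);
        }
        finally
        {
            CodeAccessPermission.RevertAssert();
        }
    }
}
```

Run it and the first write inside RunUnderReadOnly fails with SecurityException while the write routed through WriteWithAssert succeeds, which is the whole point of the stack walk: a restriction placed by a caller is only as good as the absence of an Assert in its callees.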

 

Declarative Security Demand

 

The following is an example declaration. It demands write access to c:\temp every time the method is called; the demand is evaluated when the method is entered, before the body runs:

using System.Security.Permissions;

[FileIOPermission(SecurityAction.Demand, Write = "c:\\temp")]
public void obj()
{
    // body runs only if every caller on the stack holds Write on c:\temp
}

Before implementing this you have to import the namespace that contains the permission attributes, System.Security.Permissions (the using directive above).

 

You have to remember the following things:

1. A security declaration cannot contain runtime variables; it is stored in the assembly metadata as attribute arguments.

2. The permission state must therefore be completely specified at compile time.

3. Declarative security is preferred wherever it fits: because the demand lives in metadata, administrators and tools can see what the code requires without running it, and the check happens before the method body executes. Fall back to imperative security only when the resource (such as a file path) is known only at run time.

 

Permission Request

 

An assembly may request permissions from policy, but it can never receive more than policy would grant it:

 - Minimum: don't run without these permissions (the loader refuses to load the assembly if they are not granted)
 - Optional: use these permissions if available, but run without them
 - Refused: never grant these permissions, even if policy would

 GRANT = ((Min ∪ Opt) ∩ ALLOWED) − Refused

The grant is therefore always a subset of ALLOWED, the set policy would give this code. If no Optional request is present, the assembly receives all of ALLOWED minus Refused; as soon as any Optional request is present, only Min ∪ Opt is considered and everything else is implicitly refused.
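The following is an added example (not code from the original article) of assembly-level permission requests combined with a declarative method demand. It assumes .NET Framework 2.0/3.5, where these requests are honoured by policy (from .NET Framework 4 they are obsolete and ignored), and that the directory C:\temp exists; the path and file name are assumptions.

```csharp
// Added example (not from the original article). Assumes .NET Framework 2.0/3.5
// and an existing C:\temp directory; path and file name are assumptions.
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Minimum: without these, the loader refuses to run the assembly at all.
// Execution must be requested explicitly once an Optional set is present,
// because Grant = ((Min ∪ Opt) ∩ Allowed) − Refused and nothing else is granted.
[assembly: SecurityPermission(SecurityAction.RequestMinimum, Execution = true)]
[assembly: FileIOPermission(SecurityAction.RequestMinimum, Read = @"C:\temp")]

// Optional: granted if policy allows, but the assembly runs without it.
[assembly: FileIOPermission(SecurityAction.RequestOptional, Write = @"C:\temp")]

// Refused: subtracted last, even from a FullTrust grant.
[assembly: RegistryPermission(SecurityAction.RequestRefuse, Unrestricted = true)]

class RequestDemo
{
    static void Main()
    {
        Console.WriteLine("Running, so the minimum request was satisfied.");
        Console.WriteLine("Write to C:\\temp allowed: {0}", TryWrite());   // true if Optional was granted
        Console.WriteLine("Registry read allowed:    {0}", TryRegistry()); // always false: refused
    }

    // Declarative demand, evaluated on entry before the body runs.
    [FileIOPermission(SecurityAction.Demand, Write = @"C:\temp")]
    static void WriteMarker()
    {
        File.WriteAllText(@"C:\temp\request-demo.txt", "ok");
    }

    static bool TryWrite()
    {
        try { WriteMarker(); return true; }
        catch (SecurityException) { return false; }   // Optional permission not granted
    }

    static bool TryRegistry()
    {
        try { Microsoft.Win32.Registry.CurrentUser.OpenSubKey("Software"); return true; }
        catch (SecurityException) { return false; }   // RegistryPermission was refused above
    }
}
```

Running from the local disk (MyComputer zone, FullTrust policy) prints true for the write and false for the registry read: the Optional set was available and was granted, while the Refused set is removed regardless of how much policy would have allowed.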

 

 

2. Evidence Based Security

 

Policy Evaluation in the CLR

Policy is the process of determining the set of permissions to grant code, based on the evidence known about that code.

Requiring end users to write programs to express policies would be a bad idea, so .NET supports a declarative, administrative model instead: policy is configured by an administrator and evaluated by the CLR at load time.

 

Evidence

 

The CLR examines evidence about code to determine how far it should be trusted.

Evidence is presented by an assembly (or by the host that loads it) at load time. It is either location based (Zone, Url, Site, ApplicationDirectory) or identity based (StrongName, Publisher from an Authenticode signature, Hash).

 

Administrative tools

 

The .NET Framework Configuration tool, Mscorcfg.msc, is a management console snap-in that can be used to view, modify and manage security policy.

The command-line tool caspol.exe can also be used to modify and manage security policy, and is the one to use from scripts and deployment packages.

 

Hierarchical Policy Levels

 

The CLR supports multiple, ordered policy levels for administration:

 - Enterprise: common policy for the organization (typically pushed out as an MSI file via the Group Policy Editor)
 - Machine: policy for all users of a given machine
 - User: policy specific to the logged-in user

A fourth, AppDomain level can be set programmatically by a host (ASP.NET uses it for its trust levels); it is not administered through the tools above.

                      Enterprise Policy
                     /                 \
            Machine1 Policy        Machine2 Policy
             /        \             /        \
          User A    User B       User C    User D

The effective policy is the intersection of all the levels: code receives a permission only if every level grants it, so a lower level can narrow but never widen what a higher level allows.
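The following is an added example (not code from the original article) that ties the Evidence and Hierarchical Policy Levels sections together: it lists the evidence the loader attached to the running assembly, resolves each policy level against that evidence, and intersects the results to obtain the effective grant. It uses .NET Framework 2.0/3.5 APIs (SecurityManager.PolicyHierarchy and PolicyLevel.Resolve are obsolete from .NET Framework 4, where CAS policy is off by default).

```csharp
// Added example (not from the original article). Assumes .NET Framework 2.0/3.5.
using System;
using System.Collections;
using System.Reflection;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

class PolicyDemo
{
    static void Main()
    {
        Assembly asm = Assembly.GetExecutingAssembly();
        Evidence evidence = asm.Evidence;

        // Location evidence (Zone, Url, Site, ApplicationDirectory) says where the
        // code came from; identity evidence (StrongName, Publisher, Hash) says what it is.
        Console.WriteLine("Evidence for {0}:", asm.GetName().Name);
        foreach (object item in evidence)
        {
            // Hash.ToString() dumps the whole assembly as XML, so just name it.
            Console.WriteLine("  {0}: {1}", item.GetType().Name,
                              item is Hash ? "(assembly hash)" : item.ToString());
        }

        // Walk the levels (Enterprise, Machine, User, plus an AppDomain level if the
        // host set one) and intersect: a permission survives only if every level grants it.
        PermissionSet effective = new PermissionSet(PermissionState.Unrestricted);
        IEnumerator levels = SecurityManager.PolicyHierarchy();
        while (levels.MoveNext())
        {
            PolicyLevel level = (PolicyLevel)levels.Current;
            PolicyStatement statement = level.Resolve(evidence);
            Console.WriteLine("{0} level grants: {1}", level.Label, Describe(statement.PermissionSet));

            // Intersect returns null for an empty result; treat that as "nothing granted".
            effective = effective.Intersect(statement.PermissionSet)
                        ?? new PermissionSet(PermissionState.None);
        }
        Console.WriteLine("Effective grant (intersection): {0}", Describe(effective));

        // SecurityManager performs the same walk in one call, also honouring the
        // LevelFinal and Exclusive code-group attributes that a manual walk ignores.
        PermissionSet resolved = SecurityManager.ResolvePolicy(evidence);
        bool same = resolved.IsSubsetOf(effective) && effective.IsSubsetOf(resolved);
        Console.WriteLine("SecurityManager.ResolvePolicy gives the same set: {0}", same);
    }

    static string Describe(PermissionSet set)
    {
        if (set == null) return "(none)";
        if (set.IsUnrestricted()) return "FullTrust";
        return set.Count + " permission(s)";
    }
}
```

On a default installation run from the local disk every level resolves to FullTrust, so the intersection is FullTrust as well; run the same binary from a network share or an http:// URL and the Machine level shrinks the grant to the LocalIntranet or Internet set while the Enterprise and User levels still say FullTrust, which makes the "intersection, not union" rule visible.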

 

 

Strong Naming

 

Assemblies get their identity from a strong name, which is made up of

 Simple name – the name of the file minus the extension
 Version – four-part version number (major.minor.build.revision)
 Culture – used for resource (satellite) assemblies; "neutral" for code assemblies
 Public key and digital signature – a signature over the assembly's hash made with the matching private key; it lets the loader verify that the assembly has not been altered since it was signed and was produced by whoever holds that key

Every reference to an assembly records all of this information, which is known as strong binding: the loader will not satisfy the reference with an assembly that has the same simple name but a different version or public key. Note that a strong name establishes integrity and continuity of the signing key, not who the publisher is; a trusted publisher identity is what an Authenticode signature (Publisher evidence) adds.
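The following is an added example (not code from the original article). It reads the four parts of the running assembly's strong name, prints the fully qualified name that strong-bound references carry, and shows how the public key becomes identity evidence usable in a StrongNameIdentityPermission demand. It assumes .NET Framework 2.0/3.5 and that the assembly was compiled with a key pair (for example one created with sn -k and referenced via [assembly: AssemblyKeyFile]); without a key the public key is empty and the identity part is skipped.

```csharp
// Added example (not from the original article). Assumes .NET Framework 2.0/3.5 and
// an assembly signed with a key pair; otherwise the public key section is skipped.
using System;
using System.Globalization;
using System.Reflection;
using System.Security.Permissions;
using System.Text;

class StrongNameDemo
{
    static void Main()
    {
        AssemblyName name = Assembly.GetExecutingAssembly().GetName();

        // The four parts of the strong name.
        Console.WriteLine("Simple name:    {0}", name.Name);
        Console.WriteLine("Version:        {0}", name.Version);
        bool neutral = name.CultureInfo == null || name.CultureInfo.Equals(CultureInfo.InvariantCulture);
        Console.WriteLine("Culture:        {0}", neutral ? "neutral" : name.CultureInfo.Name);

        // The token is the last 8 bytes of SHA-1(public key), byte-reversed; it is
        // what assembly references store instead of the full key.
        byte[] token = name.GetPublicKeyToken();
        Console.WriteLine("PublicKeyToken: {0}",
                          token == null || token.Length == 0 ? "null (not strong-named)" : Hex(token));

        // This is the string a strong-bound reference carries. The loader will not
        // satisfy it with a same-named assembly built with a different key or version.
        Console.WriteLine("Full name:      {0}", name.FullName);

        byte[] publicKey = name.GetPublicKey();
        if (publicKey != null && publicKey.Length > 0)
        {
            // Strong names feed CAS as identity evidence. Demanding a
            // StrongNameIdentityPermission checks the key (and optionally name and
            // version) of every caller; here the only caller is this assembly.
            StrongNamePublicKeyBlob blob = new StrongNamePublicKeyBlob(publicKey);
            StrongNameIdentityPermission self = new StrongNameIdentityPermission(blob, name.Name, null);
            self.Demand();
            Console.WriteLine("StrongNameIdentityPermission demand satisfied");

            // The same check expressed declaratively, to protect a public API so that
            // only assemblies signed with this key may link to it:
            Console.WriteLine("Declarative form for callers:");
            Console.WriteLine("  [StrongNameIdentityPermission(SecurityAction.LinkDemand, PublicKey = \"{0}\")]",
                              Hex(publicKey));
        }
    }

    static string Hex(byte[] bytes)
    {
        StringBuilder sb = new StringBuilder(bytes.Length * 2);
        foreach (byte b in bytes) sb.Append(b.ToString("x2"));
        return sb.ToString();
    }
}
```

The printed attribute is the form used to restrict an API to callers signed with a known key; because it is a LinkDemand it is checked once, against the immediate caller, when the call site is JIT-compiled, so it is cheaper than a full Demand but also offers no protection against that caller forwarding the call on behalf of less trusted code.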

 

 

Summary

 

In this article we covered the following points:

  1. Prefer declarative security over imperative security whenever the permission is known at compile time.
  2. Use permissions, strong names and policies together: permissions express what code needs, strong names identify code, and policies decide what identified code is granted.
  3. Code access security grants permissions to code based on evidence about the code, not on the identity of the user running it.

David Silverlight's XMLPitstop.com| 2801 Florida Ave #225|Miami, FL 33133|Ph:305-447-1139