Security in ASP.NET
- Overview of Security
- Understanding Security in ASP.NET
Code security means protecting your code from attackers so that it cannot be hijacked, while allowing administrators to control what code is allowed to do.
There are two techniques for achieving code security:
- Code Access Security
- Evidence Based Security
1. Code Access Security
Code Access Security provides powerful features to protect against inadvertent or malicious code attacks. The CLR ensures that code has enough trust to access protected system resources. For that:
- Code must hold the required permissions before it can access a protected resource.
- Permissions are granted based on the identity and origin of the code.
- A permission is a set of capabilities: the right to interact with a given resource in a given way.
- Permission types are orthogonal. A demand for a permission of type X can only be satisfied by a grant of a permission of type X, never by a grant of some other type.
Permissions protect resources such as the following:
Permission Class Methods
Code can explicitly use the following methods to manage security:
The call stack is examined on every demand in order to determine the security credentials of each caller. A SecurityException is thrown if code accesses a resource without holding the needed permission.
Declarative Security Demand
The following is an example declaration:
public void obj()
Before implementing this, you have to use the following class:
You have to remember the following things:
1. A security declaration cannot contain runtime variables.
2. The permission state must be completely specified at compile time.
3. Declarative security is the preferred form wherever it can be used.
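The declarative demand above survives only as a method signature, so here is a complete added example (my own code, not from the article) that shows the same FileIOPermission demand written declaratively and imperatively, and uses PermitOnly, one of the permission class methods, to make a refused demand observable even in a fully trusted process. It assumes the .NET Framework (CAS demands are not enforced on .NET Core / .NET 5+); the paths C:\Logs\app.log and C:\Logs are constructed sample values.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Added example (not from the article). Shows the same FileIOPermission demand
// written declaratively (attribute, fixed at compile time) and imperatively
// (permission object built at run time), plus PermitOnly to make a failed
// demand observable even when the process itself is fully trusted.
// Assumes the .NET Framework: CAS demands are not enforced on .NET Core / .NET 5+.
// The paths C:\Logs\app.log and C:\Logs are constructed sample values.
class DemandDemo
{
    // Declarative demand: the CLR walks the call stack before the body runs,
    // so every caller must hold read access to this exact path. The path has to
    // be a compile-time constant (rules 1 and 2 above); in return the requirement
    // is visible as metadata without running the code.
    [FileIOPermission(SecurityAction.Demand, Read = @"C:\Logs\app.log")]
    public static string ReadLogDeclarative()
    {
        return File.ReadAllText(@"C:\Logs\app.log");
    }

    // Imperative demand: the permission object is created at run time, so the
    // path can be a variable. Demand() throws SecurityException if any caller on
    // the stack was not granted FileIOPermission for this path.
    public static string ReadLogImperative(string path)
    {
        var readPerm = new FileIOPermission(FileIOPermissionAccess.Read, path);
        readPerm.Demand();
        return File.ReadAllText(path);
    }

    // PermitOnly narrows the effective grant for the rest of this frame to read
    // access on the directory; a later write demand then fails with
    // SecurityException even though the assembly itself may be fully trusted.
    public static bool TryWriteUnderReadOnlyWindow(string directory)
    {
        var readOnly = new FileIOPermission(FileIOPermissionAccess.Read, directory);
        readOnly.PermitOnly();
        try
        {
            new FileIOPermission(FileIOPermissionAccess.Write, directory).Demand();
            return true;   // not reached while CAS is enforced
        }
        catch (SecurityException)
        {
            return false;  // the write demand was refused by the PermitOnly window
        }
        finally
        {
            CodeAccessPermission.RevertPermitOnly();
        }
    }

    static void Main()
    {
        const string path = @"C:\Logs\app.log";   // constructed sample path
        try
        {
            Console.WriteLine("Imperative read: {0} chars", ReadLogImperative(path).Length);
            Console.WriteLine("Declarative read: {0} chars", ReadLogDeclarative().Length);
        }
        catch (SecurityException ex)
        {
            // A caller on the stack lacked read permission for the path.
            Console.WriteLine("Demand failed: " + ex.Message);
        }
        catch (IOException ex)
        {
            // Permission was granted but the file is missing: a different failure,
            // which is why the two exceptions are caught separately.
            Console.WriteLine("I/O error: " + ex.Message);
        }

        Console.WriteLine("Write allowed inside read-only window: " +
                          TryWriteUnderReadOnlyWindow(@"C:\Logs"));
    }
}
```

The two read methods are equivalent from the CLR's point of view; the declarative form is what point 3 above recommends because the requirement can be read from the assembly's metadata by tools and administrators, while the imperative form is needed whenever the resource name is only known at run time.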
An assembly may request permissions, but only from the set that policy would grant it; a request can narrow the grant, never widen it. There are three kinds of request:
- Minimum: do not run the assembly without these permissions.
- Optional: use these permissions if they are available.
- Refused: never grant these permissions, even if policy would.
- The CLR may grant fewer permissions than policy allows, but never more than the allowed set.
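The three kinds of assembly-level request above, as an added example of my own (not the article's code): each is an assembly attribute, and the code then checks at run time whether the optional one was actually granted. The folder and registry key names are constructed sample values. It assumes the .NET Framework 2.0/3.5 CAS policy model; CLR 4 ignores these request attributes unless legacy CAS policy is enabled.

```csharp
using System;
using System.Security;
using System.Security.Permissions;

// Added example (not from the article): the three kinds of assembly-level
// permission request, expressed as assembly attributes. Paths and key names are
// constructed sample values. Assumes the .NET Framework 2.0/3.5 CAS policy
// model; CLR 4 ignores these requests unless legacy CAS policy is enabled.

// Minimum: the loader refuses to run the assembly at all if policy would not
// grant read access to this folder.
[assembly: FileIOPermission(SecurityAction.RequestMinimum, Read = @"C:\AppData")]

// Optional: use it if policy grants it; the code below must cope with a refusal.
// Once any RequestOptional is present, the grant is limited to Minimum + Optional,
// so every permission the assembly could need has to be listed.
[assembly: RegistryPermission(SecurityAction.RequestOptional,
                              Read = @"HKEY_LOCAL_MACHINE\SOFTWARE\Contoso")]

// Refused: never grant this, even if policy would. The assembly cannot call
// unmanaged code no matter how trusted its origin is.
[assembly: SecurityPermission(SecurityAction.RequestRefuse, UnmanagedCode = true)]

class AssemblyRequestDemo
{
    // Finds out whether the optional registry permission was actually granted
    // by demanding it and catching the refusal, so the feature can be switched
    // off gracefully instead of failing later in an unrelated place.
    public static bool RegistrySettingsAvailable()
    {
        try
        {
            new RegistryPermission(RegistryPermissionAccess.Read,
                                   @"HKEY_LOCAL_MACHINE\SOFTWARE\Contoso").Demand();
            return true;
        }
        catch (SecurityException)
        {
            return false;
        }
    }

    static void Main()
    {
        // Reaching this point already proves the RequestMinimum grant succeeded:
        // otherwise the assembly would have failed to load, with the CLR reporting
        // that the minimum permission request could not be granted.
        Console.WriteLine("Registry-backed settings: " +
            (RegistrySettingsAvailable()
                ? "enabled"
                : "disabled (optional permission refused by policy)"));
    }
}
```

The refuse request is the one worth keeping in mind from a defensive standpoint: it caps what the assembly can do regardless of how generous the policy on a given machine turns out to be.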
2. Evidence Based Security
Policy Evaluation in the CLR
Policy is the process of determining the set of permissions to grant to code, based on the evidence known about that code.
Requiring end users to write programs in order to express policies is a bad idea.
So we need a declarative, administrative model, which .NET supports.
The CLR examines evidence about code to determine whether it is trustworthy.
Evidence is presented by an assembly at load time; it is either location based or identity based.
The .NET Framework Configuration tool (Mscorcfg.msc), a management console snap-in, can be used to modify and manage security policy.
The command line tool caspol.exe can also be used to modify and manage security policy.
Hierarchical Policy Levels
The CLR supports multiple, ordered policy levels for administration:
- Enterprise: common policy for the organization
  - pushed out as an MSI file via the Group Policy Editor
- Machine: policy for all users of a given machine
- User: policy specific to the logged-in user
The effective policy is the intersection of all the levels: a permission is granted only if every level grants it.
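To make the intersection rule concrete, here is an added example of my own (not the article's code) that models the Enterprise, Machine and User levels as three PermissionSet objects and intersects them. The contents of each level are constructed sample values, not a real machine's policy (the real levels would be inspected with caspol.exe or Mscorcfg.msc); it assumes the .NET Framework, where the PermissionSet API is fully implemented.

```csharp
using System;
using System.Security;
using System.Security.Permissions;

// Added example (not from the article): models "the effective policy is the
// intersection of all the levels" by intersecting three PermissionSets that
// stand in for the Enterprise, Machine and User levels. The contents are
// constructed sample values, not a real machine's policy. Assumes the .NET Framework.
class EffectivePolicyDemo
{
    const string DataDir = @"C:\AppData";                          // constructed
    const string RegKey  = @"HKEY_LOCAL_MACHINE\SOFTWARE\Contoso";  // constructed

    // Enterprise level: generous, pushed out by the organization.
    static PermissionSet Enterprise()
    {
        var ps = new PermissionSet(PermissionState.None);
        ps.AddPermission(new FileIOPermission(FileIOPermissionAccess.Read | FileIOPermissionAccess.Write, DataDir));
        ps.AddPermission(new RegistryPermission(RegistryPermissionAccess.Read, RegKey));
        ps.AddPermission(new UIPermission(UIPermissionWindow.AllWindows));
        return ps;
    }

    // Machine level: the local administrator narrowed file access to read-only.
    static PermissionSet Machine()
    {
        var ps = new PermissionSet(PermissionState.None);
        ps.AddPermission(new FileIOPermission(FileIOPermissionAccess.Read, DataDir));
        ps.AddPermission(new RegistryPermission(RegistryPermissionAccess.Read, RegKey));
        ps.AddPermission(new UIPermission(UIPermissionWindow.AllWindows));
        return ps;
    }

    // User level: this user's policy grants no registry access at all.
    static PermissionSet User()
    {
        var ps = new PermissionSet(PermissionState.None);
        ps.AddPermission(new FileIOPermission(FileIOPermissionAccess.Read, DataDir));
        ps.AddPermission(new UIPermission(UIPermissionWindow.AllWindows));
        return ps;
    }

    // Intersect the levels in order. PermissionSet.Intersect returns null when
    // the result is empty, so that case is mapped back to an empty set.
    public static PermissionSet Effective(params PermissionSet[] levels)
    {
        PermissionSet result = levels[0];
        for (int i = 1; i < levels.Length && result != null; i++)
            result = result.Intersect(levels[i]);
        return result ?? new PermissionSet(PermissionState.None);
    }

    // True if the demanded permission is covered by the grant set; this is the
    // per-frame check the CLR performs while walking the stack on a demand.
    public static bool Covers(PermissionSet grant, IPermission demanded)
    {
        IPermission granted = grant.GetPermission(demanded.GetType());
        return granted != null && demanded.IsSubsetOf(granted);
    }

    static void Main()
    {
        PermissionSet effective = Effective(Enterprise(), Machine(), User());
        Console.WriteLine(effective.ToXml());

        // Write was allowed by Enterprise but removed by Machine; registry read was
        // allowed by Enterprise and Machine but removed by User. Only what every
        // level grants survives.
        Console.WriteLine("Read  " + DataDir + ": " + Covers(effective, new FileIOPermission(FileIOPermissionAccess.Read, DataDir)));
        Console.WriteLine("Write " + DataDir + ": " + Covers(effective, new FileIOPermission(FileIOPermissionAccess.Write, DataDir)));
        Console.WriteLine("Read  " + RegKey + ": " + Covers(effective, new RegistryPermission(RegistryPermissionAccess.Read, RegKey)));
    }
}
```

The practical consequence for administrators is that loosening one level never helps if a stricter level remains: to give code a permission, every level must grant it, and to take one away, it is enough to remove it from any single level.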
Assemblies get their identity from a strong name, which is made up of:
- Simple name: the name of the file minus the extension
- Version: a four-part version number
- Culture: used for resource assemblies
- Public key and digital signature: establish the validity of the assembly
All references to an assembly include all of this information; this is known as strong binding.
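The following added example (my own code, not from the article) takes a strong name apart into the four parts listed above and checks a reference against a definition the way strong binding requires, with every part having to match. The display names are constructed sample values and the public key tokens are not real; verifying the digital signature itself is the assembly loader's job and is not shown.

```csharp
using System;
using System.Globalization;
using System.Reflection;

// Added example (not from the article): splitting a strong name into its four
// parts and checking a reference against a definition as strong binding
// requires. Display names below are constructed sample values; the public key
// tokens are not real. Signature verification is done by the loader, not here.
class StrongNameDemo
{
    // An assembly without a public key token has only a simple (weak) name.
    public static bool IsStrongNamed(AssemblyName name)
    {
        byte[] token = name.GetPublicKeyToken();
        return token != null && token.Length > 0;
    }

    // The four parts listed above, read from the parsed display name.
    public static string Describe(AssemblyName name)
    {
        string culture = name.CultureInfo == null ? "(unspecified)"
                       : name.CultureInfo.Equals(CultureInfo.InvariantCulture) ? "neutral"
                       : name.CultureInfo.Name;
        string token = IsStrongNamed(name)
                     ? BitConverter.ToString(name.GetPublicKeyToken()).Replace("-", "").ToLowerInvariant()
                     : "(none: simple name only)";
        return string.Format("Simple name: {0}\nVersion:     {1}\nCulture:     {2}\nPublic key token: {3}",
                             name.Name, name.Version, culture, token);
    }

    // Strong binding: a reference resolves only to a definition with the same
    // simple name, version, culture and public key token.
    public static bool StrongBindingMatches(AssemblyName reference, AssemblyName definition)
    {
        if (!IsStrongNamed(reference) || !IsStrongNamed(definition)) return false;
        bool sameName    = string.Equals(reference.Name, definition.Name, StringComparison.OrdinalIgnoreCase);
        bool sameVersion = reference.Version != null && reference.Version.Equals(definition.Version);
        bool sameCulture = object.Equals(reference.CultureInfo, definition.CultureInfo);
        bool sameToken   = TokensEqual(reference.GetPublicKeyToken(), definition.GetPublicKeyToken());
        return sameName && sameVersion && sameCulture && sameToken;
    }

    static bool TokensEqual(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        for (int i = 0; i < a.Length; i++)
            if (a[i] != b[i]) return false;
        return true;
    }

    static void Main()
    {
        // Constructed sample display names (the tokens are not real key tokens).
        var definition = new AssemblyName("Contoso.Payments, Version=2.1.0.0, Culture=neutral, PublicKeyToken=0123456789abcdef");
        var goodRef    = new AssemblyName("Contoso.Payments, Version=2.1.0.0, Culture=neutral, PublicKeyToken=0123456789abcdef");
        var wrongKey   = new AssemblyName("Contoso.Payments, Version=2.1.0.0, Culture=neutral, PublicKeyToken=fedcba9876543210");
        var oldVersion = new AssemblyName("Contoso.Payments, Version=2.0.0.0, Culture=neutral, PublicKeyToken=0123456789abcdef");
        var simpleRef  = new AssemblyName("Contoso.Payments");

        Console.WriteLine(Describe(definition));
        Console.WriteLine("same name, key and version binds: " + StrongBindingMatches(goodRef, definition));
        Console.WriteLine("different public key binds:       " + StrongBindingMatches(wrongKey, definition));
        Console.WriteLine("older version binds:              " + StrongBindingMatches(oldVersion, definition));
        Console.WriteLine("simple (weak) reference binds:    " + StrongBindingMatches(simpleRef, definition));
    }
}
```

The wrongKey case is the security-relevant one: an assembly with the same simple name and version but signed with a different key is a different identity, so a strongly bound reference will not pick it up even if it is placed where the loader looks first.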
In this article we covered the following points:
- It is better to use declarative security rather than imperative security.
- Use permissions, strong names and policies.
- Code access and evidence based security.