RE: Do all three permission classes (Identity Permission, Code Access Permission and Role Based Permission) fall under CAS?
From: Novice (6tc1ATqlinkDOTqueensuDOTca)
Date: 02/26/04
- Next message: Shawn Farkas: "RE: Do all three permission classes (Identity Permission, Code Access Permission and Role Based Permission) fall under CAS?"
- Previous message: MJ: "web.config and forms authentication problem"
- In reply to: Shawn Farkas: "RE: Do all three permission classes (Identity Permission, Code Access Permission and Role Based Permission) fall under CAS?"
- Next in thread: Shawn Farkas: "RE: Do all three permission classes (Identity Permission, Code Access Permission and Role Based Permission) fall under CAS?"
- Reply: Shawn Farkas: "RE: Do all three permission classes (Identity Permission, Code Access Permission and Role Based Permission) fall under CAS?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 25 Feb 2004 16:11:06 -0800
Believe it or not, I've actually read a number of technical documents from Microsoft on .NET security - but I do appreciate the additional references.
For clarification:
1.
Would you consider the Code Access Security policy system to be the system that takes evidence and a security policy (set of configurable rules) as input and produces a set of permissions based on those? The common trend I've seen in Microsoft documents is to compare the above to a function that takes two input variables and gives the output of permissions.
2.
a)
Instead of saying "Three Permission Classes" I should say there are "Three Types of Permission Classes"? Since there are many permission classes that belong to each of the three types I mentioned (Code Access Permissions, Identity Permissions and Role Based Security Permissions).
b)
In addition, only Code Access Permissions and Identity Permissions should be thought of as belonging to Code Access Security, correct? However, Role Based Permissions do NOT belong to Code Access Security.
3.
a)
Through the use of Declarative and Imperative Security requests/statements, ONLY two types of permission classes (role-based permission classes and code access permission classes) can restrict access to protected operations like creating, deleting and modifying files and directories. However, these requests can never allow the user to exceed the permissions that the user has provided to them by the OS (hence the whole idea of .NET being built around the OS - I have a nice diagram that displays this). Is that correct?
b)
Through the use of Evidence and the configurable security policy Identity Permission classes can be used to restrict access to protected operations like creating, deleting and modifying files and directories. However, these requests can never allow the user to exceed the permissions that the user has provided to them by the OS (hence the whole idea of .NET being built around the OS - I have a nice diagram that displays this). Is that correct?
4.
a)
You have implied that CAS and Evidence Based Security are different terminology for the same concept - however, wouldn't evidence based security only refer to CAS provided through the use of Identity Permissions?
b)
Also in one of the Microsoft documents I read***, it differentiated between Evidence-based Security and Code Access Security like this:
---------------------------------------------------------
Evidence-Based Security and Code Access Security
Two separate technologies work together to protect managed code:
Evidence-based security determines what permissions to grant to code.
Code access security checks that all code on the stack has the necessary permissions to do something.
Permissions bind these technologies together: a permission is the right to perform a specific protected operation. For example, "to read c:\temp" is a file permission; "to connect to www.msn.com" is a network permission.
[there is more information - please see the document I provide the link to at the bottom of this message]
---------------------------------------------------------
which is different from what I would deduce it is from its wording (I stated my deduction in 4.a) ).
5.
You have said that Role-Based Permission classes do not belong to Code Access Security - however, in O'Reilly's book Programming .NET Security, page 102 it says "CAS supports the following three permission request operations...." Can you not use these permission requests in conjuncture with Role-Based Permissions? Therefore, wouldn't Role Based Permissions be part of Code Access Security?
I have more questions - but if you are able to answer these questions above for me then I will be ecstatic! I hope the above questions don't come across too aggressively, I'm just trying to better understand how all of these concepts interrelate and just when I think I'm starting to understand their relationship to one another I find myself more confused than before.
Thanks very much,
Novice
*** http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/seccodeguide.asp
- Next message: Shawn Farkas: "RE: Do all three permission classes (Identity Permission, Code Access Permission and Role Based Permission) fall under CAS?"
- Previous message: MJ: "web.config and forms authentication problem"
- In reply to: Shawn Farkas: "RE: Do all three permission classes (Identity Permission, Code Access Permission and Role Based Permission) fall under CAS?"
- Next in thread: Shawn Farkas: "RE: Do all three permission classes (Identity Permission, Code Access Permission and Role Based Permission) fall under CAS?"
- Reply: Shawn Farkas: "RE: Do all three permission classes (Identity Permission, Code Access Permission and Role Based Permission) fall under CAS?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
