Security in .net application RRS feed

  • Question

  • Hi All,

    I have to architect a solution which caters to retail industry.
    My query is on what conditions should i think of implementing code access security or role based
    security or both.

    Regarding code access security, i can think of a method in the application class which read and writes
    from files in file system,hence should be protected under code access security.

    Please let me know in what other major scenarios(like one discussed above) should i implement role based and code access
    security as I believe that implementing these security on the whole
    application will ultimately degrade the performance.

    Kindly suggest


    Friday, January 25, 2008 2:30 PM

All replies

  • This is going to seem a bit obvious, but you need to implement them where there is a reason to do so.


    So CAS is used generally to make sure that the accessing of devices is allowed, and role based security is to give used access to various parts of the system.


    So you need to see where those siutations occur, and implement the security as required.  There aren't any shortcuts, as that would mean security holes, but then again, it really depends on what the weakest link in such a system might be.  In the retail industry doesn't tell us what environment the software is to be used in, or how it will be used.


    You would need to find out what you need to limit access to.


    I hope this helps you to get thinking,


    Martin Platt.

    Tuesday, January 29, 2008 3:00 AM
  • Hi Martin,


    Ya,your CAS usage definition is very much near to what is require.This is an .net application which will reside on a USB drive and we will run it after plugging it to a computer.I want to make sure that using this application residing on USB,no application should be able to write files,registry to computer for this whole application.

    How can i set it for whole application,as i can't set it at machine.config level because computers will go on changing.

    Should it be set in app.config of application. Will then this security be applicable to whole application.

    If yes, will then i be able to override it on some method level.






    Friday, February 1, 2008 12:23 PM
  • You would use CAS in your code, typically attributes on methods or classes.


    CAS is code access security, remember, so it is a code based solution.  CAS only allows the code to be trusted to perform particular tasks.  If the code is partially trusted, then the code will be allowed to specify what it is meant to have access to.  CAS is used to stop other code from piggybacking onto it, and using it to gain access to resources that it is not meant to.  This is particularly of use from an internet location, but applications running locally I would expect, would be fully trusted, and so CAS would be ignored.


    I hope this helps,


    Martin Platt.

    Wednesday, February 6, 2008 4:19 AM