I have been immersed in Code Access Security (CAS) this weekend as we ramp up .Net security for an ASP.Net/Enterprise Services (ES) project.
The book Improving Web Application Security: Threats and Countermeasures, among others, has been my main resource. John Lam's work from a couple of months ago has also been very helpful.
One design I am looking at is setting up the ASP.Net pages with Partial Trust (this is only allowed in 1.1). For Partially Trusted ASP.Net pages to call Fully Trusted, GAC-installed ES/COMPlus components, I have to go through a sandbox wrapper component that is also installed in the GAC with Full Trust, but marked with the AllowPartiallyTrustedCallersAttribute.
The one item I'm wondering about is how to transfer the security roles created with Forms Authentication to the ES/COMPlus role-based security. According to the docs, I know that in 1.0 the security stack is not transferred to ES when the thread switches, but I am not sure about 1.1. To me, that means I have to re-translate the custom roles from ASP.Net into NT group roles created for COMPlus security. Any ideas from anyone on this?
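To make the two design points above concrete, here is an added C# sketch of the sandbox wrapper; it is not code from the original post. It assumes a hypothetical GAC-installed Enterprise Services component `Payroll.Ledger`, a Forms Authentication role named "Approvers", and that the COM+ call path demands `UnmanagedCode` (adjust the asserted permission to whatever the real component's path actually demands). The wrapper does the Forms-role check itself, before the call crosses into COM+, since the ES side will only see the process identity rather than the Forms principal, and it asserts only after that check has passed so the Assert cannot be reached by an unauthorized caller.

```csharp
// Added example (not from the original post): a GAC-installed, APTCA-marked
// sandbox wrapper sitting between Medium-trust ASP.NET 1.1 pages and a fully
// trusted Enterprise Services component. All names are hypothetical.
using System;
using System.EnterpriseServices;
using System.Security;
using System.Security.Permissions;

// Without this attribute a strong-named assembly carries an implicit
// LinkDemand for FullTrust, so partially trusted pages could not call it at all.
[assembly: AllowPartiallyTrustedCallers]

namespace Payroll
{
    // Stand-in for the real ES/COM+ component. In practice this lives in its own
    // fully trusted, GAC-installed assembly; it is inlined here so the file compiles.
    [Transaction(TransactionOption.Required)]
    public class Ledger : ServicedComponent
    {
        [AutoComplete]
        public decimal GetBalance(string accountId)
        {
            // Hypothetical lookup; a real component would hit the database here.
            return accountId.Length * 100m;
        }
    }
}

namespace Sandbox
{
    public sealed class LedgerGateway
    {
        // Every public entry point gates on the Forms Authentication role first.
        // PrincipalPermission checks Thread.CurrentPrincipal, which ASP.NET sets
        // to the Forms-authenticated GenericPrincipal for the current request.
        public decimal GetBalance(string accountId)
        {
            new PrincipalPermission(null, "Approvers").Demand();

            // Validate input before it crosses the trust boundary; the partially
            // trusted page is the untrusted side of this call.
            if (accountId == null || accountId.Length == 0 || accountId.Length > 32)
                throw new ArgumentException("invalid account id", "accountId");

            // Only after the role check succeeds do we assert what the COM+ call
            // needs, and we keep the asserted window as small as possible.
            // UnmanagedCode is an assumption (COM interop demands it); replace it
            // with the permission the real component path demands.
            new SecurityPermission(SecurityPermissionFlag.UnmanagedCode).Assert();
            try
            {
                // ServicedComponent implements IDisposable, so 'using' releases
                // the COM+ context promptly.
                using (Payroll.Ledger ledger = new Payroll.Ledger())
                {
                    return ledger.GetBalance(accountId);
                }
            }
            finally
            {
                // Never leave an Assert standing on the thread after the call.
                CodeAccessPermission.RevertAssert();
            }
        }
    }
}
```

The page side needs nothing beyond `<trust level="Medium" />` in web.config and a reference to the strong-named wrapper; the wrapper and the ES component are installed in the GAC. The Demand-then-Assert ordering is the point of the wrapper: the Assert is what lets a partial-trust caller reach full-trust code, so the only thing that should ever stand in front of it is a check the partial-trust side cannot forge.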