Robert Hurlbut Blog

Thoughts on Software Security, Software Architecture, Software Development, and Agility

Code Access Security with ASP.Net and ES

Sunday, November 9, 2003


I have been immersed in Code Access Security (CAS) this weekend as we ramp up .Net security for an ASP.Net/Enterprise Services (ES) project.

This book, Improving Web Application Security: Threats and Countermeasures, among others, has been my resource. Also, John Lam's work a couple of months ago has been very helpful as well.

One design I am looking at is setting up ASP.Net pages with Partial Trust (this is only allowed in 1.1).  In order to call Fully Trusted GAC-installed ES/COMPlus components by Partially Trusted ASP.Net pages, I have to use a sandbox wrapper component that is also installed in the GAC with Full Trust, but with the AllowPartiallyTrustedCallersAttribute. 
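The wrapper design described above, sketched as an added C# example (not code from the original post or from the book it cites). `OrderService`, `OrderServiceWrapper` and `GetStatus` are hypothetical names, and both the demand for Medium-level `AspNetHostingPermission` and the assertion of only unmanaged-code permission are assumptions about what the caller holds and what the ES call path demands.

```csharp
// Added illustration for .NET Framework 1.1; every type and method name here is hypothetical.
// The wrapper assembly is assumed to be strong-named and installed in the GAC.
using System;
using System.EnterpriseServices;
using System.Security;
using System.Security.Permissions;
using System.Web;

// A strong-named assembly carries an implicit link demand for full trust on
// its callers. This attribute removes it so partial-trust pages can call in.
[assembly: AllowPartiallyTrustedCallers]

namespace Sandbox
{
    // Stand-in for the fully trusted ES/COM+ component. In the design above it
    // sits in its own GAC-installed assembly, which does NOT carry the attribute.
    public class OrderService : ServicedComponent
    {
        public string GetStatus(int orderId) { return "status-" + orderId; }
    }

    public sealed class OrderServiceWrapper
    {
        public string GetStatus(int orderId)
        {
            // The attribute exposes this method to any partially trusted code
            // on the machine, so validate input as untrusted.
            if (orderId <= 0) throw new ArgumentOutOfRangeException("orderId");

            // Authorize the caller BEFORE asserting: demand a permission the
            // partial-trust ASP.NET page is expected to hold (assumed: Medium).
            new AspNetHostingPermission(AspNetHostingPermissionLevel.Medium).Demand();

            // Stop the stack walk at this frame so the page's restricted grant
            // does not fail the demand raised by the interop call (assumed to
            // be unmanaged code only). Keep the assertion as narrow as possible.
            new SecurityPermission(SecurityPermissionFlag.UnmanagedCode).Assert();
            try
            {
                using (OrderService svc = new OrderService())
                {
                    return svc.GetStatus(orderId);
                }
            }
            finally
            {
                CodeAccessPermission.RevertAssert(); // never leave the assertion active
            }
        }
    }
}
```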

The one item I'm wondering about is how to transfer security roles created using Forms Authentication to the ES/COMPlus roles-based security? According to docs, I know that in 1.0, the security stack is not transferred to ES when the thread switches, but I am not sure about 1.1. That means, to me, I have to re-translate the custom roles from ASP.Net into NT Group Roles created for COMPlus security. Any ideas from anyone on this?
