Code Security
Security Facts
When working with application security, it’s important to understand the difference between authentication and authorization:
- Authentication is the process of ensuring that users are who they say they are. Authentication typically uses a user name and a password.
- Authorization happens after authentication and identifies the level of access allowed to a given user. For example, authorization might identify specific files to which the user has access.
.NET uses two mechanisms for controlling security:
- Code access security allows you to specify which resources your code may and may not access and which operations it can and cannot perform. Code access security in .NET allows different segments of code to be trusted to different degrees, minimizing the need for full trust of the system (which is dangerous).
- Role-based security allows you to specify what permissions a particular user has, often based on the role (or Windows group) of the user.
If you get an error like “System.Security.Policy.Exception: Failed to aquire required permissions”, you can run the Permissions View Tool (Permview.exe) on the server to view the permissions required by the components you are trying to configure to run…
There are two models of implementing each type of security: declarative and imperative.
- With declarative security, assemblies, classes, and class members are tagged with security attributes that identify the security rules to apply to the assembly, class, or class member. .NET automatically controls access based on the security attributes.
- With imperative security, the permissions and demands are placed directly in the code. They are applied at runtime as the code is encountered. The programmer is responsible for identifying when and how to apply security restrictions.
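The two models side by side for role-based security, as an added example that is not code from the original page. It assumes the .NET Framework (where `PrincipalPermission` is enforced); the `PayrollReports` class, the role names and the "alice" identity are hypothetical values constructed for illustration.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

public static class PayrollReports   // hypothetical class for illustration
{
    // Declarative: the rule is an attribute on the member. The runtime checks
    // Thread.CurrentPrincipal before the method body runs.
    [PrincipalPermission(SecurityAction.Demand, Role = "Managers")]
    public static string ReadSummary()
    {
        return "summary";
    }

    // Imperative: the demand is built and issued in code, so the required
    // role can be decided at run time.
    public static string ReadDetail(string requiredRole)
    {
        new PrincipalPermission(null, requiredRole).Demand();
        return "detail";
    }
}

public static class Program
{
    // A failed demand surfaces as a SecurityException; map it to "denied".
    static string Try(Func<string> action)
    {
        try { return action(); }
        catch (SecurityException) { return "denied"; }
    }

    public static void Main()
    {
        // Constructed identity: authenticated as "alice", member of "Staff" only.
        Thread.CurrentPrincipal = new GenericPrincipal(
            new GenericIdentity("alice"), new[] { "Staff" });

        // Declarative demand for "Managers": alice is not in that role.
        Console.WriteLine(Try(PayrollReports.ReadSummary));
        // Imperative demand for a role alice holds, then one she does not.
        Console.WriteLine(Try(() => PayrollReports.ReadDetail("Staff")));
        Console.WriteLine(Try(() => PayrollReports.ReadDetail("Managers")));
    }
}
```

Both forms fail closed: when the current principal does not satisfy the demand, the protected code never runs and the caller sees a `SecurityException`.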
In general, it is not only the immediate caller that must meet the security criteria: the entire call stack is traced (or walked), and each subsequent caller is required to have the appropriate permissions. This prevents untrusted methods from using more trusted objects and methods to access secure resources. This behavior can be overridden