CAS and C#


Not to start a lang war, but I asked a couple VB.NET people how they resolved
a CAS issue I had using SQL adapters, FileIO operations and the like. I got
some (quite a few) blank looks. Do VB.NET authors not have this issue or is
it possible their code is so benign it never used any secured resources? Most
of it is reading/writing to SQL tables. We're using the 1.1 framework and SDK.

Reading their code I saw and Import statements like these using statements:
using System.Security.Permissions;
using System.Security;

What gives?

TIA,

E.
 
Esteban,

What is the issue that you are having? Not to start a language war
either, but in general, VB is not targeted towards the audience that is
concerned with such things. Right now, MS is marketing VB to the hobbyist
programmer, and in general, programmers on that level are not going to be
concerned with things like CAS.

What specifically is your issue?
 
I'd say it doesn't depend on the language as much as the environment.

ASP.NET web developers using any language are accustomed to having
their code running on the server with full trust, indeed, in 1.0 the
code could only run with full trust, and many people are not aware of
the different trust levels in 1.1.

People writing smart client applications and HREF EXEs have to take
CAS into account regardless of the language. If not, the software
breaks!
 
Thanks for the response Nicholas,

My specific issue is that I'm receiving error messages stating that I have
not assigned sufficient permissions to perform the operations. Reading
through the complexities of CAS, I am over my head trying to get my code to
the users fast. This is due this month and I've got 3 days left before I'm
out "in training" for a week.

The application is a WinForm quick and dirty slide show requiring FullPath,
FileIO, SQL access. I've created the ActiveDirectory groups in SQL Server 2K
and everything works using this role-based Windows security as far as old
school thought goes. I'm catching a lot of heat because I can't just code-n-go
like they are. It will eventually be an ASP.NET application used as a new
generator/posting application for these kiosks. I believe if you can access
one path or one database in a domain, you can get to others, so the code
needs to be more secure than normal.

I do think more C-like than VB and picked up C# quickly. Now I just need to
wrestle the requirements like CAS into submission (mentally).

Thanks for the response >>though I won't say anything regarding the toy-like
nature of VB.NET. ;-]

E.

 
Esteban404,

Are you running this program from a network share? If that is the case,
then you are going to run with limited permissions. You will have to create
a policy on the machine that will allow the assembly to execute. Basically,
you would create a new code group for the machine, and have the condition
for the code group be a hash of the assembly (which is bound to change as
you change the assembly) or a strong name (will allow changes to take place
in the assembly without you having to redefine the code group). Then,
assign the permissions you need (or the Full Trust permission set) to the
group, and it should work fine.


--
- Nicholas Paldino [.NET/C# MVP]
- (e-mail address removed)
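
The code group described in the reply above, created through the .NET Framework `System.Security.Policy` API instead of the configuration tool. This is an added example, not code from the thread: the class name, the group name and the two command-line arguments are assumptions, and it grants a narrow permission set (execution, UI, read access to one folder, SQL client) rather than Full Trust.

```csharp
// Build: csc /r:System.Data.dll AddStrongNameCodeGroup.cs   (run as an administrator)
using System;
using System.Collections;
using System.Data.SqlClient;
using System.Reflection;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

class AddStrongNameCodeGroup
{
    // args[0] = strong-named assembly, args[1] = absolute path of the slide folder
    static int Main(string[] args)
    {
        if (args.Length != 2) return 1;

        // Evidence: the public key the assembly was signed with (from the *.snk).
        byte[] key = AssemblyName.GetAssemblyName(args[0]).GetPublicKey();
        if (key == null || key.Length == 0) return 1;   // not strong-named

        // Null name and version: any assembly signed with this key matches,
        // so a rebuilt assembly does not require redefining the group.
        StrongNameMembershipCondition condition =
            new StrongNameMembershipCondition(new StrongNamePublicKeyBlob(key), null, null);

        // Grant only what the application needs.
        PermissionSet grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        grant.AddPermission(new UIPermission(PermissionState.Unrestricted));
        grant.AddPermission(new FileIOPermission(
            FileIOPermissionAccess.Read | FileIOPermissionAccess.PathDiscovery, args[1]));
        grant.AddPermission(new SqlClientPermission(PermissionState.Unrestricted));

        CodeGroup group = new UnionCodeGroup(condition, new PolicyStatement(grant));
        group.Name = "SlideShow_StrongName";             // hypothetical group name

        // Attach the group under the root of the Machine policy level and save it.
        IEnumerator levels = SecurityManager.PolicyHierarchy();
        while (levels.MoveNext())
        {
            PolicyLevel level = (PolicyLevel)levels.Current;
            if (level.Label != "Machine") continue;
            CodeGroup root = level.RootCodeGroup;
            root.AddChild(group);
            level.RootCodeGroup = root;
            SecurityManager.SavePolicyLevel(level);
            return 0;
        }
        return 1;                                        // Machine level not found
    }
}
```

Because the membership condition matches on the key alone, every assembly signed with the same key file receives this grant.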

 
The program will run on users' machines locally, from a share and on servers
(it's in the startup group). I thought I could use an Enterprise code group
and strong naming to secure it. Will that work?

As a practice, is it wise to create a key group (*.snk) for each app, each
developer, or share one for a group of developers?

Thanks a lot. I'm getting some of my best info here thanks to you and the
other MVPs.

E.

 
Thanks, Scott. It looks as though the tide is turning to CAS and anything
written in any language in .NET environment will eventually need to address
it. At least my app is not mission critical so it can bear some delay to the
users.

E.
 
Esteban,

The program might run on users' machines locally, but that doesn't mean
that the application comes from the local machine. Because it is run from a
network share, it has limited permissions. You can try and set up the
Enterprise group, but I don't know how effective it is. You should do it on
the User group (you might be able to set this up through AD for the
Enterprise settings, I don't know).

If all else fails, you can use a code group where the Evidence is based
on the strong name and assign rights to that.

I think it is better to have a key group for each distributable package.
In other words, if your app is one cohesive unit (you don't distribute parts
of it somewhere else), then I think that that unit should have one strong
name. However, if your app uses a client, and a library, which can be
shipped separately, then you should have a separate strong name for each.


--
- Nicholas Paldino [.NET/C# MVP]
- (e-mail address removed)

 
Sounds like I need to go through the distribution tutorials. My boss wants me
to redo it in VB. I think that'll take longer than figuring out CAS for this
one app.

Thanks for the comments,

E.
 
Esteban,

I would question your boss's reasons for doing it in VB. VB isn't going
to change the security requirements on the project, and you will still have
to do the same things.

If it is already done, why waste time and money doing it again if it
works?
 
Nicholas,

I think it has to do with the fact that he and the other guy who code
haven't had to do this CAS configuration. I don't know why, but they haven't.
Most of their apps are SQL connect/read/write and anything I write with those
capabilities requests proper permissions. They are both using the 1.1
framework and vb.NET 2003. I just don't get the deer in the headlights
reaction. It has to have happened.

I read a few more articles at lunch and understand the recommendation for
keys to assemblies being different. Makes sense. Maybe I'll talk him into
buying the security step-by-step book.

E.

 
Nicholas,

I think the reasoning is that they haven't been faced with CAS yet, so VB is
comfortable. Seems if anyone would run for the hills it'd be me with my
Macintosh background! Everything I've seen seems to indicate they should
have encountered it by now with all the SQL connect/read/write activity.

E.

 