With the advent of the .Net Framework 4, major changes have been made with respect to the code access security structure. The security policy is no more applicable to applications and for all the apps comfortable with desktops; execution is being done in the form of full-trust applications. This includes shared network apps as well as those on the computer. The ones which are partially trusted should be run within a sandbox, for determination of the grant set. Till date, the permission system is being used, the difference being that it is transcended by transparency rules for security.
Changes in the security model of .Net framework
With the .Net Framework 4.5 we have a two-tier security structure for managed applications. A Windows security container is present for running Windows store apps and this ensures limited access to resources. Managed application can be run in a completely trusted manner within the container. So far as the developer is concerned, he has nothing to do for elevation of the privileges from the perspective of CAS or Code Access Security.
Major Security Concepts
The .NET Framework provides security transparency, role-based security and code access security to facilitate handling of security concerns regarding mobile code and to render support that ensures determination of the level of user authorization by the components. These security instruments make use of a consistent, uncomplicated model to enable developers to conveniently use role-based security once they are well-versed with code access security and vice versa. Role-based security and code access security are implemented by means of a common infrastructure that is made available through the common language runtime. Let us discuss some of the major security concepts before we elaborate on role-based and code access security.
- Security permissions: Herein, the runtime makes use of object known as permissions to impose restriction over the managed code. The code is allowed to perform those specific operations for which it has permission.
- Type Security and Safety: Type-safe code accesses only those memory locations for which it has authorization. For instance, the type-safe code is not capable of reading values from the private field of another object. It can access types solely in an allowable, well-defined manner.
- Principal: This implies the role and identity of a user and functions on the behalf of the user. Within the .Net development framework, role based security backs three categories of principals, namely Windows principals, Generic principals and Custom Principals.
- Authentication: It refers to the procedure of discovery and verification of a principal’s identity through examination of the credentials of the users and validation of the same against some kind of authority. The code directly uses the information that is obtained during the authentication process.
- Authorization: This is a process which determines if the principal has permission to carry out a requested action.
In the present scenario, vastly networked computer systems have a continuous exposure to code that originates from a variety of probably unidentified sources. The code can be contained in documents, linked to e-mail, or downloaded from the Internet. Unluckily, numerous computer users have firsthand experience of the impacts of malevolent mobile code like worms and viruses, which are capable of destroying or damaging data, thereby costing money and time.
.NET Framework offers security machinery known as code access security, in order to help safeguard computer systems from malevolent mobile code, to facilitate running of code from unknown origin with protection and to aid the prevention of trusted code from accidentally or intentionally compromising security. The Code access security permits code trusting to varying degrees based on the place of origin of the code and other aspects.
It also imposes different levels of trust on code, thereby minimizing the code amount that should be completely trusted for running. Code access security lessens the chances of the concerned code by error-filled or malicious code. In this way, liability is reduced because the set of operations which the code has permission to perform can be specified.
Role-Based Security
Many a time, roles are used in business or financial applications for enforcement of policy. Role-based security of .Net Framework renders support to authorization through making information regarding the Principal, built from a linked identity, which the current thread has. The security support provided herein is extensible and flexible enough for meeting the requirements of a range of applications. Interoperation with accessible authentication infrastructures like COM+ 1.0 Services is also possible along with the creation of a tailor-made authentication system. This security type is specifically compatible for ASP.NET Web applications, primarily processed over the server. But the role-based security suits both the server and the client.
The security model of the .net application development framework ensures secure coding through effective defense strategies. This enables developers to enjoy a great degree of flexibility without compromising on the productivity.
Expert .net developer India teams can leverage the benefits of this amazing framework and help build applications for you. We provide .net development services. If you would like to discuss with one of our lead developers, please get in touch with us at Mindfire Solutions.
No comments:
Post a Comment