CLR v4 Security Policy Roundup

Over the last few weeks we’ve been taking a look at the updates to the CLR security policy system in the v4 release of the .NET Framework.  Here’s a quick index of those topics:

• Overview
  • Security Policy in the v4 CLR
  • Sandboxing in .NET 4.0
• Updating code to work with the new model
  • Implicit uses of CAS policy part 1 (Assembly.Load with Evidence, AppDomain creation with Evidence)
  • Implicit uses of CAS policy part 2 (loading assemblies from remote sources)
  • Explicit uses of CAS policy (APIs such as SecurityManager which directly use CAS policy)
• Temporarily re-enabling CAS policy during migration
  • The NetFx40_LegacySecurityPolicy config file switch

Comments

• Anonymous
  October 14, 2009
  I am just trying to relearn CAS for the 70-536 .NET Framework - Application Development Foundation Exam (I learned it to pass an exam years ago then had no use of the information.) I think the Security team needs to talk to the exam team to decide if CAS should be in the 70-536 exam and if so define what level of understanding is needed to pass the exam. I have been writing .net software (web and winforms) for many years and  have never had a need to use CAS – unlike the rest of the exam contents.

• Anonymous
  January 10, 2011
  stupid question: what's the story regarding .NET assemblies loaded as ActiveX controls in IE? In .NET 3.5, things weren't complicated: you'd add them to the page and grant the required permissions in the CAS console. How does all this work for .NET 4.0? Any pointers? thanks.

• Anonymous
  January 12, 2011
  IE hosted managed controls are not supported in .NET 4.  They will still work with .NET 3.5, and Silverlight is of course another option.