Are you in search of Code Access Security (CAS) jobs? Then you are at the right place. We provide a complete set of Code Access Security (CAS) interview questions and answers on this page. Code Access Security (CAS), in the Microsoft .NET Framework, is Microsoft's solution to prevent untrusted code from performing privileged actions. There are numerous leading companies that offer various job positions in Code Access Security. Here are our recommendations on the key things to prepare for the job interview to achieve your career goals in an easy way. We've framed these Code Access Security job interview questions and answers to simplify your interview preparation. To know more, visit our website Wisdomjobs.com.
CAS is the part of the .NET security model that determines whether or not code is allowed to run, and what resources it can use when it is running. For example, it is CAS that will prevent a .NET web applet from formatting your hard disk.
The CAS security policy revolves around two key concepts - code groups and permissions. Each .NET assembly is a member of a particular code group, and each code group is granted the permissions specified in a named permission set.
For example, using the default security policy, a control downloaded from a web site belongs to the 'Zone - Internet' code group, which adheres to the permissions defined by the 'Internet' named permission set. (Naturally the 'Internet' named permission set represents a very restrictive range of permissions.)
Microsoft defines some default ones, but you can modify these and even create your own. To see the code groups defined on your system, run 'caspol -lg' from the command-line. On my system it looks like this:
Level = Machine
1. All code: Nothing
1.1. Zone - MyComputer: FullTrust
1.1.1. Honor SkipVerification requests: SkipVerification
1.2. Zone - Intranet: LocalIntranet
1.3. Zone - Internet: Internet
1.4. Zone - Untrusted: Nothing
1.5. Zone - Trusted: Internet
1.6. StrongName -
Note the hierarchy of code groups - the top of the hierarchy is the most general ('All code'), which is then sub-divided into several groups, each of which in turn can be sub-divided. Also note that (somewhat counter-intuitively) a sub-group can be associated with a more permissive permission set than its parent.
Use caspol. For example, suppose you trust code from www.mydomain.com and you want it to have full access to your system, but you want to keep the default restrictions for all other internet sites. To achieve this, you would add a new code group as a sub-group of the 'Zone - Internet' group, like this:
caspol -ag 1.3 -site www.mydomain.com FullTrust
Now if you run caspol -lg you will see that the new group has been added as group 1.3.1:
1.3. Zone - Internet: Internet
1.3.1. Site - www.mydomain.com: FullTrust
Note that the numeric label (1.3.1) is just a caspol invention to make the code groups easy to manipulate from the command-line. The underlying runtime never sees it.
Use caspol. If you are the machine administrator, you can operate at the 'machine' level - which means not only that the changes you make become the default for the machine, but also that users cannot change the permissions to be more permissive. If you are a normal (non-admin) user you can still modify the permissions, but only to make them more restrictive. For example, to allow intranet code to do what it likes you might do this:
caspol -cg 1.2 FullTrust
Note that because this is more permissive than the default policy (on a standard system), you should only do this at the machine level - doing it at the user level will have no effect.
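A simplified model of how evidence becomes a grant, added here as an illustration and not taken from the page or from the .NET Framework itself: within one policy level the grant is the union of the permission sets of every matching code group (the default union behaviour; attributes such as Exclusive and LevelFinal are left out), and the final grant is the intersection of the levels, which is why a more permissive user-level setting has no effect. The `CodeGroup` class, the permission labels and the `other.example` site are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Simplified model: a permission set is a set of constructed labels; evidence is a key/value map.
class CodeGroup
{
    readonly string key, value;      // membership condition; a null key matches all code
    readonly string[] grants;
    readonly CodeGroup[] children;
    public CodeGroup(string key, string value, string[] grants, params CodeGroup[] children)
    {
        this.key = key; this.value = value; this.grants = grants; this.children = children;
    }
    // Union of this group's set and every matching descendant's. A group that does
    // not match contributes nothing and its sub-groups are never evaluated.
    public HashSet<string> Resolve(IDictionary<string, string> evidence)
    {
        var result = new HashSet<string>();
        string actual;
        if (key != null && !(evidence.TryGetValue(key, out actual) && actual == value))
            return result;
        result.UnionWith(grants);
        foreach (var child in children) result.UnionWith(child.Resolve(evidence));
        return result;
    }
}

static class PolicyDemo
{
    static readonly string[] Internet = { "Execute", "UI" };
    static readonly string[] FullTrust = { "Execute", "UI", "FileIO", "Registry", "Reflection" };
    static void Main()
    {
        // Machine level after "caspol -ag 1.3 -site www.mydomain.com FullTrust".
        var machine = new CodeGroup(null, null, new string[0],
            new CodeGroup("Zone", "Internet", Internet,
                new CodeGroup("Site", "www.mydomain.com", FullTrust)));
        // User level: a single root group granting FullTrust.
        var user = new CodeGroup(null, null, FullTrust);
        foreach (var site in new[] { "www.mydomain.com", "other.example" })
        {
            var evidence = new Dictionary<string, string> { { "Zone", "Internet" }, { "Site", site } };
            var granted = machine.Resolve(evidence);
            granted.IntersectWith(user.Resolve(evidence));   // final grant = intersection of levels
            Console.WriteLine(site + ": " + string.Join(", ", granted.OrderBy(p => p)));
        }
    }
}
```

The trusted site picks up the wider set from the 1.3.1 sub-group even though its parent grants only the Internet set, while the other site stays at the Internet set regardless of the FullTrust user level.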
Yes. Use caspol -ap, specifying an XML file containing the permissions in the permission set. To save you some time, here is a sample file corresponding to the 'Everything' permission set - just edit to suit your needs. When you have edited the sample, add it to the range of available permission sets like this:
caspol -ap samplepermset.xml
Then, to apply the permission set to a code group, do something like this:
caspol -cg 1.3 SamplePermSet
(By default, 1.3 is the 'Internet' code group)
It performs the following function:
It is the core executable responsible for assigning permissions to an assembly. The .NET configuration tool is just a wrapper that sits on top of caspol.exe to ease our work. caspol.exe commands are cryptic, so the .NET configuration tool is more user-friendly. If you are interested in using caspol.exe, you can open the Visual Studio command prompt and type caspol.exe with the necessary parameters.
Once you have gathered the evidence about the code, you would like to assign permissions to the code. There are various permissions you can assign to the code, such as: can the code create a file, can it write to the registry, can it execute reflection, can it open a file dialog box, etc.
These permissions are collected into permission sets, and those permission sets are allocated to the code.
Code Access Security is a security model which grants or denies permissions to your assembly depending on evidence such as where the code originated, who the publisher is, strong names, etc.
When you want to execute any code in your environment, you would first like to know where the code came from. Depending on where it came from, you would then like to give it access rights. For instance, code compiled on your own computer would have greater rights than code downloaded from the internet.
In order to know this, we need to probe the assembly / exe / dll and gather evidence such as who the publisher of the code is, which site the code came from, which zone it came from (internet, intranet, etc.), and so on.
Security checks can be applied imperatively or declaratively. Declarative security is applied by associating attribute declarations that specify a security action with classes or methods. Imperative security is applied by calling the appropriate methods of a Permission object that represents the Principal (for role-based security) or system resource (for code access security).
Declarative and imperative are the different syntax schemes used to implement security declarations in .NET Framework. In declarative security, attribute syntax is used. The security constraints are stored in the assembly at compile time. The disadvantage of declarative security is that there are tools which extract security requirements from the metadata in the assembly.
In the imperative implementation, the attribute syntax is not used. It is implemented by writing regular code to provide the restrictions.
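The two styles side by side, as an added example that is not from the original page. It assumes the .NET Framework on Windows (CAS is not available on .NET Core or .NET 5+); the `ReportReader` class and the `C:\Reports` path are hypothetical, and `PermitOnly` is used only so that a demand can be seen to fail inside a fully trusted process.

```csharp
using System;
using System.IO;
using System.Runtime.CompilerServices;
using System.Security;
using System.Security.Permissions;

public static class ReportReader   // hypothetical class; paths are constructed
{
    // Declarative: the demand is stored in assembly metadata at compile time,
    // so the path must be a constant. It is checked when the method is entered.
    [FileIOPermission(SecurityAction.Demand, Read = @"C:\Reports")]
    public static string ReadSummary()
    {
        return File.ReadAllText(@"C:\Reports\summary.txt");
    }

    // Imperative: the permission object is built at run time, so the demand
    // can depend on a value the caller supplies (an absolute path is required).
    [MethodImpl(MethodImplOptions.NoInlining)]   // keep a separate frame for the stack walk
    public static string ReadAny(string absolutePath)
    {
        new FileIOPermission(FileIOPermissionAccess.Read, absolutePath).Demand();
        return File.ReadAllText(absolutePath);
    }

    // Returns true when the demand in ReadAny is refused for the given path.
    public static bool IsRefused(string absolutePath)
    {
        // Stack-walk modifier: code called from this frame may only exercise
        // read access under C:\Reports, whatever the assembly itself was granted.
        new FileIOPermission(FileIOPermissionAccess.Read, @"C:\Reports").PermitOnly();
        try
        {
            ReadAny(absolutePath);
            return false;
        }
        catch (SecurityException) { return true; }
        catch (IOException) { return false; }   // demand passed; the file is just missing
        finally { CodeAccessPermission.RevertPermitOnly(); }
    }

    public static void Main()
    {
        Console.WriteLine(IsRefused(@"C:\Windows\win.ini"));       // outside the permitted tree
        Console.WriteLine(IsRefused(@"C:\Reports\summary.txt"));   // inside it
    }
}
```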
There are two types of code security:
Elements of Code Access Security :
Every security system needs some sort of mechanism (such as user name, password and Access Control List (ACL)) to identify the users and determine what a user can or can't do. However, CAS identifies and assigns permissions to applications rather than to application users.
CAS identifies assemblies using evidence. There are a few elements by which an assembly can be identified, such as the location, hash code and signature of the assembly. Evidence is the information that the runtime gathers about an assembly to determine which code group the assembly belongs to. Code groups in turn grant an assembly a permission set.
Code Group : The evidence provided by an assembly is used as the condition for granting and revoking permissions to it. It is done by putting the code in an appropriate code group. Every code group stipulates a membership condition and has specific conditions attached to it. Any assemblies that meet the condition become a member of the group. Code groups are arranged in a hierarchy and assemblies are nearly always matched to several code groups. The code group at the root of the hierarchy is called All Code and contains all other code groups.
Evidence : In order for the CLR to determine which code group to place assembly information into, the first step is to read the supplied evidence. There are two main sources of information: internet and intranet. The internet group defines code that is sourced from the internet and the intranet group defines code sourced from a LAN. The examination of the assembly evidence makes up the authentication part of the security process.
Permissions : Permissions are the actions you allow each code group to perform. The system administrator usually manages the permissions at the enterprise, machine and user levels. The CLR Virtual Execution System (VES) loads and runs programs. It provides the functionality required to execute managed code and uses assembly metadata to connect modules together at runtime. When VES loads an assembly, it matches the assembly to one or more code groups. Each code group is assigned to one or more permissions that specify what actions assemblies can do in that code group.
All rights reserved © 2018 Wisdom IT Services India Pvt. Ltd