Improving Web Application Security: Threats and - CGISecurity
Chapter 8: Code Access Security in Practice

The steps shown in Figure 8.1 are summarized below.

1. An assembly is loaded. This operation is performed by an application domain host. On a Web server loading a Web application assembly, this is the ASP.NET host.
2. Evidence is gathered from the assembly and presented by the host.
3. Evidence is evaluated against the defined security policy.
4. The output from security policy evaluation is one or more named permission sets that define the permission grant for the assembly.
   Note: An assembly can include permission requests, which can further reduce the permission grant.
5. Code within the assembly demands an appropriate permission prior to accessing a restricted resource or performing a privileged operation. All of the .NET Framework base classes that access resources or perform privileged operations contain the appropriate permission demands. For example, the FileStream class demands the FileIOPermission, the Registry class demands the RegistryPermission, and so on.
6. If the assembly (and its callers, since a demand walks the call stack) have been granted the demanded permission, the operation is allowed to proceed. Otherwise, a security exception is generated.

How Is Policy Evaluated?

When evidence is run through the policy engine, the output is a permission set that defines the set of permissions granted to an assembly. The policy grant is calculated at each level in the policy hierarchy: Enterprise, Machine, User, and Application Domain. The policy grant resulting from each level is then combined using an intersection operation to yield the final policy grant. An intersection is used to ensure that policy lower down in the hierarchy cannot add permissions that were not granted by a higher level. This prevents an individual user or application domain from granting additional permissions that are not granted by the Enterprise administrator.
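The following C# program is an added example and is not code from the book; it ties together the six-step walkthrough above and the policy-intersection paragraph. It builds three hypothetical policy-level permission sets (Enterprise, Machine, User) by hand instead of reading real CAS policy, intersects them to get the effective grant, then runs two file reads under that grant with PermitOnly so that the FileIOPermission demand made by FileStream either succeeds or raises a SecurityException. The paths, the policy contents and the assembly-level requests are assumptions. It targets the .NET Framework (the RequestMinimum/RequestRefuse attributes are from the 1.x/2.0-era CAS model the book describes; demands and PermitOnly still work on .NET Framework 4.x, but CAS is not supported on .NET Core or .NET 5+).

```csharp
// Added example, not from the book. Assumes the .NET Framework CAS model;
// paths and the three policy levels below are made up for illustration.
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Step 4, "Note": assembly-level permission requests. RequestMinimum declares
// the assembly cannot run without read access to its data directory; RequestRefuse
// strips RegistryPermission from the grant even if policy would have given it.
[assembly: FileIOPermission(SecurityAction.RequestMinimum, Read = @"C:\inetpub\wwwroot\app\data")]
[assembly: RegistryPermission(SecurityAction.RequestRefuse, Unrestricted = true)]

static class CasWalkthrough
{
    // Steps 2-4: policy evaluation. Each level yields a permission set for the
    // assembly's evidence; the final grant is the intersection of all levels.
    static PermissionSet ComputeGrant()
    {
        // Enterprise level: default policy gives local code everything.
        var enterprise = new PermissionSet(PermissionState.Unrestricted);

        // Machine level: the server admin confines the web app to its data folder.
        var machine = new PermissionSet(PermissionState.None);
        machine.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        machine.AddPermission(new FileIOPermission(
            FileIOPermissionAccess.Read | FileIOPermissionAccess.Write,
            @"C:\inetpub\wwwroot\app\data"));

        // User level: a local user tries to hand the app the whole C: drive.
        var user = new PermissionSet(PermissionState.None);
        user.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        user.AddPermission(new FileIOPermission(FileIOPermissionAccess.AllAccess, @"C:\"));

        // Intersection: a lower level cannot add what a higher level withheld, so
        // the result is Execution plus read/write under the data folder only.
        // PermissionSet.Intersect returns null when the intersection is empty.
        PermissionSet grant = enterprise.Intersect(machine);
        if (grant != null)
        {
            grant = grant.Intersect(user);
        }
        return grant ?? new PermissionSet(PermissionState.None);
    }

    // Steps 5-6: a demand succeeds only if this frame and every caller up the
    // stack have been granted the demanded permission.
    static void Main()
    {
        PermissionSet grant = ComputeGrant();
        Console.WriteLine("Effective grant:");
        Console.WriteLine(grant.ToString()); // XML form of the permission set

        // Simulate running under that grant: PermitOnly clips this frame and its
        // callees to exactly the computed set for the duration of the try block.
        grant.PermitOnly();
        try
        {
            TryRead(@"C:\inetpub\wwwroot\app\data\config.xml"); // inside the grant
            TryRead(@"C:\Windows\win.ini");                     // outside the grant
        }
        finally
        {
            CodeAccessPermission.RevertPermitOnly();
        }
    }

    static void TryRead(string path)
    {
        try
        {
            // The FileStream constructor itself demands FileIOPermission for 'path'
            // (step 5); the explicit demand here just makes that step visible.
            new FileIOPermission(FileIOPermissionAccess.Read, path).Demand();
            using (var fs = new FileStream(path, FileMode.Open, FileAccess.Read))
            {
                Console.WriteLine("Read allowed: " + path + " (" + fs.Length + " bytes)");
            }
        }
        catch (SecurityException ex)
        {
            // Step 6: the demand was not satisfied, so the resource is never touched.
            Console.WriteLine("Security exception for " + path + ": " + ex.Message);
        }
        catch (IOException ex)
        {
            // Permission was granted; the file simply may not exist on this machine.
            Console.WriteLine("Permitted, but I/O failed for " + path + ": " + ex.Message);
        }
    }
}
```

Run it and the first path reports either the byte count or a file-not-found IOException (the demand passed), while the second path reports a SecurityException before any I/O happens. Swapping the User and Machine sets does not change the outcome, which is the point of the intersection: the order of the levels does not matter, and no level can widen the grant.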
