Improving Web Application Security: Threats and - CGISecurity
Chapter 9: Using Code Access Security with ASP.NET 243

Note Any strong named assembly that is called by an ASP.NET Web application or Web service must be installed in the GAC. In this instance, you should install the assembly in the GAC to ensure that it is granted full trust.

5. Configure your Web application for medium trust. Add the following code to Web.config or place it in Machine.config inside an element that points to your application:

6. Reference the data access assembly from your ASP.NET Web application. Since a strong named assembly must be in the GAC and not the \bin directory of a Web application, you must add the assembly to the list of assemblies used in the application if you are not using code behind files. You can obtain the PublicKeyToken of your assembly by using the following command:

sn -Tp oledbwrapper.dll

Note Use a capital -T switch.

Then add the following to Machine.config or Web.config:

Note In between successive rebuilds of your wrapper assembly, you might need to recycle the ASP.NET worker process, because your wrapper assembly, which is installed in the GAC, is cached by the ASP.NET process. To recycle the ASP.NET worker process (Aspnet_wp.exe), you can run the IISreset.exe utility.

7. Protect the code that calls Assert. The Assert call means that any code that calls the data access wrapper can interact with the OLE DB data source. To prevent malicious code from calling the data access component and potentially using it to attack the database, you can issue a full demand for a custom permission prior to calling Assert and update the medium-trust policy file to grant your Web application the custom permission. This solution entails a reasonable amount of developer effort.

For more information about developing a custom permission, see "How To: Create a Custom Encryption Permission" in the "How To" section of this guide.
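The Demand-before-Assert pattern from step 7, written out as an added C# example (not the guide's own code). DataAccessPermission is a hypothetical custom permission class built as the referenced How To describes; the connection string and the Customers table are assumptions.

```csharp
using System;
using System.Data.OleDb;
using System.Security;
using System.Security.Permissions;

// Required so partially trusted (medium-trust) ASP.NET code may call this
// strong-named, GAC-installed assembly at all.
[assembly: AllowPartiallyTrustedCallers]

namespace OleDbWrapper
{
    public sealed class DataAccess
    {
        private readonly string _connectionString;

        public DataAccess(string connectionString) { _connectionString = connectionString; }

        // Counts customers in a region; the permission checks are the point.
        public int CountCustomersInRegion(string region)
        {
            // 1. Full demand for the custom permission. DataAccessPermission is a
            //    hypothetical class built per the guide's custom-permission How To.
            //    The demand walks the whole call stack, so any caller not granted it
            //    by the medium-trust policy file fails here with a SecurityException.
            new DataAccessPermission(PermissionState.Unrestricted).Demand();

            // 2. Only then assert OleDbPermission, which medium trust does not grant,
            //    so the stack walk for it stops at this frame instead of the caller.
            new OleDbPermission(PermissionState.Unrestricted).Assert();
            try
            {
                using (OleDbConnection conn = new OleDbConnection(_connectionString))
                using (OleDbCommand cmd = conn.CreateCommand())
                {
                    // Parameterized so the region value cannot alter the query text.
                    cmd.CommandText = "SELECT COUNT(*) FROM Customers WHERE Region = ?";
                    cmd.Parameters.Add("@region", OleDbType.VarChar, 50).Value = region;
                    conn.Open();
                    return Convert.ToInt32(cmd.ExecuteScalar());
                }
            }
            finally
            {
                // 3. Revert before returning so the assert never outlives this call.
                CodeAccessPermission.RevertAssert();
            }
        }
    }
}
```

The order matters: if the Assert came before the Demand, any caller that could reach the method would already be past the OLE DB permission check.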