Thanks for your response Velvet,
Yes, FxCop surely applies to all .NET code, not specifically to ASP.NET,
so it'll apparently display all the warnings or errors if you include those
certain rules.
And if you're focused on ASP.NET-specific .NET Code Access Security, you may
have a look at the ASP.NET trust level setting, which controls the ASP.NET
application's .NET code access security:
#trustLevel Element for securityPolicy (ASP.NET Settings Schema)
http://msdn2.microsoft.com/en-us/library/as399f0x.aspx
Here are some further references on ASP.NET CAS:
#Chapter 9 – Using Code Access Security with ASP.NET
http://msdn.microsoft.com/library/en-us/dnnetsec/html/THCMCh09.asp?frame=true
#How To: Use Code Access Security in ASP.NET 2.0
http://msdn.microsoft.com/library/en-us/dnpag2/html/paght000017.asp?frame=true
Hope this helps. Thanks,
Steven Cheng
Microsoft Online Support
Get Secure!
www.microsoft.com/security
(This posting is provided "AS IS", with no warranties, and confers no
rights.)
--------------------
| From: "Velvet"
| Subject: Re: FxCop App Security
| Date: Wed, 18 Jan 2006 13:57:36 -0800
| Newsgroups: microsoft.public.dotnet.framework.aspnet
|
| The problem is, this applies to normal .NET apps and not ASP.NET apps. I
| need ASP specific information as this needs to be executed on the web
| server.
|
| I have run some searches on the subject but haven't found any useful
| information on what security settings should be used when running the app
| on the web server.
|
| Velvet
|
| > Hi velvet,
| >
| > Welcome to MSDN newsgroup.
| > As for the security related warnings you get when using FxCop to validate
| > your assembly, they're just some best practices for developing .NET
| > applications. .NET uses Code Access Security to restrict and validate our
| > code's permissions. For the two attributes you mentioned:
| >
| > [assembly: SecurityPermission(SecurityAction.RequestMinimum, Execution =
| > true)]
| > =====================
| > This is used to indicate the minimum permissions your assembly
| > requires... This can help the end user or administrator to get how much
| > permission they need to grant to your assembly.... through .NET CAS policy
| >
| >
| > [assembly: PermissionSet(SecurityAction.RequestOptional, Name =
| > "Nothing")]
| > ========================
| > The SecurityAction.RequestOptional flag allows you to request a set of
| > permissions while refusing all other permissions the runtime otherwise
| > might have been willing to give. By contrast, the RequestRefuse flag
| > allows you to refuse permissions by explicitly specifying which ones your
| > code should not be granted.
| >
| > And here are some other MSDN references discussing .NET CAS:
| >
| > #An Overview of Security in the .NET Framework
| > http://msdn.microsoft.com/library/en-us/dnnetsec/html/netframesecover.asp?frame=true
| >
| > #Programming .NET Code Access Security
| > http://msdn.microsoft.com/library/en-us/dnhcvs03/html/hcvs03a11.asp?frame=true
| >
| > http://msdn.microsoft.com/msdnmag/issues/05/11/CodeAccessSecurity/default.aspx?side=true#a
| >
| > Hope this helps. Thanks,
| >
| > Steven Cheng
| > Microsoft Online Support
| >
| > Get Secure!
| > www.microsoft.com/security
| > (This posting is provided "AS IS", with no warranties, and confers no
| > rights.)
| >
| > --------------------
| > | From: "Velvet"
| > | Subject: FxCop App Security
| > | Date: Thu, 5 Jan 2006 10:31:57 -0800
| > | Newsgroups: microsoft.public.dotnet.framework.aspnet
| > |
| > | I ran FxCop on one of the components for my web site and the security
| > | rules want me to add "[assembly: SecurityPermission()]" tags like the
| > | ones listed below:
| > |
| > | [assembly: SecurityPermission(SecurityAction.RequestMinimum,
| > | Execution = true)]
| > |
| > | [assembly: PermissionSet(SecurityAction.RequestOptional, Name =
| > | "Nothing")]
| > |
| > |
| > | This breaks my ASP.NET application. So my question is, what should
| > | these tags be when used in a .NET application? I haven't found much
| > | information on this so if I could get more info on it in relation to
| > | ASP.NET that would be great.
| > |
| > | thanks,
| > | Velvet
| > |
| > |
| > |
| >
|
|
|
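
Added example, not part of the original thread: the trust level setting the reply points to, shown as a machine-level web.config fragment for ASP.NET 2.0. The choice of Medium and the locked `<location>` element are assumptions made for this illustration; the policy file names are the defaults that ship with the framework.

```xml
<!-- Constructed example: machine-level web.config in the framework CONFIG directory -->
<configuration>
  <!-- allowOverride="false" stops individual applications from raising
       their own trust level in their local web.config -->
  <location allowOverride="false">
    <system.web>
      <securityPolicy>
        <!-- Each named level maps to a CAS policy file -->
        <trustLevel name="Full"    policyFile="internal" />
        <trustLevel name="High"    policyFile="web_hightrust.config" />
        <trustLevel name="Medium"  policyFile="web_mediumtrust.config" />
        <trustLevel name="Low"     policyFile="web_lowtrust.config" />
        <trustLevel name="Minimal" policyFile="web_minimaltrust.config" />
      </securityPolicy>
      <!-- Weak setting: level="Full" (the default) applies no CAS
           restrictions to application code.
           Restricted setting: level="Medium" grants only the permissions
           listed in web_mediumtrust.config. -->
      <trust level="Medium" originUrl="" />
    </system.web>
  </location>
</configuration>
```

An assembly loaded by the application receives at most the permissions granted by the policy file of the selected level, whatever it requests through assembly-level attributes.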