是“code访问安全性”的任何实际的应用?安全性、实际、code
我在学习的 70-536 .NET框架 - 应用程序开发基础考试,因为我一直在.NET编程多年,这应该不难。
I am in the process of studying for the 70-536 .NET Framework - Application Development Foundation Exam, as I have been programming .net for many years, this should not be hard!
不过,我有了解code访问安全性(CAS),因为我从来没有需要使用或配置它,我想知道是否有人已经找到了现实生活中的使用呢?
However I am having to learn about "Code Access Security" (CAS), As I have never had a need to use or configure it, I was wondering if anyone else has found a real life usage for it?
请提供的例子,当你使用CAS和它一直是解决方案的一部分,而不是问题。
Please provide examples of when you have used CAS and it has been part of the solution rather then the problem.
(到目前为止,一切已经有一些关系的任务,我不得不这样做在我多年的.NET编程的)
(So far everything else has had some relationship to task I have had to do in my years of .NET programming)
相关问题:
为什么要使用CAS($ C C访问安全性$) ? - 这有极少数的现实世界的例子除了微软如何使用它 Anyone真正使用code访问安全性来保护他们的组件和/或方法? 什么是.NET code使用安全 - 定义CAS不错,但并没有给实际例子。 。NET code访问安全性:有用的或只是过于复杂 Why to use CAS (Code Access Security)? - This has very few real world examples apart from how Microsoft uses it. Anyone really using Code Access Security to protect their assemblies and/or methods? What is Code Access Security in .NET - Defines CAS well, but does not give real examples. .NET Code Access Security: Useful or just overcomplicated?结果为止。
当你正在主持第三方code CAS是非常有用的。例如。网络托管公司可以用它来阻止他们的客户的Asp.net code做损害到服务器。 (办事处还利用它当.NET被用作替换VBA)
CAS is useful when you are hosting 3rd party code. E.g. a web hosting company can use it to stop their customer's Asp.net code doing damage to the servers. (Office also make use of it when .NET is used as a replacement for VBA)
它被微软应用程序之外使用的唯一具体的例子到目前为止,主要有:
The only detailed example of it being used outside of a Microsoft application so far are:
最近的一个项目,我也有一些东西 类似:允许用户上传 库,并测试其性能 (谁使最好的算法)。 不用说,我们需要CAS重 在那里。
A recent project I did had something similar: allow the user to upload a library, and test it for performance ("who makes the best algorithm"). Needless to say, we needed CAS heavily there.
CAS似乎是有用的,以获得JITDC认证,就是喜欢辩护美国能源部,但是我不知道CAS是任何真正的价值,或者如果它只是框中打勾。
CAS seems to be useful to get JITDC certification, that is like by the US department of defence, however I don’t know if CAS was of any real value, or if it was just box ticking.
(如果你需要绕过使用CAS的主机,你对他们有管理员权限的机器,你可以把你的程序集在GAC中。)
(If you need to bypass a host that uses CAS and you have admin rights on them machine, you can just put your assemblies in the GAC.)
展望未来, CAS有点在.NET 4 的那么复杂。
Looking forward, CAS is a bit less complex in .net 4.
目前至少它看起来像新的Microsoft考试不会有基础的考试,其中包括CAS。我不知道这是否会使其进入新的WinForms / WPF考试。
At least it looks like the new Microsoft exams will not have a "foundation" exam that includes CAS. I don’t know if it will make it into the new Winforms/WPF exams.
推荐答案
我遇到code访问安全性往往在现实世界,往往当我最不希望的。而且在某种程度上,Silverlight的将是它的一个优秀的现实世界的应用程序,如果不是那SilverLight的的 选择不聘请中科院的都在最后。
I encounter code access security quite often in the "real world", often when I least expect it. And in a way, SilverLight would be an excellent real-world application of it, were it not that SilverLight chose not to employ CAS at all in the end.
在这里你看到它在行动的地方就是需要一个安全的环境:ASP.NET,当然本身,而是ASP.NET主机提供商使用的修改的安全模型的以prevent入侵在他们的precious系统。我知道对于Webhost4Life使用这个事实(在其网站上关于它的任何信息,但我已经与他们合作过,它的存在,真的)。进一步看,其他ASP.NET主机服务商做同样的,但他们不是很清楚,要么:的在godaddy.com线程不的希望(什么是支持的,哪些不是,也没有清晰),以改变或CAS的在1和此相关的讨论; 1 。有些云托管网站(rackspacecloud)把它远一点和与微软合作的修改完全信任级别的任何可能。
The places where you see it in action is where a secured environment is needed: ASP.NET itself of course, but ASP.NET hosting providers use a modified security model to prevent intrusion in their precious systems. I know for a fact that Webhost4Life uses this (no information on their site about it, but I've worked with them, it's there, really). Looking further, other ASP.NET hosting providers do the same, but they are not very clear about it either: thread on godaddy.com not wanting to change the CAS (and no clarity what's supported and what not) or this related discussion on 1&1. Some cloud hosting sites (rackspacecloud) took it a bit further and "worked with Microsoft for a modified full trust level" whatever that may be.
总之:如果你发现一个ASP.NET主机,他们很有可能已经使用中科院prevent你做的事情,他们不希望你做的事。他们甚至可以用它使基本(很多限制)之间的差异托管和企业(限制较少)的主机赋予完全是另外一个意思CAS。
In short: if you find an ASP.NET host, most likely they've used CAS to prevent you from doing things they don't want you to do. They can even use it make difference between "basic" (many restrictions) hosting and "enterprise" (few restrictions) hosting which gives a whole other meaning to CAS.
这么多,我遇到了我一些真实世界的情况。最近的一个项目中,我也有类似的东西:允许用户上传库,并测试它的性能(谁使最好的算法)。不用说,我们需要CAS巨资在那里。其他的例子或有趣的资源:
So much for a few real-world situations that I encountered myself. A recent project I did had something similar: allow the user to upload a library, and test it for performance ("who makes the best algorithm"). Needless to say, we needed CAS heavily there. Other examples or interesting resources:
NAR装载机(A $ C $的CProject应用程序)的使用它自己的CAS LR计算器(也$ C $的CProject应用程序)的使用CAS 的ClickOnce(见下文)使用CAS CAS设计模式的:它是普及假设CAS是使用 了解CAS :更大的普及和一些评论暗示的应用 在微软 SharePoint使用CAS 的一路,似乎(对不起,我不是一个SP专科) NAR Loader (a codeproject application) uses it's own CAS LR Evaluator (also codeproject app) uses CAS ClickOnce (see below) uses CAS CAS Design Patterns: it's popularity "assumes" CAS is being used Understanding CAS: even greater popularity and some comments imply applications Microsoft SharePoint uses CAS all the way, it seems (sorry, I'm not an SP specialist)有关,你只是完全控制自己的任何情况下,你建立你自己的应用程序和code(或有它建),并在你的系统的完全控制,我不认为你需要CAS太频繁。它更是你会使用你从较小的可信来源运行$ C $ C(这基本上是一切,不是在你的完全控制)分钟。
For any situation where you are simply in full control yourself, you build your own app and code (or have it built) and are in complete control of your system, I don't think you'll need CAS too often. It's more something you'd use the minute you get to run code from lesser trusted sources (which is basically everything that's not in your full control).
默认CAS设置限制code运行从网络共享或其他非本地源的能力。这是有道理的,但严格的限制使其难以对分布式应用程序的中央存储库。 .NET 2.0引入的ClickOnce,这是要(这里 讨论),提高了安全性。
Default CAS settings limit the capabilities of code run from a network share or other non-local sources. This makes sense but the stringent restrictions make it hard to have a central repository for distributed application. .NET 2.0 introduced ClickOnce, which was supposed to elevate the security (discussion here).
的ClickOnce本身使用CAS ,以prevent安装程序无法调用到系统功能。因此,我认为这是可以说的依赖于CAS最佳众所周知的应用程序的。
ClickOnce itself uses CAS, to prevent the installer from calling into system functions. As such, I believe it is arguably the best well known application that relies on CAS.
点是:您需要了解CAS才能够创造的东西,可以直接从共享运行,或者你忽略这一切,并使用的ClickOnce
Point being: you need to understand CAS to be able to create something that can run directly from a share, or you ignore it all and use ClickOnce.
在2005年,微软召见了调查以找出为什么CAS是如此不得人心,希望能改进它,使之更好地适用。不幸的是,我无法找到实际的调查结果来看,其他然后这个帖子有些细节为什么CAS被充分利用。
In 2005, Microsoft summoned a survey to find out why CAS was so unpopular, hoping to improve it to make it better applicable. Unfortunately, I couldn't find the actual survey results, other then this post somewhat detailing why CAS is underused.
该职位,但不点一个有趣的利基:CAS适用于另外一个世界:在Unix / Linux操作系统。他们不把它称为CAS,而不是它的 BitFrost 。是如何形成的一个实际的应用:在人人电脑项目,这依赖于BitFrost作为替代传统的Unix安全模型。
That post, however, does point at an intriguing niche: CAS applied to another world: Unix / Linux. They don't call it CAS, instead it's BitFrost. How's that for a real-world application: the "One Laptop Per Child" project, which relies on BitFrost as a replacement for the traditional Unix security model.
更新:在调查部分在CAS中的Unix / Linux作为BitFrost和部分 更新:补充CAS VS的ClickOnce部分 更新:添加使用CAS的资源列表的
Update: section on CAS in Unix/Linux as BitFrost and section on survey. Update: added CAS vs ClickOnce section Update: added list of resources using CAS (and apologies for all these updates in a row!)
