9.5 Code Access Security
Code
access security is a new
.NET runtime feature that can dramatically reduce the likelihood of
applications performing damaging actions by putting significant
restrictions in place on untrusted or partially trusted code. While
using code access security programmatically in an application is well
beyond the scope of this book, even if you never call a single method
related to code access security, your ASP.NET applications still use
it through settings configured in the
machine.config configuration file. The
<trustLevel> element in
machine.config defines the mapping of named
trust levels to policy files that define the code access security
policies associated with a given named trust level. The
<trust> element in
machine.config sets the default trust level to
Full. If you want to restrict the actions that a given application can
take, you can do so by adding a <location>
tag to machine.config that specifies the path to
that application and contains a <trust>
element specifying the desired trust level, as shown in the following
code snippet. Setting the allowOverride attribute
to False will prevent the trust level from being
overridden in the application's
web.config file: <location path="Application1" allowOverride="False">
<system.web>
<trust level="Low"/>
</system.web>
</location>
|
As with web.config , the
<location> tag in
machine.config must be placed outside of the
<system.web> tags, but must also appear
after the <configSections> section, or an
exception will be thrown. |
|
|