There are two aspects to the administration of isolated
storage:
In the following sections, we discuss the administration of isolated
storage, beginning with the configuration of security policy.
1. Configuring Security Policy
You can use both the .NET Framework
Configuration tool (Mscorcfg.msc) and the Code
Access Security Policy tool (Caspol.exe) to
administer security policy to grant access to isolated storage. We describe how to use
Mscorcfg.exe and Caspol.exe
specifically to control access to isolated storage.
1.1. Granting isolated storage permissions with Mscorcfg.msc
To grant code
access
to isolated storage, you must create a named permission set that
grants its members the
IsolateStorageFilePermission class, and you must
assign this permission set to a code group. To create a permission
set containing IsolateStorageFilePermission, you
should follow the process we described in Section 1.1. Figure 1 shows the dialog
box through which you select the permissions to add to the new
permission set. The Isolated Storage File entry (highlighted in the
diagram) represents the
IsolateStorageFilePermission class.
When you press the Add >> button to include the
IsolateStorageFilePermission in your permission
set, the dialog box shown in Figure 2 appears and
allows you to configure the specific level of isolated storage access
to grant.
You can grant unrestricted access to isolated storage by pressing the
bottom radio button, or grant a specific level of access by pressing
the top radio button and choosing the desired level from the Usage
Allowed drop-down list. The configuration maps to the values of the
IsolatedStorageContainment enumeration.
1.2. Granting isolated storage permissions with Caspol.exe
To create a named permission set that grants access to isolated
storage, you must generate an XML file that contains the description
of a System.Security.NamedPermissionSet object
containing a configured
IsolateStorageFilePermission object. Because of
the complexity of the XML description, we recommend that you
don't try to create these XML files manually; you
should create the permission set programmatically, and then write its
XML description to a file, as demonstrated in Example 1:
Example 1. Programmatically creating an XML description of a permission set
# C#
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;
public class WritePermSet {
public static void Main( ) {
// Create an empty NamedPermissionSet
NamedPermissionSet nps =
new NamedPermissionSet("IsoTestSet",PermissionState.None);
// Create an IsolatedStorageFilePermission and add it to the
// NamedPermissionSet
IsolatedStorageFilePermission p =
new IsolatedStorageFilePermission(PermissionState.None);
p.UsageAllowed = IsolatedStorageContainment.DomainIsolationByUser;
p.UserQuota = 2048;
nps.AddPermission(p);
// Write the NamedPermissionSet to a file
StreamWriter sw = new StreamWriter("IsoTestSet.xml");
sw.Write(nps.ToString( ));
sw.Close( );
}
}
# Visual Basic .NET
Imports System
Imports System.IO
Imports System.Security
Imports System.Security.Permissions
Public Class WritePermSet
Public Shared Sub Main( )
' Create an empty NamedPermissionSet
Dim nps As NamedPermissionSet = _
New NamedPermissionSet("IsoTestSet",PermissionState.None)
' Create an IsolatedStorageFilePermission and add it to the
' NamedPermissionSet
Dim p As IsolatedStorageFilePermission = _
New IsolatedStorageFilePermission(PermissionState.None)
p.UsageAllowed = IsolatedStorageContainment.DomainIsolationByUser
p.UserQuota = 2048
nps.AddPermission(p)
' Write the NamedPermissionSet to a file
Dim sw As StreamWriter = new StreamWriter("IsoTestSet.xml")
sw.Write(nps.ToString( ))
sw.Close( )
End Sub
End Class
|
Running this utility produces a file named
IsoTestSet.xml that contains the following XML:
version="1"
Name="IsoTestSet">
version="1"
Allowed="DomainIsolationByUser"
UserQuota="2048"/>
You can use the IsoTestSet.xml file to create a
new permission set in the machine policy level using the following
command:
caspol -machine -addpset IsoTestSet.xml
2. Managing Isolated Storage Stores
The Isolated Storage tool (Storeadm.exe) is
a
command-line tool that comes with the .NET Framework SDK and is
located in the /bin subdirectory of the SDK
installation directory. Storeadm.exe allows you
to list or remove the stores of the current user; no tool lets you
manage isolated storage for all users, and you must manage the
user's roaming and nonroaming stores independently.
To list the nonroaming stores of the current user, use the command
storeadm /list. Specifying the
/roaming flag lists the roaming stores—for
example, storeadm /list /roaming. Either of these
commands displays a list of stores but not content, similar to that
shown here. We have abbreviated the StrongName.Key
and Publisher.X509Certificate elements in the
interest of brevity:
Microsoft (R) .NET Framework Store Admin 1.0.3705.0
Copyright (C) Microsoft Corporation 1998-2001. All rights reserved.
Record #1
[Assembly]
Key="002400000480000094000000060200000024000052534131
00040000010001005308669520E62E2E1F08F07B0D5DA0B33C0F82AC093C54E26
852080E8C5B7"
Name=" SomeOtherApp"
Version="1.5.0.0"/>
Size : 0
Record #2
[Domain]
file://C:/Development/projects
[Assembly]
308201713082011BA0030201020210E5D7C7E57FD9B9B347A7EE
AC3221100A39899EB866979DBBB6430F5A52A024FC7FCEE9
Size : 0
The example output contains information about two stores:
Record #1 and Record
#2 (which we have highlighted in boldface).
Record #1 represents a store isolated by user and
assembly; the assembly's
StrongName evidence identifies the creating code.
Record
#2 represents a store
isolated by user, assembly, and application domain; the application
domain's Url evidence and the
assembly's Publisher evidence
identify the creating code.
Storeadm.exe also allows you to remove stores
for the current user. However, you must remove all roaming or
nonroaming stores at once; there is no way to remove individual
stores. To remove all nonroaming stores, use the command
storeadm /remove. To remove all roaming stores, use the
command storeadm /roaming /remove.
|
Storeadm.exe will not prompt you to confirm the
removal of stores, and you cannot recover any stores once you remove
them. |
