3. Building the AuthorMembershipCondition Assembly
For convenience, you could build all of the
Author-related security classes into a single
assembly. This would simplify security administration if you needed
to distribute CAS extensions to third parties, but because the
Author class is evidence, you would need to add
the assembly to the fully trusted assembly list of every policy
level. This would grant the assembly full trust at runtime, which
many people would find unacceptable.
For the purpose of an example, build
AuthorMembershipCondition into its own assembly
using the following command.
# C#
csc /t:library /reference:Author.dll AuthorMembershipCondition.cs
# Visual Basic .NET
vbc /t:library /reference:Author.dll AuthorMembershipCondition.vb
4. Using the AuthorMembershipCondition Membership Condition
The Microsoft
.NET Framework Configuration tool (Mscorcfg.msc)
provides a graphical interface through which you can configure
security policy. Mscorcfg.msc implements
specific support for the standard membership condition classes and
provides user-friendly interfaces through which you can configure
their membership condition parameters. However, the support for using
custom membership conditions is rudimentary, requiring you to import
an XML fragment describing the membership condition to use. This XML
is the result of calling ToXml( ).ToString( ) on a
custom membership condition object.
In this example, we will use the Code Access Security Policy tool
(Caspol.exe) to configure a code group in the
user policy level that uses
AuthorMembershipCondition to evaluate membership.
We will describe the Caspol.exe commands
necessary to perform this configuration.
4.1. Installing security assemblies
Assemblies that
provide CAS extensions (such as the
AuthorMembershipCondition.dll assembly) must be
fully trusted by the policy level in which they are used. To make
AuthorMembershipCondition.dll fully trusted by
the user policy level, execute the following commands from the
directory where AuthorMembershipCondition.dll is
located:
gacutil -i AuthorMembershipCondition.dll
caspol -user -addfulltrust AuthorMembershipCondition.dll
The first command installs
AuthorMembershipCondition into the global assembly
cache (which you must do before you can make it a fully trusted
assembly). The second command makes
AuthorMembershipCondition a fully trusted assembly
in the user policy level.
4.2. Generating AuthorMembershipCondition XML
You must create an XML representation of the
membership condition you want to assign to the code group. Although
the required XML is simple enough that you could create it manually,
it is much easier and safer to instantiate an
AuthorMembershipCondition object and write the
contents of the SecurityElement returned by its
ToXml method to disk.
If you distribute custom membership condition classes to users or
customers, we advise you to create a simple utility to perform the
creation of the required XML fragments. The
CreateAuthorMembership class takes an author name
as a command-line argument, instantiates an
AuthorMembershipCondition object, and writes an
XML representation of it to disk:
# C#
using System;
using System.IO;
using ORA.DotNetSecurity.Policy;
public class CreateAuthorMembership {
public static void Main(string[] args) {
// Create a new AuthorMembershipCondition based
// on the name of the author provided
AuthorMembershipCondition amc =
new AuthorMembershipCondition(args[0]);
// Generate the name of the XML output file
String file = args[0] + ".xml";
// Render the AuthorMembershipCondition to
// XML and write it to a file
StreamWriter strm = new StreamWriter(file);
strm.Write(amc.ToXml( ).ToString( ));
strm.Close( );
// Display result
Console.WriteLine("Created author membership condition : " +
file);
}
}
# Visual Basic .NET
Imports System
Imports System.IO
Imports ORA.DotNetSecurity.Policy
Public Class CreateAuthorMembership
Public Shared Sub Main(ByVal args( ) As String)
' Create a new AuthorMembershipCondition based
' on the name of the author provided
Dim amc As AuthorMembershipCondition = _
New AuthorMembershipCondition(args(0))
' Generate the name of the XML output file
Dim file As String = args(0) + ".xml"
' Render the AuthorMembershipCondition to
' XML and write it to a file
Dim strm As StreamWriter = New StreamWriter(file)
strm.Write(amc.ToXml( ).ToString( ))
strm.Close( )
' Display result
Console.WriteLine("Created author membership condition : " & _
file)
End Sub
End Class
Build the CreateAuthorMembership utility using the
following command, remembering the dependency on the
AuthorMembershipCondition.dll library:
# C#
csc /reference:AuthorMembershipCondition.dll CreateAuthorMembership.cs
# Visual Basic .NET
vbc /reference:AuthorMembershipCondition.dll CreateAuthorMembership.vb
Run the command CreateAuthorMembership Peter to
create the XML representation of an
AuthorMembershipCondition that matches
Author evidence for the author
"Peter." Here is the content of the
Peter.xml file. The
PublicKeyToken value will differ depending on the key pair
you used to give the assembly a strong name:
<IMembershipCondition class="ORA.DotNetSecurity.Policy.AuthorMembershipCondition, AuthorMembershipCondition, Version=1.0.0.0, Culture=neutral, PublicKeyToken=cc5e18bc387194b3"
                      version="1"
                      name="Peter"/>
4.3. Configuring security policy
With
the Author.dll assembly configured as a fully
trusted assembly in the user policy level, you are ready to create a
code group whose membership condition is based on
Author evidence. Type the following command:
caspol -user -addgroup All_Code -custom Peter.xml FullTrust -name "Peter's code" -description "Code group grants all code written by Peter full trust"
Here is a summary of the arguments used in this command:
-user: Specifies that the command is to affect the user policy level.
-addgroup All_Code: Specifies that you want to add a new child code group to the existing group with the label "All_Code".
-custom Peter.xml FullTrust: Specifies that you are adding a custom membership condition contained in the file Peter.xml and that the permission set granted by the code group is the named permission set "FullTrust".
-name "Peter's code": Specifies the name of the new code group.
-description "Code group grants all code written by Peter full trust": Specifies a description for the new code group.
Depending on how Caspol.exe is configured, it
may prompt you to confirm the change you are about to make with the
following message:
The operation you are performing will alter security policy.
Are you sure you want to perform this operation? (yes/no)
Entering "yes" updates the user
security policy and commits the changes to disk; you will see the
following message:
Added union code group with "-custom" membership condition to the User level.
Success
5. Testing Custom Membership Conditions
The easiest way to test the
extensions to the policy resolution process is to use the
Caspol.exe tool. We embedded Author
evidence in an assembly named HelloWorld.exe. We
can use Caspol.exe and the
HelloWorld.exe assembly to show that the
"Peter's code"
code group does detect Author evidence and
evaluate it correctly. Type the following command from the directory
where HelloWorld.exe is located:
caspol -user -resolvegroup HelloWorld.exe
Caspol.exe produces the following output,
showing that HelloWorld.exe is a member of the
code group "Peter's
code":
Microsoft (R) .NET Framework CasPol 1.0.3705.288
Copyright (C) Microsoft Corporation 1998-2001. All rights reserved.
Level = User
Code Groups:
1. All code: FullTrust
1.1. Author - Peter: FullTrust
Success
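As an added example (not code from the book or its sample project), the following C# utility does in code what Sections 4.2 and 5 do with Caspol.exe: it reloads Peter.xml through SecurityElement.FromString and FromXml, refusing the fragment unless its class attribute resolves to a type that actually implements IMembershipCondition, checks the condition directly against the evidence of HelloWorld.exe, and then asks the User policy level which code groups that evidence resolves to. It assumes AuthorMembershipCondition.dll is installed in the GAC (so Type.GetType can resolve the assembly-qualified name) and that AuthorMembershipCondition exposes a parameterless constructor, as policy deserialization requires; the XML file and assembly are taken as command-line arguments.

```csharp
using System;
using System.Collections;
using System.IO;
using System.Reflection;
using System.Security;
using System.Security.Policy;
public class CheckAuthorPolicy {
    // Rebuild the membership condition from the XML fragment written by
    // CreateAuthorMembership, rejecting fragments whose "class" attribute
    // does not resolve to an IMembershipCondition implementation.
    public static IMembershipCondition LoadCondition(string xmlFile) {
        string xml;
        using (StreamReader reader = new StreamReader(xmlFile)) {
            xml = reader.ReadToEnd();
        }
        SecurityElement element = SecurityElement.FromString(xml);
        if (element.Tag != "IMembershipCondition")
            throw new ArgumentException("Not a membership condition fragment: " + element.Tag);
        // The class attribute is an assembly-qualified name; Type.GetType resolves it from the GAC
        string className = element.Attribute("class");
        Type type = Type.GetType(className, true);
        if (!typeof(IMembershipCondition).IsAssignableFrom(type))
            throw new ArgumentException(className + " does not implement IMembershipCondition");
        // Assumes a parameterless constructor, which policy deserialization also relies on
        IMembershipCondition condition = (IMembershipCondition)Activator.CreateInstance(type);
        condition.FromXml(element);
        return condition;
    }
    // Usage: CheckAuthorPolicy Peter.xml HelloWorld.exe
    public static void Main(string[] args) {
        IMembershipCondition condition = LoadCondition(args[0]);
        Evidence evidence = Assembly.LoadFrom(args[1]).Evidence;
        // Direct check: does the assembly's evidence satisfy the condition on its own?
        Console.WriteLine("{0} matches {1}: {2}", condition, args[1], condition.Check(evidence));
        // Policy check: which code groups in the User level does the evidence resolve to?
        IEnumerator levels = SecurityManager.PolicyHierarchy();
        while (levels.MoveNext()) {
            PolicyLevel level = (PolicyLevel)levels.Current;
            if (level.Label != "User") continue;
            CodeGroup matched = level.ResolveMatchingCodeGroups(evidence);
            if (matched != null) PrintGroup(matched, 0);
        }
    }
    private static void PrintGroup(CodeGroup group, int depth) {
        Console.WriteLine("{0}{1}: {2}", new string(' ', 2 * depth), group.Name, group.PermissionSetName);
        foreach (CodeGroup child in group.Children) PrintGroup(child, depth + 1);
    }
}
```

The printed code group tree should agree with the Caspol.exe -resolvegroup output above; a mismatch between the direct Check result and the policy resolution points at a policy configuration problem rather than a defect in the membership condition.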