Introducing Code Access Security in .NET Framework


Code Access Security is a feature that enables you to define restrictions on code that would be executing in the managed environment. You can use Code Access Security to restrict access to your code, define policy levels (Enterprise, Machine, User and Application Domain), code groups, and grant or revoke permissions, etc. You can also implement both imperative and declarative security modes in your application. This article takes a look at Code Access Security (CAS) the benefits of the concepts while emphasizeing the new features in CAS in .NET Framework 4.0.

What is Code Access Security?

Code Access Security is a security feature in .NET that provides restrictions on the code that is to be executed based on who the owner of the code is, where it has been downloaded from, the evidences, etc. The CLR would allow your code to only perform operations that are permitted. The Wikipedia states: "Code Access Security (CAS), in the Microsoft .NET framework, is Microsoft's solution to prevent untrusted code from performing privileged actions. When the CLR loads an assembly it will obtain evidence for the assembly and use this to identify the code group that the assembly belongs to. A code group contains a permission set (one or more permissions). Code that performs a privileged action will perform a code access demand which will cause the CLR to walk up the call stack and examine the permission set granted to the assembly of each method in the call stack. The code groups and permission sets are determined by the administrator of the machine who defines the security policy." http://en.wikipedia.org/wiki/Code_Access_Security In essence, you can use Code Access Security to restrict what all your code can do, restrict which code can invoke your code and also identify code. Code Access Security imposes certain restrictions and policies based on which access to protected resources and operations are governed.

Note that Code Access Security is based on two key concepts, namely, Code Groups and Permissions. Each and every .NET assembly belongs to a particular Code Group. Each Code Group in turn is granted a set of permissions that are specified in the permission set to which it is associated. You can use the following command in the command line to see the code groups defined on your system:

  caspol -lg

Code Access Security comprises of the following elements:

  • Permissions - these represent a resource that is protected, or, the ability to perform an operation that is protected.
  • Permission Sets - Permission Sets comprise of a collection of permissions. The built-in permission sets provided by the CLR include: Nothing, Execution, Internet, LocalIntranet, Everything and, FullTrust.
  • Code Groups - Code Groups are defined as logical grouping of code with a specified membership condition.
  • Evidence - This can be defined as information that is associated with an assembly--it denotes the origin of code. The CLR examines the evidence associated with the code and then it checks what all permission sets are associated with the code group. Some typical types of evidence include: site, strong name, publisher, URL and zone. In essence, evidence is typically used to authenticate the code. The various identity permissions that are used to authenticate code include: PublisherIdentityPermission, SiteIdentityPermission, StrongNameIdentityPermission, ZoneIdentityPermission and URLIdentityPermission.
  • Policies - Policies are defined as a configurable set of rules that determine the permissions to grant access to a piece of code. Policies typically represent the user roles. There consist of the following types: Application Domain Policy, User Policy, Machine Policy and Enterprise Policy.

Using Declarative and Imperative Syntax

You can define Code Access Security in your code either using declarative syntax or using imperative syntax. While you use attributes to define Code Access Security declaratively, the imperative syntax used runtime method calls.

Here is how you can implement Code Access Security declaratively:

  [FileIOPermission(SecurityAction.Demand, Unrestricted=true)]
  public class Test
      public void DoWork() 
        //Some code
  Here is how you can implement Code Access Security using imperative syntax:
  public class Test
      public void DoWork() 
         FileIOPermission fileIOPermission = 
            new FileIOPermission(PermissionState.Unrestricted);

Introducing Code Access Security in .NET Framework

Code Access Security in ASP.NET

Your ASP.NET applications run with full trust and have unrestricted permissions by default. However, you can configure the trust levels using the <trust> element in the machine.config file as shown below:

    <!-- level="[Full|High|Medium|Low|Minimal]" -->
    <trust level="Full" originUrl=""/>

You can have any of the following trust levels in ASP.NET:

  • Full
  • High
  • Medium
  • Low
  • Minimal

The policy file in ASP.NET is organized as shown below:

                  <PolicyLevel version="1">
                        ... list of security classes, permission types, 
                          and code group types ...
                        <PermissionSet Name="FullTrust" ... />
                        <PermissionSet Name="Nothing" .../>
                        <PermissionSet Name="ASP.NET" ...
                          ... This is the interesting part ...
                          ... List of individual permissions...
                                      Level="High" />
                                      Unrestricted="true" />
                            ...Continued list of permissions...
                  </PolicyLevel version="1">

Changes in .NET Framework 4

Microsoft .NET Framework 4 is available as part of Microsoft Visual Studio 2010 release. The two major security changes that have come in .NET Framework 4 are:

  • Elimination of machine wide Security Policy
  • Security transparency is now the Default Enforcement Mechanism

Note that Code Access Security has not been eliminated. The Security Policy has been removed but you still have evidence and permissions in effect. To know more on the security changes in .NET Framework 4, you can take a look at the MSDN article, "Security Changes in the .NET Framework 4".


Code Access Security is a security feature in .NET that you can use to impose certain restrictions on the code to be executed. The MSDN states: "Code access security (CAS) is the .NET Framework security mechanism (the "sandbox") that is used by ASP.NET to enforce constraints on the ability to execute code." Reference: http://msdn.microsoft.com/en-us/library/dd984947.aspx

In this article we examined Code Access Security in .NET with special focus on the new features that came up in .NET Framework 4.0. Happy reading!

Suggested Readings


Related Article

This article was originally published on December 9th, 2010

About the Author

Joydip Kanjilal

Microsoft Most Valuable Professional, Author and Speaker. Featured in "MSDN Featured Developer of the Fortnight (India)" a number of times. Winner of Community Credit Awards at www.community-credit.com several times. Authored numerous books and articles in Microsoft .NET and its related technologies. Authored the following books:-- ASP.NET 4.0 Programming (Mc-Graw Hill Publishing) Entity Framework Tutorial (Packt Publishing) Pro Sync Framework (APRESS) Sams Teach Yourself ASP.NET Ajax in 24 Hours (Sams Publishing) ASP.NET Data Presentation Controls Essentials (Packt Publishing)

Close Icon
Thanks for your registration, follow us on our social networks to keep up-to-date