I have piles of magazines that I poke into when I get a chance. Finally, the Nov 05 Security issue of MSDN Mag got pulled up to the top of the pile. As we have come to expect from MSDN, it is filled with fantastic content. One of the articles is called “Are you in the Know? Find out what's new in Code Access Security in .NET 2.0”. It is written by Mike Downen, who is definitely in the know! Here's his bio: Mike Downen is the program manager for security on the CLR team. He works on Code Access Security, the cryptography classes, and the ClickOnce security model. You can read Mike's blog and contact him at blogs.msdn.com/CLRSecurity.).
But don't be fooled by the title. It does not just assume you know all about CAS in 1.x and dive in with the listing and explaining only what's new and. Instead, I think the real focus of the article is about explaining CAS, sandboxing, hosting apps and throughout he makes references to .NET 2.0 things like ClickOnce and then spends some time on a new feature - Security Transparency.
Right up front, Mike addresses the most common misconception with CAS. People identify security and permissions with user roles. E.g. if you are in the “admin“ role, you can edit social security numbers in a program, access the registry on a computer, etc. Because of that people either just assume they grok the basics of CAS and go no further, or get pretty confused when they try to dig deeper because they are coming at it from the wrong perspective. And this is not a guru vs. newbie problem. I remember a discussion of CAS on one of the early DotNetRocks with host Carl Franklin and guest Brent Rector. Carl hadn't done much work with CAS yet and approached it with what was familiar - assuming that it was based on roles. This was fodder for a great explanation of CAS by Brent and probably made a lot of listeners realize that it *is* tough to grok and they weren't just being dopes.
Unfortunately, CAS is something we all need to know and understand. Minimally, I think we should know it at least well enough to know when we need to dig further. Very fortunately, Mike's explanation of CAS is SO clear and SO tangible that even though some of us may get lost at the end with the new hosting method that he touches on (and is dealt with in depth in another article in the same issue) and transparency (or just have to read it a few times), I would recommend this article as must reading for anyone at almost any level of experience who wants to learn about CAS.
Since CAS is one of the “5 scary things about .NET” that I'll be talking about at DevConnections in a 75 minute session, I only have about 15 minutes to cover it. My goal (as with the other 4 topics) is to get attendees comfortable enough with a very basic understanding that they should be eager to follow up with this article instead of daunted by the fact that it has the phrase “Code Access Security“ in the title.