I read today with great excited from Mauro Sant'Anna's blog about how CAS is now DEAD! DEAD! DEAD! DEAD! Dead as a DOOR KNOB! Awesome news! The only thing is, it's only dead in the .NET 1.1, 2.0 sense. Here's hoping MS makes it a bit easier to understand and implement for 4.0!
Not quite sure what CAS is all about? Actually, consider yourself lucky! But if you wanted a bit of a peak, at a VERY high level, it's about limiting access to objects (registry, printers, file systems, networking, clipboard even!). There is Evidence, Zones, Code Groups, Permissions Sets, CASPOL.exe, SecurityPermission attributes or methods (declarative and/or programmatic), SecurityAction, Assert, Demand or Deny... ya, the list goes on and on and on.
Confusing and a bit and actually very mind numbing! In fact, it's been around since .NET 1.0 and people STILL don't use it today, and we're onto version 4.0 soon! I think MS changing it was a smart move!
The key to the new and improved way has only three code type layers, and the key here is everyone can call everyone else EXCEPT Transparent CANNOT call into Critical code. This is protected by the CLR runtime!
Check out the 10m vid from Channel 9 for more information.
So now that you know a bit more about .NET Security, it's time to go grab a coffee and get coding!
Resourcs:
Mauro Sant'Anna: CAS is dead - Official
Channel 9: 10-4 Episode 39: CLR 4 Security and Sandboxing