HighTechTalks DotNet Forums  

web app - strong named assemblies

Dotnet Security microsoft.public.dotnet.security


Dav
 
web app - strong named assemblies - 02-21-2007, 12:12 AM

I have several business layer assemblies that I would like to share in
several different web applications. I plan to strong name them and install
them in the GAC. My understanding is the web applications run with Full
Trust and will be able to call methods in the business layer assemblies. How
can I ensure that these assemblies can only be used by the web applications I
want to have use them? Would this be the proper use for a code group?
Thanks for your help!

Claus Konrad [MCSD]
 
RE: web app - strong named assemblies - 02-23-2007, 10:44 AM

Everything running from your local PC is running with full trust by default.
This is unfortunately a setting chosen by MS to lower the "bar" I think.

Anyways - to ensure that only known assemblies are allowed to call your GAC
installed assemblies, you should apply a
StrongNameIdentityPermissionAttribute to the assemblies found in the GAC.
This attribute should include the public key (NOT PublicKeyToken) of the
assemblies that you will accept as callers of the GAC installed assemblies.

Additional:
And do change your CAS setting for "My_Computer_Zone" to "Everything"
instead of "FullTrust". "Everything" makes CAS take effect instead of just
allowing everything to run fully trusted.

Do however be prepared for some surprises if you choose to change the
PermissionSet of My_Computer_Zone.
--
rgds.
/Claus Konrad
MCSD.NET (C#)


Dominick Baier
 
RE: web app - strong named assemblies - 02-23-2007, 11:01 AM

Well - since ASP.NET is the client, I would NOT change the local computer
zone. Use a trust level in ASP.NET (see the <trust> element in web.config).

Also StrongNameIdentityPermission is a 1:1 relationship - this does not scale
very well.

To implement what you want you need to:

- run the ASP.NET apps in partial trust
- implement custom CAS permissions to grant access to your components
- grant the permissions to the corresponding ASP.NET applications

I have described this approach in my book (see below)

-----
Dominick Baier (http://www.leastprivilege.com)

Developing More Secure Microsoft ASP.NET 2.0 Applications (http://www.microsoft.com/mspress/books/9989.asp)
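
The custom-permission steps listed in the reply above, as an added example; it is not code from the post or from the book it mentions. `BusinessLayerPermission` and `OrderService` are hypothetical names, and the permission class is assumed to live in a fully trusted, GAC-installed assembly.

```csharp
using System;
using System.Security;
using System.Security.Permissions;

// Strong-named assemblies reject partial-trust callers unless they opt in.
[assembly: AllowPartiallyTrustedCallers]

// Hypothetical custom CAS permission: a yes/no right to call the business layer.
[Serializable]
public sealed class BusinessLayerPermission : CodeAccessPermission, IUnrestrictedPermission
{
    private bool granted;

    // Policy loading creates the permission through this constructor.
    public BusinessLayerPermission(PermissionState state) { granted = state == PermissionState.Unrestricted; }
    public bool IsUnrestricted() { return granted; }
    public override IPermission Copy() { return (IPermission)MemberwiseClone(); }
    public override IPermission Intersect(IPermission target)
    {
        BusinessLayerPermission other = target as BusinessLayerPermission;
        return (other != null && granted && other.granted) ? Copy() : null;
    }
    public override bool IsSubsetOf(IPermission target)
    {
        // An ungranted (empty) permission is a subset of anything, including null.
        BusinessLayerPermission other = target as BusinessLayerPermission;
        return !granted || (other != null && other.granted);
    }
    public override SecurityElement ToXml()
    {
        SecurityElement e = new SecurityElement("IPermission");
        e.AddAttribute("class", GetType().AssemblyQualifiedName);
        e.AddAttribute("version", "1");
        if (granted) e.AddAttribute("Unrestricted", "true");
        return e;
    }
    public override void FromXml(SecurityElement e)
    {
        granted = "true".Equals(e.Attribute("Unrestricted"), StringComparison.OrdinalIgnoreCase);
    }
}

public class OrderService // hypothetical GAC-installed business component
{
    public void PlaceOrder()
    {
        // Stack walk: throws SecurityException unless every caller was granted the permission.
        new BusinessLayerPermission(PermissionState.Unrestricted).Demand();
    }
}
```

Full-trust callers pass any demand, so this check only separates applications once they run under a partial-trust `<trust>` level. The permission is then granted in the trust policy of the applications that are allowed to call the component.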



