Assume a .NET class library that, for example, writes to the Windows registry. This code then has a problem running over the Internet, because the default Internet policy does not give access to write to the registry.

By adding a RequestMinimum statement in the assembly we can specify that the code requires permission to write to the registry. This will not alter the fact that the code does not have the permission, but will stop the assembly from loading; the runtime will throw a System.Security.Policy.PolicyException and identify the permission that is required.

Do you know any other examples of using evidence, security policy and permissions (the key elements of code-access security) to prevent an assembly from loading on a web server?

+1  A: 

You can prevent any assembly from loading in any context (web server or otherwise) if you deny it SecurityPermission\Execution. In .NET 3.5 and earlier, ASP.NET trust levels are intersected with local CAS policy on the machine in order to determine the final permission grant for any given assembly. Therefore, you can prevent an assembly from being loaded under ASP.NET by denying it execution permission via local CAS policy, using the usual evidence and code group membership condition mechanisms. (This will not hold true in .NET 4.0, where local CAS policy will no longer exist.)

Nicole Calinoiu
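
The RequestMinimum declaration described in the question, written out as an added example (not code from either poster) for .NET 3.5 and earlier, the versions the answer covers. The registry key path, the namespace and the `SettingsWriter` class are hypothetical names chosen for illustration.

```csharp
using System;
using System.Security.Permissions;
using Microsoft.Win32;

// Assembly-level declarative request: if policy does not grant registry
// access to this key, the loader rejects the whole assembly up front
// instead of letting Save() fail later with a SecurityException.
// Read, Write and Create are all requested because CreateSubKey opens
// the key for writing and creates it when it does not exist.
// The key path is a hypothetical example.
[assembly: RegistryPermission(
    SecurityAction.RequestMinimum,
    Read = @"HKEY_CURRENT_USER\Software\ExampleVendor\ExampleApp",
    Write = @"HKEY_CURRENT_USER\Software\ExampleVendor\ExampleApp",
    Create = @"HKEY_CURRENT_USER\Software\ExampleVendor\ExampleApp")]

namespace ExampleLibrary
{
    // Hypothetical library class that needs the permission requested above.
    public static class SettingsWriter
    {
        private const string SubKey = @"Software\ExampleVendor\ExampleApp";

        public static void Save(string name, string value)
        {
            if (name == null)
            {
                throw new ArgumentNullException("name");
            }

            // Never reached under a policy that withholds the requested
            // permission, because the assembly is not loaded at all.
            using (RegistryKey key = Registry.CurrentUser.CreateSubKey(SubKey))
            {
                key.SetValue(name, value ?? string.Empty, RegistryValueKind.String);
            }
        }
    }
}
```

The request does not grant anything; it only turns a missing grant into a load-time failure, which is the behaviour the question relies on.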