Improving Web Application Security: Threats and Countermeasures

Code access security permissions must derive from System.Security.CodeAccessPermission , which provides an implementation of the Demand method defined by the IPermission interface, together with others such as Assert , Deny , and PermitOnly , which are defined by the IStackWalk interface.

Code access permissions (not identity permissions) also implement the IUnrestrictedPermission interface, to indicate that the permission is part of the unrestricted permission set. This means that the permission is automatically granted to any code that has full trust. The inheritance hierarchy for the custom EncryptionPermission implemented in this How To is shown in Figure 8.

Figure 8: Custom EncryptionPermission inheritance hierarchy

The custom EncryptionPermission class maintains the following states:

• EncryptionPermissionFlag . Determines whether code that is granted this permission is able to encrypt data, decrypt data, or both.

• StorePermissionFlag . Determines whether code that is granted this permission is able to use DPAPI with the machine store, current user store, or both.