Microsoft SQL Server 2005: The Complete Reference: Full Coverage of all New and Improved Features

A number of mechanisms are in place to secure resources and assemblies from unauthorized users, hostile code, and viruses. Here are the three basic security levels:

As a SQL Server CLR developer, you need to consider security on a number of levels. You need to determine how your code will run in the target environment, how it will resist attack, and how you can handle security exceptions that are raised when your code is blocked.

Note 

We don’t condone writing assemblies for malicious or hostile use, but nevertheless there are developers out there with less than amicable intent who will be reviewing the .NET security model to figure out how they can get assemblies onto the .NET runtime.

Tip 

You can protect your assemblies from invasion through the technique of strong naming or digital signing. If your assemblies are going to find their way into the public domain, it is recommended that you both sign and strongly name them. A strong name is a unique name that is generated from the contents of an assembly, such as version numbers, simple names, digital signatures, culture information, and so on.

You should fully investigate both strong-naming techniques and digital signing of the assembly, which is achieved through public key encryption technology via the services of a Public Key Infrastructure (PKI), because most Chief Technical Officers (CTOs) are going to demand it, and because it is for your own protection.
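The following is an added example, not code from the book: it audits assembly display names for a strong name and checks that the public key token matches a publisher key you trust. The token derivation (last 8 bytes of the SHA-1 hash of the public key, byte-reversed) is standard .NET behaviour; the function names, the key blob, and the assembly names are constructed for illustration.

```python
import hashlib

def public_key_token(public_key_blob: bytes) -> str:
    """Last 8 bytes of SHA-1(public key blob), byte-reversed, as lowercase hex."""
    return hashlib.sha1(public_key_blob).digest()[-8:][::-1].hex()

def parse_identity(display_name: str) -> dict:
    """Split 'Name, Version=..., Culture=..., PublicKeyToken=...' into fields."""
    simple, *parts = [p.strip() for p in display_name.split(",")]
    fields = {"name": simple}
    for part in parts:
        key, _, value = part.partition("=")
        fields[key.strip().lower()] = value.strip().lower()
    return fields

def audit(display_names, trusted_key_blob: bytes) -> dict:
    """Classify each identity as 'unsigned', 'untrusted-key' or 'trusted'."""
    expected = public_key_token(trusted_key_blob)
    verdicts = {}
    for display_name in display_names:
        ident = parse_identity(display_name)
        token = ident.get("publickeytoken", "null")
        if token in ("", "null"):
            verdicts[ident["name"]] = "unsigned"       # no strong name at all
        elif token == expected:
            verdicts[ident["name"]] = "trusted"        # signed with the expected key
        else:
            verdicts[ident["name"]] = "untrusted-key"  # strong-named, unknown signer
    return verdicts

# Constructed sample data: a stand-in public key blob and three identities.
TRUSTED_KEY = bytes(range(160))
SAMPLES = [
    "OrderRules, Version=1.2.0.0, Culture=neutral, PublicKeyToken="
    + public_key_token(TRUSTED_KEY),
    "LegacyUtil, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null",
    "Imported, Version=3.1.0.0, Culture=neutral, PublicKeyToken=0123456789abcdef",
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLES, TRUSTED_KEY).items():
        print(f"{name}: {verdict}")
```

A matching token only identifies the signing key; whether the signature over the assembly contents is valid is checked by the runtime at load time or with the SDK's `sn -v` tool.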
