Is it necessary to learn about Code Access Security (CAS) for desktop application development in C#?
see also http://stackoverflow.com/questions/1566934/is-code-access-security-of-any-real-world-use – Ian Ringrose Oct 22 '09 at 08:27
6 Answers
That’s a pretty broad question to ask, and the answer depends on a number of things. The two most important factors, however, are your target environment and your method of deployment.
Most consumer software is installed with an installer (MSI) and gets full-trust on the target machine. If this is your environment and method of delivery, you’ll likely never need to learn or master Code Access Security. On the other hand, enterprise customers generally want more control over what software can and can’t do. Code Access Security provides IT with the ability to lock down applications and the control they can assert over the machine they’re installed on. So if you’re building for Enterprise, understanding CAS may be a requirement.
Regardless of your target market, how you deploy your application may require you to learn about CAS. XBAP applications are by default NOT full-trust and require significant steps to elevate to full-trust. Click-Once deployed applications are also not full-trust but can be elevated to full-trust more easily. So if you plan to deploy software using either of these methods, you’ll likely want to understand CAS.
And finally, Silverlight as a platform by definition is not full-trust. In fact it can never be full-trust. This is not a CAS issue because no depth of understanding CAS will help you overcome the fact that Silverlight does not include code required to perform full-trust activities. The reason I include Silverlight here, however, is that a good understanding of CAS might come in handy when understanding some of the security limitations that exist in the platform by design.
Hope that helps.

Yes, if you want to get an MCPD. In the real world I have never needed it. I write applications for the Government and they are pretty tight on security and they have never requested it.

It is not essential, but it certainly helps to make your application more secure. Implicit declarations on methods make your intentions clear.

Ugh, it was a nice idea (I guess), but in real life CAS only rears its ugly head when you try to deploy or read a file off a network drive. It's not difficult to 'learn', but I wouldn't dwell on it.

Desktop applications are considered "Full Trust"; you will never need CAS for full-trust applications.
I bought a book on it shortly after .NET 1.0 came out; I'll never get the time I spent reading it back.

I have never actually run across a situation that required code access security. It is a definite requirement for getting an MCPD or MCSD (or whatever the new cert is), but I think a better idea would be to understand secure coding practices (configuration encryption, dealing with user input, etc.) before going down the route of code access security.
