Udostępnij za pośrednictwem


Code Groups

Important

In the .NET Framework version 4, the common language runtime (CLR) is moving away from providing security policy for computers. Microsoft is recommending the use of Windows Software Restriction Policies as a replacement for CLR security policy. The information in this topic applies to the .NET Framework version 3.5 and earlier; it does not apply to version 4.0 and later. For more information about this and other changes, see Security Changes in the .NET Framework 4.

A code group is a logical grouping of code that has a specified condition for membership. Any code that meets the membership condition is included in the group. Code groups have associated permission sets that are evaluated during a policy grant. Administrators configure security policy by managing code groups and their associated permission sets.

The following table shows the code group membership conditions provided by the .NET Framework. Membership conditions are implemented as classes.

Membership condition

Condition based on

All code

AllMembershipCondition

Represents a membership condition that matches all code.

Application directory

ApplicationDirectoryMembershipCondition

The application's installation directory.

Cryptographic hash

HashMembershipCondition

An MD5, SHA1, or other cryptographic hash.

Software publisher

PublisherMembershipCondition

The public key of a valid Authenticode signature.

Site membership

SiteMembershipCondition

The HTTP, HTTPS, and FTP site from which code originates.

Strong name

StrongNameMembershipCondition

A cryptographically strong signature.

URL

UrlMembershipCondition

The URL where the code originates, including the final wildcard; for example, http://site/app/*.

Zone

ZoneMembershipCondition

The zone where the code originates.

The common language runtime uses identifying characteristics (evidence) that describe the code to determine whether a group's membership condition has been met. For example, if the membership condition of the group is "Code from the www.microsoft.com Web site", the runtime examines the evidence to determine whether the code originates from www.microsoft.com.

Each code group is associated with a named permission set. Code groups can also have attributes that affect how the code group is used to define security policy.

Enterprise, machine, and user policy levels are represented by a hierarchy of code groups. The application domain level cannot be administratively configured , but it does have a hierarchy of code groups that can be programmatically set. The root of each hierarchy is the group containing all code. The all code group has child nodes, and those child nodes have child nodes, and so on. If code is a member of the parent code group, then the code might be a member of one or more of that group's child code groups. If code is not a member of the parent code group, it cannot be a member of any of the code groups that are descended from that parent.

Code groups have optional description and name attributes that you can view using the .NET Framework Configuration Tool.

See Also

Concepts

Code Group Attributes

Evidence

Named Permission Sets

Other Resources

Security Policy Management