1) Don't trust anything from the client.
2) Revoke fulltrust for the all_code code group on your server.
3) Create a codegroup that allows code with your signature to run with fulltrust (and other signatures/evidence that you trust)
4) Delay sign your assemblies and make sure stringent code review is done before you sign your assemblies.
5) Don't forget to lock the door.

Cheers,
Ed

-----Original Message-----
From: Diego Parolin [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 23, 2003 5:14 AM
To: [EMAIL PROTECTED]
Subject: [ADVANCED-DOTNET] Prevent the creation of the user from code

Hi,

in this example

    Dim ident As New GenericIdentity("Bob")
    Dim prpal As New GenericPrincipal(ident, New String() {"Level1"})

I create a Bob user, but if I want to create a Principal object by a WindowsFormAuthentication (with User and Password), I don't want to be able to create a Principal object by code, because someone could violate my application.

Therefore I want to prevent someone from creating a Bob user or other users by code. How can I do it? I want to do this in a client/server application and not in ASP.NET.

I want to receive a SecurityException if I try to create the user Bob by code. I want these lines of code:

    Dim ident As New GenericIdentity("Bob")
    Dim prpal As New GenericPrincipal(ident, New String() {"Level1"})

to throw a SecurityException, because the user must always be created with the WindowsFormAuthentication.

The problem is that the methods of my assembly are marked with Declarative Security (an attribute that accepts a user), so someone could access this assembly if he creates a client and then creates an Identity by code: I want to prevent this.

TIA,
Diego Parolin

You can read messages from the Advanced DOTNET archive, unsubscribe from Advanced DOTNET, or subscribe to other DevelopMentor lists at http://discuss.develop.com.
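
The point of advice item 1 applied to the question above, as an added example that is not code from either poster: a role demand only inspects whatever principal is attached to the current thread, so the server process must be the one that verifies credentials and attaches the principal. It assumes the .NET Framework; `Login`, `VerifyCredentials`, `ProtectedOperation` and the in-memory account for "Bob" are hypothetical names and constructed sample data.

```vb
Imports System
Imports System.Security
Imports System.Security.Cryptography
Imports System.Security.Permissions
Imports System.Security.Principal
Imports System.Threading

Module ServerSidePrincipalDemo
    ' Constructed sample account store: one salt and one PBKDF2 hash for user "Bob".
    Private ReadOnly Salt As Byte() = {1, 2, 3, 4, 5, 6, 7, 8}
    Private ReadOnly BobHash As Byte() = Derive("constructed-sample-password")
    Private Function Derive(ByVal password As String) As Byte()
        Using kdf As New Rfc2898DeriveBytes(password, Salt, 100000)
            Return kdf.GetBytes(32)
        End Using
    End Function
    ' Hypothetical credential check: compares every byte so timing does not depend on the match position.
    Private Function VerifyCredentials(ByVal user As String, ByVal password As String) As Boolean
        Dim candidate As Byte() = Derive(password)
        Dim diff As Integer = 0
        For i As Integer = 0 To candidate.Length - 1
            diff = diff Or (candidate(i) Xor BobHash(i))
        Next
        Return user = "Bob" AndAlso diff = 0
    End Function
    ' The only place a principal is attached; the role list comes from the server, never from the caller.
    Public Sub Login(ByVal user As String, ByVal password As String)
        If Not VerifyCredentials(user, password) Then
            Throw New SecurityException("Authentication failed for " & user)
        End If
        Thread.CurrentPrincipal = New GenericPrincipal(New GenericIdentity(user), New String() {"Level1"})
    End Sub
    ' Imperative form of a declarative role demand: throws SecurityException unless the thread's principal is in Level1.
    Public Sub ProtectedOperation()
        Dim perm As New PrincipalPermission(Nothing, "Level1")
        perm.Demand()
        Console.WriteLine("Level1 operation ran for " & Thread.CurrentPrincipal.Identity.Name)
    End Sub
    Sub Main()
        ' Three attempts: no login, wrong password, correct (constructed) password.
        For Each pw As String In New String() {Nothing, "guess", "constructed-sample-password"}
            Try
                If pw IsNot Nothing Then Login("Bob", pw)
                ProtectedOperation()
            Catch ex As SecurityException
                Console.WriteLine("Denied: " & ex.Message)
            End Try
        Next
    End Sub
End Module
```

Under code access security, replacing `Thread.CurrentPrincipal` requires `SecurityPermission` with the `ControlPrincipal` flag, which is what a restricted grant for unsigned code withholds.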
