The .NET Framework includes a very rich security framework. Applications
can state the permissions that they require, and system or machine
administrators can decide what permissions a piece of code is allowed.
There's been plenty written about how the pieces fit together, but as a
developer, how do you test your code under common permission scenarios?
That's where CAS/Tester comes in.
That's where CAS/Tester comes in. Running as a standalone application or
as an add-in to either VS .NET 2002 or VS .NET 2003, it will launch your
application under a whole bunch of different permission sets (about 80
of them by default) to see what happens. When it's done poking your
application with this permissions stick, you get back a nicely-formatted
report showing which combinations of permissions (if any) caused your
application to throw an exception, and where the exceptions occurred.
Armed with this information, you can engage in some defensive
programming to make sure that your code exits gracefully if it can't get
sufficient permissions to run.
You can let CAS/Tester just instantiate an object for testing, or you
can specify a particular method that should be fired off in every test.
But things don't stop there. There's also a scripting language that lets
you specify functions that CAS/Tester should call, or even to adjust the
permission sets that get tested. You'll also find helper functions to do
things like click buttons, so you can get some sense of GUI security
without having to write your own unmanaged code to click the buttons.
Everything is also callable from the command line, making it possible to
integrate CAS/Tester into an automated build process.
If you've never worked with .NET's Code Access Security before, you may
be shocked at the number of ways that CAS/Tester can find to provoke an
exception out of your application. And remember, any of these permission
sets could be set by a machine administrator. It's up to you to catch
and respond to security issues, rather than just letting your code
crash. To see what I mean, you can download a trial version from the
Desaware Web site.
Mike Gunderloy has been developing software for a quarter-century now, and writing about it for nearly as long. He walked away from a .NET development career in 2006 and has been a happy Rails user ever since. Mike blogs at A Fresh Cup.