The world has changed. In the last century, people who could write large-scale code were recognized as great programmers. Nowadays, however, the criterion has changed: coding with security.
Microsoft is a respected company (at least to me). The reason is that it can recognize its own weaknesses and make the corresponding changes, and I guess that's why it's still a giant right now.
The security models of .NET and Windows are different. The principle Windows uses to authenticate is the 'role', like the 'Token' carried by an account, a process or a thread. Microsoft realized that this is not safe: if an account is cracked, every restriction tied to that role falls down. Windows has always had a bad reputation for insecurity.
A new approach to authentication came along with .NET. It is much less granular. Security is no longer just about the account; assemblies are involved as well. The bad reputation hurt Microsoft badly; you can see it in the facilities used to compose the whole security architecture. Coding with .NET is a painful thing if you have no idea about .NET security. Even if you happen to avoid the security mechanism during development, trust me, you can't escape it at deployment.
Recently I was involved in a web part project. As I mentioned, I couldn't escape security either. Actually, the whole procedure was not as painful as I imagined: I understood the whole .NET security mechanism within 2 days.
Here’s my true story:
First day: A woman told me, "Obviously, Michael, you have no idea about the .NET security mechanism."
Second day: I started to dig into security.
Third day: The .NET security mechanism was just like a bird in my hand.
My learning plan is simple but efficient.
Step 1: Understand the fundamental items of security.
Step 2: Learn how to manipulate security through configuration.
Step 3: Learn how to manipulate security programmatically.
Steps 2 and 3 are easy, but they require that you truly understand step 1.
Here are some key items I think you should know:
Evidence; Permission; Permission Set; Code Group; Policy. I don't intend to explain every item; if I did, I would make my article like every other article on the internet that talks about .NET security. I would like to bring you something special: one analogy to render their relationships.
If you're an employee of a company, how can you prove it? Yeah, your ID card can prove it. That's your Evidence.
When you enter the office, you do what you are allowed to do, like drinking coffee, talking to your colleagues and doing your job. Each of these is a Permission.
Many Permissions compose a Permission Set.
Now you have your ID card and you're allowed to do several things under those permissions. That's your Code Group, which means your Evidence + Permission Set is your Code Group.
If you understand the above, then Policy is easy: several Code Groups compose a Policy.
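To see the same relationships in code (the programmatic way from Step 3), here is an added example that is not from the original post; the class name, the URL and the folder path are assumptions made up for the illustration.

```csharp
// Added example, not from the original post: builds a CAS policy level in memory
// to show Evidence -> Permission -> Permission Set -> Code Group -> Policy.
// .NET Framework only; from version 4 on CAS policy is off by default and these
// types are obsolete, so this studies the model rather than enforcing anything.
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;
class CasPolicyDemo
{
    // Hypothetical values chosen for the example.
    const string TrustedUrl = "http://intranet.example/webparts/*";
    const string SharedFolder = @"C:\Shared\";
    static PolicyLevel BuildPolicy()
    {
        // Root Code Group: matches every assembly, grants only the right to run.
        var runOnly = new PermissionSet(PermissionState.None);
        runOnly.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        var root = new UnionCodeGroup(new AllMembershipCondition(), new PolicyStatement(runOnly));
        // Child Code Group = Evidence (a Url) + Permission Set (run + read one folder).
        var readShared = new PermissionSet(PermissionState.None);
        readShared.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        readShared.AddPermission(new FileIOPermission(FileIOPermissionAccess.Read, SharedFolder));
        root.AddChild(new UnionCodeGroup(new UrlMembershipCondition(TrustedUrl),
                                         new PolicyStatement(readShared)));
        // The tree of Code Groups is the Policy (here an AppDomain-level policy).
        PolicyLevel level = PolicyLevel.CreateAppDomainLevel();
        level.RootCodeGroup = root;
        return level;
    }

    // Presents a Url as host Evidence and asks the Policy what it grants.
    static bool GrantsSharedFolderRead(PolicyLevel level, string assemblyUrl)
    {
        var evidence = new Evidence();
        evidence.AddHost(new Url(assemblyUrl)); // AddHostEvidence on .NET Framework 4+
        PolicyStatement granted = level.Resolve(evidence);
        // UnionCodeGroup merges the root grant with each matching child's grant,
        // so FileIOPermission appears only for code matching the trusted Url.
        return granted.PermissionSet.GetPermission(typeof(FileIOPermission)) != null;
    }

    static void Main()
    {
        PolicyLevel policy = BuildPolicy();
        Console.WriteLine(GrantsSharedFolderRead(policy, "http://intranet.example/webparts/a.dll"));
        Console.WriteLine(GrantsSharedFolderRead(policy, "http://www.example.org/x.dll"));
    }
}
```

The first call matches the intranet Code Group and receives the folder-read Permission; the second only matches the root group and gets the run-only Permission Set.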