Opting Out of Security Changes in .NET 4 – #5

May 20th 2009 04:05 pm

I decided to provide another tip today since .NET 4 Beta 1 was released! I definitely like the changes that the security team has made to make permissions easier to understand and to improve enforcement of transparency, but there are breaking changes here that require work you may not be ready for. If you need to revert to the old behavior (e.g. using CAS policy, CLR 2.0 transparency, or the old SecurityActions) in order to prepare for migration, then take a look below.

To enable legacy CAS policy, support for the obsolete SecurityActions, and anything else that can make AppDomains heterogeneous, add the NetFx40_LegacySecurityPolicy element to the runtime element of your configuration file. This will enable the legacy behavior only for the application for which you make the configuration change.

<configuration>
  <runtime>
    <NetFx40_LegacySecurityPolicy enabled="true" />
  </runtime>
</configuration>

To revert to CLR 2.0 transparency, add the System.Security.SecurityRulesAttribute to your assembly and specify the Level1 SecurityRuleSet. (Level1 = CLR 2.0, Level2 = CLR 4.0)

[assembly: SecurityRules(SecurityRuleSet.Level1)]

Update June 8, 2009: The configuration switch for enabling legacy CAS policy under .NET 4 Beta 2 has changed to NetFx40_LegacySecurityPolicy, and I’ve updated the post above. In case you are using .NET 4 Beta 1, the switch is legacyCasPolicy, as shown below.

<configuration>
  <runtime>
    <legacyCasPolicy enabled="true" />
  </runtime>
</configuration>

Technorati Tags: security tips,.NET 4.0,CAS policy,transparency,legacy

Posted by David DeWinter under .NET4/VS2010 & Security Tips | 8 Comments »

8 Responses to “Opting Out of Security Changes in .NET 4 – #5”

Ted responded on 01 Aug 2009 at 10:35 am #

I tried the above when I installed VS 2010 Beta1, and it didnt work.
I modified the app.config in my project and also the devenv.exe.config – nothing helped.
I tried both legacyCasPolicy and NetFx40_LegacySecurityPolicy.

The error wont go away…
David DeWinter responded on 03 Aug 2009 at 12:37 pm #

Ted, what error are you seeing? Do you have a message and a stack trace?
Constantin Baciu responded on 19 Jan 2010 at 7:32 am #

Hi there,

I’m having the same problem here. (ASP.Net Web Application on .Net 4.0 beta2 and a DevExpress control that has no .Net 4.0 support and has CAS).
I’ve tried with the NetFx40_LegacySecurityPolicy configuration switch but the error I get is the same:

This method explicitly uses CAS policy, which has been obsoleted by the .NET Framework. In order to enable CAS policy for compatibility reasons, please use the NetFx40_LegacySecurityPolicy configuration switch. Please see http://go.microsoft.com/fwlink/?LinkID=155570 for more information.
David DeWinter responded on 21 Jan 2010 at 11:45 am #

Thanks for bringing this up Constantin. You’ll need to set the legacyCasModel attribute on the trust element in your web.config to “true” in order for ASP.NET to run with this setting.

I will blog about this in more detail later.
Constantin Baciu responded on 27 Jan 2010 at 5:27 am #

Hello again,

Thank you for the tip. It works..

Looking forward for the blog post for details that I might have missed.

Keep up the good work!

Regards,
Costi.
GT responded on 26 Feb 2010 at 2:43 am #

Hi!

I am having this error in my windows forms designer (VS 2010 RC)

I’ve tried setting NetFx40_LegacySecurityPolicy in my: app.config as well as in the lc.exe.config (what i have found in this post: http://stackoverflow.com/questions/1733252/net-4-0-with-code-access-security-netfx40-legacysecuritypolicy-wont-work)

any other ideas for me??

THANKS! regards gerry
GT responded on 26 Feb 2010 at 7:18 am #

i found an solution for my problem i included the XML configuration in the devenv.exe.config, and now also the designer is showing the controls like it should.

so, open:
C:\Program Files\Microsoft Visual Studio 10.0\Common7\IDE\devenv.exe.config
and add:

to the runtime section
Tip #20 – Opting Out of Security Changes in .NET 4 in ASP.NET and Custom AppDomains | David DeWinter responded on 02 Mar 2010 at 8:53 am #

[...] applications running in .NET 4 by adding a switch to the application configuration file. However, Constantin Baciu brought up that even when using this configuration switch in a web.config, ASP.NET still threw the [...]