Chapter 16. Security
In This Chapter
Understanding how CAS used to secure VSTO
Figuring out new security patterns in Office customizations
Working with certificates, manifests, and trust prompt
Secure coding should be forefront in every programmer's mind. Bad people out there are paid well to find weaknesses in software security and create exploits that can be monetized for reasons ranging from simple theft to creation of massive spam networks.
The VSTO team certainly had this on their mind when creating VSTO. The first three versions of VSTO were so secure, they were almost unusable. VSTO 4 doesn't have this problem at all. The common scenarios for VSTO deployment are now much more straightforward.
This straightforwardness isn't to say that there aren't more complex scenarios. There are, and an excellent section in the MSDN library describes them well. This chapter shows how the common scenarios are handled with VSTO and Visual Studio 2010.
Checking Security with CAS
Code Access Security (CAS) is a role-based security system that uses code groups to deal with permissions. In the past, VSTO security relied on CAS policy to determine whether customization was permitted to run. When VSTO shipped with Visual Studio 2005, it required all the assemblies in the customization to be granted full trust in order to run. The tool named caspol provided the evidence that served as a basis for granting full trust.
As evidence, you could use either the location of the assembly, its strong name, or a combination ...
Get VSTO For Dummies now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.