NGWS SDK Documentation  

This is preliminary documentation and subject to change.

Personal Tier Application Security

Downloaded Personal Tier applications are run with the code access permissions granted by the policy on the local computer for the remote domain. When local applications are installed, they are granted permissions based on the URI provided for them at installation time, which can be either local or remote, depending on user preferences.

The Personal Tier host will add policy to the app domain to indicate that any code loaded from the application directory hierarchy is associated with the Personal Tier application's domain of origin. For example, suppose that a Personal Tier application is downloaded and installed from http://www.microsoft.com/myapp. When Personal Tier explicitly loads the code from that application, it provides evidence to the security system that the code is from www.microsoft.com/myapp, so permissions for that domain will apply. In addition, Personal Tier will add a policy so that all code loaded from the application directory, or from any of its subdirectories, is associated with the remote URI www.microsoft.com/myapp. This prevents the application from explicitly loading assemblies from its own directory and bypassing the appropriate domain security.

The Personal Tier host will also add policy to indicate that network I/O is allowed only to the host of origin (www.microsoft.com in the example above).
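The two rules above (the application directory hierarchy maps to the origin URI, and network I/O goes only to the host of origin) are modeled below as an added example. It is not code from the SDK or from the Personal Tier host. The install directory, the function names and the sample paths and URLs are assumptions constructed for illustration; only the origin URL comes from the text.

```python
import posixpath
from urllib.parse import urlsplit

ORIGIN_URL = "http://www.microsoft.com/myapp"  # origin used in the text above
APP_DIR = "/apps/myapp"                        # assumed install directory (constructed)


def evidence_url(code_path, app_dir=APP_DIR, origin=ORIGIN_URL):
    """Return the origin URL if code_path lies in the application directory
    hierarchy, else None (this rule does not apply to that code)."""
    # Collapse "." and ".." before comparing, so a path cannot name the
    # application directory and then climb out of it. normpath is purely
    # lexical; a real host would also have to resolve links on disk.
    root = posixpath.normpath(app_dir)
    path = posixpath.normpath(code_path)
    # Compare whole path components: "/apps/myapp2" is not inside "/apps/myapp".
    if path == root or path.startswith(root + "/"):
        return origin
    return None


def _host(url):
    """Lower-cased host name of url without a trailing dot, or None."""
    host = urlsplit(url).hostname
    return host.rstrip(".") if host else None


def connect_allowed(target_url, origin=ORIGIN_URL):
    """Host-of-origin rule: allow network I/O only to the origin's host."""
    target = _host(target_url)
    # Exact host match: the path is ignored, and neither subdomains, look-alike
    # suffixes nor a user-info prefix count as the origin host.
    return target is not None and target == _host(origin)


if __name__ == "__main__":
    for p in ("/apps/myapp/bin/helper.dll", "/apps/myapp/../myapp/ui/x.dll",
              "/apps/myapp2/x.dll", "/apps/myapp/../other/x.dll"):
        print(p, "->", evidence_url(p))
    for u in ("http://www.microsoft.com/other/data", "http://WWW.MICROSOFT.COM./x",
              "http://download.microsoft.com/", "http://www.microsoft.com.example.net/",
              "http://www.microsoft.com@example.net/"):
        print(u, "->", connect_allowed(u))
```

The model compares host names only, as the text does; whether the real policy also constrains scheme or port is not stated on this page.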

Unless the default settings are altered, applications are also completely prohibited from calling native code.

Cookie authentication and authorization are available to Personal Tier applications. Windows authentication, basic authentication, and digest authentication services are not available to Personal Tier applications since ASP+ relies on IIS to provide infrastructure for these authentication services. Passport authentication is also not supported.

File I/O permissions are granted in accordance with policy on the local computer. Unless explicitly changed, these permissions are revoked for both Internet and Intranet applications.

See Also

Browser-hosted ASP+ Applications | ASP+ Web Application Security