June 24th, 2009

Enabling CAS Policy Compatibility Mode for a Project

If you’re migrating a VS project over to VS 2010 Beta1 and you are calling code that is passing Evidence objects to the runtime expecting security policy resolution, or if you’re using a permission Deny, you may run into the following exception:

NotSupportedException: This method uses CAS policy, which has been obsoleted by the .NET Framework. In order to enable CAS policy for compatibility reasons, please use the legacyCasPolicy configuration switch. Please see http://go2.microsoft.com/fwlink/?LinkId=131738 for more information.

What does this mean? In earlier versions of the .NET Framework, Code Access Security (CAS) Policy was the primary mechanism for defining whether certain classes of managed applications were able to perform security-sensitive operations. While powerful, CAS Policy was extremely difficult to use and manage: developers and administrators would have to set up and analyze complicated policy trees to determine what their code would be granted. Furthermore, these restrictions could be circumvented by simply using unmanaged code!

We’ve provided cleaner, more appropriate mechanisms for managed code security in .NET Framework 4; those will be described in detail in future posts. CAS Policy has been rendered obsolete as a result of this, hence the exception messages. It is, however, still there for those migrating apps and projects that still require CAS policy in the meantime.

Note that by enabling CAS for your project, you’re subjecting yourself to the CAS security policy decisions of the runtime. If you made any changes (via caspol.exe, etc) to CAS policy in previous versions of the runtime, these will not be reflected in .NET Framework 4 even with CAS policy turned on. Your custom policy will have to be reconfigured with the .NET Framework 4 caspol.exe.

If you’re using CAS policy implicitly (for example, an Assembly.Load with Evidence) or explicitly (SecurityManager.PolicyHierarchy), check out Shawn Farkas’ blog for guidance on the new, supported mechanisms for sandboxing and running partial trust code.

Follow these steps to enable CAS Policy for your project:

1. Go to “Project” in the menu bar, then “Add New Item…”

2. Select “Application Configuration File” from the list of items available.

3. Enable CAS Policy via the following switch:

    <configuration>
      <runtime>
        <legacyCasPolicy enabled="true" />
      </runtime>
    </configuration>

4. CAS Policy is now enabled and enforced for this project.

If you’re simply trying to get loads from remote sources (e.g. Assembly.LoadFrom(@"http://…")) to work, you don’t need to enable CAS Policy to do this. Replace legacyCasPolicy with loadFromRemoteSources in the example above and you’ll be able to load from any location. Please do note that these assemblies will be loaded as fully trusted! You can find more information on this switch here.
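To review which projects have either switch turned on, the following added example (not code from the original post) parses an application configuration file and reports legacyCasPolicy and loadFromRemoteSources when they are enabled. The function name, the sample configs and the case-insensitive match on "true" are assumptions of this sketch.

```python
import xml.etree.ElementTree as ET

# The two <runtime> switches described in the post and what each implies.
SWITCHES = {
    "legacyCasPolicy": "obsolete CAS policy re-enabled; custom policy must "
                       "be reconfigured with the .NET Framework 4 caspol.exe",
    "loadFromRemoteSources": "assemblies loaded from remote locations "
                             "run as fully trusted",
}

def audit_config(xml_text):
    """Return sorted (switch, note) pairs for switches enabled under <runtime>."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Typical cause: curly quotes pasted from a web page around "true".
        return [("parse-error", str(exc))]
    if root.tag != "configuration":
        return []
    findings = set()
    for runtime in root.findall("runtime"):
        for name, note in SWITCHES.items():
            for element in runtime.findall(name):
                # Assumption: any casing of "true" counts as enabled.
                if element.get("enabled", "").strip().lower() == "true":
                    findings.add((name, note))
    return sorted(findings)

# Constructed sample inputs (not taken from any real project).
SAMPLE_LEGACY = """<configuration><runtime>
  <legacyCasPolicy enabled="true" />
</runtime></configuration>"""
SAMPLE_BOTH = """<configuration><runtime>
  <loadFromRemoteSources enabled="true" />
  <legacyCasPolicy enabled="True" />
</runtime></configuration>"""
SAMPLE_DISABLED = """<configuration><runtime>
  <loadFromRemoteSources enabled="false" />
</runtime></configuration>"""
SAMPLE_CURLY = """<configuration><runtime>
  <legacyCasPolicy enabled=\u201dtrue\u201d />
</runtime></configuration>"""

if __name__ == "__main__":
    for label, text in [("legacy", SAMPLE_LEGACY), ("both", SAMPLE_BOTH),
                        ("disabled", SAMPLE_DISABLED), ("curly", SAMPLE_CURLY)]:
        print(label, audit_config(text))
```

A parse-error finding means the file is not well-formed XML, so it deserves a manual look rather than being treated as clean.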
