Code Access Security Policy Compatibility and Migration

The policy portion of code access security (CAS) has been made obsolete in the .NET Framework 4. As a result, you may encounter compilation warnings and runtime exceptions if you call the obsolete policy types and members explicitly or implicitly (through other types and members). 

You can avoid the warnings and errors by either:

Several assembly loading overloads produce errors because of their implicit use of CAS policy. These overloads take an Evidence parameter that is used to resolve CAS policy and provide a permission grant set for an assembly.

Here are some examples. The obsolete overloads are those that take Evidence as a parameter:

The obsolete types and members produce the following error messages when they are used. Note that the System.Security.Policy.Evidence type itself is not obsolete.

Compile-time warning:

warning CS0618: '<API Name>' is obsolete: 'This method is obsolete and will be removed in a future release of the .NET Framework. Please use <suggested alternate API>. See <link> for more information.'

Run-time exception:

NotSupportedException : This method uses CAS policy, which has been obsoleted by the .NET Framework. In order to enable CAS policy for compatibility reasons, please use the <NetFx40_LegacySecurityPolicy> configuration switch. Please see <link> for more information.

CAS policy is often used to determine an assembly’s or application domain’s permission grant set or trust level. The .NET Framework 4 exposes the following useful properties that do not need to resolve security policy:

The AppDomain.SetAppDomainPolicy method is typically used for sandboxing the assemblies in an application domain. The .NET Framework 4 exposes members that do not have to use PolicyLevel for this purpose. For more information, see How to: Run Partially Trusted Code in a Sandbox.

Hosts often need to determine the permissions that are appropriate for sandboxing hosted code. Before the .NET Framework 4, CAS policy provided a way to do this with the SecurityManager.ResolvePolicy method. As a replacement, .NET Framework 4 provides the SecurityManager.GetStandardSandbox method, which returns a safe, standard permission set for the provided evidence.

You might call an assembly load overload that takes Evidence not to sandbox the assembly, but to use parameters that are not otherwise available. Starting with the .NET Framework 4, assembly load overloads that do not require a System.Security.Policy.Evidence object as a parameter, for example AppDomain.ExecuteAssembly(String, String[], Byte[], AssemblyHashAlgorithm), enable this scenario.

If you want to sandbox an assembly, use the AppDomain.CreateDomain(String, Evidence, AppDomainSetup, PermissionSet, StrongName[]) overload.
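
The following sketch shows the policy-free sandboxing path described above: SecurityManager.GetStandardSandbox in place of ResolvePolicy, and the CreateDomain overload in place of SetAppDomainPolicy. It is an added example, not code from the original page; the directory, file name, and the choice of Internet-zone evidence are assumptions made for illustration.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Policy;

class SandboxHost
{
    static void Main()
    {
        // Hypothetical location of the partially trusted program.
        string untrustedDir = @"C:\Sandbox\Untrusted";
        string untrustedExe = Path.Combine(untrustedDir, "UntrustedApp.exe");

        // Describe the code's origin. Evidence itself is not obsolete;
        // only resolving CAS policy from it is.
        Evidence evidence = new Evidence();
        evidence.AddHostEvidence(new Zone(SecurityZone.Internet));

        // Replacement for SecurityManager.ResolvePolicy: a standard,
        // safe grant set for this evidence.
        PermissionSet grant = SecurityManager.GetStandardSandbox(evidence);

        // Keep the sandbox's probing path away from the host's own binaries.
        AppDomainSetup setup = new AppDomainSetup { ApplicationBase = untrustedDir };

        // Only strong-named host assemblies can be listed as fully trusted.
        StrongName host = typeof(SandboxHost).Assembly.Evidence.GetHostEvidence<StrongName>();
        StrongName[] fullTrust = host != null ? new[] { host } : new StrongName[0];

        // Replacement for AppDomain.SetAppDomainPolicy: the grant set is
        // fixed when the domain is created.
        AppDomain sandbox = AppDomain.CreateDomain("Sandbox", null, setup, grant, fullTrust);
        try
        {
            // Sanity check: the sandbox must not be a full-trust domain.
            Console.WriteLine("Sandbox fully trusted: {0}", sandbox.IsFullyTrusted);
            sandbox.ExecuteAssembly(untrustedExe);
        }
        catch (SecurityException ex)
        {
            // The hosted code demanded a permission outside the grant set.
            Console.WriteLine("Blocked by sandbox: {0}", ex.Message);
        }
        finally
        {
            AppDomain.Unload(sandbox);
        }
    }
}
```

Because no obsolete policy member is called, this code compiles without CS0618 and runs without the <NetFx40_LegacySecurityPolicy> switch.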

The <NetFx40_LegacySecurityPolicy> configuration element lets you specify that a process or library uses legacy CAS policy. When you enable this element, the policy and evidence overloads will work as they did in previous versions of the framework.

Note

CAS policy behavior is specified on a runtime version basis, so modifying CAS policy for one runtime version does not affect the CAS policy of another version.

<configuration>
   <runtime>
      <NetFx40_LegacySecurityPolicy enabled="true"/>
   </runtime>
</configuration>
© 2014 Microsoft