Decrypting CardSpace Tokens in Partial Trust

One way to overcome the problem I described in this post would be to run the web application in partial trust. This way you could factor out the code that does the decryption into its own component, while the rest of your application doesn’t even have file IO access to the private key file.

The problem is that the TokenProcessor code from the SDK has a lot of dependencies on System.ServiceModel/IdentityModel – and those assemblies require full trust (they are not marked with AllowPartiallyTrustedCallers, APTCA). After massaging the decryption code a little bit, I was able to call it from a partially trusted web app. The necessary steps were:

  • Put the code into a separate assembly
  • Assert full trust
  • Add APTCA
  • Re-implement the ClaimTypes class (so that the web app doesn’t need to use the full-trust only WCF class)
  • Put it in the GAC / write a custom policy

Works fine. (download)
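A sketch of the wrapper assembly the steps above produce, written here as an added example (it is not the post’s downloadable code). It assumes the SDK sample’s Token class in the Microsoft.IdentityModel.TokenProcessor namespace and hands the partially trusted caller nothing but a plain dictionary of claims:

```csharp
using System;
using System.Collections.Generic;
using System.Security;
using System.Security.Permissions;
using Microsoft.IdentityModel.TokenProcessor; // SDK sample; namespace and Token API assumed

// Removes the implicit full-trust link demand so partially trusted
// code may call into this (GAC-installed, fully trusted) assembly.
[assembly: AllowPartiallyTrustedCallers]

namespace CardSpacePartialTrust
{
    // Re-implemented claim URIs so the web app never has to reference
    // System.IdentityModel.Claims.ClaimTypes, which is full trust only.
    public static class ClaimTypes
    {
        public const string PPID =
            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier";
        public const string Email =
            "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress";
    }

    public static class TokenDecryptor
    {
        // The single entry point exposed to the partially trusted web app.
        public static IDictionary<string, string> Decrypt(string encryptedToken)
        {
            if (string.IsNullOrEmpty(encryptedToken))
                throw new ArgumentException("Token must not be empty.", "encryptedToken");

            // Satisfy the full-trust demands of WCF/IdentityModel for this stack
            // frame only; the caller itself never gains FileIO or key access.
            new PermissionSet(PermissionState.Unrestricted).Assert();
            try
            {
                // SDK sample: decrypts with the site certificate's private key
                // and verifies the token (constructor signature assumed).
                Token token = new Token(encryptedToken);

                // Copy into a plain dictionary so no IdentityModel type leaks
                // back across the trust boundary.
                return new Dictionary<string, string>(token.Claims);
            }
            finally
            {
                // Always drop the elevated permissions, even on failure.
                CodeAccessPermission.RevertAssert();
            }
        }
    }
}
```

The assembly must itself be fully trusted (GAC or custom policy) for the Assert to succeed; keeping the entry point minimal and validating its input is what stops the assert from becoming a general-purpose privilege gateway for the partially trusted code.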
