In the last post I showed you how to use the new CLR security model to do sandboxing in ASP.NET.
One new hook into this system is a custom host security policy resolver. A policy resolver is a class that derives from System.Web.Hosting.HostSecurityPolicyResolver. The idea behind this extensibility point is, that a resolver can decide at runtime (as opposed to the static fullTrustAssemblies configuration element) in which “permission bucket” the assembly should get loaded – AppDomain grant set, full trust or nothing.
A resolver has a single method called ResolvePolicy. ASP.NET hands in the evidence of every application assembly that gets loaded into the resolver, and it is the implementer’s job to decide the “trust level”.
ResolvePolicy returns a HostSecurityPolicyResults enum which can have one of these values: DefaultPolicy, FullTrust, AppDomainTrust or Nothing.
You register the resolver using the following config element:
hostSecurityPolicyResolverType=“Policy.PolicyResolver, …” />
A resolver must be in the GAC – otherwise you may receive a strange exception saying “assembly still being loaded”…