1) What’s the difference between code-based security and role-based security? Which one is better? Code security is the approach of using permissions and permission sets for a given code to run. The admin, for example, can disable running executables off the Internet or restrict access to corporate database to only few applications. Role-based security most of the time involves the code running with the privileges of the current user. This way the code cannot supposedly do more harm than mess up a single user account. There’s no better, or 100% thumbs-up approach, depending on the nature of deployment, both code-based and role-based security could be implemented to an extent.
2)How can you work with permissions from your .NET application? You can request permission to do something and you can demand certain permissions from other apps. You can also refuse permissions so that your app is not inadvertently used to destroy some data.
3)How can C# app request minimum permissions?
using System.Security.Permissions;
[assembly:FileDialogPermissionAttribute(SecurityAction.RequestMinimum, Unrestricted=true)]
4)What’s a code group? A code group is a set of assemblies that share a security context.
5)What’s the difference between authentication and authorization? Authentication happens first. You verify user’s identity based on credentials. Authorization is making sure the user only gets access to the resources he has credentials for.
6)What are the authentication modes in ASP.NET? None, Windows, Forms and Passport.
7)Are the actual permissions for the application defined at run-time or compile-time? The CLR computes actual permissions at runtime based on code group membership and the calling chain of the code.