Are trust levels in ASP.NET 4.0 obsolete?

Question

Microsoft introduced a new security model on .NET 4.0 and above which is a replacement for code access security. Since trust levels are code access security, is this approach obsolete?

If above statement is in the right way, how do you define a PermissionSet for a concrete ASP.NET application in .NET 4.x?

Answer 1

No, ASP.NET trust levels are not obsolete. Your concern that this might be the case seems to be due to a misunderstanding of how CAS has changed in .NET 4.0. CAS has not actually been replaced. Instead, there have been two major changes in how CAS is enforced:

1. The transparency mechanism now plays a key role in code permission enforcement and
2. The "naked" CLR no longer enforces CAS policy.

However, if you read the second linked article above, you will see that it is fully expected that hosts such as ASP.NET will continue to enforce CAS permission restrictions. Unless you see a direct indication that some future version of ASP.NET will handle code permission restrictions differently, you should continue to rely on trust levels just as you have in the past.