What is the purpose CAS (Code Access Security)?

Question

I have been a part of so many web applications but have never used CAS, perhaps have also never felt the need to use the same.

When is the need to use CAS? Do people actually use it in their applications?

Answer 1

CAS is really only useful (so to speak) in desktop applications, where you want to restrict what an application run from over the network (for example) is able to do on the local machine. I've found that fooling with CAS is asking for a big, pointless headache, even in this circumstance. The default configuration is generally the most sensible.

This type of model is obviously much less useful for a web application, since you implicitly trust all of the code in the application.

Answer 2

I guess I have to be the lone voice in the wilderness, and disagree with the other responders here.
As I elaborated in my answer to a similar question a few months ago, there are specific scenarios where CAS is the way to go. Of course, this only applies if you're very security-conscious and dealing with a sensitive system, AND taking into account that this simply provides an additional layer of defense, you're probably not gonna get to the place where you need this till you fix all the other serious issues in your application.
Again, CAS gives you the capability to limit what your APPLICATION can do, not just your users, and in a very granular way.