Understanding Code Access Security in .NET
page 10 of 12
by Joydip Kanjilal
Average Rating: This article has not yet been rated.
Views (Total / Last 10 Days): 52390/ 215

Imperative versus Declarative Security

The code security can be implemented by either using the Declarative Security or the Imperative Security. Let us now understand how these two differ.

Declarative Security

This is accomplished by placing security attributes at the assembly level, class level or member level. The attribute indicates the request type, overrides and demands. Each permission object has a state data, and this needs to be initialized to use that permission. Also, each permission has an attribute to which the type of security action, which is an enumeration called SecurityAction, is passed to the attribute. In the example below, all the members of the class are restricted accessing the "Program Files" folder.

Listing 4

[FileIOPermissionAttribute(SecurityAction.RequestRefuse, "C:\Program Files")]
public class RestrictPF
   public RestrictPF()
      //security call protects the constructor.
   public void SomeMethod()      
            //security call also protects this method.

If you want to restrict the permission on the assembly level, you can use the following.

Listing 5

[assembly: FileIOPermissionAttribute(SecurityAction.RequestRefuse, "C:\Program Files")]

If you want to restrict any registry access from the assembly level, you can use the following.

Listing 6

[assembly: RegistryPermissionAttribute(SecurityAction.RequestRefuse, Unrestricted = true)]

So even though the code runs in an environment that allows access to the registry or perform FileIO operations, the assembly will not be granted any kind of permissions.

Imperative Security

This kind of security could be used to perform demands and overrides. This helps in situations where you want to check the permissions at runtime. However, this kind of security cannot be used to perform requests. In imperative syntax, a new instance of the security permission object needs to be created before calling. Also, you need to initialize the permission set to invoke a security object. A permission set consists of a group of permissions; initializing a permission group provides a means to perform assert calls on multiple permissions in one method. For this purpose you could use the NamedPermissionSet and PermissionSet classes for grouping of permissions. You can then call the required method to invoke the appropriate security call.

Listing 7

public class RestrictPF
  public RestrictPF(){}
  public void SomeMethod()
    //Here the FileIOPermissionAttribute is demanded using the imperative syntax.
    //Method is protected by security call.
    FileIOPermissionAttribute flsIOPerm = new FileIOPermissionAttribute();
  public void SomeOtherMethod()
    //Method not protected by security call.

View Entire Article

User Comments

No comments posted yet.

Community Advice: ASP | SQL | XML | Regular Expressions | Windows

©Copyright 1998-2021 ASPAlliance.com  |  Page Processed at 2021-01-17 2:00:14 PM  AspAlliance Recent Articles RSS Feed
About ASPAlliance | Newsgroups | Advertise | Authors | Email Lists | Feedback | Link To Us | Privacy | Search