11-8. Restrict Who Can Extend Your Classes and Override Class Members

CHAPTER 11 ■ SECURITY AND CRYPTOGRAPHY



Solution

Use declarative security statements to apply SecurityAction.InheritanceDemand to the declarations of the classes and members that you need to protect.



How It Works

Language modifiers such as sealed, public, private, and virtual give you a level of control over the ability of classes to inherit from your class and override its members. However, these modifiers are inflexible, providing no selectivity in restricting what code can extend a class or override its members. For example, you might want to allow only code written by your company or department to extend business-critical classes. By applying an InheritanceDemand attribute to your class or member declaration, you can specify runtime permissions that a class must have to extend your class or override particular members. Remember that the permissions of a class are the permissions of the assembly in which the class is declared.

Although you can demand any permission or permission set in your InheritanceDemand, it’s more common to demand identity permissions. Identity permissions represent evidence presented to the runtime by an assembly. If an assembly presents certain types of evidence at load time, the runtime will automatically assign the assembly the appropriate identity permission. Identity permissions allow you to use regular imperative and declarative security statements to base security decisions directly on code identity, without the need to evaluate evidence objects directly. Table 11-1 lists the type of identity permission generated for each type of evidence. (Evidence types are members of the System.Security.Policy namespace, and identity permission types are members of the System.Security.Permissions namespace.)

Table 11-1. Evidence Classes That Generate Identity Permissions

Evidence Class          Identity Permission
ApplicationDirectory    None
Hash                    None
Publisher               PublisherIdentityPermission
Site                    SiteIdentityPermission
StrongName              StrongNameIdentityPermission
Url                     UrlIdentityPermission
Zone                    ZoneIdentityPermission


■ Note The runtime assigns identity permissions to an assembly based on the evidence presented by the assembly. You cannot assign additional identity permissions to an assembly through the configuration of security policy.



You must use declarative security syntax to implement an InheritanceDemand, and so you must use the attribute counterpart of the permission class that you want to demand. All permission classes, including those you demand with InheritanceDemand, have an attribute counterpart that you use to construct declarative security statements. For example, the attribute counterpart of PublisherIdentityPermission is PublisherIdentityPermissionAttribute, and the attribute counterpart of StrongNameIdentityPermission is StrongNameIdentityPermissionAttribute. All permissions and their attribute counterparts follow the same naming convention and are members of the same namespace.

To control which code can extend your class, apply the InheritanceDemand to the class declaration using one of the permissions listed in Table 11-1. To control which code can override specific members of a class, apply the InheritanceDemand to the member declaration.



The Code

The following example demonstrates the use of an InheritanceDemand attribute on both a class and a method. Applying a PublisherIdentityPermissionAttribute to the Recipe11_08 class means that only classes in assemblies signed by the publisher certificate contained in the pubcert.cer file (or assemblies granted FullTrust) can extend the class. The contents of the pubcert.cer file are read at compile time, and the necessary certificate information is built into the assembly metadata. To demonstrate that other permissions can also be used with an InheritanceDemand, the PermissionSetAttribute is used to allow only classes granted the FullTrust permission set to override the method SomeProtectedMethod.

using System.Security.Permissions;

namespace Apress.VisualCSharpRecipes.Chapter11
{
    // Only assemblies signed with the publisher certificate in pubcert.cer
    // (or assemblies granted FullTrust) can derive from this class.
    [PublisherIdentityPermission(SecurityAction.InheritanceDemand,
        CertFile = "pubcert.cer")]
    public class Recipe11_08
    {
        // Only classes granted the FullTrust permission set can override
        // this method. The method must be virtual to be overridable at all.
        [PermissionSet(SecurityAction.InheritanceDemand, Name = "FullTrust")]
        public virtual void SomeProtectedMethod()
        {
            // Method implementation . . .
        }
    }
}
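The recipe's code demands a publisher identity; the strong-name variant mentioned in the text follows, as an added example that is not part of the book's code. OrderProcessor, PartnerOrderProcessor and the PublicKey value are assumptions, and the key is a placeholder to be replaced with the hex public key of your own signing key pair.

```csharp
using System;
using System.Security.Permissions;

namespace InheritanceDemandExample
{
    // Only code in assemblies signed with the strong-name key whose full public
    // key matches PublicKey (or assemblies granted FullTrust) may derive from
    // this class. The value below is a PLACEHOLDER: substitute the hex public
    // key of your own key pair (the full key, not the 8-byte public key token).
    [StrongNameIdentityPermission(SecurityAction.InheritanceDemand,
        PublicKey = "0024000004800000PLACEHOLDER")]
    public class OrderProcessor
    {
        // Any class that satisfied the class-level demand may override this.
        public virtual void Validate() { }

        // Overriding this member additionally requires the FullTrust permission
        // set, on top of the class-level strong-name demand.
        [PermissionSet(SecurityAction.InheritanceDemand, Name = "FullTrust")]
        public virtual void Settle() { }

        // Non-virtual members cannot be overridden, so no demand is needed.
        public void Audit() { }
    }

    // In a real deployment this derived class lives in a partner's assembly.
    // Inheritance demands are evaluated when the derived type is loaded, so an
    // assembly whose identity does not satisfy them cannot load this type.
    public class PartnerOrderProcessor : OrderProcessor
    {
        public override void Validate() { }  // subject to the class demand
        public override void Settle() { }    // subject to the member demand too
    }
}
```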


11-9. Inspect an Assembly’s Evidence

Problem

You need to inspect the evidence that the runtime assigned to an assembly.



Solution

Obtain a System.Reflection.Assembly object that represents the assembly in which you are interested. Get the System.Security.Policy.Evidence collection from the Evidence property of the Assembly object, and access the contained evidence objects using the GetEnumerator, GetHostEnumerator, or GetAssemblyEnumerator method of the Evidence class.



How It Works

The Evidence class represents a collection of evidence objects. The read-only Evidence property of the Assembly class returns an Evidence collection object that contains all of the evidence objects that the runtime assigned to the assembly as the assembly was loaded.

The Evidence class actually contains two collections, representing different types of evidence:

• Host evidence includes those evidence objects assigned to the assembly by the runtime or the trusted code that loaded the assembly.

• Assembly evidence represents custom evidence objects embedded into the assembly at build time.

The Evidence class implements three methods for enumerating the evidence objects it contains: GetEnumerator, GetHostEnumerator, and GetAssemblyEnumerator. The GetHostEnumerator and GetAssemblyEnumerator methods return a System.Collections.IEnumerator instance that enumerates only those evidence objects from the appropriate collection. The GetEnumerator method returns an IEnumerator instance that enumerates all of the evidence objects contained in the Evidence collection.



■ Note Evidence classes do not extend a standard base class or implement a standard interface. Therefore, when working with evidence programmatically, you need to test the type of each object and know what particular types you are seeking. (See recipe 3-11 for details on how to test the type of an object at runtime.)



The Code

The following example demonstrates how to display the host and assembly evidence of an assembly to the console. The example relies on the fact that all standard evidence classes override the Object.ToString method to display a useful representation of the evidence object’s state. Although interesting, this example does not always show the evidence that an assembly would have when loaded from within your program. The runtime host (such as the Microsoft ASP.NET or Internet Explorer runtime host) is free to assign additional host evidence as it loads an assembly.

using System;
using System.Reflection;
using System.Collections;
using System.Security.Policy;

namespace Apress.VisualCSharpRecipes.Chapter11
{
    public class Recipe11_09
    {
        public static void Main(string[] args)
        {
            // The path of the assembly to inspect is the first argument.
            if (args.Length == 0)
            {
                Console.WriteLine("Usage: Recipe11_09 <assembly-path>");
                return;
            }

            // Load the specified assembly.
            Assembly a = Assembly.LoadFrom(args[0]);

            // Get the Evidence collection from the loaded assembly.
            Evidence e = a.Evidence;

            // Display the host evidence.
            IEnumerator x = e.GetHostEnumerator();
            Console.WriteLine("HOST EVIDENCE COLLECTION:");
            while (x.MoveNext())
            {
                Console.WriteLine(x.Current.ToString());
                Console.WriteLine("Press Enter to see next evidence.");
                Console.ReadLine();
            }

            // Display the assembly evidence.
            x = e.GetAssemblyEnumerator();
            Console.WriteLine("ASSEMBLY EVIDENCE COLLECTION:");
            while (x.MoveNext())
            {
                Console.WriteLine(x.Current.ToString());
                Console.WriteLine("Press Enter to see next evidence.");
                Console.ReadLine();
            }

            // Wait to continue.
            Console.WriteLine("Main method complete. Press Enter.");
            Console.ReadLine();
        }
    }
}
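The recipe prints each evidence object's ToString output; the Note above points out that real code has to test each object's concrete type. The following added example (not from the book) does that for the standard evidence classes and returns the runtime-assigned StrongName, which is the value a caller would check before trusting an assembly's identity. EvidenceReport and its method names are assumptions; call it from a Main such as the recipe's with the loaded Assembly.

```csharp
using System;
using System.Collections;
using System.Collections.Generic;
using System.Reflection;
using System.Security.Policy;

namespace EvidenceInspection
{
    public static class EvidenceReport
    {
        // One line per host evidence object, read through its concrete evidence
        // class (there is no shared base class or interface to program against).
        public static List<string> DescribeHostEvidence(Assembly assembly)
        {
            List<string> lines = new List<string>();
            IEnumerator host = assembly.Evidence.GetHostEnumerator();
            while (host.MoveNext())
            {
                object ev = host.Current;
                if (ev is StrongName)
                {
                    StrongName sn = (StrongName)ev;
                    lines.Add("StrongName: " + sn.Name + " " + sn.Version + " key=" + sn.PublicKey);
                }
                else if (ev is Zone)
                    lines.Add("Zone: " + ((Zone)ev).SecurityZone);
                else if (ev is Url)
                    lines.Add("Url: " + ((Url)ev).Value);
                else if (ev is Publisher)
                    lines.Add("Publisher: " + ((Publisher)ev).Certificate.Subject);
                else
                    lines.Add("Other: " + ev.GetType().FullName);
            }
            return lines;
        }

        // Strong-name evidence assigned by the runtime, or null if the assembly is
        // unsigned. Host evidence is consulted because the runtime or host supplies
        // it; assembly evidence is self-asserted by the assembly at build time.
        public static StrongName GetStrongName(Assembly assembly)
        {
            IEnumerator host = assembly.Evidence.GetHostEnumerator();
            while (host.MoveNext())
                if (host.Current is StrongName) return (StrongName)host.Current;
            return null;
        }
    }
}
```

An unsigned assembly loaded from disk typically yields only Zone and Url host evidence, and GetStrongName returns null for it.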
