Export (0) Print
Expand All

SerializationBinder Class

Allows users to control class loading and mandate what class to load.

System::Object
  System.Runtime.Serialization::SerializationBinder

Namespace:  System.Runtime.Serialization
Assembly:  mscorlib (in mscorlib.dll)

[SerializableAttribute]
[ComVisibleAttribute(true)]
public ref class SerializationBinder abstract

The SerializationBinder type exposes the following members.

  NameDescription
Protected methodSerializationBinderInitializes a new instance of the SerializationBinder class.
Top

  NameDescription
Public methodBindToNameWhen overridden in a derived class, controls the binding of a serialized object to a type.
Public methodBindToTypeWhen overridden in a derived class, controls the binding of a serialized object to a type.
Public methodEquals(Object)Determines whether the specified object is equal to the current object. (Inherited from Object.)
Protected methodFinalizeAllows an object to try to free resources and perform other cleanup operations before it is reclaimed by garbage collection. (Inherited from Object.)
Public methodGetHashCodeServes as the default hash function. (Inherited from Object.)
Public methodGetTypeGets the Type of the current instance. (Inherited from Object.)
Protected methodMemberwiseCloneCreates a shallow copy of the current Object. (Inherited from Object.)
Public methodToStringReturns a string that represents the current object. (Inherited from Object.)
Top

During serialization, a formatter transmits the information required to create an instance of an object of the correct type and version. This information generally includes the full type name and assembly name of the object. The assembly name includes the name, version, and strong name (see Strong-Named Assemblies) hash of the assembly. By default, deserialization uses this information to create an instance of an identical object (with the exception of any assembly loading restricted by the security policy). Some users need to control which class to load, either because the class has moved between assemblies or a different version of the class is required on the server and client.

SerializationBinder can also be used for security. There might be some security exploits when you are trying to deserialize some data from an untrusted source. The binder gives you an opportunity to inspect what types are being loaded in your application domain. You can then either maintain list of denied types or a list of allowed types and restrict which types are being loaded and instantiated. In addition you should be mindful of what information is being put out on the wire, you may want to secure (use transport or message security) when sending type names or other data on the wire.

Caution noteCaution

Only use SerializationBinder if you are completely sure of what information is being serialized. Malicious types can cause unexpected behavior.

This is an abstract base class. All binders extend this class.

Notes to Inheritors

When you inherit from SerializationBinder, you must override the following member: BindToType.

using namespace System;
using namespace System::IO;
using namespace System::Runtime::Serialization;
using namespace System::Runtime::Serialization::Formatters::Binary;
using namespace System::Reflection;
using namespace System::Security::Permissions;
ref class Version1ToVersion2DeserializationBinder;

[Serializable]
ref class Version1Type
{
public:
   Int32 x;
};


[Serializable]
ref class Version2Type: public ISerializable
{
public:
   Int32 x;
   String^ name;

   // The security attribute demands that code that calls   
   // this method have permission to perform serialization.

   [SecurityPermissionAttribute(SecurityAction::Demand,SerializationFormatter=true)]
   virtual void GetObjectData( SerializationInfo^ info, StreamingContext context )
   {
      info->AddValue( "x", x );
      info->AddValue( "name", name );
   }


private:

   // The security attribute demands that code that calls   
   // this method have permission to perform serialization.

   [SecurityPermissionAttribute(SecurityAction::Demand,SerializationFormatter=true)]
   Version2Type( SerializationInfo^ info, StreamingContext context )
   {
      x = info->GetInt32( "x" );
      try
      {
         name = info->GetString( "name" );
      }
      catch ( SerializationException^ ) 
      {
         // The 'name' field was not serialized because Version1Type  
         // did not contain this field. 
         // We will set this field to a reasonable default value.
         name =  "Reasonable default value";
      }
   }
};

ref class Version1ToVersion2DeserializationBinder sealed: public SerializationBinder
{
public:
   virtual Type^ BindToType( String^ assemblyName, String^ typeName ) override
   {
      Type^ typeToDeserialize = nullptr;

      // For each assemblyName/typeName that you want to deserialize to 
      // a different type, set typeToDeserialize to the desired type.
      String^ assemVer1 = Assembly::GetExecutingAssembly()->FullName;
      String^ typeVer1 =  "Version1Type";
      if ( assemblyName->Equals( assemVer1 ) && typeName->Equals( typeVer1 ) )
      {
         // To use a type from a different assembly version,  
         // change the version number using the following line of code. 
         // assemblyName = assemblyName.Replace("1.0.0.0", "2.0.0.0");
         // To use a different type from the same assembly,  
         // change the type name.
         typeName =  "Version2Type";
      }

      // The following line of code returns the type.
      typeToDeserialize = Type::GetType( String::Format(  "{0}, {1}", typeName, assemblyName ) );
      return typeToDeserialize;
   }
};

ref class App
{
public:
   static void Serialize()
   {
      // To serialize the objects, you must first open a stream for writing.  
      // We will use a file stream here.
      FileStream^ fs = gcnew FileStream( "DataFile.dat",FileMode::Create );
      try
      {
         // Construct a BinaryFormatter and use it  
         // to serialize the data to the stream.
         BinaryFormatter^ formatter = gcnew BinaryFormatter;

         // Construct a Version1Type Object and serialize it.
         Version1Type^ obj = gcnew Version1Type;
         obj->x = 123;
         formatter->Serialize( fs, obj );
      }
      catch ( SerializationException^ e ) 
      {
         Console::WriteLine( "Failed to serialize. Reason: {0}", e->Message );
         throw;
      }
      finally
      {
         fs->Close();
      }
   }

   static void Deserialize()
   {
      // Declare the Version2Type reference.
      Version2Type^ obj = nullptr;

      // Open the file containing the data that we want to deserialize.
      FileStream^ fs = gcnew FileStream( "DataFile.dat",FileMode::Open );
      try
      {
         // Construct a BinaryFormatter and use it  
         // to deserialize the data from the stream.
         BinaryFormatter^ formatter = gcnew BinaryFormatter;

         // Construct an instance of our  
         // Version1ToVersion2TypeSerialiationBinder type. 
         // This Binder type knows how to deserialize a Version1Type   
         // Object* to a Version2Type Object.
         formatter->Binder = gcnew Version1ToVersion2DeserializationBinder;
         obj = dynamic_cast<Version2Type^>(formatter->Deserialize( fs ));
      }
      catch ( SerializationException^ e ) 
      {
         Console::WriteLine( "Failed to deserialize. Reason: {0}", e->Message );
         throw;
      }
      finally
      {
         fs->Close();
      }

      // To prove that a Version2Type Object* was deserialized,  
      // display the Object's type and fields to the console.
      Console::WriteLine( "Type of Object deserialized: {0}", obj->GetType() );
      Console::WriteLine( "x = {0}, name = {1}", obj->x, obj->name );
   }
};

[STAThread]
int main()
{
   App::Serialize();
   App::Deserialize();
   return 0;
}

.NET Framework

Supported in: 4.6, 4.5, 4, 3.5, 3.0, 2.0, 1.1, 1.0

.NET Framework Client Profile

Supported in: 4, 3.5 SP1

Windows 8.1, Windows Server 2012 R2, Windows 8, Windows Server 2012, Windows 7, Windows Vista SP2, Windows Server 2008 (Server Core Role not supported), Windows Server 2008 R2 (Server Core Role supported with SP1 or later; Itanium not supported)

The .NET Framework does not support all versions of every platform. For a list of the supported versions, see .NET Framework System Requirements.

Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.
Show:
© 2014 Microsoft