Export (0) Print
Expand All

Adding Security Attributes to Components

Visual Studio .NET 2003

Permissions are the way that your component interacts with the .NET Framework security policy. Permissions can allow your component to perform a variety of potentially unsafe actions that might otherwise be prohibited by the security policy. You can request permissions for your assembly through the use of security attributes. Security attributes modify code members, such as methods or classes. At compile time, security attributes are emitted into metadata that is then stored in the assembly manifest. The assembly manifest is then examined by the common language runtime, and the requested permissions are examined and applied against the local computer security policy. If policy allows, the requested permissions are granted and the assembly is allowed to run.

Security requests are made through the SecurityAction parameter of the attribute. The following example shows how:

' Visual Basic
Imports System.Security.Permissions
<Assembly: FileIOPermission(SecurityAction.RequestMinimum)>

// C#
using System.Security.Permissions;
[assembly: FileIOPermission(SecurityAction.RequestMinimum)]

You can specify different types of permission requests using the SecurityAction parameter.

Note   Regardless of where the attribute is attached in code, it is effective for the entire assembly. Either the permission will be granted to the whole assembly or to none of it.

You can only be granted the security permissions you request. Therefore, if you only request FileIOPermission, for example, you will be denied all other permissions. This is true even if you would have ordinarily been granted other permissions by the default setting of the local security policy.

Security attributes can also be used to protect individual classes or methods. You can use the SecurityAction parameter and the Demand method to require a particular permission level before allowing access to a class or method. For example, suppose you have a class that deletes files when no longer needed. Uncontrolled access to the class would leave you vulnerable to attacks by malicious users. By demanding permission to use the class, you ensure that all users will have the appropriate level of permission to use potentially dangerous code. The effect is similar to making an imperative security check, but the entire code member is protected, not just the blocks of code. For details on imperative security checks, see Adding Imperative Security Checks to Components.

To add a permission request to your component

  1. Determine the type and level of permission you are requesting.
  2. Attach the security attribute to the declaration of your component. Use the appropriate SecurityAction Enumeration to request the desired level of permission.
    SecurityActionPermission level
    RequestMinimumThe requested permission is required for the assembly to run, and if not granted, the assembly will not be started
    RequestOptionalThe assembly will still be run if the requested permission is not granted
    RequestRefuseThe assembly will be denied this permission

    The following example shows how to attach the RequestMinimum permission level:

    ' Visual Basic
    Imports System.Security.Permissions
    ' Indicates that FileIOPermission is required to run this assembly.
    <Assembly: FileIOPermission(SecurityAction.RequestMinimum)> 
       Public Class FileManager
    ' Insert code to add and delete files.
    End Class
    
    // C#
    using System.Security.Permissions;
    // Indicates that FileIOPermission is required to run this assembly.
    [assembly: FileIOPermission(SecurityAction.RequestMinimum)]
    public class FileManager
    {
    // Insert code to add and delete files.
    }
    

To add a security attribute to a code member of your component

  1. Identify the code member you want to protect and the permission that you will require to access it.
  2. Attach the security attribute, by calling the SecurityAction.Demand method to require the desired permission.
    ' Visual Basic
    Imports System.Security.Permissions
    <FileIOPermission(SecurityAction.Demand)> Public Sub FileDeleter()
    ' Insert code to delete files.
    End Sub
    
    // C#
    using System.Security.Permissions;
    [FileIOPermission(SecurityAction.Demand)]
    public void FileDeleter()
    {
    // Insert code to delete files.
    }
    

See Also

Adding Imperative Security Checks to Components | Code Security and Signing in Components | Security Tutorial | Key Security Concepts

Show:
© 2015 Microsoft