Secure an API that Executes on the Server Tier
You can make an API more secure by extending the CodeAccessPermission class. A class derived from the CodeAccessPermission class determines whether code accessing an API is trusted by checking for the appropriate permission.
You should secure an API that executes on the server tier and has the potential to be exploited maliciously because the impact of malicious code is more extensive in a shared server environment.
When you secure an API by using the procedure below, you must call the assert method in the derived class prior to invoking the API. Otherwise, the exception::CodeAccessSecurity exception is thrown. For information about APIs in Microsoft Dynamics AX that require a call to the assert method, see Secured APIs.
-
Derive a class that cannot be extended, from the CodeAccessPermission class.
-or-
Use one of the following derived classes that ship with and skip to step 6.
-
Create a method that returns the class parameters. For more information, see Accessor Methods.
-
Create a constructor for all of the class parameters that store permission data.
-
To determine whether the permissions required to invoke the API that you are securing exist, override the CodeAccessPermission::isSubsetOf method to compare the derived permission class to CodeAccessPermission.
The following example shows overriding the isSubsetOf method to determine whether permissions stored in the current object exist in _target.
public boolean isSubsetOf(CodeAccessPermission _target) { SysTestCodeAccessPermission sysTarget = _target; return this.handle() == _target.handle(); } -
Override the CodeAccessPermission::copy method to return a copy of an instance of the class created in step 1.
This helps to prevent the class object from being modified and passed to the API being secured.
-
Call the CodeAccessPermission::demand method before executing the API functionality that you're securing. The method checks the call stack to determine whether the permission required to invoke the API has been granted to the calling code.