How to: Secure an API on the AOS

Applies To: Microsoft Dynamics AX 2012 R3, Microsoft Dynamics AX 2012 R2, Microsoft Dynamics AX 2012 Feature Pack, Microsoft Dynamics AX 2012

In Microsoft Dynamics AX, you can make an API more secure by extending the CodeAccessPermission Class. A class that is derived from the CodeAccessPermission class determines whether code accessing an API is trusted by checking for the appropriate permission. This topic describes how to implement the CodeAccessPermission class for APIs that must run on the Application Object Server (AOS).

You should secure an API that executes on the AOS because it has the potential to be exploited maliciously. Malicious code running in a shared server environment can cause extensive damage.

Once an API is secured this way, code that calls it must first call the assert method on an instance of the derived permission class; if no caller on the stack has asserted the required permission, the demand check in the API throws an exception. For information, see Secured APIs and Code Access Security.

To secure an API on the AOS

  1. Derive a class from the CodeAccessPermission class and mark it as final so that it cannot be extended. A non-final permission class could be subclassed with a weaker isSubsetOf implementation.

    -or-

    Use one of the derived permission classes that ship with Microsoft Dynamics AX, such as FileIOPermission, and skip to step 6.

  2. Create a method that returns the class parameters. For more information, see Accessor Methods.

  3. Create a constructor that takes the permission data and stores it in the class parameters.

  4. Override the CodeAccessPermission.isSubsetOf method so that demand can decide whether the permission being demanded is covered by a permission that a caller asserted. The method receives the asserted permission as _target and must return true only if the permissions stored in the current object are a subset of those stored in _target. The following code example shows a minimal override: handle returns the class ID, so the check is true only when _target is an instance of the same derived class.

        public boolean isSubsetOf(CodeAccessPermission _target)
        {
            // A permission of a different class never satisfies this one.
            // A fuller implementation also compares the permission data held by both objects.
            return _target != null && this.handle() == _target.handle();
        }
  5. Override the CodeAccessPermission.copy method to return a copy of an instance of the class created in step 1. This helps to prevent the class object from being modified and passed to the API being secured.

  6. Call the CodeAccessPermission.demand method before executing the API functionality that you are securing. The method checks the call stack to determine whether the permission required to invoke the API has been granted to the calling code.
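The six steps above, carried through as one added X++ example. This code is not from the original topic or from Microsoft Dynamics AX: the class AuditLogPermission, its auditCategory parameter, and the writeAuditEntry and logUserLogin methods are hypothetical; CodeAccessPermission and its new, assert, demand, isSubsetOf, copy, handle and static revertAssert methods are the real ones the steps refer to. In AX 2012 each method is a separate node under the class in the AOT; they are shown here in one block for readability.

```x++
// Step 1: a final class derived from CodeAccessPermission (hypothetical name).
// final prevents a subclass from overriding isSubsetOf with a weaker check.
public final class AuditLogPermission extends CodeAccessPermission
{
    // Permission data (hypothetical): the audit category the holder may write to.
    str auditCategory;

    // Step 3: constructor that stores the permission data.
    public void new(str _auditCategory)
    {
        super();
        auditCategory = _auditCategory;
    }

    // Step 2: accessor method for the class parameter.
    public str parmAuditCategory(str _auditCategory = auditCategory)
    {
        auditCategory = _auditCategory;
        return auditCategory;
    }

    // Step 4: this permission is a subset of _target only when _target is the same
    // class and grants the same category, or the wildcard '*' (any category).
    public boolean isSubsetOf(CodeAccessPermission _target)
    {
        AuditLogPermission target;

        if (_target == null || this.handle() != _target.handle())
        {
            return false;
        }

        target = _target;
        return target.parmAuditCategory() == '*'
            || target.parmAuditCategory() == auditCategory;
    }

    // Step 5: return a fresh copy so callers cannot mutate the object that demand checks.
    public CodeAccessPermission copy()
    {
        return new AuditLogPermission(auditCategory);
    }
}

// The API being secured (hypothetical). Step 6: demand walks the call stack on the
// AOS and throws if no calling method has asserted a permission that covers this one.
public server static void writeAuditEntry(str _category, str _message)
{
    new AuditLogPermission(_category).demand();
    // ... write the entry to the audit table ...
}

// A trusted caller of the secured API (hypothetical). assert grants the permission
// for the remainder of this method only; revertAssert withdraws it as soon as the
// secured call returns, so the grant is not left open for later code in the method.
public server static void logUserLogin(str _message)
{
    AuditLogPermission perm = new AuditLogPermission('Security');

    perm.assert();
    writeAuditEntry('Security', _message);
    CodeAccessPermission::revertAssert();
}
```

The assert must be made in the method that directly invokes the secured API; a permission asserted further up the call stack does not satisfy demand. Keep the permission data as narrow as the API allows (here a single category rather than '*'), because anything a caller can assert is exactly what the secured API will then do on the server on its behalf.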

See also

Exception Handling with try and catch Keywords

Code Access Security
