This documentation is archived and is not being maintained.

Link Demands

A link demand causes a security check during just-in-time compilation and checks only the immediate caller of your code. Linking occurs when your code is bound to a type reference, including function pointer references and method calls. If the caller does not have sufficient permission to link to your code, the link is not allowed and a runtime exception is thrown when the code is loaded and run. Link demands can be overridden in classes that inherit from your code.

Note that a full stack walk is not performed with this type of demand and that your code is still susceptible to luring attacks. The link demand specifies only the permissions direct callers must have to link to your code. It does not specify the permissions all callers must have to run your code.

If a method protected by a link demand is accessed through reflection, than a link demand checks the immediate caller of the code accessed through reflection. This is true both for method discovery and for method invocation performed using reflection. For example, suppose code uses reflection to return a MethodInfo object representing a method protected by a link demand and then passes that MethodInfo object to some other code that uses the object to invoke the original method. In this case the link demand check occurs twice: once for the code that returns the MethodInfo object and once for the code that invokes it.

Note   A link demand performed on a static class constructor does not protect the constructor because static constructors are called by the system, outside the application's code execution path. As a result, when a link demand is applied to an entire class, it cannot protect access to a static constructor, although it does protect the rest of the class.

The following code fragment declaratively specifies that any code linking to the ReadData method must have the CustomPermission permission. This permission is a hypothetical custom permission and does not exist in the .NET Framework. The demand is made by passing a SecurityAction.LinkDemand flag to the CustomPermissionAttribute.

<CustomPermissionAttribute(SecurityAction.LinkDemand)> Public Shared Function ReadData() As String
   'Access a custom resource.
End Function  
public static string ReadData()
   //Access a custom resource.

See Also

Extending Metadata Using Attributes | Security Demands | Creating Your Own Code Access Permissions | Adding Declarative Security Support | Code Access Security