5. Permission Set Attributes
You can declaratively instruct .NET to take a security action, such as demanding or asserting a permission set, using the PermissionSetAttribute class, defined as:
public sealed class PermissionSetAttribute : CodeAccessSecurityAttribute
{
public PermissionSetAttribute(SecurityAction action);
public SecurityAction Action{get;set;}
public string File{get;set;}
public string Name{get;set;}
public string XML {get;set;}
//Rest of the definition
}
Unlike with the programmatic composition of a permission set, when you use the Name property of the PermissionSetAttribute class, you are restricted to using only the predefined named permission sets, as in the following example:
[PermissionSet(SecurityAction.Demand,Name = "LocalIntranet")]
public void SomeMethod( )
{}
Note that you cannot use the Everything permission set (probably because it's specific to the .NET Configuration tool).
If you want to use a custom permission set declaratively, you need to
provide the attribute with an XML representation of that set. You can
assign the name of a file containing that XML to the File
property of the attribute. Using a file gives you the option of
changing the permission set you demand or assert after deployment.
However, a file can be tempered with (unless you apply NTFS protections
to it), and besides, declarative security attributes are better used in a static security context. With a custom permission set, I recommend that you use the XML property of PermissionSetAttribute. Whether you use the File property or the XML
property, you will need to prepare the XML representation of your
custom permission set. The easiest way to do that is to write a short
program that constructs the permission set programmatically and then
calls its ToString( ) method. The ToString( ) method of the PermissionSet class returns the XML encoding of the permission set. Next, either save that string to a file (for use with the File property), or hardcode it in the assembly for use with the XML property, as shown in Example 11.
Example 11. Defining and using a custom permission set
//Step 1: Construct a custom permission set programmatically and
//encode into XML
IPermission permission1 = new UIPermission(PermissionState.Unrestricted);
IPermission permission2 = new FileIOPermission(PermissionState.Unrestricted);
PermissionSet permisssionSet = new PermissionSet(PermissionState.None);
permisssionSet.AddPermission(permission1);
permisssionSet.AddPermission(permission2);
//Copy the resulting string from the trace:
Trace.WriteLine(permisssionSet.ToString( ));
//Step 2: Build a constant representing the custom permission set
public static class CustomPermissions
{
public const string MyPermissionSet = @"
<PermissionSet class = ""System.Security.PermissionSet"" version=""1"">
<IPermission class = ""System.Security.Permissions.UIPermission,
mscorlib,
Version=2.0.0.0,Culture=neutral,
PublicKeyToken=b77a5c561934e089""
version=""1""
Unrestricted=""true""/>
<IPermission class = ""System.Security.Permissions.FileIOPermission,
mscorlib,
Version=2.0.0.0,Culture=neutral,
PublicKeyToken=b77a5c561934e089""
version=""1""
Unrestricted=""true""/>
</PermissionSet>";}
//Step 3: Use the custom permission set
[PermissionSet(SecurityAction.Demand,XML = CustomPermissions.MyPermissionSet)]
public void SomeMethod( )
{}
|
You can even combine your
custom permission set with the named permission sets in a demand or
demand-choice manner. If you use demand choice, only one of the demanded
permission sets has to be satisfied:
[PermissionSet(SecurityAction.DemandChoice,
XML = CustomPermissions.MyPermissionSet)]
[PermissionSet(SecurityAction.DemandChoice,
Name = "LocalIntranet")]
public void SomeMethod( )
{}
