Posted by: Cirilo Meggiolaro | 11/28/2008

Tip of the day #45 – Imperative and declarative security

Security code is not straightforward to develop but the .NET framework provides a full set of objects that will help you develop a better and secure code.

The topic security is not a subject for a single “tip of the day” and really good books have been written about it.

Let’s start talking about what is a imperative and what is a declarative security.

Declarative security

Declarative security is a way to set security properties that will be checked before your code runs by using attributes like any other attributes for assemblies and / or methods. If your application does not have the access rights requested an exception will be thrown.

How to…

Apply the declarative security attribute is exactly the same than apply any other attribute in your .NET code. The following codes demonstrate how to apply a permission to event log for your assembly and how to ensure that there is access rights to a specific folder.

using System.Diagnostics;

[assembly: EventLogPermission(System.Security.Permissions.SecurityAction.RequestMinimum, MachineName=“ServerName”, PermissionAccess=EventLogPermissionAccess.Write)]

using System.Security.Permissions;

[FileIOPermission(SecurityAction.Assert, PathDiscovery=@”C:\MyFolder”)]
void MyMethod() { }

Imperative Security

Imperative security on the other hand is a way to perform access rights checks for portions of code by using regular instances of objects. You need to be more careful when using imperative security checking because exceptions will be thrown and depending on the settings you specify, the caller stack will be checked and so on.

How to…

To apply imperative security you might declare and instantiate the permission object as the same way as any object. The following code applies the same event log permission check using imperative security for a portion of code:

static void M()
{
    /// Create the permission object.
    FileIOPermission filePermission = new FileIOPermission(FileIOPermissionAccess.Read, @”C:\MyFolder”);

    /// Defines that the current code can have
    /// access to the resource specified above.
    
filePermission.Assert();

    try
    {
        /// Read a file from the C:\MyFolder directory
    
}
    finally
    {
        /// Revert any access granted
        
CodeAccessPermission.RevertAssert();
    }
}

Some examples of .NET permission classes

  1. DnsPermission: Allows access to DNS;
  2. EnvironmentPermission: Allows access to environment variables;
  3. EventLogPermission: Allows access to event log;
  4. FileDialogPermission: Allows access to files selected by an user from the open dialog box;
  5. FileIOPermission: Allows access to files or directories;
  6. MessageQueuePermission: Allows access to message queues;
  7. PerformanceCounterPermission: Allows access to performance counters;
  8. PrincipalPermission: Set permissions based on username and group memberships;
  9. PrintingPermission: Allows access to printers;
  10. ReflectionPermission: Allows access to get information about a type at run time;
  11. RegistryPermission: Allows access to the computer registry;
  12. ServiceControllerPermission: Allows access to services;
  13. SqlClientPermission: Allows access to SQL Server databases;
  14. UIPermission: Allows access to user interface. This permission is required to debug an assembly;
  15. WebPermission: Allows access to request or receive connections from the web.
Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Categories

%d bloggers like this: