Restrict unauthorized code

From Guidance Share


- J.D. Meier, Alex Mackman, Michael Dunner, Srinath Vasireddy, Ray Escamilla and Anandha Murukan

By using .NET Framework code access security — specifically, code identity demands — you can limit the assemblies that can access your data access classes and methods.

For example, if you only want code written by your company or a specific development organization to be able to use your data access components, use a StrongNameIdentityPermission and demand that calling assemblies have a strong name with a specified public key, as shown in the following code fragment:

using System.Security.Permissions;
. . .
// Link demand: the immediate caller must be signed with the given strong name key.
[StrongNameIdentityPermission(SecurityAction.LinkDemand,
                             PublicKey="002...4c6")]
public void GetCustomerInfo(int CustId)
{
}

To extract a text representation of the public key for a given assembly, use the following command:

sn -Tp assembly.dll

Note: Use an uppercase "T" in the -Tp switch.

Because Web application assemblies are dynamically compiled, you cannot use strong names for these assemblies. This makes it difficult to restrict the use of a data access assembly to a specific Web application. The best approach is to develop a custom permission and demand that permission from the data access component. Full trust Web applications (or any fully trusted code) can call your component. Partial trust code, however, can call your data access component only if it has been granted the custom permission.

Note: Although you can compile and strong name your Web application and its assemblies in .NET 2.0, any strong-named assembly can satisfy and pass a StrongNameIdentityPermission link demand. Therefore, it is recommended that you use the custom permission demand in this situation.

For an example implementation of a custom permission, see "How To: Create a Custom Encryption Permission" at http://msdn.microsoft.com/library/en-us/dnnetsec/html/HTCustEncr.asp
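
The custom permission approach described above can look like the following. This is an added example, not code from the original guidance or from the linked How To. The names DataAccessPermission and CustomerData are hypothetical, and granting the permission to a partial trust application through security policy is assumed and not shown.

```csharp
using System;
using System.Security;
using System.Security.Permissions;

// Hypothetical permission: policy grants it only to code allowed to use the data access layer.
[Serializable]
public sealed class DataAccessPermission : CodeAccessPermission, IUnrestrictedPermission
{
    private bool granted;   // true = Unrestricted state, false = empty (None) state
    public DataAccessPermission(PermissionState state) { granted = (state == PermissionState.Unrestricted); }
    public bool IsUnrestricted() { return granted; }
    public override IPermission Copy() { return new DataAccessPermission(granted ? PermissionState.Unrestricted : PermissionState.None); }
    // An empty permission is a subset of anything; a granted one only of another granted one.
    public override bool IsSubsetOf(IPermission target) { return !granted || (target != null && Cast(target).granted); }
    // The intersection is non-empty only when both sides are granted; null means empty.
    public override IPermission Intersect(IPermission target)
    {
        if (target == null || !granted || !Cast(target).granted) return null;
        return new DataAccessPermission(PermissionState.Unrestricted);
    }
    // XML form used when the permission is stored in security policy.
    public override SecurityElement ToXml()
    {
        SecurityElement e = new SecurityElement("IPermission");
        e.AddAttribute("class", GetType().AssemblyQualifiedName);
        e.AddAttribute("version", "1");
        e.AddAttribute("Unrestricted", granted.ToString());
        return e;
    }
    public override void FromXml(SecurityElement e)
    {
        granted = string.Equals(e.Attribute("Unrestricted"), "true", StringComparison.OrdinalIgnoreCase);
    }
    private static DataAccessPermission Cast(IPermission p)
    {
        DataAccessPermission other = p as DataAccessPermission;
        if (other == null) throw new ArgumentException("Expected DataAccessPermission", "p");
        return other;
    }
}

public class CustomerData
{
    // Imperative demand: partial trust callers need DataAccessPermission; full trust callers pass.
    public void GetCustomerInfo(int custId)
    {
        new DataAccessPermission(PermissionState.Unrestricted).Demand();
    }
}
```

Demand walks the whole call stack, unlike the LinkDemand in the earlier fragment, which checks only the immediate caller.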
