如何用CAS拒绝Assert?
在此代码中,我希望禁止 ReadFileSystem 方法对文件系统断言权限。
我预计这会抛出 fileIo.Assert() ,但事实并非如此。 为什么?
using System.Security.Permissions;
static void Main(string[] args)
{
var fileIo = new FileIOPermission(PermissionState.Unrestricted);
var secuPerm = new SecurityPermission(SecurityPermissionFlag.Assertion);
PermissionSet set = new PermissionSet(PermissionState.Unrestricted);
set.AddPermission(fileIo);
set.AddPermission(secuPerm);
set.Deny();
ReadFileSystem();
Console.Read();
}
private static void ReadFileSystem()
{
var fileIo = newFileIOPermission(PermissionState.Unrestricted);
fileIo.Assert();
DirectoryInfo dir = new DirectoryInfo("C:/");
dir.GetDirectories();
}
更新
CAS 上的精彩链接:http://blogs.msdn.com/shawnfa/archive/2004/08/25/220458.aspx
In this code, I'd like the ReadFileSystem method to be forbidden to Assert a permission on the filesystem.
I expected this will throw at fileIo.Assert(), but it doesn't. Why?
using System.Security.Permissions;
static void Main(string[] args)
{
var fileIo = new FileIOPermission(PermissionState.Unrestricted);
var secuPerm = new SecurityPermission(SecurityPermissionFlag.Assertion);
PermissionSet set = new PermissionSet(PermissionState.Unrestricted);
set.AddPermission(fileIo);
set.AddPermission(secuPerm);
set.Deny();
ReadFileSystem();
Console.Read();
}
private static void ReadFileSystem()
{
var fileIo = newFileIOPermission(PermissionState.Unrestricted);
fileIo.Assert();
DirectoryInfo dir = new DirectoryInfo("C:/");
dir.GetDirectories();
}
Update
Great link here on CAS : http://blogs.msdn.com/shawnfa/archive/2004/08/25/220458.aspx
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
随后的断言否定了拒绝的效果。
断言 FileIOPermission 的能力主要取决于您的程序集是否受信任。 它不受先前拒绝 FileIOPermission 的影响。 事实证明,它也不受之前Deny of the Assertion SecurityPermission 的影响。 这是因为 SecurityPermissionFlag.Assertion 被检查为链接时间需求。这没有明确记录; 我在这里找到了它。
要强制 CLR 不信任您的程序集的 FileIOPermission,您可以在文件顶部的 using 语句后面使用以下内容。 当您将其添加到文件中时,断言将不会生效。 这会影响整个装配体。 没有更细的粒度。
The subsequent Assert negates the effects of the Deny.
The ability to assert FileIOPermission mainly depends on whether your assembly is trusted. It is not affected by a previous Deny of FileIOPermission. It turns out that it is also not affected by the previous Deny of the Assertion SecurityPermission. This is because SecurityPermissionFlag.Assertion is checked as a link time demand. This is not clearly documented; I found it here.
To force the CLR to not trust your assembly for FileIOPermission, you can use the following at the top of your file following the using statements. When you add this to your file, the assert will not take effect. This affects the entire assembly. There is no finer granularity.
我认为您可能误解了断言权限的目的。 当您在 CAS 中声明权限集时,您实际上是在说“我知道我在做什么……我不关心堆栈中更深层次的权限是什么。” 这几乎永远不是你想要的。 您通常需要请求权限集。 这会导致堆栈遍历,这会在堆栈上找到拒绝,然后导致安全异常。
然而,由于 .NET 几乎内置了所有必要的需求,因此很少需要实际需求任何东西,除非您正在执行断言(同样,这种情况很少见)或者您已经编写了自己的自定义权限类。
I think you may misunderstand the purpose of Asserting permissions. When you Assert a permission set in CAS, you are effectively saying "I know what I'm doing... I don't care what the permissions are deeper in the stack." That's almost never what you want. You generally want to Demand a permission set. That causes a stack walk, which would find the Deny on the stack and then cause a security exception.
However, since .NET has virtually all the necessary Demands built-in, there's rarely a need to actually Demand anything unless you're doing Asserts (again, that's rare) or you've written your own custom Permission class.