posted on Thursday, June 29, 2006 11:38 PM
by
scotts
Identity demands pass in full trust scenarios
StrongNameIdentityPermission is one of
those topics that just seem so attractive on paper. It has caught my attention
since the first early days of .net 1.0. The idea that a class can place an
identity demand on a method (or on the whole class), so that it can only be
called by another assembly that is signed with a particular strong name. It can
be done declaratively with attributes or explicitly in code. Early Quick Start
samples like "How
do I…Control access to my shared component." seemed so powerful, and
even worked in .net 1.0 and 1.1. All is good, right?
The problem is that the whole topic just
gives the developer a false sense of security around a class or component library
that they may be writing.
As a class library or component
author, you don't always know where this code will eventually be running; maybe it will
be used in a custom web app with some locked down minimal security, but maybe it
will be running in a Windows Forms app, executing in a process domain with full
trust. You just don't know. And if it is going to be used in a full trust
environment, your StrongNameIdentityPermission demand assumptions are hosed.
In .Net 2.0, identity demands have no
effect if the calling code is executing with full trust. They always just pass.
Apparently there was some hoop jumping in 1.x that prevented identity
permissions from having an unrestricted permission state and in .Net 2.0 this
hoop jumping has been removed and identity permissions can have any permission
state. It kind of makes the whole idea of StrongNameIdentityPermission a moot
point; well, except for maybe some pretty well defined scenarios.
I was attempting to code some proof of
concept work involving identity demand permissions today, in .Net 2.0; using a
simple console app as the harness process. For the life of me, I couldn't get
the StrongNameIdentityPermission to fail when it should have. After driving
myself completely batty, because I knew this was something I've previously
done/tested/used in .net 1.x, I finally read the MSDN page on StongNameIdentityPermission
a bit closer. And sure enough, right there under a header called
"Important" was this little nugget that made it all come clear:
"In the .NET
Framework versions 1.0 and 1.1, demands on the identity permissions are
effective, even when the calling assembly is fully trusted. That is, although
the calling assembly has full trust, a demand for an identity permission fails
if the assembly does not meet the demanded criteria. In the .NET Framework
version 2.0, demands for identity permissions are ineffective if the calling
assembly has full trust. This assures consistency for all permissions,
eliminating the treatment of identity permissions as a special case."
excerpt from
http://msdn2.microsoft.com/en-us/library/system.security.permissions.strongnameidentitypermission.aspx