This article has been
excerpted from book "The Complete Visual C# Programmer's Guide" from the Authors
of C# Corner.
The System.Security namespace provides the underlying structure of the .NET
Framework security system. It includes interfaces, attributes, exceptions, and
base classes for permissions, as well as the CodeAccessPermission class, which
defines the underlying structure of all code access permissions.
Many Permission classes implement the IPermission interface, which takes the
form shown in Listing 22.12.
Listing 22.12: IPermission Interface
The ISecurityEncodable interface is implemented to serialize permissions to and
from XML format. Listing 22.13 shows the typical structure of the interface.
Listing 22.13: ISecurityEncodable Interface
void FromXml(SecurityElement e);
Listing 22.14 provides an example of XML security serialization.
Listing 22.14: XML Security Serialization
// code to show XML serialization
PermissionSet ps = new
SecurityElement myDOM = ps.ToXml();
All of the classes listed in Table 22.4 are derived from the
Table 22.4: Permission Classes in the System.Security Namespace
Table 22.5 lists the most common methods used with the permission classes. Three
of these methods-Assert, Deny, and PermitOnly-are called overrides because they
override the default behavior of the security system. When different overrides
are present in the same stack frame, the runtime processes these overrides in
the following order: PermitOnly, Deny, and Assert
Table 22.5: Commonly Used Methods of Permissions Classes
If, during the stack walk, the runtime discovers more than one override of the
same type (e.g., two calls to Assert in one stack frame), the second override
causes an exception. To replace an override, first call the appropriate revert
method (e.g., RevertAssert) and then apply the new override. Also, be aware that
each stack frame can have, at most, one permission set used for denial. The most
recent Deny function replaces all other denials for other permission sets in the
current stack frame.
In Listing 22.15, a demand for a read operation to c:\dir1\ is called. If the
system refuses that demand, an exception is thrown.
Listing 22.15: Executing the Demand method of a Permissions object
FileIOPermission p = new
catch (SecurityException ex)
// catch SecurityException here
The code in Listing 22.16 compares two file permissions to determine whether one
is a subset of the other. If so, the subset may derive granted permissions from
the "parent." For example, if file I/O permission to c:\dir1\ is granted, then
file I/O permission to c:\dir1\dir2\ is also granted. Thus, you can conclude
that perm2 is a subset of perm1 in this example.
Listing 22.16: IsSubsetOf Example
// IsSubsetOf tests
public static void Main()
// create two registry permissions
RegistryPermission perm1 =
RegistryPermission perm2 =
// and test which is subset of which?
? "perm1 is subset of perm2." :
"test1 not successful!");
? "perm2 is subset of perm1." :
"test2 not successful!");
/* The program will output:
test1 not successful!
perm2 is subset of perm1.
occurred! " + e.ToString());
Listing 22.17 illustrates a typical use of the Assert method. First, file I/O
permission is demanded. Then the Assert method is called to affirm permission to
unmanaged code. As a result, no more stack walk-ups are performed until
processing of the unmanaged code is complete.
Listing 22.17: Assert Example
// assert unmanaged code
FileIOPermission p1 =
// call unmanaged code
// demand for file I/O permission failed.
Listing 22.18 uses the Demand and Assert methods together for performance
tuning. First, you demand an environment variable for read permission. Then you
assert that need and execute nonrisky code in terms of that environment
Listing 22.18: Demand and Assert Example
// demand and assert together
EnvironmentPermission envPerm =
// Demand it once to see if it has been
// Assert the permission to stop the stack
i = 0; i < 100; i++)
// code that reads TEMP environment
// The demand failed.
SecurityAction is an enumeration that encompasses the following elements:
The SecurityPermissionFlag enumeration helps to specify access flags for the
security permission object. The SecurityPermission class uses this enumeration.
Many of these flags are powerful and should be granted only to highly trusted
The enumeration contains the following elements:
Listing 22.19 shows how to use the
SecurityPermissionFlag enumeration to request minimum security in the class
attributes. This causes security verification to be skipped during JIT
Listing 22.19: SecurityPermissionFlag
public class MySecureClass
public MySecureClass ()
// code here
Hope this article would have helped you in understanding
Security Classes in .NET. See other articles on the website on .NET and C#.
| ||The Complete Visual
C# Programmer's Guide covers most of the major components that make
up C# and the .net environment. The book is geared toward the
intermediate programmer, but contains enough material to satisfy the
advanced developer. |