StrongNameIdentityPermissionAttribute at Assembly level

SA

Hi all,

(I know this has been asked before, but I could not find a reply.)


I want to restrict the callers of my business logic DLL. The assembly should
be called only by my service interfaces.

However, when I try this (in assemblyinfo.vb):

<Assembly: StrongNameIdentityPermission( _
SecurityAction.LinkDemand, _
PublicKey:="<goes here>")>

the assembly doesn't compile, apparently because LinkDemand is not allowed
at assembly level?

Then I tried

<Assembly: StrongNameIdentityPermission( _
SecurityAction.RequestMinimum, _
PublicKey:="<goes here>")>

That doesn't work: every client can call my assembly, no matter which public
key they have.

When I switch to

<StrongNameIdentityPermission( _
SecurityAction.LinkDemand, _
PublicKey:="<goes here>")> _
Public Class SomeBizLogic
....

it does work: only clients with that specific public key can call into that
class.

However, because that assembly will be expanded with more classes, I don't
want to have to put that attribute in front of every class (just in case I
forget, etc.).

What is the correct way to enforce this permission at assembly level?

Thanks,
 
Nicole Calinoiu

SA said:
> Hi all,
>
> (I know this has been asked before, but I could not find a reply.)
>
> I want to restrict the callers of my business logic DLL. The assembly should
> be called only by my service interfaces.
>
> However, when I try this (in assemblyinfo.vb):
>
> <Assembly: StrongNameIdentityPermission( _
> SecurityAction.LinkDemand, _
> PublicKey:="<goes here>")>

Just so you know, demands for identity permissions are fairly easily
bypassed by highly privileged code. This doesn't make them useless, but it
does mean that they don't actually prevent all access from "foreign" code.

> the assembly doesn't compile, apparently because LinkDemand is not allowed
> at assembly level?

It's not. Only the RequestMinimum, RequestOptional, and RequestRefuse
security actions can be used with an assembly-level permission attribute.

> Then I tried
>
> <Assembly: StrongNameIdentityPermission( _
> SecurityAction.RequestMinimum, _
> PublicKey:="<goes here>")>
>
> That doesn't work: every client can call my assembly, no matter which public
> key they have.

The RequestMinimum specifies that your assembly shouldn't load unless it's
granted the permission. It has no effect on other assemblies' use of your
assembly.

> When I switch to
>
> <StrongNameIdentityPermission( _
> SecurityAction.LinkDemand, _
> PublicKey:="<goes here>")> _
> Public Class SomeBizLogic
> ...
>
> it does work: only clients with that specific public key can call into that
> class.
>
> However, because that assembly will be expanded with more classes, I don't
> want to have to put that attribute in front of every class (just in case I
> forget, etc.).

You don't have a choice. The class is the biggest container on which the
demand can be placed.

> What is the correct way to enforce this permission at assembly level?

Apply it to every class.
 
Sean Hederman

You could put some checking code against
Assembly.GetCallingAssembly().PublicKeyToken in your more important methods.
Not nice though...
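
A runtime caller check of the kind suggested in the post above, as an added VB.NET example that is not code from the thread. `CallerGuard`, `DoWork` and the token bytes are hypothetical placeholders; the token is read through `Assembly.GetName().GetPublicKeyToken()`.

```vb
Imports System
Imports System.Reflection
Imports System.Runtime.CompilerServices
Imports System.Security

' Hypothetical helper (assumption, not from the thread).
Friend NotInheritable Class CallerGuard
    ' Constructed placeholder: substitute the 8-byte public key token
    ' of the service assembly that is allowed to call in.
    Private Shared ReadOnly TrustedToken As Byte() = _
        New Byte() {&H0, &H11, &H22, &H33, &H44, &H55, &H66, &H77}

    Private Sub New()
    End Sub

    Public Shared Sub Demand(ByVal caller As Assembly)
        ' Calls that originate inside this assembly are always allowed.
        If caller Is GetType(CallerGuard).Assembly Then Return

        Dim token As Byte() = caller.GetName().GetPublicKeyToken()
        If Not TokensMatch(token, TrustedToken) Then
            Throw New SecurityException( _
                "Caller " & caller.GetName().Name & " is not an approved assembly.")
        End If
    End Sub

    Private Shared Function TokensMatch(ByVal a As Byte(), ByVal b As Byte()) As Boolean
        ' An assembly without a strong name yields Nothing or an empty array.
        If a Is Nothing OrElse a.Length <> b.Length Then Return False
        For i As Integer = 0 To a.Length - 1
            If a(i) <> b(i) Then Return False
        Next
        Return True
    End Function
End Class

Public Class SomeBizLogic
    ' NoInlining stops the JIT from folding this method into its caller,
    ' which could make GetCallingAssembly report a different assembly.
    <MethodImpl(MethodImplOptions.NoInlining)> _
    Public Sub DoWork()
        ' Evaluate GetCallingAssembly here, not inside CallerGuard:
        ' inside the helper it would return this assembly itself.
        CallerGuard.Demand(Assembly.GetCallingAssembly())
        ' ... business logic ...
    End Sub
End Class
```

The check has to be repeated in every public entry point, and like the LinkDemand it does not stop the highly privileged code mentioned earlier in the thread.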
 
