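using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

class Program
{
    // Deny is attached to Main's stack frame and is meant to block file access under C:\.
    [FileIOPermission(SecurityAction.Deny, ViewAndModify = @"C:\")]
    static void Main(string[] args)
    {
        WriteTest testWriter = new WriteTest();
        testWriter.Test();
        Console.Read();
    }
}

public class WriteTest
{
    public void Test()
    {
        try
        {
            // The Assert stops the stack walk at this frame, so the Deny on Main is never seen.
            FileIOPermission permission = new FileIOPermission(FileIOPermissionAccess.Write, @"C:\");
            permission.Assert();
            using (StreamWriter sw = new StreamWriter(@"C:\test.txt"))
            {
                sw.WriteLine("testing!");
                sw.Flush();
            }
            Console.WriteLine("Written to file!");
        }
        catch (SecurityException)
        {
            Console.WriteLine("No privileges!");
        }
    }
}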
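Assert() is useful when less-privileged code ("Assembly A") calls more-privileged code ("Assembly B") to perform some task. To carry out the task, Assembly B needs to run code that requires a powerful permission, one that Assembly A might not have. So Assembly B first demands a less powerful permission (the permission to perform the task in the first place) and then asserts the more powerful permission needed to actually carry out the task. For example, suppose a partially trusted Silverlight application wants to make an HTTP request using the System.Net.WebRequest class. Establishing a network connection requires SocketPermission, but that is a powerful, low-level permission that should not be granted to untrusted code from the Internet. So WebRequest demands a less powerful permission, WebPermission, and then asserts SocketPermission before going on to establish the network connection.
Now, in your particular example, the Assert() overrides the Deny because the class library runs at the same privilege level as the application; both the application and the class library are probably running as full trust. An assembly can always Assert() any permission in its grant set. To enforce the Deny on the class library, you would have to put the class library in a sandbox.
Note: In .NET 4.0, Deny has been deprecated. From the MSDN Library: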
Runtime support has been removed for enforcing the Deny, RequestMinimum, RequestOptional, and RequestRefuse permission requests. In general, these requests were not well understood and presented the potential for security vulnerabilities when they were not used properly:
- A Deny action could be easily overridden by an Assert action. The code in an assembly was able to execute an Assert action for a permission if the permission was in the grant set for the assembly. The Assert prevented the Deny from being seen on the stack, making it ineffective.
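
The sandbox mentioned above, as an added example that is not part of the original question or answer: the same WriteTest is loaded into a partially trusted AppDomain whose grant set holds only execution rights, so the write to C:\ cannot be asserted. It assumes .NET Framework 4.x (CAS sandboxing does not exist in .NET Core or later); the domain name "Sandbox" and the string return value are choices made for this sketch.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// MarshalByRefObject lets the fully trusted host call this object across the domain boundary.
public class WriteTest : MarshalByRefObject
{
    public string Test()
    {
        try
        {
            // Throws here: the grant set lacks SecurityPermissionFlag.Assertion, and even
            // with it an Assert cannot go beyond what the assembly has been granted.
            new FileIOPermission(FileIOPermissionAccess.Write, @"C:\").Assert();
            using (StreamWriter sw = new StreamWriter(@"C:\test.txt"))
                sw.WriteLine("testing!");
            return "Written to file!";
        }
        catch (SecurityException)
        {
            return "No privileges!";
        }
    }
}

public static class Program
{
    public static void Main()
    {
        // Grant set for the sandbox: the right to execute, nothing else.
        PermissionSet grants = new PermissionSet(PermissionState.None);
        grants.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));

        // Demo only: a real host points ApplicationBase at a directory that
        // contains nothing but the untrusted code.
        AppDomainSetup setup = new AppDomainSetup { ApplicationBase = AppDomain.CurrentDomain.BaseDirectory };

        // No full-trust StrongName list is passed, so everything loaded here is partially trusted.
        AppDomain sandbox = AppDomain.CreateDomain("Sandbox", null, setup, grants);
        try
        {
            WriteTest writer = (WriteTest)sandbox.CreateInstanceAndUnwrap(
                typeof(WriteTest).Assembly.FullName, typeof(WriteTest).FullName);
            Console.WriteLine(writer.Test()); // the host prints the sandboxed result
        }
        finally { AppDomain.Unload(sandbox); }
    }
}
```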