notouch

 Profile Answers by notouch 

• Oct 19th, 2008

 

You can see the detail in MSDN library: http://msdn.microsoft.com/en-us/library/0xkh23z7.aspx and http://msdn.microsoft.com/en-us/library/kaacwy28.aspx

From what I understand, Declarative Security can be used on Request, Demand and Overrides, Imperative can only be used on Demand and Overrides, but not Request.

Also imperative is used for determine security restriction based on run-time results. i.e. only users above age 17 can access rated M games. Both birth date and game rating are only available by user input at run time, so you will use imperative instead of declarative.

jabijohn

 Profile Answers by jabijohn 

• Apr 4th, 2009

 

There are two ways to demand security permissions in C#: Imperatively: Using calls to permission classes in the .NET Framework Declaratively: Using security permission attributes

ponss

 Profile Answers by ponss 

• Jun 1st, 2009

 

 Imperative versus Declarative Security

The code security can be implemented by either using the Declarative Security or the Imperative Security. Let us now understand how these two differ.

Declarative Security

This is accomplished by placing security attributes at the assembly level, class level or member level. The attribute indicates the request type, overrides and demands. Each permission object has a state data, and this needs to be initialized to use that permission. Also, each permission has an attribute to which the type of security action, which is an enumeration called SecurityAction, is passed to the attribute. In the example below, all the members of the class are restricted accessing the "Program Files" folder.

Listing 4

[FileIOPermissionAttribute(SecurityAction.RequestRefuse, "C:Program Files")]
public class RestrictPF
{
   public RestrictPF()
   {
      //security call protects the constructor.
   }
 
   public void SomeMethod()     
   {
            //security call also protects this method.
   }
}

If you want to restrict the permission on the assembly level, you can use the following.

Listing 5

[assembly: FileIOPermissionAttribute(SecurityAction.RequestRefuse, "C:Program Files")]

If you want to restrict any registry access from the assembly level, you can use the following.

Listing 6

[assembly: RegistryPermissionAttribute(SecurityAction.RequestRefuse, Unrestricted = true)]

So even though the code runs in an environment that allows access to the registry or perform FileIO operations, the assembly will not be granted any kind of permissions.


Imperative Security

This kind of security could be used to perform demands and overrides. This helps in situations where you want to check the permissions at runtime. However, this kind of security cannot be used to perform requests. In imperative syntax, a new instance of the security permission object needs to be created before calling. Also, you need to initialize the permission set to invoke a security object. A permission set consists of a group of permissions; initializing a permission group provides a means to perform assert calls on multiple permissions in one method. For this purpose you could use the NamedPermissionSet and PermissionSet classes for grouping of permissions. You can then call the required method to invoke the appropriate security call.

Listing 7

public class RestrictPF
{
  public RestrictPF(){}
 
  public void SomeMethod()
  {
    //Here the FileIOPermissionAttribute is demanded using the imperative syntax.
    //Method is protected by security call.
    FileIOPermissionAttribute flsIOPerm = new FileIOPermissionAttribute();
    flsIOPerm.Demand();
  }
 
  public void SomeOtherMethod()
  {
    //Method not protected by security call.
  }
}