StrongNameIdentityPermissionAttribute at Assembly level

SA

Hi all,

(I know this has been asked before, but I could not find a reply.)


I want to restrict the callers of my business logic DLL. The assembly should
be called only by my service interfaces.

However, when I try this (in assemblyinfo.vb):

<Assembly: StrongNameIdentityPermission( _
SecurityAction.LinkDemand, _
PublicKey:="<goes here>")>

the assembly doesn't compile, apparently because LinkDemand is not allowed
at assembly level?

Then I tried

<Assembly: StrongNameIdentityPermission( _
SecurityAction.RequestMinimum, _
PublicKey:="<goes here>")>

That doesn't work: every client can call my assembly, no matter which public
key they have.

When I switch to

<StrongNameIdentityPermission( _
SecurityAction.LinkDemand, _
PublicKey:="<goes here>")> _
Public Class SomeBizLogic
....

it does work: only clients with that specific public key can call into that
class.

However, because that assembly will be expanded with more classes, I don't
want to have to put that attribute in front of every class (just in case I
forget, etc.).

What is the correct way to enforce this permission at assembly level?

Thanks,
 
SA said:
> Hi all,
>
> (I know this has been asked before, but I could not find a reply.)
>
> I want to restrict the callers of my business logic DLL. The assembly should
> be called only by my service interfaces.
>
> However, when I try this (in assemblyinfo.vb):
>
> <Assembly: StrongNameIdentityPermission( _
> SecurityAction.LinkDemand, _
> PublicKey:="<goes here>")>

Just so you know, demands for identity permissions are fairly easily
bypassed by highly privileged code. This doesn't make them useless, but it
does mean that they don't actually prevent all access from "foreign" code.

> the assembly doesn't compile, apparently because LinkDemand is not allowed
> at assembly level?

It's not. Only the RequestMinimum, RequestOptional, and RequestRefuse
security actions can be used with an assembly-level permission attribute.

> Then I tried
>
> <Assembly: StrongNameIdentityPermission( _
> SecurityAction.RequestMinimum, _
> PublicKey:="<goes here>")>
>
> That doesn't work: every client can call my assembly, no matter which public
> key they have.

The RequestMinimum specifies that your assembly shouldn't load unless it's
granted the permission. It has no effect on other assemblies' use of your
assembly.

> When I switch to
>
> <StrongNameIdentityPermission( _
> SecurityAction.LinkDemand, _
> PublicKey:="<goes here>")> _
> Public Class SomeBizLogic
> ...
>
> it does work: only clients with that specific public key can call into that
> class.
>
> However, because that assembly will be expanded with more classes, I don't
> want to have to put that attribute in front of every class (just in case I
> forget, etc.).

You don't have a choice. The class is the biggest container on which the
demand can be placed.

> What is the correct way to enforce this permission at assembly level?

Apply it to every class.
 
You could put some checking code against
Assembly.GetCallingAssembly().PublicKeyToken in your more important methods.
Not nice though...
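
A sketch of the calling-assembly check suggested in the last reply, as an added example that is not code from any poster in this thread. The token is read through Assembly.GetName().GetPublicKeyToken(); CallerGuard, IsTrustedCaller and DoWork are hypothetical names, and the token bytes are a placeholder.

```vb
Imports System
Imports System.Reflection
Imports System.Runtime.CompilerServices
Imports System.Security

Friend Module CallerGuard
    ' Placeholder: replace with the 8-byte public key token of the
    ' service-interface assembly that is allowed to call in.
    Private ReadOnly ExpectedToken As Byte() = _
        {&H0, &H0, &H0, &H0, &H0, &H0, &H0, &H0}

    ' True only when the caller is strong-named with the expected token.
    Friend Function IsTrustedCaller(ByVal caller As Assembly) As Boolean
        If caller Is Nothing Then Return False
        Dim token As Byte() = caller.GetName().GetPublicKeyToken()
        ' An unsigned assembly yields Nothing or an empty array.
        If token Is Nothing OrElse token.Length <> ExpectedToken.Length Then
            Return False
        End If
        For i As Integer = 0 To token.Length - 1
            If token(i) <> ExpectedToken(i) Then Return False
        Next
        Return True
    End Function
End Module

Public Class SomeBizLogic
    ' NoInlining stops the JIT from folding this method into its caller,
    ' which could change the assembly that GetCallingAssembly reports.
    <MethodImpl(MethodImplOptions.NoInlining)> _
    Public Function DoWork(ByVal input As String) As String
        ' GetCallingAssembly must be invoked here, in the public entry point.
        ' Invoked inside CallerGuard it would report this assembly itself.
        If Not CallerGuard.IsTrustedCaller(Assembly.GetCallingAssembly()) Then
            Throw New SecurityException("Caller is not an authorized assembly.")
        End If
        Return input.ToUpperInvariant()
    End Function
End Class
```

The caveat from the earlier reply about highly privileged code applies to this check as well, and every public entry point still needs its own call.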
 