nickhoggard
asked on
CodeDom / Code Access Security - Restrict access to instantiate classes
Hi All,
I'm not all that familar with the Code Access Security model within .NET, and I'm wondering if someone can help me out here (or at least tell me I'm going about it all wrong).
I'm just working my way through how the CodeDom works, and how it can be used to add scripting to an application.
I have a piece of code that is using CodeDom to automatically generate a basic assembly that has a reference to my business objects. What I want is to be able to restrict the generated code from being able to instantite new instances of my business classes, while still being able to call the methods etc on them.
It is not an option to make the constructors Friend of Private because the classes are current used in multipe assemblies. Is there a way to specify which assemblies are allowed to create instances of a class?
Here's a sample of the output code. I want the first function to work , but the second one to fail.
imports MyAssembly.MyObjects
' I want this to work
Public Function EvalCode(obj as MyObject)
obj.Property1= "BlaBlaBla"
Return obj.Property1
End Function
' I want this to fail, because I do not want the
' constructor to be able to be called
Public Function EvalCode() As Object
Dim obj As New MyObject
obj.Property1= "BlaBlaBla"
Return obj.Property1
End Function
Is what I'm looking for possible, or am I going in the wrong direction?
Cheers
Nick
I'm not all that familar with the Code Access Security model within .NET, and I'm wondering if someone can help me out here (or at least tell me I'm going about it all wrong).
I'm just working my way through how the CodeDom works, and how it can be used to add scripting to an application.
I have a piece of code that is using CodeDom to automatically generate a basic assembly that has a reference to my business objects. What I want is to be able to restrict the generated code from being able to instantite new instances of my business classes, while still being able to call the methods etc on them.
It is not an option to make the constructors Friend of Private because the classes are current used in multipe assemblies. Is there a way to specify which assemblies are allowed to create instances of a class?
Here's a sample of the output code. I want the first function to work , but the second one to fail.
imports MyAssembly.MyObjects
' I want this to work
Public Function EvalCode(obj as MyObject)
obj.Property1= "BlaBlaBla"
Return obj.Property1
End Function
' I want this to fail, because I do not want the
' constructor to be able to be called
Public Function EvalCode() As Object
Dim obj As New MyObject
obj.Property1= "BlaBlaBla"
Return obj.Property1
End Function
Is what I'm looking for possible, or am I going in the wrong direction?
Cheers
Nick
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Nick,
An application should request an explicit set of permissions, instead of the default Full Trust, in order to cut down on the possibility of being turned into a rogue application by hackers.
Bob
An application should request an explicit set of permissions, instead of the default Full Trust, in order to cut down on the possibility of being turned into a rogue application by hackers.
Bob
Nickhoggard,
Did you find what you were looking for?
Did you find what you were looking for?
ASKER
Hi,
Sorry - I had my priorities changed for me on the project and havn't had a chance to get back to this one. I did have a quick play with it and believe I will end up going with the CodeDom approach using strong named assemblies and requiring the strong name on callers to specific operations.
Thanks
Nick
Sorry - I had my priorities changed for me on the project and havn't had a chance to get back to this one. I did have a quick play with it and believe I will end up going with the CodeDom approach using strong named assemblies and requiring the strong name on callers to specific operations.
Thanks
Nick
Nick,
It does look like CodeDom would keep a few more hairs on your head. :-)
I did a little reading on CodeDom because I haven't had much exposure on the subject. I came across this article on attributes and thought it might be useful:
http://www.15seconds.com/issue/021113.htm
From what I understand you can create attributes and assign them to your assemblies to create security levels in your code.
If you don't mind answering a quick question for me, can you give me a real world example of what CodeDom would be used for? Is the goal of CodeDom simply to speed up your code?
Cheers!
It does look like CodeDom would keep a few more hairs on your head. :-)
I did a little reading on CodeDom because I haven't had much exposure on the subject. I came across this article on attributes and thought it might be useful:
http://www.15seconds.com/issue/021113.htm
From what I understand you can create attributes and assign them to your assemblies to create security levels in your code.
If you don't mind answering a quick question for me, can you give me a real world example of what CodeDom would be used for? Is the goal of CodeDom simply to speed up your code?
Cheers!
ASKER
Hi,
The main thing we are looking at it for is expression evaluation within our application. Initially it was just looking to be basic expressions so I was using the JScript.Eval statement (for stuff like user defined unit conversion expresses, such as converting kgs to pounds).
Then we took that idea a step further and wanted to look at whether we could have user defined fields within our business objects. The idea was that the user to build the field based on other data within the object. For example the object might declare a date for an event. Using the expressions we wanted the user to be able to add a user defined field that could return the number of days to that event. Take that a step further, and perhaps the user can call an external stats package to perform calculations for the derived field.
The other thing I was looking at was whether we could use this to allow users to implement custom validation rules when adding new business objects to a collection, or for saving them etc. We have a scenario where it is common for one client to say 'we only allow this if ...' and another would do it quite differently. What I'm hoping is that using CodeDom we might be able to implement some of these rules without the need to deloy different compiled assemblies to each client.
The main concern I had was that by allowing access to the business objects for use in the expressions they could also gain access to more restricted resources (such as calling the data tier). The other potential problem is that .NET wont unload assemblies, but I think I can get around this by caching a reference to the assembly, rather than recompiling it for every call.
At this stage I havn't been given the ok to go ahead with development on this yet, so there may still be more issues to contend with but it all seems to work ok in a prototyping state.
Thanks for your help with this one.
Cheers
Nick
The main thing we are looking at it for is expression evaluation within our application. Initially it was just looking to be basic expressions so I was using the JScript.Eval statement (for stuff like user defined unit conversion expresses, such as converting kgs to pounds).
Then we took that idea a step further and wanted to look at whether we could have user defined fields within our business objects. The idea was that the user to build the field based on other data within the object. For example the object might declare a date for an event. Using the expressions we wanted the user to be able to add a user defined field that could return the number of days to that event. Take that a step further, and perhaps the user can call an external stats package to perform calculations for the derived field.
The other thing I was looking at was whether we could use this to allow users to implement custom validation rules when adding new business objects to a collection, or for saving them etc. We have a scenario where it is common for one client to say 'we only allow this if ...' and another would do it quite differently. What I'm hoping is that using CodeDom we might be able to implement some of these rules without the need to deloy different compiled assemblies to each client.
The main concern I had was that by allowing access to the business objects for use in the expressions they could also gain access to more restricted resources (such as calling the data tier). The other potential problem is that .NET wont unload assemblies, but I think I can get around this by caching a reference to the assembly, rather than recompiling it for every call.
At this stage I havn't been given the ok to go ahead with development on this yet, so there may still be more issues to contend with but it all seems to work ok in a prototyping state.
Thanks for your help with this one.
Cheers
Nick
ASKER
Cheers
Nick