Solved

CodeDom / Code Access Security - Restrict access to instantiate classes

Posted on 2006-07-16
Last Modified: 2012-06-27
Hi All,

I'm not all that familiar with the Code Access Security model within .NET, and I'm wondering if someone can help me out here (or at least tell me I'm going about it all wrong).

I'm just working my way through how the CodeDom works, and how it can be used to add scripting to an application.

I have a piece of code that is using CodeDom to automatically generate a basic assembly that has a reference to my business objects.  What I want is to be able to restrict the generated code from being able to instantiate new instances of my business classes, while still being able to call the methods etc. on them.

It is not an option to make the constructors Friend or Private because the classes are currently used in multiple assemblies.  Is there a way to specify which assemblies are allowed to create instances of a class?

Here's a sample of the output code.  I want the first function to work, but the second one to fail.

Imports MyAssembly.MyObjects

' I want this to work
Public Function EvalCode(obj As MyObject) As Object
      obj.Property1= "BlaBlaBla"
      Return obj.Property1
End Function

' I want this to fail, because I do not want the
' constructor to be able to be called
Public Function EvalCode() As Object
      Dim obj As New MyObject
      obj.Property1= "BlaBlaBla"
      Return obj.Property1
End Function

Is what I'm looking for possible, or am I going in the wrong direction?

Cheers

Nick
Question by:nickhoggard
7 Comments
LVL 4

Accepted Solution

by:
sr101880 earned 500 total points
ID: 17124803
To get you started,

I think you are on the right path.  From what I've read you will need to place demands on the parts of your code that you don't want to work.  Below I have listed some good resources for CAS; most are in C# but I think you will get the picture.

This is a quick overview of CAS:
http://www.codeproject.com/dotnet/UB_CAS_NET.asp

This is a more detailed overview with lots of examples:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/THCMCh08.asp

This is a good book that contains VB and C# examples:
http://www.oreilly.com/catalog/prognetsec/

LVL 5

Author Comment

by:nickhoggard
ID: 17127940
Thanks, I'll have a read over them when I'm at work tomorrow.  C# is fine ... I'm only working in VB right now because that's what was specified by the project managers.

Cheers

Nick
LVL 96

Expert Comment

by:Bob Learned
ID: 17129376
Nick,
An application should request an explicit set of permissions, instead of the default Full Trust, in order to cut down on the possibility of being turned into a rogue application by hackers.

Bob
LVL 4

Expert Comment

by:sr101880
ID: 17175396
Nickhoggard,

     Did you find what you were looking for?
LVL 5

Author Comment

by:nickhoggard
ID: 17177454
Hi,

Sorry - I had my priorities changed for me on the project and haven't had a chance to get back to this one.  I did have a quick play with it and believe I will end up going with the CodeDom approach using strong-named assemblies and requiring the strong name on callers to specific operations.

Thanks

Nick
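One way to express the restriction discussed in the accepted solution (a demand on the code you don't want scripts to reach) and in Nick's comment above (requiring the caller's strong name), as an added VB.NET example that is not code from the thread or from either poster. MyObject, Property1, the Script module name and the PublicKey value are assumptions or placeholders; the business assembly is assumed to be strong-named.

```vb
' Added example, not code from the thread. PublicKey is a placeholder: replace it
' with the hex printed by "sn -Tp MyAssembly.dll" for the signed business assembly.
Imports System
Imports System.CodeDom.Compiler
Imports System.Reflection
Imports System.Security
Imports System.Security.Permissions
Imports Microsoft.VisualBasic

Namespace MyAssembly.MyObjects
    Public Class MyObject
        Private _property1 As String

        ' The LinkDemand is checked when the *immediate caller* is JIT-compiled, so only
        ' callers signed with the listed key may execute "New MyObject". Property1 carries
        ' no demand, so a script can still read and write it on instances handed to it.
        <StrongNameIdentityPermission(SecurityAction.LinkDemand, _
            PublicKey:="PLACEHOLDER_PUBLIC_KEY_HEX")> _
        Public Sub New()
        End Sub

        Public Property Property1() As String
            Get
                Return _property1
            End Get
            Set(ByVal value As String)
                _property1 = value
            End Set
        End Property
    End Class
End Namespace

Public Module ScriptHost
    ' Compiles generated script source (unsigned, so it lacks the key) that declares
    ' "Public Module Script" with "Public Function EvalCode(obj As MyObject) As Object".
    Public Function RunScript(ByVal source As String, ByVal obj As MyAssembly.MyObjects.MyObject) As Object
        Dim params As New CompilerParameters()
        params.GenerateInMemory = True
        params.ReferencedAssemblies.Add(GetType(MyAssembly.MyObjects.MyObject).Assembly.Location)
        Dim results As CompilerResults = New VBCodeProvider().CompileAssemblyFromSource(params, source)
        If results.Errors.HasErrors Then Throw New InvalidOperationException(results.Errors(0).ErrorText)
        Dim method As MethodInfo = results.CompiledAssembly.GetType("Script").GetMethod("EvalCode")
        Try
            ' A script that only uses obj returns normally; one containing "New MyObject"
            ' fails the LinkDemand with a SecurityException when EvalCode is JIT-compiled.
            Return method.Invoke(Nothing, New Object() {obj})
        Catch ex As TargetInvocationException When TypeOf ex.InnerException Is SecurityException
            Return "Blocked: " & ex.InnerException.Message
        Catch ex As SecurityException
            Return "Blocked: " & ex.Message
        End Try
    End Function
End Module
```

Identity permission demands are ignored when the calling assembly is fully trusted (.NET Framework 2.0 and later), so the script assembly must be loaded with less than full trust for this check to take effect, which is the point Bob makes above. CAS was superseded by the security-transparency model in .NET Framework 4 and is not available in .NET Core or .NET 5+.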
LVL 4

Expert Comment

by:sr101880
ID: 17183627
Nick,

It does look like CodeDom would keep a few more hairs on your head. :-)

I did a little reading on CodeDom because I haven't had much exposure on the subject.  I came across this article on attributes and thought it might be useful:

http://www.15seconds.com/issue/021113.htm

From what I understand you can create attributes and assign them to your assemblies to create security levels in your code.

If you don't mind answering a quick question for me, can you give me a real world example of what CodeDom would be used for?  Is the goal of CodeDom simply to speed up your code?

Cheers!
LVL 5

Author Comment

by:nickhoggard
ID: 17186732
Hi,

The main thing we are looking at it for is expression evaluation within our application.  Initially it was just looking to be basic expressions, so I was using the JScript.Eval statement (for stuff like user-defined unit conversion expressions, such as converting kgs to pounds).

Then we took that idea a step further and wanted to look at whether we could have user-defined fields within our business objects.  The idea was that the user could build the field based on other data within the object.  For example, the object might declare a date for an event.  Using the expressions we wanted the user to be able to add a user-defined field that could return the number of days to that event.  Take that a step further, and perhaps the user can call an external stats package to perform calculations for the derived field.

The other thing I was looking at was whether we could use this to allow users to implement custom validation rules when adding new business objects to a collection, or for saving them etc.  We have a scenario where it is common for one client to say 'we only allow this if ...' and another would do it quite differently.  What I'm hoping is that using CodeDom we might be able to implement some of these rules without the need to deploy different compiled assemblies to each client.

The main concern I had was that by allowing access to the business objects for use in the expressions they could also gain access to more restricted resources (such as calling the data tier).  The other potential problem is that .NET won't unload assemblies, but I think I can get around this by caching a reference to the assembly, rather than recompiling it for every call.

At this stage I haven't been given the OK to go ahead with development on this yet, so there may still be more issues to contend with, but it all seems to work OK in a prototyping state.

Thanks for your help with this one.

Cheers

Nick