Serialization


Code that supports serialization must be granted a SecurityPermission with its Flags property set to SerializationFormatter. If you develop classes that support serialization and your code supports partial trust callers, you should consider using additional permission demands to restrict which code can serialize your object's state.

Restricting Serialization

If you create a class that implements the ISerializable interface, which allows your object to be serialized, you can add a permission demand to your ISerializable.GetObjectData implementation to authorize the code that is attempting to serialize your object. This is particularly important if your code supports partial trust callers.

For example, the following code fragment uses a StrongNameIdentityPermission demand to ensure that only code signed with a particular private key corresponding to the public key in the demand can serialize your object's state.

    [StrongNameIdentityPermission(SecurityAction.Demand,
                                  PublicKey="00240000048...97e85d098615")]
    public override void GetObjectData(SerializationInfo info,
                                       StreamingContext context)
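A fuller version of the pattern above, written as an added example for this page (it is not code from the book or from Microsoft): a hypothetical AccountState class that implements ISerializable, validates the fields it reads back in its deserialization constructor, and gates GetObjectData with the same StrongNameIdentityPermission demand. The class name, the field names and the TrustedPublicKey placeholder are assumptions; the placeholder must be replaced with the public key blob of the assembly you intend to trust before the demand can be evaluated.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Security;
using System.Security.Permissions;

// AccountState is a hypothetical class written for this example; it is not
// from the book. Implementing ISerializable keeps the serialized form under
// the class's own control, and the demand on GetObjectData decides who may
// capture that form.
[Serializable]
public sealed class AccountState : ISerializable
{
    // PLACEHOLDER: the full public key blob of the only assembly allowed to
    // serialize this type (obtain yours with: sn -Tp <signed assembly>).
    // Attribute arguments must be compile-time constants, hence the const.
    private const string TrustedPublicKey = "PUBLIC-KEY-BLOB-PLACEHOLDER";

    public string Owner { get; }
    public decimal Balance { get; }

    public AccountState(string owner, decimal balance)
    {
        Owner = owner ?? throw new ArgumentNullException(nameof(owner));
        Balance = balance;
    }

    // Deserialization constructor. The stream is untrusted input: read each
    // field by name and validate it before it becomes object state.
    private AccountState(SerializationInfo info, StreamingContext context)
    {
        Owner = info.GetString("Owner")
                ?? throw new SerializationException("Owner missing");
        Balance = info.GetDecimal("Balance");
        if (Balance < 0)
            throw new SerializationException("Balance out of range");
    }

    // The demand is evaluated when a formatter calls GetObjectData. Every
    // caller on the stack must belong to an assembly signed with the private
    // key matching TrustedPublicKey; otherwise the runtime throws
    // SecurityException and no state is written, so partial-trust code that
    // is not so signed cannot capture this object's state.
    [StrongNameIdentityPermission(SecurityAction.Demand, PublicKey = TrustedPublicKey)]
    public void GetObjectData(SerializationInfo info, StreamingContext context)
    {
        info.AddValue("Owner", Owner);
        info.AddValue("Balance", Balance);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample state for the demonstration.
        var state = new AccountState("alice", 125.50m);
        var formatter = new BinaryFormatter();

        using (var stream = new MemoryStream())
        {
            try
            {
                // This call reaches GetObjectData and triggers the demand.
                formatter.Serialize(stream, state);
                Console.WriteLine("Serialized {0} bytes", stream.Length);
            }
            catch (SecurityException ex)
            {
                // Expected when the calling assembly is not signed with the
                // key named in the demand.
                Console.WriteLine("Serialization refused: " + ex.Message);
            }
        }
    }
}
```

Build this against the .NET Framework, where code access security demands are enforced; .NET Core and later runtimes compile these attributes for compatibility but do not enforce them, and have deprecated BinaryFormatter, so this control cannot be relied on there. The demand restricts only who may serialize the object. If rehydrating it from a stream is also sensitive, the same demand can be placed on the deserialization constructor.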

For more guidelines about using serialization securely, see the "Serialization" section in Chapter 7, "Building Secure Assemblies."




Improving Web Application Security: Threats and Countermeasures
ISBN: 0735618429
Year: 2003
Pages: 613