9.2 Inspecting Declarative Security Statements

The Permissions View tool (Permview.exe) allows you to view the declarative security statements used in an assembly. This is particularly useful when configuring security policy, as it allows you to view the permission requests contained in the assembly. Permview.exe is located in the \bin subdirectory of the .NET Framework SDK installation directory. Note that the \bin directory is not added to the Path environment variable by the SDK-installation process.

Permview.exe only shows declarative security statements and cannot extract the imperative security demands. It overrides from the body of an assembly.

To demonstrate Permview.exe, use the MessageUtil class shown here, which allows any caller to display a message box containing the value of the Message environment variable. MessageUtil uses three RequestMinumum permission requests to ensure that it has permission to read the Message environment variable, called Assert, and display safe top-level windows (such as message boxes). The DisplayMessage method uses declarative syntax to Assert UIPermission and EnvironmentPermission. This allows any client code to use DisplayMessage regardless of the caller's permissions:

# C# using System; using System.Windows.Forms; using System.Security.Permissions; // Request read access to the Message environment variable. [assembly:EnvironmentPermission(SecurityAction.RequestMinimum,      Read = "Message")] // Request permission to Assert. [assembly:SecurityPermission(SecurityAction.RequestMinimum,      Assertion = true)] // Request permission to display safe top level windows. [assembly:UIPermission(SecurityAction.RequestMinimum,      Window = UIPermissionWindow.SafeTopLevelWindows)] public class MessageUtil {         // Assert the permission to read the Message environment variable and     // to display top level windows.     [EnvironmentPermission(SecurityAction.Assert, Read = "Message")]     [UIPermission(SecurityAction.Assert,          Window = UIPermissionWindow.SafeTopLevelWindows)]     public static void DisplayMessage(  ) {         // Display the value of the Message environment variable         // in a message box.         MessageBox.Show(Environment.GetEnvironmentVariable("Message"));             }     } # Visual Basic .NET Imports System Imports System.Windows.Forms Imports System.Security.Permissions   ' Request read access to the Message environment variable. <assembly:EnvironmentPermission(SecurityAction.RequestMinimum, _      Read := "Message")> _   ' Request permission to Assert. <assembly:SecurityPermission(SecurityAction.RequestMinimum, _     Assertion := True)> _   ' Request permission to display safe top level windows. <assembly:UIPermission(SecurityAction.RequestMinimum, _     Window := UIPermissionWindow.SafeTopLevelWindows)> _   Public Class MessageUtil       ' Assert the permission to read the Message environment variable and     ' to display top level windows.     <EnvironmentPermission(SecurityAction.Assert, Read := "Message"), _     UIPermission(SecurityAction.Assert, _     Window := UIPermissionWindow.SafeTopLevelWindows)> _     Public Shared  Sub DisplayMessage(  )         ' Display the value of the Message environment variable         ' in a message box.         MessageBox.Show(Environment.GetEnvironmentVariable("Message"))     End Sub End Class

If you build MessageUtil into a library named MessageUtil.dll and then run the command permview MessageUtil.dll, you will see the following XML descriptions of the permission request statements:

Microsoft (R) .NET Framework Permission Request Viewer.  Version 1.0.3705.0 Copyright (C) Microsoft Corporation 1998-2001. All rights reserved. minimal permission set: <PermissionSet                 version="1">    <IPermission                  version="1"                 Read="Message"/>    <IPermission                  version="1"                 Flags="Assertion"/>    <IPermission                  version="1"                 Window="SafeTopLevelWindows"/> </PermissionSet> optional permission set:   Not specified refused permission set:   Not specified

This is not the easiest format to read, but it contains all the information you need to configure your security policy correctly. Unfortunately, the output is not pure XML, and therefore creating a utility to parse the output and create a more readable report is not as straightforward as it could be.

Using the command permview /decl MessageUtil.dll extracts and displays all declarative security demands and stack walk overrides in addition to the permission requests. You will see the following information in addition to the permission request information we have already shown. Be aware that for large libraries the output from Permview may be significant:

Method MessageUtil::DisplayMessage(  ) Assert permission set: <PermissionSet                 version="1">    <IPermission                  version="1"                 Read="Message"/>    <IPermission                  version="1"                 Window="SafeTopLevelWindows"/> </PermissionSet>


Programming. NET Security
Programming .Net Security
ISBN: 0596004427
EAN: 2147483647
Year: 2005
Pages: 346

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net