Declarative Security
Compared to imperative security, declarative security has two main advantages:
Being part of the metadata, declarative security can be identified and assessed without exhaustive analysis of the application’s IL code.
Declarative security can be developed and modified independently of the functional code. As a result, a division of labor is possible: developer X, the functionality guru, writes the application, and developer Y, the security guru, tinkers with the security attributes.
A disadvantage of declarative security is its coarse targeting. Declarative security can be attributed to a class as a whole but not to the parts of the class and not to specific instances. Declarative security can be attributed to a method as a whole, without exact specification of when and under what circumstances the special rights might be needed. Imperative security, in contrast, allows the method to behave more flexibly—“Can I do this? No? OK, then I’ll do it some other way. Let’s see. Can I do that?”
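The contrast above, sketched in C# against .NET Framework code access security. This is an added example, not code from the original text; the class name, the file path and the fallback value are constructed for illustration, and the choice of FileIOPermission is an assumption.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

public static class SettingsReader
{
    // Constructed path, for illustration only.
    private const string ConfigPath = @"C:\ExampleApp\settings.ini";

    // Declarative: the demand is recorded in the assembly's metadata and
    // covers the method as a whole. It can be found without reading the IL,
    // but the body gets no chance to react: if the demand fails, a
    // SecurityException is thrown when the method is called.
    [FileIOPermission(SecurityAction.Demand, Read = ConfigPath)]
    public static string ReadDeclarative()
    {
        return File.ReadAllText(ConfigPath);
    }

    // Imperative: the demand is ordinary code inside the body, so the method
    // can ask for the permission and take another route when it is refused.
    public static string ReadImperative()
    {
        try
        {
            new FileIOPermission(FileIOPermissionAccess.Read, ConfigPath).Demand();
            return File.ReadAllText(ConfigPath);
        }
        catch (SecurityException)
        {
            // "No? OK, then I'll do it some other way."
            // Hypothetical fallback: use built-in defaults instead of the file.
            return "mode=default";
        }
    }
}
```

A caller without the read permission gets an exception from ReadDeclarative and has to handle it itself, while ReadImperative returns its fallback value.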