使用.NET Framework安全系统

时间:2022-10-01 05:01:36

I was wondering - do any of you actually use the various classes in the System.Security.Permissions namespace? I mainly develop desktop/server-side components (i.e., no web) and the general assumption is that FullTrust is always available and no testing is performed on environments for which this is not the case. Apart from MS source code (EnterpriseLibrary and such), I have yet to see actual, in-use source code that makes use of said constructs.

我想知道 - 你们中的任何人真的使用System.Security.Permissions命名空间中的各种类吗?我主要开发桌面/服务器端组件(即没有网络),一般的假设是FullTrust始终可用,并且没有对不是这种情况的环境进行测试。除了MS源代码(EnterpriseLibrary等),我还没有看到使用所述构造的实际使用中的源代码。

Is this prevalent, or are we the exception? I know, of course, that not doing this kind of testing is a problem on our side...

这是普遍的,还是我们的例外?当然,我知道不进行这种测试是我们身边的一个问题......

4 个解决方案

#1


3  

The .NET code access security is more relevant when users run code directly off a server over the internet, in which case they can't necessarily trust it to automatically do things such as access the file system. I don't know of anyone who makes their code available like that, though.

当用户通过互联网直接从服务器上运行代码时,.NET代码访问安全性更为相关,在这种情况下,他们不一定信任它自动执行诸如访问文件系统之类的操作。不过,我不知道有谁让他们的代码可以使用。

#2


3  

I make lots of use of PrincipalPermissionAttribute to demand the user has necessary access rights (using roles) from the Thread's Principal - saves a lot of manual checking in my business code (obviously the UI should check too and disable buttons etc - this is just the double-check at the back-end).

我大量使用PrincipalPermissionAttribute来要求用户拥有Thread的Principal所需的访问权限(使用角色) - 在我的业务代码中保存了大量的手动检查(显然UI也应检查并禁用按钮等 - 这只是在后端仔细检查)。

I find Principal-based security to be very versatily, especially with a custom Principal. But I don't use the CAS stuff.

我发现基于Principal的安全性非常普遍,特别是对于自定义Principal。但我不使用CAS的东西。

#3


1  

If you deploy your desktop applications with ClickOnce, then the security sandbox can come into play.

如果使用ClickOnce部署桌面应用程序,则安全沙箱可以发挥作用。

#4


1  

I have never seen anyone make use of the permit, assert functionality.

我从未见过有人使用许可证,断言功能。

I suspect a number of developers are not actually aware of the functionality.

我怀疑许多开发人员实际上并不了解这些功能。

I think it could be useful to restrict calls to dangerous functions.

我认为限制对危险函数的调用可能很有用。

Its going to depend on what you are doing but who wants to make a deployment more complex than it already is?

它取决于你在做什么,但是谁想让部署比现在更复杂?

#1


3  

The .NET code access security is more relevant when users run code directly off a server over the internet, in which case they can't necessarily trust it to automatically do things such as access the file system. I don't know of anyone who makes their code available like that, though.

当用户通过互联网直接从服务器上运行代码时,.NET代码访问安全性更为相关,在这种情况下,他们不一定信任它自动执行诸如访问文件系统之类的操作。不过,我不知道有谁让他们的代码可以使用。

#2


3  

I make lots of use of PrincipalPermissionAttribute to demand the user has necessary access rights (using roles) from the Thread's Principal - saves a lot of manual checking in my business code (obviously the UI should check too and disable buttons etc - this is just the double-check at the back-end).

我大量使用PrincipalPermissionAttribute来要求用户拥有Thread的Principal所需的访问权限(使用角色) - 在我的业务代码中保存了大量的手动检查(显然UI也应检查并禁用按钮等 - 这只是在后端仔细检查)。

I find Principal-based security to be very versatily, especially with a custom Principal. But I don't use the CAS stuff.

我发现基于Principal的安全性非常普遍,特别是对于自定义Principal。但我不使用CAS的东西。

#3


1  

If you deploy your desktop applications with ClickOnce, then the security sandbox can come into play.

如果使用ClickOnce部署桌面应用程序,则安全沙箱可以发挥作用。

#4


1  

I have never seen anyone make use of the permit, assert functionality.

我从未见过有人使用许可证,断言功能。

I suspect a number of developers are not actually aware of the functionality.

我怀疑许多开发人员实际上并不了解这些功能。

I think it could be useful to restrict calls to dangerous functions.

我认为限制对危险函数的调用可能很有用。

Its going to depend on what you are doing but who wants to make a deployment more complex than it already is?

它取决于你在做什么,但是谁想让部署比现在更复杂?