I often see the MSDN ASP.NET webcontrol samples that include the following CAS class declaration.

    [AspNetHostingPermission(SecurityAction.LinkDemand, Level = AspNetHostingPermissionLevel.Minimal)]
    [AspNetHostingPermission(SecurityAction.InheritanceDemand, Level = AspNetHostingPermissionLevel.Minimal)]
    public class MyWebControl : System.Web.UI.WebControls.WebControl
    {

From my very basic knowledge of CAS, this would seem to be to restrict the immediately calling code and/or a derived class from doing anything but the most trivial processing. By default, ASP.NET runs at Full trust. So, is the MSDN sample code trying to convey placing some basic security demands for ASP.NET in partial trust environments?

One problem is that if you decorate a class as above, FxCop 1.3.5 creates a ReviewVisibleEventHandlers critical error when an attempt is made to override base class methods in the control.

    protected override void OnPreRender(EventArgs e)
    {
        base.OnPreRender(e);
    }

"It appears that an event handler is externally visible or that an EventArgs parameter is being exposed in a visible method decorated with a security demand. There can be problems exposing sensitive functionality in an event handler function; the security demand might not do what you expect."

So I would like to know how I should proceed to implement CAS (or not) in the control to make it as flexible (non-full trust environments) and safe as possible. Do I need any CAS declarations at all? It's a web UI control and really doesn't do anything that I can imagine that could be of harm in the event handler function(s) in question.