Sunday, August 2, 2009

Chapter 11-Lesson 2

  • We may use declarative CAS for methods using almost the same approach as used for namespaces.
  • The difference is only in the location where they are declared (immediately before a method, of course) and the names of the attribute enumerations.
  • Declarative CAS for methods checks the methods that call our method for the required security Permissions. (refer to Diagram 11-9 and 11-10)
  • SecurityAction.Demand would require every caller in the stack to have enough Permissions, while SecurityAction.LinkDemand only checks the immediate caller for enough Permissions.
  • We may use Imperative CAS demands (i.e. using C# method calls rather than attributes) if we wish to catch the exceptions raised by Demand/LinkDemand in our own method. (refer to page 678 code example)
  • If we just wish to pass the exception on to the calling method (for not having enough Permissions), we may use Declarative CAS.
  • Demand is designed to check an assembly’s caller for permission, not the assembly itself. To check the assembly itself, use the System.Security.SecurityManager.IsGranted method instead.
  • Most .NET built-in classes use Demand to ensure that callers have Permissions required to use them, e.g. StreamWriter itself checks for FileIOPermission.
  • SecurityAction.Deny reduces Permission such that it removes Permissions only for the specified set, while SecurityAction.PermitOnly reduces Permission such that it allows only the specified set and nothing else.
  • Deny performs a similar function to RequestRefuse, whereas PermitOnly is similar to RequestOptional.
  • CodeAccessPermission (and every class that derives from it) provides the static methods Deny( ), PermitOnly( ), RevertDeny( ) and RevertPermitOnly( ) for imperative method CAS.
  • Best practice is to use imperative security in an error-handling routine, such as a catch block: acquire the bare minimum permissions needed to, say, log an event, log it, and finally revert the permission limitation.
  • An assembly decorated with the AllowPartiallyTrustedCallers attribute allows partially trusted code to access the assembly.
  • We may call the Assert( ) static method only once in a given method, so if we wish to assert multiple Permissions, we call Assert on a PermissionSet object.
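
The notes above put together in one class, as an added example that is not taken from the book or from this post: a declarative demand, an imperative demand whose failure is handled in a catch block narrowed with PermitOnly, and a PermissionSet used to assert two permissions at once. It targets the .NET Framework CAS APIs; the class name, the log path, the "CasNotesExample" event source (assumed to be registered already) and the COMPUTERNAME variable are assumptions.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.Security;
using System.Security.Permissions;

public static class CasNotesExample
{
    const string LogPath = @"C:\Logs\app.log"; // assumed path, not from the notes

    // Declarative: if any caller on the stack lacks write access, the
    // SecurityException is raised before the body runs and goes to the caller.
    [FileIOPermission(SecurityAction.Demand, Write = LogPath)]
    public static void WriteDeclarative(string line)
    {
        File.AppendAllText(LogPath, line + Environment.NewLine);
    }

    // Imperative: the same demand as a method call, so the failure can be
    // caught and handled inside this method.
    public static bool TryWriteImperative(string line)
    {
        try
        {
            new FileIOPermission(FileIOPermissionAccess.Write, LogPath).Demand();
            File.AppendAllText(LogPath, line + Environment.NewLine);
            return true;
        }
        catch (SecurityException ex)
        {
            // Error handling runs with event log access only, then reverts.
            new EventLogPermission(PermissionState.Unrestricted).PermitOnly();
            try { EventLog.WriteEntry("CasNotesExample", ex.Message, EventLogEntryType.Warning); }
            finally { CodeAccessPermission.RevertPermitOnly(); }
            return false;
        }
    }

    // One Assert per method: both permissions go into a single PermissionSet.
    // Assert stops the stack walk here, so it is reverted as soon as possible.
    public static string ReadLogWithHostName()
    {
        PermissionSet needed = new PermissionSet(PermissionState.None);
        needed.AddPermission(new EnvironmentPermission(EnvironmentPermissionAccess.Read, "COMPUTERNAME"));
        needed.AddPermission(new FileIOPermission(FileIOPermissionAccess.Read, LogPath));
        needed.Assert();
        try { return Environment.GetEnvironmentVariable("COMPUTERNAME") + ": " + File.ReadAllText(LogPath); }
        finally { CodeAccessPermission.RevertAssert(); }
    }
}
```

Asserting requires the assembly itself to hold SecurityPermission with the Assertion flag, and the asserted set should stay as small as the operation allows.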
