I am studying code access security. This made some effort to twist my head, so I thought that I would finally use Reflector and start exploring how .NET 4.0 uses security attributes.
Observations
The System.IO.File.Delete
method is decorated with the [SecuritySafeCritical]
attribute.
The System.IO.File.Delete
method delegates the internal method InternalDelete , which is decorated with the [SecurityCritical]
attribute.
I have a method in one of my MVC application classes called DeleteFile that works like SecurityTransparent
(which I checked by checking the DeleteFile property of MethodInfo.IsSecurityCritical)
Access rights
From my current understanding, which will mean that:
- System.IO.File.Delete can call InternalDelete , because the
[SecuritySafeCritical]
methods can call [SecurityCritical]
, so no SecurityException is thrown. - DeleteFile can call System.IO.File.Delete, because
[SecurityTransparent]
can call [SecuritySafeCritical]
Thus, in principle, without configuring any security settings, this code will successfully delete the dummy file called test.txt
namespace MyTestMvcApp { public class FileHelpers() {
Confusion
Inside the InternalDelete System.IO.File.Delete
method, it uses the CodeAccessPermission.Demand
method to verify that all callers in the stack have the necessary permissions. What I don't quite understand is the line in the MSDN CodeAccessPermission.Demand
:
The permissions of the code calling this method are not checked; verification begins with the immediate caller of this code and continues to the stack.
So my question is: if the DeleteFile method of my application is SecurityTransparent
, then why is it allowed to call the SecurityCritical
method?
This is probably a broken example, perhaps with some missing concepts, but, as I said, I still embrace it, and any understanding of people can give more, I will develop my understanding.
thanks