Implement a custom membership condition
Background
The Microsoft .NET Framework uses code access security to protect secure
resources from malicious code. Code access security works by gathering evidence
from an assembly, placing that assembly into a code group based on its
evidence, and granting operations to the assembly based on the permissions that
are granted to the code group.
Membership conditions are responsible for grouping an assembly into a code group
based on its evidence. The .NET Framework ships with default membership
conditions, but it also supports the addition of custom membership
conditions.
The Default Membership Conditions
The default membership conditions that come with the .NET Framework map
one-to-one with evidence types. For example, one type of evidence is site,
which is represented by the Site class. There is a corresponding membership
condition named SiteMembershipCondition.
In all, there are eight default membership conditions. Seven of them correspond
one-to-one to the seven evidence types; the eighth, AllMembershipCondition,
requires no evidence at all. The mappings are shown in the following table:
| MembershipCondition Class | Evidence Class | Description |
|---|---|---|
| ZoneMembershipCondition | Zone | |
| UrlMembershipCondition | Url | |
| SiteMembershipCondition | Site | |
| ApplicationDirectoryMembershipCondition | ApplicationDirectory | |
| StrongNameMembershipCondition | StrongName | |
| PublisherMembershipCondition | Publisher | |
| HashMembershipCondition | Hash | |
| AllMembershipCondition | (None) | |
Each membership condition usually exposes a property that corresponds to the
evidence type with which the membership condition is associated. Each membership
condition implements a Check method, which accepts a single Evidence parameter.
The purpose of the Check method is to search the Evidence instance for an
object of the evidence type that the membership condition supports. (The
Evidence class is itself a collection of evidence objects.) For example,
ZoneMembershipCondition first iterates the collection looking for an instance of
Zone. If it finds one, it reads that object's SecurityZone property and compares
it to the SecurityZone property set on the membership condition. If the two
match, the Check method returns true; otherwise, it returns false.
Implement a Custom Membership Condition
To implement a custom membership condition, you must first decide on the type of
evidence that you want to associate with the membership condition. You are not
limited to only one evidence type per membership condition.
The custom membership condition class must implement the IMembershipCondition
interface. This interface inherits both ISecurityEncodable and
ISecurityPolicyEncodable, so you must implement the methods exposed by all three
interfaces.
You should add a property for each evidence type that the membership condition
supports.
When implementing the Check method, you must iterate the Evidence collection for
all evidence types that the membership condition supports. If the evidence is
found, you must compare it to the properties that were set by external code,
such as by the code access security policy or by other code that instantiated
the membership condition class. If the properties match, you should return
true. If not, you should return false.
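A membership condition that follows these steps, as an added example that is not part of the original article. It is hypothetical code: it assumes the .NET Framework's System.Security.Policy types, and it deliberately matches on two evidence types at once (Site and Zone) to show the multi-evidence case the text allows.

```csharp
using System;
using System.Security;
using System.Security.Policy;
// Hypothetical condition: matches code whose host evidence carries BOTH a Site with the configured name AND a Zone with the configured SecurityZone.
public sealed class SiteInZoneMembershipCondition : IMembershipCondition
{
    public string SiteName { get; set; }            // compared against Site.Name
    public SecurityZone RequiredZone { get; set; }  // compared against Zone.SecurityZone
    public SiteInZoneMembershipCondition() { }      // policy loader instantiates, then calls FromXml
    public SiteInZoneMembershipCondition(string site, SecurityZone zone) { SiteName = site; RequiredZone = zone; }
    // Walk the host evidence once; every supported evidence type must be present and must match.
    public bool Check(Evidence evidence)
    {
        if (evidence == null) return false;
        bool siteOk = false, zoneOk = false;
        for (var e = evidence.GetHostEnumerator(); e.MoveNext(); )
        {
            Site s = e.Current as Site;
            if (s != null && string.Equals(s.Name, SiteName, StringComparison.OrdinalIgnoreCase)) siteOk = true;
            Zone z = e.Current as Zone;
            if (z != null && z.SecurityZone == RequiredZone) zoneOk = true;
        }
        return siteOk && zoneOk;   // absent evidence never matches
    }
    public IMembershipCondition Copy() { return new SiteInZoneMembershipCondition(SiteName, RequiredZone); }
    public override bool Equals(object o)
    {
        var c = o as SiteInZoneMembershipCondition;
        return c != null && c.RequiredZone == RequiredZone && string.Equals(c.SiteName, SiteName, StringComparison.OrdinalIgnoreCase);
    }
    public override int GetHashCode() { return RequiredZone.GetHashCode() ^ (SiteName ?? "").ToLowerInvariant().GetHashCode(); }
    public override string ToString() { return "Site '" + SiteName + "' in zone " + RequiredZone; }
    // ISecurityEncodable / ISecurityPolicyEncodable: persist the properties so the policy store can round-trip the condition.
    public SecurityElement ToXml() { return ToXml(null); }
    public void FromXml(SecurityElement e) { FromXml(e, null); }
    public SecurityElement ToXml(PolicyLevel level)
    {
        SecurityElement el = new SecurityElement("IMembershipCondition");
        el.AddAttribute("class", GetType().AssemblyQualifiedName); el.AddAttribute("version", "1");
        el.AddAttribute("Site", SecurityElement.Escape(SiteName ?? "")); el.AddAttribute("Zone", RequiredZone.ToString());
        return el;
    }
    public void FromXml(SecurityElement e, PolicyLevel level)
    {
        if (e == null || e.Tag != "IMembershipCondition") throw new ArgumentException("Expected <IMembershipCondition>");
        SiteName = e.Attribute("Site");
        RequiredZone = (SecurityZone)Enum.Parse(typeof(SecurityZone), e.Attribute("Zone"), true);
    }
}
```

Because both pieces of evidence must be present, an assembly that carries only a Zone (for example, one loaded from the local file system) falls through to the next code group rather than matching by accident.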
Make the Membership Condition Available to the Code Access Security Policy
To make the membership condition available to the code access security policy,
you must first give the assembly containing the membership condition a strong
name. You should also install it in the global assembly cache. Once there, you
can use the .NET Framework Configuration Tool to import the assembly into the
Policy Assemblies node for each policy level.