Reputation: 899
How to implement SecurityPermission on .NET sdk 5?
In previous versions of .NET sdk, we had implemented the following code:
[SecurityPermission(SecurityAction.Demand, SerializationFormatter = true)]
protected HttpResponseException(SerializationInfo info, StreamingContext context)
: base(info, context)
{
ErrorId = (Guid)info.GetValue("ErrorId", typeof(Guid));
StatusCode = (HttpStatusCode)info.GetValue("StatusCode", typeof(HttpStatusCode));
ShouldLog = info.GetBoolean("ShouldLog");
}
I have migrated to .NET 5 and we have started to face a lot of warning about it:
SecurityPermissionAttribute is deprecated: Code Access Security is not supported or honored by the runtime
What is the proper way to migrate it? Just remove the annotation or suppress the warning message?
Upvotes: 1
Views: 2102
Answers (3)
Reputation: 1
I believe that it is unwise for Microsoft to remove CAS in .NET 5. For plugin systems that load external DLLs, systems like CAS are very useful. I have thought of a not-so-ideal solution: loading plugins from the source code, then analyzing the used types from the syntax tree, and issuing a warning if there are any prohibited types being used.
Upvotes: 0
Reputation: 24147
The Code Access Security (CAS) APIs are non functional in all of .NET Core upto .NET 5.
In other words: they do... nothing.
The types were carried over from .NET Framework 4 to allow easier migration of code, and nothing more - only to avoid compile errors. In some cases you may even get a PlatformNotSupportedException.
You can leave it all in for now, but because it does nothing it serves only one purpose: to act as a reminder that (a) you should consider removing it, while (b) assessing the reasons why it was put in + what replacement safeguards you might want to add, to get something that resembles the protection that it gave you in .NET Framework.
More info here:
https://learn.microsoft.com/en-us/dotnet/core/compatibility/core-libraries/5.0/code-access-security-apis-obsolete
Upvotes: 2
Reputation: 2892
According to the Microsoft docs:
If you're asserting any security permission, remove the attribute or call that asserts the permission.
If you're denying or restricting (via PermitOnly) any permission, contact your security advisor. Because CAS attributes are not honored by the .NET 5.0+ runtime, your application could have a security hole if it incorrectly relies on the CAS infrastructure to restrict access to these methods.
If you're demanding any permission (except PrincipalPermission), remove the demand. All demands will succeed at run time.
If you're demanding PrincipalPermission, consult the guidance for PrincipalPermissionAttribute is obsolete as error. That guidance applies for both PrincipalPermission and PrincipalPermissionAttribute.
If you absolutely must disable these warnings (which is not recommended), you can suppress the SYSLIB0003 warning in code.
So, since you are using SecurityAction.Demand, you should remove it.
Upvotes: 0
Related Questions
- How to add custom authorization in .NET 5?
- About authorization in ASP.NET Core
- How to use MemberShip in .Net Core 5
- How to work with ACL in .NET Core 2?
- Implementing IPermission for custom code access security
- Create a custom PrincipalPermission for ASP.Net
- Security.Principal and Security.Permissions Samples
- Why Custom SecurityPermission is not loaded?
- .Net and Security
- How would I use the SecurityPermissionAttribute correctly?