Compartilhar via


Adding Declarative Security Support

Although not strictly required, a custom permission should support declarative security so that developers can specify the custom permission when using declarative syntax for security actions such as requests, demands, or assertions. In fact, permission requests, link demands, and inheritance demands can only be made declaratively. For this reason, your custom code access permission cannot be requested or used with link demands or inheritance demands unless you provide support for declarative security. This topic describes how to implement an Attribute class that enables declarative security support for your custom permission.

Security attributes for declarations must derive (either directly or indirectly) from the SecurityAttribute class. If the permission is a code access permission, the attribute class derives from CodeAccessSecurityAttribute, which derives from SecurityAttribute. Security attribute classes must implement the CreatePermission method, which creates an instance of the permission object from the associated custom permission. Note that this associated custom permission class must be marked with the SerializableAttribute in order to be serialized into metadata by the compiler. For more information, see Implementing a Custom Permission.

The following code implements an attribute class for a Boolean permission named CustomPermission. In this example, the permission class has a single Boolean Unrestricted property that contains its state.

<AttributeUsageAttribute(AttributeTargets.All, AllowMultiple := True)> Public Class 
CustomPermissionAttribute

   Inherits CodeAccessSecurityAttribute
   Private myUnrestricted As Boolean = False
   
   Public Shadows Property Unrestricted() As Boolean
      Get
         Return myUnrestricted
      End Get
      Set
         myUnrestricted = value
      End Set
   End Property
    
   Public Sub New(action As SecurityAction)
      MyBase.New(action)
   End Sub
   
   Public Overrides Function CreatePermission() As IPermission
      If Unrestricted Then
         Return New CustomPermission(PermissionState.Unrestricted)
      Else
         Return New CustomPermission(PermissionState.None)
      End If
   End Function
End Class
[C#]
[AttributeUsageAttribute(AttributeTargets.All, AllowMultiple = true)]
public class CustomPermissionAttribute: CodeAccessSecurityAttribute
{
   bool unrestricted = false;

   public new bool Unrestricted
   {
      get{ return unrestricted; }
      set{ unrestricted = value; }
   }

   public CustomPermissionAttribute(SecurityAction action): base (action)
   {  
   }
   public override IPermission CreatePermission()
   {
      if(Unrestricted)
      {
         return new CustomPermission(PermissionState.Unrestricted);
      }
      else
      {
         return new CustomPermission(PermissionState.None);
      }
   }
}

In this case, CreatePermission checks the internal Unrestricted property and creates the appropriate instance of a CustomPermission object. While only the Unrestricted property is used in this case, other custom permission attribute classes should support all possible states of the permission objects they support.

The use of CustomPermissionAttribute is illustrated in the following demand declaration:

<CustomPermissionAttribute(SecurityAction.Demand, Unrestricted := true)>
[C#]
[CustomPermissionAttribute(SecurityAction.Demand, Unrestricted = true)]

See Also

Extending Metadata Using Attributes | Creating Your Own Code Access Permissions | Code Access Security | SecurityAttribute Class | CodeAccessSecurityAttribute Class | SerializableAttribute Class | Implementing a Custom Permission