1、C#強(qiáng)化系列文章九:代碼訪問安全性使用在.Net Framework中提供了代碼訪問安全性(Code Access Security),它的主要作用就是限制 代碼的使用權(quán)限。可以控制各種系統(tǒng)資源的訪問權(quán)限、可以要求代碼的調(diào)用方擁有特定的權(quán) 限.。比如我們可以控制自己的dll只能在什么條件下由什么人調(diào)用,特別是在A中 可以限制不同代碼的安全權(quán)限,從源頭限制住網(wǎng)絡(luò)上的攻擊等。本文的主要內(nèi)容如下:1、在Asp.Net中使用自定義的信任級別2、配置Sqlconnection的代碼訪問權(quán)限3、實(shí)現(xiàn)和使用一個最簡版的自定義權(quán)限在Asp.Net中使用自定義的信任級別Asp.Net 默認(rèn)在 C:WINDOWS

2、Microsoft.NETFrameworkv2.050727CONFIGweb.config 中 配置了網(wǎng)站的信任級別:securityPolicy trustLevel name =Full policyFile =internal /trustLevel name =High policyFile =web_hightrust.config /trustLevel name =Medium policyFile =web_mediumtrust.config /trustLevel name =Low policyFile =web_lowtrust.config /trustLevel

3、 name =Minimal policyFile =web_minimaltrust.config / trust level =Full originUrl = /默認(rèn)為Full,表示擁有最大的權(quán)限,當(dāng)然風(fēng)險(xiǎn)也就最高,我們可以在自己的網(wǎng)站下的 web.config中自定義信任級別:securityPolicy trust level =Custom originUrl = /這里使用了自定義的配置文件,其實(shí)也就是復(fù)制 C:WINDOWSMicrosoft.NETFrameworkv2.050727CONFIGweb_lowtrust.config 文件,然后 在此文件上進(jìn)行適當(dāng)修改就可以了

Configuring code access permissions for SqlConnection

The configuration is done by modifying the custom web_customtrust.config file. The modified file is shown below; the modification points (shown in bold in the original) are the two SqlClientPermission entries, marked here with comments.

web_customtrust.config:

```xml
<configuration>
  <mscorlib>
    <security>
      <policy>
        <PolicyLevel version="1">
          <SecurityClasses>
            <SecurityClass Name="AllMembershipCondition" Description="System.Security.Policy.AllMembershipCondition, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
            <SecurityClass Name="AspNetHostingPermission" Description="System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
            <SecurityClass Name="FileIOPermission" Description="System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
            <SecurityClass Name="FirstMatchCodeGroup" Description="System.Security.Policy.FirstMatchCodeGroup, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
            <SecurityClass Name="IsolatedStorageFilePermission" Description="System.Security.Permissions.IsolatedStorageFilePermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
            <SecurityClass Name="NamedPermissionSet" Description="System.Security.NamedPermissionSet" />
            <SecurityClass Name="SecurityPermission" Description="System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
            <SecurityClass Name="StrongNameMembershipCondition" Description="System.Security.Policy.StrongNameMembershipCondition, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
            <SecurityClass Name="UnionCodeGroup" Description="System.Security.Policy.UnionCodeGroup, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
            <SecurityClass Name="UrlMembershipCondition" Description="System.Security.Policy.UrlMembershipCondition, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
            <SecurityClass Name="ZoneMembershipCondition" Description="System.Security.Policy.ZoneMembershipCondition, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
            <!-- modification point: register the SqlClientPermission class -->
            <SecurityClass Name="SqlClientPermission" Description="System.Data.SqlClient.SqlClientPermission, System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
          </SecurityClasses>
          <NamedPermissionSets>
            <PermissionSet class="NamedPermissionSet" version="1" Unrestricted="true" Name="FullTrust" Description="Allows full access to all resources" />
            <PermissionSet class="NamedPermissionSet" version="1" Name="Nothing" Description="Denies all resources, including the right to execute" />
            <PermissionSet class="NamedPermissionSet" version="1" Name="ASP.Net">
              <IPermission class="AspNetHostingPermission" version="1" Level="High" />
              <IPermission class="FileIOPermission" version="1" Read="$AppDir$" PathDiscovery="$AppDir$" />
              <IPermission class="IsolatedStorageFilePermission" version="1" Allowed="AssemblyIsolationByUser" UserQuota="1048576" />
              <IPermission class="SecurityPermission" version="1" Flags="Execution" />
              <!-- modification point: grant SqlClientPermission to the ASP.Net permission set -->
              <IPermission class="SqlClientPermission" version="1">
                <!-- ... -->
              </IPermission>
            </PermissionSet>
          </NamedPermissionSets>
          <CodeGroup class="FirstMatchCodeGroup" version="1" PermissionSetName="Nothing">
            <IMembershipCondition class="AllMembershipCondition" version="1" />
            <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="ASP.Net">
              <IMembershipCondition class="UrlMembershipCondition" version="1" Url="$AppDirUrl$/*" />
            </CodeGroup>
            <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="ASP.Net">
              <IMembershipCondition class="UrlMembershipCondition" version="1" Url="$CodeGen$/*" />
            </CodeGroup>
            <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="Nothing">
              <IMembershipCondition class="ZoneMembershipCondition" version="1" Zone="MyComputer" />
            </CodeGroup>
            <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust" Name="Microsoft_Strong_Name" Description="This code group grants code signed with the Microsoft strong name full trust.">
              <IMembershipCondition class="StrongNameMembershipCondition" version="1" PublicKeyBlob="0024000004800000940000000602000000240000525341310004000001000100 07D1FA57C4AED9F0A32E84AA0FAEFD0DE9E8FD6AEC8F87FB03766C834C99921EB23BE79AD9D5DCC1DD9AD236132102900B723CF980957FC4E177108FC607774F29E8320E92EA05ECE4E821C0A5EFE8F1645C4C0C93C1AB99285D622CAA652C1DFAD63D745D6F2DE5F17E5EAF0FC4963D261C8A12436518206DC093344D5AD293" />
            </CodeGroup>
            <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust" Name="Ecma_Strong_Name" Description="This code group grants code signed with the ECMA strong name full trust.">
              <IMembershipCondition class="StrongNameMembershipCondition" version="1" PublicKeyBlob="00000000000000000400000000000000" />
            </CodeGroup>
          </CodeGroup>
        </PolicyLevel>
      </policy>
    </security>
  </mscorlib>
</configuration>
```

With the configuration above in place, SqlConnection is restricted to the db1 database on dbserver: other databases cannot be accessed, while the user name and password may be entered freely. In code, the only form that works is:

```csharp
SqlConnection connection = new SqlConnection("data source=dbserver;User ID=gspring;Password=*;initial catalog=db1");
```

Connecting to any other database raises an error:

說明: 應用程序試圖執行安全策略不允許的操作。要授予此應用程序所需的權限，請與系統管理員聯繫，或在配置文件中更改該應用程序的信任級別。
異常詳細信息: System.Security.SecurityException: 請求“System.Data.SqlClient.SqlClientPermission, System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089”類型的權限已失敗。

This blocks database connections at the source.
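To make concrete what the SqlClientPermission entry restricts, here is an added example (not code from the original article). It builds the same grant as a SqlClientPermission object, prints the XML form of that object (the <IPermission> element with its <add> entries, which is the shape of the entry inside the policy file's ASP.Net permission set, where the page's listing above shows no child elements), and checks sample connection strings against the grant with IsSubsetOf, the comparison CAS performs when SqlConnection demands the permission. It assumes .NET Framework 2.0 or later (CAS is not enforced on .NET Core or .NET 5+); dbserver, db1 and user gspring are the article's values, while otherserver, db2 and the password are constructed.

```csharp
// Added example, not part of the original article.
// Assumes .NET Framework 2.0+ with CAS enforced.
using System;
using System.Data.SqlClient;
using System.Security;
using System.Security.Permissions;

static class SqlClientPermissionDemo
{
    // The permission the custom trust policy grants: only this data source and
    // catalog; the caller may add only the User ID and Password keys (AllowOnly).
    static SqlClientPermission Granted()
    {
        SqlClientPermission p = new SqlClientPermission(PermissionState.None);
        p.Add("data source=dbserver;initial catalog=db1;",
              "User ID=;Password=;",
              KeyRestrictionBehavior.AllowOnly);
        return p;
    }

    // The permission that SqlConnection.Open effectively demands for a given
    // connection string: exactly that string, no extra restrictions.
    static SqlClientPermission Demanded(string connectionString)
    {
        SqlClientPermission p = new SqlClientPermission(PermissionState.None);
        p.Add(connectionString, "", KeyRestrictionBehavior.AllowOnly);
        return p;
    }

    // A demand succeeds when the demanded permission is a subset of the grant.
    static bool IsAllowed(string connectionString)
    {
        return Demanded(connectionString).IsSubsetOf(Granted());
    }

    static void Main()
    {
        // ToXml emits <IPermission class="..." version="1"> with one <add ConnectionString="..."
        // KeyRestrictions="..." KeyRestrictionBehavior="AllowOnly"/> child. The policy file uses
        // the short class name registered under <SecurityClasses> instead of the full type name.
        SecurityElement xml = Granted().ToXml();
        Console.WriteLine(xml.ToString());

        // Constructed sample connection strings; "secret" is a placeholder password.
        string[] samples =
        {
            "data source=dbserver;User ID=gspring;Password=secret;initial catalog=db1",
            "data source=dbserver;User ID=gspring;Password=secret;initial catalog=db2",
            "data source=otherserver;User ID=gspring;Password=secret;initial catalog=db1",
            "data source=dbserver;initial catalog=db1;Integrated Security=true",
        };
        foreach (string cs in samples)
        {
            Console.WriteLine((IsAllowed(cs) ? "allowed: " : "refused: ") + cs);
        }
    }
}
```

Only the first sample satisfies the grant. The second and third change a key that the grant fixes (initial catalog, data source), and the fourth adds a key (Integrated Security) that is neither fixed by the grant nor listed in its KeyRestrictions, which AllowOnly forbids. The `<add>` element printed by ToXml is the same form that belongs inside the SqlClientPermission entry of web_customtrust.config.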

Of course, if connections to any database should be allowed, the configuration can be relaxed accordingly.

Implementing and using a minimal custom permission

A custom code access permission must inherit from CodeAccessPermission and implement the IUnrestrictedPermission interface. The main methods to implement are:

- Copy: creates a copy of the current permission object.
- Intersect: returns the intersection of the permissions allowed by the current class and by the passed class.
- IsSubsetOf: returns true if the passed permission includes everything the current permission allows.
- FromXml: decodes the XML representation of your custom permission.
- ToXml: encodes the XML representation of your custom permission.
- Union: creates a permission that is the union of the current permission and the specified permission.

```csharp
using System;
using System.Text;
using System.Security;
using System.Security.Permissions;

namespace MyPermission
{
    [Serializable]
    public sealed class CustomPermission : CodeAccessPermission, IUnrestrictedPermission
    {
        private DateTime _expiredDate;

        public DateTime ExpiredDate
        {
            get { return _expiredDate; }
            set { _expiredDate = value; }
        }

        public CustomPermission()
        {
        }

        // This constructor must exist; the CAS system calls it.
        public CustomPermission(PermissionState state)
        {
        }

        public bool IsUnrestricted()
        {
            return false;
        }

        public override IPermission Copy()
        {
            CustomPermission copy = new CustomPermission();
            copy.ExpiredDate = this.ExpiredDate;
            return copy;
        }

        public override IPermission Intersect(IPermission target)
        {
            if (null == target)
                return null;
            else
                return target;
        }

        // The permission is valid only while the current time is before the expiry date.
        private bool CheckDate(DateTime date)
        {
            if (System.DateTime.Now.CompareTo(date) < 0)
                return true;
            else
                return false;
        }

        /// <summary>
        /// Performs the permission check.
        /// </summary>
        public override bool IsSubsetOf(IPermission target)
        {
            if (null == target)
                return false; // false means the condition is not met; the value configured in the policy file decides
            try
            {
                CustomPermission passedpermission = (CustomPermission)target;
                return CheckDate(passedpermission.ExpiredDate);
            }
            catch (InvalidCastException)
            {
                throw new ArgumentException("Argument_WrongType", this.GetType().FullName);
            }
        }

        public override void FromXml(SecurityElement PassedElement)
        {
            string element = PassedElement.Attribute("expireddate");
            if (null != element)
                this.ExpiredDate = Convert.ToDateTime(element);
        }

        public override SecurityElement ToXml()
        {
            SecurityElement element = new SecurityElement("IPermission");
            Type type = this.GetType();
            StringBuilder AssemblyName = new StringBuilder(type.Assembly.ToString());
            AssemblyName.Replace('\"', '\'');
            element.AddAttribute("class", type.FullName + ", " + AssemblyName);
            element.AddAttribute("version", "1");
            element.AddAttribute("expireddate", this.ExpiredDate.ToString());
            return element;
        }
    }
}
```

The example is simple: it reads the expiry date from the configuration and checks it. Points that need special explanation:

1. The constructor public CustomPermission(PermissionState state) must be present; the CAS runtime calls it internally.
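To show how the class above is exercised, here is an added example (not from the original article). It assumes the CustomPermission class from the listing above is compiled into the same project under the MyPermission namespace, and .NET Framework 2.0 or later. It builds the permission the policy file would grant, round-trips it through ToXml/FromXml (the element that goes into the custom trust policy file, and the path by which CAS reads it back), and compares a demanded permission against a valid and an expired grant with IsSubsetOf, which is the decision CAS makes when a Demand is evaluated.

```csharp
// Added example, not part of the original article.
// Assumes the CustomPermission class from the article is in the same project.
using System;
using System.Security;
using System.Security.Permissions;
using MyPermission;

static class CustomPermissionDemo
{
    // The permission the policy file grants. In a deployment this comes from an
    // <IPermission class="..." version="1" expireddate="..."/> entry in the custom
    // trust policy file; here it is constructed in code.
    static CustomPermission Granted(DateTime expiredDate)
    {
        CustomPermission p = new CustomPermission(PermissionState.None);
        p.ExpiredDate = expiredDate;
        return p;
    }

    // Round-trip through the XML form: ToXml produces the policy-file element,
    // FromXml is how the CAS runtime turns that element back into an object.
    static CustomPermission RoundTrip(CustomPermission source)
    {
        SecurityElement xml = source.ToXml();
        Console.WriteLine(xml.ToString());
        CustomPermission restored = new CustomPermission(PermissionState.None);
        restored.FromXml(xml);
        return restored;
    }

    // CAS satisfies a Demand when the demanded permission IsSubsetOf the grant.
    // With the article's class that decision depends only on the grant's expiry date.
    static bool WouldDemandSucceed(CustomPermission demanded, CustomPermission granted)
    {
        return demanded.IsSubsetOf(granted);
    }

    static void Main()
    {
        CustomPermission demanded = new CustomPermission(PermissionState.None);

        CustomPermission stillValid = RoundTrip(Granted(DateTime.Now.AddDays(30)));
        CustomPermission expired = RoundTrip(Granted(DateTime.Now.AddDays(-1)));

        Console.WriteLine("grant valid for 30 more days: " + WouldDemandSucceed(demanded, stillValid));
        Console.WriteLine("grant expired yesterday:      " + WouldDemandSucceed(demanded, expired));
        Console.WriteLine("no grant at all (null):       " + WouldDemandSucceed(demanded, null));

        // Imperative demand as application code would write it. In a partial-trust
        // AppDomain whose policy carries no valid grant this throws SecurityException;
        // a fully trusted console application passes it without a stack walk.
        try
        {
            demanded.Demand();
            Console.WriteLine("Demand succeeded");
        }
        catch (SecurityException ex)
        {
            Console.WriteLine("Demand refused: " + ex.Message);
        }
    }
}
```

The first comparison succeeds and the other two fail: the expired grant fails CheckDate, and a null target is treated as "not granted" by the article's IsSubsetOf. Note that this IsSubsetOf compares the current time against the date carried by the target (granted) permission and ignores its own ExpiredDate, so the expireddate attribute in the policy file is the only value that decides; the demanded permission carries no date of its own.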
