Best IT Recipes

How can I use CAS in .NET 4 to block my MEF extensions?

I have an application in .NET 4 that uses MEF for extensibility. My main application has three assemblies: Host , Application and Contracts .

Host is the boot-strapping executable that creates the container and executes the composition.

Application contains the logic of my application and additional extension points for third parties.

Contracts contains interfaces (and some helper classes) that are used at extension points.

Therefore, someone developing a third-party application should include a link to Contracts , but not to Application .

I think my security model should look like this:

  • Host and Application must be SecurityCritical
  • Contracts must be SecuritySafeCritical
  • All third-party extensions must be SecurityTransparent

I think that 1. will be executed by default. I know that I can implement 2. with an assembly attribute. The question is, how can I apply rule 3.? Does the operating system do this automatically, marking all downloaded extensions as untrustworthy? Is it possible for a loaded incremental assembly to become fully trusted?

+3
mef code-access-security
Aug 04 '10 at 2:11
source share
1 answer

If your application works to the full, then by default your extensions will work in full confidence and will be able to do whatever they want. It doesn't matter what the security attributes are on them. To limit the scope of the extension, you need to create an appdomain for the sandbox. You would set your Host and Application as fully trusted that AppDomain and all other code would only have the permissions that you grant it.

Here's an MSDN article on this topic: How to execute partially trusted code in a sandbox

+3
Aug 04 2018-10-10T00:
source share


More articles:


All Articles