C# Code Security

C# Strengthening Series, Article 9: Using Code Access Security

The .NET Framework provides Code Access Security (CAS), whose main job is to restrict what code is allowed to do. It can control access to all kinds of system resources and can require the caller of a piece of code to hold specific permissions. For example, we can control under what conditions, and by whom, our own DLL may be called, and in ASP.NET in particular we can confine different code to different security permissions, cutting off attacks from the network at the source. This article covers:

1. Using a custom trust level in ASP.NET
2. Configuring code access permissions for SqlConnection
3. Implementing and using a minimal custom permission

Using a custom trust level in ASP.NET

By default, ASP.NET configures the trust level of a website in C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\web.config:

```xml
<securityPolicy>
  <trustLevel name="Full" policyFile="internal" />
  <trustLevel name="High" policyFile="web_hightrust.config" />
  <trustLevel name="Medium" policyFile="web_mediumtrust.config" />
  <trustLevel name="Low" policyFile="web_lowtrust.config" />
  <trustLevel name="Minimal" policyFile="web_minimaltrust.config" />
</securityPolicy>
<trust level="Full" originUrl="" />
```

The default is Full, which grants the greatest permissions and, of course, carries the highest risk. We can define a custom trust level in our own site's web.config:

```xml
<securityPolicy>
  <trustLevel name="Custom" policyFile="web_customtrust.config" />
</securityPolicy>
<trust level="Custom" originUrl="" />
```

This uses a custom policy file, which is really just a copy of C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\web_lowtrust.config with suitable edits made to it.

(With this configuration, connecting to a database is not allowed by default.)

Configuring code access permissions for SqlConnection

The configuration is done by editing the custom web_customtrust.config file. The edited file is shown below (the modified parts were shown in bold):

web_customtrust.config:

```xml
<configuration>
  <mscorlib>
    <security>
      <policy>
        <PolicyLevel version="1">
          <SecurityClasses>
            <SecurityClass Name="AllMembershipCondition" Description="System.Security.Policy.AllMembershipCondition, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
            <SecurityClass Name="AspNetHostingPermission" Description="System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
            <SecurityClass Name="FileIOPermission" Description="System.Security.Permissions.FileIOPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
            <SecurityClass Name="FirstMatchCodeGroup" Description="System.Security.Policy.FirstMatchCodeGroup, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
            <SecurityClass Name="IsolatedStorageFilePermission" Description="System.Security.Permissions.IsolatedStorageFilePermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
            <SecurityClass Name="NamedPermissionSet" Description="System.Security.NamedPermissionSet" />
            <SecurityClass Name="SecurityPermission" Description="System.Security.Permissions.SecurityPermission, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
            <SecurityClass Name="StrongNameMembershipCondition" Description="System.Security.Policy.StrongNameMembershipCondition, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
            <SecurityClass Name="UnionCodeGroup" Description="System.Security.Policy.UnionCodeGroup, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
            <SecurityClass Name="UrlMembershipCondition" Description="System.Security.Policy.UrlMembershipCondition, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
            <SecurityClass Name="ZoneMembershipCondition" Description="System.Security.Policy.ZoneMembershipCondition, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
            <SecurityClass Name="SqlClientPermission" Description="System.Data.SqlClient.SqlClientPermission, System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
          </SecurityClasses>
          <NamedPermissionSets>
            <PermissionSet class="NamedPermissionSet" version="1" Unrestricted="true" Name="FullTrust" Description="Allows full access to all resources" />
            <PermissionSet class="NamedPermissionSet" version="1" Name="Nothing" Description="Denies all resources, including the right to execute" />
            <PermissionSet class="NamedPermissionSet" version="1" Name="ASP.Net">
              <IPermission class="AspNetHostingPermission" version="1" Level="High" />
              <IPermission class="FileIOPermission" version="1" Read="$AppDir$" PathDiscovery="$AppDir$" />
              <IPermission class="IsolatedStorageFilePermission" version="1" Allowed="AssemblyIsolationByUser" UserQuota="1048576" />
              <IPermission class="SecurityPermission" version="1" Flags="Execution" />
              <!-- connection-string restriction to dbserver/db1 (the <add> child carrying it is not reproduced here) -->
              <IPermission class="SqlClientPermission" version="1" />
            </PermissionSet>
          </NamedPermissionSets>
          <CodeGroup class="FirstMatchCodeGroup" version="1" PermissionSetName="Nothing">
            <IMembershipCondition class="AllMembershipCondition" version="1" />
            <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="ASP.Net">
              <IMembershipCondition class="UrlMembershipCondition" version="1" Url="$AppDirUrl$/*" />
            </CodeGroup>
            <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="ASP.Net">
              <IMembershipCondition class="UrlMembershipCondition" version="1" Url="$CodeGen$/*" />
            </CodeGroup>
            <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="Nothing">
              <IMembershipCondition class="ZoneMembershipCondition" version="1" Zone="MyComputer" />
            </CodeGroup>
            <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust" Name="Microsoft_Strong_Name" Description="This code group grants code signed with the Microsoft strong name full trust.">
              <IMembershipCondition class="StrongNameMembershipCondition" version="1" PublicKeyBlob="002400000480000094000000060200000024000052534131000400000100010007D1FA57C4AED9F0A32E84AA0FAEFD0DE9E8FD6AEC8F87FB03766C834C99921EB23BE79AD9D5DCC1DD9AD236132102900B723CF980957FC4E177108FC607774F29E8320E92EA05ECE4E821C0A5EFE8F1645C4C0C93C1AB99285D622CAA652C1DFAD63D745D6F2DE5F17E5EAF0FC4963D261C8A12436518206DC093344D5AD293" />
            </CodeGroup>
            <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust">
              <IMembershipCondition class="StrongNameMembershipCondition" version="1" PublicKeyBlob="00000000000000000400000000000000" />
            </CodeGroup>
          </CodeGroup>
        </PolicyLevel>
      </policy>
    </security>
  </mscorlib>
</configuration>
```

After adding this configuration, a SqlConnection may only access the db1 database on dbserver and no other database, while the user name and password can be entered freely. In other words, the only form the code may use is:

```csharp
SqlConnection connection = new SqlConnection("data source=dbserver;User ID=gspring;Password=*;initial catalog=db1");
```

Connecting to any other database raises an error:

```text
说明: 应用程序试图执行安全策略不允许的操作。要授予此应用程序所需的权限,请与系统管理员联系,或在配置文件中更改该应用程序的信任级别。
异常详细信息: System.Security.SecurityException: 请求"System.Data.SqlClient.SqlClientPermission, System.Data, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"类型的权限已失败。
```

This restricts database connection operations right at the source.
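To make the effect of that SqlClientPermission grant concrete, here is an added example (my own code, not the article's) that builds the same restriction with the SqlClientPermission API and checks candidate connection strings the way the demand issued by SqlConnection.Open does. It assumes the .NET Framework (where CAS is enforced); dbserver, db1 and gspring are the article's placeholders, and the password value is constructed.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Permissions;

// Added example, not code from the article: it models the SqlClientPermission grant that the
// custom trust level is meant to express and checks candidate connection strings against it
// the way a CAS demand does (demanded.IsSubsetOf(granted)).
static class SqlPermissionCheck
{
    // The grant: only dbserver/db1 is reachable, and the only extra keys the caller may
    // supply are User ID and Password (AllowOnly lists the keys that may vary).
    public static SqlClientPermission Granted()
    {
        var granted = new SqlClientPermission(PermissionState.None);
        granted.Add("data source=dbserver;initial catalog=db1",
                    "User ID=;Password=;",
                    KeyRestrictionBehavior.AllowOnly);
        return granted;
    }

    // SqlConnection.Open demands a SqlClientPermission built from the connection string it was
    // given; the demand succeeds only if that permission is a subset of what policy granted.
    public static bool WouldPass(string connectionString)
    {
        var demanded = new SqlClientPermission(PermissionState.None);
        demanded.Add(connectionString, "", KeyRestrictionBehavior.AllowOnly);
        return demanded.IsSubsetOf(Granted());
    }

    static void Main()
    {
        // Constructed sample connection strings; the password value is made up.
        string[] candidates =
        {
            "data source=dbserver;User ID=gspring;Password=secret;initial catalog=db1", // allowed
            "data source=dbserver;User ID=gspring;Password=secret;initial catalog=db2", // other database
            "data source=other;User ID=gspring;Password=secret;initial catalog=db1",    // other server
            "data source=dbserver;Integrated Security=true;initial catalog=db1",        // key outside the allow list
        };
        foreach (string cs in candidates)
            Console.WriteLine("{0}  {1}", WouldPass(cs) ? "allowed" : "denied ", cs);
    }
}
```

In the policy file the same grant is written as an `<add ConnectionString="data source=dbserver;initial catalog=db1" KeyRestrictions="User ID=;Password=;" KeyRestrictionBehavior="AllowOnly" />` child of the SqlClientPermission IPermission element, which is the form DBDataPermission.FromXml reads.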

Of course, if you want to allow connections to any database, the configuration can be changed to the following:

Implementing and using a minimal custom permission

A custom code access permission must inherit from CodeAccessPermission and implement the IUnrestrictedPermission interface. The main methods to implement are:

Copy: creates a copy of the current permission object.
Intersect: returns the intersection of the permissions allowed by the current class and by the passed class.
IsSubsetOf: returns true if the passed permission includes everything the current permission allows.
FromXml: decodes the XML representation of your custom permission.
ToXml: encodes the XML representation of your custom permission.
Union: creates a permission that is the union of the current permission and the specified permission.

```csharp
using System;
using System.Text;
using System.Security;
using System.Security.Permissions;

namespace MyPermission
{
    [Serializable]
    public sealed class CustomPermission : CodeAccessPermission, IUnrestrictedPermission
    {
        private DateTime _expiredDate;

        // Expiry date read from the policy configuration; the permission is valid before this date
        public DateTime ExpiredDate
        {
            get { return _expiredDate; }
            set { _expiredDate = value; }
        }

        public CustomPermission()
        {
        }

        // This constructor must exist: the CAS system calls it
        public CustomPermission(PermissionState state)
        {
            // The minimal version does not use the requested state
        }

        public bool IsUnrestricted()
        {
            return false;
        }

        public override IPermission Copy()
        {
            CustomPermission copy = new CustomPermission();
            copy.ExpiredDate = this.ExpiredDate;
            return copy;
        }

        public override IPermission Intersect(IPermission target)
        {
            if (null == target)
                return null;
            else
                return target;
        }

        // True while the current time is still before the given date
        private bool CheckDate(DateTime date)
        {
            if (DateTime.Now.CompareTo(date) < 0)
                return true;
            else
                return false;
        }

        /// <summary>
        /// Performs the permission check
        /// </summary>
        public override bool IsSubsetOf(IPermission target)
        {
            if (null == target)
                return false; // false means the condition is not met; the value configured in config must be read to decide

            try
            {
                CustomPermission passedPermission = (CustomPermission)target;
                return CheckDate(passedPermission.ExpiredDate);
            }
            catch (InvalidCastException)
            {
                throw new ArgumentException("Argument_WrongType", this.GetType().FullName);
            }
        }

        public override void FromXml(SecurityElement passedElement)
        {
            string element = passedElement.Attribute("expireddate");
            if (null != element)
                this.ExpiredDate = Convert.ToDateTime(element);
        }

        public override SecurityElement ToXml()
        {
            SecurityElement element = new SecurityElement("IPermission");
            Type type = this.GetType();
            StringBuilder assemblyName = new StringBuilder(type.Assembly.ToString());
            assemblyName.Replace('\"', '\'');
            element.AddAttribute("class", type.FullName + ", " + assemblyName);
            element.AddAttribute("version", "1");
            element.AddAttribute("expireddate", this.ExpiredDate.ToString());
            return element;
        }
    }
}
```

The example is fairly simple: it reads the expiry date from the configuration and checks against it. Points that need special mention:

1. The constructor public CustomPermission(PermissionState state) must be present; CAS internally will
