"Allows strong-named assemblies to be called by partially trusted
code. Without this declaration, only fully trusted callers are able to
use such assemblies"
AllowPartiallyTrustedCallersAttribute is only effective when applied
by a strong-named assembly at the assembly level. For more information
about applying attributes at the assembly level, see Applying
Attributes.
By default, a strong-named assembly that does not explicitly apply
this attribute at assembly level to allow its use by partially trusted
code can be called only by other assemblies that are granted full
trust by security policy. This restriction is enforced by placing a
LinkDemand for FullTrust on every public or protected method on every
publicly accessible class in the assembly. Assemblies that are
intended to be called by partially trusted code can declare their
intent through the use of the AllowPartiallyTrustedCallersAttribute.
The attribute is declared at the assembly level. An example of the
declaration in C# is [assembly:AllowPartiallyTrustedCallers] and in
Visual Basic is <assembly:AllowPartiallyTrustedCallers>.
Caution:
The presence of this assembly-level attribute prevents the default
behavior of placing FullTrust LinkDemand security checks, making the
assembly callable from any other assembly (partially or fully
trusted).
When this attribute is present, all other security checks function as
intended, including any class-level or method-level declarative
security attributes that are present. This attribute blocks only the
implicit fully trusted caller demand.
This is not a declarative security attribute, but a regular attribute
(it derives from Attribute, not SecurityAttribute).
--
Cheers,
hammett
http://hammett.castleproject.org/
Isn't there a build option to do this if you need to? (checks..) Yes -
there is:
> nant -D:assembly.allow-partially-trusted-callers=true
The assumption is that - this is something you can do for yourself if
required - but we don't think this is a good default.
Why does this not meet your requirement?
This is why this isn't the default.
This is a (seriously) non-trivial amount of work. It's about as much
fun as writing documentation - and it needs to apply not only to the
existing codebase (100,000's of lines) but also to every SVN commit
from here on. Here's what's required:
1. Make sure that every item on this list is checked off. -
http://msdn.microsoft.com/en-us/library/aa302339.aspx
2. Read this: http://msdn.microsoft.com/en-us/library/aa720569.aspx -
and then ensure that every piece of code in each library meets these
standards.
Just changing the default built setting is basically saying - "We (the
castle project/PMC) think this is ok/secure." - and we don't.
I would _happily_ accept a patch which did the above - or even made a
start - but changing the default without doing the work is crazy.
I realise that it's inconvenient to have to do private builds - but
that inconvenience is a deliberate choice. It's there so that you have
to think this through and make a risk assessment for oneself.
j.
Exactly. It makes no difference wether it's the default or not - if we
publish assemblies it's the same result.
As I said previously - this is meant to be a little bit difficult!
(svn up && build - isn't that difficult IMO).... but the burden of
responsibility rests on the individual who performs the build - rather
than castle-dev getting email "My server got HAX0RED". (Unlikely - but
not impossible - if you e.g. allow users to submit Brail/NH templates
or something similar).
Am I not explaining clearly the reason why we (the royal we) don't
wish to publish APTC assemblies? Help me here.
j.
As an outsider (just someone that uses Castle -- not a committer/team
member), I DO NOT want the Castle team to publish pre-built APTC
assemblies at this time. As said earlier, a deep security audit of
the codebase would be required. Heck, even if I WANTED to download
pre-built assemblies with APTC, I'd want a document explaing the
detailed audit procedure that was done to make this a good idea.
I know making a private build can be tricky sometimes to get set up.
But once it's up and running it's zero maintenance -- just download
the trunk (or whatever version you want) with SVN and re-build. I
would prefer people ask for help getting Castle built than publishing
APTC assemblies. All we need is one little security leak on a visible
Castle project and Castle's credibility could be hurt.
--
Patrick Steele
http://weblogs.asp.net/psteele
What I'm hearing an argument for is that we should implement a
contract without support for it.
Essentially - the argument is equivalent to: Can you please implement
this interface ITrustMeIKnowWhatImDoing and just throw NotImplemented
exceptions.
Except this is wholesale worse - because it's a silent failure of the
_entire_ trust mechanism for the .Net framework. (i.e.
ITrustMeIKnowWhatImDoing.IsAuthorized always returns true[1]).
I have no idea why DP2 is marked APTC (SVN blame might explain why) -
but an argument from existing practice is not a good one. (e.g. I've
never used source control - why do I need it now?)
If you seriously think that adding verbiage to a web page is a
solution to this problem then you haven't been paying attention.
e.g. Search the lists for "My AR instance is getting saved even though
I haven't called save and then read this:
http://castleproject.org/activerecord/index.html.
Basically - what your asking is for your support burden of maintaining
a private build (which is hardly onerous) to be exchanged for
additional support by other people on this mailing list.
I can understand why thats an attractive proposition to people who
need to build APTC - but it's not sounding like a great deal from my
seat.
j.
p.s. sorry if I seem arsey - I'm not having a great day and I'm
finding it hard to get my tone right (but I'm trying :-).
[1] Sorry for stretching this metaphor well past it's use.