IPermission.Union help

Can someone help me understand what actually happens behind the scenes in the Union method on an IPermission implementation? Here's my basic scenario:

I have a custom CAS attribute that requires up to three values to be evaluated together to know if the demand will pass or not. This became difficult to manage when trying to determine how to union two instances of the IPermission implementation together. So, in the Union call, I evaluate Demand on the current instance and on the target. Those resolve to "Yes/No" answers that are passed as two bool values to another IPermission implementation - UnionPermission. The demand on this permission just evaluates the two passed in bool values. However, Demand is never called on the UnionPermission and I have no idea what's going on.

I really want to know what class in the CLR is invoking the methods on the IPermission implementations. Then I could decompile it and look to see what it does with the returned IPermission instance.

Can someone help me understand what is going on here?

Thanks,

dwj

dwj at 2007-12-23
# 1

I'm not entirely sure I understand what you are trying to accomplish, but the IPermission.Union abstract method is not designed to demand permissions. It is simply designed to allow logical set operations on multiple permissions.

For example, the union of Read and Write permissions on a specific file could conceptually be mapped to Read/Write permissions on the same file.

In your Union method, you would need to update your custom permission private data to store both types of permission information. However, you should not perform an actual Demand inside the Union call.

We call union when performing certain PermissionSet operations for declarative and imperative security operations. You can simulate this by creating two different permission instances of your class, then calling your custom Union method.

Hope that helps,
Stephen

StephenFisher-MS at 2007-8-30
# 2

Okay, let me try to say it more clearly. I know when the Union is called and that calling Demand in it is not typical (or even recommended). But, I think the union logic breaks down in certain cases. Here's an example: If the state maintained on my IPermission instance is a boolean value, I can easily say that the Union of two booleans is 'Yes' or 'No', depending on the individual states.

But, if the state maintained on the IPermission instance is a string, the union logic does not seem as obvious. For example, "View" permission unioned with "Edit" permission does not result in a "Yes" or "No" answer. It results in an "Edit/View" answer (because I only have a string to maintain state on my IPermission) which is not a valid value. So, if I am to do anything meaningful with this unioned string, I must break it apart in the demand logic, which seems very ugly and undesirable to me.

So, I am looking for a way to union IPermission instances with strings as their state. I have not seen a good solution yet.

In addition, I cannot figure out what the CLR is actually doing with the IPermission instance that gets returned from the Union call. Do you know? I don't see the 'demand' method being invoked on the unioned instance which is what I was expecting.

dwj at 2007-8-30
# 3

RE: Implementing Union with non-boolean state
We use enums in the BCL for various permissions, including File I/O and Registry. The BCL source code is publicly available as part of the shared source initiative AFAIK.

http://msdn.microsoft.com/net/sscli

RE: Usage of Union by the CLR
Can you clarify what code you are seeing that is calling Union? Can you provide callstacks? Is this during declarative security analysis? Or at runtime?

Thanks,
Stephen

StephenFisher-MS at 2007-8-30
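
The enum-backed approach suggested in reply #3, sketched as an added example that is not part of the original thread and not BCL source code. `DocAccess` and `DocPermission` are hypothetical names, and the code assumes .NET Framework CAS (`CodeAccessPermission`). Union only merges state with a bitwise OR and never calls Demand.

```csharp
using System;
using System.Security;

// Hypothetical access levels: [Flags] lets View | Edit stay a valid value.
[Flags]
public enum DocAccess { None = 0, View = 1, Edit = 2, All = View | Edit }

// Hypothetical permission, for illustration only.
[Serializable]
public sealed class DocPermission : CodeAccessPermission
{
    private DocAccess _access;
    public DocPermission(DocAccess access) { _access = access; }
    public override IPermission Copy() { return new DocPermission(_access); }

    // Set union: combine the flags, perform no Demand here.
    public override IPermission Union(IPermission other)
    {
        return other == null ? Copy() : new DocPermission(_access | Of(other));
    }
    // Set intersection: null means "nothing in common".
    public override IPermission Intersect(IPermission target)
    {
        if (target == null) return null;
        DocAccess common = _access & Of(target);
        return common == DocAccess.None ? null : new DocPermission(common);
    }
    // True when every flag held here is also present in the target.
    public override bool IsSubsetOf(IPermission target)
    {
        if (target == null) return _access == DocAccess.None;
        return (_access & ~Of(target)) == DocAccess.None;
    }
    public override SecurityElement ToXml()
    {
        SecurityElement e = new SecurityElement("IPermission");
        e.AddAttribute("class", GetType().AssemblyQualifiedName.Replace('"', '\''));
        e.AddAttribute("version", "1");
        e.AddAttribute("Access", _access.ToString());
        return e;
    }
    public override void FromXml(SecurityElement e)
    {
        _access = (DocAccess)Enum.Parse(typeof(DocAccess), e.Attribute("Access"));
    }
    // Rejects permissions of a different type instead of guessing.
    private static DocAccess Of(IPermission p)
    {
        DocPermission d = p as DocPermission;
        if (d == null) throw new ArgumentException("Expected DocPermission.");
        return d._access;
    }
}
```

With this shape, the union of a `View` instance and an `Edit` instance is an instance holding `DocAccess.All`, and a later check for `View` alone passes `IsSubsetOf` against it without any string parsing.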
# 4

My attribute is valid as a class attribute and a method attribute. When I mark up my test class and test method with different levels ("View" at the class level and "Edit" at the method level), union is called twice. I expected one call to union and then 'demand' would be called on the resulting instance. But I cannot figure out what happens to the resulting IPermission instance created within the union call.

This scenario happens when I debug my test console application. Let me know if you want more information.

Thanks!

dwj at 2007-8-30
