what are A, B, C??

In the second case, the Common Language Runtime (CLR) will demand that the principal associated with the calling THREAD is in the "Claims Approver" role and will generate a SecurityException if the demand is not satisfied. Note that PrincipalPermissionAttribute is NOT a context attribute, so your object does not need to be context-bound to have this security check performed on its behalf. This functionality is in the runtime itself.
A, B and C are three functions. The code in A calls function B, and B in turn calls function C, but a piece of code in C requires a permission check. If the second method is used and authorization fails, the CLR can catch the exception and throw "Request for principal permission failed". The question now is: after authorization fails under each of the two methods, how does the call stack behave, and what is the difference?
1. Manual authorization
It is up to you to decide what to do, since it does nothing if the user is not in the "Claims Approver" role.
2. Declarative authorization
The CLR throws a SecurityException; it will rewind to wherever you have a handler or crash your system. You'd better use a try/catch in B.
PrincipalPermission CEOPermission = new PrincipalPermission("Bob", "CEO");
PrincipalPermission MgtPermission = new PrincipalPermission("mike", "Senior Manager");
// Demand succeeds if the current principal satisfies either permission; otherwise SecurityException
(CEOPermission.Union(MgtPermission)).Demand();
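The A -> B -> C scenario from the question, as an added example that is not code from this thread: a constructed principal without the role is attached to the calling thread, the manual check in C simply does nothing, while the declarative demand throws a SecurityException that unwinds out of C to the handler in B. It assumes .NET Framework (PrincipalPermissionAttribute is not supported on .NET Core), and the user name "alice" and role "Clerk" are constructed values.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Added example, not from the thread; "alice"/"Clerk" are constructed values.
class CallStackDemo
{
    // Manual check: on failure nothing happens, control returns to B
    // normally and B cannot tell that the check failed.
    static void C_Manual()
    {
        if (Thread.CurrentPrincipal.IsInRole("Claims Approver"))
            Console.WriteLine("C_Manual: approving claims");
    }

    // Declarative check: the CLR demands the role before the body runs.
    // On failure it throws SecurityException, which unwinds through B
    // to A and then to the runtime unless some frame catches it.
    [PrincipalPermission(SecurityAction.Demand, Role = "Claims Approver")]
    static void C_Declarative()
    {
        Console.WriteLine("C_Declarative: approving claims");
    }

    static void B()
    {
        C_Manual();          // silently does nothing for this principal
        try
        {
            C_Declarative(); // throws before its body executes
        }
        catch (SecurityException ex)
        {
            // the nearest handler above C on the stack wins; here it is B
            Console.WriteLine("B caught: " + ex.Message);
        }
    }

    static void A() { B(); }

    static void Main()
    {
        // attach a constructed principal WITHOUT the role to the calling thread
        Thread.CurrentPrincipal = new GenericPrincipal(
            new GenericIdentity("alice"), new[] { "Clerk" });
        A();
    }
}
```

Remove the try/catch in B to see the exception propagate through A and terminate the process, which is the "crash your system" case described in the answer.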
The manual check is as follows:
if (HttpContext.Current.User.IsInRole("Claims Approver"))
{
    // Permit access to some code
}
The declarative check is as follows:
[PrincipalPermissionAttribute(SecurityAction.Demand, Role = "Claims Approver")]
public void ApproveClaims()
{
    // Only members of "Claims Approver" can execute this function
}
Seen this way, if the manual check is used, the functional method could be called by other untrusted code; that may be a drawback of this approach. Is that right?