16

I received the following compilation warning as a error while upgrading some ASP.NET code from .NET 3.5: 'System.Security.Permissions.SecurityAction.RequestMinimum' is obsolete.

The attribute has bee applied on the assebly level:

[assembly: System.Security.Permissions.SecurityPermission(System.Security.Permissions.SecurityAction.RequestMinimum, Execution=true)]

Also the code makes use of the P&P Web Client Software Factory, specificly the ObjectBuilder.WCSFExtensions library. Also it the code is providing some role provider implementations.

Keep in mind this code is used as Framework code in other projects, so it is hard to determine what security demands there might be.

So the milion dolar question is:

What value needs to be used for the "System.Security.Permissions.SecurityAction" enum?

Alternatively is there a better approach to applying the this security attribute?

Schalk
  • 280
  • 1
  • 4
  • 13

2 Answers2

14

Did you read the full compiler warning or visit the link it includes? The "naked" CLR no longer restricts CAS permissions under .NET 4.0 unless you flip a "legacy mode" switch, so there is no replacement for your RequestMinimum use. The assembly-level SecurityPermissionAttribute should be removed, not modified.

For a more complete explanation of the 4.0 CAS changes than appears on MSDN, see http://blogs.msdn.com/b/shawnfa/archive/2009/05/21/security-policy-in-the-v4-clr.aspx and http://blogs.msdn.com/b/shawnfa/archive/2010/02/24/so-is-cas-dead-in-net-4-or-what.aspx.

Nicole Calinoiu
  • 20,843
  • 2
  • 44
  • 49
  • Thanks Nicole, the articles you mentioned provides a clearer background than the MSDN documentation (which was comprehensive, but did not give any explicit/obvious statement saying: remove the attribute). I was not sure what the implications would be in removing the attribute. In the end I opted to leave that code in 3.5 for now. – Schalk Nov 29 '11 at 19:34
  • 2
    An assembly-level RequestMinimum simply instructs the host not to load the assembly if it isn't granted the specified permission. A RequestMinimum for execution permission is pretty near useless anyway since the host won't run any code in the assembly unless it has execution permission. The only difference in runtime behaviour when the permission is not granted are the details of the exception and when it is thrown. However, regardless of whether the attribute is present or not, you will see an exception before any code in the assembly is executed. – Nicole Calinoiu Nov 30 '11 at 13:10
-2

http://msdn.microsoft.com/en-us/library/ee471421.aspx

It seems the problem is that assembly level declarative security on the whole has been marked obsolete. Perhaps you can apply this at a method-level instead?

Menno van den Heuvel
  • 1,851
  • 13
  • 24