开发者

SecurityExceptions using the HTML Helpers in third-party libraries

开发者 https://www.devze.com 2022-12-13 19:05 出处:网络
Ca开发者_运维知识库n someone explain this paragraph on page 258(Pro ASP.NET MVC 1.0 Chapter 6: Using the HTML Helpers)?

Ca开发者_运维知识库n someone explain this paragraph on page 258(Pro ASP.NET MVC 1.0 Chapter 6: Using the HTML Helpers)?

If you're writing a third-party library(as opposed to a web application) that uses the HTML helpers, never call the overloads that accept anonymous objects. Always call the overloads that accept dictionaries. Otherwise, web application authors that consume your library are likely to experience SecurityExceptions.


If you pass anonymous object to a helper then it should use Reflection.

Reflection requires privileges and if there are no such then SecurityExpection-s will be thrown.


Anonymous types are internal to the assembly in which they're defined.

MVC is [SecurityTransparent], so to the CLR it looks like anything that MVC does is actually being performed by your application. If your third-party library is also [SecurityTransparent] (which it really should be) and is deployed to the GAC, then it will appear to the CLR that your application code is trying to perform private reflection over a GACed assembly. If your application is running in Medium trust or otherwise doesn't have reflection permission, this will cause a SecurityException.

Edit: This doesn't mean that third-party libraries can't use anonymous objects in their own code. It just means that they shouldn't pass those objects to MVC APIs that try to perform reflection over those objects, such as htmlAttributes or routeValues.

0

精彩评论

暂无评论...
验证码 换一张
取 消