SqlClientPermission.Add(String, String, KeyRestrictionBehavior) Method

Definition

Adds a new connection string and a set of restricted keywords to the SqlClientPermission object.

public:
 override void Add(System::String ^ connectionString, System::String ^ restrictions, System::Data::KeyRestrictionBehavior behavior);
public override void Add (string connectionString, string restrictions, System.Data.KeyRestrictionBehavior behavior);
override this.Add : string * string * System.Data.KeyRestrictionBehavior -> unit
Public Overrides Sub Add (connectionString As String, restrictions As String, behavior As KeyRestrictionBehavior)

Parameters

connectionString
String

The connection string.

restrictions
String

The key restrictions.

behavior
KeyRestrictionBehavior

One of the KeyRestrictionBehavior enumerations.

Remarks

Use this method to configure which connection strings are allowed by a particular permission object. For example, use the following code fragment if you want to only allow a specific connection string and nothing else:

permission.Add("server=MyServer; database=MyDatabase; Integrated Security=true", "", KeyRestrictionBehavior.AllowOnly)

The following example allows connection strings that use any database, but only on the server named MyServer, with any user and password combination and containing no other connection string keywords:

permission.Add("server=MyServer;", "database=; user id=; password=;", KeyRestrictionBehavior.AllowOnly)

The following example uses the same scenario as above but allows for a failover partner that can be used when connecting to servers configured for mirroring:

permission.Add("server=MyServer; failover partner=MyMirrorServer", "database=; user id=; password=;", KeyRestrictionBehavior.AllowOnly)

Note

When using code access security permissions for ADO.NET, the correct pattern is to start with the most restrictive case (no permissions at all) and then add the specific permissions that are needed for the particular task that the code needs to perform. The opposite pattern, starting with all permissions and then trying to deny a specific permission, is not secure, because there are many ways of expressing the same connection string. For example, if you start with all permissions and then attempt to deny the use of the connection string "server=someserver", the string "server=someserver.mycompany.com" would still be allowed. By always starting by granting no permissions at all, you reduce the chances that there are holes in the permission set.
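The following C# program is an added example, not code from the original page. It builds the allow-only grant described above, starting from PermissionState.None, and tests several candidate connection strings against it with IsSubsetOf. It assumes .NET Framework, where code access security is enforced; the class and method names are hypothetical and the candidate strings are constructed sample inputs.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Security.Permissions;

static class AllowListCheck
{
    // Start from no permissions, then add the single entry from the text:
    // only MyServer, with database, user id and password free to vary.
    static SqlClientPermission BuildGrant()
    {
        var grant = new SqlClientPermission(PermissionState.None);
        grant.Add("server=MyServer;",
                  "database=; user id=; password=;",
                  KeyRestrictionBehavior.AllowOnly);
        return grant;
    }

    // Wrap one candidate connection string in its own permission object
    // and ask whether the grant covers it.
    static bool IsCovered(SqlClientPermission grant, string candidate)
    {
        var requested = new SqlClientPermission(PermissionState.None);
        requested.Add(candidate, "", KeyRestrictionBehavior.AllowOnly);
        return requested.IsSubsetOf(grant);
    }

    static void Main()
    {
        // Constructed sample inputs; the credentials are placeholders.
        string[] candidates =
        {
            "server=MyServer; database=Sales; user id=app; password=PLACEHOLDER",
            "server=MyServer.mycompany.com; database=Sales; user id=app; password=PLACEHOLDER",
            "server=MyServer; database=Sales; Integrated Security=true",
            "server=OtherServer; database=Sales; user id=app; password=PLACEHOLDER",
        };

        SqlClientPermission grant = BuildGrant();
        foreach (string candidate in candidates)
        {
            // Prints True or False followed by the candidate string.
            Console.WriteLine("{0,-5} {1}", IsCovered(grant, candidate), candidate);
        }
    }
}
```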
