Using Libraries from Partially Trusted Code

Note

Code Access Security and Partially Trusted Code

The .NET Framework provides a mechanism for the enforcement of varying levels of trust on different code running in the same application called Code Access Security (CAS). Code Access Security in .NET Framework should not be used as a mechanism for enforcing security boundaries based on code origination or other identity aspects. We are updating our guidance to reflect that Code Access Security and Security-Transparent Code will not be supported as a security boundary with partially trusted code, especially code of unknown origin. We advise against loading and executing code of unknown origins without putting alternative security measures in place.

This policy applies to all versions of .NET Framework, but does not apply to the .NET Framework included in Silverlight.

Note

This topic addresses the behavior of strong-named assemblies and applies only to Level 1 assemblies. Security-Transparent Code and Level 2 assemblies in the .NET Framework 4 or later are not affected by strong names. For more information about changes to the security system, see Security Changes.

Applications that receive less than full trust from their host or sandbox are not allowed to call shared managed libraries unless the library writer specifically allows them to through the use of the AllowPartiallyTrustedCallersAttribute attribute. Therefore, application writers must be aware that some libraries will not be available to them from a partially trusted context. By default, all code that executes in a partial-trust sandbox and is not in the list of full-trust assemblies is partially trusted. If you do not expect your code to be executed from a partially trusted context or to be called by partially trusted code, you do not have to be concerned about the information in this section. However, if you write code that must interact with partially trusted code or operate from a partially trusted context, you should consider the following factors:

  • Libraries must be signed with a strong name in order to be shared by multiple applications. Strong names allow your code to be placed in the global assembly cache or added to the full-trust list of a sandboxing AppDomain, and allow consumers to verify that a particular piece of mobile code actually originates from you.

  • By default, strong-named Level 1 shared libraries perform an implicit LinkDemand for full trust automatically, without the library writer having to do anything.

  • If a caller does not have full trust but still tries to call such a library, the runtime throws a SecurityException and the caller is not allowed to link to the library.

  • In order to disable the automatic LinkDemand and prevent the exception from being thrown, you can place the AllowPartiallyTrustedCallersAttribute attribute on the assembly scope of a shared library. This attribute allows your libraries to be called from partially trusted managed code.

  • Partially trusted code that is granted access to a library with this attribute is still subject to further restrictions defined by the AppDomain.

  • There is no programmatic way for partially trusted code to call a library that does not have the AllowPartiallyTrustedCallersAttribute attribute.
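The following C# example, added here and not taken from the page or from the .NET Framework documentation, puts the factors above together: a strong-named Level 1 library opts in with AllowPartiallyTrustedCallersAttribute, keeps one sensitive member behind an explicit full-trust LinkDemand so the opt-in does not expose it, and a fully trusted host places the library on the full-trust list of a sandboxed AppDomain and calls it from partially trusted code. The assembly name `SharedLibrary`, the `TextUtilities` and `SandboxedCaller` types, and the assumption that the library is strong-name signed through its project settings or sn.exe are all constructed for the example.

```csharp
// ---- Project 1: SharedLibrary.dll (strong-name signed; Level 1 rules, as this page covers) ----
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

// Opt in: without this attribute a strong-named Level 1 library carries an implicit
// LinkDemand for full trust on every public member, and partially trusted callers
// fail with SecurityException when they try to link to it.
[assembly: AllowPartiallyTrustedCallers]
[assembly: SecurityRules(SecurityRuleSet.Level1)]

namespace SharedLibrary
{
    public static class TextUtilities
    {
        // Safe to expose to partial trust: touches no protected resource.
        public static string Normalize(string s)
        {
            return (s ?? string.Empty).Trim().ToUpperInvariant();
        }

        // Sensitive: re-impose the full-trust LinkDemand on this member only, so the
        // assembly-wide opt-in does not silently hand file access to the sandbox.
        [PermissionSet(SecurityAction.LinkDemand, Name = "FullTrust")]
        public static string ReadConfig(string path)
        {
            return File.ReadAllText(path);
        }
    }
}

// ---- Project 2: Host.exe (fully trusted, references SharedLibrary.dll) ----
namespace Host
{
    // Instantiated inside the sandbox, so every method here runs partially trusted.
    public sealed class SandboxedCaller : MarshalByRefObject
    {
        public string TryNormalize(string input)
        {
            return SharedLibrary.TextUtilities.Normalize(input);
        }

        public string TryReadConfig(string path)
        {
            try
            {
                return ReadConfigCore(path);
            }
            catch (SecurityException ex)
            {
                return "blocked: " + ex.Message;
            }
        }

        // Kept in a separate method: a LinkDemand is evaluated when the calling method
        // is JIT-compiled, so the failure must surface inside the try block above.
        private static string ReadConfigCore(string path)
        {
            return SharedLibrary.TextUtilities.ReadConfig(path);
        }
    }

    internal static class Program
    {
        private static void Main()
        {
            // Grant set for the sandbox: execution only, nothing else.
            var grant = new PermissionSet(PermissionState.None);
            grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));

            var setup = new AppDomainSetup { ApplicationBase = AppDomain.CurrentDomain.BaseDirectory };

            // The library's strong name puts it on the sandbox's full-trust list; the
            // caller assembly is not listed, so SandboxedCaller stays partially trusted.
            StrongName libraryName = typeof(SharedLibrary.TextUtilities).Assembly.Evidence.GetHostEvidence<StrongName>();
            AppDomain sandbox = AppDomain.CreateDomain("sandbox", null, setup, grant, libraryName);

            var caller = (SandboxedCaller)sandbox.CreateInstanceAndUnwrap(
                typeof(SandboxedCaller).Assembly.FullName, typeof(SandboxedCaller).FullName);

            Console.WriteLine(caller.TryNormalize("  hello  "));   // succeeds: APTCA allows the link
            Console.WriteLine(caller.TryReadConfig("app.config")); // fails: explicit full-trust LinkDemand

            AppDomain.Unload(sandbox);
        }
    }
}
```

Removing the `[assembly: AllowPartiallyTrustedCallers]` line makes the first call fail as well, which is the default behaviour the second and third factors above describe; the `PermissionSet` attribute on `ReadConfig` shows how a library can opt in at assembly scope while keeping individual members restricted to fully trusted callers.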

Libraries that are private to a specific application do not require a strong name or the AllowPartiallyTrustedCallersAttribute attribute and cannot be referenced by potentially malicious code outside the application. Such code is protected against intentional or unintentional misuse by partially trusted mobile code without the developer having to do anything extra.

You should consider explicitly enabling use by partially trusted code for the following types of code:

  • Code that has been diligently tested for security vulnerabilities and is in compliance with the guidelines described in Secure Coding Guidelines.

  • Strong-named code libraries that are specifically written for partially trusted scenarios.

  • Any components (whether partially or fully trusted) signed with a strong name that will be called by code that is downloaded from the Internet.

Note

Some classes in the .NET Framework class library do not have the AllowPartiallyTrustedCallersAttribute attribute and cannot be called by partially trusted code.

See also