Using Libraries from Partially Trusted Code

Warning

Code Access Security and Partially Trusted Code

The .NET Framework provides a mechanism called Code Access Security (CAS) for enforcing varying levels of trust on different code running in the same application. Code Access Security in the .NET Framework should not be used as a mechanism for enforcing security boundaries based on code origination or other identity aspects. We are updating our guidance to reflect that Code Access Security and Security-Transparent Code will not be supported as a security boundary with partially trusted code, especially code of unknown origin. We advise against loading and executing code of unknown origin without putting alternative security measures in place.

This policy applies to all versions of the .NET Framework, but does not apply to the .NET Framework included in Silverlight.

Note

This topic addresses the behavior of strong-named assemblies and applies only to Level 1 assemblies. Security-transparent code and Level 2 assemblies (the .NET Framework 4 and later) are not affected by strong names. For more information about changes to the security system, see Security Changes.

Applications that receive less than full trust from their host or sandbox are not allowed to call shared managed libraries unless the library writer specifically allows them to through the use of the AllowPartiallyTrustedCallersAttribute attribute. Therefore, application writers must be aware that some libraries will not be available to them from a partially trusted context. By default, all code that executes in a partial-trust sandbox and is not in the list of full-trust assemblies is partially trusted. If you do not expect your code to be executed from a partially trusted context or to be called by partially trusted code, you do not have to be concerned about the information in this section. However, if you write code that must interact with partially trusted code or operate from a partially trusted context, you should consider the following factors:

  • Libraries must be signed with a strong name in order to be shared by multiple applications. Strong names allow your code to be placed in the global assembly cache or added to the full-trust list of a sandboxing AppDomain, and allow consumers to verify that a particular piece of mobile code actually originates from you.

  • By default, strong-named Level 1 shared libraries perform an implicit LinkDemand for full trust automatically, without the library writer having to do anything.

  • If a caller does not have full trust but still tries to call such a library, the runtime throws a SecurityException and the caller is not allowed to link to the library.

  • To disable the automatic LinkDemand and prevent the exception from being thrown, you can place the AllowPartiallyTrustedCallersAttribute attribute at the assembly scope of a shared library. This attribute allows your library to be called from partially trusted managed code.

  • Partially trusted code that is granted access to a library with this attribute is still subject to further restrictions defined by the AppDomain.

  • There is no programmatic way for partially trusted code to call a library that does not have the AllowPartiallyTrustedCallersAttribute attribute.
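The following is an added example, not code from the original page or from the .NET Framework documentation, showing the library side of the factors listed above: a strong-named shared library that opts in to partially trusted callers with AllowPartiallyTrustedCallersAttribute and then puts its own demands back on the members that touch protected resources. The names SharedLib, Utilities, CountWords, ReadConfig and ClearTempDirectory are hypothetical, and the assembly is assumed to be signed with a key file at build time.

```csharp
// Added example: a strong-named shared library that allows partially trusted
// callers and restricts its own sensitive members. SharedLib, Utilities,
// CountWords, ReadConfig and ClearTempDirectory are hypothetical names; the
// assembly is assumed to be signed with a key file at build time.
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Removes the implicit full-trust LinkDemand that a strong-named Level 1
// library would otherwise place on every public member.
[assembly: AllowPartiallyTrustedCallers]
// Pin the assembly to Level 1 rules, which is the case this topic describes.
[assembly: SecurityRules(SecurityRuleSet.Level1)]

namespace SharedLib
{
    public static class Utilities
    {
        // Safe to expose to partially trusted callers: pure computation that
        // touches no protected resource.
        public static int CountWords(string text)
        {
            if (text == null) throw new ArgumentNullException("text");
            return text.Split(new[] { ' ', '\t', '\r', '\n' },
                              StringSplitOptions.RemoveEmptyEntries).Length;
        }

        // Touches the file system. With APTCA the assembly-wide LinkDemand is
        // gone, so this member demands the specific permission it needs. A
        // full Demand walks the whole call stack, so a partially trusted
        // caller anywhere on the stack gets a SecurityException at run time.
        public static string ReadConfig(string path)
        {
            string fullPath = Path.GetFullPath(path);
            new FileIOPermission(FileIOPermissionAccess.Read, fullPath).Demand();
            return File.ReadAllText(fullPath);
        }

        // Reinstates the full-trust link demand for this one member only. A
        // LinkDemand checks the immediate caller when the calling method is
        // JIT-compiled, so a partially trusted caller fails before this body runs.
        [PermissionSet(SecurityAction.LinkDemand, Name = "FullTrust")]
        public static int ClearTempDirectory(string directory)
        {
            int removed = 0;
            foreach (string file in Directory.GetFiles(directory))
            {
                File.Delete(file);
                removed++;
            }
            return removed;
        }
    }
}
```

In the .NET Framework, File.ReadAllText performs the same FileIOPermission demand on its own; stating it explicitly in ReadConfig documents the requirement at the library's public surface and keeps it in place if the implementation later changes. The choice between a stack-walking Demand and a caller-only LinkDemand is the usual trade-off: Demand catches a partially trusted caller that reaches the member through a trusted intermediary, while LinkDemand is cheaper but trusts whoever links to the member directly.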

Libraries that are private to a specific application do not require a strong name or the AllowPartiallyTrustedCallersAttribute attribute and cannot be referenced by potentially malicious code outside the application. Such code is protected against intentional or unintentional misuse by partially trusted mobile code without the developer having to do anything extra.

You should consider explicitly enabling use by partially trusted code for the following types of code:

  • Code that has been diligently tested for security vulnerabilities and is in compliance with the guidelines described in Secure Coding Guidelines.

  • Strong-named code libraries that are specifically written for partially trusted scenarios.

  • Any components (whether partially or fully trusted) signed with a strong name that will be called by code that is downloaded from the Internet.
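The last item concerns code downloaded from the Internet calling a strong-named component. The following added example, not from the original page or the .NET Framework documentation, shows the host side of that scenario: a sandboxed AppDomain with the Internet zone's standard grant set, a full-trust list containing only the shared library, and a worker that records which calls link and which are refused. SandboxHost, UntrustedWorker and SharedLib.Utilities are hypothetical names; the library is assumed to expose CountWords (pure computation) and ReadConfig (which demands FileIOPermission for the file it reads).

```csharp
// Added example: a host that runs code from the Internet zone in a sandboxed
// AppDomain and calls a strong-named shared library from it. SandboxHost,
// UntrustedWorker, SharedLib.Utilities, CountWords and ReadConfig are
// hypothetical names assumed for this example.
using System;
using System.IO;
using System.Reflection;
using System.Runtime.CompilerServices;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;
using System.Text;

namespace SandboxHost
{
    // Instantiated inside the sandbox; MarshalByRefObject lets the host call
    // it across the AppDomain boundary.
    public class UntrustedWorker : MarshalByRefObject
    {
        public string Run(string text, string configPath)
        {
            var results = new StringBuilder();
            try
            {
                results.AppendLine("CountWords -> " + CallCountWords(text));
            }
            catch (SecurityException ex)
            {
                // Reached when the library lacks APTCA: the implicit full-trust
                // LinkDemand fails as CallCountWords is JIT-compiled.
                results.AppendLine("CountWords refused: " + ex.Message);
            }
            try
            {
                results.AppendLine("ReadConfig -> " + CallReadConfig(configPath).Length + " chars");
            }
            catch (SecurityException ex)
            {
                // Reached even with APTCA: the Internet grant set carries no
                // FileIOPermission, so the library's own Demand fails on the
                // partially trusted frame in the stack walk.
                results.AppendLine("ReadConfig refused: " + ex.Message);
            }
            return results.ToString();
        }

        // Kept out of Run so that link-time failures surface inside the try
        // blocks above, when these methods are first compiled, rather than
        // when Run itself is compiled.
        [MethodImpl(MethodImplOptions.NoInlining)]
        private static int CallCountWords(string text)
        {
            return SharedLib.Utilities.CountWords(text);
        }

        [MethodImpl(MethodImplOptions.NoInlining)]
        private static string CallReadConfig(string path)
        {
            return SharedLib.Utilities.ReadConfig(path);
        }
    }

    public static class Program
    {
        public static void Main()
        {
            // Evidence that makes the sandbox treat its code as Internet-origin.
            var evidence = new Evidence();
            evidence.AddHostEvidence(new Zone(SecurityZone.Internet));

            // The standard Internet grant set: execution, isolated storage,
            // limited UI, no general file I/O.
            PermissionSet grant = SecurityManager.GetStandardSandbox(evidence);

            var setup = new AppDomainSetup
            {
                ApplicationBase = Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location)
            };

            // Full-trust list for the sandbox: only the strong-named library.
            // The worker's own assembly is deliberately left off it, so it is
            // partially trusted inside the sandbox.
            StrongName library = typeof(SharedLib.Utilities).Assembly.Evidence
                                     .GetHostEvidence<StrongName>();

            AppDomain sandbox = AppDomain.CreateDomain("Sandbox", evidence, setup, grant, library);
            try
            {
                var worker = (UntrustedWorker)sandbox.CreateInstanceAndUnwrap(
                    typeof(UntrustedWorker).Assembly.FullName,
                    typeof(UntrustedWorker).FullName);
                Console.Write(worker.Run("one two three", "app.config"));
            }
            finally
            {
                AppDomain.Unload(sandbox);
            }
        }
    }
}
```

Running the host with and without AllowPartiallyTrustedCallersAttribute on the library separates the two failure modes: without it, CountWords is refused at link time even though the library is on the sandbox's full-trust list; with it, CountWords succeeds and only ReadConfig is refused, by the library's own run-time demand. That second refusal is the AppDomain-defined restriction the factors above describe, and it is the reason an APTCA library must protect its sensitive members itself.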

Note

Some classes in the .NET Framework class library do not have the AllowPartiallyTrustedCallersAttribute attribute and cannot be called by partially trusted code.

See also