| Groups | Blog | Home |
dotnet security : Toggling SecurityManager.SecurityEnabled
Unfortunately, weird as it may seem, it can't be turned back on for the current process. The simplest workaround is to name the various test classes and methods so that the CAS-enabled tests run prior to disabling CAS. (IME so far, they are run in alphabetical order.) Of course, if you take this approach, you should end the NUnit process between each test run. Another option would be to split your CAS-enabled and CAS-disabled tests into separate test assemblies. This is my own preferred approach. As with the previous approach, a new instance of NUnit should be launched once any disabled-CAS test suite has been run. Yet another option is to launch the individual tests on separate processes. AFAIK, this is not a terribly convenient approach in any of the existing unit testing frameworks for .NET. In addition, if you actually need to persist the setting (as opposed to simply disabling within any given process), elevated user privileges may be required. HTH, Nicole [quoted text, click to view] "Kevin Westhead" <kevinw@NOSPAM.i2DOTcoDOTuk> wrote in message news:%23Vpm4RJoEHA.692@TK2MSFTNGP12.phx.gbl... > Is there a way I can toggle SecurityManager.SecurityEnabled so that I can > test some methods that check this value? For example, I have a class that > I > want to use with NUnit as follows: > > [Category("Exceptions - code access security is disabled.")] > [TestFixture()] > public class CodeAccessSecurityDisabledExceptions > { > > public CodeAccessSecurityDisabledExceptions() : base() > { > } > > [TestFixtureSetUp()] > public void DisableCodeAccessSecurity() > { > SecurityManager.SecurityEnabled = false; > } > > [TestFixtureTearDown()] > public void EnableCodeAccessSecurity() > { > SecurityManager.SecurityEnabled = true; > SecurityManager.SavePolicy(); > } > > // Various method tests that are expected to throw SecurityException > when SecurityManager.SecurityEnabled == false) > > } > > Unfortunately CAS remains disabled when I run any other tests, so it looks > like simply setting SecurityManager.SecurityEnabled = true isn't the > answer. > Is there a way I can turn CAS back on from code? > > TIA. > > -- > Kevin Westhead > >
I have no idea why it was implemented this way, but I agree that it's odd.
Also, I wouldn't quite trust the docs on this one. For starters, CAS can be disabled under a non-admin account for the current process even if default settings prevent persistence of this (via SavePolicy method) for use by new processes. The statement concerning the effect on the current process is also rather bizarre. The effect is completely predictable, although I guess the author was correct about it being potentially "unexpected". <g> While I agree with you that the implementation could use some changes, I can't see any reason to replace the property with a new method. Instead, the property could simply be fixed to behave as one might normally expect. i.e.: 1. Don't allow CAS to be disabled by a non-admin, even for the current process, regardless of the permissions on the setting store. (Obviously, different behaviour would be necessary on Win9x.) Another alternative would be to at least make within-process changes dependent on permission to persist the change, even if the change isn't being persisted. However, this is not what the documentation seems to reflect as the intended behaviour. 2. Make it at least as easy to enable CAS as it is to disable CAS. This includes making it possible to enable CAS for the current process by toggling the value of the property. [quoted text, click to view] "Kevin Westhead" <kevinw@NOSPAM.i2DOTcoDOTuk> wrote in message news:%2327yLaKoEHA.2684@TK2MSFTNGP11.phx.gbl... > Thanks for the helpful response. > > Now that I know I'm seeing expected behaviour I can start figuring out how > to arrange my tests, which will probably be something along the lines of > one > of your suggestions. > > Out of curiosity, do you know why the SecurityEnabled property is only > settable one way? The documentation sort of hints at it with > "SecurityEnabled provides a way for administrators to disable code access > security." although IMHO the resulting behaviour is unintuitive: making > the > property read-only and providing a DisableSecurity method would have made > the usage clearer even if the reasoning behind it was still vague. > > -- > Kevin Westhead > > "Nicole Calinoiu" <ngcalinoiu REMOVETHIS AT gmail DOT com> wrote in > message > news:u3Sq$5JoEHA.3224@tk2msftngp13.phx.gbl... >> Unfortunately, weird as it may seem, it can't be turned back on for the >> current process. The simplest workaround is to name the various test >> classes and methods so that the CAS-enabled tests run prior to disabling >> CAS. (IME so far, they are run in alphabetical order.) Of course, if >> you >> take this approach, you should end the NUnit process between each test > run. >> >> Another option would be to split your CAS-enabled and CAS-disabled tests >> into separate test assemblies. This is my own preferred approach. As > with >> the previous approach, a new instance of NUnit should be launched once >> any >> disabled-CAS test suite has been run. >> >> Yet another option is to launch the individual tests on separate > processes. >> AFAIK, this is not a terribly convenient approach in any of the existing >> unit testing frameworks for .NET. In addition, if you actually need to >> persist the setting (as opposed to simply disabling within any given >> process), elevated user privileges may be required. > >
Is there a way I can toggle SecurityManager.SecurityEnabled so that I can
test some methods that check this value? For example, I have a class that I want to use with NUnit as follows: [Category("Exceptions - code access security is disabled.")] [TestFixture()] public class CodeAccessSecurityDisabledExceptions { public CodeAccessSecurityDisabledExceptions() : base() { } [TestFixtureSetUp()] public void DisableCodeAccessSecurity() { SecurityManager.SecurityEnabled = false; } [TestFixtureTearDown()] public void EnableCodeAccessSecurity() { SecurityManager.SecurityEnabled = true; SecurityManager.SavePolicy(); } // Various method tests that are expected to throw SecurityException when SecurityManager.SecurityEnabled == false) } Unfortunately CAS remains disabled when I run any other tests, so it looks like simply setting SecurityManager.SecurityEnabled = true isn't the answer. Is there a way I can turn CAS back on from code? TIA. -- Kevin Westhead
Thanks for the helpful response.
Now that I know I'm seeing expected behaviour I can start figuring out how to arrange my tests, which will probably be something along the lines of one of your suggestions. Out of curiosity, do you know why the SecurityEnabled property is only settable one way? The documentation sort of hints at it with "SecurityEnabled provides a way for administrators to disable code access security." although IMHO the resulting behaviour is unintuitive: making the property read-only and providing a DisableSecurity method would have made the usage clearer even if the reasoning behind it was still vague. -- Kevin Westhead [quoted text, click to view] "Nicole Calinoiu" <ngcalinoiu REMOVETHIS AT gmail DOT com> wrote in message news:u3Sq$5JoEHA.3224@tk2msftngp13.phx.gbl... > Unfortunately, weird as it may seem, it can't be turned back on for the > current process. The simplest workaround is to name the various test > classes and methods so that the CAS-enabled tests run prior to disabling > CAS. (IME so far, they are run in alphabetical order.) Of course, if you > take this approach, you should end the NUnit process between each test run. > > Another option would be to split your CAS-enabled and CAS-disabled tests > into separate test assemblies. This is my own preferred approach. As with > the previous approach, a new instance of NUnit should be launched once any > disabled-CAS test suite has been run. > > Yet another option is to launch the individual tests on separate processes. > AFAIK, this is not a terribly convenient approach in any of the existing > unit testing frameworks for .NET. In addition, if you actually need to > persist the setting (as opposed to simply disabling within any given > process), elevated user privileges may be required.
Don't see what you're looking for? Try a search.
|
June 2004
July 2004
August 2004
September 2004
October 2004
November 2004
December 2004
January 2005
February 2005
March 2005
April 2005
May 2005
June 2005
July 2005
August 2005
September 2005
October 2005
November 2005
December 2005
January 2006
February 2006
March 2006
April 2006
May 2006
June 2006
July 2006
August 2006
September 2006
October 2006
November 2006
December 2006
January 2007
February 2007
March 2007
April 2007
May 2007
June 2007
July 2007
August 2007
September 2007
October 2007
November 2007
| home · blog · groups | Questions? Comments? Contact the dn |