我正在使用 .NET Framework 4.6.2,我们为应用程序创建了一个 HttpModule。
应用程序的 .NET 信任级别设置为中等(Medium)。我们无法更改信任级别,因为应用程序必须与中等信任级别兼容;我们也无法从类级特性中移除 SecurityAction.LinkDemand,因为一旦移除 LinkDemand,AntiHttpCrossSiteForgeryRequestSettings 类就会因部分信任级别而抛出异常。
我们收到以下错误 -
安全透明方法 'Framework.HttpModule.AntiHttpCrossSiteForgeryRequestModule.Init(System.Web.HttpApplication)' 尝试访问受 LinkDemand 保护的方法 'Framework.HttpModule.AntiHttpCrossSiteForgeryRequestModule.PreSendRequestHeaders(System.Object, System.EventArgs)' 失败。方法必须是安全关键(SecurityCritical)或安全可靠关键(SecuritySafeCritical)的,才能满足 LinkDemand。
代码:
namespace Framework.HttpModule
{
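/// <summary>
/// HTTP module that subscribes to three request-pipeline events of the hosting
/// <see cref="HttpApplication"/>. In this listing only the pre-handler step does any
/// work: it looks up the anti-CSRF cookie by its configured name.
/// </summary>
/// <remarks>
/// The class-level LinkDemand is applied to every member of the type, including the
/// private static event handlers; the reported error names PreSendRequestHeaders as a
/// LinkDemand-protected method for exactly that reason.
/// </remarks>
[AspNetHostingPermissionAttribute(SecurityAction.InheritanceDemand, Level = AspNetHostingPermissionLevel.Minimal)]
[AspNetHostingPermissionAttribute(SecurityAction.LinkDemand, Level = AspNetHostingPermissionLevel.Minimal)]
public class AntiHttpCrossSiteForgeryRequestModule : IHttpModule
{
    // Not referenced anywhere in the visible listing.
    private const string ContextIndexName = "AntiHttpCrossSiteForgeryRequestModule.CSRFToken";

    /// <summary>
    /// Wires the module's handlers to the application's pipeline events.
    /// </summary>
    /// <param name="context">The application instance whose events are hooked.</param>
    // NOTE(review): the reported error shows the runtime treating Init as security
    // transparent despite the attribute below. Under the level-2 transparency model an
    // assembly loaded with partial trust is treated as fully transparent and
    // critical/safe-critical annotations are ignored, so the attribute cannot satisfy
    // the class-level LinkDemand in Medium trust. Confirm against the deployed trust level.
    [System.Security.SecuritySafeCritical]
    public void Init(HttpApplication context)
    {
        // Each subscription creates a delegate over a LinkDemand-protected method;
        // the first one is where the reported failure is raised.
        context.PreSendRequestHeaders += PreSendRequestHeaders;
        context.PreRequestHandlerExecute += PreRequestHandlerExecute;
        context.AcquireRequestState += AcquireRequestStateExecute;
    }

    /// <summary>
    /// Required by <see cref="IHttpModule"/>; the listing omitted it, so the class did
    /// not satisfy the interface. The visible code holds nothing to release.
    /// </summary>
    public void Dispose()
    {
    }

    /// <summary>
    /// Reads the anti-CSRF cookie from the current request, using the cookie name
    /// from <c>AntiHttpCrossSiteForgeryRequestSettings.Settings</c>.
    /// </summary>
    /// <param name="source">The <see cref="HttpApplication"/> raising the event.</param>
    /// <param name="eventArgs">Unused.</param>
    private static void PreRequestHandlerExecute(object source, EventArgs eventArgs)
    {
        HttpApplication application = (HttpApplication)source;
        HttpContext context = application.Context;

        // First touch of the settings type. The cookie is fetched but never compared
        // with anything in this listing; the validation logic is not shown.
        HttpCookie csrfCookie = context.Request.Cookies[AntiHttpCrossSiteForgeryRequestSettings.Settings.AntiCSRFCookie];
    }

    /// <summary>Handler for AcquireRequestState; empty in this listing.</summary>
    private static void AcquireRequestStateExecute(object source, EventArgs eventArgs)
    {
    }

    /// <summary>Handler for PreSendRequestHeaders; empty in this listing.</summary>
    private static void PreSendRequestHeaders(object source, EventArgs eventArgs)
    {
    }
}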
/// <summary>
/// Configuration section that supplies the names of the anti-CSRF cookie and the
/// anti-CSRF form field, with built-in defaults when the section is absent.
/// </summary>
public sealed class AntiHttpCrossSiteForgeryRequestSettings : ConfigurationSection
{
    // Attribute names used inside the configuration section.
    private const string AntiCSRFCookieNameKey = "antiCSRFC";
    private const string AntiCSRFFormFieldKey = "antiCSRFF";

    // Values applied when an attribute is not configured.
    private const string AntiCSRFCookieDefaultValue = "ANTICSRFC";
    private const string AntiCSRFFormFieldDefaultValue = "ANTICSRFT";

    // Loaded once by the static initializer; stays null when the section is missing
    // or is not of this type (the "as" cast).
    // NOTE(review): an exception thrown by GetSection here surfaces on first use of
    // the type rather than at a call site. In Medium trust, reading a custom section
    // normally needs the section to be declared with requirePermission="false";
    // presumably that is the partial-trust exception the question mentions. Confirm
    // against the application's configSections declaration.
    private static AntiHttpCrossSiteForgeryRequestSettings settings =
        ConfigurationManager.GetSection("AntiHttpCrossSiteForgeryRequestSettings") as AntiHttpCrossSiteForgeryRequestSettings;

    /// <summary>
    /// Gets the CSRF settings, creating an instance populated with the default names
    /// when no configuration section was loaded.
    /// </summary>
    public static AntiHttpCrossSiteForgeryRequestSettings Settings
    {
        get
        {
            if (settings != null)
            {
                return settings;
            }

            // No section in configuration: build one from the defaults and cache it.
            AntiHttpCrossSiteForgeryRequestSettings fallback = new AntiHttpCrossSiteForgeryRequestSettings();
            fallback.AntiCSRFCookie = AntiCSRFCookieDefaultValue;
            fallback.AntiCSRFFormField = AntiCSRFFormFieldDefaultValue;
            settings = fallback;
            return fallback;
        }
    }

    /// <summary>Gets or sets the name of the anti-CSRF cookie.</summary>
    [ConfigurationProperty(AntiCSRFCookieNameKey, DefaultValue = AntiCSRFCookieDefaultValue)]
    public string AntiCSRFCookie
    {
        get
        {
            object cookieName = base[AntiCSRFCookieNameKey];
            return (string)cookieName;
        }

        set
        {
            base[AntiCSRFCookieNameKey] = value;
        }
    }

    /// <summary>Gets or sets the name of the anti-CSRF form field.</summary>
    [ConfigurationProperty(AntiCSRFFormFieldKey, DefaultValue = AntiCSRFFormFieldDefaultValue)]
    public string AntiCSRFFormField
    {
        get
        {
            object fieldName = base[AntiCSRFFormFieldKey];
            return (string)fieldName;
        }

        set
        {
            base[AntiCSRFFormFieldKey] = value;
        }
    }
}
}