Language modifiers such as sealed, public, private, and virtual give you a level of control over the ability of classes to inherit from your class and override its members. However, these modifiers are inflexible, providing no selectivity in restricting what code can extend a class or override its members.
For example, you might want to allow only code written by your company or department to extend business-critical classes. By applying an InheritanceDemand attribute to your class or member declaration, you can specify runtime permissions that a class must have to extend your class or override particular members. Remember that the permissions of a class are the permissions of the assembly in which the class is declared.
Although you can demand any permission or permission set in your InheritanceDemand, it’s more common to demand identity permissions. Identity permissions represent evidence presented to the runtime by an assembly. If an assembly presents certain types of evidence at load time, the runtime will automatically assign the assembly the appropriate identity permission. Identity permissions allow you to use regular imperative and declarative security statements to base security decisions directly on code identity, without the need to evaluate evidence objects directly.
Note: The runtime assigns identity permissions to an assembly based on the evidence presented by the assembly. You cannot assign additional identity permissions to an assembly through the configuration of security policy.
You must use declarative security syntax to implement an InheritanceDemand, and so you must use the attribute counterpart of the permission class that you want to demand. All permission classes have an attribute counterpart that you use to construct declarative security statements. For example, the attribute counterpart of PublisherIdentityPermission is PublisherIdentityPermissionAttribute, and the attribute counterpart of StrongNameIdentityPermission is StrongNameIdentityPermissionAttribute. All permissions and their attribute counterparts follow the same naming convention and are members of the same namespace.
To control which code can extend your class, apply the InheritanceDemand to the class declaration. To control which code can override specific members of a class, apply the InheritanceDemand to the member declaration.
The Example
The following example demonstrates the use of an InheritanceDemand attribute on both a class and a method. Applying a PublisherIdentityPermissionAttribute to the SomeProtectedClass class means that only classes in assemblies signed by the publisher certificate contained in the pubcert.cer file (or assemblies granted FullTrust) can extend the class. The contents of the pubcert.cer file are read at compile time, and the necessary certificate information is built into the assembly metadata. To demonstrate that other permissions can also be used with an InheritanceDemand, the PermissionSetAttribute is used to allow only classes granted the FullTrust permission set to override the method SomeProtectedMethod.
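using System.Security.Permissions;

// Only classes in assemblies signed with the publisher certificate in
// pubcert.cer (or granted FullTrust) can extend this class.
[PublisherIdentityPermission(SecurityAction.InheritanceDemand, CertFile = "pubcert.cer")]
public class SomeProtectedClass
{
    // Only classes granted the FullTrust permission set can override this method.
    // The method is declared virtual so that it can be overridden at all.
    [PermissionSet(SecurityAction.InheritanceDemand, Name = "FullTrust")]
    public virtual void SomeProtectedMethod()
    {
        // Method implementation . . .
    }
}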
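The following audit is an added example, not code from the original text. It assumes the .NET Framework and uses constructed sample types (GuardedBase, UnguardedBase) and a hypothetical helper, ExtensionPointAudit, to list the inheritable classes and overridable methods in an assembly that carry no declarative security at all. The HasSecurity metadata flag it checks is set for any declarative security action, not only InheritanceDemand, so a flagged member still needs a manual look at which action was applied.

```csharp
using System;
using System.Collections.Generic;
using System.Reflection;
using System.Security.Permissions;

// Constructed sample types for the audit (not from the original text).
[PermissionSet(SecurityAction.InheritanceDemand, Name = "FullTrust")]
public class GuardedBase
{
    [PermissionSet(SecurityAction.InheritanceDemand, Name = "FullTrust")]
    public virtual void GuardedMethod() { }

    // No member-level demand: any class allowed to derive can override this.
    public virtual void OpenMethod() { }
}

public class UnguardedBase
{
    public virtual void Run() { }
}

public static class ExtensionPointAudit
{
    // Returns public inheritable classes and overridable methods whose
    // metadata carries no declarative security (HasSecurity flag not set).
    public static List<string> FindUnguarded(Assembly asm)
    {
        const BindingFlags Declared = BindingFlags.Instance | BindingFlags.Public |
                                      BindingFlags.NonPublic | BindingFlags.DeclaredOnly;
        var findings = new List<string>();
        foreach (Type t in asm.GetExportedTypes())
        {
            if (!t.IsClass || t.IsSealed) continue;   // sealed and static classes cannot be extended
            if ((t.Attributes & TypeAttributes.HasSecurity) == 0)
                findings.Add("class " + t.FullName);
            foreach (MethodInfo m in t.GetMethods(Declared))
            {
                bool overridable = m.IsVirtual && !m.IsFinal &&
                                   (m.IsPublic || m.IsFamily || m.IsFamilyOrAssembly);
                if (overridable && (m.Attributes & MethodAttributes.HasSecurity) == 0)
                    findings.Add("method " + t.FullName + "." + m.Name);
            }
        }
        return findings;
    }

    public static void Main()
    {
        foreach (string f in FindUnguarded(Assembly.GetExecutingAssembly()))
            Console.WriteLine("No declarative security on " + f);
    }
}
```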