Why is SecurityCritical applied to ISerializable GetObjectData?

  • Question

  • I ran into a strange problem when trying to convert .Net 2 code to .Net 4.  We implement custom exceptions in our code and have flagged them as Serializable.

    In .Net 4 this results in security exceptions for changes in mode of the security model.  After looking at ISerializable I can see that it does indeed now have the SecurityCritical attribute on it, but why?

    That means I have to modify all my code to also have the SecurityCritical attribute now, won't that fail in Medium Trust now?


    [ComVisible(true)]
    public interface ISerializable
    {
      // Methods
      [SecurityCritical]
      void GetObjectData(SerializationInfo info, StreamingContext context);
    }
    

    Friday, May 28, 2010 9:28 PM

Answers

  • You can try to configure:

    <trust level="___" legacyCasModel="true"  />

    to switch on compatibility mode.

    For subclasses of Exception, there is a new interface and technique provided to get around this issue.  Presumably because this class is the case where developers have most often had to deal with GetObjectData.  See the example here: http://msdn.microsoft.com/en-us/library/system.runtime.serialization.isafeserializationdata.aspx

    Perhaps someone else can shed a lot more light on what is going on here.  I could find practically no information on this new interface by searching the Internet other than the MSDN reference page.

    > That means I have to modify all my code to also have the SecurityCritical attribute now

    Actually overriding GetObjectData is a different matter than marking with the Serializable attribute.  So I think this depends on whether you actually override GetObjectData.  In this case, you should implement ISafeSerializationData instead.

    • Marked as answer by eryang Tuesday, June 8, 2010 5:12 AM
    Saturday, May 29, 2010 3:58 PM
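    The two techniques discussed in this thread side by side, as an added example (not code posted by anyone in the thread and not Microsoft's sample): a custom exception that keeps the .NET 2 style GetObjectData override, which under .NET 4 must itself be marked SecurityCritical to match the interface member and therefore cannot live in transparent (partial-trust) code, and the same exception rewritten with ISafeSerializationData, which needs no override and so carries no critical member. The exception types, the ErrorCode state and the RoundTrip helper are hypothetical names chosen for the illustration.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;
using System.Security;

// Approach 1: the .NET 2 style override. ISerializable.GetObjectData is
// [SecurityCritical] in .NET 4, so the override must be critical as well.
// Transparent code (for example an assembly running under partial trust)
// is not allowed to override a critical member, which is the failure the
// question describes.
[Serializable]
public class LegacyStyleException : Exception
{
    public string ErrorCode { get; private set; }   // hypothetical extra state

    public LegacyStyleException(string message, string errorCode) : base(message)
    {
        ErrorCode = errorCode;
    }

    // Deserialization constructor: restore our extra state after the base class.
    protected LegacyStyleException(SerializationInfo info, StreamingContext context)
        : base(info, context)
    {
        ErrorCode = info.GetString("ErrorCode");
    }

    [SecurityCritical]   // required to match the critical interface member
    public override void GetObjectData(SerializationInfo info, StreamingContext context)
    {
        base.GetObjectData(info, context);
        info.AddValue("ErrorCode", ErrorCode);
    }
}

// Approach 2: ISafeSerializationData. There is no GetObjectData override, so the
// type has no critical members; Exception serializes the state object for us.
[Serializable]
public class SafeStyleException : Exception
{
    [NonSerialized]
    private State _state;

    public SafeStyleException(string message, string errorCode) : base(message)
    {
        _state.ErrorCode = errorCode;
        // Exception raises SerializeObjectState while serializing itself; the
        // handler hands over our state and the runtime serializes it for us.
        SerializeObjectState += (sender, args) => args.AddSerializedState(_state);
    }

    public string ErrorCode { get { return _state.ErrorCode; } }

    [Serializable]
    private struct State : ISafeSerializationData
    {
        public string ErrorCode;

        // Called by the runtime once the base Exception state is restored;
        // re-attach the deserialized state to the new instance.
        void ISafeSerializationData.CompleteDeserialization(object deserialized)
        {
            var ex = (SafeStyleException)deserialized;
            ex._state = this;
        }
    }
}

public static class Demo
{
    // Serialize and deserialize in memory, as .NET 4 era code did with
    // BinaryFormatter (obsolete in current .NET; used here only to show the
    // round-trip on .NET Framework 4).
    public static T RoundTrip<T>(T value)
    {
        var formatter = new BinaryFormatter();
        using (var stream = new MemoryStream())
        {
            formatter.Serialize(stream, value);
            stream.Position = 0;
            return (T)formatter.Deserialize(stream);
        }
    }

    public static void Main()
    {
        var legacy = RoundTrip(new LegacyStyleException("boom", "E42"));
        var safe = RoundTrip(new SafeStyleException("boom", "E42"));
        Console.WriteLine("legacy: " + legacy.ErrorCode);
        Console.WriteLine("safe:   " + safe.ErrorCode);
    }
}
```

    Both types round-trip their extra state; the difference is purely in the security model. If the assembly is fully trusted and not marked transparent, LegacyStyleException loads because all of its code is already critical, whereas SafeStyleException is the one that still works once the assembly becomes transparent, which is why the thread recommends it for Exception subclasses instead of relying on legacyCasModel.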

All replies

  • Hi Jason,

    Did you try BinaryCoder's suggestion? Did it help? Please feel free to let us know if you have any concern.


    Sincerely,
    Eric
    MSDN Subscriber Support in Forum
    If you have any feedback of our support, please contact msdnmg@microsoft.com.
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    Welcome to the All-In-One Code Framework! If you have any feedback, please tell us.
    Thursday, June 3, 2010 2:01 AM