The answer to this question: http://stackoverflow.com/questions/1210609 doesn't really tell me much... it doesn't tell me anything at all, to be blunt.

I came across a blog about performance in .NET and it mentioned this:

Do You Use Declarative Security?

Where possible, it is recommended that you use declarative security instead of imperative security checks. The current implementation of demand provides better performance and support with the security tools that are currently being built to help security audits.

Note that if your security checks are conditional within a method, imperative security is your only option.

Link: http://weblogs.asp.net/sanjeevagarwal/archive/2009/09/09/net-code-performance-tips-part-1.aspx

What does "declarative security" stand for? Can someone give a concrete example?

+3  A: 

In general, it's security based on annotating instead of coding. For example, in .NET you can apply an attribute to a method that causes the generated code to require the caller to have certain rights.

Here's a concrete example: http://www.knowdotnet.com/articles/securityattributes.html

Steven Sudit
Nice one, and a good example.
WebDevHobo
+1  A: 

Declarative features allow the programmer to express intentions at design time. These intentions are enforced internally by the language's engine — in other words, we don't see how it's done. An example would be attributes:

[RequireDeletePermission]
public void DeleteFile( string fileName )
{
}

This declaration states that the DeleteFile method cannot be called without the DeletePermission. (This is a made-up example.) The runtime will enforce this rule for you. No more code is required. SQL permissions also fit into this category.

Policies that you enforce using your own code are called imperative. You can use any language mechanism to accomplish this, but the code itself (as opposed to a built-in construct) expresses your intention. You'll see this kind of thing in SQL triggers, when no formal constraint captures the exact restriction that is required.

-- Imperative rule: after any update, force the image filename to match the item number.
CREATE TRIGGER TR_UPD_fix_image_filename ON products AFTER UPDATE
AS
BEGIN
    UPDATE products SET image = itemnumber + '.jpg' WHERE id IN (SELECT id FROM inserted)
END

(Okay, so it's a dumb example. By design, most typical cases can be handled by constraints.)

harpo
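The same distinction with real .NET Framework types, as an added example that is not part of the original thread: a declarative role demand next to an imperative, conditional one (the case the quoted blog says only imperative security can handle). It assumes .NET Framework, where `PrincipalPermission` demands are enforced by the runtime; the class names, the "Administrators" role, and the file paths are hypothetical.

```csharp
// Added example (not from the thread). Assumes .NET Framework.
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

static class FileService
{
    // Declarative: the attribute is metadata. The runtime checks the caller's
    // role before the method body runs; no check appears in the code itself.
    [PrincipalPermission(SecurityAction.Demand, Role = "Administrators")]
    public static void DeleteFile(string fileName)
    {
        Console.WriteLine("deleted " + fileName);
    }

    // Imperative: the check is ordinary code, so it can depend on arguments.
    // Only sources under the hypothetical "archive/" prefix require the role.
    public static void MoveFile(string source, string target)
    {
        if (source.StartsWith("archive/", StringComparison.Ordinal))
        {
            new PrincipalPermission(null, "Administrators").Demand();
        }
        Console.WriteLine("moved " + source + " -> " + target);
    }
}

static class Program
{
    // Runs an action and reports a failed demand instead of crashing.
    static void Try(string label, Action action)
    {
        try { action(); }
        catch (SecurityException) { Console.WriteLine(label + ": denied"); }
    }

    static void Main()
    {
        // Constructed principal: user "alice" without the Administrators role.
        Thread.CurrentPrincipal = new GenericPrincipal(
            new GenericIdentity("alice"), new[] { "Users" });

        Try("DeleteFile", () => FileService.DeleteFile("report.txt"));
        Try("MoveFile tmp", () => FileService.MoveFile("tmp/a.txt", "b.txt"));
        Try("MoveFile archive", () => FileService.MoveFile("archive/a.txt", "b.txt"));
    }
}
```

Because the declarative demand lives in metadata, audit tooling can list it without executing the method; the imperative demand is only visible by reading the method body.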
A: 

You can look at AOP examples.

In general, declarative implies a code organization in which the code implementing security is detached from the other code (e.g. from business logic). Usually all security artifacts are concentrated in one place, and that simplifies development of both components: business logic and security.

serge_bg