Code Access Security "Direct SQL"

Hossein.K
Microsoft Dynamics AX Code Access Security is used by developers to protect
secured APIs from being invoked by untrusted code (code that does not
originate from the AOT). Code Access Security does this by verifying the
following:

• The code asserted the appropriate permission on the call stack to use
the secured class.

• The assert (the request to use the secured class) is executed in trusted
code and saved in the AOT.

• The assert is executed on the same tier as the secured class.

Code Access Security covers the use of secured classes on the server tier only.
You do not need to modify or mitigate client-only invocations of secured classes.

Code Access Security must be implemented by the secured class owner and all
consumers of the secured class. The owner secures the secured class by
implementing a specific type of permission class and calling the demand()
method on that class. Each class consumer must explicitly request permission to
invoke a secured class by calling the assert() method on the permission class.
Application code will break unless both of these steps are completed.

NOTE: Code Access Security does not guarantee the validity of any data or
parameters passed to the secured class. Data validation is still the responsibility
of the consumer.

There are six groups of protected standard classes in Microsoft Dynamics AX
Code Access Security:

• Direct SQL

• Run-time compilation and execution of X++

• Data-controlled execution of X++

• File handling

• Win32 Interop

• Windows API

When direct SQL is used through the Connection and Statement classes, it is
subject to SQL injection threats. Note that record-level security and
field-level security are not enforced on the Statement class.

static void getCustomersDirectSQL(Args _args)
{
    Connection  userConnection;
    Statement   stmt;
    str         sqlString;

    userConnection = new Connection();
    stmt = userConnection.createStatement();
    sqlString = 'select * from custTable';

    // Assert permission for exactly the statement that is about to be executed.
    new SqlStatementExecutePermission(sqlString).assert();
    stmt.executeQuery(sqlString);

    // Drop the asserted permission once the secured call has been made.
    CodeAccessPermission::revertAssert();
}
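
The job above executes a constant string. When part of the statement comes from input, the SQL injection threat and the consumer's data-validation duty described above both apply. The following job is an added example, not code from the original post: it validates a value, quotes it with SqlSystem.sqlLiteral, and asserts the permission on the final string. The job name, the sample account value and the 20-character limit are assumptions made for illustration.

```xpp
static void getCustomerByAccountDirectSQL(Args _args)
{
    Connection  userConnection;
    Statement   stmt;
    ResultSet   resultSet;
    SqlSystem   sqlSystem;
    str         custAccount;
    str         sqlString;

    // Constructed sample input containing a quote character.
    custAccount = "O'Brien-01";

    // Code Access Security does not validate parameters; the consumer must.
    // The 20-character limit is an assumed bound for the account number.
    if (custAccount == '' || strLen(custAccount) > 20)
    {
        throw error("Invalid customer account.");
    }

    // Never concatenate the raw value into the statement. sqlLiteral()
    // returns it as a quoted, escaped SQL literal.
    // Name the columns you need: field-level security is not enforced
    // on the Statement class, so 'select *' returns every column.
    sqlSystem = new SqlSystem();
    sqlString = strFmt('select ACCOUNTNUM from custTable where ACCOUNTNUM = %1',
                       sqlSystem.sqlLiteral(custAccount));

    userConnection = new Connection();
    stmt = userConnection.createStatement();

    // Assert on the final string, immediately before the secured call,
    // and revert as soon as the call returns.
    new SqlStatementExecutePermission(sqlString).assert();
    resultSet = stmt.executeQuery(sqlString);
    CodeAccessPermission::revertAssert();

    while (resultSet.next())
    {
        info(resultSet.getString(1));
    }

    resultSet.close();
    stmt.close();
}
```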

Best Regards,
Hossein Karimi
