This is preliminary documentation and subject to change.
To comment on this topic, please send us email at ngwssdk@microsoft.com. Thanks!
Declarative security
Declarative security allows both programmers and administrators to define and set security settings of various kinds as attributes associated with code. Since declarative security is represented as attributes of the code rather than being embedded within the code itself, it offers the following advantages over imperative security (runtime security demands by code).
- Declarative security may be browsed through metadata, makes security self-describing
- Declarative security may be added after code is developed by a specialist, or a standard set of declarations defined by an expert can be easily attached to code by other developers
- Declarative security may be modified without requiring code changes
- Future optimizations are possible by analyzing (static) declarative security
Thus, declarative security is preferred when it can be used since – unlike imperative security embedded within code – it is explicitly defined at compile-time, and therefore subject to possible changes and optimizations not available to imperative security which in general being part of the program logic is not really subject to manipulation apart from the code itself.
Declarative security is subject to the following restrictions:
- declarative security may only be applied at the beginning of a method
- all parameters of the declaration must be fixed and known at compile-time
- changing declarative security on assemblies breaks any digital signature (requires re-signing)