Wednesday, July 4, 2018

Code Access Security "Direct SQL"

Microsoft Dynamics AX Code Access Security is used by developers to protect
secured APIs from being invoked by untrusted code (code that does not
originate from the AOT). Code Access Security does this by verifying the
following:

• The code asserted the appropriate permission on the call stack to use
the secured class.

• The assert (the request to use the secured class) is executed in trusted
code that is saved in the AOT.

• The assert is executed on the same tier as the secured class.
Code Access Security covers the use of secured classes on the server tier only.
You do not need to modify or mitigate client-only invocations of secured classes.
Code Access Security must be implemented by the secured class owner and by all
consumers of the secured class. The owner secures the secured class by
implementing a specific type of permission class and calling the demand()
method on that class. Each consumer must explicitly request permission to
invoke the secured class by calling the assert() method on the permission class.
Application code will break unless both of these steps are completed.


NOTE: Code Access Security does not guarantee the validity of any data or
parameters passed to the secured class. Data validation is still the responsibility
of the consumer.

There are six groups of protected standard classes in Microsoft Dynamics AX
Code Access Security:

• Direct SQL

• Run-time compilation and execution of X++

• Data-controlled execution of X++

• File handling

• Win32 Interop

• Windows API

When direct SQL is used through the Connection and Statement classes, it is
subject to SQL injection threats. Note that record-level security and
field-level security are not enforced on the Statement class.


static void getCustomersDirectSQL(Args _args)
{
  Connection userConnection;
  Statement stmt;
  str sqlString;
  ;

  userConnection = new Connection();
  stmt = userConnection.createStatement();
  sqlString = 'select * from custTable';

  // Consumer side of Code Access Security: assert the permission for this
  // exact statement before invoking the secured Statement class.
  new SqlStatementExecutePermission(sqlString).assert();
  stmt.executeQuery(sqlString);

  // Remove the assert from the call stack as soon as the secured call is done.
  CodeAccessPermission::revertAssert();
}
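The injection risk mentioned above, as an added example that is not part of the original post: the same customer lookup written once with direct SQL built from caller-supplied text (the pattern CAS does not protect against, because assert() only checks who is calling, not what the statement contains) and once as an X++ select, which binds the value instead of assembling SQL text and keeps record-level and field-level security in force. The hostile accountNum value is constructed for the illustration.

```xpp
static void customerLookupExample(Args _args)
{
    Connection  userConnection;
    Statement   stmt;
    ResultSet   resultSet;
    str         sqlString;
    str         accountNum = "4000' OR '1'='1";  // constructed hostile input
    CustTable   custTable;
    ;

    // 1. Vulnerable: untrusted text is concatenated straight into the SQL.
    //    The assert proves the caller is trusted AOT code; it does not
    //    inspect or sanitize the statement, so the injected predicate is
    //    sent to SQL Server as-is and the query returns every customer.
    userConnection = new Connection();
    stmt           = userConnection.createStatement();
    sqlString      = "select ACCOUNTNUM from CUSTTABLE where ACCOUNTNUM = '"
                   + accountNum + "'";
    new SqlStatementExecutePermission(sqlString).assert();
    resultSet = stmt.executeQuery(sqlString);
    while (resultSet.next())
    {
        info(strFmt("Direct SQL returned %1", resultSet.getString(1)));
    }
    CodeAccessPermission::revertAssert();

    // 2. Hardened: express the query in X++. accountNum is passed to the
    //    kernel as a value, never as SQL text, no CAS assert is needed, and
    //    record-level and field-level security apply to the result.
    while select AccountNum from custTable
        where custTable.AccountNum == accountNum
    {
        info(strFmt("X++ select returned %1", custTable.AccountNum));
    }
}
```

Where direct SQL cannot be avoided, the consumer must validate the input itself before building the string, since (as the note above says) Code Access Security never validates parameters.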

Best Regards,
Hossein Karimi
