Microsoft KB Archive/326971

= PRB: You Cannot Use XML Serialization on a Class with Declarative Security =

Article ID: 326971

Article Last Modified on 6/29/2004


APPLIES TO


 * Microsoft .NET Framework 1.0 Service Pack 2
 * Microsoft .NET Framework Class Libraries 1.1
 * Microsoft .NET Framework Class Libraries 1.0
 * Microsoft .NET Framework 1.0 Service Pack 1




This article was previously published under Q326971



SYMPTOMS
The XmlSerializer class (in the System.Xml.Serialization namespace) does not support serializing class members that have declarative security attributes. This prevents the XmlSerializer class from accidentally circumventing certain kinds of declarative security. If an XmlSerializer is constructed for a type that contains members with declarative security attributes, it throws an exception, and you receive an exception error message that is similar to the following:

The property "..." on type "..." cannot be serialized because it is decorated with declarative security permission attributes.



STATUS
This behavior is by design.



MORE INFORMATION
For example, TestClass has a Password property that has declarative security attributes:

    public class TestClass
    {
        string password;

        public string Password
        {
            // Declarative demand on the get accessor
            [SecurityPermission(SecurityAction.Demand, Flags=SecurityPermissionFlag.UnmanagedCode)]
            get { return password; }
            // Declarative demand on the set accessor
            [SecurityPermission(SecurityAction.Demand, Flags=SecurityPermissionFlag.UnmanagedCode)]
            set { password = value; }
        }
    }

The following code uses the XmlSerializer to serialize an object of TestClass:

    using System;
    using System.Xml.Serialization;
    using System.IO;
    using System.Security.Permissions;

    namespace ConsoleApplication1
    {
        public class TestClass
        {
            string password;

            public string Password
            {
                [SecurityPermission(SecurityAction.Demand, Flags=SecurityPermissionFlag.UnmanagedCode)]
                get { return password; }
                [SecurityPermission(SecurityAction.Demand, Flags=SecurityPermissionFlag.UnmanagedCode)]
                set { password = value; }
            }

            static void Main(string[] args)
            {
                try
                {
                    TestClass tc = new TestClass();
                    tc.Password = "mypassword";
                    // This line throws an exception because of the declarative security
                    // on the get and set methods of TestClass.Password
                    XmlSerializer s = new XmlSerializer(typeof(TestClass));
                    s.Serialize(Console.Out, tc);
                }
                catch (Exception e)
                {
                    // ToString() prints the full exception information
                    Console.WriteLine(e.ToString());
                }
                Console.Read();
            }
        }
    }

This code throws an exception, and you receive an exception error message that is similar to the following:

The property 'Password' on type 'ConsoleApplication1.TestClass' cannot be serialized because it is decorated with declarative security permission attributes. Consider using imperative asserts or demands in the property accessors.

To serialize TestClass with the XmlSerializer, you must use an imperative Demand method instead of a declarative Demand method. For example:

    public class TestClass1
    {
        string password;

        public string Password
        {
            get
            {
                // Imperative demand: runs inside the accessor body
                new SecurityPermission(SecurityPermissionFlag.UnmanagedCode).Demand();
                return password;
            }

            set
            {
                new SecurityPermission(SecurityPermissionFlag.UnmanagedCode).Demand();
                password = value;
            }
        }
    }

You can serialize the object of TestClass1 with the XmlSerializer without any exception.

NOTE: The System.Exception class has a few properties with declarative security attributes. When you use XmlSerializer to serialize an Exception object, an exception is raised, and you receive an exception error message that is similar to the following:

"The property 'Source' on type 'System.Exception' cannot be serialized because it is decorated with declarative security permission attributes."

You receive this message when the full Exception information is returned:

    catch (Exception e)
    {
        Console.WriteLine(e.ToString());
    }

If you return only the exception's error message, you receive only the following error message:

There was an error reflecting 'System.Exception'.
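The following is an added example, not code from the original article or from Microsoft: a reflection pre-check that lists properties whose accessors carry declarative security before an XmlSerializer is constructed, plus a helper that prints the whole InnerException chain so that the specific reason is logged rather than only the outer "error reflecting" message. The names SerializerPreflight, FlaggedProperties and DescribeChain are hypothetical, generics require .NET Framework 2.0 or later, and treating MethodAttributes.HasSecurity as the marker for declarative security is an assumption of this example, not a description of how XmlSerializer performs its own check.

```csharp
using System;
using System.Collections.Generic;
using System.Reflection;
using System.Security.Permissions;
using System.Text;
using System.Xml.Serialization;

public class TestClass   // same shape as the article's failing class
{
    string password;
    public string Password
    {
        [SecurityPermission(SecurityAction.Demand, Flags = SecurityPermissionFlag.UnmanagedCode)]
        get { return password; }
        [SecurityPermission(SecurityAction.Demand, Flags = SecurityPermissionFlag.UnmanagedCode)]
        set { password = value; }
    }
}

public static class SerializerPreflight   // hypothetical helper, not a framework type
{
    // Names of public instance properties with an accessor that carries
    // declarative security metadata (assumption: MethodAttributes.HasSecurity).
    public static List<string> FlaggedProperties(Type type)
    {
        List<string> flagged = new List<string>();
        foreach (PropertyInfo p in type.GetProperties(BindingFlags.Public | BindingFlags.Instance))
            foreach (MethodInfo accessor in p.GetAccessors(true))
                if ((accessor.Attributes & MethodAttributes.HasSecurity) != 0)
                {
                    flagged.Add(p.Name);
                    break;   // one hit per property is enough
                }
        return flagged;
    }

    // One line per exception in the InnerException chain, outermost first.
    public static string DescribeChain(Exception e)
    {
        StringBuilder sb = new StringBuilder();
        for (Exception cur = e; cur != null; cur = cur.InnerException)
            sb.AppendLine(cur.GetType().FullName + ": " + cur.Message);
        return sb.ToString();
    }

    public static void Main()
    {
        foreach (string name in FlaggedProperties(typeof(TestClass)))
            Console.WriteLine("Declarative security on TestClass." + name);
        try { new XmlSerializer(typeof(TestClass)); }
        catch (Exception e) { Console.Write(DescribeChain(e)); }
    }
}
```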

Keywords: kbprb KB326971


© Microsoft Corporation. All rights reserved.