Mark Wilson I am the creator of TopXML. I am available for international and local (Australia) contracts. I am a Solution Architect/Business Analyst. I have worked in IT in several countries (NZ, Australia, South Africa, UK) building and training teams for government and very large non-governmental organizations. I am ex-Microsoft Consulting Services. I wrote the first book on Microsoft XML published in 2000 called XML Programming with VB and ASP. Most recently I have been building tools for the SEO industry. Ask me for a 37 point SEO health-checkup for your website.
First posted :
03/24/2008
Times viewed :
304
The SoapFormatter
The SoapFormatter
class handles serialization of object graphs to SOAP format. It produces SOAP
messages complete with the envelope, the body and, optionally, application
specific header tags. In reverse, the SoapFormatter can turn a SOAP message
into a live object that our applications can easily access. Message
deserialization also allows access to any custom SOAP headers a message might
contain.
Table The SoapFormatter constructors allow some degree of
control to override default serialization behavior
Constructor
Description
public SoapFormatter();
Instantiates a new SoapFormatter object
public SoapFormatter(ISurrogateSelector selector,
StreamingContext context);
Instantiates a new SoapFormatter object and specifies
alternate serialization handler classes for certain types in certain
contexts.
Using the SoapFormatter
in our applications is very simple. We have to add a reference to the System.Runtime.Serialization.Formatters.Soap
library and our applications can instantiate SoapFormatter objects. In the Visual
Studio.NET IDE we add references using the References menu in the Solution
Explorer window. If we invoke the complier from a shell-script or the
command-line we need to add the /r command-line option.
The syntax for serializing and deserializing objects with the
SoapFormatter
is very similar to the XmlSerializer
but there are far fewer requirements on the types that the SoapFormatter
can process. The XmlSerializer
only processes publicly accessible members of a type and classes must provide a
default constructor to instantiate objects the “regular” way. The behavior of
the SoapFormatter
is very different. It takes an accurate snapshot of the all fields, public and
private, of the object being serialized. The generated XML contains the
complete object graph, with all references intact. Even cyclical references are
properly resolved and reflected in the output document. When the SOAP message
is deserialized later on, the entire object graph is reconstructed and all
relationships are restored. The .NET remoting architecture leverages this
functionality to transmit objects from one process to another, regardless if
they are running on the same computer or on a different one across the
internet. This process is also referred to as Marshal-By-Value or MBV.
These powerful capabilities come at a price: Running the SoapFormatter
requires a special security permission, the Serialization Formatter permission,
because the formatter accesses private data members. The .NET security
infrastructure by default only grants this permission to locally installed
applications. Applications installed over a network or running from a WebServer
are not considered to be trustworthy and cannot access to private data members.
Starting an application linked against the SoapFormatter’s assembly even fails
with a SecurityException
if the Serialization Formatter permission is not granted to the application.
Furthermore, the SoapFormatter
checks if the active permission set includes the Serialization Formatter
permission every time it executes. If this permission is not available it also
throws a SecurityException.
The.NET security model groups multiple permissions to a
permission set. These permission sets can be granted at different levels: to
different users running programs on a computer or dependent on whether an
application is installed locally or was downloaded across a network,
specifically the internet. By default only the permission set for fully trusted
applications, i.e. locally installed applications, grants the permission to run
the SoapFormatter.
Modifying the active permission set is a little bit tricky
and you really need a basic understanding of the .NET code access security
model. The .NET Framework supplies a tool to add a modify permission sets and
apply them to pre-defined security zones. The tool is implemented as a MMC
snap-in called mscorcfg.msc, which is located in the Microsoft.NET folder of
your Windows installation directory. You can invoke it through the shortcut in
the “Administrative Tools” section of the Windows Control Panel or directly
from the command-line.
The tool allows you to create and edit your own permission
sets, the system supplied ones are read-only. If you need to alter the default
permissions you have to create your own permission set first. You can create
one from scratch or by selecting “Duplicate” from the context menu. Once you
have an editable permission set you can select “Change Permissions…” from the
context menu, double-click on “Security” on the list of available permissions
and modify the “Enable serialization formatter” option as shown in figure 13.2.
Then click on OK and you the new permission set is ready.
Figure The Permission viewer dialog displays and allows editing
a permission set. The Serialization Formatter permission has to be granted for
runtime serialization to work. Be default this permission is disabled in
untrusted security zones, e.g the Internet Zone.
Finally, you have to assign the new permission set to the
Code Group active in your environment. Select the Code Group you would like to
modify under the “Runtime Security Policy” node, click on the “Edit Code Group
Properties” link on the right hand menu and assign your permission set on the
Permission Set tab. This is enough of a trip into .NET security land, let’s go
back to serialization.
