System.Security (mscorlib.dll)interface
public interface IStackWalk {
// Public Instance Methods
   public void Assert(  );
   public void Demand(  );
   public void Deny(  );
   public void PermitOnly(  );

Permission classes that use stack walks to resolve security demands implement the IStackWalk interface. These include the PermissionSet class, as well as the CodeAccessPermission class, from which all standard code-access and identity permissions inherit.

IStackWalk defines the Demand( ) method, which duplicates the method of the same name defined in the IPermission interface. However, the IStackWalk.Demand( ) method initiates a stack-walk-based security demand, whereas IPermission.Demand( ) is not intended to use the call stack to resolve security demands. The Assert( ), Deny( ), and PermitOnly( ) methods annotate the call stack frame of the code from which they are executed, and affect the stack walk process initiated by a Demand( ) call.

Assert( ) allows code to vouch for the permissions of the callers above it on the call stack. During a stack walk, if a demanded permission matches, or is a subset of, the asserted permission, the stack walk terminates successfully without evaluating further stack frames. If the asserted permissions provide only a partial match of those demanded, the stack walk continues but only for the remaining unasserted permissions. Code must have been granted a permission in order to assert it, and the code must have the permission to assert defined by the System.Security.Permissions.SecurityPermission class.

Deny( ) has the opposite effect of Assert( ). If the demanded permission matches, or is a subset of the denied permission, the stack walk is terminated, and the runtime throws a SecurityException to the code that initiated the Demand( ).

PermitOnly( ) functions as an inverted Deny( ). Instead of specifying the permissions that should terminate a stack walk, PermitOnly( ) specifies those permissions that permit the stack walk to continue unaffected. PermitOnly( ) provides a more concise way of denying large sets of permissions without the need to specify them all in a Deny( ) override.

Implemented By

CodeAccessPermission, PermissionSet

    Part V: API Quick Reference