SerializationBinder in runtime serialization

The BinaryFormatter and SoapFormatter both let you specify a SerializationBinder. Each time a type is being deserialized, the BindToType method on the registered binder is invoked. This gives you the opportunity to load your own custom type instead of relying on the default type loading done by the serialization engine (which, in essence, calls Assembly.Load). This feature helps in a couple of scenarios:

1. Versioning: If you have versioned a type and now want to deserialize into either the older or the newer version of it, you can use the binder to load the appropriate type.

2. Security: Deserializing data from an untrusted source can expose you to security exploits. The binder gives you an opportunity to inspect which types are being loaded into your AppDomain. You can then maintain either a black list of denied types or a white list of allowed types, and restrict which types get loaded and instantiated.
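As an added illustration of the second scenario (example code written for this post, not from the original article or the .NET Framework itself), here is a white-list binder: BindToType returns the Type object explicitly for the one allowed type and refuses everything else, so the formatter never reaches Assembly.Load for an unexpected type name. The `Greeting` and `Other` classes are hypothetical payload types used only for the demonstration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

[Serializable] public sealed class Greeting { public string Text; } // allowed (hypothetical)
[Serializable] public sealed class Other { public int Value; }      // not allowed (hypothetical)

// White-list binder: the formatter calls BindToType once per type found in the stream.
public sealed class AllowListBinder : SerializationBinder
{
    private readonly Dictionary<string, Type> _allowed =
        new Dictionary<string, Type>(StringComparer.Ordinal);

    public AllowListBinder(params Type[] allowed)
    {
        foreach (Type t in allowed) _allowed[t.FullName] = t;
    }

    public override Type BindToType(string assemblyName, string typeName)
    {
        Type t;
        if (_allowed.TryGetValue(typeName, out t))
            return t; // known type: hand back the Type directly, no Assembly.Load

        // Unknown type name: refuse to load or instantiate it at all.
        throw new SerializationException(
            "Type '" + typeName + "' from '" + assemblyName + "' is not on the allow list.");
    }
}

public static class Program
{
    private static byte[] ToBytes(object o)
    {
        using (var ms = new MemoryStream()) { new BinaryFormatter().Serialize(ms, o); return ms.ToArray(); }
    }

    public static void Main()
    {
        var formatter = new BinaryFormatter { Binder = new AllowListBinder(typeof(Greeting)) };

        // Allowed type: deserializes normally.
        var g = (Greeting)formatter.Deserialize(new MemoryStream(ToBytes(new Greeting { Text = "hi" })));
        Console.WriteLine("loaded Greeting: " + g.Text);

        // Disallowed type: the binder rejects it before any instance is created.
        try { formatter.Deserialize(new MemoryStream(ToBytes(new Other { Value = 1 }))); }
        catch (SerializationException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

A white list like this is preferable to a black list: a black list silently admits every type you did not think to name, whereas the allow-list binder defaults to refusal.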