What it Code Access Security (CAS)? And why is it important to me?

Well, the simplest definition can be found in the name itself, what resources are you code allowed to access (Code Access Security). Will your code be allowed to access local files? The registry? SQL Server? These are questions that you should be asking yourself when you are designing your application but far too often, security is just an afterthought it the design process.

CAS is also sometimes called evidence-based security. To determine the access your code possesses, the Common Language Runtime (CLR) evidence it gathers about assemblies. This "evidence" is determined by a number of factors.

• Where did the code come from?
  • The site, URL, Zone, and Application Directory.
• What does the assembly contain?
  • Evidence Hash (Not the Strong Name Hash)

  The Hash evidence is simply a compact identifier that uniquely identifies a particular compilation of a component. The Hash evidence is added by the assembly loader to all assemblies and allows security policy to recognize particular builds of an assembly, even when the assembly version numbers have not changed.

  A hash value represents a unique value that corresponds to a particular set of bytes. Rather than referring to an assembly by name, version, or other designation, a hash value designates the assembly without ambiguity. Names are subject to collisions in rare cases where the same name is given to completely different code. Different variations of code can accidentally be marked with the same version. However, even changing a single bit results in a very different hash value.

  Hash values are a cryptographically secure way to refer to specific assemblies in policy without the use of digital signatures. A secure hash algorithm is designed so that it is computationally infeasible to construct a different assembly with the identical hash value by either an accidental or malicious attempt. By default, evidence from the SHA1 and MD5 hash algorithms is supported, although any hash algorithm can be used through GenerateHash.

• Who wrote the code :
  • Is the assembly Strongly Named? If so, what is the Strong Name?
  • Who is the publisher of the assembly? Is it digitally signed?

Evidence is where CAS starts. It is the who, what, where and why of your code. Let's talk about the about the different types of evidence.

The assembly loader works with the first four parts of the evidence, the Site, URL, ZONE, and Application directory. All four of these are derived by the CODEBASE URL. The URL evidence is the simplest since it is just be the URI of the assembly. The site evidence is derived from the URL. If the URL of the assembly is http://www.DotNetDoc.com/downloads/samplestuff.dll then the Site evidence will be www.DotNetDoc.com. But if the assembly is file based (C:\MyStuff\AndThings\samplestuff.dll) then this evidence will be blank. The Zone evidence also comes from the URL but is divided into five possible Zones :

• My Computer – All code loaded from local file system
• Intranet – All code loaded off of a remote file system using mapped drives
• Trusted – IE Mapped Trusted Sites
• Internet – All code loaded off the internet
• Not Trusted – IE Mapped Not Trusted Sites

The final location-based evidence is ApplicationDirectory. This evidence specifies the base directory for running the application. This is usually used to grant special permissions to assemblies that are run from the same location as the base application.

I hate to steal a blog post but Scott Hanselman always finds the coolest tools.
http://www.hanselman.com/blog/BinaryFortressSoftwaresASPNETViewStateHelperATreasureTroveOfTools.aspx

This time it is binary fortress. It is a tool for viewing View State. It is easy to use and to the point.

Thanks for pointing it out Scott.

Doc

Well, I finally did it, I set up my office 2007 to allow me to blog from word. It is pretty Cool.

It allows me to easily cross stuff things words out. Color how I want. Add pictures with cut and paste. Using Snag-it.

UPDATE : Can't seem to publish pictures yet….hmmmmm… I wonder why

UPDATE 2: User Error… I did not format my FTP String Correctly

And format them however I want.

I can select specific categories but the best thing is the fact that I get SPELL CHECK!!! I really need this ;)

Pretty cool stuff…. I use das Blog so I upgraded to the 1.9 version and used this tutorial to get it done.

http://www.colinneller.com/blog/SyndicationService.asmx/GetRssCategory?categoryName=Office

Happy Programming

Doc

I have had a heck of a problem with Adobe on my system and it was driving me crazy. It would work as a stand-alone program, but whenever I tried to open up a PDF file through IE, it would lock up first IE and then Regular Explorer.  So you would think I could just uninstall and re-install right???

Well you would be wrong. First, when I tried to uninstall, it told me that I was missing a patch file and would have to abort......Great....just what I wanted....

So I found this tool from MS that allows you to remove items that were installed using Windows Installer

http://support.microsoft.com/default.aspx?kbid=290301

It seems pretty straight forward, Click on the program and select Remove.

That went pretty smooth. But then when trying to re-install Adobe Acrobat version 8 (The current version), I could not get the Adobe downloader to work.

What a pain !!!!!!!!!!!

Well, to make a long story short.... I am sure there is a work-around to this.... but I instead found a stand-alone installer at this link.

http://ardownload.adobe.com/pub/adobe/reader/win/7x/7.0.8/enu/AdbeRdr708_en_US.exe

It is only 7.0.8, but at least my system doesnt crash now :).   Maybe when I have time I will troubleshoot this more.

Happy (or not so happy) programing.

Doc

So I have mentioned before that LADotNet.org runs a Masters Series on Saturdays and this Saturday is no different. This week it is being presented by Ken Getz. Ken is a great presenter and we are glad to have him back in California (Sorry Florida). Anyway, as he was going through delegates and events and he covered something I was not aware of.

Anonymous Delegates. Whenever I used delegates in the past, I aways had a method that could be passed that would handle the call. You can also pass a proceedure or "Block of Code" instead of passing a pointer to a method like below. (Both C# and VB)

.Net Ought To Know #7 : What is a PID? How is it useful when troubleshooting a system?

If you have ever used the task manager (right-click on start bar and select Task Manager) and gone to the Process tab, then you have seen the processes that are running on your system. The default set-up of the task manager does not show the PID or Process ID. To add this, go to View/Add Columns on the menu and check the box next to PID(Process Identifer).

The PID is an integer that is assigned to each process in your operating system.It is usefull when you need to diagnose problems with your application since it allows you to uniquely identify each process.

In the .Net framework, you can access this information by using the System.Diagnostics namespace.

Doc

.Net Ought To Know #6 : Corillian's product is a "Component Container." Name at least 3 component containers that ship now with the Windows Server Family?

The answer to the question is not that tough so I thought we would go a little deeper and talk about Components, Controls, and Containers Oh My!! (Sorry I couldn't resist). In the .Net Framework, simply put, a component is a class that implements the System.ComponentModel.IComponent interface or derives from a class that does. A component is something that can be reused. C# is considered a component-oriented language. Re-use is everything in component-oriented design. Putting together pre-tested parts is faster and cheaper then coding it yourself. So to summertime, a component is any class that directly or indirectly implements the IComponent Interface. A component can be added to the toolbox and dragged and dropped onto a form.

A control on the other hand is a component that provides a UI. To do this you need to implement System.Windows.Forms.Control OR System.Web.UI.Control. So a control is basically a component that has visual properties.

This finally leads us to the answer to this question. You need a place to hold your components and controls. This is done in a Container. A Container is a class that implements the System.ComponentModel.IContainer interface (directly or indirectly). Since this container holds your controls, it is easy to access the controls dynamically.

So you tell me now, this should be easy. What are 3 containers in then Windows Server Family?

Happy Programming.

Doc

.Net Ought To Know #5 : What is strong-typing versus weak-typing? Which is preferred? Why?

In strongly-typed programming languages you usually have to declare variables prior to using them. Strong-typing is the strict enforcement of [type] rules. All types (int, short, long, string) are know at compile time and are statically bound. So C# is a strongly-typed language because variables must be assigned a type before you use them. If you came from the ASP world then you will remember having to use either Javascript or VBScript. Variables that you declare in either of those languages can hold any data type which makes it weakly-typed.

But lets take this up a level. Instead to talking about programming languages, lets talk about strongly-typed/weakly-typed objects. The DataSet object is a great example. If we use a weakly-typed dataset, the developer needs to know the name of the table and the name of the field being requested. Since we are just passing strings, this code will compile and will not show any possible problems (like typing the name of the table wrong) until run time.

If our Dataset is Strongly-Typed, we are able to access the names of the tables and columns directly. Any errors are caught at compile time.

I am not really going to argue which is better, I will leave that up to you. I will leave you with this question though; would you rather catch your errors at compile time, or run-time?

Happy Programming.

Doc

Setting up membership for your ASP.Net website is pretty simple. All you need to do is:

1.  run the scripts using the aspnet_regsql.ext tool (C:\WINDOWS\Microsoft.Net\Framework\v2.0.50727\aspnet_regsql.exe    your version number may be diferent) to set up the database tables.
2. Add a membership section to your web.config. Making sure that you add the <clear/> tag since you need to override the machine.config.
   
   

      41     <membership>

      42       <providers>

      43         <clear/>

      44         <add name="AspNetSqlMembershipProvider"

      45                   type="System.Web.Security.SqlMembershipProvider,
                            System.Web, Version=2.0.0.0, Culture=neutral,
                            PublicKeyToken=b03f5f7f11d50a3a"

      46                   connectionStringName="LocalSqlServer"

      47                   enablePasswordRetrieval="false"

      48                   enablePasswordReset="true"

      49                   requiresQuestionAndAnswer="true"

      50                   applicationName="/"

      51                   requiresUniqueEmail="false"

      52                   minRequiredPasswordLength="1"

      53                   minRequiredNonalphanumericCharacters="0"

      54                   passwordFormat="Hashed"

      55                   maxInvalidPasswordAttempts="5"

      56                   passwordAttemptWindow="10"

      57                   passwordStrengthRegularExpression="" />

      58       </providers>

      59     </membership>

      60   </system.web>
   
   

3. Add a connection string once again using the <clear/>  tag to clear out the machine.config settings. (I will tell you why soon) 
   
   

      16   <connectionStrings>

      17     <clear/>

      18     <add name="LocalSqlServer" connectionString="Data
                Source=xxx;Initial Catalog=xxx;Persist Security
                Info=True;User ID=xxxx; password=xxx" />

      19   </connectionStrings>
   
   
   

4. Then load up the Web Site Administration Tool by going to Website\Asp.Net Configuration in VS2005.

5. You will then be about to configure your membership using SQL2000/2005 using this tool.