The Artima Developer Community
.NET Buzz Forum
The .NET with ES/COM+ Security Story?

Sam Gentile

Sam Gentile is a Microsoft .NET Consultant who has been working with .NET since the earliest
The .NET with ES/COM+ Security Story? Posted: Nov 15, 2003 6:20 AM

This post originated from an RSS feed registered with .NET Buzz by Sam Gentile.
Original Post: The .NET with ES/COM+ Security Story?
Feed Title: Sam Gentile's Blog
Feed URL: http://samgentile.com/blog/Rss.aspx
Feed Description: .NET and Software Development from an experienced perspective - .NET/CLR, Rotor, Interop, MC+/C++, COM+, ES, Mac OS X, Extreme Programming and More!

Robert has been doing some great work for us this week in the area of .NET CAS end to end security and with ES/COM+. ES, since it has some unmanaged code underneath (not all because it does clever stuff to avoid one of the transitions) seems to be the kink in the .NET CAS story. Basically, you can use CAS (and Roles) but when you get to an ES boundary the security thread is completely dropped! It is not propagated. As he said in the earlier post, we are setting up ASP.Net pages with Partial Trust (this is only allowed in 1.1). In order to call Fully Trusted GAC-installed ES/COM+ components from Partially Trusted ASP.Net pages, we have to use a sandbox wrapper component that is also installed in the GAC with Full Trust, but with the AllowPartiallyTrustedCallersAttribute.

He found this:

There are some limitations to COM+ 1.0 security interoperability. COM+ 1.0 security properties are not propagated across process or machine boundaries or to newly created execution threads within managed code. [Emphasis mine] COM+ 1.0 security services can only be used by managed code on Windows 2000 systems.

And as he said “I have not found any specific COM+ 1.5 information that gives a different spin on this (as you may know, COM+ 1.0 is used on Windows 2000 only, and COM+ 1.5 is used on Windows XP/2003 only).”

He was able to successfully create an ASP.NET demo page this week marked with Partial Trust, and created a sandbox wrapper GAC assembly marked with the “AllowPartiallyTrustedCallersAttribute”, and called a Full Trust ES/COM+ component. Next, he is testing the best way to set up security through all layers when you use ASP.NET and ES/COM+.

I am surprised he is not getting any comments and we have not been able to find anything out there. The Microsoft Designing Secure ASP.NET Apps books don't help as they punt ES. Is no one else doing this? Are we on the frontier? I can't believe no one has tried to build a 4-tier .NET architecture/system and use ES and have CAS and role based security and not run into these walls at 100 MPH...
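
The sandbox wrapper layout described in the post, as an added example that is not code from the post or from Robert's demo. The type names, role name and COM+ application name are assumptions, and the listing holds two source files that build into two separate strong-named GAC assemblies.

```csharp
// File 1: Orders.Wrapper.cs -> strong-named GAC assembly, Full Trust (hypothetical names)
using System.Security;
using System.Security.Permissions;

// Allows Partial Trust ASP.NET pages to call into this strong-named assembly.
[assembly: AllowPartiallyTrustedCallers]

public sealed class OrderGateway
{
    private OrderGateway() {}

    public static string GetStatus(int orderId)
    {
        // Authorize on this side of the boundary: the caller's CAS context
        // is not propagated into ES/COM+. Role name is an assumption.
        new PrincipalPermission(null, "OrderClerks").Demand();

        // Assumption: ES demands would otherwise walk up to the Partial Trust page.
        // Assert stops the stack walk at this Full Trust frame.
        new PermissionSet(PermissionState.Unrestricted).Assert();
        try
        {
            using (OrderComponent c = new OrderComponent())
                return c.GetStatus(orderId);
        }
        finally
        {
            CodeAccessPermission.RevertAssert();
        }
    }
}

// File 2: Orders.Services.cs -> separate strong-named GAC assembly, registered in COM+
using System.EnterpriseServices;

[assembly: ApplicationName("OrdersApp")]
[assembly: ApplicationActivation(ActivationOption.Server)]
[assembly: ApplicationAccessControl(true)]

[ComponentAccessControl]
[SecurityRole("OrderClerks")]
public class OrderComponent : ServicedComponent
{
    public string GetStatus(int orderId)
    {
        // COM+ role checks here use the caller's Windows identity, not CAS evidence.
        return "order " + orderId + ": open";
    }
}
```

Because the wrapper is the only thing standing between Partial Trust callers and the Full Trust component, every public method on it needs its own authorization check before the Assert, and the asserted permission set should be narrowed once the exact demands made by ES are known.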
