Developing Windows and Web Applications using Visual Studio'NET

1 / 61

About This Presentation

Title:

Developing Windows and Web Applications using Visual Studio'NET

Description:

Developing Windows and Web Applications using Visual Studio'NET – PowerPoint PPT presentation

Number of Views:43

Avg rating:3.0/5.0

Slides: 62

Provided by: Tatham

more less

Transcript and Presenter's Notes

Title: Developing Windows and Web Applications using Visual Studio'NET

1
Developing Windows and Web Applications using
Visual Studio.NET
Part 1 Developing Windows Applications using
Visual Studio.NET

Session 4 Deployment and Security of
Windows Forms (in C 2005)

Presented byMarten Ataalla (MartenAtaalla_at_ssw.
com.au) Eric Phan (EricPhan_at_ssw.com.au)
2
About Marten

Senior Software Architect at SSW
Specialize in
Application Deployment
SQL Reporting Services
Software Auditing
SharePoint 2003 2007
Speaker at Sydney .Net Usergroups UTS lectures

3
Admin Stuff

Attendance
You initial sheet
Hands On Lab
You get me to initial sheet
Homework

4
Session 4 Deployment Security

Agenda
Part 1 Deployment of .NET Winforms apps
History
Deployment Updates
Security
Issues Warnings
Part 2 Security
Role-based security
Authentication and Authorization
Impersonation
Code Access Security
Assembly Strong Naming

5
Part 1

ClickOnce

6
Windows vs Web forms

Which side are you on? Why?

7
ClickOnceThe Best of both Worlds
Click Once
Windows Forms
Web Forms
Rich UserExperience
NetworkDependency
Tough ToDeploy
Easy To Update
Offline Capable
Tough To Update
Limited UserExperience
Easy To Deploy
High User Productivity
Easy To Manage
Fragile DLL Hell
Responsive Flexible
Complex To Develop
8
ClickOnceThe Best of both Worlds

Which side are you on now?

ClickOnce
Web Apps
9
History

Remember the good old Windows Installer?
Lets compare it to ClickOnce

10
History Feel the pain Windows Installer vs
ClickOnce
11
History Feel the pain.Net 1.x HREFing .EXEs

The.NET Framework must be already installed
Only available offline if you are Working
Offline
Your application will run on the client as
partially trusted code only.
Bad performance as the executable will try to
load several DLLs with localization resources
No way to guarantee that all your files are
indeed downloaded your client may be stuck with
a "half updated" application.
Your application won't have a shortcut in the
desktop or the Start menu.

12
History Feel the painUpdater Application Block

You must change your application substantially in
order to use it
Needed to write to C\Program Files\
It runs as a fully trusted local application, so
it pretty much ignores code access security
It's not supported by Microsoft.
Since it uses BITS to download the application
pieces, it does not run under Windows 98/ME.
However, Jamie Cool has a work around .NET
Application Updater Component http//www.windowsf
orms.net/articles/appupdater.aspx

13
Demo

SSW Diagnostics install

14
Demo

Lets create our first ClickOnce application

15
ClickOnce DeploymentHow it works?

Users download either
Setup.exe (500kb) Bootsraper which checks
pre-requisites
(Recommended)
OR
2. Application manifestBoo.application(small
but does not check prerequisites)

16
ClickOnce Deployment Deployment Manifests

Architecture based on two XML manifest
files
Application manifest
Authored by the developer
Describes the application
Example which assemblies constitute the
application
Deployment manifest
Authored by the administrator
Describes the application deployment
Example which version clients should use

17
ClickOnce DeploymentDeployment Manifests
1.0
? 1.1
18
Deployed Files
19
ClickOnce DeploymentBootstraper

What does the bootstrapper do?

Web Server
Setup.exe
Setup.exe
Dotnetfx.exe
Dotnetfx.exe
Mdac_typ.exe
a
Custom.msi
Custom.msi
Reboot
MDAC detected!
Bar.application
Bar.application
a
20
ClickOnce DeploymentWhich download to provide?

Q\ Which way?
A\ Depends on pre-requisites
Q\ What if the only pre-requisite is .NET 2?
A\ TIP use Request.Browser.ClrVersion
dim verHave as Version Request.Browser.ClrVersio
n
dim verNeed as Version new Version("2.0.50727")
if ( verHave lt verNeed ) then
Response.Write("lta href""./Download/Setup.exe""gt
")
else
Response.Write("lta href""./Download/SSWDiagnosti
cs.application""gt")
end if

21
ClickOnce Deployment Prerequisites

Missing prerequisites must be installed using
separate redistributable packages.
The deployment tools in Visual Studio let you
install the .NET Framework and other
redistributables as a part of your installation
(bootstrapping).
Note Prerequisites can be downloaded
beforehand into a network location
to avoid redundant prerequisite
downloads on networks

22
ClickOnce Deployment Prerequisites

Before installing an application on a client
computer, ClickOnce will examine the client to
ensure that it has certain requirements specified
in the application manifest.
These include
The minimum required version of the CLR
The minimum required version of the Windows OS
The minimum version of any and all assemblies
that must be preinstalled in the GAC

Note 1 If you specify an alternate prerequisite
location, the packages must exist there these
errors are not handled with ClickOnce Note 2
While selecting your prerequisites, keep in mind
that prerequisites might need administrator
privileges to be installed.
23
ClickOnce DeploymentStrategies

Install from the Web or a Network Share
(Default Strategy) (a Setup.exe)

Install from a CD (a Setup.exe)
Run the Application from the Web or a Network
Share
24
ClickOnce Deployment Strategies Compared
25
ClickOnce DeploymentSetup Interface
26
ClickOnce DeploymentSetup Options Interface
27
ClickOnce UpdateHow it works?

ClickOnce uses the file version information
specified in an application's deployment manifest
to decide whether to update the application's
files.
After an update begins, ClickOnce uses a
technique called file patching to avoid redundant
downloading of application files.
But, what is a File Patching? Compares the hash
signatures of the files specified in the
application manifest for the current application
against the signatures in the manifest for the
new version.

Note 1 If you use Visual Studio to compile your
application, it will generate new hash signatures
for all files whenever you rebuild the entire
project. Note 2 File patching does not work for
files that are marked as data and stored in the
data directory C\Documents and
Settings\AdamCogan\Local Settings\Apps\2.0
28
ClickOnce UpdateHow it works?
Deployment Framework Service
Application Store
Yes
No
Installed
Startup SHIM
My Application
But, what is a SHIM? Its a small piece of
software that is added to an existing system
program or protocol in order to provide some
enhancement.
29
ClickOnce UpdateStrategies

Checking for Updates after Application Startup

background thread will run to locate and read the
deployment manifest
best for low-bandwidth network connections or for
larger applications
Specifying Update Intervals

30
ClickOnce UpdateStrategies

Checking for Updates before Application Startup

31
ClickOnce UpdateStrategies

Making Updates Required

32
ClickOnce UpdateOptional and Required Updates

For optional updates, the user can either accept
or skip the update.

This dialog will not appear when an update is
required. To make an update required in Visual
Studio 2005, you need to set the Minimum Required
Version field in the Updates dialog box to match
the version of the application youre currently
publishing We recommend just 4 prior versions
33
ClickOnce UpdateBlocking

Want more control over the update?
You may block update checking altogether and
provide UI for updates using Deployment API in
your application

34
What if you release a bad version???
35
AdvancedRolling back updates

The latest 2 versions of the application are
stored, the rest are removed.
Clients may restore back 1 application update.

36
Demo

Create a bad version and deploy it
Rollback to a previous version
Update again with a good version

37
AdvancedScalability

Server Processing is fineNormal activation of a
ClickOnce application is very inexpensive for
the server network
Bandwidth is an issueConsider network bandwidth
needed for initial application deployment
application updates
However, the standard methods techniques used
to scale web or file servers can be used for
ClickOnce applications (e.g server farms, etc)

38
AdvancedCache

Location for ClickOnce applications
On XP userprofile\Local Settings\Apps
On VISTA userprofile\AppData\Local\Apps
Cache quota is 250MB.
Data files do not count toward this limit
Modify by changing Registry key
HKEY_CURRENT_USER\Software\Classes\Software\Micros
oft\Windows\CurrentVersion\Deployment\OnlineAppQuo
taInKB

Note The value in the OnlineAppQuoteInKB
registry key is a DWORD that expresses the cache
size in kilobytes
39
BUGSProxy Servers on Client Machines

Issue
Clients accessing the internet through proxy
servers will get the error when launching the
application
The remote server returned an error (407) Proxy
Authentication Required
Default credentials to the proxy are not passed
through, ClickOnce attempts to download the files
without going through the proxy.
Workaround
A hot fix is available from Microsoft to replace
the System.Deployment.dll or wait until the next
service pack comes out for .Net 2. You must
contact Microsoft for it.
http//support.microsoft.com/kb/917952

Yet to be tested for .Net 3
40
BUGS Publish Version sync issues

Issue
The problem is that (rarely) the publish revision
number that Visual Studio has in memory sometime
gets out of sync with the publish revision number
that is stored is the user project file
(.xxproj.user).
Users would get the following
Error 68 Publish failed with the following error
Could not find a part of the path
Workaround
The easiest work around, which is to manually up
the publish revision number and choose File -gt
Save All.

Yet to be tested for .Net 3
41
Warnings ClickOnce and non-IE Browsers

Issue
ClickOnce doesnt work on non-IE browsers (by
default).
ClickOnce provides IE with a mime handler
interface for the mime type application/x-ms-appli
cation which is associated with .application
files on servers hosting ClickOnce application.
So what happens in firefox?
.application file is downloaded.
If manifest contains relative paths, it will
fall over.
If it contains full paths, it will fail due to
security checks (in place by ClickOnce team).
Workaround
Firefox There is an official Add-on
https//addons.mozilla.org/firefox/1608/
Non-Firefox ClickOnce helper is an attempted a
solution, however it is not tested
http//www.softwarepunk.com/cohelper/
Note The ClickOnce team will fix this in the
next release of the framework.

Yet to be tested for .Net 3
42
Warnings File Patching and Rebuilds

Issue
The File Patching model for assemblies (even
strong assemblies) is based entirely on file
hash.
Projects when rebuilt in VS often cause the same
assemblies (exactly same source) to have
different hashes. Hence if you are rebuilding
your entire v2.0 solution its possible that
assemblies that have not changed in terms of
functionality will still have a different hash
and hence be downloaded again by ClickOnce
instead of being copied locally.
Workaround
Dont hit rebuild unless you need to! (when
references mightve changed)

43
WarningsManifest Overwriting

Issue
The manifest file for the ltAppNamegt.exe.manifest
is overwritten, causes strange compile errors
when included in the solution.
Workaround
You dont need the manifest file in .Net 2 for XP
Styles. If you need it for any other reason, then
merge your manifest into the one built with
clickonce.
Note If you are running SSW Code Auditor, this
would not have been a problem ?

No Longer needed for .Net 2
44
Warnings File Compression

Issue
There are no file compression mechanisms in
ClickOnce. By default, your file will be
downloaded uncompressed across the
network/internet.
Workaround
ClickOnce supports HTTP 1.1 compression. Simply
enable this on your web server the files
downloaded will be compressed.

45
Suggestions Missing Features

Rollback Feedback
We want our clients to give us feedback as to why
they are rolling back a version
Rollback Count
Clients should be able to rollback back to a
certain number of versions (set by the developer)
Version Download/Update/Rollback Stats
What versions our clients are downloading,
updating to and rolling back from. Presented in
Reporting Services reports.
Microsoft should release MSN messenger as a
ClickOnce app.
Staged Rollout
Specify beta testers, and grouped downloads via
authentication
eg. MSN Messenger could let MVPs and RDs get the
latest beta
We want 10 released each day, to manage
bandwidth and transition.
Scalability
limit to x concurrent - the rest would not be
told of the new version until later.

46
Moving your Application to ClickOnce

You must consider
What about your previous Windows Installer
installation on the client machines?
Suggestion Create a prerequisite that checks
for and uninstalls the previous versions. (or
uninstall it in the start of your app)
Where is your data stored? ClickOnce uses
different App folders for each new version, for
each user.
Suggestion Use ApplicationData folder if the
settings are per user, otherwise
CommonApplicationData per application for all
users.
You must consider the Limitations

47
Limitations Overview

Cant install shared files, drivers, assemblies
in GAC, for multiple users, office addins, etc
Installation UI cannot be changed
Cant add application to Startup group, Favorites
menu
Bootstrappers still need admin privileges if
there are prerequisite redistributables
Cant register file types
No updating via FTP

48
Part2

Security

49
Security

Why do we need security in our applications?
Protect our investment keep malicious users out
Protect sensitive data
Medical records, customer details, salary info

50
Security in .NET

2 parts to .NET Security
Role-based security
protects the application from the bad users
Code Access Security (CAS)
protects the users system from bad application

51
Role-based Security

How do we know who is using our application?
(Authentication)
e.g. Who are you?
And how do we control what they can and cannot
do? (Authorisation)
e.g. employee info dont want employees to see
each others salaries

52
Authentication Authorisation

In .NET, Users Identities

53
Authentication Authorisation

In .NET, Groups Roles

54
Authentication Authorisation

Where can we store a list of valid users?
Active Directory
Database
Web Service
XML
Excel
etc.

Demo

56
Authentication Authorisation

We saw
Windows (Integrated) Authentication
Check against the user I am logged in as
Authorisation
Enable/disable button
This can obviously be extended
Locking methods e.g. ViewCreditCardInfo
Custom messages

57
Authentication Authorisation
Generic (Text-based)
Read from Database (Custom)

IIdentity (Authentication) IPrincipal
(Authorisation)

Active Directory (Windows Security)
58
Impersonation

What is Impersonation?
Tim goes to pick up a parcel for Adam
Tim goes to the PO but access is denied (only
Adam is allowed to have the parcel)
Tim returns with Adams ID
Staff says OK Tim gets the parcel

59
Impersonation

Running the code under another persons
permission. i.e. Doing something on someone
elses behalf
Webforms example
Accessing network share as domain user instead of
the default local ASPNET account
Winforms example
Manager in Supermarket has to login to offer the
customer the discount.

60
Impersonation

How does it work?
User logs in to website as DOMAIN\TomJones
IIS checks the login against Active Directory
If the login matches the one in Active Directory,
the user is now impersonating a Windows user
Application can now login to database, perform
any functions that the Windows user can

61
Impersonation

Impersonation (example)

Login via web as DOMAIN\TomJones
IIS checks login against Active Directory
.NET code is now impersonating Windows
User DOMAIN\TomJones
62
What about lots of users?

e.g. you have a public web site (blog, forums,
ebay etc.)
How would the user connect to the database?
Embed a login and password in your connection
string
VERY BAD this is stored in plain text
AD / Impersonation
BAD big list of users
BAD cant extend data
Give the web ASPNET account access to the
database
GOOD for unknown numbers of users (i.e. public
websites)
GOOD no stored credentials (using integrated
security)

63
Special case - Mixed

e.g. you want your company users to log in on a
public site
So that they can get to company-only information
Mixed mode
Check against AD
Check against Database
Nice and flexible

64
Code Access Security

Imagine a world without SPAM and SpyWare

65
Code Access Security

What is Code Access Security (CAS)?
Protect your system against evil code
Rules enforced by the .NET Framework

66
Code Access Security

Who should control CAS policies?
System administrators
Not developers!

67
Assembly Strong Naming

How do you know your software came from its
publisher?
e.g. SSW Registration
Someone could simply replace the DLLs in the
folder and your application would use that

68
Assembly Strong Naming

Enter Strongly Named Assemblies
Use a special private key to uniquely sign an
assembly (e.g. SSW Registration)
The caller (e.g. SSW Code Auditor) uses a public
key to unlock the code
This guarantees the authenticity of any external
components your application is using
Really easy to use

69
ClickOnce Security
70
ClickOnce SecurityPartial Trust Permission
Settings

Custom Permission settings can be set for the
following

71
ClickOnce SecuritySecurity Features

Zero-impact installation
Files cached under user profile
Cannot touch shared resources on machine
Code Access Security sandbox execution
Based on origin of files (deployment server)
Can elevate permissions through user prompting
Can elevate permissions automatically through
trust license
XML Signature
Signed manifests to ensure authentication and
integrity
Note VS.NET 2005 enforces permissions during
debugging ?

72
Useful links

Security in .NET
www.4guysfromrolla.com/webtech/121901-1.shtml

73
References

http//blogs.msdn.com/saurabh/archive/2006/03/02/5
41988.aspx
http//blogs.msdn.com/clickonce/
http//blogs.msdn.com/saurabh/archive/2006/01/25/5
17613.aspx
http//blogs.msdn.com/winformsue/archive/category/
11821.aspx
http//www.softwarepunk.com/cohelper/
http//msdn2.microsoft.com/en-us/library/142dbbz4.
aspx
http//www.windowsforms.net/FAQs/default.aspx?Page
ID3CategoryID24SubcategoryID27tabindex2
http//forums.microsoft.com/MSDN/ShowPost.aspx?Pos
tID615033SiteID1
http//www.code-magazine.com/article.aspx?quickid
0601041page3
http//msdn.microsoft.com/library/default.asp?url
/library/en-us/dnreal/html/realworld12012004.asp
http//www.windowsforms.net/articles/appupdater.as
px
http//forums.microsoft.com/MSDN/ShowPost.aspx?Pos
tID173747SiteID1
http//support.microsoft.com/kb/917952