MSDN Magazine - April 2008 - (Page 51) Figure 3 Raw WCF Client-Side Security Demands Scenario TCP IPC WS and WS Dual Basic and Web MSMQ Asynchronous calls, Duplex over TCP RM over TCP Windows security with interactive user credentials Windows security with alternative credentials Diagnostic tracing User-name credentials, Message security with service cert negotiation and without service cert validation User-name credentials, TCP message security with service cert negotiation and without service certificate validation Any certificate store access, Transaction propagation User-name credentials, Message security without service certificate negotiation or with service certificate validation, Certificate credentials Permissions Security permission with execution and unmanaged code, unrestricted DNS, socket permission to connect to port on target host Security permission with execution, unmanaged code, control policy, and control evidence Security permission with execution and unmanaged code, Web permission to connect to URI Security permission with execution, Web permission to connect to URI Security permission with execution and unmanaged code Security permission to control policy and evidence Security permission to control policy Environment permission to read USERNAME Security permission to control principal, Environment permission to read USERNAME Security permission with unmanaged code, Environment permission to read COMPUTERNAME Security permission to control policy and evidence, Store permission to enumerate certificates Security permission to control policy and evidence Full trust Full trust are the basic and Web bindings. The WS binding defaults to message security by default, resulting in an unmanaged code access permission demand. As you can see from Figure 3, key aspects of WCF such as transactions, reliable messaging, unlimited message security interaction, and certificate store access all require full trust, thus rendering my prior version of PartialTrustClientBase pointless in a partialtrust environment. Furthermore, demanding unmanaged code access by virtually all non-HTTP bindings (and the WS binding with message security) is unacceptable, negating the very idea of CAS for a partial-trust client. To enable appropriate, secure, and correct use of WCF by a partially trusted client, PartialTrustClientBase offers the Invoke method defined as: protected object Invoke(string operation,params object[] args); Structured Demands with PartialTrustClientBase } public MyContractClient(string endpointName) : base(endpointName) {} public void MyMethod() { Invoke(“MyMethod”); } Invoke accepts the name of the operation to invoke and its parameters in the form of a comma-separated params array of objects. Rather than using the Channel property for invoking the call, Invoke uses reflection. Here is a proxy deriving from PartialTrustClientBase using the Invoke method: public class MyContractClient : PartialTrustClientBase ,IMyContract { public MyContractClient() {} Invoke will first demand the appropriate CAS permissions according to the scenario of the calling client and the target service endpoint. If the client is granted those permissions—that is, no security exception was raised by the demands—Invoke will programmatically assert full trust and proceed to invoke the operation, satisfied that the client has the right permissions to call the service. I call such behavior a structured permission demand. Invoke cannot use an attribute to declaratively assert full trust, since that will mask any more granular permission it demands. Instead, the implementation of Invoke in Figure 2 first checks whether the call is invoked asynchronously (using the AsyncPattern flag of the operation contract). If it is, Invoke demands the appropriate permissions using the DemandAsyncPermissions helper method. Invoke then demands the synchronous permissions using the DemandSyncPermissions helper method. For the call itself, Invoke programmatically asserts full trust using my CodeAccessSecurityHelper class shown in Figure 4. The PermissionSetFromStandardSet method takes my enum value representing one of the standard .NET permission sets and returns the matching instance of PermissionSet (see Figure 5). PermissionSet, as its name implies, is a collection of permissions, but it Foundations april2008 51
Table of Contents Feed for the Digital Edition of MSDN Magazine - April 2008 MSDN Magazine - April 2008 Contents Toolbox CLR Inside Out Basic Instincts Cutting Edge Foundations Test Run Service Station Windows with C++ Going Places { End Bracket } MSDN Magazine - April 2008 MSDN Magazine - April 2008 - (Page Intro) MSDN Magazine - April 2008 - Contents (Page Cover1) MSDN Magazine - April 2008 - Contents (Page Cover2) MSDN Magazine - April 2008 - Contents (Page 1) MSDN Magazine - April 2008 - Contents (Page 2) MSDN Magazine - April 2008 - Contents (Page 3) MSDN Magazine - April 2008 - Contents (Page 4) MSDN Magazine - April 2008 - Contents (Page 5) MSDN Magazine - April 2008 - Contents (Page 6) MSDN Magazine - April 2008 - Contents (Page 7) MSDN Magazine - April 2008 - Contents (Page 8) MSDN Magazine - April 2008 - Contents (Page 9) MSDN Magazine - April 2008 - Contents (Page 10) MSDN Magazine - April 2008 - Toolbox (Page 11) MSDN Magazine - April 2008 - Toolbox (Page 12) MSDN Magazine - April 2008 - Toolbox (Page 13) MSDN Magazine - April 2008 - Toolbox (Page 14) MSDN Magazine - April 2008 - Toolbox (Page 15) MSDN Magazine - April 2008 - Toolbox (Page 16) MSDN Magazine - April 2008 - CLR Inside Out (Page 17) MSDN Magazine - April 2008 - CLR Inside Out (Page 18) MSDN Magazine - April 2008 - CLR Inside Out (Page 19) MSDN Magazine - April 2008 - CLR Inside Out (Page 20) MSDN Magazine - April 2008 - CLR Inside Out (Page 21) MSDN Magazine - April 2008 - CLR Inside Out (Page 22) MSDN Magazine - April 2008 - CLR Inside Out (Page 23) MSDN Magazine - April 2008 - CLR Inside Out (Page 24) MSDN Magazine - April 2008 - Basic Instincts (Page 25) MSDN Magazine - April 2008 - Basic Instincts (Page 26) MSDN Magazine - April 2008 - Basic Instincts (Page 27) MSDN Magazine - April 2008 - Basic Instincts (Page 28) MSDN Magazine - April 2008 - Basic Instincts (Page 29) MSDN Magazine - April 2008 - Basic Instincts (Page 30) MSDN Magazine - April 2008 - Basic Instincts (Page 31) MSDN Magazine - April 2008 - Basic Instincts (Page 32) MSDN Magazine - April 2008 - Basic Instincts (Page 33) MSDN Magazine - April 2008 - Basic Instincts (Page 34) MSDN Magazine - April 2008 - Cutting Edge (Page 35) MSDN Magazine - April 2008 - Cutting Edge (Page 36) MSDN Magazine - April 2008 - Cutting Edge (Page 37) MSDN Magazine - April 2008 - Cutting Edge (Page 38) MSDN Magazine - April 2008 - Cutting Edge (Page 39) MSDN Magazine - April 2008 - Cutting Edge (Page 40) MSDN Magazine - April 2008 - Cutting Edge (Page 41) MSDN Magazine - April 2008 - Cutting Edge (Page 42) MSDN Magazine - April 2008 - Cutting Edge (Page 43) MSDN Magazine - April 2008 - Cutting Edge (Page 44) MSDN Magazine - April 2008 - Cutting Edge (Page 45) MSDN Magazine - April 2008 - Cutting Edge (Page 46) MSDN Magazine - April 2008 - Foundations (Page 47) MSDN Magazine - April 2008 - Foundations (Page 48) MSDN Magazine - April 2008 - Foundations (Page 49) MSDN Magazine - April 2008 - Foundations (Page 50) MSDN Magazine - April 2008 - Foundations (Page 51) MSDN Magazine - April 2008 - Foundations (Page 52) MSDN Magazine - April 2008 - Foundations (Page 53) MSDN Magazine - April 2008 - Foundations (Page 54) MSDN Magazine - April 2008 - Foundations (Page 55) MSDN Magazine - April 2008 - Foundations (Page 56) MSDN Magazine - April 2008 - Foundations (Page 57) MSDN Magazine - April 2008 - Foundations (Page 58) MSDN Magazine - April 2008 - Foundations (Page 59) MSDN Magazine - April 2008 - Foundations (Page 60) MSDN Magazine - April 2008 - Foundations (Page 61) MSDN Magazine - April 2008 - Foundations (Page 62) MSDN Magazine - April 2008 - Foundations (Page 63) MSDN Magazine - April 2008 - Foundations (Page 64) MSDN Magazine - April 2008 - Foundations (Page 65) MSDN Magazine - April 2008 - Foundations (Page 66) MSDN Magazine - April 2008 - Foundations (Page 67) MSDN Magazine - April 2008 - Foundations (Page 68) MSDN Magazine - April 2008 - Foundations (Page 69) MSDN Magazine - April 2008 - Foundations (Page 70) MSDN Magazine - April 2008 - Foundations (Page 71) MSDN Magazine - April 2008 - Foundations (Page 72) MSDN Magazine - April 2008 - Foundations (Page 73) MSDN Magazine - April 2008 - Foundations (Page 74) MSDN Magazine - April 2008 - Foundations (Page 75) MSDN Magazine - April 2008 - Foundations (Page 76) MSDN Magazine - April 2008 - Foundations (Page 77) MSDN Magazine - April 2008 - Foundations (Page 78) MSDN Magazine - April 2008 - Foundations (Page 79) MSDN Magazine - April 2008 - Foundations (Page 80) MSDN Magazine - April 2008 - Foundations (Page 81) MSDN Magazine - April 2008 - Foundations (Page 82) MSDN Magazine - April 2008 - Foundations (Page 83) MSDN Magazine - April 2008 - Foundations (Page 84) MSDN Magazine - April 2008 - Foundations (Page 85) MSDN Magazine - April 2008 - Foundations (Page 86) MSDN Magazine - April 2008 - Foundations (Page 87) MSDN Magazine - April 2008 - Foundations (Page 88) MSDN Magazine - April 2008 - Foundations (Page 89) MSDN Magazine - April 2008 - Foundations (Page 90) MSDN Magazine - April 2008 - Foundations (Page 91) MSDN Magazine - April 2008 - Foundations (Page 92) MSDN Magazine - April 2008 - Foundations (Page 93) MSDN Magazine - April 2008 - Foundations (Page 94) MSDN Magazine - April 2008 - Foundations (Page 95) MSDN Magazine - April 2008 - Foundations (Page 96) MSDN Magazine - April 2008 - Foundations (Page 97) MSDN Magazine - April 2008 - Foundations (Page 98) MSDN Magazine - April 2008 - Test Run (Page 99) MSDN Magazine - April 2008 - Test Run (Page 100) MSDN Magazine - April 2008 - Test Run (Page 101) MSDN Magazine - April 2008 - Test Run (Page 102) MSDN Magazine - April 2008 - Test Run (Page 103) MSDN Magazine - April 2008 - Test Run (Page 104) MSDN Magazine - April 2008 - Test Run (Page 105) MSDN Magazine - April 2008 - Test Run (Page 106) MSDN Magazine - April 2008 - Service Station (Page 107) MSDN Magazine - April 2008 - Service Station (Page 108) MSDN Magazine - April 2008 - Service Station (Page 109) MSDN Magazine - April 2008 - Service Station (Page 110) MSDN Magazine - April 2008 - Service Station (Page 111) MSDN Magazine - April 2008 - Service Station (Page 112) MSDN Magazine - April 2008 - Service Station (Page 113) MSDN Magazine - April 2008 - Service Station (Page 114) MSDN Magazine - April 2008 - Windows with C++ (Page 115) MSDN Magazine - April 2008 - Windows with C++ (Page 116) MSDN Magazine - April 2008 - Windows with C++ (Page 117) MSDN Magazine - April 2008 - Windows with C++ (Page 118) MSDN Magazine - April 2008 - Windows with C++ (Page 119) MSDN Magazine - April 2008 - Windows with C++ (Page 120) MSDN Magazine - April 2008 - Windows with C++ (Page 121) MSDN Magazine - April 2008 - Windows with C++ (Page 122) MSDN Magazine - April 2008 - Going Places (Page 123) MSDN Magazine - April 2008 - Going Places (Page 124) MSDN Magazine - April 2008 - Going Places (Page 125) MSDN Magazine - April 2008 - Going Places (Page 126) MSDN Magazine - April 2008 - Going Places (Page 127) MSDN Magazine - April 2008 - { End Bracket } (Page 128) MSDN Magazine - April 2008 - { End Bracket } (Page Cover3) MSDN Magazine - April 2008 - { End Bracket } (Page Cover4)
For optimal viewing of this digital publication, please enable JavaScript and then refresh the page. If you would like to try to load the digital publication without using Flash Player detection, please click here.