SynapseIndia dotnet website security development
- 1. Website Security ASP.NET is compiled to managed code before executing, so web pages can utilize the same role-based features as other .NET applications. Web.config can define built-in ASP.NET security providers such as “Forms”, “Windows” or set event handlers for custom providers. Web.config is an “application” level security policy file. Settings in higher level policy files take precedent, so administrators of shared web servers can breath.
- 2. Security & Managed Code Evidence-based security means that there is no guarantee your code has sufficient permission to run when the user executes it! .NET classes are free-threaded.
- 3. ASP.NET Programming model can handle client-side events on the server as if they happened on the server. Design-time provides GUI configuration of controls on the page. Microsoft provides controls that are fast and scalable for .NET (vs. VS6). Compiled code means 2-5 times faster execution. Session State is now fast and scalable.
- 4. ASP.NET Change Management • Version code just like any other .NET application! • Debug Using Trace! (instead of Response.Write) • Automated Unit Testing! • Deploy Assemblies Without Source Code! – Protect your Intellectual Property! • Publish web applications with simple XCopy! – Goodbye FrontPage Extensions! • Dynamic Code Replacement - Without Rebooting! • Concurrently Run Different Versions of Business Objects Side-By-Side! • Script Builds from Source Control
- 5. ASP.NET Cool Features Output Caching is automatic, but configurable by user, query, time or underlying data source AND at either the page or control level. ASP and ASP.NET can run in the same directory but do not share state. Use any .NET language. Use structured exception handling as implemented in the language. Debug from web pages down into business objects.
- 6. Writing XML Web Services Use the WebService directive in .ASMX pages. Code behind uses the WebMethod attribute and inherits from System.Web.Services.WebService. .NET will use reflection to automatically generate a WSDL and a simple human-readable testing and documentation page. Also, you can publish any COM+ object or .NET assembly by registering it in COM+ and checking a box. COM+ can use .NET remoting instead of HTTP for .NET to .NET calls. SQL and Exchange 2000 both provide XML Web Services access methods to their data.
- 7. Web Services Imports System.Web.Services <WebService(Namespace := "http://tempuri.org/")> _ Public Class Service1 Inherits System.Web.Services.WebService <WebMethod()> Public Function HelloPerson(ByVal YourName As String) As String HelloPerson = "Hello, " & YourName & "." End Function End Class
- 8. Consuming XML Web Services All Web Services are late-binding. Static bindings are Web References. Use them just like a referenced assembly. IntelliSense works! Dynamically bind to services at run-time by using UDDI and/or Disco. If necessary, configure proxy server and credentials in machine.config. Consume .NET Web Services from any platform.
- 10. ASP.NET Web Form
- 11. Web Services Private Sub Button_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles Button.Click Dim ws As New HelloService.Service1() Results.Text &= ws.HelloPerson(strName.Text) & "<br>" End Sub
- 13. Issues Only Windows 2000 and XP as servers. Windows 98 or better as clients. CE support is in beta and will be a subset. Transparency of Source Code – MSIL is relatively easy to reverse engineer to source code. Obfuscators and encryption will solve this in the future. Security of .NET is still questioned based on past experience with Microsoft.
- 14. .NET Myths Myth: Passport is required for authentication in .NET. BizTalk is required for XML Web Services. Windows CALs are required for access to “authenticated” IIS applications. Myth: J# is another Microsoft attempt to corrupt Java. Myth: The Microsoft .NET Pet Store benchmark proves ASP.NET is 15-28 times faster, requires ¼ the CPU, ¼ the code and supports 6-8x as many users as J2EE. Related Myth: Oracle’s latest Java Pet Store proves J2EE on Oracle is faster than .NET Myth: .NET is a huge mental leap for VB developers.
Editor's Notes
- #7: XML is the great cross-platform data exchange technology and XML Web Services provides both data exchange and procedural calls. Microsoft can now claim much greater interoperability, but so can other vendors like EpiCentric.
- #16: J# is actually one of two options in Microsoft’s JUMP (Java User Migration Path). It will take Java source code and let you expose it as XML Web Services and converts use of the Java base classes to .NET base classes. The other option, actually converts Java code to C#. So it isn’t about corrupting Java, but it is about getting Java developers to become Microsoft .NET developers. Microsoft’s .NET Pet Store was meant as a reference implementation for .NET, Sun’s Java Pet Store was meant as a reference implementation for J2EE. One of Sun’s claimed purposes was to use all the J2EE functionality and Sun used MVC (Model-View-Controller), neither of which lead to best performance. Oracle issued the benchmark challenge, not Sun, claiming to beat BEA and IBM by 3-4x. Microsoft hired a 3rd party to write both implementations and then tested. But MS had written in an optimized architecture for .NET and used Stored Procedures to tune performance. The results were stunning though – 15x faster response times; 28x faster response times with ASP.NET caching turned on. Microsoft supported 7.6x as many users as the Oracle benchmark. So Oracle and Sun whined and Oracle optimized a version of Pet Shop. They claimed that it now runs faster than the .NET Pet Shop, but Microsoft tested their code and didn’t get the same performance. Oracle also used different testing software and actually tuned the testing to reuse TCP connections! Bottom Line: Microsoft also asked an ISV to implement ZD Net’s Nile Benchmark application. ASP.NET was 3x faster than either EJB or JSP implementations. Conclusion: ASP.NET rocks!