Thursday, January 7, 2010

Fiddle the web with Fiddler

About Fiddler:
Fiddler is a very handy and powerful tool for web debugging, analysis and troubleshooting. I was able to resolve many MOSS issues within minutes that would otherwise have taken a lot of effort and time. Thanks to my friend at Microsoft who recommended that I use Fiddler.

Although I used Fiddler heavily for MOSS, Fiddler can be used with any web page regardless of the web technology used. So you can use it with an ASP.NET or JSP site the same way.


Fiddler is available at:

http://www.fiddler2.com/fiddler2/version.asp
 
Once you install Fiddler, it is very easy to start debugging. Videos and demos can be found at the above site.

Uses of Fiddler:
1. To measure performance of the web page on client browser:

A Fiddler trace gives you an analysis of every single element downloaded and loaded on the web page, so it is very easy to pinpoint the heavyweights on your page. Fiddler draws a nice graph for this, and you can easily figure out which image or script is taking a lot of time.

2. To debug:

Fiddler lets you view the HTTP form and script parameters. With this you can easily debug errors on the web page. For example, you can trace a wrong value sent during an HTTP postback, view and resolve missing images at the client end, common 404 Page Not Found errors, hard-to-trace wrong redirects from a MOSS web part, etc.

Tuesday, January 5, 2010

CAS Trusted MOSS Web Parts


.NET provides CAS (Code Access Security) as an addition to role-based security. CAS restricts the external activities of code and controls the way code can be reused or invoked. In this blog post we will look at web part deployment options and where CAS can be used to implement a secure web part deployment pattern.


Introduction to CAS:
A good introduction to CAS can be found at:
http://msdn.microsoft.com/en-us/library/aa302424.aspx#c08618429_002


CAS infrastructure in MOSS/WSS:
MOSS, being an ASP.NET based application, has its own extended implementation of CAS. In fact, the MOSS/WSS minimal trust policy is an extended version of the ASP.NET minimal trust policy with additions to allow web part connections. CAS can be configured in MOSS just like in a .NET application.
 
There are two options to deploy a web part:
  1. Bin directory of the virtual server - this is more restrictive
  2. GAC of the web server - this is less restrictive

Following is a comparison matrix for both the deployment options:

                        Bin Directory                                    GAC
Execution Mode          More restrictive execution. Access to most       More trusted execution with access to many
                        resources denied.                                resources granted by default.
Configuration Required  Create a CAS policy and set the trust level      Need to set configuration of web part entry
                        of the web part in order to make it work.        in web.config.

Choosing one of the two options:
Bin directory should be used when:
  • Web part code is not trusted, e.g. third-party web parts
  • To ensure that the web part works regardless of server settings and deployment method, e.g. a web part vendor may opt for this

GAC should be used when:
  • Web part code is trusted
  • Intranet sites where the risk of an attack is lower

Recommended method for web part deployment:
Microsoft recommends deploying the web part to the Bin directory of the virtual server and setting the appropriate CAS policy.
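As an added example of what "create a CAS policy and set the trust level" looks like in practice (this is not code from the original post), here is the CodeAccessSecurity section of a WSS 3.0 / MOSS 2007 solution manifest.xml for a web part deployed to the Bin directory. The assembly name Contoso.WebParts, its version, the SolutionId and the PublicKeyBlob/PublicKeyToken values are placeholders; the SharePointPermission class and the Microsoft.SharePoint.Security assembly identity are the real ones from MOSS 2007.

```xml
<!-- Added example (not from the original post): a solution manifest that deploys a
     web part DLL to the web application's bin directory and grants it an explicit
     CAS permission set. When deployed with
       stsadm -o deploysolution -name Contoso.WebParts.wsp -allowCasPolicies ...
     SharePoint copies this grant into a custom version of the wss_minimaltrust
     policy and switches the web application's trust level to it, so the DLL runs
     with exactly these permissions and nothing more.
     Assembly name, version, SolutionId and key values are placeholders. -->
<Solution xmlns="http://schemas.microsoft.com/sharepoint/"
          SolutionId="00000000-0000-0000-0000-000000000000">
  <Assemblies>
    <!-- DeploymentTarget="WebApplication" puts the DLL in bin, not in the GAC -->
    <Assembly DeploymentTarget="WebApplication" Location="Contoso.WebParts.dll">
      <SafeControls>
        <!-- Produces the web.config SafeControl entry the web part needs -->
        <SafeControl Assembly="Contoso.WebParts, Version=1.0.0.0, Culture=neutral, PublicKeyToken=PLACEHOLDERTOKEN"
                     Namespace="Contoso.WebParts"
                     TypeName="*"
                     Safe="True" />
      </SafeControls>
    </Assembly>
  </Assemblies>
  <CodeAccessSecurity>
    <PolicyItem>
      <!-- Least privilege: execute, minimal ASP.NET hosting, SharePoint object model.
           Anything the web part does not need (file I/O, registry, reflection) is left out. -->
      <PermissionSet class="NamedPermissionSet" version="1" Description="Contoso web part permissions">
        <IPermission class="AspNetHostingPermission" version="1" Level="Minimal" />
        <IPermission class="SecurityPermission" version="1" Flags="Execution" />
        <IPermission class="Microsoft.SharePoint.Security.SharePointPermission, Microsoft.SharePoint.Security, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c"
                     version="1"
                     ObjectModel="True" />
      </PermissionSet>
      <Assemblies>
        <!-- Strong-name match: only this signed assembly receives the permission set,
             so a different DLL dropped into bin does not inherit the grant -->
        <Assembly Name="Contoso.WebParts" Version="1.0.0.0" PublicKeyBlob="PLACEHOLDER-PUBLIC-KEY-BLOB" />
      </Assemblies>
    </PolicyItem>
  </CodeAccessSecurity>
</Solution>
```

Two things to check after deployment: the web.config trust element should now reference the custom policy (something other than WSS_Minimal), and the web part should still fail closed if it tries an operation outside the permission set, which is the behaviour the Bin deployment option is meant to give you.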


Although the use of CAS is a recommended practice, it comes at the price of tedious configuration. Following are the advantages and disadvantages of using CAS to set the trust level:




Advantages of using CAS to set the trust level for MOSS/WSS web parts:
  • Setting the correct CAS policy ensures that web parts run at the correct level of trust. This allows a web part to run successfully regardless of the trust level of the application, provided the correct CAS policies are implemented. This is the biggest advantage of using CAS.
  • CAS limits access to what the policy specifies. Hence, there are fewer loopholes for an attacker to gain access to critical system resources.

One should also consider the following drawbacks of deployment to Bin with CAS configuration:
  • CAS requires tedious configuration. If something goes wrong, the entire site will be affected by a wrong configuration.
  • CAS is not a replacement for role-based security; it is rather a defense mechanism to control and regulate access to resources.
  • CAS configuration requires a significant amount of knowledge and developer skill.
Conclusion:

The application Bin directory is best suited when the web part code cannot be trusted. It requires a CAS policy implementation to set the trust level, and therefore requires configuration. A web part can be deployed to the GAC if it is trusted. This option is easy to implement but is less secure.