Control permissions for resources by using the System.Security.Permission classes. (Refer System.Security.Permission namespace)
- SecurityPermission class
- PrincipalPermission class
- FileIOPermission class
- StrongNameIdentityPermission class
- UIPermission class
- UrlIdentityPermission class
- PublisherIdentityPermission class
- GacIdentityPermission class
- FileDialogPermission class
- DataProtectionPermission class
- EnvironmentPermission class
- IUnrestrictedPermission interface
- RegistryPermission class
- IsolatedStorageFilePermission class
- KeyContainerPermission class
- ReflectionPermission class
- StorePermission class
- SiteIdentityPermission class
I've really got to get going on these. I'm scheduled to take 70-552 next Sat, and I'm haven't gotten to the WinForms stuff yet.
These next two parts are on Code Access Security. Mike Downen (via Julie Lerman) has an intro article on CAS in 2.0.
Update via Zdenko - Michael Stiefel has some good articles on his site.
SecurityPermission class - This is the class that has a lot of base attributes: Execution, SkipVerification, UnmanagedCode, Assertion, BindingRedirects to name a few. There don't appear to be any new values from 1.1.
PrincipalPermission class - This class allows you to control access by the current identity. Note the important info in the documentation:
Prior to a demand for principal permission it is necessary to set the current application domain's principal policy to the enumeration value WindowsPrincipal. By default, the principal policy is set to UnauthenticatedPrincipal. If you do not set the principal policy to WindowsPrincipal, a demand for principal permission will fail. The following code should be executed before the principal permission is demanded:
AppDomain.CurrentDomain.SetPrincipalPolicy(PrincipalPolicy.WindowsPrincipal).
Kaushal Sanghavi has a good article demonstrating the use of PrincipalPermission.
FileIOPermission class - Controls access to file IO. There are 4 basic rights controlled : Read, Write, Append and Path Discovery.
StrongNameIdentityPermission class - Allows you to limit callers to a specific strongly named assembly. More information can be found at Morgan Skinner.
UIPermission class - Allows you to specify the permissions for UI (Winforms). Whether or not a window can be shown, whether or not more than one window can be shown, whether or not the application can access the clipboard, only a system specific clipboard, or no access whatsoever.
UrlIdentityPermission class - In the same spirit as StrongNameIdentityPermission, allows you to limit callers by a URL.
PublisherIdentityPermission class - Limits calls by a specific publisher (using Digital certificates)
GacIdentityPermission class - This is new in 2.0 - Allows you to limit access by whether or not an assembly is located in the GAC.
FileDialogPermission class - Controls whether or not the assembly can open a File dialog box.
DataProtectionPermission class - New to 2.0. Controls whether or not the assembly can use the new data protection (DPAPI) features. You can retrict the user to protect data, unprotect data, protect memory or unprotect memory.
EnviromentPermission class - Controls access to user and system environment variables.
IUnrestrictedPermission class - Allows a permission to expose an unrestricted state. Peter Torr has a nugget of trivia about this interface buried in his post.
RegistryPermission class - Controls access to the registry.
IsolatedStorageFilePermission class - Controls access to isolated storage. Can control the size (Quota) and the type of store (Application, Domain, or Assembly)
KeyContainerPermission class - New to 2.0. Controls access to Key Containers. You can control access by each CSP, or grant unrestricted rights.
ReflectionPermission class - Controls access to assembly metadata via reflection. You can control whether or not access to members is allowed, access to types, and whether or not assemblies can be dynamically generated.
StorePermission class - New to 2.0 Controls access to X.509 Certificate stores. Can control add/remove of certificates, opening of a store, enumeration of certificates, and the creation/deletion of stores.
SiteIdentityPermission class - Limit calls to a specific site (domain).
Next up -> Security.Policy
I will be speaking at the next meeting of the New England C# User's Group on New Features of the 2.0 Framework. If you're in the Manchester NH area, stop on by.
Encrypt, decrypt, and hash data by using the System.Security.Cryptography classes. (Refer System.Security.Cryptography namespace)
- DES class and DESCryptoServiceProvider class
- HashAlgorithm class
- DSA class and DSACryptoServiceProvider class
- SHA1 class and SHA1CryptoServiceProvider class
- TripleDES and TripleDESCryptoServiceProvider class
- MD5 class and MD5CryptoServiceProvider class
- RSA class and RSACryptoServiceProvider class
- RandomNumberGenerator class
- CryptoStream class
- CryptoConfig class
- RC2 class and RC2CryptoServiceProvider class
- AssymetricAlgorithm class
- ProtectedData class and ProtectedMemory class
- RijndaelManaged class and RijndaelManagedTransform class
- CspParameters class
- CryptoAPITransform class
- Hash-based Message Authentication Code (HMAC)
Knowing some basics about Cryptography is a big help with this objective. Dino Esposito has an article on DevX going over the basics. It's based on 1.1, but the ideas haven't changed.
For the most part this namespace hasn't changed. ProtectedData/Memory and HMAC are the new classes they want you to know about.
DES class - Abtract class that all (one) DES implementations derive from. DES is a symmetric encryption algorithm. It's an old algorithm that can be cracked in a matter of days.
DESCryptoServiceProvider class - Service provider class for DES encryption. Derives from DES and is the class you'd use when encrypting/decrypting with DES.
HashAlgorithm class - base class that all hash algorithms derive from. MSDN has an example implementation showing that you invoke the ComputeHash method to get the hash.
DSA class - base class that all (one) DSA implentations derive from. Richard Grimes has a blurb about digital signatures on his security workshop page.
DSACryptoServiceProvider class - provides an implementation of the DSA (Digital Signature Algorithm) .
SHA1 class - Abtract class for the SHA1 Hash algorithm. 160 bit hash size.
SHA1CryptoServiceProvider class - Implementation of the SHA1 hash algorithm. There's some concern that this algorithm is weak, so it's probably best to use a different hashing algorithm.
TripleDES class - Abtract class for the TripleDES encryption algorithm. TripleDES is a symmetric algorithm support key sizes of 128 or 192 bits.
TripleDESCryptoServiceProvider class - Implementation of the TripleDES encryption algorithm, which appears to encrypt the text by running DES 3 times.
MD5 class - Abtract class that all MD5 hash algorithms derive from. MD5 produces a 128 bit hash.
MD5CryptoServiceProvider class - Implementation of the MD5 Hash Algorithm. It appears there might be weaknesses with this algorithm as well.
RSA class - Abtract class that all RSA encryption algorithms derive from. RSA is an asymmetric algorithm supporting bit sizes between 384 - 16384 bits in increments of 8 bits.
RSACryptoServiceProvider class - Implementation of the RSA Encryption algorithm. There don't appear to be flaws in the RSA algorithm provided your key is >2k.
RandomNumberGenerator class - Abtract class that all Random Number generators are supposed to derive from. There is only one implementation of a random number generator - RNGCryptoServiceProvider. Christopher Wille has an example that creates random passwords using the RNGCryptoServiceProvider.
CryptoStream class - defines a stream that is used with cryptographic functions. The idea is to prevent storing the data in an intermediate area during cryptographic functions. It also handles buffering which I guess gets complicated with block ciphers.
CryptoConfig class - Documentation says that it is used to get cryptography configuration information. I don't see it doing that. It appears that the main method, CreateFromName, is used to get an instance of a specific CryptoServiceProvider. There is mention of the CryptoConfig being used in this best practices in Mono document.
RC2 class - Abtract class that all RC2 implementations derive from. RC2 is an Symmetric Encryption algorithm.
RC2CryptoServiceProvider class - Implementation of the RC2 Encryption algorithm. Key size is from 40-128 bits in 8 bit increments.
AssymmetricAlgorithm class - base class for all encryption methods that are classified as Assymmetric (meaning public key algorithms) Dr. Peter Bromberg has a simple example of using the RSA classes.
ProtectedData class - This is a new class for the 2.0 framework. It is a frontend to the DPAPI protect and unprotect methods, making it very easy to secure data using DPAPI. Remember that stuff protected by DPAPI can only be unprotected on the same machine.
ProtectedMemory class - Also a new class for the 2.0 framework. It works the same as ProtectedData. The difference is that ProtectedMemory is only valid until the machine reboots. Shawn has an informative post on his blog.
RijndaelManaged class - A managed implementation of the Rijndael encryption algorithm, also known as AES. Rijndael is a symmetric algorithm supporting key sizes of 128,192, and 256 bits.
RijndaelManagedTransform class - the actual class that does the encryption/descryption for the RijndaelManaged class.
CspParameters class - contains parameters that are passed to the CSP (Cryptographic Service Provider). This is used to pass specific parameters back to the Crypto subsystem. An example is specifying which key container to use. Gowri Paramasivm has an example using RSA.
CryptoAPITransform class - Represents a cryptographic algorithm that encrypts or decrypts data.
HMAC (Hash-based Message Authentication Code) - Abstract class that all implementations of HMAC derive from. HMAC is a way of verifying the authenticity and integrity of a message. These are new classes.
Next up -> Permissions
Implement a custom authentication scheme by using the System.Security.Authentication classes. (Refer System.Security.Authentication namespace)
- Authentication algorithms and SSL protocols
Another new namespace. Not much meat there. I think they're trying to get you to look at the AuthenticatedStream class in System.Net.Security. Keith Brown has a good example implementation in his "The .NET Developer's Guide to Windows Security"
The algorithms that are implemented appear to be:
NegotiateStream - "Uses the Negotiate security protocol to authenticate the client." Is there such a thing as the "Negotiate security protocol"? I'm not finding anything on it. Sample uses of this class appear to communicating with a server authenticating via Kerberos.
SslStream - "Provides a stream used for client-server communication that uses the Secure Socket Layer (SSL) security protocol to authenticate the server and optionally the client. " Dominick Baier has a nice simple example.
Next up -> Cryptography
Implement access control by using the System.Security.AccessControl classes.
- DirectorySecurity class, FileSecurity class, FileSystemSecurity class, and RegistrySecurity class
- AccessRule class
- AuthorizationRule class and AuthorizationRuleCollection class
- CommonAce class, CommonAcl class, CompoundAce class, GeneralAce class, and GeneralAcl class
- AuditRule class
- MutexSecurity class, ObjectSecurity class, and SemaphoreSecurity class
This is a completely new namespace. The .NET framework now has direct support for reading and maintaining ACLs (Access Control Lists, or NT Permissions). This was difficult to do previously because you had to use unmanaged calls to the Win32 subsystem.
You should probably have some rudimentary understanding of how the access control works. Wenfeng Yao has a nice post explaining the different terms.
Rich Strahl has a good simple example of how these classes work. Like he says, it's not to hard once you see how it's done. There's also an informative MSDN article (based on the beta) about the Access Control objects.
DirectorySecurity class - This embodies the access and audit information for a specific directory. Create an instance by passing in the path in the constructor.
FileSecurity class - Same thing, but for a specific file.
RegistrySecurity class - Same thing for a registry key.
FileSystemSecurity class - base class for both DirectorySecurity and FileSecurity.
AccessRule class - To borrow a database metaphor, this is the many to many table for security. It combines an Identity and an AccessControlType to represent a specific permission.
AuthorizationRule class - base class of AccessRule and AuditRule.
AuthorizationRuleCollection class - collection of AuthorizationRule instances. Typical collection, no new methods.
CommonAce class - Represents an Access Control Entry(ACE). These objects allow you to deal directly with ACE/ACLs, whereas the Security/Rule classes provide some abtraction and validation. "The CommonAce class represents the eight most common ACE types". But I can't find what the eight most common ACE types are. I looked at the class in reflector, I think they're talking about AccessAllowed, AccessDenied, SystemAudit, SystemAlarm, AccessAllowedCallback, AccessDeniedCallback, SystemAuditCallback, SystemAlarmCallback... But I'm not sure. There are a lot of opportunities for improvement in the documentation for these classes.
CommonAcl class - Represents an Access Control List(ACL). Meaning either SACL or DACL.
CompoundAce class - Represents a Compound ACE. As the only member of the CompoundAceType enum is Impersonation, I'm guessing that a compound ace has something to do with Impersonation. Looking further using reflector, it appears a CompoundAce object is created in the GenericAce.CreateFromBinaryForm when the AceType = AccessAllowedCompound. According to MSDN : "Defined but never used. Included here for completeness. "...
GeneralAce class - Represents a generic ACE. Base class for all ACE classes.
GeneralAcl class - Represents a generic ACL. Base class for all 4 ACL classes.
AuditRule class - This similiar to an AccessRule, but represents Audit information.
MutexSecurity class - Similiar to FileSecurity, but for Named Mutexes. For those of you unfamiliar with Named Mutexes (I was), look at King Ralph's blog entry.
ObjectSecurity class - Base class for all the xxxSecurity objects.
SemaphoreSecurity class - Similiar to MutexSecurity, but for Named Semaphores.
Next post - Authentication
On this week's MSDN flash, they released promo codes (meaning you can register for free) for 4 other beta exams:
The first three are exams you would take for the MCPD certification, unless you were already an MCSD or MCAD. The SQL Server one is part of the MCITP certification as a database developer.
Between now and March 10, I'm scheduled to take 5 exams... There go my weekends.
UPGRADE: MCAD Skills to MCPD Web Developer by Using the Microsoft .NET Framework
UPGRADE: MCAD Skills to MCPD Windows Developer by Using the Microsoft .NET Framework
UPGRADE: MCSD Microsoft .NET Skills to MCPD Enterprise Application Developer by Using the Microsoft .NET Framework: Part 1
Access files and folders by using the File System classes. (Refer System.IO namespace)
- File class and FileInfo class
- Directory class and DirectoryInfo class
- DriveInfo class and DriveType enumeration
- FileSystemInfo class and FileSystemWatcher class
- Path class
- ErrorEventArgs class and ErrorEventHandler delegate
- RenamedEventArgs class and RenamedEventHandler delegate
File class - Static class used for moving/renaming files. They've added quite a few methods for convience and better exposed the feature set of NTFS. Look at AppendAllText, Decrypt, Encrypt, GetAccessControl, ReadAllBytes, ReadAllLines, ReadAllText, Replace, SetAccessControl, WriteAllBytes, WriteAllLines, WriteAllText
FileInfo class - Each instance of this class represents a file. Members are similiar to the File class. Doesn't have some of the convenience methods like ReadAllText, WriteAllText...
Directory class - Static class used to manipulate file directories. Doesn't appear to have changed except GetAccessControl and SetAccessControl methods have been added.
DirectoryInfo class - Each instance of this class represents a directory. Members are similiar to the File class. Also has GetAccessControl and SetAccessControl methods.
DriveInfo class - New class that allows you to query to see what drives (logical) are attached to a system. Each instance represents a drive. You can get the capacity, volume label, free space, and the type of drive.
DriveType enum - enum that specifies the type of drive represented by the DriveInfo class. CDROM, Fixed, Network, RAM, Removeable (USB or floppy), unknown. There is also a NoRootDirectory member. I don't know what that is for. The enum is not decorated with the FlagsAttribute, so a DriveType can't be Fixed AND NoRootDirectory.
FileSystemInfo class - base class for both FileInfo and DirectoryInfo
FileSystemWatcher class - I hate this component. I used it in an project and kept missing files because the buffer would overflow and the error event wasn't consistently raised. Read the class description and understand the limitations of the component. It doesn't look like it has been changed(meaning new methods and properties).
Path class - Allows you do deal with filename strings in a controlled fashion. If you want to change the extension, call the ChangeExtension method, rather than doing the string parsing yourself. Has some interesting members that I didn't know about, such as GetTempFilename. There is a new method called GetRandomFilename. It returns a random temp filename, but doesn't create it. GetInvalidFileNameChars and GetInvalidPathChars are also new.
ErrorEventArgs - object that is supplied to the error event in the FileSystemWatcher when something goes wrong. GetException returns the exception object for the error. Like I said, I had problems with the FileSystemWatcher. Know it for the test, but don't use it in a real project.
RenamedEventArgs - object that is supplied to the rename event in the FileSystemWatcher. Has OldFullPath and OldName properties. Derived from FileSystemEventArgs
Next up - System.IO.Compression
I don't usually put personal stuff into this blog, but I think today can be an exception. We finalized the adoption of our daughter Sara today! She's officially a Denoncourt! If you haven't heard her story and can put up with a little preaching, you can hear it here.
I wish that more people would consider adoption. It's really a great chance to change the world. One of the things that I hear is that that people have the impression that there is a shortage of children available to be adopted. While it is true that there are not a lot of infants to be adopted, there are a lot of older children waiting for homes. Another consideration is that people think that it costs a lot to adopt a child. The costs of adopting an infant can be towards $50k for domestic, and between 10-30k for international infant. If you're willing to adopt a child through the state, you are eligible for a $10,000 tax credit (that's basically adding $10,000 to your tax return) and you might receive a monthly stipend as well. An excellent resource on the Internet is adoption.com. If you call your state's family protection department, you can find when they hold informational meetings. Adoption is an amazing experience. Ours was an open adoption, which means that the birth parents can still visit Sara and know her as she grows up.. But we are her parents. I think this takes a lot of the tension out of the process and is more healthy for everyone - baby, us, and the birth parents.
I'll get back to the study guide tomorrow. 
UPGRADE: MCAD Skills to MCPD Web Developer by Using the Microsoft .NET Framework
UPGRADE: MCAD Skills to MCPD Windows Developer by Using the Microsoft .NET Framework
UPGRADE: MCSD Microsoft .NET Skills to MCPD Enterprise Application Developer by Using the Microsoft .NET Framework: Part 1
Control the serialization of an object into XML format by using the System.Xml.Serialization namespace.
- Serialize and deserialize objects into XML format by using the XmlSerializer class.
- Control serialization by using serialization attributes.
- Implement XML Serialization interfaces to provide custom formatting for XML serialization.
- Delegates and event handlers provided by the System.Xml.Serialization namespace
So the basics of using the XmlSerializer hasn't changed. Create an XmlSerializer telling it to expect a particular type. Note that the type could be a Generic - typeof(SortedList<int>) . Know that you can supply override to the XML Attributes. See my post here. Know how to control namespaces using XmlSerializerNamespaces class.
Remember the performance problems with XML Serializer? Creating a new dynamic assembly each time the app was restarted for XML Serialization? There is a new tool, SGen.exe that creates the temporary serialization assemblies for you.
Here are the XML Attributes used to control serialization:
XmlRoot – Controls the XML root. ElementName, namespace..
XmlElementAttribute – Serialize the field/property as an element in the XML document.
XmlAttributeAttribute – Aside from being the victim of strict naming conventions, it tells the XML serializer to serialize field/prop as an attribute in the XML document
XmlIgnoreAttribute – Tells the XML Serializer to omit the field/property.
XmlEnumAttribute – Controls the name of an enumeration member (Not the enum name, a member of the enum)
XmlTextAttribute - Tells the XML Serializer that the member contains raw XML text.
XmlTypeAttribute - Controls the XML Schema (XSD) that is generated by the XmlSerializer. Used to specify other namespaces and types when serializing.
XmlIncludeAttribute - Allows the XmlSerializer to recognize a type when it serializes or deserializes an object. Used when deserializing custom types.
XmlChoiceIdentifierAttribute - Tells the XML Serializer that the type should be XSI:Choice. Used in conjuction with an enum field/prop in the class to tell the serializer where to get its info from.
XmlArrayAttribute Class - Specifies that the XmlSerializer must serialize a particular class member as an array of XML elements.
XmlArrayItemAttribute – Specifies the types that are contained in an XmlArray. This is used when you are serializing polymorphic classes .
XmlAnyAttributeAttribute – Any attributes that are not matched up during deserialization is placed in the field decorated with this attribute. Field must be an array of XmlAttribute.
XmlAnyElementAttribute – Any elements that are not matched up during deserialization is placed in the field decorated with this attribute. Field must be an array of XmlElement.
XmlNamespaceDeclarationsAttribute – Decorates a field that returns XmlSerializerNamespaces. That field will be use to get namespace prefixes during serialization.
XmlSchemaProviderAttribute – "When applied to a type, stores the name of a static method of the type that returns an XML schema and a XmlQualifiedName that controls the serialization of the type. " Used by WSDL.exe to return the schema for the class. Target class must implement IXmlSerializable. New to 2.0.
XmlSerializerAssemblyAttribute – Specifies the name of an assembly that the Xml Serializer can use. If specified, the Xml Serializer doesn’t need to create a temporary assembly. New to 2.0
XmlSerializerVersionAttribute – Signifies that the code was generated by the serialization infrastructure and can be reused for increased performance, when this attribute is applied to an assembly. I’m not sure I should use this attribute. I think this is used by code produced by sgen.
To completely control the XML Serialization of an object, you need to implement IXmlSerializable. This is not a new interface. In 1.1, the instructions where as follows: "not intended to be used directly from your code. Basically, you implement the ReadXML and WriteXML methods and you're done.
Here are the delegates and events:
UnknownAttribute event - thrown when the serializer encounters an unknown attribute. By default the Xml serializer ignores unknown attributes.
UnknownElement event - thrown when the serializer encounters an unknown element. By default the Xml serializer ignores unknown elements.
UnknownNode event -thrown when the serializer encounters an unknown node. By default the Xml serializer ignores unknown node.
UnreferencedObject event - section 5 of the SOAP document at w3c. Basically you can reference other object within the same Xml document. This event is thrown when it can't find the referenced object.
XmlSerializationCollectionFixupCallback delegate
XmlSerializationFixupCallback delegate
XmlSerializationReadCallback delegate
XmlSerializationWriteCallback delegate - All four of these delegates: "This delegate supports the .NET Framework infrastructure and is not intended to be used directly from your code."
Next post -> System.IO namespace
| |