Desaware Home
Products    Purchase    Publishing    Articles   Support    Company    Contact    



Contact Desaware and order today

Sign up for Desaware's Newsletter for the latest news and tech tips.

Desaware Articles

ASP.Net Hosting and Code Access Security

Learn how you can add flexibility and dramatically reduce costs for your hosted web sites.

Hosted solutions for web sites are becoming more and more popular. The increase in computer power, combined with lower costs for both performance and storage have resulted in dramatic reductions in the cost to host a web site. It's not unusual to be able to host a small or medium scaled ASP or ASP.Net web site for under $50/month.

The advantages of hosting are even greater when you consider administrative costs. Hosting services amortize the cost of backups, system updates and security over multiple sites and systems - costs which you have to bear yourself if you host your own sites.

Why then are some companies reluctant to use a hosted solution? Because historically there have been some crucial limits in what you can do on a shared host. One of those limits is in the use of components.

Any COM components you write for use with ASP are typically subject to added costs or restrictions by a hosting service. Obviously, such components are not permitted to access system resources, API's, the registry, or perform other tasks that could represent a security risk. In addition, a component that has a memory or resource leak could severely impact the system. For this reason, hosting companies typically insist on performing a code review before any such components are installed - and at prices that can easily reach $300/hour, this can quickly become prohibitive - especially if the component requires frequent updates.

The story changes when you switch to ASP.Net. First, ASP.Net components are not subject to the same kinds of memory leaks as traditional COM components. More important, a hosting service can accept ASP.Net components without requiring a design review. Why? Because of code access security.

With a COM component, once the component is installed on the system, it has full access to all of the resources of the system. The only way a hosting service can verify that it does not violate their security policies is to look at the code - an expensive and unreliable proposition. However it is easy for a hosting service to enforce their security policies in .NET. All they have to do is set the code access security policy for the component to restrict access to features they consider security risks. Code access security allows the .NET framework to tightly control access to almost every system resources. Any attempt by a component to access a secured resource will cause an exception.

This solves the problem from the perspective of a hosting service, allowing them to offer customers the ability to upload complex ASP.Net components and applications without requiring a code review. However, it adds complexity to the life of the ASP.Net developer: how do you make sure that your component complies with the security policy of the hosting service?

An effective way to do this is using a code access security testing tool. By plugging in a list of security restrictions provided by the hosting service, you can test your component's reaction not only to the entire security policy, but to each individual permission. This makes it easy to determine exactly which restrictions might cause problems, and identify the precise line of code where the security violation occurs.

Desaware's CAS/Tester makes it easy to test .NET class libraries and controls against a set of code access security permissions. It can be an effective way to test your code before uploading it to a hosted site, minimizing the chance that your application will fail or violate the terms of the hosting service. Better yet, once you have set up the test, you can quickly perform regression testing (retest after incorporating changes), allowing for rapid and safe updating of components as a site evolves.

For notification when new articles are available, sign up for Desaware's Newsletter.

Related Products:
Products    Purchase    Articles    Support    Company    Contact
Copyright© 2012 Desaware, Inc. All Rights Reserved.    Privacy Policy