Robert Hurlbut Blog

Thoughts on Software Security, Software Architecture, Software Development, and Agility

.Net and ES/COM+ Security

Friday, November 14, 2003

 .NET  ASP.NET  COMPlus EnterpriseServices  Security 

Regarding my earlier question about .Net and ES/COM+ security, I found this older article from the MSDN docs that describes the relationship:

Interoperation with COM+ 1.0 Security

You can extend an existing COM+ 1.0 application with new .NET Framework managed components. The COM+ 1.0 security context is still managed by COM+ 1.0, and the COM+ 1.0 administrative user interface is used to configure the application. Basically, from a COM+ 1.0 application, .NET Framework objects look like COM+ 1.0 objects.

To make .NET Framework objects visible to COM+ 1.0 security services, you must run tools (such as Tlbexp.exe) supplied by the .NET Framework SDK to generate type libraries for the public interfaces and register the objects so that COM+ 1.0 can locate them. COM+ 1.0 administrative facilities must be used to configure roles and other role-based security behavior.

There are some limitations to COM+ 1.0 security interoperability. COM+ 1.0 security properties are not propagated across process or machine boundaries or to newly created execution threads within managed code. [Emphasis mine] COM+ 1.0 security services can only be used by managed code on Windows 2000 systems.

The .NET Framework provides several managed wrappers in the System.EnterpriseServices namespace that allow access to COM+ 1.0 security features.

I have not found any specific COM+ 1.5 information that gives a different spin on this (as you may know, COM+ 1.0 is used on Windows 2000 only, and COM+ 1.5 is used on Windows XP/2003 only).

On another note, I was able to successfully create an ASP.NET demo page this week marked with Partial Trust, and created a sandbox wrapper GAC assembly marked with the “AllowPartiallyTrustedCallersAttribute”, and called a Full Trust ES/COM+ component. Next, I am testing the best way to set up security through all layers when you use ASP.NET and ES/COM+. More to follow ...

Out of curiosity, has anyone else looked at Partial Trust ASP.NET pages and the issues you deal with (i.e. sandbox wrappers, etc.)? What have your experiences been so far?
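
The sandbox wrapper arrangement described above, as an added C# example that is not the author's demo code: a GAC assembly marked with AllowPartiallyTrustedCallers exposes one narrow operation, authorizes its caller with a demand, and only then asserts permissions around the call into the full-trust serviced component. The names Demo.Components.OrderComponent and Demo.Sandbox.OrderGateway, the Medium trust level, and the unrestricted assert are assumptions made for illustration.

```csharp
using System;
using System.EnterpriseServices;
using System.Security;
using System.Security.Permissions;
using System.Web;

// Removes the implicit full-trust LinkDemand so the partial-trust page can call this GAC assembly.
[assembly: AllowPartiallyTrustedCallers]

namespace Demo.Components   // hypothetical; in a real deployment, its own assembly WITHOUT APTCA
{
    // Full-trust ES/COM+ component; roles are configured in the COM+ catalog.
    public class OrderComponent : ServicedComponent
    {
        public string GetStatus(int orderId) { return "Order " + orderId + ": shipped"; }
    }
}

namespace Demo.Sandbox      // hypothetical wrapper assembly, strong-named and installed in the GAC
{
    public sealed class OrderGateway
    {
        private OrderGateway() {}

        // The only operation exposed to partial-trust callers.
        public static string GetStatus(int orderId)
        {
            if (orderId <= 0) throw new ArgumentOutOfRangeException("orderId");

            // Authorize the caller first: this demand walks the whole stack, so a
            // caller below the assumed Medium trust level is rejected before any assert.
            new AspNetHostingPermission(AspNetHostingPermissionLevel.Medium).Demand();

            // Stop later stack walks at this frame. Unrestricted is an assumption;
            // narrow it once the permissions the call actually demands are known.
            new PermissionSet(PermissionState.Unrestricted).Assert();
            try
            {
                using (Demo.Components.OrderComponent c = new Demo.Components.OrderComponent())
                {
                    return c.GetStatus(orderId);
                }
            }
            finally
            {
                CodeAccessPermission.RevertAssert();   // never leave the assert active
            }
        }
    }
}
```

Because the assert hides the page's limited grant from everything below it, the wrapper's public surface is the trust boundary: keep it to specific operations with validated arguments rather than a general pass-through to the component.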
