Secure ASP.NET
LANGUAGES: ALL
ASP.NET VERSIONS: 2.0
More New Security Tools in Visual Studio 2005
IntelliSense in Zone, My.User, and the ASP.NET Configuration Tool
By Don Kiely
Last month I celebrated the launch of Visual Studio 2005 and version 2.0 of the .NET Framework with an introduction to some of the very useful new security tools and features (see New Security Tools in Visual Studio 2005). In this column, I ll continue with a look at a few more of my favorites.
IntelliSense in Zone
To be honest, Visual Studio has grown into what is sometimes a top-heavy tool that sometimes lumbers about falling over from its own bloated mass. That s a bit cynical, I know; but nevertheless, it is a great boost to productivity and one of the major reasons is its IntelliSense. (If you ve been writing code under a rock for the last millennium, IntelliSense is that list that pops up when you type a class name in the code editor and hit the period to add a property or method name.) I ve discovered that I m not the only developer who uses it as a form of mini-documentation, relying on it to find objects, properties, and methods when I can t remember or never knew the right feature to use. IntelliSense is almost always there; when it s not, it almost always means that I ve misspelled something or am trying to do something that isn t possible at that location in my code.
One of the problems in earlier versions of Visual Studio is that IntelliSense was sometimes a bit misleading, particularly when it came to security issues. One of the main problems is trying to use an object or one of its properties or methods that would cause a security exception when partially trusted code is run. Classic IntelliSense will display the class and its properties and methods whether or not they would cause security problems. For example, some ASP.NET trust levels don t allow Web service calls and the CLR doesn t grant that permission to the assembly. In that case, Web service-related classes and features are grayed out so you won t be tempted to use them.
But in Visual Studio 2005, you can specify a zone in which the code will run. When you do that, IntelliSense will gray out any items that require permissions the code won t have by virtue of being run from the specified zone. This is a great help in writing secure code, since you re never tempted to use the problem features.
Alas, IntelliSense in Zone is only available in Visual Basic 2005. This is one of many examples where the VB team has worked to make both the language and development environment more productive.
A related feature, Debug in Zone, lets you run and debug the application from within Visual Studio with the permissions the code will actually have at run time as a partially trusted application, even if you are working as an administrative user. This is another way that Visual Studio helps you write code that will run in lesser privilege environments. In fact, it is now far easier to use Visual Studio as a mere user a member of the Windows Users group rather than Administrators to develop almost any kind of application.
My.User
Visual Basic developers have another reason to be happy with their language choice. My.User is a much ballyhooed feature that makes it far easier to use the .NET Framework and Win32 API for common tasks. For security, My.User provides hooks into the security context of the principal running the code, whether that is an individual user or the ASPNET principal. It provides properties such as IsAuthenticated, CurrentPrincipal.Identity, IsInRole, and Name. These won t save reams of code, but it makes it much easier to remember how to get that information. And the easier something is, the more likely it ll be used to build more secure applications.
ASP.NET Configuration Tool
I ve saved the very best for last in this short overview of new security tools. The ASP.NET Configuration Tool is a GUI on top of the ASP.NET Configuration Class that manages roles, users, and access permissions. You can reach this tool from the Visual Studio Web site menu item with an ASP.NET Web site open. (By the way, the first time you create an ASP.NET 2.0 site, don t be confused by the lack of solution and project files they re history.) This tool is a great way to set up the security settings for a new Web site or to maintain the settings. It is the foundation for many of the other security-related tools in ASP.NET 2.0, and you can access it in code to make writing secure code much easier.
For now I ll let you explore the configuration tool on your own. I ll have a lot more to say about it in future columns.
There are many more security features and tools in Visual Studio 2005, such as FxCop s static code analysis that is built right into Visual Studio, as well as a ton of tools in Visual Studio s Team System edition for code policy enforcement, code coverage analysis, load and stress testing, and security and other bug tracking. Take the time to explore these many features so that you can put them to use to build secure applications and make the world a safer place for computing!
Don Kiely, MVP, MCSD, is a senior technology consultant, building custom applications as well as providing business and technology consulting services. His development work involves tools such as SQL Server, Visual Basic, C#, ASP.NET, and Microsoft Office. He writes regularly for several trade journals, and trains developers in database and .NET technologies. You can reach Don at mailto:[email protected] and read his blog at http://www.sqljunkies.com/weblog/donkiely/.
