Hey guys how are you?

After long conversation with my work colleague, I thought that I need to sharpen the evidences about Application Domains - aka AppDomain.

By .NET environment, the concept of an application domain, or AppDomain known as a process. The AppDomain is both a container and a boundary. The .NET runtime uses an AppDomain as a container for code and data, just like the operating system uses a process as a container for code and data. As the operating system uses a process to isolate misbehaving code, the .NET runtime uses an AppDomain to isolate code inside of a secure boundary.

An AppDomain belongs to only a single process, but single process can hold multiple AppDomains. An AppDomain is relatively cheap to create (compared to a process), and has relatively less overhead to maintain than a process. For these reasons, an AppDomain is a great solution for the ISP who is hosting hundreds of applications. Each application can exist inside an isolated AppDomain, and many of these AppDomains can exist inside of a single process – a cost savings.

Lets take an example from the REAL life:
Assume that you had created 2 ASP.NET aplpications in the same server, what will happen intior the system?

Firstable, the ASP.NET process that runs the web application will run both the applications (you can find the process name in the task manager as aspnet_wp.exe in Windows XP or as w3wp.exe in Windows 2003. Each application will have its own AppDomain including its Cache, Application, and Session objects.
BUT, the code of the same application runs under the same process!

What about static members or shared classes? In this case, each ApDomain will have its own copy of the static members (fields), but of course, the data and code is not shared and will be held safely isolated and inside of a boundary provided by the AppDomain.

Load some new assemblies..
Suppose you want to load an updated dll into the application folder or subdirectory, the ASP.NET runtime will recognize it and and will start a new AppDomain because it cannot insert it to the running AppDomain, the result is that running requests will finish its work and after it they will work against the new AppDomain that holds the new dll and executing code.

Last word...
I think that one of the good adventages of the AppDomain is that you can allocate the wanted memory for your application (under its AppDomain) as much as you want (bounded by the process capability of course) and if there is a runtime crash, the rest of the applciations that runs over the current process will not crash.

I will glad to hear some comments and additions... :)

Hey guys, how are you these hot and exhausting days?? I am pretty OK, except for the heat...

If you didn't hear about the ReSharper yet, some words about it:
ReSharper is an add-on to Visual Studio 2003 and 2005, It comes equipped with a rich set of features that greatly increase the productivity of C# and ASP.NET developers. With ReSharper you get intelligent coding assistance, on-the-fly error highlighting and quick error correction, as well as unmatched support for code refactoring, unit testing, and a whole lot more. All of ReSharper's advanced features are available right from Visual Studio.

This add-on includes features like: Error Highlighting and Quick-Fixes, Advanced Coding Assistance, Numerous Refactorings, Navigation and Search, Unit Testing, ASP.NET Editing, NAnt and MS Build Scripts Editing. More details you could read in the link attached below.

So, you can try using this good add-on by downloading a 30-day evaluation from the jetbrains.com site here, and if you will like it I suggest to buy it (on your company account of course :))

Hello!

Yesterday while surfing on the web in purpose to find some interesting tutorials and innovations, I encountered with a nice article that has been written by my college's mate, Evyatar Ben-Shitrit.

This control derives from ListBox, supports a horizontal scroll bar, and yet behaves like the ASP.NET ListBox control. More in this article, he explains the creation of the ScrollableListBox custom control (written by him).

So, I recommend reading this one at thecodeproject web site here.

Fare well...

Hello!

I am still working on a big web application in work. I will glad to tell you about the application, but this is for other conversation. I am glad to say that we are close to the end of the project and doing now last fine tuning on it.

The thing that I had to deal with for the last days is all the issue with publishing application errors in orderly fashion to the event viewer. The reason of doing it is to get the ability of tracking in runtime, bugs, errors or exceptions that can be appear while the application is in production. In this case we don't have the CLR debugger to find what was wrong (if something happend of course...), so we must publish the exception to the system's event viewer or just  to a simple Log file (which less recommended then publishing to the system's event viewer).

Now, to the implementation (the imporatnt thing!!!)

In order to publish error to the event viewer, we need to use the Microsoft.ApplicationBlocks.ExceptionManagement assembly of Microsoft. This assembly expose us all the publishing tools that we will need to publish an errors (and more...).

In my web application, in global.asax file, in Application_Error method, I wanted to publish the exception to the event viewer. It is very important to do it there, because in every application error, like runtime errors, exceptions and actions that the application and systme doesn't know to deal with, this method is being called (by the application of course).

Now, before publishing the error to the event viewer, you need to distinguish between the different exceptions. Do it with your own information about every exception that is happening but, it is important to know that also in every response's redirect (Response.Redirect (" ... ", true) or server's transfer (Server.Transfer (" ... ", true) an ThreadAbortException is being raised.

By this example you can see the publish exceptions handling.

Now, do not forget to declare in the web.config file the appliation name and the exceptions pulishing handling:

<exceptionManagement mode="on">
        <publisher assembly="Microsoft.ApplicationBlocks.ExceptionManagement" type="Microsoft.ApplicationBlocks.ExceptionManagement.DefaultPublisher" applicationname="APPLICATION_NAME"/>
</exceptionManagement>

One more thing... you need to register this assembly with the appliation name in the registry in purpose to let the application all the rights to publish the error in the event viewer, if you won't do it, the system won't let you write to the event viewer and you will get the exception: The event source ExceptionManagerInternalException does not exist and cannot be created with the current permissions. security exception and you will spend planty of time trying to solve it :) (like me...)

How to register this to the registry you ask?

Open notepad and write there this code:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\APPLICATION_NAME]
"EventMessageFile"="C:\\WINDOWS\\Microsoft.NET\\Framework\\v2.0.50727\\EventLogMessages.dll"

Save this file with .reg extension and double click on it, this will register this to the system's registry.

So, bye for now...

Hello and good week to all!

These days I am starting to publish here (in my blog ofcourse) a series of articles that discusses with Web Serivces and the most important issue - Security over Web Services (using Microsoft technology ofcourse), because it is quite simple to write a web service that receives/retrieves data and 'do you thing...', but the complexity comes when you want to secure this data that runs over non-secured protocols or web-lines.

This article assumes that you are familier with web services, its porpuse and its implementation and assimilations, if not, you should read some basic tutorials before you start to read this article. (You can fine general example here).

Introduction
WS-SecurityProtocol defines all web services expansion security topics. Its goal is to let you build and use SOAP messages exchange in secured way. This term is quite flexble and it designed in a specific way in order to constitute the base of building a secured Web Service by the different security models like: SSL, Kerberos, PKI.
WS-SecurityProtocol supplies a full support for large number of security tokens, trusted domains, signature formats and encryption technologies.

This component supplies 3 basic mechanisms: Message Confindentiality, Message Integrity, Security Token Propagation. These mechanisms, each one by it own, doesn't supplies perfect security solution, therefore in actual fact, WS-SecurityProtocol builds a block that uses a combination of all there mechanisms and different enhancements to supply a perfect sucurity solution

Main Facts
Before I start explaining and showing the protocol's structure, I want to stand on the basic definitions and terms this protocol is uses:

• Claim - the client's claim (like: name, identity, key, group, rights and more...)
• Security Token - represent a set of tokens.
• Signed Security Token - this is a claimed and encrypted by a specific authority (like: Kerberos ticket or X.509 certificate) security token.
• Proof-of-possession - information that used by a specific "proof process" in purpose to describe the sender data.
• Integrity - a process that comes to note that the sent data hasn't changed while sending the message.
• Confidentiality - a process that comes to ensure that the data is protected and just specific authorized 'players' are allowed to watch it.
• Digest - an encrypted sum of the data sent stream.
• Signature - this is an encrypted communication between the Proof-of-possession and the digest. This action creates a symetric key and public signatures.
• Attachment - this is the physical data that is transfered using the SOAP messages, but is not a part of the SOAP envelop.

We want to ensure that the SOAP message is encrypted properly to avoid dangers, like:

1. The message could be readen and be changed by malicious user.
2. Malicious user can send fake message through the Web Service and by that to get secret information.

Message Security Model

The WS-SecurityProtocol works under the Message Security Model, that comes to prevent such cases like mentioned above. Its behavior is:

The Security Token declares on Claims and Signatures, this mechanism supplies a proof to the knowledge of the sender (in simple words, the data that the sender holds). In addition, the Signature can bind itself with the Claims in the Security Token (in assumption the token is secured).

Claim can be supported (or not) by "secured authority", which is a set of claims, which encrypted or digitally signed by this authority is usually represented by Signed Security Tokens. An example to Signed Security Token set is X.509 Certificate - which by this set of claims, the binding is executed between the client identity and the the public key.
Claim that is not supported by any "secured authority", can be secured only when the connection (binding) between the sender and the receiver is secured (secured line, like SSL etc...), for an example, they can agree on a specific message name that is accepted by both of them and by that only they will know that the message is meant for them (because they are both will look forward to get the same name).

Another type of non-secured claim (which is not supported by any "secured authority") called proof-of-possesion. As I descibed earlier, this term confirms that the user has "pieces" of knowledge that diagnosed by the other 'players' which related to it. For an example, lets take a look of username/password security token, the proof-of-possession here, combines another security token in order to confirm the sender's claim. I need to note here, that Digital integrity (see above if you already forgot) for a message can be used as a proof-of-possession, but in theis case it will not considered as a security token.

Message Protection

Another model that comes to prevent such cases as mentioned above (remember...?).
This model claims that all the messages that are being sent, supposed to be encrypted in order to not be negatively affected by hostile factors. The Integrity based message is supplied by leverage of an XML signature with security tokens, in order to notice that the messages has been sent with no data changes of bad influences. This mechanism supports many signatures and players.

A confidentiality (see above for a definition), based message, uses XML encryption with secutity tokens to ensure that the message's parts will be confidential.

In order to supply the the maximum security to the SOAP message, that we'll want to send, there is a need to build the XML file that includes all the filters and headers definitions.
The structure of the XML file includes the <Security> tag, which symbolizes the security definitions. Under this tag it is possible to define all the information about the message security issue.

An XML file cannot hold more that one security tag, this in purpose to allow that each tag (security XML) will taget to other destination. This tag and all its data under, represents the signature steps and the encryption type that the sender used with to send the message.

A typical WS-SecurityProtocol example:

Line 001 and 002, describes the SOAP envelope. Line 003 opens the headers definitions that describes the message. Line 004 to 008, describes the sending message type, the source and destination.

Line 009, open the Security's filters definitions. This label defines the security definitions that the receiver need to be up to (in order to watch the message ofcourse). This header label is closed in line 029.

Lines 010 to 012, describes the security token that message uses, here the usage is username token. (Here the assumption is that the password is well known by the service, and by that, only username is being sent).

Lines 013 to 028 defines the digital signature. By this example, the signature is based on the key that generated from the sender password. Lines 014 to 021, explains the digital signature. Line 015 defines how to normilize the sent information.

Lines 017 to 020, chooses the elements we want to signature. In this example (by line 017), we can see that the body is digitally signed (<s:Body> label, which you can see in line 031).

Line 022, holds tha signature value that derivated from the encrypted information. Lines 023 to 027, holds an information about the security token location, which combined with the signature. In more explicit, lines 024 - 025, defines that this token is located in a specific URL address.

Line 031 to 033 holds the message body.

That it for now. More tutorials at:

• http://www-128.ibm.com/developerworks/webservices/library/ws-secure/
• http://msdn.microsoft.com/library/en-us/dnglobspec/html/ws-securitypolicy.pdf

Comments will be appriciated...

Many articles and approaches claims that it doesn't matter what is the application security level, or what is the security level of the environment the application is stored in (like working under SSL using https protocol etc...), you should always save all passwords and secret data encrypted. That because there is always a chance, even little one, that someone could steal your confidential data.

There are many hashing functions and alogorithms, several are MD5, SHA1 and more... but, these algorithms are too old (compare to our modern days), there generates 'only' a 128 bits value, so the space of posible resulting values is 2¹²⁸ in size, which by creating a crack script, like the passcracking project the hash could be broken.

Because of these limitaions and cracking possibilities it is not recommended to use this type of hasing functions. Better solution you wiil see later... (hold on :) ).

One way Hash Functions

The following definitions are taken from the Bruce Schneier's Book: Applied Cryptography Second Edition:

A one-way hash function, H(M), operates on an arbitrary-length pre-image message, M. It returns a fixed-length hash value, h.

h = H(M), where h is of length m

Many functions can take an arbitrary-length input and return an output of fixed length, but one-way hash functions have additional characteristics that make them one-way [1065]:

Given M, it is easy to compute h.

Given h, it is hard to compute M such that H(M)= h.

Given M, it is hard to find another message, M’, such that H(M) = H(M’).

In some applications, one-wayness is insufficient; we need an additional requirement called collision-resistance.

It is hard to find two random messages, M and M’, such that H(M) = H(M’).

Now, by getting the main idea of the basic hashing algorithm by the Bruce Schneier's Book definitions, I want to show you better alternatives that comes to replace and enrich the old ones.

WHIRPOOL generates a 512 bits output, RIPEMD, uses 160, 128 or 320 bits output, but I want to focus in the SHA-2, function that generates 256, 512 bits ouputs, because there is available API in Microsoft.NET framework.

The main classes that implements this cryptografic algorithms are:

• System.Security.Cryptography.SHA256Managed
• System.Security.Cryptography.SHA384Managed

• System.Security.Cryptography.SHA512Managed

Now to the implementations. The following code below shows you an example how to use this function in porpuse to encrypt a password or just confidential data that you want to store hashed:

byte[] data, encryptedBytes;
string hashedPassword = string.Empty;

data = Encoding.Default.GetBytes(plainPassword);
System.Security.Cryptography.SHA256 sha2 = new System.Security.Cryptography.SHA256Managed();
encryptedBytes = sha2.TransformFinalBlock(data, 0, data.Length);
foreach (byte b in sha2.Hash)
   hashedPassword += Convert.ToString(b, 16).ToUpper().PadLeft(2, '0');

sha2.Clear();
// hashedPassword holds the hashed string

That's it, now use it properly and try to avoid as much as you can from brut attacking...

Hey all, how are you?

I bumped on very strange and awkward thing while working on Visual Studio 2005, you can see the pic attached:

Are you familier with this??? :)

p.s
This thing vanished just after I restart my Visual Studio, funny!

Didn't I tell you that I love .Net 2.0? If I didn't I am saying it now...

This is new a method in .NET 2.0, but who plays with it should know it by now. Instead of working hard trying to sort a collection (or a list which is a descendant of it) of some entities, now you have the Sort method, which does it for FREE and in better performence.
Any case I decided to show a simple example to whom that doesn't know it or just want to be impressed again from it.

* Comment: I assumes in this post that you are familier with Generics and delegates.

Let's assume that you have an entity structured like:

public struct Entity
{
   private int _id;
   private string _name;

   // and more...

   public int Id
   {
      get{return _id;}
      set{_id = value;}
   }
   public string Name
   {
      get{return _name;}
      set{_name = value;}
   }
}

Now, suppose you have a list of these entities and you want to sort it by their name and display it sorted. Follow the example code below and see how it easy using anonymous delegate: