.NET增强型客户端应用程序中的代码访问安全以及分发特性 (节选)
Code Access Security and Distribution Features in .NET Enhance Client-Side Apps
Jason Clark
This article assumes you're familiar with C#, Visual Basic .NET, and the CLR
本文需要您熟悉C#,Visual Basic.NET以及CLR。
Rich clients employ many of the features and conveniences of the operating system they run on, and the list of these features has been growing since the dawn of the PC. But as apps have migrated to the Web, the trend towards increasing client-side functionality has ground to a virtual halt. There are several reasons for this; chief among them are security and deployment problems. But that's all about to change. With the .NET Framework, you can participate in building the distributable rich client of the future.
      In this article, the author enumerates the pertinent features of .NET that will allow you to build safe, easily deployable controls. The features discussed include managed code, code access security, versioning control, Windows Forms classes, and isolation.. 
       本文中,作者列举了.NET的相关特性,使您可以建立安全,易发布的控件。这些即将讨论的特性包括托管代码,代码访问安全,版本控制,Windows Forms类以及隔离。
In all of the recent coverage of the Microsoft .NET Framework, I have yet to see discussed the return of the rich client. A rich client is any software running natively on a client machine. This includes traditional applications like word processors and spreadsheets, and also includes Web-deployed executables such as legacy ActiveX controls and the new Windows Forms controls. Examining the rich client requires a look at a number of seemingly unrelated features of the .NET Framework such as Windows Forms and security.
所有最近关于Microsoft .NET 框架的报道中,我还看到了有关富客户端回归的讨论。富客户端的意思是任何的软件全部运行在客户端机器上。这里包含传统的应用程序,如文字处理和空白表格程序,也包括基于网络执行的ActiveX空间以及新型的Windows Forms控件。检查富客户端的需求,似乎看起来和.NET框架的特性并无关系。
      So what makes the rich client rich? The rich client has access to the windowing and GUI features of the operating system on which it runs. This means drag and drop editing, toolbars and menus, animation, and all of the other bells and whistles. These are the features that are often difficult or impossible to implement using markup languages such as HTML or even DHTML.
      The rich client also has access to other local resources such as the file system, printers, and sound cards. Yet more and more software is being written with limited or no access to these features. Why is that?
      After I talk about what happened to the rich client, I will discuss trusted code and security as well as deployment of code that runs on the .NET Framework (managed code). These are the two features that play the most important roles in the rich client scenario. I will explore how .NET solves deployment issues and then cover other parts of the .NET Framework that provide a tool chest of features for developing rich client software. I'll also show an example that uses partially trusted code and code access security.
Where Did the Rich Client Go?
      Obviously, the rich client is not completely gone. I use Microsoft Outlook and Microsoft Word almost every day, both good examples of rich client software. However, while major software publishers publish software that fits this label, enterprise Web development is moving to Web interfaces handled completely by server-side processing. Of course, there are some good reasons for this trend; difficult deployment, isolation, and security models are a few of the unfortunate reasons for the shift away from the rich client. Fortunately, the .NET Framework goes a long way to alleviate these problems.
       很明显,富客户端还没有完全消失。我几乎每天都在使用Microsoft Outlook以及Microsoft Word,两个富客户端软件很好的例子。但是,当主要软件供应商都符合这个条件的时候,企业级WEB开发完全转移到完全由服务器端处理的WEB界面上。当然,对于这个趋势有一些很好的解释:部署困难、孤立以及安全模块因为一些不幸的原因从客户端移除。幸运的是,.NET框架通过长时间的发展缓和了这些问题。
      Let's start with deployment and installation. You've heard the term DLL Hell applied to the situation in which the installation of one application causes another to fail due to incompatibilities in updated versions of one or more DLLs. The sheer number of installation scenarios that need to be tested and tweaked before deploying applications and the deployment nightmares that can turn up later cost both the software publisher and the customer considerable time and money.
       让我们从部署与安装开始。您也许听说过DLL Hell,由于一个应用程序的安装更新了一个或者多个的DLL文件造成了其他软件因为DLL文件的更新而触发的不兼容错误。所有的安装方案在部署应用程序以及部署造成后期另软件供应商与客户花费相当多的时间与金钱的噩梦之前进行测试。
      Meanwhile, deploying a new Web page to a user's desktop is unlikely to affect the user's existing OS and application installations. In fact, from the system's point of view the same software is being run: the Web browser. It's no mystery why software publishers have been migrating their products to server-side Web-based tools, often at the cost of some functionality to the user. I will show you how the .NET Framework eradicates the deployment issues that have plagued you since the inception of the DLL.
      In an enterprise environment, deployment of rich clients is the primary issue. The Internet has two major considerations: compatibility and security. The .NET Framework is built to alleviate both of these issues to some degree.
      One reason not to use ActiveX controls in your Web-deployed software is security. The best-case scenario is that the user is presented with a confusing dialog box asking if they trust the software published by a certain publisher. Each time a user clicks the yes button they could possibly undermine their system. If the user says yes, then that ActiveX control can do anything on the system (it has as much access to the system as the user does). This means that a malicious control can undermine a user's system, and even a well-intentioned (but buggy) control can cause serious security problems. The bottom line is that up until now the rich client hasn't fit well into the world of Internet-deployed software.
.NET Framework to the Rescue
      Managed code strives to solve these problems. You can deploy a managed application in exactly the same manner that you would deploy a Web site. The Common Language Runtime (CLR) uses a new component-binding functionality for referencing managed assemblies (the managed version of a DLL) that alleviates versioning and DLL concerns.
      Managed code can run in a partially trusted state meaning that the code can perform functions such as drawing graphics and windows, creating toolbars, implementing drag and drop, and persisting data to the hard drive. Meanwhile, partially trusted code can be barred from general access to the network and file systems, access to the registry, and other protected resources of the system. All of this comes without ever asking the user if they trust the code contained in the control. This is a huge step forward.
Partially Trusted Code
      Before getting too deep into this topic, let's take a look at a simple example of partially trusted code. The code shown in Figure 1 is a very simple managed application written in C# that outputs the contents of a text file to the console window. As a matter of fact, the meat and potatoes of the application are in the second and third lines of the Main function, where an instance of the StreamReader object is used to retrieve the contents of a file, which is then written to the console.
Figure 1 Partially Trusted Code
// Source for FileToConsole.exe
using System;
using System.IO;
using System.Security;
class App{
   public static void Main(String[] args){
         StreamReader sr = new StreamReader(args[0]);
         Console.WriteLine("FileToConsole does not have sufficient"
            "security privileges to access the file!");
   static private void Usage(){
      Console.WriteLine("Usage:   FileToConsole [FileName]");
      Unspectacular though it may be, this application demonstrates one of the most interesting features of managed code: code access security. To try this out, follow these steps: build this application into an executable file, and run it once from the command line, passing the name of any text file as the argument, just to see it work. Now copy the executable to a shared volume on the network or better yet, map the directory on your local system where the file lives as a network share, using the command-line utility net.exe:
net use * //[machine name]/c$/[directory]
This will map your directory to a drive letter. Now, rerun the executable, and this time do it from the newly mapped drive. You should still reference the same file as the one you used on the previous attempt (using the local rather than the mapped drive letter).
      You should see a message that states that the application failed to open the file due to lack of security privileges. What really happened is that an exception of type SecurityException was thrown when the application attempted to instantiate the instance of StreamReader. The application then caught the SecurityException and displayed the error message to the console.
       您应该看到一段关于应用程序由于缺少安全权限而无法打开文件的状态消息。实际发生的是当应用程序试图创建StreamReader实例的时候一个SecurityException类型的异常被抛出。之后应用程序抓取到这个SecurityException 并且在控制台中显示出错误信息。
Code Access Security
      Code access security is a very powerful feature. It allows systems to be configured to execute partially trusted code without prompting the user. In fact, this is the default setting. Meanwhile, the partially trusted code is only allowed to do things appropriate to its level of trust.
      Before moving forward, I would like to clarify a couple of points. The system decides what privileges the application, or more specifically the managed assembly, is allowed based on the location of the assembly file. This is why the assembly file has different abilities when it is launched from an enterprise share as opposed to the local machine. (It is also important for you to note that managed security policy is very configurable.)
      Also, the abilities of the FileToConsole.exe file are not entirely based on the logged-on user account. Although restricted by this, code access security further restricts the application depending on where it came from. This ability will remove the user's fear of running code from the Internet. Furthermore, code access security is more flexible and robust than a sandbox, although it can be used to solve similar problems.
      Before setting the FileToConsole.exe aside, I would like to mention one other test you can try. If you launch the file from a share, let's say from the x: drive, then you are not allowed access to files on your local system. If you pass a file name relative to the x: drive, for example x:SomeText.txt, then the application will succeed because the file comes from the same location as the application. This further demonstrates the real flexibility of code access security.
      Code access security is used throughout the .NET Framework class library. It is the backbone of partially trusted code and is not restricted to file access, but rather affects everything from network access to windowing and more. When you use it in your own component code, users will be able to execute code regardless of origin (such as from an Internet site), and their systems will remain safe. This allows you to write code that is featureful, executes in native machine language, and is distributed across a LAN or even over the Internet. You can take advantage of this feature with only a minimal exposure to the underlying mechanics of code access security.
      All managed code, whether it is a standalone application, a control, or a DLL full of reusable types (or some mix of all of these), is packaged in a unit called an assembly (the unit of distribution, versioning, and security for managed code). For now, think of an assembly as a managed DLL or EXE file. When an application references a type or code from another assembly, the CLR must locate the file or files for the assembly and load them into your process. At assembly load time, the CLR associates security permissions with the newly loaded assembly based on evidence including, but not limited to, the location from which the assembly is loaded.
      Once the permissions are associated with the assembly, they will affect what the code in the assembly can do for the life of the application. Amazingly, an application can be comprised of multiple assemblies, each of which may be allowed or disallowed the use of different parts of the system based on the differing evidence found for each assembly.
      If this is starting to sound a little confusing, perhaps an example will help. Suppose you have written a managed executable named MyApp.exe that is installed locally. MyApp.exe also references another managed assembly named Types.dll that is installed on a network share. The reason to reference another assembly is simply to make use of a type in that assembly, so let's assume that the SomeTypes.dll assembly includes the implementation for the CoolType class.
      Your main assembly is MyApp.exe and is stored on your local file system. This file is likely to contain the definition for several classes, including one that implements the static Main method that is used as the entry point for your application. Because MyApp.exe is stored on your local file system, all of the methods in all of the types in your assembly have total access to the system.
      When a thread crosses the assembly boundary from MyApp.exe to Types.dll, the security will be restricted to the permissions awarded assemblies found on network shares. The thread crosses this boundary simply by calling into a method, constructor, or property in a type (such as CoolType) implemented in Types.dll. When the method eventually returns, the security permissions will be those of the more privileged MyApp.exe.
      Code access security is a stack-based algorithm. The abilities of the code differ depending on the location of the instruction pointer in the managed application. The system is able to detect which method is attempting to perform a protected action and then, depending on the permissions of the assembly in which the method exists, allow the action to be performed or throw an exception of type SecurityException.
      There are two significant points about code access security. Code that works great when launched from a local drive may begin to throw security exceptions when launched from a network share or when run as a control embedded in an HTML page. This is because your assembly no longer has the unbridled access that it enjoyed when run from the local drive. Furthermore, code access security eliminates the need for messy dialog boxes asking users whether they trust your network or code downloaded from the Internet. Your managed code will just run (albeit with limited system access). This makes your code more useable and is one reason why the rich client is back in use.
      If your software is going to be distributed over any kind of network, then it is likely that it will be partially trusted. This means that certain features of your application, such as file access, are likely to begin causing security exceptions. Your software should be able to recover from the security exceptions that might arise from its normal behavior as well as alter its functionality seamlessly.
Isolated Storage
      Sometimes your partially trusted code simply needs access to the file system without prompting the user for permission. Perhaps your code needs to cache user settings or a temporary data file but the default security cannot allow network-deployed code to access the general file system. The solution to this is a feature called isolated storage.
      Isolated storage is a great feature of the runtime. In fact, you should use isolated storage for storing your user configurations for managed applications regardless of whether your software is partially trusted. If your software is running in a Windows domain that supports roaming profiles, your user's isolated storage share will roam with the user's profile.
       隔离存储是运行时的一个重要特性。事实上无论您的软件是否是半信任的,您都应该使用隔离存储来存储您的用户的托管应用程序的设置。如果您的软件运行在一个支持概要漫游(roaming profiles)的Windows域中,您的用户的隔离存储共享将会随着用户的概要而漫游。
Troubleshooting Browser Control Code
      Browser controls are a very cool application model for certain types of software. Before addressing some of the problems that can occur with browser controls, I would like to give you a general word of advice. To the extent that it is possible, write your browser-deployed code so that it can also be executed outside of the browser host. The security permissions will differ, but you can use the Zoner.exe tool to address this. Getting the core functionality of your code up and running is much more doable if you are executing your code from the debugger outside of the browser. That said, you are still likely to run into some snags, so I hope that the following tips will help.
      Although it is generally unacceptable to write code that catches the base exception (System.Exception), with browser controls you have no choice. Owing to security restrictions, you cannot register an unhandled exception handler, and therefore all of your virtual method overrides and all of your public methods and constructors must catch System.Exception. Otherwise, the exception is caught by the class library (or worse, the host), and the user will be presented with a dialog box in the best case and a missing control in the worst case. I suggest creating a method that logs exception information and calling that method in the catch block of your exception blocks. This way you can find the unexpected exceptions during the testing phase and address them in some manner more appropriate than a catch for all exception types.
      The next tip is about virtual root settings. Surprisingly, if the IIS virtual root is set to allow execute permissions of "Scripts and Executables," your managed browser control will not be hosted by the browser because IIS will treat dll or exe like an ISAPI and try to run it. Setting the execute permissions for the virtual root to either "Scripts" or "None" will allow your control to be hosted.
      If your Control-derived type is not marked as public, and if it does not have a public default constructor, then it will not be hosted in the browser.
      Although Form is derived from Control, your browser control cannot be derived from Form. If it is, the host will refuse to embed your control in the page.
      Some security restrictions do not show themselves as a SecurityException. For example, if your type overrides WndProc (a restricted feature), your type simply won't load in the browser. No exception is thrown because the code never even gets the opportunity to run.
      Finally, if the control is not showing up in the browser, it is likely that it is because the object's constructor threw an exception that was not caught. You can use a blend of exception handling blocks and MessageBox.Show calls to find out if, and to what point, your code is being executed. If the constructor for your object is not being called at all, then it is most likely having trouble finding the assembly or finding the control type. In addition, the virtual root settings might also be wrong.
The Rich Client in the Future
      The possibilities for managed code as it matures are many. The infrastructure that code access security and CLR deployment bring to the table enables some cool possibilities. For example, clients that execute code such as Outlook and even Internet Explorer itself can be modified to allow administrators to enable the execution of managed code only. In systems where this is the case, users can freely execute attachments in mail messages as well as code across the Internet without worry of viruses or Trojans. Meanwhile, managed code executes in native machine language and enjoys rich access to OS features.
       托段代码随着它自己的成长,将有跟多的可能性。在代码访问安全以及CLR部署的基础上带来更多更酷的可能性。比如,客户端可以执行代码,比如Outlook甚至是Internet Explorer本身可以修改,允许只有管理员开启托段代码的执行。在这个实例的系统下,用户可以自由运行邮件信息中的附件以及在没有病毒与木马的担忧下访问英特网。同时,托管代码以本机语言执行,访问并享受丰富的操作系统特性。
      As the .NET Framework and managed infrastructure matures so will the rich client application. There are many exciting features yet to come. Meanwhile, the functionality available today allows you to create very compelling applications.
      The browser control and partially trusted code open the door to some very interesting possibilities using managed code. Enterprise applications can be installed on a share in the network and no more than a shortcut needs be deployed to the user's system. The code base can be updated on the share as needed without concern for installation and configuration problems.
      Meanwhile, browser deployed software can be as rich as any other application. For enterprise software the .NET Framework rich client is a real benefit since enterprise networks tend to enjoy the advantages of relatively homogeneous client machines and reliable bandwidth.


