If you define a web service param as byte[], it should be serialized as
base64. If you want to do it by hand, you can use a string parameter and
do Convert.ToBase64String() and Convert.FromBase64String().
Does that help?
-Original Message-
From: jeff Hughes [mailto:[EMAIL PROTECTED]
X509Certificate has two methods that get the public key. One returns a byte
array, the other returns a hex string. All well and good, but there's no
clear way to use these key formats in the AsymmetricKeyExchangeFormatter
classes.
Well, hopefully someone more familiar with the managed
I can't help but notice the docs for System.Security.Cryptography are
relatively sparse. It seems this branch of the framework is somewhat lacking
in details.
Agreed.
Hopefully it will be fleshed out later on, but for now I'm going to leave
the X509 certificate stuff alone and use .NET
// The following code is faster
for(int i = 0; i 1; ++i)
{
// do anything here ... Console.WriteLine, assign i to another variable,
// it doesn't matter
}
// than this code
for (int = i; i 1; ++i)
// do anything here ... Console.WriteLine, assign i to another
Rendering when the screen redrew or was invalidated worked fine (as a
Dialog), it's just when you had a loop to render as fast as possible that it
would not trigger close events.
Sounds like we're in violent agreement. :) So you just added an
Application.DoEvents call in the render loop to
I can't say I totally understand your question. But I've written
controls that use Direct3D. Other than the fact that I'm not dealing
with Device loss due to screensaver startup, it works great for me.
Check out [1] for the code if you'd like to look at it.
Also, to answer the question I think
D'oh! Forgot the reference to the code:
http://staff.develop.com/candera/intelarticle.htm
You can read messages from the Advanced DOTNET archive, unsubscribe from Advanced
DOTNET, or
subscribe to other DevelopMentor lists at http://discuss.develop.com.
That's not the most earth-shattering way of doing things, but it should slow
down any script-kiddie that gets the password file; he will have to append
the username to every password try on every different table row. It also
makes the salt different for each user, but is easier to
you should consider encrypting that fixed random salt with dpapi :)
I have to assume you're joking. Right?
The more I think about it, the more I come to realize that the salt
should never leave the server. It adds nothing, and takes away
something. Its whole purpose is to make it somewhat harder to perform
dictionary attacks against the password database. Transmitting it on the
wire is just going to
This seems rather strange to me. Why would I want my manifest in a
separate file? In what situations would you use .netmodules irl?
One of the most common uses seems to be to delay loading of rarely used
code until it's actually needed (if ever).
Actually, I think the only really useful
There is a thread in the old DotNet archive that talks about
how to protect against replay attacks without using SSL. I
believe it has to do with the client requesting a token from
the server, then hashing the token with the password and
passing that to the server on a second trip.
I'd
Err, I think your protocol is still subject to dictionary attacks
against weak passwords. E.g., I'm Mallory, I intercept
{h(h(P+S), N), S, N}
all of which are sent cleartext, then use a dictionary attack to recover
P by simply permuting P values and computing
h(h(P+S), N)
until he gets a
Hmm. Well, I've been playing with it rather a lot for the last month or
two (I've got some code up at [1]) and from what I can tell, it's not
really removing COM Interop per se. It appears to be a MC++ wrapper
around the existing COM interfaces. So there's still a .NET-COM
transition. Luckily, you
I thought Soundex had nothing to do with Sound, but a way of finding
string matches. Craig, maybe I am confused?
No, no, apparently I am the one who is confused. I have DirectX on the
brain recently. :p
Nothing like having a mailing list where you can say dumb things to
people ever so much
Hmm, this is not what I expected but is less work on their part since so
much has been invested in COM and so much of DirectX is COM based. I
would have expected, as I have done several times, to take the body of
C++ code and wrap the raw C++ code itself with a MC++ wrapper. This is
much
I connect to MSDE databases named .\VSdotnet2003 and .\netsdk all the
time. That may not be much help to you...
-Original Message-
From: Martin Welch [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 18, 2002 4:18 AM
To: [EMAIL PROTECTED]
Subject: [ADVANCED-DOTNET] SqlConnection
One of the things I think it's important to realize is that there's a
big difference between load balancing and clustering. Depending on
whether you want scalability or availability, and depending on whether
you want a stateful or stateless system, you might choose one over the
other. Check out
It would be nice if I could do something like:
X,A1 x1 = new X,A1();
X,A2 x2 = new X,A2();
I've tried and can't find a way to do this, but maybe I'm missing
something.
You're not missing anything. The C# and VB.NET compilers are
fundamentally broken (in the sense of missing a crucial
Very interesting. But I have some questions.
Next, logon as each given user so it has a profile, load a PKCS#12
certificate into their respective Personal store so they have a public and
private key, and load the X509 public keys of all the others users as well.
Of course you must
hi there
I've been given a job to handle the security aspects of big banking
application.
Step 1) Read Secrets & Lies
Step 2) Realize, after reading the book, that unless you're an expert in
cryptography, you're probably not qualified to build a secure system.
Seriously. The book is a
Why exactly do you believe that role-based security is not an appropriate
solution for your problem? Role-based security allows you to demand that a
user be a member of a particular role or have a particular identity. Is it
possible that in your research you missed the point that a
Hi,
I'm creating a dynamic assembly [1] and I need to serialize it. The
exception [2] says that it cannot be done because the assembly must be
physically saved on file system. Is there any workaround to serialize a
type from a dynamic assembly. I know that XmlSerializer works on a
I think the problem comes down to calculating the SHA-160
hash of 2^63 (on average) public keys. Someone else might
know how much CPU that would take. Presumably it's not
prohibitively expensive, since MSFT makes the CLR do it
once every time it loads a signed assembly.
But you also
I would modify that statement:
It does not look like relying on the CLR to ensure assemblies have not
been tampered is a viable solution.
This is only true *in the absence of a secured underlying platform*.
IOW, don't bother relying on the CLR if you don't secure the OS.
However, If you do
Hello;
I'm learning .NET and trying to develop a well done way to work.
You should totally read Transactional COM+ by Tim Ewald. Not for any
of the COM+ details, but for the absolutely fabulous discussion of the
impact of the type of design you propose on performance. Chapter 1 in
particular.
I figured out that the problem arose from the fact that my interface was
implemented both in a specific assembly AND in the generated dll. The
compiler always took the interface in the dll - so the compiler says - and
BANG. Do you happen to know how to tell VS.NET what assembly to take
I've tried marking the Log class with both:
[Transaction(TransactionOption.NotSupported)]
and
[Transaction(TransactionOption.Disabled)]
But this (unsurprisingly) made no difference - how can I shield the log
calls from the transaction taking place?
Actually, that is surprising.
I don't find any conceptual difference between Mutex and Monitor. Can
someone tell if there are any ?
Mutexes can be named, making them usable across process boundaries.
Monitors have Pulse and Wait functionality, making it easier for you to
lessen the risk of thread starvation.
I suspect
This talk of Mutexes and Monitors brings Semaphore to mind. What's the
difference between a Semaphore and Mutex/Monitor?
Well, one big difference is that we don't have Semaphores in the CLR
Libraries. :)
I assume you wrote something like this:
<%@ WebService language="C#" class="MyService" %>
using System.Web.Services;
public class MyService
{
    [WebMethod]
    public string TranslateToCanadian(string English)
    {
        return English + ", eh?";
    }
}
and saved it into helloworld.asmx ?
-Original
Interesting find! The compiler forgets to take the assembly identity
into account when doing the type checking. If you look at the IL code
for Client.Main it is obvious what is going wrong:
Yep. The fundamental problem is that C#/VB.NET give you no way to
indicate at the source level which
-DOTNET] CAS: what's the diff between FullTrust and Everything permission
sets?
Craig Andera [mailto:[EMAIL PROTECTED]] wrote:
Yep. The fundamental problem is that C#/VB.NET give you no
way to indicate at the source level which assembly you're
working with. This is going to bite people
Isn't this why we should be using interfaces? Instead of passing
Customer, Account, and Loan around, pass ICustomer, IAccount, and
ILoan around. Now as long as V2 of Customer implements ICustomer
completely things are good. If there are new properties that need to
be added to CustomerV2,
Well, I also have to deal with XP home edition. Plus the network admins
wouldn't like 1000 open IIS servers. It'd just make the LAN an attractive
target for hackers. The application needs to be simple and relatively self
sufficient. If I use IIS, I have to give directions to Joe Average on
I'm writing a secure P2P application for internal use for file sharing.
Because of budget constraints, it wouldn't be feasible to buy new dedicated
server hardware. But it needs to be secure, so files cannot be intercepted
by packet sniffers. I have the following requirements for the
Interesting. Can you say more about your tests? Is it a do-nothing call?
Are the methods virtual? What language are you writing in? Are your
classes deriving directly from Object, or do you have a hierarchy where
the bottommost class is sealed?
I'd believe it for virtual methods, since that
1. What if you decide to use Oracle instead of MS SQL? Since the Business
logic hasn't changed there is no need to touch any part of that code but the
Data layer is now going to have to change where and maybe how it pulls the
data. Keeping the layers separate guarantees that the Business
Hmm. Here's the thing, though: if you want to minimize database
roundtrips, you have to have sprocs that know what the business layers
wants. Which means that the data layer has to know, too. Which means
that the business layer is essentially coupled straight to the database.
It sounds like
In many (maybe most?) enterprise systems, tiers are built by different
developers. E.g. HTML/ASP/ASP.NET is written by one guy, business logic
(VB com(+), VC/ATL com(+), C#, VB.NET) by another, and database structure
and stored procs - by yet another.
Yet, for scalable systems, when
I'm not sure I entirely follow what you're saying. I was talking about
physical layers. Were you referring to them as logical layers?
If so, I'm opposed to a separate data layer, where said data layer
consists of a set of objects. I think that the mid-tier (i.e. what the
presentation layer talks
The failed state tests the connection and it looks good, so he turns
everything back on, but then when the .fill tries to re-run I get:
There is already an open DataReader associated with this Connection
which must be closed first.
Is that from another connection in the pool? Do I need to
Yes, there's a story. Yes, we're encrypting before sending (for Craig).
The reason for using NT domain usernames is (quite plainly) we already have
them, so let's use them. The reason for a distributed security model is so
no one else will reinvent the wheel. Basically, we're looking at a
Sounds like he has a mandate made for other than technical reasons that
says thou shalt use a domain controller/ActiveDirectory as the
authentication database. Which would eliminate Passport as an option, I
assume.
But I totally agree with you:
1) Reuse
2) Buy
2.5) Look again for something you
platform will come around to his vision eventually.
Doug
-Original Message-
From: Craig Andera [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 16, 2002 9:26 AM
To: [EMAIL PROTECTED]
Subject: Re: [ADVANCED-DOTNET] Why aren't web services built on remoting?
Is there any
Is there a way to get round this (without creating a set accessor in the
interface/NormalUser object and throwing an exception in its method) -
properties in reality are functions (right?) so I should be able to do this
from the CLR's point of view.
I haven't tried this recently, but I
strConnection = ConfigurationSettings.AppSettings["northwind"]
how do I name the .config file so it will associate itself with my app
Two things:
1) It's appSettings not appsettings.
B) Name the file app.exe.config if your application is app.exe. Name it
gurgle.exe.config if your application is
That's what I was thinking as well (except I would set the minimum to 1,
not the maximum, right?). With a COM+ object pooling solution, you
aren't tying yourself to ASP.NET. Sure - each pooled object is going to
have its own copy of the data, but memory is cheap, and you can control
how the
In COM world it was relatively easy - you either write your COM components
in VB6 or C++ and drop the components in the COM+ explorer and off you go.
To start with, I couldn't agree with this statement less. The idea that
COM+ somehow magically enables scalability is one of the biggest loads
Secondly, what's the purpose of the DataColumn.AutoIncrement property? If
you enable this feature, and ADO.NET generates an auto-increment value on
its own while disconnected, isn't there a good chance that this value will
conflict with one generated by another disconnected client?
Keep in
Serialization has no way of inherently dealing with version issues. And
interfaces don't come in to it - serialization looks at your object's
internal state via reflection (or a similar mechanism - I don't know
that it uses reflection per se).
The best way to deal with this problem is to
Corrected code below:
void Application_OnError()
{
Exception error = Server.GetLastError();
error = error.InnerException;
string errors;
if (error is System.Web.HttpCompileException)
{
foreach (System.CodeDom.Compiler.CompilerError err in
((System.Web.HttpCompileException)
One solution is to create a class with all static const variables (is that
even allowed?).
This is pretty much exactly what const fields are for. E.g.
class Foo
{
public const int THIS_VAL = 10;
public const int MAX_THAT = 255;
static void Main()
{
Console.WriteLine(MAX_THAT
Ian said the following:
In any case that's probably more trouble than you want to go to. Presumably
you plan to ship your users a copy of the code. It's hard for you to make
it impossible for them to use without your consent simply because they can
easily run your component through
Let's generalize the problem: What kind of licensing tricks should I apply
in order to make sure that only the customer to whom I sold an app is going
to use it? (I guess making sure this won't happen is far too ambitious ---
but can we at least come up with a protection that is *difficult*
* Dynamically retrieving an assembly from a web service as an
array of bytes, then saving it to disk and running it with
Assembly.LoadFrom() and a local path.
* Downloading and running a shadow copy of an assembly using the
Assembly.LoadFrom() method with a URI to a remote server.
*
Just one note, still regarding .Net security, don't you find
unusual that relative and absolute paths for key files are
actually stored in the Assemblies Metadata (AssemblyKeyFile
attribute). I mean, you can just take VS Object browser,
check MS .Net assemblies and see that one of their keys
I don't think spanning a transaction across multiple method
calls on the business tier is a problem as long as all those
calls are wrapped in a single call to the business tier that
starts and commits the transaction.
Given that your database and your business tier machines are almost never