Secure ASP.NET
LANGUAGES: ALL
ASP.NET VERSIONS: 2.0
More New Security Tools in Visual Studio 2005
IntelliSense in Zone, My.User, and the ASP.NET Configuration Tool
By Don Kiely
Last month I celebrated the launch of Visual Studio 2005 and version 2.0 of the .NET Framework with an introduction to some of the very useful new security tools and features (see New Security Tools in Visual Studio 2005). In this column, I'll continue with a look at a few more of my favorites.
IntelliSense in Zone
To be honest, Visual Studio has grown into what is sometimes a top-heavy tool that sometimes lumbers about falling over from its own bloated mass. That's a bit cynical, I know; but nevertheless, it is a great boost to productivity and one of the major reasons is its IntelliSense. (If you've been writing code under a rock for the last millennium, IntelliSense is that list that pops up when you type a class name in the code editor and hit the period to add a property or method name.) I've discovered that I'm not the only developer who uses it as a form of mini-documentation, relying on it to find objects, properties, and methods when I can't remember or never knew the right feature to use. IntelliSense is almost always there; when it's not, it almost always means that I've misspelled something or am trying to do something that isn't possible at that location in my code.
One of the problems in earlier versions of Visual Studio is that IntelliSense was sometimes a bit misleading, particularly when it came to security issues. One of the main problems is trying to use an object or one of its properties or methods that would cause a security exception when partially trusted code is run. Classic IntelliSense will display the class and its properties and methods whether or not they would cause security problems. For example, some ASP.NET trust levels don't allow Web service calls and the CLR doesn't grant that permission to the assembly. In that case, Web service-related classes and features are grayed out so you won't be tempted to use them.
But in Visual Studio 2005, you can specify a zone in which the code will run. When you do that, IntelliSense will gray out any items that require permissions the code won't have by virtue of being run from the specified zone. This is a great help in writing secure code, since you're never tempted to use the problem features.
Alas, IntelliSense in Zone is only available in Visual Basic 2005. This is one of many examples where the VB team has worked to make both the language and development environment more productive.
A related feature, Debug in Zone, lets you run and debug the application from within Visual Studio with the permissions the code will actually have at run time as a partially trusted application, even if you are working as an administrative user. This is another way that Visual Studio helps you write code that will run in lesser privilege environments. In fact, it is now far easier to use Visual Studio as a mere user - a member of the Windows Users group rather than Administrators - to develop almost any kind of application.
My.User
Visual Basic developers have another reason to be happy with their language choice. My.User is a much ballyhooed feature that makes it far easier to use the .NET Framework and Win32 API for common tasks. For security, My.User provides hooks into the security context of the principal running the code, whether that is an individual user or the ASPNET principal. It provides properties such as IsAuthenticated, CurrentPrincipal.Identity, IsInRole, and Name. These won't save reams of code, but they make it much easier to remember how to get that information. And the easier something is, the more likely it'll be used to build more secure applications.
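As an added example (not code from the original column), here is a deny-by-default page base class built on the My.User members named above. RoleGuardedPage and RequiredRole are hypothetical names, and the sketch assumes a Web site that uses forms authentication with role management enabled.

```vb
Imports System.Web
Imports System.Web.Security

' Hypothetical base class for this example: a protected page inherits it
' and supplies the one role allowed to view that page.
Public MustInherit Class RoleGuardedPage
    Inherits System.Web.UI.Page

    ' Each derived page must name its role; there is no "allow all" default.
    Protected MustOverride ReadOnly Property RequiredRole() As String

    Protected Overrides Sub OnInit(ByVal e As EventArgs)
        ' Anonymous callers never reach the page logic.
        If Not My.User.IsAuthenticated Then
            FormsAuthentication.RedirectToLoginPage()
            Response.End() ' stop processing so no page content is rendered
        End If

        ' Fail closed: an empty role name is a configuration error, not a pass.
        If String.IsNullOrEmpty(RequiredRole) OrElse _
           Not My.User.IsInRole(RequiredRole) Then
            ' Record who was refused before rejecting the request.
            Trace.Warn("authz", "Denied " & My.User.Name & _
                       " (required role: " & RequiredRole & ")")
            Throw New HttpException(403, "Access denied.")
        End If

        MyBase.OnInit(e)
    End Sub
End Class
```

Running the check in OnInit means it executes before any control events or data binding on the derived page.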
ASP.NET Configuration Tool
I've saved the very best for last in this short overview of new security tools. The ASP.NET Configuration Tool is a GUI on top of the ASP.NET Configuration Class that manages roles, users, and access permissions. You can reach this tool from the Visual Studio Web site menu item with an ASP.NET Web site open. (By the way, the first time you create an ASP.NET 2.0 site, don't be confused by the lack of solution and project files - they're history.) This tool is a great way to set up the security settings for a new Web site or to maintain the settings. It is the foundation for many of the other security-related tools in ASP.NET 2.0, and you can access it in code to make writing secure code much easier.
For now I'll let you explore the configuration tool on your own. I'll have a lot more to say about it in future columns.
There are many more security features and tools in Visual Studio 2005, such as FxCop's static code analysis that is built right into Visual Studio, as well as a ton of tools in Visual Studio's Team System edition for code policy enforcement, code coverage analysis, load and stress testing, and security and other bug tracking. Take the time to explore these many features so that you can put them to use to build secure applications and make the world a safer place for computing!
Don Kiely, MVP, MCSD, is a senior technology consultant, building custom applications as well as providing business and technology consulting services. His development work involves tools such as SQL Server, Visual Basic, C#, ASP.NET, and Microsoft Office. He writes regularly for several trade journals, and trains developers in database and .NET technologies. You can reach Don at mailto:donkiely@computer.org and read his blog at http://www.sqljunkies.com/weblog/donkiely/.