  • ASP.NET cache object unusable in Smart Client scenario due to CAS security

    • By Marcel de Vries
    • .NET 17 years ago

    For the past months I have been working for a large international company, building a new back office solution. This solution is based on the Smart Client concept, where we use zero touch deployment from .NET 1.1. (There are some difficulties upgrading the desktops to XP SP2 and therefore we can’t use ClickOnce and .NET 2.0.)

    In a smart client application that uses multiple back office services, you need to be very careful about the number of roundtrips you make to the services. Especially because our application is used for data entry purposes, we need the application to perform really well. For that reason we need to cache data when possible, and we decided in our design that we would use the ASP.NET cache object to provide us with a good cache implementation. The ASP.NET cache already implements the concept of removing items based on least recently used, provides expiration options like sliding window, absolute, etc., and suits the needs of many .NET applications very well.

    The thing is that our client application gets deployed on a web server within the intranet. This means our application will run with the permission set of the local intranet zone!

    Now here we get to the point where out of the box “security” makes the cache object completely unusable...

    Probably during a security push for ASP.NET, they decided to request the AspNetHostingPermission when using the cache object. While this sounds good in a web scenario, it becomes a really big problem when the cache is used outside this context. It is also no problem when you use the cache object with a full trust permission set, like you get when deploying an application to the desktop, but it bites you very hard when you want to use the cache in a scenario that has any permission set below full trust.

    Now you can of course change the default permission set the application gets when downloaded from the URL, but this requires you to change the configuration of the desktop machines. The required change is placed in your machine configuration, and this is a big problem in large organizations. Updating a security policy on tens of thousands of desktops is very challenging from an organizational, procedural and policy perspective. The technical aspect is the least to worry about. So here we pay a very high price for the fact that the AspNetHostingPermission is requested.
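
    The sketch below is an added example, not code from the original post or from the project it describes: it checks at startup whether CAS policy grants the assembly AspNetHostingPermission and falls back to a plain in-process cache when it does not, so machine policy stays untouched. The `ClientCache` class and its members are hypothetical, and it assumes .NET Framework 1.1/2.0-era CAS policy with a reference to System.Web.dll.

```csharp
using System;
using System.Collections;
using System.Runtime.CompilerServices;
using System.Security;
using System.Web;
using System.Web.Caching;

// Added example (hypothetical class): picks a cache backend from the CAS grant set.
public class ClientCache
{
    private readonly bool aspNetAllowed;
    private readonly Hashtable fallback = Hashtable.Synchronized(new Hashtable());

    public ClientCache()
    {
        // Full trust includes AspNetHostingPermission; the default
        // LocalIntranet permission set does not.
        aspNetAllowed = SecurityManager.IsGranted(
            new AspNetHostingPermission(AspNetHostingPermissionLevel.Minimal));
    }

    public bool UsesAspNetCache { get { return aspNetAllowed; } }

    public void Put(string key, object value, TimeSpan lifetime)
    {
        if (aspNetAllowed) { PutAspNet(key, value, lifetime); return; }
        fallback[key] = new object[] { value, DateTime.UtcNow.Add(lifetime) };
    }

    public object Get(string key)
    {
        if (aspNetAllowed) return GetAspNet(key);
        object[] entry = (object[])fallback[key];
        if (entry == null) return null;
        if ((DateTime)entry[1] > DateTime.UtcNow) return entry[0];
        fallback.Remove(key);   // expired: absolute expiration only, no LRU
        return null;
    }

    // Assumption: the permission check on System.Web types can fire when the calling
    // method is JIT-compiled, so these calls stay in their own non-inlined methods.
    [MethodImpl(MethodImplOptions.NoInlining)]
    private void PutAspNet(string key, object value, TimeSpan lifetime)
    {
        HttpRuntime.Cache.Insert(key, value, null, DateTime.Now.Add(lifetime), Cache.NoSlidingExpiration);
    }

    [MethodImpl(MethodImplOptions.NoInlining)]
    private object GetAspNet(string key) { return HttpRuntime.Cache[key]; }
}
```

    The fallback path only implements absolute expiration; it does not reproduce the least-recently-used eviction or sliding expiration of the ASP.NET cache.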


     


    I have asked around why the permission is demanded and there seems to be no real security reason to do so. The cache object is perfectly safe to use outside the ASP.NET context, but it seems that the request was added with a security push. It looks like the fact that the cache object is part of the System.Web namespace caused this permission request. I would say that the cache is a multipurpose component and the System.Web namespace is the wrong namespace for it in the first place.

    So I have now logged this issue as a bug at the MSDN feedback center (https://connect.microsoft.com/VisualStudio/feedback/ViewFeedback.aspx?FeedbackID=176368). If you guys feel the same and would like to get this fixed in the next release of .NET, you might want to vote for this bug. Click the above link and vote at the feedback center. Perhaps this can convince the team to remove it, and then we can at least in the future use the cache outside the context of ASP.NET.

    While this is not a solution for my current project, I do hope it gets fixed. This will help a lot of developers out there to focus on stuff that brings business value instead of writing plumbing again.