Dot Net Dragon: September 2011

Wednesday, September 7, 2011

WEB SERVICES

Web services are application components
Web services communicate using open protocols
Web services are self-contained and self-describing
Web services can be discovered using UDDI
Web services can be used by other applications
XML is the basis for Web services

How Does it Work?

The basic Web services platform is XML + HTTP.
XML provides a language which can be used between different platforms and programming languages and still express complex messages and functions.
The HTTP protocol is the most used Internet protocol.
Web services platform elements:

SOAP (Simple Object Access Protocol)
UDDI (Universal Description, Discovery and Integration)
WSDL (Web Services Description Language)

Interoperability has Highest Priority

When all major platforms could access the Web using Web browsers, different platforms could interact. For these platforms to work together, Web-applications were developed.
Web-applications are simple applications that run on the web. These are built around the Web browser standards and can be used by any browser on any platform.

Web Services take Web-applications to the Next Level

By using Web services, your application can publish its function or message to the rest of the world.
Web services use XML to code and to decode data, and SOAP to transport it (using open protocols).
With Web services, your accounting department's Win 2k server's billing system can connect with your IT supplier's UNIX server.

Web Services have Two Types of Uses

Reusable application-components.
There are things applications need very often. So why make these over and over again?
Web services can offer application-components like: currency conversion, weather reports, or even language translation as services.
Connect existing software.
Web services can help to solve the interoperability problem by giving different applications a way to link their data.
With Web services you can exchange data between different applications and different platforms.

What is SOAP?

SOAP is an XML-based protocol to let applications exchange information over HTTP.
Or more simple: SOAP is a protocol for accessing a Web Service.

SOAP stands for Simple Object Access Protocol
SOAP is a communication protocol
SOAP is a format for sending messages
SOAP is designed to communicate via Internet
SOAP is platform independent
SOAP is language independent
SOAP is based on XML
SOAP is simple and extensible
SOAP allows you to get around firewalls
SOAP is a W3C standard

What is WSDL?

WSDL is an XML-based language for locating and describing Web services.

WSDL stands for Web Services Description Language
WSDL is based on XML
WSDL is used to describe Web services
WSDL is used to locate Web services
WSDL is a W3C standard

What is UDDI?

UDDI is a directory service where companies can register and search for Web services.

UDDI stands for Universal Description, Discovery and Integration
UDDI is a directory for storing information about web services
UDDI is a directory of web service interfaces described by WSDL
UDDI communicates via SOAP
UDDI is built into the Microsoft .NET platform

Difference between machine.config and Web.config

ASP.NET configuration files are XML-based text files--each named web.config--that can appear in any directory on an ASP.NET
Web application server. Each web.config file applies configuration settings to the directory it is located in and to all
virtual child directories beneath it. Settings in child directories can optionally override or modify settings specified in
parent directories. The root configuration file--WinNT\Microsoft.NET\Framework\\config\machine.config--provides
default configuration settings for the entire machine. ASP.NET configures IIS to prevent direct browser access to web.config
files to ensure that their values cannot become public (attempts to access them will cause ASP.NET to return 403: Access
Forbidden).
At run time ASP.NET uses these web.config configuration files to hierarchically compute a unique collection of settings for
each incoming URL target request (these settings are calculated only once and then cached across subsequent requests; ASP.NET
automatically watches for file changes and will invalidate the cache if any of the configuration files change).
http://samples.gotdotnet.com/quickstart/aspplus/doc/configformat.aspx

Data Caching

<%@ OutputCache Duration="60" VaryByParam="none" %>
<%@ OutputCache Duration="60" VaryByParam="*" %>
<%@ OutputCache Duration="60" VaryByParam="name;age" %>

The OutputCache directive supports several other cache varying options
VaryByHeader - maintain separate cache entry for header string changes (UserAgent, UserLanguage, etc.)
VaryByControl - for user controls, maintain separate cache entry for properties of a user control
VaryByCustom - can specify separate cache entries for browser types and version or provide a custom GetVaryByCustomString method in HttpApplicationderived class

SQL injection

An SQL injection attack "injects" or manipulates SQL code by adding unexpected SQL to a query.
Many web pages take parameters from web user, and make SQL query to the database. Take for instance when a user login, web page that user name and password and make SQL query to the database to check if a user has valid name and password.
Username: ' or 1=1 ---
Password: [Empty]
This would execute the following query against the users table:
select count(*) from users where userName='' or 1=1 --' and userPass=''

Diffrent types of Authentication modes in the .NET environment

<authentication mode="Windows|Forms|Passport|None">
       <forms name="name"
                          loginUrl="url"
                          protection="All|None|Encryption|Validation"
                          timeout="30" path="/" >
                          requireSSL="true|false"
                          slidingExpiration="true|false">
          <credentials passwordFormat="Clear|SHA1|MD5">
             <user name="username" password="password"/>
          </credentials>
                    </forms>
       <passport redirectUrl="internal"/>

</authentication>

Attribute	Option	Description
mode		Controls the default authentication mode for an application.
	Windows	Specifies Windows authentication as the default authentication mode. Use this mode when using any form of Microsoft Internet Information Services (IIS) authentication: Basic, Digest, Integrated Windows authentication (NTLM/Kerberos), or certificates.
	Forms	Specifies ASP.NET forms-based authentication as the default authentication mode.
	Passport	Specifies Microsoft Passport authentication as the default authentication mode.
	None	Specifies no authentication. Only anonymous users are expected or applications can handle events to provide their own authentication.

Application and Session Events

The ASP.NET page framework provides ways for you to work with events that can be raised when your application starts or stops or when an individual user's session starts or stops:

Application events are raised for all requests to an application.
For example, Application_BeginRequest is raised when any Web Forms page or XML Web service in your application is requested. This event allows you to initialize resources that will be used for each request to the application. A corresponding event, Application_EndRequest, provides you with an opportunity to close or otherwise dispose of resources used for the request.
Session events are similar to application events (there is a Session_OnStart and a Session_OnEnd event), but are raised with each unique session within the application. A session begins when a user requests a page for the first time from your application and ends either when your application explicitly closes the session or when the session times out.

You can create handlers for these types of events in the Global.asax file.

What is cookie less session? How it works?
By default, ASP.NET will store the session state in the same process that processes the request, just as ASP does. If cookies are not available, a session can be tracked by adding a session identifier to the URL. This can be enabled by setting the following:
http://samples.gotdotnet.com/quickstart/aspplus/doc/stateoverview.aspx

Diffrence between Web User Control and Web Custom Control

Web custom controls are compiled components that run on the server and that encapsulate user-interface and other related functionality into reusable packages. They can include all the design-time features of standard ASP.NET server controls, including full support for Visual Studio design features such as the Properties window, the visual designer, and the Toolbox.
There are several ways that you can create Web custom controls:

You can compile a control that combines the functionality of two or more existing controls. For example, if you need a control that encapsulates a button and a text box, you can create it by compiling the existing controls together.
If an existing server control almost meets your requirements but lacks some required features, you can customize the control by deriving from it and overriding its properties, methods, and events.
If none of the existing Web server controls (or their combinations) meet your requirements, you can create a custom control by deriving from one of the base control classes. These classes provide all the basic functionality of Web server controls, so you can focus on programming the features you need.

If none of the existing ASP.NET server controls meet the specific requirements of your applications, you can create either a Web user control or a Web custom control that encapsulates the functionality you need. The main difference between the two controls lies in ease of creation vs. ease of use at design time.

Web user controls are easy to make, but they can be less convenient to use in advanced scenarios. You develop Web user controls almost exactly the same way that you develop Web Forms pages. Like Web Forms, user controls can be created in the visual designer, they can be written with code separated from the HTML, and they can handle execution events. However, because Web user controls are compiled dynamically at run time they cannot be added to the Toolbox, and they are represented by a simple placeholder glyph when added to a page. This makes Web user controls harder to use if you are accustomed to full Visual Studio .NET design-time support, including the Properties window and Design view previews. Also, the only way to share the user control between applications is to put a separate copy in each application, which takes more maintenance if you make changes to the control.

Web custom controls are compiled code, which makes them easier to use but more difficult to create; Web custom controls must be authored in code. Once you have created the control, however, you can add it to the Toolbox and display it in a visual designer with full Properties window support and all the other design-time features of ASP.NET server controls. In addition, you can install a single copy of the Web custom control in the global assembly cache and share it between applications, which makes maintenance easier.

Web user controls	Web custom controls
Easier to create	Harder to create
Limited support for consumers who use a visual design tool	Full visual design tool support for consumers
A separate copy of the control is required in each application	Only a single copy of the control is required, in the global assembly cache
Cannot be added to the Toolbox in Visual Studio	Can be added to the Toolbox in Visual Studio
Good for static layout	Good for dynamic layout

Constructors and Destructor in Dot Net

Constructor:

1. The Constructor is the first method that is run when an instance of a type is created. In visual basic a constructor is always Sub new ().

2. Constructor are use to initialize class and structure data before use. Constructor never returns a value and can be overridden to provide custom initialization functionality.

3. The constructor provides a way to set default values for data or perform other necessary functions before the object available for use.

Destructor:

Destructors are called just before an object is destroyed and can be used to run clean-up code. You can’t control when a destructor is called.
Points to remember:
1. Destructors are invoked automatically, and cannot be invoked explicitly.
2. Destructors cannot be overloaded. Thus, a class can have, at most, one destructor.
3. Destructors are not inherited. Thus, a class has no destructors other than the one, which may
be declared in it.
4. Destructors cannot be used with structs. They are only used with classes.

Destructor and finalize
Generally in C++ the destructor is called when objects gets destroyed. And one can explicitly call the destructors in C++. And also the objects are destroyed in reverse order that they are created in. So in C++ you have control over the destructors.
In C# you can never call them, the reason is one cannot destroy an object. So who has the control over the destructor (in C#)? it's the .Net frameworks Garbage Collector (GC). GC destroys the objects only when necessary. Some situations of necessity are memory is exhausted or user explicitly calls System.GC.Collect() method.
Points to remember:
1. Destructors are invoked automatically, and cannot be invoked explicitly.
2. Destructors cannot be overloaded. Thus, a class can have, at most, one destructor.
3. Destructors are not inherited. Thus, a class has no destructors other than the one, which may be declared in it.
4. Destructors cannot be used with structs. They are only used with classes.
5. An instance becomes eligible for destruction when it is no longer possible for any code to use the instance.
6. Execution of the destructor for the instance may occur at any time after the instance becomes eligible for destruction.
7. When an instance is destructed, the destructors in its inheritance chain are called, in order, from most derived to least derived.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpguide/html/cpconfinalizemethodscdestructors.asp

What is the difference between Finalize and Dispose (Garbage collection)
Class instances often encapsulate control over resources that are not managed by the runtime, such as window handles (HWND), database connections, and so on. Therefore, you should provide both an explicit and an implicit way to free those resources. Provide implicit control by implementing the protected Finalize Method on an object (destructor syntax in C# and the Managed Extensions for C++). The garbage collector calls this method at some point after there are no longer any valid references to the object.
In some cases, you might want to provide programmers using an object with the ability to explicitly release these external resources before the garbage collector frees the object. If an external resource is scarce or expensive, better performance can be achieved if the programmer explicitly releases resources when they are no longer being used. To provide explicit control, implement the Dispose method provided by the IDisposable Interface. The consumer of the object should call this method when it is done using the object. Dispose can be called even if other references to the object are alive.
Note that even when you provide explicit control by way of Dispose, you should provide implicit cleanup using the Finalize method. Finalize provides a backup to prevent resources from permanently leaking if the programmer fails to call Dispose.

Difference between type constructor and instance constructor? What is static constructor, when it will be fired? And what is its use?
(Class constructor method is also known as type constructor or type initializer)
Instance constructor is executed when a new instance of type is created and the class constructor is executed after the type is loaded and before any one of the type members is accessed. (It will get executed only 1st time, when we call any static methods/fields in the same class.) Class constructors are used for static field initialization. Only one class constructor per type is permitted, and it cannot use the vararg (variable argument) calling convention.
A static constructor is used to initialize a class. It is called automatically to initialize the class before the first instance is created or any static members are referenced.

What is Abstract Class, Interfaces and Multiple inheritence in Dot Net

Static Class:

A Class which cannot be instantiated is called static class.
You can use the class but cannot create object of it
like: You can use inbuilt classes System.Math , System.IO etc.

Abstract Class:

Abstract classes are classes which cannot be instantiated
Abstract classes are classes which can contain both Signature as well as the implementation.
When You derive the abstract class you may or may not write the implementation depending upon the base class.

Interfaces:
Interfaces are used for Multiple inheritance
Interface contains only the Signatures.
The derived class has to write the implementation if using the interface.

Multiple Inheritance :

In .Net practically Multiple inheritance is not possible .
But we need to Find out some way by which we can use multiple inheritance as its a very crucial function of OOPS.
So we created Interfaces for that.
We cannot inherit multiple classes but we can do multiple inheritance by using Interfaces or by inheriting multiple interfaces.
In Interfaces we have to define only the signatures .

Can we call a base class method without creating instance?

Its possible If its a static method.
Its possible by inheriting from that class also.
Its possible from derived classes using base keyword

Feature	Interface	Abstract class
Multiple inheritance	A class may implement several interfaces.	A class may extend only one abstract class.
Default implementation	An interface cannot provide any code at all, much less default code.	An abstract class can provide complete code, default code, and/or just stubs that have to be overridden.
Constants	Static final constants only, can use them without qualification in classes that implement the interface. On the other paw, these unqualified names pollute the namespace. You can use them and it is not obvious where they are coming from since the qualification is optional.	Both instance and static constants are possible. Both static and instance intialiser code are also possible to compute the constants.
Third party convenience	An interface implementation may be added to any existing third party class.	A third party class must be rewritten to extend only from the abstract class.
is-a vs -able or can-do	Interfaces are often used to describe the peripheral abilities of a class, not its central identity, e.g. an Automobile class might implement the Recyclable interface, which could apply to many otherwise totally unrelated objects.	An abstract class defines the core identity of its descendants. If you defined a Dog abstract class then Damamation descendants are Dogs, they are not merely dogable. Implemented interfaces enumerate the general things a class can do, not the things a class is.
Plug-in	You can write a new replacement module for an interface that contains not one stick of code in common with the existing implementations. When you implement the interface, you start from scratch without any default implementation. You have to obtain your tools from other classes; nothing comes with the interface other than a few constants. This gives you freedom to implement a radically different internal design.	You must use the abstract class as-is for the code base, with all its attendant baggage, good or bad. The abstract class author has imposed structure on you. Depending on the cleverness of the author of the abstract class, this may be good or bad. Another issue that's important is what I call "heterogeneous vs. homogeneous." If implementors/subclasses are homogeneous, tend towards an abstract base class. If they are heterogeneous, use an interface. (Now all I have to do is come up with a good definition of hetero/homogeneous in this context.) If the various objects are all of-a-kind, and share a common state and behavior, then tend towards a common base class. If all they share is a set of method signatures, then tend towards an interface.
Homogeneity	If all the various implementations share is the method signatures, then an interface works best.	If the various implementations are all of a kind and share a common status and behavior, usually an abstract class works best.
Maintenance	If your client code talks only in terms of an interface, you can easily change the concrete implementation behind it, using a factory method.	Just like an interface, if your client code talks only in terms of an abstract class, you can easily change the concrete implementation behind it, using a factory method.
Speed	Slow, requires extra indirection to find the corresponding method in the actual class. Modern JVMs are discovering ways to reduce this speed penalty.	Fast
Terseness	The constant declarations in an interface are all presumed public static final, so you may leave that part out. You can't call any methods to compute the initial values of your constants. You need not declare individual methods of an interface abstract. They are all presumed so.	You can put shared code into an abstract class, where you cannot into an interface. If interfaces want to share code, you will have to write other bubblegum to arrange that. You may use methods to compute the initial values of your constants and variables, both instance and static. You must declare all the individual methods of an abstract class abstract.
Adding functionality	If you add a new method to an interface, you must track down all implementations of that interface in the universe and provide them with a concrete implementation of that method.	If you add a new method to an abstract class, you have the option of providing a default implementation of it. Then all existing code will continue to work without change.

Different Types if access-specifiers available in c#

Private
Protected
Public
Internal
Protected Internal

Explain about Protected and protected internal, “internal” access-specifier?
protected - Access is limited to the containing class or types derived from the containing class.
internal - Access is limited to the current assembly.
protected internal - Access is limited to the current assembly or types derived from the containing class.

Diffrence Between Value Type and Refrence type

Most programming languages provide built-in data types, such as integers and floating-point numbers, that are copied when they are passed as arguments (that is, they are passed by value).
In the .NET Framework, these are called value types. The runtime supports two kinds of value types:

Built-in value types
The .NET Framework defines built-in value types, such as System.Int32 and System.Boolean, which correspond and are identical to primitive data types used by programming languages.
User-defined value types
Your language will provide ways to define your own value types, which derive from System.ValueType. If you want to define a type representing a value that is small, such as a complex number (using two floating-point numbers), you might choose to define it as a value type because you can pass the value type efficiently by value. If the type you are defining would be more efficiently passed by reference, you should define it as a class instead.

Variables of reference types, referred to as objects, store references to the actual data.
Following are the Reference types:

class
interface
delegate

Following are the built-in reference types:

object
string

Managed and Unmanaged code in Dot Net

Managed Code:
The .NET Framework provides a run-time environment called the Common Language Runtime, which manages the execution of code and provides services that make the development process easier. Compilers and tools expose the runtime's functionality and enable you to write code that benefits from this managed execution environment. Code that you develop with a language compiler that targets the runtime is called managed code; it benefits from features such as cross-language integration, cross-language exception handling, enhanced security, versioning and deployment support, a simplified model for component interaction, and debugging and profiling services.

The managed execution process includes the following steps:

Choosing a compiler.
To obtain the benefits provided by the common language runtime, you must use one or more language compilers that target the runtime.
Compiling your code to Microsoft intermediate language (MSIL).
Compiling translates your source code into MSIL and generates the required metadata.
Compiling MSIL to native code.
At execution time, a just-in-time (JIT) compiler translates the MSIL into native code. During this compilation, code must pass a verification process that examines the MSIL and metadata to find out whether the code can be determined to be type safe.
Executing your code.

The common language runtime provides the infrastructure that enables execution to take place as well as a variety of services that can be used during execution.

Unmanaged Code:
The code, which is developed outside .NET, Framework is known as unmanaged code.
Applications that do not run under the control of the CLR are said to be unmanaged, and certain languages such as C++ can be used to write such applications, which, for example, access low - level functions of the operating system. Background compatibility with code of VB, ASP and COM are examples of unmanaged code.
Unmanaged code can be unmanaged source code and unmanaged compile code.
Unmanaged code is executed with help of wrapper classes.

Wrapper classes are of two types:

CCW (COM Callable Wrapper)
RCW (Runtime Callable Wrapper)

Wrapper is used to cover difference with the help of CCW and RCW.
COM callable wrapper unmanaged code execution

(COM)

What is Interop Services?
The common language runtime provides two mechanisms for interoperating with unmanaged code:

Platform invoke, which enables managed code to call functions exported from an unmanaged library.
COM interop, which enables managed code to interact with COM objects through interfaces.

Both platform invoke and COM interop use interop marshaling to accurately move method arguments between caller and callee and back, if required.

RCW (Runtime Callable Wrappers)
The common language runtime exposes COM objects through a proxy called the runtime callable wrapper (RCW). Although the RCW appears to be an ordinary object to .NET clients, its primary function is to marshal calls between a .NET client and a COM object.

CCW (COM Callable Wrapper)

A proxy object generated by the common language runtime so that existing COM applications can use managed classes, including .NET Framework classes, transparently.

Pinvoke:
Platform invoke is a service that enables managed code to call unmanaged functions implemented in dynamic-link libraries (DLLs), such as those in the Win32 API. It locates and invokes an exported function and marshals its arguments (integers, strings, arrays, structures, and so on) across the interoperation boundary as needed.
Is it true that COM objects no longer need to be registered on the server?
Answer: Yes and No. Legacy COM objects still need to be registered on the server before they can be used. COM developed using the new .NET Framework will not need to be registered. Developers will be able to auto-register these objects just by placing them in the 'bin' folder of the application.

Can .NET Framework components use the features of Component Services?
Answer: Yes, you can use the features and functions of Component Services from a .NET Framework component.
http://msdn.microsoft.com/library/techart/Pahlcompserv.htm

Reflection in .Net

All .NET compilers produce metadata about the types defined in the modules they produce. This metadata is packaged along with the module (modules in turn are packaged together in assemblies), and can be accessed by a mechanism called reflection.
The System.Reflection namespace contains classes that can be used to interrogate the types for a module/assembly.
Using reflection to access .NET metadata is very similar to using ITypeLib/ITypeInfo to access type library data in COM, and it is used for similar purposes - e.g. determining data type sizes for marshaling data across context/process/machine boundaries.
Reflection can also be used to dynamically invoke methods (see System.Type.InvokeMember), or even create types dynamically at run-time (see System.Reflection.Emit.TypeBuilder).

Serialization in .NET

Serialization is the process of converting an object into a stream of bytes.
Deserialization is the opposite process of creating an object from a stream of bytes. Serialization/Deserialization is mostly used to transport objects (e.g. during remoting), or to persist objects (e.g. to a file or database).
Serialization can be defined as the process of storing the state of an object to a storage medium. During this process, the public and private fields of the object and the name of the class, including the assembly containing the class, are converted to a stream of bytes, which is then written to a data stream. When the object is subsequently deserialized, an exact clone of the original object is created.

Binary serialization preserves type fidelity, which is useful for preserving the state of an object between different invocations of an application. For example, you can share an object between different applications by serializing it to the clipboard. You can serialize an object to a stream, disk, memory, over the network, and so forth. Remoting uses serialization to pass objects "by value" from one computer or application domain to another.
XML serialization serializes only public properties and fields and does not preserve type fidelity. This is useful when you want to provide or consume data without restricting the application that uses the data. Because XML is an open standard, it is an attractive choice for sharing data across the Web.
SOAP is an open standard, which makes it an attractive choice.

There are two separate mechanisms provided by the .NET class library -
XmlSerializer and SoapFormatter/BinaryFormatter.
Microsoft uses XmlSerializer for Web Services,
Soap Formatter/Binary Formatter for remoting. Both are available for use in your own code.

Why do I get errors when I try to serialize a Hashtable?
XmlSerializer will refuse to serialize instances of any class that implements IDictionary, e.g. Hashtable. SoapFormatter and BinaryFormatter do not have this restriction.

Application Domain in .Net

Application Domain in .Net
The primary purpose of the AppDomain is to isolate an application from other applications.
Win32 processes provide isolation by having distinct memory address spaces. This is effective, but it is expensive and doesn't scale well. The .NET runtime enforces AppDomain isolation by keeping control over the use of memory - all memory in the AppDomain is managed by the .NET runtime,
so the runtime can ensure that AppDomains do not access each other's memory.
Objects in different application domains communicate either by transporting copies of objects across application domain boundaries, or by using a proxy to exchange messages.
MarshalByRefObject is the base class for objects that communicate across application domain boundaries by exchanging messages using a proxy. Objects that do not inherit from MarshalByRefObject are implicitly marshal by value. When a remote application references a marshal by value object, a copy of the object is passed across application domain boundaries.

How does an AppDomain get created?
AppDomains are usually created by hosts.
Examples of hosts are the Windows Shell, ASP.NET and IE. When you run a .NET application from the command-line, the host is the Shell.
The Shell creates a new AppDomain for every application.
AppDomains can also be explicitly created by .NET applications. Here is a C# sample which creates an AppDomain, creates an instance of an object inside it, and then executes one of the object's methods. Note that you must name the executable 'appdomaintest.exe' for this code to work as-is.

Diffrence between Object pooling and Connection pooling

Object pooling is a COM+ service that enables you to reduce the overhead of creating each object from scratch. When an object is activated, it is pulled from the pool. When the object is deactivated, it is placed back into the pool to await the next request.
You can configure object pooling by applying the ObjectPoolingAttribute attribute to a class that derives from the System.EnterpriseServices.ServicedComponent class.
Object pooling lets you control the number of connections you use, as opposed to connection pooling, where you control the maximum number reached.

Following are important differences between object pooling and connection pooling:

Creation. When using connection pooling, creation is on the same thread, so if there is nothing in the pool, a connection is created on your behalf. With object pooling, the pool might decide to create a new object. However, if you have already reached your maximum, it instead gives you the next available object. This is crucial behavior when it takes a long time to create an object, but you do not use it for very long.
Enforcement of minimums and maximums. This is not done in connection pooling.
The maximum value in object pooling is very important when trying to scale your application. You might need to multiplex thousands of requests to just a few objects. (TPC/C benchmarks rely on this.)

COM+ object pooling is identical to what is used in .NET Framework managed SQL Client connection pooling. For example, creation is on a different thread and minimums and maximums are enforced.

Code Access Security CAS in .Net

Code Access Security (CAS)?
CAS is the part of the .NET security model that determines whether or not a piece of code is allowed to run, and what resources it can use when it is running. For example, it is CAS that will prevent a .NET web applet from formatting your hard disk.
How does CAS work?
The CAS security policy revolves around two key concepts - code groups and permissions.
Each .NET assembly is a member of a particular code group, and each code group is granted the permissions specified in a named permission set.
For example, using the default security policy, a control downloaded from a web site belongs to the 'Zone - Internet' code group, which adheres to the permissions defined by the 'Internet' named permission set. (Naturally the 'Internet' named permission set represents a very restrictive range of permissions.)
Who defines the CAS code groups?
Microsoft defines some default ones, but you can modify these and even create your own. To see the code groups defined on your system, run 'caspol -lg'

How do I define my own code group?
Use caspol. For example, suppose you trust code from www.mydomain.com and you want it have full access to your system, but you want to keep the default restrictions for all other internet sites. To achieve this, you would add a new code group as a sub-group of the 'Zone - Internet' group, like this:
caspol -ag 1.3 -site www.mydomain.com FullTrust
Now if you run caspol -lg you will see that the new group has been added as group 1.3.1:

1.3. Zone - Internet: Internet
1.3.1. Site - www.mydomain.com: FullTrust

Note that the numeric label (1.3.1) is just a caspol invention to make the code groups easy to manipulate from the command-line. The underlying runtime never sees it.
How do I change the permission set for a code group?
Use caspol. If you are the machine administrator, you can operate at the 'machine' level - which means not only that the changes you make become the default for the machine, but Can I create my own permission set?
Yes. Use caspol -ap, specifying an XML file containing the permissions in the permission set. To save you some time, here is a sample file corresponding to the 'Everything' permission set - just edit to suit your needs. When you have edited the sample, add it to the range of available permission sets like this:
caspol -ap samplepermset.xml
Then, to apply the permission set to a code group, do something like this:
caspol -cg 1.3 SamplePermSet (By default, 1.3 is the 'Internet' code group)
I'm having some trouble with CAS. How can I diagnose my problem?
Caspol has a couple of options that might help. First, you can ask caspol to tell you what code group an assembly belongs to, using caspol -rsg. Similarly, you can ask what permissions are being applied to a particular assembly using caspol -rsp.

I can't be bothered with all this CAS stuff. Can I turn it off?
Yes, as long as you are an administrator. Just run:
caspol -s off

Different Types of TRUST LEVELS

http://msdn.microsoft.com/en-us/library/tkscy493.aspx

Required String attribute.

Specifies the trust level under which the application will run. Each trust level is mapped to an individual XML policy file that uses a trustLevel element in the configuration file. The policy file lists the set of permissions that are granted by each trust level. For information about ASP.NET and policy files, see ASP.NET Trust Levels and Policy Files.

This attribute can be a user-defined value, if there is a matching security policy mapping defined in a trustLevel element in the securityPolicy Element (ASP.NET Settings Schema) element or one of the following possible values, in increasing order of restrictiveness.

ValueDescription
FULL:
Full Specifies unrestricted permissions. Grants the ASP.NET application permissions to access any resource that is subject to operating system security. All privileged operations are supported. This setting is named Unrestricted in the AspNetHostingPermissionLevel enumeration.

High:
High Specifies a high level of code access security, which means that the application cannot do any one of the following things by default:

Call unmanaged code.
Call serviced components.
Write to the event log.
Access Microsoft Message Queuing queues.
Access ODBC, OleDb, or Oracle data sources.

Medium:
Medium Specifies a medium level of code access security, which means that, in addition to the restrictions for High, the ASP.NET application cannot do any of the following things by default:

Access files outside the application directory.
Access the registry.
Make network or Web service calls (using the System.Net.HttpWebRequest class, for example).
Low:
Low Specifies a low level of code access security, which means that, in addition to the restrictions for Medium, the application cannot do any of the following things by default:

Write to the file system.
Call the Assert method.

Minimal:Minimal Specifies a minimal level of code access security, which means that the application has only execute permissions.

The default is Full (no restrictions).

You can read more on :

http://www.codeproject.com/dotnet/UB_CAS_NET.asp

http://www.codeproject.com/KB/security/UB_CAS_NET.aspx

Tuesday, September 6, 2011

.Net FrameWork

*What is .NET Framework?
The .NET Framework has two main components:
The common language runtime CLR and the .NET Framework class library.
You can think of the runtime as an agent that manages code at execution time, providing core services such as memory management, thread management, and remoting, while also enforcing strict type safety and other forms of code accuracy that ensure security and robustness.

*What is CLR, CTS, CLS?
The .NET Framework provides a runtime environment called the Common Language Runtime or CLR (similar to the Java Virtual Machine or JVM in Java), which handles the execution of code and provides useful services for the implementation of the program. CLR takes care of code management at program execution and provides various beneficial services such as memory management, thread management, security management, code verification, compilation, and other system services. The managed code that targets CLR benefits from useful features such as cross-language integration, cross-language exception handling, versioning, enhanced security, deployment support, and debugging.

*Common Type System (CTS) describes how types are declared, used and managed in the runtime and facilitates cross-language integration, type safety, and high performance code execution.
*Common Type System (CTS):
.NET also defines a Common Type System (CTS). Like CLS, CTS is also a set of standards. CTS defines the basic data types that IL understands. Each .NET compliant language should map its data types to these standard data types. This makes it possible for the 2 languages to communicate with each other by passing/receiving parameters to/from each other. For example, CTS defines a type Int32, an integral data type of 32 bits (4 bytes) which is mapped by C# through int and VB.Net through its Integer data type.

*The CLS is simply a specification that defines the rules to support language integration in such a way that programs written in any language, yet can interoperate with one another, taking full advantage of inheritance, polymorphism, exceptions, and other features. These rules and the specification are documented in the ECMA proposed standard document, "Partition I Architecture"

Earlier we used the term '.NET Compliant Language' and stated that all the .NET compliant languages can make use of CLR and FCL. But what makes a language '.NET compliant language'? The answer is Common Language Specification (CLS). Microsoft has released a small set of specification that each language should meet to qualify as a .NET Compliant Language. As IL is a very rich language, it is not necessary for a language to implement all the IL functionality, rather it meets the small subset of it, CLS, to qualify as a .NET compliant language, which is the reason why so many languages (procedural and OO) are now running under .Net umbrella. CLS basically addresses to language design issues and lays certain standards like there should be no global function declaration, no pointers, no multiple inheritance and things like that. The important point to note here is that if you keep your code within CLS boundary, your code is guaranteed to be usable in any other .Net language.

*Framework Class Library (FCL):

.NET Framework provides huge set of Framework (or Base) Class Library (FCL) for common, usual tasks. FCL contains thousands of classes to provide the access to Windows API and common functions like String Manipulation, Common Data Structures, IO, Streams, Threads, Security, Network Programming, Windows Programming, Web Programming, Data Access, etc. It is simply the largest standard library ever shipped with any development environment or programming language. The best part of this library is they follow extremely efficient OO design (design patterns) making their access and use very simple and predictable. You can use the classes in FCL in your program just as you use any other class and can even apply inheritance and polymorphism on these.

*What is MSIL, IL?
When compiling to managed code, the compiler translates your source code into Microsoft intermediate language (MSIL), which is a CPU-independent set of instructions that can be efficiently converted to native code. MSIL includes instructions for loading, storing, initializing, and calling methods on objects, as well as instructions for arithmetic and logical operations, control flow, direct memory access, exception handling, and other operations. Microsoft intermediate language (MSIL) is a language used as the output of a number of compilers and as the input to a just-in-time (JIT) compiler. The common language runtime includes a JIT compiler for converting MSIL to native code.

*What is JIT (just in time)
Before Microsoft intermediate language (MSIL) can be executed, it must be converted by a .NET Framework just-in-time (JIT) compiler to native code, which is CPU-specific code that runs on the same computer architecture as the JIT compiler.
Rather than using time and memory to convert all the MSIL in a portable executable (PE) file to native code, it converts the MSIL as it is needed during execution and stores the resulting native code so that it is accessible for subsequent calls.

*Just In Time Compilers (JITers):
When our IL compiled code needs to be executed,
CLR invokes JIT compilers which compile the IL code to native executable code (.exe or .dll) for the specific machine and OS.
JITers in many ways are different from traditional compilers as they, as their name suggests, compile the IL to native code only when desired e.g.,
when a function is called, IL of function's body is converted to native code; just in time of need.

So, the part of code that is not used by particular run is not converted to native code. If some IL code is converted to native code then the next time when its needed to be used, the CLR uses the same copy without re-compiling. So, if a program runs for sometime, then it won't have any just in time performance penalty. As JITers are aware of processor and OS exactly at runtime, they can optimize the code extremely efficiently resulting in very robust applications. Also, since JITer knows the exact current state of executable code, they can also optimize the code by in-lining small function calls (like replacing body of small function when its called in a loop, saving the function call time). Although, Microsoft stated that C# and .Net are not competing with languages like C++ in efficiency, speed of execution, JITers can make your code even faster than C++ code in some cases when program is run over extended period of time (like web-servers).

When the program is executed the CLR activates JIT compiler ,inturn this JIT converts the MSIL Code (Non Executable) to Native Code(Executable) on demand basis as each part of Program is needed

Types Of JIT Compilers are as stated below :
(1) PRE JIT
(2) ECONO JIT
(3) NORMALE JIT

(1) PRE JIT : It Compiles complete source code to native code In a single Compilation.
(2) ECONO JIT : It compiles only those methods that are called at Runtime.
(3) NORMALE JIT : It compiles only those methods that are called at Runtime and are stored in cache.When these methods called again they retrieve from cache.

I think default JIT is PRE Jit .

*Garbage Collector (GC):
CLR also contains Garbage Collector (GC) which runs in a low-priority thread and checks for un-referenced dynamically allocated memory space. If it finds some data that is no more referenced by any variable/reference, it re-claims it and returns the occupied memory back to the Operating System; so that it can be used by other programs as necessary. The presence of standard Garbage Collector frees the programmer from keeping track of dangling data.