Why Azure Web Role by default runs in the Full Trust? - azure

When I create an Azure ASP.NET application, by default .NET trust level is Full trust. I always change it to Windows Azure partial trust which is similar to ASP.NET's medium trust level.
You can do it either by using GUI when you select Properties on the Role or by setting enableNativeCodeExecution to false in the definition file (.csdef) just like below:
<WebRole name="ServiceRuntimeWebsite" enableNativeCodeExecution="false">
As a security conscious developer I want by default to run my application in partial trust mode that provides a higher level of security. If I need to use something like Reflection or P/Invoke, as a developer I want to make the decision to lower that trust level by myself.
I'm sure there's a reason why Microsoft decided to use Full trust as a default .NET trust level, I just fail to see it. If you know the reason, or you think you know it, please let me know.

Full trust is not only required for P/Invoke for .NET reflection as well. As a bottom line result, nearly all moderately sized apps need full trust because nearly all widespread libraries need it too (NHibernate for example). Actually, I have been asking from the exact opposite question on the Azure forums too.

The issue of full or partial trust pertains to the environment in which your application runs. The more control and/or "ownership" of the environment and assemblies you have, the more acceptable it is to have full-trust settings.
For example, if you create an Azure web site (July 2012 capability) and, mimicking wordpress or Umbraco, your web site allows arbitrary assembly plugins to be downloaded and installed, then it is important to have a partially-trusted environment. It is possible that one of the plugins downloaded and executed, which you don't control or own, contains malware. Not only does this impact the security and stability of your web site, but some may argue it impacts other (multi-tenant) hosted web-sites which have no relation to yours.
Certainly your web site will rely on 3rd party libraries, such as Log4Net or StructureMap, but those are extremely well-known and vetted libraries that are not in question regarding their security impact. Ergo, if you are running an Azure web-role (a much less "multi-tenant" type affair) and you are merely running such "trusted" 3rd party apps, then there really is not an issue with running as full-trust.

Yes, unfortunately it is still very hard (if not impossible) to write large .NET apps that run in partial trust.
We need much better technology and tools (like CAS.NET)

Because Medium Trust is now officially obsolete. If you start a new web project in Visual Studio, it already requires Full Trust (and doesn't work partial trust). Microsoft says: Do not depend on Medium Trust, instead, use Full Trust, and isolate untrusted applications in separate application pools.
Sources:
Stackoverflow answer: Quoted response ASP.NET team
Microsoft: ASP.NET Partial Trust does not guarantee application isolation
Microsoft: ASP.NET web development best practices

Related

Using a custom culture in Azure web sites

I have an app we've developed that will be translated to tagalog. No big deal, I thought. We've done translation dozens of times. However, apparently this culture is not supported by default. So I looked and found CultureAndRegionInfoBuilder, but that requires admin privileges, something my azure web site most definitely will not have.
Is there a way to use a custom culture without registering it, or alternatively, register a custom culture on a reserved Azure web site instance?
I find it absolutely mind boggling that I might have to use something other than Azure Websites simply because of the lack of forethought and design surrounding globalization.
I know this question is old but I did end up finding an alternative.
https://github.com/turquoiseowl/i18n
It sits outside your app as an IHttpModule that intercepts responses and does localization by replacing screens with a specific delimiter ([[[ and ]]] respectively, by default). It uses gettext/po standards and IMHO, is everything ASP.NET localization should have been from the beginning.

Are there any embeddable browsers available for WinRT?

The html + css standards difficulties of supporting IE as a browser translate into using it as part of the WebView control where there are further limitations on functionality.
Other difficulties include:
It renders on top of the XAML
- Using the recommended approach of WebViewBrush isn't a valid scenario if your pages have dynamic content on them.
It doesn't support HTML5
You can't access the content
You can't access the content
- Trying to debug issues with it is nigh on impossible.
Are there any alternative embeddable browsers available or in the works?
To answer your question, I think Jim is correct that there are no other embeddable browsers available, and it's not something I'd expect to see.
I would also recommend that you review the Windows Store Certification requirements, as many may be applicable in this case, including:
2.4 "The primary experiences your app provides must take place within the app" (as opposed to coming from the web)
3.6 "Your app must fully support touch input, and fully support keyboard and mouse input" which covers requirements for touch, including the need for your app's touch support to be consistent with the Windows 8 touch language.
While it's obviously appealing to re-use content across platforms, it's also important to keep in mind that this may lead to degraded experiences for end-users. If those experiences are too far afield of the established behaviors for Windows Store apps, they could also result in your app failing store certification.
For more info on Windows Store app development, register for Generation App.

Is it possible to develop a Web Part without .NET

Is it possible to develop a Web Part without usage of .NET technologies? I'm looking for possibilities of integration of legacy (for example java) applications into SharePoint.
Any valid way for .Net CLR to call your code will do what you want. However with that said, it is likely to be very low level, very obscure and very difficult to do.
A more straightforward approach to reusing your Java or whatever code was if there was some sort of public cross language interface for you to exploit in your .Net skeleton. The obvious answer is a REST or SOAP wrapper around the Java code but it doesn't have to be that. It could be CORBA or JMS or all sorts of things.
Even if you want to integrate Java apps, the web Part will be coded in .NET.
There are a few ways to accomplish this, all of which involve a .NET web part exposing external data. All of your common integration methods apply including exposing the legacy application through web services or even directly accessing the database - you could use whatever your organization is accustomed to with other integrations.
Another possible option, depending on your SharePoint version is the Business Data Catalog (2007) or Business Connectivity Services (2010). These options, while can be a little bit of a pain to set up (though third party tools are available) do allow for some automatic integration of other applications into SharePoint.

Can existing .net application be converted to MonoDroid?

Can existing .net application(in C#) be converted to MonoDroid? or
Can we port an existing .NET web app to Android using MonoDroid?
MonoDroid is intended to allow you to develop applications in C# as opposed to Java; not as a means to drop an existing application into place.
You asked about a web app, but I'm assuming you mean an ASP.NET web app, which wouldn't map to the Android API, and couldn't simply be copied over. Even taking your HTML and dropping it into something like Titanium would still require a lot of JS tweaking to make it work.
I have a feeling you're looking at a re-write. Maybe if you can provide more details (is this an ASP.NET app, etc.), I could give a better answer.
Yes no problem. But it wouldn't be an automatic process, nor a particularly simple one. All the UI elements, persistence stuff and so on (the platform specific parts of your application) will need to be redone. Depending on your app, and how it is written, this may be a major part, or a relatively small one. The more corners that were cut originally, the more it will cost to port over.
In addition to Tom's answer, I would say it has some limitations(link 1 and link 2) . I blogged some other interesting moments here.
Here is a good example of cross-platform mobile application (monoDroid, monoTouch, WP7).

Fighting with Protected Mode in Vista

Our application commonly used an ActiveX control to download and install our client on IE (XP and prior), however as our user base has drifted towards more Vista boxes with "Protected Mode" on, we are required to investigate.
So going forward, is it worth the headache of trying to use the protected mode API? Is this going to result in a deluge of dialog boxes and admin rights to do the things our app needs to do (write to some local file places, access some other applications, etc)?
I'm half bent on just adding a non-browser based installer app that will do the dirty work of downloading and installing the client, if need be... this would only need to be installed once and in large corporate structures it could be pushed out by IT.
Are there some other ideas I'm missing?
This client, is it a desktop application and not some software that runs inside the browser? In that case, please just supply a regular download installer application. My personal experience with browser-hosted installers is that they are just confusing and the few I have seen seemed to be poorly coded in some way.
If you use an MSI based installer I'm sure lots of Windows domain administrators will love you too, as Microsoft has tools to deploy MSI based installations onto large sets of machines remotely.
Its far better to do this right than put it off any longer. Vista is Microsoft's way of saying they aren't letting people get away with ignoring security issues any more and encouraging people to update their code.
I'm sure other users here will be able to point you are some MSDN best practices about writing ActiveX controls.
Have you checked out Microsoft's ClickOnce Deployment?
If I remember correctly you can embed a manifests which would help with dealing with protected modes automatically, saving you those headaches with the APIs.
I believe ClickOnce is geared for the same thing your ActiveX installer was designed to do.
Since you say your IT dept could push this out, I assume you could use this kind of technology as well.
Even though you might not be writing applications on the .NET CLR, you can use Visual Studio to generate those manifest and installers for you.

Resources