Strong Names and Web Assemblies

Discussion in 'ASP .Net Security' started by Toby Considine, Oct 16, 2003.

  1. I have an assembbly that consists of several .NET DLLs, some of which I
    compile in advance, some of which customized for the indivudual user
    (skins). On machines that I has control over, no problem. As soon as I
    deployed them on publicly hosted sites, I had to add strong naming lest I
    get security exceptions.

    The service DLL is now strongly named, compiled, and placed in the Site BIN
    directory, just as it was before.

    Here is the problem.

    How do I compile the Web app to be strongly named? Using the [barely]
    documented features described in the Auto-generated AssemblyInfo.cs, I get:

    // For local projects, the project output directory is defined as
    // <Project Directory>\obj\<Configuration>. For example, if your
    KeyFile is
    // located in the project directory, you would specify the
    AssemblyKeyFile
    // attribute as [assembly: AssemblyKeyFile("..\\..\\mykey.snk")]
    // For web projects, the project output directory is defined as
    // %HOMEPATH%\VSWebCache\<Machine Name>\<Project
    Directory>\obj\<Configuration>.

    I can figure out how to comile it locally.

    This leaves me at a loss as to where I should put the snk on a remotely
    hosted site.

    thanks

    tc
     
    Toby Considine, Oct 16, 2003
    #1
    1. Advertising

  2. You are compiling on the user's machine? You only need the key pair during
    compilation - the public key (which is the only key the end user should ever
    see) is placed directly in the compiled file.

    One thing you don't want to do is post your private key (and an snk file
    contains the full key pair) because then everybody can compile using this
    key, and it would appear as if they are you.

    --
    Chris Jackson
    Software Engineer
    Microsoft MVP - Windows XP
    Windows XP Associate Expert
    --
    More people read the newsgroups than read my email.
    Reply to the newsgroup for a faster response.
    (Control-G using Outlook Express)
    --

    "Toby Considine" <> wrote in message
    news:...
    > I have an assembbly that consists of several .NET DLLs, some of which I
    > compile in advance, some of which customized for the indivudual user
    > (skins). On machines that I has control over, no problem. As soon as I
    > deployed them on publicly hosted sites, I had to add strong naming lest I
    > get security exceptions.
    >
    > The service DLL is now strongly named, compiled, and placed in the Site

    BIN
    > directory, just as it was before.
    >
    > Here is the problem.
    >
    > How do I compile the Web app to be strongly named? Using the [barely]
    > documented features described in the Auto-generated AssemblyInfo.cs, I

    get:
    >
    > // For local projects, the project output directory is defined as
    > // <Project Directory>\obj\<Configuration>. For example, if your
    > KeyFile is
    > // located in the project directory, you would specify the
    > AssemblyKeyFile
    > // attribute as [assembly: AssemblyKeyFile("..\\..\\mykey.snk")]
    > // For web projects, the project output directory is defined as
    > // %HOMEPATH%\VSWebCache\<Machine Name>\<Project
    > Directory>\obj\<Configuration>.
    >
    > I can figure out how to comile it locally.
    >
    > This leaves me at a loss as to where I should put the snk on a remotely
    > hosted site.
    >
    > thanks
    >
    > tc
    >
    >
     
    Chris Jackson, Oct 16, 2003
    #2
    1. Advertising

  3. Perhaps I misinderstnad your question. My app has two parts.

    One - business logic, compiled locally by me and placed in bin directory of
    web site on shared hosting machined.

    "Skins" consisting of ASPX's/ASCX's on remote machine. It is my
    understanding that each time the ASPX's are changed, the site modified, the,
    the JIT compile funtion of DOT/NET takes over and a new dll is created.

    BTW, it appears that this also happens in IIS after a restart, causing the
    first load of ASPX-based apps to be characteristically slow.

    When I do standard FORMS/based authentication, I get Security Exceptions
    thrown off by MSCORLIB. MSCORLIB is being asked about the current
    authetication state by the precompiled "LOGI" DLL. It is my understanding
    that is addressed by using a SNK file, generated in the usual way before the
    DDL is ever deployed.

    The probelm is that "On-The-Fly" DLL. I can't seem to prevent it. It is
    compiled on the fly after each change. It does not like the new SNd DLL.
    - Do I need to tell that new App to trust the new StrongNamed DLL?
    - IF so, should this be by reference to the "Public" key only (well
    probably).
    - How do I refernece that Public Key, then, in the remote compile?

    Hope this is clearer.

    tc




    "Chris Jackson" <chrisjATmvpsDOTorgNOSPAM> wrote in message
    news:...
    > You are compiling on the user's machine? You only need the key pair during
    > compilation - the public key (which is the only key the end user should

    ever
    > see) is placed directly in the compiled file.
    >
    > One thing you don't want to do is post your private key (and an snk file
    > contains the full key pair) because then everybody can compile using this
    > key, and it would appear as if they are you.
    >
    > --
    > Chris Jackson
    > Software Engineer
    > Microsoft MVP - Windows XP
    > Windows XP Associate Expert
    > --
    > More people read the newsgroups than read my email.
    > Reply to the newsgroup for a faster response.
    > (Control-G using Outlook Express)
    > --
    >
    > "Toby Considine" <> wrote in message
    > news:...
    > > I have an assembbly that consists of several .NET DLLs, some of which I
    > > compile in advance, some of which customized for the indivudual user
    > > (skins). On machines that I has control over, no problem. As soon as I
    > > deployed them on publicly hosted sites, I had to add strong naming lest

    I
    > > get security exceptions.
    > >
    > > The service DLL is now strongly named, compiled, and placed in the Site

    > BIN
    > > directory, just as it was before.
    > >
    > > Here is the problem.
    > >
    > > How do I compile the Web app to be strongly named? Using the [barely]
    > > documented features described in the Auto-generated AssemblyInfo.cs, I

    > get:
    > >
    > > // For local projects, the project output directory is defined as
    > > // <Project Directory>\obj\<Configuration>. For example, if your
    > > KeyFile is
    > > // located in the project directory, you would specify the
    > > AssemblyKeyFile
    > > // attribute as [assembly: AssemblyKeyFile("..\\..\\mykey.snk")]
    > > // For web projects, the project output directory is defined as
    > > // %HOMEPATH%\VSWebCache\<Machine Name>\<Project
    > > Directory>\obj\<Configuration>.
    > >
    > > I can figure out how to comile it locally.
    > >
    > > This leaves me at a loss as to where I should put the snk on a remotely
    > > hosted site.
    > >
    > > thanks
    > >
    > > tc
    > >
    > >

    >
    >
     
    Toby Considine, Oct 16, 2003
    #3
  4. If you are using ASP.NET, and hence have code behind, then there are two
    times when pages are compiled. Your code behind is compiled before you
    deploy, and your pages themselves are compiled when you access them. (When
    the last session is dropped, then the application is shut down, and you must
    recompile the aspx page at this point.)

    I am unaware of a way to strong name the compiled code that is dynamically
    generated. (That doesn't mean it doesn't exist, just that I don't know about
    it.)

    --
    Chris Jackson
    Software Engineer
    Microsoft MVP - Windows XP
    Windows XP Associate Expert
    --
    More people read the newsgroups than read my email.
    Reply to the newsgroup for a faster response.
    (Control-G using Outlook Express)
    --

    "Toby Considine" <> wrote in message
    news:...
    > Perhaps I misinderstnad your question. My app has two parts.
    >
    > One - business logic, compiled locally by me and placed in bin directory

    of
    > web site on shared hosting machined.
    >
    > "Skins" consisting of ASPX's/ASCX's on remote machine. It is my
    > understanding that each time the ASPX's are changed, the site modified,

    the,
    > the JIT compile funtion of DOT/NET takes over and a new dll is created.
    >
    > BTW, it appears that this also happens in IIS after a restart, causing the
    > first load of ASPX-based apps to be characteristically slow.
    >
    > When I do standard FORMS/based authentication, I get Security Exceptions
    > thrown off by MSCORLIB. MSCORLIB is being asked about the current
    > authetication state by the precompiled "LOGI" DLL. It is my understanding
    > that is addressed by using a SNK file, generated in the usual way before

    the
    > DDL is ever deployed.
    >
    > The probelm is that "On-The-Fly" DLL. I can't seem to prevent it. It is
    > compiled on the fly after each change. It does not like the new SNd DLL.
    > - Do I need to tell that new App to trust the new StrongNamed DLL?
    > - IF so, should this be by reference to the "Public" key only (well
    > probably).
    > - How do I refernece that Public Key, then, in the remote compile?
    >
    > Hope this is clearer.
    >
    > tc
    >
    >
    >
    >
    > "Chris Jackson" <chrisjATmvpsDOTorgNOSPAM> wrote in message
    > news:...
    > > You are compiling on the user's machine? You only need the key pair

    during
    > > compilation - the public key (which is the only key the end user should

    > ever
    > > see) is placed directly in the compiled file.
    > >
    > > One thing you don't want to do is post your private key (and an snk file
    > > contains the full key pair) because then everybody can compile using

    this
    > > key, and it would appear as if they are you.
    > >
    > > --
    > > Chris Jackson
    > > Software Engineer
    > > Microsoft MVP - Windows XP
    > > Windows XP Associate Expert
    > > --
    > > More people read the newsgroups than read my email.
    > > Reply to the newsgroup for a faster response.
    > > (Control-G using Outlook Express)
    > > --
    > >
    > > "Toby Considine" <> wrote in message
    > > news:...
    > > > I have an assembbly that consists of several .NET DLLs, some of which

    I
    > > > compile in advance, some of which customized for the indivudual user
    > > > (skins). On machines that I has control over, no problem. As soon as

    I
    > > > deployed them on publicly hosted sites, I had to add strong naming

    lest
    > I
    > > > get security exceptions.
    > > >
    > > > The service DLL is now strongly named, compiled, and placed in the

    Site
    > > BIN
    > > > directory, just as it was before.
    > > >
    > > > Here is the problem.
    > > >
    > > > How do I compile the Web app to be strongly named? Using the [barely]
    > > > documented features described in the Auto-generated AssemblyInfo.cs, I

    > > get:
    > > >
    > > > // For local projects, the project output directory is defined

    as
    > > > // <Project Directory>\obj\<Configuration>. For example, if your
    > > > KeyFile is
    > > > // located in the project directory, you would specify the
    > > > AssemblyKeyFile
    > > > // attribute as [assembly: AssemblyKeyFile("..\\..\\mykey.snk")]
    > > > // For web projects, the project output directory is defined as
    > > > // %HOMEPATH%\VSWebCache\<Machine Name>\<Project
    > > > Directory>\obj\<Configuration>.
    > > >
    > > > I can figure out how to comile it locally.
    > > >
    > > > This leaves me at a loss as to where I should put the snk on a

    remotely
    > > > hosted site.
    > > >
    > > > thanks
    > > >
    > > > tc
    > > >
    > > >

    > >
    > >

    >
    >
     
    Chris Jackson, Oct 17, 2003
    #4
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Dmitry Bond.

    problems with strong named assemblies

    Dmitry Bond., Oct 31, 2005, in forum: ASP .Net
    Replies:
    1
    Views:
    425
    Dmitry Bond.
    Nov 1, 2005
  2. namekuseijin

    Re: "Strong typing vs. strong testing"

    namekuseijin, Sep 27, 2010, in forum: C Programming
    Replies:
    214
    Views:
    3,356
    Nick Keighley
    Oct 17, 2010
  3. namekuseijin

    Re: "Strong typing vs. strong testing"

    namekuseijin, Sep 27, 2010, in forum: Python
    Replies:
    229
    Views:
    3,461
    Gregory Ewing
    Oct 29, 2010
  4. Chris Mohan

    Private Assemblies & Strong Names??

    Chris Mohan, Jul 13, 2004, in forum: ASP .Net Security
    Replies:
    1
    Views:
    228
    Jim Cheshire [MSFT]
    Jul 13, 2004
  5. Greg Stangler
    Replies:
    5
    Views:
    222
    Greg Stangler
    Feb 9, 2005
Loading...

Share This Page