Challenge to all you ASP gurus - free beers to the winner!

[Martin]

Ok, this is a challenge to the gurus out there - I thought I was a
guru too, but cannot get this to work for the life of me, so, a 6-pack
of beers to the first person who can help!

I have an existing Windows.Forms.Usercontrol. This control is an
emulator for a portable device my company uses in it's factories and
warehouses. The control connects to a domain SQL Server and carries
out read and write operations on the database.

The usercontrol is currently hosted in a Windows application on a
windows form.

What I need to do is to host the control on a webpage, so that users
can access it through the intranet. The control must be a client-side
control, and will only be available on the company intranet.

So, I've managed to host the control in a webpage succesfully using
the object tag:

<Object Classid="http://myServer/myEmulator.dll#Controls.Emulator>

This all works ok, and the control displays.

However, when the control attempts to connect to the SQL Server, it
fails due to a security exception.

Fair enough, I understand why that's happening. The framework is
limiting access to local system resources to stop malicious code being
executed.

First thing I tried was to add my site to the Trusted sites list -
this had zero effect!

The next thing I tried, was impersonation. Using the LogonUser api, I
attempted to logon the control to a domain user account, and run it
under those credentials. Unfortunately, the framework security does
not allow access to the LogonUser api call!

My final attempt - which I thought MUST work - was to move all the
database functionality out into a webservice, and use this webservice
object from the existing usercontrol. Unfortunately, this didn't work
either - I get a security exception when connecting to the webservice
- apparently this is denied as well.

I know I could rewrite the control as a webcontrol, but that would
really be re-inventing the wheel. Am I being naive in thinking that
there must be a way to reuse my existing component?

Any help at all on this - even if it's to tell me I'm being a moron -
will be greatly appreciated!

Martin

 

[Martin]

Meant to add, it's .NET Framework 1.1 on an XP box.

TIA,
Martin

 

[Cowboy \(Gregory A. Beamer\)]

Ok, this is a challenge to the gurus out there - I thought I was a
guru too, but cannot get this to work for the life of me, so, a 6-pack
of beers to the first person who can help!

I have an existing Windows.Forms.Usercontrol. This control is an
emulator for a portable device my company uses in it's factories and
warehouses. The control connects to a domain SQL Server and carries
out read and write operations on the database.

The usercontrol is currently hosted in a Windows application on a
windows form.

What I need to do is to host the control on a webpage, so that users
can access it through the intranet. The control must be a client-side
control, and will only be available on the company intranet.

So, I've managed to host the control in a webpage succesfully using
the object tag:

<Object Classid="http://myServer/myEmulator.dll#Controls.Emulator>

You can move the actual functionality deeper and duping the UI portion only
in a user control. Of course, you have the option of copying the code to a
server control (composite control?), but you will end up writing the HTML
output. The user control will be quicker, as long as the actual
functionality is encapsulated in its own class(es) (separation of concerns).

Another possibility is placing the control on a form and using Click Once to
push it out. Or, making a non-GUI way to interact and calling the "Process"
from the web app.

Steve Orr also has an article on embedding windows controls into ASP.NET:
http://steveorr.net/articles/WinformControls.aspx

It briefly talks about the sandbox. An even better article, from the
standpoint of accessing a web service, is this one:
http://www.15seconds.com/issue/030610.htm

This all works ok, and the control displays.

However, when the control attempts to connect to the SQL Server, it
fails due to a security exception.

You have, potentially, both a sandbox issue and a context issue.

Fair enough, I understand why that's happening. The framework is
limiting access to local system resources to stop malicious code being
executed.

This is one of two things that can be happening (maybe both). It could be a
sandbox issue (your view of the issue), but it could also be SQL login
failure, as the embedded control is not getting a user context that the
server trusts. If the former, you may not be able to break through the walls
of the box without completely compromising security. If the later, you have
to either find context from the user or open security up.

And, it is probably a bit of both.

First thing I tried was to add my site to the Trusted sites list -
this had zero effect!

The site is not running the code on the browser side, so this will have no
effect.

The next thing I tried, was impersonation. Using the LogonUser api, I
attempted to logon the control to a domain user account, and run it
under those credentials. Unfortunately, the framework security does
not allow access to the LogonUser api call!

You are very limited on what you can actually do on the box. Calling local
APIs, for example, is frowned apon if it could compromise security (as the
LogonUser API can).

My final attempt - which I thought MUST work - was to move all the
database functionality out into a webservice, and use this webservice
object from the existing usercontrol. Unfortunately, this didn't work
either - I get a security exception when connecting to the webservice
- apparently this is denied as well.

Remoting is completely verbotten in an embedded windows control. You should
be able to use Web Services, however. Check out the articles.

I know I could rewrite the control as a webcontrol, but that would
really be re-inventing the wheel. Am I being naive in thinking that
there must be a way to reuse my existing component?

Once again, separation of concerns is the key, at least for me. I do not see
it as "reinventing the wheel". But, it is not as simple as dropping a
pre-made control on a page.

Rewriting as a user control or server control need not be rewriting the
entire logic. Refactor all of the working bits into a library of classes and
make the windows control a small skin. At this point, flipping to another UI
is a matter of creating a new "view". The refactoring will take a bit of
time, but then when you decide to go to Silverlight, you can easily slap
another UI on top.

If you look at it, this is precisely what MS is trying to solve with the MVC
Framework (force separation of concerns) as well as WPF (Silverlight or XBAP
in browsers).

Any help at all on this - even if it's to tell me I'm being a moron -
will be greatly appreciated!

I would read the articles first. I would then consider putting functionality
into a library and making the UI thin, even if you are only refactoring as a
"just in case". Even if you skip this step, I would consider treating the UI
piece as a control and feeding it the parameters. In addition, I would
consider putting up a factory method for your database access, as there will
likely be some differences in how the access is done.

 

[bruce barker]

1.1 is a bummer. this is the part that get improved with each release. the
security is implemented by .net not IE, so you need to configure .net
security. for 1.1 there is only the caspol.exe utility. it command line, and
must be run on the client box.

http://msdn2.microsoft.com/en-us/library/cb6t8dtz(VS.71).aspx

you will probably have to write a application to run caspol for your users.

-- bruce (sqlwork.com)

 

[Martin]

Hi Gregory,

Thanks for the comprehensive reply - really appreciated. The article
on 15Seconds.com has given me some really useful pointers - it appears
I should be able to interact with a webservice from the embedded
control, so that looks like the path I will go down - initially at
least. But you've also given me some good alternatives to look at as
well.

So, where do I send those beers?

Martin

 

[Martin]

Hi Bruce,

Yeah, I'm trying to get my company to join the 21st century, but for
now 1.1 is the standard!

I had looked at the Caspol utility, but got scared!

Thanks for the response.

Martin