February 20, 2006
@ 07:00 PM

Just read this on Robert Hurlbut's blog (via Dominick, source is Doug)

As Doug indicates, the issue here is not "we don't want to do it", but that we need to ship. 

The problem is that partial trust is incredibly hard (and very time consuming) to test for a communication platform that is supposed to have rock solid security (no paradox here) and must perform well. It's just as hard to provide meaningful exceptions (and messages) in case we'd stumble into a CAS exception. You wouldn't want us to just bubble up some arbitrary security exception, but instead will want us to tell you what's causing the problem and how you could fix it. There are (give or take some) 20 base permissions in the framework, most of them allow parameterization, and the system is extensible with custom permissions as well. You can do the math for where that takes you in terms of required combinations and test cases for achieving satisfying test coverage across the whole of Indigo, let alone all the special casing in the actual product code-base.

I wonder how many applications written to support partial trust actually take that complexity into account in their test strategy (hint, hint) ;-)

That said, I will clarify once more that this doesn't mean "we will never do that". It's just not possible to fit this into our V1 schedule in a way that we and you would find the outcome acceptable. 

Tuesday, February 21, 2006 3:31:59 AM UTC
In addition to providing WS-Security for Partial Trust, we really really need a good _durable_ WS-ReliableMessaging implementation for Partial Trust. This will be huge for sometimes-offline ClickOnce clients.

Beats me how they can pull this off since FileStream.Flush (or the IsolatedStorage equivalent) doesn't actually flush to disk unless you P/Invoke it, so your ACKs are lying if the power goes off. Maybe this would be possible with TxNTFS on Vista, assuming they have enough time in their schedule to give us a Partial Trust API in V1...

Quick question to Clemens: where is the extensibility point for adding my own durable store for WS-RM?
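The durability concern raised in this comment, as an added example that is not code from the original post or from Indigo/WCF: a minimal append log on .NET 2.0-era APIs that pushes the OS cache to disk through a P/Invoke to FlushFileBuffers before the caller sends an ACK. The class name and record layout are assumptions.

```csharp
using System;
using System.IO;
using System.Runtime.InteropServices;
using System.Text;
using Microsoft.Win32.SafeHandles;

// Minimal durable append log, the kind a WS-RM store needs before it
// acknowledges a message. On .NET 2.0 FileStream.Flush() only pushes the
// managed buffer down to the OS; only FlushFileBuffers makes the OS push
// its cache to stable storage. (Later frameworks expose this as Flush(true).)
public sealed class DurableMessageLog : IDisposable
{
    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    private static extern bool FlushFileBuffers(SafeFileHandle hFile);

    private readonly FileStream _stream;

    public DurableMessageLog(string path)
    {
        // WriteThrough asks the OS not to cache writes, but is no substitute
        // for FlushFileBuffers on drives with their own write cache.
        _stream = new FileStream(path, FileMode.Append, FileAccess.Write,
                                 FileShare.Read, 4096, FileOptions.WriteThrough);
    }

    // Returns only after the record is on stable storage: an ACK sent after
    // this call survives a power failure, an ACK sent after Flush() alone may not.
    public void AppendDurable(long sequenceNumber, byte[] body)
    {
        // Constructed record layout: "<seq>:<length>\n" followed by the body.
        byte[] header = Encoding.ASCII.GetBytes(sequenceNumber + ":" + body.Length + "\n");
        _stream.Write(header, 0, header.Length);
        _stream.Write(body, 0, body.Length);
        _stream.Flush();                               // managed buffer -> OS
        if (!FlushFileBuffers(_stream.SafeFileHandle)) // OS cache -> disk
        {
            throw new IOException("FlushFileBuffers failed",
                                  Marshal.GetLastWin32Error());
        }
    }

    public void Dispose() { _stream.Dispose(); }
}
```

Sending the ACK only after AppendDurable returns is what keeps the receiver's acknowledgements honest; a failed flush must be treated as "not received" rather than swallowed.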
Tuesday, February 21, 2006 11:18:34 AM UTC
Thanks Clemens for your comments, and I understand the difficulty of the task. I also appreciate you are not saying "we will never do that". That is reassuring.

I know as well as others security is not easy, and it is especially not easy to test. You don't test security, typically, in an application by seeing how it succeeds, but how it fails, and if it fails "securely" without opening potential security holes and vulnerabilities. That testing takes time and effort and certainly special skill and determination.

However, there was a decision somewhere in the timeline to drop partial trust as a feature in WCF/WWF for v1. Why? Was it the sheer complexity? Was it the lack of developers to testers ratio (I absolutely admire and applaud Microsoft for doing this in the past when deciding to drop features because there were not enough testers on hand)? Was this decision impacted by a well-followed SDL (Security Development Lifecycle) plan? This is a curiosity point to me more than anything else.
Sunday, May 07, 2006 9:24:38 PM UTC
ok