I have an ILog interface that has multiple implementations. One will be writing to a database, one on Windows Event Log, another on an xml file, some on text files for different vendors.
Implementations of this interface are dynamically loaded using Ninject. With the growing number and the recent news on hacks and malwares sleeping on some networks, I would like to know if there is a way to filter the assemblies to only the trusted ones?
We are trying to prevent someone from just creating their own implementation of our interfaces and dropping the dll into the bin folder then they get access to the flow of our information.
Please note that we load assemblies that follows the ILog interface.
It is rather useless to try preventing this. If piece of malware can already write to the application folder, all your attempts to 'filter out' illegal dlls will always fail. The attacker can for instance simply replace the .exe and will run in the context of the user and can do everything that your application can do.
Related
change a config.properties file in a jar / war file in runtime and hotdeploy the changes ?
my requirement is something as follows, we have a "config.properties" in a jar/war file , i have to open the file through a webpage and after the user has made necessary changes to it, i have to update the "config.properties" in jar/war file and hot deploy it. can we achieve this feat ? if so can you please point me to relevant sites/documents so that i can jumpstart on this.
I will strongly recommend your architecht rethink this solution. What you describe should be done through JNDI or a similar technique, not through reloading properties.
Deployments should be considered static - that any given web container allows for magic trickery should not be depended on, and WILL break some day (most likely at the most inconvenient time).
You've got a couple of problems off the top of my head:
ensuring that nothing is holding static references to a java.util.Properties that has previously loaded your config.properties file.
most servlet engines will unpack your war to a working directory so the properties file you load won't be the one in the war, it will be the unpacked one. This means your changes
will be overwritten when you restart the servlet engine because this is typically one of the points the war is unpacked.
While these problems aren't insurmountable I've always found it much easier to implement this sort of behavior by storing the properties in JNDI (as Thorbjørn suggests) or a database (while being careful about the static references I mentioned in point 1).
The JNDI/database solution has the nice side effect of easing deployment into multiple environments because each typically has it's own registry/database.
Even that I agree with the comments explained before, I could suggest one solution:
Apache Commons Configuration extension gives you the posibility to do something like:
config.setReloadingStrategy(new FileChangedReloadingStrategy());
That could make the trick to change the configuration file on a runtime basis with no code at all.
However, like JNDI and other methods of web application configuration, the security is a concern. Be careful on which parameters you can/must be able to configure.
PLEASE NOTE: None of the answers in the link above (which I don't seem to be able to remove) helped me. As I explain below, I had already tried all that stuff
I have a web site, developed in VS2013 using ASP.NET MVC5/WebAPI2, which has several related projects such as a service layer, repository layer, etc. Down at the bottom of the stack is a class library that holds an EF model. I have separated the actual entities into another class library, to allow them to be reused without requiring the model library.
All of this has been working fine. The web site was running, and I could make calls to the WebAPI methods as well.
I just uploaded the latest version to the production server, and all is working fine there. Then came back to VS to carry on work, and when I try to run up the web site, I get an exception
Unable to load the specified metadata resource
Searching around, it seems that the cure for this is to modify the connection string to point to the actual assembly name instead of using the default . I have two problems with this, first is that none of the config files in the solution have been touched today (by me at least, and the file history form source control confirms this), so there's no reason why it should suddenly stop working after being deployed, and second, even if I add the assembly name, I get the same exception.
Anyone any ideas what I can do? I'm completely stuffed now. Can't do anything.
Edit: I tried again to specify the assembly in the connection string, and now get the exception Unable to resolve assembly. I have checked the assembly name in a decompiler, and I'm pretty sure got it right.
Edit again: I just pulled the version that I deployed from source control, and that gives the same exception, so I'm sure this is nothing to do with any files I've changed (or even that have been changed by VS). The version on the production server is still working, but the source code that drives that exact same version gives the exception. So, I'm certain that the answer is NOT to be found in the myriad other versions of this question, but is somewhere else.
Found the problem, and am posting it here in the hope that it will help someone else, as I don't think this was clear in any of the other posts on this issue.
I have a layered solution, with the web project referencing a service layer, which references a repository layer which in turn references the model project. It seems to for EF to work, whichever layer actually causes the database to be accessed requires a reference to the model project. My service layer project, which was where ToList() was being called (thus enumerating the query, and causing the database to be hit) didn't have a reference to the model project, so was failing to load the assembly.
I didn't need to alter the metadata part of the connection string either, as once the service layer had a reference to the model project, it was able to find the resources by itself. Having said that, one thing I did learn from all of this is that you can speed up the creation of the model (slightly) by specifying the assembly containing the resources explicitly, as this saves the framework having to search through all loaded assemblies to find them. I'm not sure if this will make any noticeable difference, but it can't harm.
I still can't explain how this had been working up until now, and suddenly stopped, as I hadn't changed any references, nor the way I was doing the data access. Still, it seems to be working now, which is all that matters.
Hope this helps someone.
We have to maintain a lot of classic ASP and VB/ASP.Net applications that link to many different parts of a static website.
The master pages are littered with various
<!-- #include virtual="/site/footer.something" -->
and similar, where there are many many combinations of what /site/ can be.
The problem is, when you're debugging etc. when you try to run one of these sites locally, you're almost guaranteed to get a parser error.
What I want to do is come up with a generic handler so that I can just insert a blank file for any #include file that doesn't exist.
I tried to setup a URL Rewrite rule, which works in the browser (just redirects to an empty html file) but I'm guessing the ASP parser doesn't include as a webrequest as it still generates a parser error.
I don't want to have to copy the static content to my workstation everytime I open a new app and I don't want to edit the master pages to exclude the links as one day I'm just going to forget and deploy something broken.
So the question is, is there a way to serve a default file for these declarations, or some other method ?
Edit: To consider a different fix to this problem; is there some way to insert some kind of file-system handler that can pick up requests for missing files in specific locations and return predefined content ?
Yeah, I know that's a really offbeat direction and probably a very bad idea in practise, but this is quite a frustrating problem in the office now.
What's irritating is that even though IIS has SSI disabled, the ASP processer still honours #include directives. Is there a way to either disable that, or perhaps some way to override the behaviour in some kind of generated class ?
The problem you will encounter is that includes are processed before any of your code runs. The server gathers all of the resources referenced in the scripts then compiles and runs your code. By the time your code is running, the missing include has already thrown a compiler error.
Further, what you're asking could potentially run into other problems. Often times includes contain code (procedures, constants, variable declarations, etc.) that other scripts rely on. So, even if you were to replace the missing include with an empty file, you still may encounter other parser errors if the including script expects that include to contain specific code.
Probably your best bet is to make a console app or something similar that parses your files looking for the include statements, resolves the relative path based on your directory structure and does what you want - write an empty file if it doesn't exist. You could then run your projects through this parser and at least eliminate that issue.
Additionally, you mention the possibility of accidentally deploying something that you've edited to circumvent this problem. I would assume then, that if you were to write out these "dummy" includes, there is no possibility of you accidentally deploying them and overwriting good files?
I'm having some trouble merging the localization satellite assemblies into the plugin DLL for CRM2011.
Either that, or I don't know how to use the merged resources afterwards.
I create a few plugins and create a basic resource file (default - English) and one for a specific culture (at the time of writing it's for Polish localizations, but later I'll need to add French as well).
I make sure not to sign the assembly itself, as ILMerge will sign the finished assembly itself.
This is the command I use to merge the extra satellite assembly:
ilmerge /targetplatform:v4,C:\Windows\Microsoft.NET\Framework\v4.0.30319 /log:log.txt /keyfile:KeyFile.snk /out:Plugins.dll DynamicsCRM2011.Plugins.dll pl-PL\DynamicsCRM2011.Plugins.resources.dll
As you can see, the plugins are in .NET 4.0 and I've got the required .config file for ILMerge to use the required assemblies for merging.
The generated file appears fine, I can register it with CRM plugin-registrator, add new steps and so forth.
However, it will always use the default language. I've tried changing the System.Threading.Thread.CurrentThread.UICulture, but this didn't help. When I created a ResourceManager class and used GetString("ErrorMessage", new System.Globalization.CultureInfo("pl-PL")), I got an Exception that the specified ResourceManager doesn't know what to do with the specified culture.
I know of this question here. However, the posted solution seems to be an old one. The generated resource .cs files do not use a ComponentResourceManager. Also, parts of the code posted there have been marked as deprecated.
I'm not really sure what I'm am to do now, or how to further debug this, as I have very little experience when it comes to working with assemblies themselves. Please, help me get those satellite assemblies under control.
Update:
I've been working with sandbox plugins for a while now, and thus I no longer have access to things such as CurrentCulture (or at least I cannot change such things). I've tried tackling this problem once more: I've created a simple plugin which is fired when a new Account is saved. Nothing fancy. Here's the actual plugin code:
ResourceManager rm = new ResourceManager(typeof(Properties.Resources));
var s = rm.GetString("ErrorAlreadyPosted", new System.Globalization.CultureInfo("pl-PL"));
throw new InvalidPluginExecutionException(s);
The code no longer throws an exception about not being able to find the specified culture... also the code obviously throws an exception at the end, but the important thing is WHAT the exception message is. I'd expect it to be in Polish.
Alas, it is not. The string returned by GetString is still in English.
The command I used for ILmerge is the same as before, but with the /lib parameter specified so that I don't have to copy all the CRM SDK dlls...
Apparently it is not possible to read resources from with the context of a Plugin.
Read up on MSDN: http://msdn.microsoft.com/en-us/library/hh670609.aspx#BKMK_UseXMLWebResourcesAsLanguageResources
Quote: When a plug-in requires localized text, you can use an XML web resource to store the localized strings so the plug-in can access them when needed. The structure of the XML is your option, but you may want to follow the structure used by ASP.NET Resource (.resx) files to create separate XML web resources for each language. For example, the following is an XML web resource named localizedString.en_US that follows the pattern used by .resx files.
This is all I know so far - have yet to build my own solution for localization of a crm plugin.
If you use a reflector tool to look at the generated assembly, do you see your resource(s) embedded correctly? You may be experiencing the bug as outlined in the link you posted.
Try setting Thread.CurrentThread.CurrentUICulture and\or Thread.CurrentThread.CurrentCulture.
Also try hooking into the AppDomain.CurrentDomain.AssemblyLoad and\or AppDomain.CurrentDomain.AssemblyResolve to debug which assemblies are being attempted to load and from where. You might need to customize their behavior so that instead of loading an external assembly to load an internal resource instead.
You can try embedding project references as resources instead of using ilmerge as well.
See this: http://bartlomiej.net/dotnet/embeded-assembies-into-an-executable/
The way we eventually handled this is by adding the localization XML files (generated by Visual Studio) as CRM resources, and created a bit of custom code which seeks the appropriate resource and then seeks the localization text inside.
It's, obviously, not as simple as just using the generated C# localization class, and requires some prep work. However, with that prep-work in place and with using nameof it's now almost as simple as the aforementioned resource classes.
I have a question about my ActiveX control not always working in IE on other machines.
Context: I'm working on an internal app for my company. It is designed to be a standalone web-page config tool for viewing a static customized version of our web app. The user may select the colors, images, and other settings they would like to see, and these will be present in the static mockup/preview version on their machine when they click a button.
Implementation: my javascript file creates a filesystem/activex object that essentially creates a temporary javascript file to which a list of values are written. Then when the user previews the configuration, the javascript file is located and values are loaded dynamically into the dom, etc etc. Naturally this functionality only works in Internet Explorer and is shady at best, but is my only way of implementing a purely zero configuration, client-side dynamic webapp.
Problem: When I test out my script, Internet Explorer prompts me twice about ActiveX controls and I say "yes" to them and the ActiveX functions work. I do this every single time I open my page. But sometimes when I send the file to another person so they can use it, they don't get the notifications so it doesn't work. However sometimes they do get notifications and it does work! I am using default security settings for IE so there should be no difference between my settings and theirs.
Could this be related to my user permissions vs theirs, or the fact that the files are read-only (because they are coming from source control and are also being made read-only when put on the shared drive.) or unknown dark Microsoft forces beyond human comprehension?
Thanks,
Josh
I believe you may want to create an HTA (HTML Application) instead of a web page. Writing HTA's gives you more privileges as far as ActiveX objects are concerned. Check out this page from Microsoft: http://msdn.microsoft.com/en-us/library/ms536496(v=vs.85).aspx.
To answer your question about privileges, I believe that some of your coworkers' IE settings probably prevent web pages from using ActiveX objects. Your settings may be such that you are prompted whenever ActiveX object are about to be created.