Handling “Request too large” and identifying limits in ASP.NET

For security reasons, request sizes are limited by default. This is configurable in the web.config file through the httpRuntime section's maxRequestLength attribute. The value is an integer; its default value is 4096 (KB) and therefore is 4,153,344 bytes or 4 MB. The configured values can easily be read using the .NET configuration API:

If a request is larger than this value, an HttpException is thrown when the HttpRequest properties Form, Files or InputStream are accessed. The HttpException class has a property named WebEventCode which contains a value of the WebEventCodes lookup class: RuntimeErrorPostTooLarge, which is an integer with the value 3004. If you catch this exception you can handle the error in your application code and, for instance, return a custom error message.

But… when hosted in Internet Information Services (IIS) there might be another barrier: the request filtering module. It also has a setting for the maximum length of a request, in the requestLimits section and its maxAllowedContentLength property. By default this is set to 30,000,000 (bytes) and therefore is 29.297 KB or 28.61 MB. If this limit is hit, IIS will return an HTTP error 404 with sub status code 13 and the reason phrase “Content Length Too Large”.

The .NET configuration API refuses to load this section. And even if it is accessed raw, using the system.webServer section's SectionInformation property and its GetRawXml method, the possible inheritance is not reflected. So values that are configured on server level rather than on site level, and that differ from the default, cannot be found here.

At startup IIS creates a configuration file located at {windows drive}\inetpub\temp\appPools\{appPoolName}\{appPoolName}.config. The IIS application pool identity (the account running our web application) of course has read access to the file. To build up the path we need to get the application pool name at runtime. There is a server variable called APP_POOL_ID that will provide the necessary information.

The following code gets the locally overridden values from the web.config, the values configured at server level, the default value, or null if request filtering is not installed:

At application startup the configuration can now be validated – request filtering should always have a bigger value when you want to handle these kinds of errors in your application code – and the values of a maximal request length can be read and possibly displayed.
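One way to read both limits as described in this post, as an added example (not the original post's code). The class and method names are hypothetical, the application pool name is passed in by the caller, and detecting the module through a globalModules entry named RequestFilteringModule is an assumption.

```csharp
using System;
using System.IO;
using System.Linq;
using System.Web.Configuration;
using System.Xml.Linq;

public static class RequestLimits
{
    private const long DefaultMaxAllowedContentLength = 30000000; // bytes, default stated above

    // httpRuntime/@maxRequestLength is configured in KB; returned here in bytes.
    public static long GetMaxRequestLength()
    {
        var runtime = (HttpRuntimeSection)WebConfigurationManager.GetSection("system.web/httpRuntime");
        return runtime.MaxRequestLength * 1024L;
    }

    // appPoolName: value of the APP_POOL_ID server variable.
    // Returns null when request filtering is not installed.
    public static long? GetMaxAllowedContentLength(string appPoolName)
    {
        // 1. Value overridden locally in web.config (raw XML, inheritance not reflected).
        var rawXml = WebConfigurationManager.OpenWebConfiguration("~")
            .GetSection("system.webServer").SectionInformation.GetRawXml();
        long? local = string.IsNullOrEmpty(rawXml) ? null : ReadLimit(XElement.Parse(rawXml));
        if (local.HasValue) return local;

        // 2. Server-level value from the file IIS generates for the application pool.
        var drive = Path.GetPathRoot(Environment.GetFolderPath(Environment.SpecialFolder.Windows));
        var file = Path.Combine(drive, "inetpub", "temp", "appPools", appPoolName, appPoolName + ".config");
        var webServer = XDocument.Load(file).Root.Element("system.webServer");
        // Assumption: an installed module is listed in globalModules as "RequestFilteringModule".
        var installed = webServer != null && webServer.Elements("globalModules").Elements("add")
            .Any(m => (string)m.Attribute("name") == "RequestFilteringModule");
        if (!installed) return null;

        // 3. Not configured anywhere: the default applies.
        return ReadLimit(webServer) ?? DefaultMaxAllowedContentLength;
    }

    // Reads security/requestFiltering/requestLimits/@maxAllowedContentLength.
    private static long? ReadLimit(XElement webServer)
    {
        var attribute = webServer.Elements("security").Elements("requestFiltering")
            .Elements("requestLimits").Attributes("maxAllowedContentLength").FirstOrDefault();
        return attribute == null ? (long?)null : long.Parse(attribute.Value);
    }
}
```

At startup, compare the two results: the HttpException can only be handled in application code when the request filtering value is larger than GetMaxRequestLength().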

Using credentials based on a SecureString that is disposed

Today I was building a credential store API. One implementation against the Windows Credentials Manager (CredMan), the other one persisting information in a database. Of course the data is not persisted in clear text. I use either the MachineKey functionality or an RSA certificate based encryption.

So far so good, but I want the passwords to be secure in memory too. The .NET Framework already has a type built in for that purpose: SecureString.

The SecureString class implements the IDisposable interface, and having a property of that type in a class means losing control of the destruction.

The implementation will return ICredentials instances to authenticate mostly web requests or provide proxy authentication. So I created a test to figure out how the combination of NetworkCredential and SecureString behaves.

All green – it's possible to use a NetworkCredential object that is constructed with a SecureString even after the SecureString has been disposed. Looking inside the credential object using redgate's Reflector reveals that NetworkCredential internally uses the Copy method to clone the SecureString. When a normal string is passed to the constructor it is wrapped into a SecureString as well.

Sadly the NetworkCredential class does not implement IDisposable. So the issue is carried over to the user code.

Keep in mind: when using NetworkCredential, call SecurePassword.Dispose() after the credentials aren't required any more!
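A check along the lines of the test described in this post, as an added example (not the original post's test). The class name, user name and password value are constructed for illustration.

```csharp
using System;
using System.Net;
using System.Security;

public static class NetworkCredentialSecureStringCheck
{
    // Builds a credential from a SecureString and disposes the SecureString right away.
    public static NetworkCredential CreateCredential(string user, string constructedPassword)
    {
        using (var password = new SecureString())
        {
            foreach (var c in constructedPassword) password.AppendChar(c);
            password.MakeReadOnly();
            return new NetworkCredential(user, password);
        } // password.Dispose() runs here
    }

    public static void Main()
    {
        const string sample = "constructed-sample-password"; // constructed test value
        var credential = CreateCredential("sample-user", sample);

        // The credential still works although the SecureString passed in is disposed.
        if (credential.Password != sample) throw new InvalidOperationException("password lost");

        // The instance handed out by SecurePassword is the caller's to dispose.
        using (var secure = credential.SecurePassword)
        {
            if (secure.Length != sample.Length) throw new InvalidOperationException("length differs");
        }
        Console.WriteLine("All green");
    }
}
```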

.NET Licensing - ode to monolithic applications?

The Microsoft .NET Framework has a built-in licensing technology. It can be found in the namespaces System.ComponentModel and System.ComponentModel.Design. Here is a small sample implementation of the minimal required classes:

A lot of component producers use this licensing model – so does Tx Text Control – the component that I wanted to use. As a user you just create a *.licx file, include it into the project as “embedded resource” and add the components that should be licensed by their fully qualified type names – one per line:

During the build the LC task executes the license compiler (LC.exe). The license compiler is part of the .NET SDK that is part of the Windows SDK. If you have the Windows SDK 8.1 or Visual Studio 2013 installed it can be found at “C:\Program Files (x86)\Microsoft SDKs\Windows\v8.1A\bin\NETFX 4.5.1 Tools\”. The result is the “Licensing.dll.licenses” file that is embedded by the C# compiler (Csc.exe) in the next step.

During runtime the LicenseProvider attribute is evaluated and the defined license provider is handed over to the System.ComponentModel.LicenseManager's Validate method. This call forwards to the internal method ValidateInternalRecursive which then calls the GetLicense method of the LicenseProvider. The first argument of the GetLicense call is of type LicenseContext and at runtime filled with the statically held instance of the internal class RuntimeLicenseContext. To resolve the license key the method GetSavedLicenseKey is called on the LicenseContext. The implementation offers two options to resolve the key:

1. Resolve from URI: new Uri(new Uri(AppDomain.CurrentDomain.SetupInformation.ApplicationBase), AppDomain.CurrentDomain.SetupInformation.LicenseFile)
2. Resolve from Embedded Resource: The lookup on referenced/loaded assemblies is only processed if there is NO entry assembly - for instance within ASP.NET that is the case.

But my intent was to create a build task for MsBuild that converts Microsoft Word's DOCX files into PDF documents. So I have an entry assembly (MsBuild.exe). The entry assembly knows nothing about TX TextControl – and that is a good thing! I have no control over the entry assembly (MsBuild.exe). A situation I guess to find in every composite UI/modular desktop application. No wonder the monolith is often the preferred architecture, especially on the desktop!

After an intense debugging session through the framework sources (supported by red gate's Reflector) I wrote a small helper class. WARNING: I use reflection to access internal types and private fields and modify their values – this means: if Microsoft decides to change their internal implementation it might not work anymore. But as we can see, the code was written for .NET 1.0 and has not been updated in the last 10 years: it's not very likely that changes will happen.

Now I just need to call LicenseLoader.LoadLicensesFromCallingAssembly() before the Tx Text Control component is instantiated the first time and everything works as expected. HTH
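The minimal classes of the licensing model this post describes (license, license provider, licensed component), as an added example built on the public System.ComponentModel API. It is not the original post's sample and not the LicenseLoader helper; all type names and the key format are constructed.

```csharp
using System;
using System.ComponentModel;

// The license object handed back to the component.
public sealed class SampleLicense : License
{
    private readonly string key;
    public SampleLicense(string key) { this.key = key; }
    public override string LicenseKey { get { return key; } }
    public override void Dispose() { }
}

public sealed class SampleLicenseProvider : LicenseProvider
{
    public override License GetLicense(LicenseContext context, Type type, object instance, bool allowExceptions)
    {
        string key;
        if (context.UsageMode == LicenseUsageMode.Designtime)
        {
            // Design/build time (LC.exe): save the key so it is written to the *.licenses file.
            key = type.FullName + " is a licensed component."; // constructed key format
            context.SetSavedLicenseKey(type, key);
        }
        else
        {
            // Runtime: this is the GetSavedLicenseKey call whose lookup is described above.
            key = context.GetSavedLicenseKey(type, null);
        }
        if (key != null) return new SampleLicense(key);
        if (allowExceptions) throw new LicenseException(type, instance, "No license key found.");
        return null;
    }
}

[LicenseProvider(typeof(SampleLicenseProvider))]
public class LicensedComponent : Component
{
    private readonly License license;
    public LicensedComponent() { license = LicenseManager.Validate(typeof(LicensedComponent), this); }
    protected override void Dispose(bool disposing)
    {
        if (disposing && license != null) license.Dispose();
        base.Dispose(disposing);
    }
}
```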

Adobe, trust, WTF

Mixed language content was in the past a good indicator for phishing – just not as professional as the real provider. Today I received an e-mail from Adobe that asks me to change my password, as they were hacked in the past and besides passwords (not even hashes? what the hell), program code as well as certificates have been stolen or compromised. I was a bit scared that Adobe now offers a mixed language site, especially after what happened to them…

Setting up a local SSL development environment for multiple sites

The environment should also work on a notebook while working at a coffee shop. This requires a NIC that is always connected.

1. Add a loopback adapter... [WIN] + [R] | hdwwiz.exe
2. Open the “Network and Sharing Center” …
3. Click “Change adapter settings” and identify the loopback adapter…
4. Rename the loopback adapter…
5. Open the loopback adapter's properties…
6. Disable IP v6…
7. Edit the IP v4 settings and assign an IP address…
8. Click “Advanced” and add another IP address for each SSL site to be hosted…
9. Open “IIS Manager” and click “Server Certificates”…
10. Click “Create self signed certificate” for each SSL site to be hosted and choose the host name as friendly name…
11. Assign each site to be hosted a dedicated IP address plus certificate…
12. Associate the IP addresses with host names in the hosts file (or install DNS Services when on Server 2008)…

Done!

NRW Conf 09

This year, Just Community e.V. is once again hosting the largest developer and IT pro community event. Under the motto “Check-In zum Wissensvorsprung” (check in to a head start in knowledge), we are bringing numerous national and international speakers to Wuppertal on 28.08.2009. Besides the talks, you will of course again have plenty of time this year for networking with other IT people from near and far. All information, such as the agenda and an overview of the speakers, is available at http://www.nrwconf.de/. We are pleased to present both familiar faces and new speakers again this year. This year's event was made possible by our sponsors: Hewlett Packard, devcoach, Microsoft Deutschland, Brockhaus AG, Itemis AG, sepago GmbH, MT AG, and further companies. Another new feature this year is the Workshop Day, which takes place on the day before the actual conference, that is on 27.08.2009, at the premises of our sponsor Ontaris GmbH. The developer workshop deals with the Microsoft Web Platform and covers the topics Rich Internet Applications with Silverlight 3.0 and Web 2.0 applications with ASP.NET AJAX and JQuery. The workshops have a limited number of participants (eight each) to guarantee learning success. So check in quickly…