Jason Mauss' Blog Cabin

Because someone's got to do the dirty work


Security through obscurity...

I was talking with another developer recently about distributed web application architecture - security in particular. He told me about a classic ASP (3.0) web application he had done before. The entire web application consisted of one .asp file and several COM DLLs. The one .asp file had contents like this:

<%
   Set obj = Server.CreateObject("MyLibrary.ClassName")
   obj.ProcessRequest Request, Response, Application
%>

The COM DLL referenced the ASP 3.0 type library of course, and accepted the Request, Response and Application objects as parameters to the ProcessRequest method. I had never thought to do something like this.

He went on to explain how the data access components were part of a COM+ package that used impersonation to access the database using a trusted connection. To implement session state, the only thing used was a GUID placed in a cookie. When pages required session-type information, the GUID from the cookie was used like an ID value to perform the necessary lookups.
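As an added illustration (not code from the post or from the application it describes), here is the cookie-holds-only-a-GUID session design in Python: the browser carries nothing but an opaque identifier, all state lives in a server-side table, and the lookup adds the format check and expiry a practitioner would want. SessionStore, Session and the injectable clock are assumed names for this example.

```python
import time
import uuid
from dataclasses import dataclass, field

# Constructed illustration of the post's session design: the cookie carries
# only a GUID and every lookup goes through a server-side table. SessionStore
# and Session are assumed names, not the original application's.


@dataclass
class Session:
    created: float
    data: dict = field(default_factory=dict)


class SessionStore:
    """Server-side lookup table keyed by the GUID the browser presents."""

    def __init__(self, ttl_seconds=1800, clock=time.time):
        self._sessions = {}
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be tested deterministically

    def create(self):
        # uuid4 is drawn from os.urandom, so one ID gives no hint about the
        # next; a sequential or time-based ID would make the cookie guessable.
        sid = str(uuid.uuid4())
        self._sessions[sid] = Session(created=self._clock())
        return sid

    def lookup(self, cookie_value):
        # Parse before touching the table: a missing or malformed cookie value
        # is rejected without a lookup. uuid.UUID also normalises case and
        # braces, so the canonical form is what gets looked up.
        try:
            sid = str(uuid.UUID(cookie_value))
        except (ValueError, TypeError, AttributeError):
            return None
        session = self._sessions.get(sid)
        if session is None:
            return None  # well-formed but unknown: no session, no data
        if self._clock() - session.created > self._ttl:
            del self._sessions[sid]  # expired: remove so the ID cannot be reused
            return None
        return session
```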

The obvious benefits I could think of right away were:

  1. Huge performance gains. Say goodbye to script interpreting and hello to compiled code execution. Hmm...sounds kinda like ASP.NET doesn't it?
  2. No more dependency on ASP session state management.
  3. No database connection strings with a username or password, anywhere.
  4. If an intruder got access to your web server, all they get is an .asp file with 2 lines of script in it.
  5. Scalability - Since there is no dependency on ASP session state management, more hardware could be thrown at it.

The burdens to this I could think of are:

  1. Maintainability might become an issue. Even if you needed to change some HTML or CSS it would require recompiling. This might not be that much of an issue - I've had to do the same thing for some ASP.NET applications.
  2. Development time might increase for someone not used to building a web application this way.

Now, since the ASP.NET execution model does not include interpreting script, this takes away the performance gain. What I'm still thinking about, though, is whether this is really a viable security technique for an ASP.NET application.

Posted: Mar 01 2004, 10:05 PM by jamauss | with 5 comment(s)

Comments

Hannes Preishuber said:

Since I am a web consultant I have seen solutions like this.
The "high end" is to store the HTML layout in a database.
They are always wrong:

- no visual designer
- debugging
- development cost
- changes of code need much knowledge
- changes of design need compilation
- it's not faster
- no support from standard ASP technologies like caching

But the worst thing about your own "frameworks" is that there is no way back.
All the code and design is lost if you want to step into ASP.NET.
# March 2, 2004 1:33 AM

Marcus Greenwood said:

I've actually worked on systems like this. They're completely insane! Why not worry about making your web-server secure rather than waste time and write code which is far more complex than it need be.

Obviously with the advent of ASP.NET, this problem is solved much more nicely!
# March 2, 2004 4:19 AM

Pat Piccolo (patpiccolo@piccoloenterprises.com) said:

Actually, this was one of the easier ways to do websites with VB6. I think the buzzword of the day was 'Web Classes'. Jerry Ablan and Matthew Reynolds wrote an excellent book on the subject:

http://www.amazon.com/exec/obidos/tg/detail/-/186100222X

I'm so spoiled with ASP.Net. I started using Beta 1 from the PDC back in 2000 when it was ASP+. I must say though, the best book for the money (free) that's a must-read for anyone who crawled their way through classic ASP / VB6 is to download the 'Design And Implementation Guidelines for Web Clients' from the Microsoft Patterns and Practices website:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnpag/html/diforwc.asp
# March 2, 2004 8:24 AM

Jason Mauss said:

Pat,
Thanks for that link to the Patterns & Practices page. I must have missed that PDF - because I've downloaded and read just about all of them.
# March 2, 2004 1:21 PM

TrackBack said:

You've been Taken Out. Thanks for the good post.
# March 2, 2004 10:43 PM