Oddur Magnusson

Object reference not set to an instance of a human being

Is there any way to limit which assemblies can reference another assembly?

What I have is our DAL assembly (let's call it product.dal.dll) which takes care of all our communication with our DB. Now I don't want people being able to reference this assembly and wreaking havoc on our (clients') data.

If I could somehow specify that product.gui.dal is the only assembly that could reference the product.dal.dll assembly.

Protecting your connection strings, locking the database server in a hidden bunker with a crazy gnome guarding it makes no sense if anybody can reference the DAL assembly!

Comments

James Avery said:

Personally I would not include your connection string in your data access layer, I would store it towards the front of your application (SI or BC). This way, if you needed to, you could run different methods on different databases. (The connection string would be a parameter to all of your data access layer methods)

-James
# November 6, 2003 9:05 AM

Thomas Tomiczek said:

No, no way. Referencing can not be limited.

You CAN, though, limit that the assemblies calling a particular method directly have to have a special digital signature.

@James:
::(The connection string would a parameter to all of your data access layer methods)

BAD. Ever heard of Object Oriented Programming? Turn it in when you construct a DAL object.
# November 6, 2003 9:25 AM

Frans Bouma said:

The connection string is normally stored in e.g. the web.config file. Referencing the DAL assembly will not make it possible to connect to the database, because the person also needs to supply a .config file with the correct connection string to the executable/website the person references your DAL with. In other words: the person needs access to runtime information on the server. When that happens, your application's security is gone anyway (because he can replace any assembly with his own to achieve what he wants.)
# November 6, 2003 9:26 AM

Frans Bouma said:

"You CAN, though, limit that the assemblies calling a particular method directly have to have a special digital signature."
Ah, this is interesting :) Can you elaborate on this a bit?
# November 6, 2003 9:27 AM

Oddur Magnusson said:

But in our application, 3rd party developers can add in modules that go to /bin and therefore run in the same appdomain as the DAL.dll.

So what I got is:
/web.config (connection string)
/bin
- product.gui.dll
- product.dal.dll
- 3rdpartyModule.dll

The 3rd party module could reference the dal.dll.
# November 6, 2003 10:02 AM

Robert McLaws said:

You could use XHEO|Licensing to handle this, to where only assemblies with your Public Key could use the assembly in question. You can find out more about it at http://www.dotnetlicensing.com
# November 6, 2003 10:07 AM

Paul Laudeman said:

You can use a strong name to sign and uniquely identify an assembly in .NET. So, with a strong name, you can decorate your DAL assembly with a check to only allow callers with a particular strong name to call your assembly. Specifically, you'll need to add the "StrongNameIdentityPermissionAttribute" to either the assembly as a whole, a class, or a method, and within that attribute specify the StrongName that you want to exclusively access your code.

See "Securing Method Access" and "StrongNameIdentityPermissionAttribute Class" in the .NET Framework SDK for more information.
# November 6, 2003 10:27 AM
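
The declarative check described in the comment above, as an added example that is not part of the original thread. The class `Product.Dal.CustomerGateway`, its query and its table name are hypothetical, and the `PublicKey` value is a constructed placeholder rather than a real key.

```csharp
// product.dal.dll (added illustration, not code from this thread)
using System.Data;
using System.Data.SqlClient;
using System.Security.Permissions;

namespace Product.Dal
{
    // Hypothetical DAL class. The link demand is evaluated when a calling
    // method is JIT-compiled: the immediate caller's assembly must be signed
    // with the key pair whose public key is given here, otherwise a
    // SecurityException is thrown before any DAL code runs.
    //
    // The hex string is a constructed placeholder, NOT a real key. Replace it
    // with the full public key printed by: sn -Tp product.gui.dll
    [StrongNameIdentityPermission(SecurityAction.LinkDemand,
        PublicKey = "00112233445566778899aabbccddeeff")]
    public sealed class CustomerGateway
    {
        private readonly string connectionString;

        // The connection string is handed in once at construction time,
        // so the DAL assembly itself never stores it.
        public CustomerGateway(string connectionString)
        {
            this.connectionString = connectionString;
        }

        // Table and column names are assumptions made for this example.
        public DataTable GetCustomers()
        {
            using (SqlConnection conn = new SqlConnection(connectionString))
            using (SqlDataAdapter adapter =
                       new SqlDataAdapter("SELECT Id, Name FROM Customers", conn))
            {
                DataTable table = new DataTable("Customers");
                adapter.Fill(table); // Fill opens and closes the connection itself
                return table;
            }
        }
    }
}
```

A link demand checks only the immediate caller, so product.gui.dll must not expose public pass-through methods that a third-party module in /bin could call to reach the DAL indirectly. In .NET Framework 2.0 and later, identity permission demands always succeed for fully trusted callers, so this check only restricts partially trusted code there.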

Oddur Magnusson said:

Thanks Paul, I'll take a look at it. It seems this is exactly what I was looking for. I knew the framework had it somewhere!

Frans: It's my plan to alter the LLBLGen templates to output secure DAL assemblies, I'll let you know how that goes ;)
# November 6, 2003 10:34 AM