February 2006 - Posts

SecurePasswordTextBox - A textbox that uses the SecureString class
Sunday, February 26, 2006 8:00 PM

In a previous post, I mentioned that I was working on a small side project to develop a version of a standard Winforms textbox control that utilises the SecureString class from the System.Security namespace in .Net V2. Well I have finally released this 'SecurePasswordTextBox' control for others to use and comment upon. It comes with full source code so you can see what I have done. Note that I have not done anything particularly elegant in the way it handles textual input, however its small, and works for the very brief testing I performed.

Note that this is something I have been tinkering with as I continuing to write the last chapter I have due for the upcoming 'Beginning AJAX with ASP.NET' book, hence why not too much testing has gone into it. I kind of poke around in this little pet project for a while when my head gets too full of book writing and needs a quick break.

I really wanted this for my own (yet another) personal project of moving my password manager application which I wrote way back in .Net V1.1 days (oh how I remember.....). In its new incarnation as a .net V2 app, I wanted to utilise the SecureString class to hold the password instances, but its not that easy getting text into it via a windows forms app, without using a standard form of input. None of which supports the SecureString. So, I wrote this little control.

You can download it here ( http://www.theglavs.com/DownloadItem.aspx?FileID=46 ).

I'd love to hear any feedback, or even if you just find it useful. If you happen to do any bug fixes, or have any suggestions I'd be particularly interested in those.

It doesn't come with any documentation. you simply drag it into a form and use it like a textbox. It does NOT display any textual entry, but rather uses whatever is defined in the 'PasswordChar' property field to display when you have typed a character. Ifno character is defined, then it defaults to an asterisk.

You can access the contents of whatever is input via 2 new properties.

'SecureText' - is an instance of the SecureString class with whatever data has been entered into it.
'CharacterData' - is a byte array that will return the characters held within the SecureStrig instance as a byte array. Not as safe as using the SecureString instance, but more for convenience.

The source code comes with a very minimalistic demo app to show you how to use it.

P.S. Add the control to your control toolbox to mkae things easier at design time.

Making use of the SecureString
Sunday, February 19, 2006 10:32 PM

In .Net V2, there is a class called the SecureString in the System.Security namespace. Its a nifty little class that stores its contents in encrypted form, and is not subject to managed heap garbage collection side effects, where copies of the string are left around while waiting to be collected, and also its string value is not sitting in memory for all to see, nor are multiple copies made each time a character is added and a whole bunch of other things I have talked about previously. Basically, it allows secure storage, in memory, of a string, such that tools that can pry into your memory, don't see things they are not supposed to.

Problem is, to use this class in any meaningful way from a user interface perspective, you usually have to enter your string first into some UI element such as a textbox, or other control, and these controls themselves dont utilise a secure string class. Rather, they use standard string mechanisms to store their data, so even though you may have immediately copied the contents to a secure string class, they are still loitering around in memory, waiting to be collected (or worse yet, with a valid reference to them, and not being collected for some time).

I have been wanting to upgrade my personal password manager application for some time now, as it was only written as a little micky mouse app to try out some UI elements a very long time ago, but ended up proving very useful. Its implementation is not what I would call good practice code though. In V2, I wanted to utilise the secure string class to store my passwords in memory, however its not so easy from a UI perspective, as already mentioned. To that end, I have started to develop a 'SecureTextBox' control which allows textual entry like a textbox with a password character defined, however all internal storage is via a secure string. No standard managed string instance is used at all. Its in a semi-working form right now, and will be finished soon. I'll release it for others to use ofcourse. I'd be interested in hearing if there are already implementations out there around this.

Oh well, back to it....

Playing the XBox 360 in Oz
Friday, February 17, 2006 9:16 PM

Since I have been working at the Microsoft SDC here in Sydney (North Ryde actually), Australia, I have been lucky enough to have a play with the XBox 360 units that are available. They haven't been released in Australia yet (March 22nd I think) so its pretty cool being able to give it a test drive. Only some demo games have been loaded on them though like King Kong, Call of Duty 2, and kalea (or something like that).

Here is me looking silly

And here is Rob Sanders,  a colleague who also works for readify, doing the 360 thang....


Call of Duty 2 is great fun, BTW.

by Glav | with no comments
I have been slack - ASP.NET Podcast Show #37 - January CTP of Atlas
Thursday, February 16, 2006 11:18 PM

I have been reallybusy lately and have not posted about the latest podcast that Wally did. No wonder he hasn't been talking to me much lately....

So here it is:

ASP.NET Podcast Show #37
Subscribe – Go ahead, everybody's doin' it.

Show Notes:

by Glav | with no comments
Atlas and error handling
Saturday, February 11, 2006 11:09 PM

Was playing around with the January CTP of Atlas which was recently released and found the error handling within Atlas interesting.

As you may already know, you must place an <atlas:ScriptManager> control within your Atlas enabled page. To handle an error situation, you can add an error template to the script manager control as shown in the following example:

        <atlas:ScriptManager ID="ScriptManager1" runat="server" EnablePartialRendering="True" >
                <br />
                Error is:
                <asp:Label ID="errorMessageLabel" runat="server" Text="Label"></asp:Label>
                <asp:Button ID="okButton" runat="server" Text="Clear Error" />

Now, when an exception is generated on the server through one of the async methods, the error template you have defined will display. You'll notice a label and button with an id of 'errorMessageLabel' and 'okButton' respectively. These id names are specific names and Atlas will hook up special behaviour to these controls. For the 'errorMessageLabel' control, the text of the exception will be placed here for you. For the 'okButton', clicking this will cause the error/exception display to be cleared from your browser screen.

The id names are effectively special names that Atlas recognises and attributes special behaviour to. You can see this in the generated page output. Doing a view source on a page that contains the ScriptManager control above yields the following XML script:

    <button targetElement="okButton">
        <invokeMethod target="_PageRequestManager" method="clearError" />
    <label targetElement="errorMessageLabel">
        <binding dataContext="_PageRequestManager" dataPath="pageErrorMessage" property="text" />

Here you can see the 'okButton' calling the 'clearError ' method of the _PageRequestManager object, and also binding the 'errorMessageLabel' control to the 'pageErrorMessage' property of the _PageRequestManager object.

Now I dont know if this is new to the January CTP or not, but I thought it was interesting none the less.

DOMValidators go public
Saturday, February 4, 2006 8:57 PM

Its a little late, and I should have done this a very long time ago, but I have finally made the DOMValidator control set a public, open source project on GotDotNet for other to join and contribute to. Its is available here (http://www.gotdotnet.com/codegallery/codegallery.aspx?id=2c7a6f50-e57b-4606-91a2-ad35bdda6ab7) or http://codegallery.gotdotnet.com/domvalidators - its all the same place.

For those who dont know what the DOMValidators are, they are a set of validator controls that target the .Net V1.0/V1.1 framework. The mimic the functionality of the supplied validators except that they work in almost all browsers with support for DHTML. If they dont immediately work in a browsers, they can be made to by addition of uplevel browser detection statements within the web.config (<browsercaps> section).

I have received an incredible amount of emails from people submitting fixes for various bugs, people asking general questions about them, and a whole range of things. I kind of thought interest in them would have waned once ASP.NET V2.0 was released because of the improved validator support in that, howsever just the opposite seems to have occurred. I am seeing more interest than ever.

As a result of that, I can simply not keep up with the amount of suggested fixes, feature enhancements so I decided to make em public. Hopefully they will continue to be valuable for those who need them.

I would like to send a big thank you to all who have submitted bugs, fixes, and features over the period of their development. Your assistance has been greatly appreciated.

More Posts

This Blog