Comments on: Securing Your Agatha Service Layer http://davybrion.com/blog/2010/01/securing-your-agatha-service-layer/ Trying to walk that thin line between intelligence and ignorance Thu, 29 Jul 2010 20:54:12 +0000 hourly 1 http://wordpress.org/?v=3.0 By: Davy Brion http://davybrion.com/blog/2010/01/securing-your-agatha-service-layer/comment-page-1/#comment-26529 Davy Brion Fri, 29 Jan 2010 08:00:38 +0000 http://davybrion.com/blog/2010/01/securing-your-agatha-service-layer/#comment-26529 @Rory what i was trying to make clear in the setter injection post was that i sometimes use it for _required_ dependencies to avoid having to put it in the constructor of each derived class. I'm not really gonna keep arguing about the validity of that, because i explained my reasons in the other post (and its comments). I'm not sure if you read it thoroughly though since you seem to think i'm talking about optional dependencies. thanks for the link btw :) @Rory

what i was trying to make clear in the setter injection post was that i sometimes use it for _required_ dependencies to avoid having to put it in the constructor of each derived class. I’m not really gonna keep arguing about the validity of that, because i explained my reasons in the other post (and its comments). I’m not sure if you read it thoroughly though since you seem to think i’m talking about optional dependencies.

thanks for the link btw :)

]]> By: Rory Primrose http://davybrion.com/blog/2010/01/securing-your-agatha-service-layer/comment-page-1/#comment-26495 Rory Primrose Thu, 28 Jan 2010 23:37:46 +0000 http://davybrion.com/blog/2010/01/securing-your-agatha-service-layer/#comment-26495 Busted link - try <a href="http://msdn.microsoft.com/en-us/magazine/ee321570.aspx" rel="nofollow">http://msdn.microsoft.com/en-us/magazine/ee321570.aspx</a> Busted link – try http://msdn.microsoft.com/en-us/magazine/ee321570.aspx

]]> By: Rory Primrose http://davybrion.com/blog/2010/01/securing-your-agatha-service-layer/comment-page-1/#comment-26494 Rory Primrose Thu, 28 Jan 2010 23:36:07 +0000 http://davybrion.com/blog/2010/01/securing-your-agatha-service-layer/#comment-26494 I read your post that discusses setting injection. I won't go down the path of others and argue that point as it is done against that post already. However, if this is the pattern you go forward with for optional parameters, then you need to check whether Authenticator is null before referencing it to avoid potential NullReferenceExceptions. The code here describes that Authenticator is a required value. In this case it should be injected via the constructor with a guard clause. Another point of note is that it might be a good idea to also pass the AssemblyQualifiedName of the type that created the hash of the password. This implementation creates an unspoken contract between the client and server about how to calculate the hash. The hash type used is an assumption at best. If the API allows the client to specify how the hash type then there is no assumption in play. Bryan Sullivan wrote an article in the August 2009 MSDN mag about Cyrptographic Agility (<a href="//msdn.microsoft.com/en-us/magazine/ee321570.aspx\" rel="nofollow">here</a>) which addresses this issue very well. I read your post that discusses setting injection. I won’t go down the path of others and argue that point as it is done against that post already. However, if this is the pattern you go forward with for optional parameters, then you need to check whether Authenticator is null before referencing it to avoid potential NullReferenceExceptions. The code here describes that Authenticator is a required value. In this case it should be injected via the constructor with a guard clause.

Another point of note is that it might be a good idea to also pass the AssemblyQualifiedName of the type that created the hash of the password. This implementation creates an unspoken contract between the client and server about how to calculate the hash. The hash type used is an assumption at best. If the API allows the client to specify how the hash type then there is no assumption in play.

Bryan Sullivan wrote an article in the August 2009 MSDN mag about Cyrptographic Agility (here) which addresses this issue very well.

]]> By: The Morning Brew - Chris Alcock » The Morning Brew #527 http://davybrion.com/blog/2010/01/securing-your-agatha-service-layer/comment-page-1/#comment-26416 The Morning Brew - Chris Alcock » The Morning Brew #527 Thu, 28 Jan 2010 08:35:44 +0000 http://davybrion.com/blog/2010/01/securing-your-agatha-service-layer/#comment-26416 [...] Securing Your Agatha Service Layer - Davy Brion talks about implementing security within his Agatha Service Layer project, which can be achieved by the usual WCF security methods, or as Davy explores in this piece by implementing custom authentication into the request processing. [...] [...] Securing Your Agatha Service Layer – Davy Brion talks about implementing security within his Agatha Service Layer project, which can be achieved by the usual WCF security methods, or as Davy explores in this piece by implementing custom authentication into the request processing. [...]

]]>