I have a .Net DLL that I created that implements a WCF client that talks to a WCF service, allowing the end-user to pipe data to the server where the service resides.

I use this DLL in client programs I developed for work, but now I wish to use this .Net DLL in a web page so the client can be delivered to an end-user on the net.

ASP.Net has this great feature that allows one to reference a .Net DLL in a web page using the object tag pattern:

<object id="demolib" classid="DemoLib.dll#DemoLib.DemoClass"></object>

What this does is alert the client's runtime environment that specific functionality is available in a .Net DLL (DemoLib.dll in the code above) that may not be present on the client machine. If the requested functionality does not exist, the DLL is transferred to the client and set up in the client's GAC for use by the web page.

I have made it work locally, as well as remotely in a full-trust environment, without an installer. The DLL is delivered via the web page and installed into the GAC for the end-user without problem.

The problem arises when I try to deliver the DLL outside full trust. I don't want end-users to have to set the site that they are connecting to to full trust in order to access the DLL. I have no problem strongly-naming and signing the .Net DLL with a valid certificate. The trust for this DLL should be implicit, but it does not seem to be the case.

I believe that there must be a way to allow the user to authorize the delivery and use of the DLL if they wish, but I have not been able to model such a delivery without failure.

The question then is, what is the strategy I should use to allow the user to authorize the DLL's delivery and functionality using the object tag pattern above without forcing them to install it (OneClick, MSI, etc.)?

+1  A: 

So, you want to silently deliver a .NET assembly to a client machine, outside full trust, and have it communicate in the background with a WCF service? This is precisely what the trust system is designed to prevent.

I think you should consider a OneClick deployment. Users should be aware when they are installing software that communicates with the cloud.

Dave Swersky
A very astute point. I agree with your assessment as well, although "silent delivery" was not in my question. I specifically *want* authorization. As I understand it, this mechanism for delivering "partially trusted" code exists, given that the code adheres to certain rules. Under those rules, the onus for authorization lies with the end-user and not the delivery agent. I expect that the .Net runtime will want to pop up a message "Are you sure you wish to run this code from XYZ?" that shows a valid, researchable certificate for "XYZ" from VeriSign. And that would be perfect. Can it be done?
William Daniel
Because of character constraints, I could not complete my last comment with the following: Thank you very much, Dave, for your observation. I really appreciate your quick response to my query.
William Daniel
No problem, glad I could pitch in. To your point about authorization: I don't think there is a way to grant authorization using the <object> tag. That hearkens back to ActiveX-style installation, which is what ClickOnce is designed to replace, I believe.
Dave Swersky
Internet Explorer 8 is doing away with this method of <object> tag usage and I hear ClickOnce might be doomed as well. We went instead to the good (not so certain) old-fashioned (very certain) method of ActiveX delivery and COM registration. Ah well... You cannot win every time.
William Daniel