Interview Tips Interview Tips, Interview Questions and Answers

13Oct/110

Additional security when calling JSON serialized services

A security feature of ASP.NET web services that are JSON serialized through the ASP.NET AJAX extensions is that they must be requested in a specific way. This is an important deterrent against your services being used in XSS attacks. Scott Guthrie has a great post providing detailed information on the particulars. It boils down to two things:

  • The request must be an HTTP POST request
  • The request’s content-type must be: “application/json; charset=utf-8”

When you register and call a web service through ASP.NET AJAX’s ScriptManager, you may safely enjoy blissful ignorance of these requirements. The framework transparently handles everything for you.

However, if you want to use a third party AJAX framework to request the JSON serialized output, you may run into trouble due to these security features.
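The two requirements above, modelled as a check over requests built with .NET's `HttpClient` types. This is an added example, not code from the original post or from ASP.NET itself; the service URL, the `name` argument and the class and method names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Text;

static class JsonServiceRequestCheck
{
    // Model of the two requirements listed above (not ASP.NET's own code).
    static List<string> Problems(HttpRequestMessage req)
    {
        var problems = new List<string>();
        if (req.Method != HttpMethod.Post)
            problems.Add("method is " + req.Method + ", not POST");

        // Compare only the media type; parameters such as charset are separate.
        string mediaType = req.Content?.Headers.ContentType?.MediaType;
        if (!string.Equals(mediaType, "application/json", StringComparison.OrdinalIgnoreCase))
            problems.Add("content-type is " + (mediaType ?? "missing") + ", not application/json");
        return problems;
    }

    static void Main()
    {
        // Hypothetical service URL, used only to construct the sample requests.
        var url = "http://localhost/Service.asmx/HelloWorld";

        // Constructed request: plain GET with no body.
        var plainGet = new HttpRequestMessage(HttpMethod.Get, url);

        // Constructed request: right verb, but a form-encoded body.
        var formPost = new HttpRequestMessage(HttpMethod.Post, url)
        {
            Content = new FormUrlEncodedContent(
                new Dictionary<string, string> { ["name"] = "test" })
        };

        // Meets both requirements: StringContent with UTF-8 and this media type
        // sends the header "application/json; charset=utf-8".
        var jsonPost = new HttpRequestMessage(HttpMethod.Post, url)
        {
            Content = new StringContent("{\"name\":\"test\"}", Encoding.UTF8, "application/json")
        };

        foreach (var req in new[] { plainGet, formPost, jsonPost })
        {
            var problems = Problems(req);
            Console.WriteLine(req.Method + ": " +
                (problems.Count == 0 ? "ok" : string.Join("; ", problems)));
        }
    }
}
```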

25Mar/110

Remoting

Remoting provides a framework that allows objects to interact with one another across application domains.

It is the concept of working in different application domains. In a network-connected application, HTTP protocols are stateless by default. Remoting means bringing in objects of different types, obtaining information about which of their methods and properties are being used, and invoking them from a remote machine. Remoting works across different domains and processes, obtaining information about the objects they use through the runtime environment.

2Jan/110

Benefits of exceptions

Exceptions provide the ability to handle or clean up code in a localized place. Also, they allow clean-up code to execute in case of error. The application becomes easier to write and maintain when clean-up code is in a centralized place.

Also, and maybe more importantly, exceptions can be used to find bugs within the code, because the CLR walks up the stack of the thread to get the call history. With this, it is possible to find the location of the failure within the code. Further, it is possible to add additional information within the exception, so that a developer can describe the kind of error more precisely.

The biggest problem with exceptions is performance because of some information overhead. So, they should be used only where preemptive programming is inappropriate. Unfortunately, most developers tend to use exceptions improperly (i.e. catch (Exception e), which will be discussed later) or too seldom, so debugging proves harder.

22Dec/100

What is Exception.InnerException in .NET

When an exception X is thrown as a direct result of a previous exception Y, the InnerException property of X should contain a reference to Y.

Use the InnerException property to obtain the set of exceptions that led to the current exception.

You can create a new exception that catches an earlier exception. The code that handles the second exception can make use of the additional information from the earlier exception to handle the error more appropriately.

Suppose that there is a function that reads a file and formats the data from that file. In this example, as the code tries to read the file, an IOException is thrown. The function catches the IOException and throws a FileNotFoundException. The IOException could be saved in the InnerException property of the FileNotFoundException, enabling the code that catches the FileNotFoundException to examine what causes the initial error.

The InnerException property, which holds a reference to the inner exception, is set upon initialization of the exception object.
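The file-reading scenario above as an added example (not code from the original post). `ReadRaw`, `ReadAndFormat` and the file name are hypothetical, and the read is a stand-in that always throws, so the chain is reproducible.

```csharp
using System;
using System.IO;

static class InnerExceptionDemo
{
    // Stand-in for the file read; throws the IOException of the scenario (constructed).
    static string ReadRaw(string path)
    {
        throw new IOException("constructed: read failed for " + path);
    }

    static string ReadAndFormat(string path)
    {
        try
        {
            return ReadRaw(path).Trim();
        }
        catch (IOException io)
        {
            // InnerException has no public setter: it is supplied through the
            // constructor when the new exception object is initialized.
            throw new FileNotFoundException("Could not load " + path, path, io);
        }
    }

    static void Main()
    {
        try
        {
            ReadAndFormat("report.txt"); // hypothetical file name
        }
        catch (FileNotFoundException ex)
        {
            // Walk the chain from the outer exception down to the root cause.
            for (Exception e = ex; e != null; e = e.InnerException)
                Console.WriteLine(e.GetType().Name + ": " + e.Message);
        }
    }
}
```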

19Dec/100

Re-Throwing Exceptions

When an exception is caught in a catch block, the exception is considered to have been processed and code execution continues as normal. In some situations it is useful to catch the exception but still have it thrown to be caught again. For example, a method may catch all exceptions so that they can be logged and then re-throw the exception to be handled appropriately by the calling function.

When an exception is thrown explicitly using the syntax previously discussed, a new exception object is constructed. This exception object contains only the basic information set by the programmer; information such as the StackTrace property of the original exception is lost. To re-throw the exception and retain this additional information, the throw command is used without specifying an exception object. This is achieved using the following syntax:

throw;

The following example code demonstrates how this syntax can be used. For simplicity, the methods called are not defined so this code cannot be directly executed.
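A self-contained comparison, added here and not the original post's code: `throw;` keeps the frame where the failure started, while throwing a newly constructed exception does not. All method names are hypothetical.

```csharp
using System;
using System.Runtime.CompilerServices;

static class RethrowDemo
{
    // NoInlining keeps this frame visible in stack traces in optimized builds.
    [MethodImpl(MethodImplOptions.NoInlining)]
    static void ParseRecord() // hypothetical failing method
    {
        throw new FormatException("constructed failure");
    }

    static void LogAndRethrow()
    {
        try { ParseRecord(); }
        catch (Exception ex)
        {
            Console.WriteLine("logged: " + ex.Message);
            throw; // same exception object, original StackTrace retained
        }
    }

    static void LogAndThrowNew()
    {
        try { ParseRecord(); }
        catch (Exception ex)
        {
            Console.WriteLine("logged: " + ex.Message);
            // New object: its StackTrace starts here, so ParseRecord is not in it.
            throw new FormatException(ex.Message);
        }
    }

    // Runs the action and reports whether the caught trace still names ParseRecord.
    static bool TraceMentionsOrigin(Action action)
    {
        try { action(); }
        catch (Exception ex) { return ex.StackTrace.Contains("ParseRecord"); }
        return false;
    }

    static void Main()
    {
        Console.WriteLine("throw;        keeps origin frame: " + TraceMentionsOrigin(LogAndRethrow));
        Console.WriteLine("throw new ... keeps origin frame: " + TraceMentionsOrigin(LogAndThrowNew));
    }
}
```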

12Dec/100

What is a good exception?

1. Throwing an exception when an invalid parameter is passed to a method. The ArgumentException or one of its derived exception classes should be thrown in this situation.
2. Throwing an exception when a call is made to a method that cannot operate because other information must be initialised or other methods must be called beforehand. An InvalidOperationException could be thrown in this case.

5Dec/100

Exceptions Overview in .NET

  • Exceptions are types that all ultimately derive from System.Exception.
  • Exception objects contain detailed information about the error, such as the state of the call stack and a text description of the error.
  • Code in a finally block is executed even if an exception is thrown. Use a finally block to release resources, for example to close any streams or files that were opened in the try block.
  • Use a try block around the statements that might throw exceptions.
  • Once an exception occurs in the try block, the flow of control jumps to the first associated exception handler that is present anywhere in the call stack. In C#, the catch keyword is used to define an exception handler.
  • If no exception handler for a given exception is present, the program stops executing with an error message.
  • Do not catch an exception unless you can handle it and leave the application in a known state. If you catch System.Exception, rethrow it using the throw keyword at the end of the catch block.
  • If a catch block defines an exception variable, you can use it to obtain more information about the type of exception that occurred.
  • Exceptions can be explicitly generated by a program by using the throw keyword.


28Oct/100

How Sessions Are Implemented in ASP.NET

Since the HTTP protocol used by web browsers to request files from web servers is stateless, ASP.NET needs to determine which requests were from the same user. The primary mechanism utilizes a non-persistent cookie that is issued by the web server that contains a session id value. The id provided by this cookie is the key used to index into the session infrastructure to access the user's specific data. The session framework is implemented by the HTTP module System.Web.SessionState.SessionStateModule, which executes before the .aspx page events. The module uses the EnableSessionState attribute from the @Page directive to determine if it must retrieve the user’s session information (and whether it needs to write out changes when the request is complete). If the EnableSessionState attribute is true (which it is by default), the module retrieves all of the user’s session information and sets the Session property of the Page class to an instance of the HttpSessionState class. This article focuses on the cookie mechanism, although a cookie-less method of sessions is implemented in ASP.NET (the session id is embedded in the URL string). The Session information can be stored in-process (default, stores in web server memory), with a state service, or a SQL Server database. This article will focus on the in-process storage, but the technique applies to all three locations.