310 likes | 478 Views
Enterprise Library Exception Handling Application Block. Scott Densmore Software Design Engineer Microsoft. Tim Shakarian Software Design Engineer Avanade Ron Jacobs Product Manager Microsoft. Exception handling guidance from patterns & practices
E N D
Enterprise LibraryException Handling Application Block Scott Densmore Software Design EngineerMicrosoft Tim Shakarian Software Design EngineerAvanade Ron JacobsProduct ManagerMicrosoft
Exception handling guidance from patterns & practices Describe implementation of exception handling scenarios and guidance using the Exception Handling Application Block Demonstration Questions Agenda
Sound familiar? • The same logging code is pasted throughout your code in catch blocks • Difficulty in ensuring exception handling actions are consistent from developer to developer, and application to application • Changing your policy regarding exception handling results in source code changes
Exception Handling Needs • You need consistent exception handling behavior throughout your application • You need to implement best practice guidance for exception handling • Don’t inadvertently disclose security sensitive information to remote callers • Add context to exceptions by wrapping or replacing exceptions with more relevant exceptions • You need to make it simple to add exception management boilerplate code
Threats and Countermeasures • Revealing Implementation Details • Exceptions that are allowed to propagate to the client can reveal internal implementation details that make no sense to the end user but are useful to attackers. Applications that do not use exception handling or implement it poorly are also subject to denial of service attacks. • Vulnerabilities • Attacker reveals implementation details • Denial of service • Countermeasures • Use exception handling throughout your application’s code base. • Handle and log exceptions that are allowed to propagate to the application boundary. • Return generic, harmless error messages to the client. • Thoroughly validate all input data at the server Improving Web Application SecurityThreats and Countermeasures Chapter 2 – Threats and Countermeasures
Exception Handling Application Block • Provides simple mechanism that allows you to consistently deal with exceptions throughout your application • Define “Exception Policies” which link an exception to an action • Exceptions of type ApplicationException should be logged • Exceptions of type SqlClientException should be caught and wrapped with an exception of type DataLayerException and re-thrown • Exceptions of type SecurityException should caught and replaced with an AccessDeniedException which will be thrown
Exception Handling Application Block • Actions provided include • Logging • Wrapping one exception with another • Replacing one exception with an other • Create your own actions…
Exception Handling Application Block Scope Platform functionality Application block assistance Recovery code is context-specific
Exception Handling Application Block Configuration • Configuration allows multiple policies • Policies have one or more exception types • Types have one or more exception handlers
Exception Handling Policies • Determines how a set of exception types are to be handled • Each policy contains one or more Exception Type • Multiple policies can be configured per application
Exception Propagation • Let the exception propagate automatically • Catch and rethrow the original exception • Original exception contains the original application stack trace • The return value from HandleException indicates whether the application should rethrow the original exception
Exception Propagation • Catch, wrap, and throw the wrapped exception
Exception Propagation • A word of caution • Do not allow exception details to propagate from your Web applications back to the client. A malicious user could use system-level diagnostic information to learn about your application and probe for weaknesses to exploit in future attacks. • Countermeasure: catch, replace, and throw the new exception Improving Web Application SecurityThreats and Countermeasures Chapter 19 – Securing Your ASP.NET Application and Web Services
Exception Type • A System.Exception or derived class • Each Exception Type contains one or more Exception Handler • Behaves identically to .NET type-filtered handling. Any exception of a specified class or any of its derived classes are handled
Exception Type Filtering Example • In the following example, “My Policy” is handled identically to the example code:
Exception Handler • Encapsulates exception handling logic. • Logging • Wrapping • Replacing • Are “chained” for a specific order of execution. • Each handler has an opportunity to modify the original exception. • Each handler passes its version of the exception to the next handler in the chain.
Post Handling Action • Occurs after all Exception Handlers have executed • Specifies the following actions: • None • NotifyRethrow • ThrowNewException
Exception Formatting • Formats any System.Exception object • Can be used for logging or displaying exception details • Reflects all properties of an exception, as well as additional context information • Formats inner exceptions
Shipped Exception Formatters • TextExceptionFormatter • Creates a text representation for display on screen, logging, or any other situation in which someone would read the exception details. • XmlExceptionFormatter • Creates an XML representation of the exception. • Each exception property is stored as a separate XML element.
Handling Correlation • Provides a means of tracking an exception handling instance. • A “HandlingInstanceID” GUID is generated when an exception is handled. Each handler can use this ID for correlation.
Custom Exception Handlers • Allows you to encapsulate and reuse custom business handling routines. Usage scenarios include: • Filing an incident with a trouble ticketing system. • Business specific wrapping or replacing logic. • Logging to a custom logging solution (i.e. Log4Net). • Configurable to allow for flexibility across policies and types
Creating a Custom Exception Handler • Any class that implements IExceptionHandler • Uses a “data” object for xml serializeable configuration data. • Should be simple in operation to avoid “Exception Handling Exceptions”
Key Extensibility Points • Custom exception handlers • Custom exception formatters • Plus… • Anything and everything – you have the source code! • Please post extensions and suggestions to the community
Enterprise Library v1 Caching Exceptions Legend Security Data Access Logging Dependency Plug-in Crypto Configuration Config Tool
Announcing: Enterprise Library 1.0 Download it Today! http://www.microsoft.com/practices
patterns & practices Live! • 3/22 Enterprise Library Cryptography Application Block • 3/24 Enterprise Library Security Application Block • 3/28 Building your own block • 3/31 Enterprise Library Applied http://www.pnplive.com
http://www.microsoft.com/practicesEnterprise Library Communityhttp://go.microsoft.com/fwlink/?linkid=39209&clcid=0x09