14 May, 2008

ClickOnce - Deployment and Security aspects

What is ClickOnce?
ClickOnce is a deployment technology used for WPF, Windows and Console applications. A ClickOnce application can be configured to download updates automatically or from a remote location like web page, network share or even from a CD. Further, a ClickOnce application can run in offline mode as well.
Unlike Windows Installer, ClickOnce provides several advanced features viz. update from web, custom permission sets, etc. Enabling or configuring ClickOnce can be done easily via the Security page of the Project Designer, while publishing can be done through the Publish page of the Project Designer.
The core ClickOnce deployment architecture is based on two XML manifest files: an application manifest and a deployment manifest.
The application manifest describes the application itself. This includes the assemblies, the dependencies and files that make up the application, the required permissions, and the location where updates will be available.
The deployment manifest describes how the application is deployed. This includes the location of the application manifest, and the version of the application that clients should run.

Trust Levels
In Partial Trust mode, the permission set can be custom or inherited from zones like Internet and Local Intranet. When specific zones are used, permission elevation (where end user can grant permission for uncommon actions) is supported.
It's quite easy to configure ClickOnce in Partial Trust when the smart client application performs actions such as File IO, Isolated Storage File IO, web service access or SQL database access. Each permission can be included in a custom permission set and tested during debugging itself.
Enterprise Library 3.1 blocks do not support partial trust out of the box. A small tweak is required to able partial trust. This involves adding the attribute “AllowPartiallyTrustedCallers” in the AssemblyInfo.cs file of the ObjectBuilder source code.
However, SQL Server CE 3.5 does not support partial trust currently and hence full trust mode has to be used.

Suggested Best Practices
1) ClickOnce is a good deployment option, with useful features viz. automatic updates, Partial Trust support, etc.
2) The Calculate Permissions button on the Security page of the Property Designer estimates permissions very conservatively and is not a viable measure of required permissions. It is better to determine the minimum set of permissions manually.
3) When ClickOnce is deployed in Partial Trust mode, it is possible to debug the application in the partially trusted security context. This would identify any issues, even prior to deployment.
4) If EL 3.1 blocks are to be used in Partial Trust, the tweak (see References) would serve you well.
5) SQL Server CE does not support partially trusted callers and requires Full Trust.

1) Detailed information about ClickOnce can be found here.
2) Partial trust support for SQL Server CE is ruled out in this MS forum post.
3) This blog post provides the tweak to run Enterprise Library 3.1 in partial trust mode.
4) Permission sets needed for various EL 3.1 blocks are given here.

No comments: