CLR: Designing Managed AddIns for Reliability, Security, and Versioning
TRANSCRIPT
Jim Miller, Architect, CLR
Thomas Quinn, Architect, VSTA
FUN309
Microsoft Corporation
Agenda
• AddIn Models
• Object-Oriented AddIn Models
• Demo (hand-built)
• Visual Studio Tools for Applications (VSTA)
• Demo (VSTA)
• Prescriptive Guidance
Terminology
"Components"
• Hosts and their components are tested together
• Testing is against known versions, and later "mix and match" is not permitted
• Components may (or may not) be dynamically discovered and loaded
"AddIns"
• New versions of a host need not test against all existing addins (example: Microsoft Word)
• New versions of an addin need not test against all existing hosts (example: Windows Media Player)
• AddIns are always dynamically discovered and loaded
AddIns: The Problems
1. Deploying the addin
2. Discovering the addin and its implementation code
3. Qualifying the addin to ensure it meets the constraints
4. Activating an instance of the addin object
   a) Creating the instance in the appropriate environment
   b) Building the communication path
   c) Calling methods, throwing exceptions, calling callbacks, raising events, etc.
A complete addin model, like COM, supplies a solution to all four of these problems.
[Diagram: Host Object calling AddIn Object directly]
Problems:
• Can't unload the addin
• Same CLR and Framework for host and addin
• Same security domain for host and addin
• If host is updated, addin must be recompiled to avoid type mismatches (and vice-versa)
AddIns: Tightly Coupled
[Diagram: Host Object and AddIn Object both inside the Host App Domain]
Problems: all four from the previous slide apply unchanged
• Can't unload the addin
• Same CLR and Framework for host and addin
• Same security domain for host and addin
• If host is updated, addin must be recompiled to avoid type mismatches (and vice-versa)
AddIns: Isolation Boundary
[Diagram: Host Object in the Host App Domain, AddIn Object in a separate AddIn App Domain]
New Problems:
• Requires serialization or marshal-by-ref objects
• Performance penalty
Problems: the app domain boundary addresses unloading (the addin's domain can be unloaded) and the shared security domain (each domain can be granted its own permissions); two remain
• Same CLR and Framework for host and addin
• If host is updated, addin must be recompiled to avoid type mismatches (and vice-versa)
AddIns: Version-Resilient
[Diagram: Host Object -> Proxy -> Stable Contract -> Adaptor -> AddIn Object, the Stable Contract spanning the Host App Domain / AddIn App Domain boundary]
New Problems:
• Requires serialization or marshal-by-ref objects
• Performance penalty
• Design of a stable contract
• Implementation of Proxy and Adaptor
Problems: because host and addin each compile against the stable contract rather than against each other, updating one no longer forces recompiling the other; one remains
• Same CLR and Framework for host and addin
AddIns: Cross-Process
[Diagram: Host Object -> Proxy -> Stable Contract -> Adaptor -> AddIn Object, with the host in the Host Process and the addin in a separate AddIn Process]
New Problems:
• Requires serialization or marshal-by-ref objects
• Performance penalty (even higher than across app domains)
• Can't use process-local resources
• Design of a stable contract
• Implementation of Proxy and Adaptor
• Threading and re-entrancy
• Hosting of addin process and lifetime issues
Problems: a separate process can run its own CLR and Framework version, so none of the original four remain
Microsoft Recommendation
Tightly Coupled Model
• For components ("tested together")
• Some dynamic language scenarios (e.g. Smalltalk environment)
Isolated Model
• For components only
Version-Resilient Model in-process
• Best model for most addins
Cross-Process Model
• When addin might require a later version of the CLR or Framework
• When OS isolation is required (addin calls unsafe code)
• To avoid process resource exhaustion (32-bit address space)
Cross-Machine (not supported by addin model)
• Use Service-Oriented architecture, not Object-Oriented model
Status (Office 12 Timeframe)
COM provides a complete solution
• You know its advantages and its limitations
• One limitation is the lack of an object-oriented model
• Another limitation is that in-process COM activation isn't isolated
VSTA provides a more secure solution
• Provides an object-oriented model, for both managed and unmanaged code
• Provides isolation via an App Domain or a process
• System.AddIn and System.AddIn.Contract will become part of the platform, shipping first in VSTA
• Deployment, discovery, and qualification fundamentals are included in V1
Future direction
• We intend to integrate VSTA (for addins) and WCF (for services)
• Deployment, discovery, and qualification will be more fully addressed after Windows Vista/Office-12
Agenda: Object-Oriented AddIn Models
Version-Resilient Architecture: The Communication Pipeline
• Host defines an object model it will use to call methods in the addin: the host addin view (HAV), an interface or abstract class
• AddIn implements an object model: the addin base, typically an abstract base class
• A stable contract connects the two object models; the stable contract is an interface which never versions
• The host calls a host-to-contract adaptor (HCA) that maps the host's object model to the stable contract
• The contract is implemented by a contract-to-addin adaptor (CAA) that maps the stable contract to the addin's object model
• If the addin needs to call methods on the host, a reverse pipeline is required
Sample: Host Creates AddIn
    MenuAddIn MyAddIn = MenuAddIn.Load(manifest);
    MyAddIn.Show();
• MenuAddIn is the Host AddIn View (HAV), from the HostSDK
• Load calls the infrastructure to create an app domain, construct the pipeline, load the addin, and activate it
• The manifest specifies the assembly and type name
HAV: Host AddIn View; HCA: Host-to-Contract Adaptor; CAA: Contract-to-AddIn Adaptor
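The two-line sample above hides the whole pipeline behind Load. The following is an added example, not the deck's demo code: a hand-built pipeline on .NET Framework (AppDomain.CreateDomain does not exist on .NET Core/.NET 5+) in which the five parts are spelled out and Load does what the callout says: create the app domain, activate the addin there, and wrap the contract proxy in an HCA. MenuAddIn, IMenuItemContract, MenuBase and Dance are the deck's names; MenuContractAdaptor, AddInManifest and every member signature are assumptions. All five parts sit in one file so the sample runs stand-alone; in a real design the contract, host SDK and addin SDK are separate assemblies.

```csharp
// Added example (not the deck's code). .NET Framework only: uses AppDomain.CreateDomain.
using System;

// ---- Stable contract: never versions; only contract types and primitives cross it ----
public interface IMenuItemContract
{
    string GetName();
    string[] GetMenuItems();
    void Show();
}

// ---- Host side: the HAV is the only pipeline type host code references ----
public abstract class MenuAddIn
{
    public abstract string Name { get; }
    public abstract string[] MenuItems { get; }
    public abstract void Show();
    public abstract void Unload();

    // Stands in for the infrastructure on the slide: create the app domain,
    // activate the addin in it, and wrap the contract proxy in an HCA.
    public static MenuAddIn Load(AddInManifest manifest)
    {
        var setup = new AppDomainSetup { ApplicationBase = manifest.Directory };
        AppDomain domain = AppDomain.CreateDomain("AddIn:" + manifest.TypeName, null, setup);
        // MenuBase derives from MarshalByRefObject, so the host receives a transparent
        // proxy; only IMenuItemContract's methods can be invoked through it.
        var contract = (IMenuItemContract)domain.CreateInstanceAndUnwrap(
            manifest.AssemblyName, manifest.TypeName);
        return new MenuContractAdaptor(contract, domain);
    }
}

// Manifest: assembly and type name plus the directory to load from (assumed shape).
public sealed class AddInManifest
{
    public string Directory, AssemblyName, TypeName;
}

// ---- HCA: maps the host's object model onto the stable contract ----
internal sealed class MenuContractAdaptor : MenuAddIn
{
    private readonly IMenuItemContract _contract;
    private readonly AppDomain _domain;
    public MenuContractAdaptor(IMenuItemContract c, AppDomain d) { _contract = c; _domain = d; }
    public override string Name { get { return _contract.GetName(); } }
    public override string[] MenuItems { get { return _contract.GetMenuItems(); } }
    public override void Show() { _contract.Show(); }
    // Possible only because the addin lives in its own app domain.
    public override void Unload() { AppDomain.Unload(_domain); }
}

// ---- AddIn side: the CAA doubles as the addin base class (MenuBase in the demo) ----
public abstract class MenuBase : MarshalByRefObject, IMenuItemContract
{
    protected abstract string Name { get; }
    protected abstract string[] BuildMenu();
    protected abstract void OnShow();
    // Explicit implementation: the addin author sees only the protected members above.
    string IMenuItemContract.GetName() { return Name; }
    string[] IMenuItemContract.GetMenuItems() { return BuildMenu(); }
    void IMenuItemContract.Show() { OnShow(); }
}

// ---- An addin: references MenuBase and nothing else from the pipeline ----
public sealed class Dance : MenuBase
{
    private int _shown;
    protected override string Name { get { return "Dance"; } }
    protected override string[] BuildMenu() { return new[] { "Start", "Stop" }; }
    protected override void OnShow() { _shown++; }
}

public static class Program
{
    public static void Main()
    {
        var manifest = new AddInManifest
        {
            Directory = AppDomain.CurrentDomain.BaseDirectory,   // a real host uses its addin directory
            AssemblyName = typeof(Dance).Assembly.FullName,      // single-file demo: the addin is this assembly
            TypeName = typeof(Dance).FullName
        };
        MenuAddIn addIn = MenuAddIn.Load(manifest);
        Console.WriteLine(addIn.Name + ": " + string.Join(", ", addIn.MenuItems));
        addIn.Show();
        addIn.Unload();   // the addin's code and state are now gone from the process
    }
}
```

Two points the slide's two lines do not show: the host never sees a Dance, only a proxy typed as the contract, so the contract interface is the complete attack surface the addin exposes to the host and vice versa; and Unload works only because the boundary is an app domain, which is exactly the "can't unload the addin" problem from the tightly coupled model. On .NET Core/.NET 5+ the nearest equivalent is a collectible AssemblyLoadContext, which gives unloadability but no security or version boundary.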
Host-AddIn Communication
[Diagram] Host-side objects: Host -> HAV -> HCA. Contract (infrastructure created). AddIn-side objects: CAA -> AddIn Base -> AddIn.
Diagram annotations: the HAV and AddIn Base are the AddIn Model (supplied by host or addin), an abstract base class or interface; the adaptors receive their reference via the constructor; the contract connection is infrastructure created.
HAV: Host AddIn View; HCA: Host-to-Contract Adaptor; CAA: Contract-to-AddIn Adaptor
Bidirectional Communication
[Diagram] Host-to-addin pipeline: Host -> HAV -> HCA -> contract -> CAA -> AddIn Base -> AddIn. Reverse pipeline for addin-to-host calls: AddIn -> HAV -> HCA -> contract -> CAA -> Host.
Diagram annotations: abstract base class/interface; reference passed to constructor; contract connections are infrastructure created.
HAV: Host AddIn View; HCA: Host-to-Contract Adaptor; CAA: Contract-to-AddIn Adaptor
Versioning In Action: V1
[Diagram] Host-side objects: Host V1.0 -> HAV V1.0 -> HCA V1.0 -> contract (infrastructure created). AddIn-side objects: CAA V1.0 -> AddIn Base V1.0 -> AddIn V1.0.
HAV: Host AddIn View; HCA: Host-to-Contract Adaptor; CAA: Contract-to-AddIn Adaptor
Versioning In Action: V2 Host, V1 AddIn
[Diagram] Host V2.0 -> HAV V2.0 -> HCA V2.0 -> the same contract -> CAA V1.0 -> AddIn Base V1.0 -> AddIn V1.0. The V1 host-side objects (Host V1.0, HAV V1.0, HCA V1.0) remain alongside for V1 hosts; only the host side is replaced, the contract and the addin side are untouched.
HAV: Host AddIn View; HCA: Host-to-Contract Adaptor; CAA: Contract-to-AddIn Adaptor
Agenda: Demo (hand-built)
Demo Code as AddIn Model
Host-to-AddIn Pipeline
[Diagram] Host-side objects: Host -> HAV -> HCA. Contract (infrastructure created). AddIn-side objects: CAA -> AddIn Base -> AddIn.
HAV: Host AddIn View; HCA: Host-to-Contract Adaptor; CAA: Contract-to-AddIn Adaptor
Demo classes for this pipeline:
• HAV: MenuAddIn
• HCA: MenuContractAdapator
• Contract: IMenuItemContract
• CAA: MenuBase
V2 Demo Explanation
[Diagram: Host AD and AddIn AD]
• Host AD: WinFormsControl, Host Code, and the HostShape addin (a RemotelyControlledShape), created and called on demand
• AddIn AD: the MenuAddIn addin (a Dance.v1); the HostShape is passed to the constructor for Dance
• AddIn calls on the host: GetBackColor, GetLabel, etc.
• Host calls on the addin: GetMenuItems, GetName, etc.
Demo Code as AddIn Model
Host-to-AddIn Pipeline
• HAV: MenuAddIn
• HCA: MenuContractAdapator
• Contract: IMenuItemContract
• CAA: MenuBase
AddIn-to-Host Pipeline (the reverse direction)
• HAV: HostShape
• HCA: ShapeContractAdaptor
• Contract: IShapeContract
• CAA: RemotelyControlledShape
[Diagram] Host-side objects: Host -> HAV -> HCA -> contract; AddIn-side objects: CAA -> AddIn Base -> AddIn; reverse pipeline AddIn -> HAV -> HCA -> contract -> CAA -> Host; contract connections infrastructure created.
HAV: Host AddIn View; HCA: Host-to-Contract Adaptor; CAA: Contract-to-AddIn Adaptor
Agenda: Visual Studio Tools for Applications (VSTA)
Visual Studio Tools for Applications: SDK
ProxyGen
• Tool to generate proxy classes from metadata or COM TypeLib
• Generates source code and XML "tweak" file
• Uses built-in late-binding contracts; no new contracts necessary
• However, allows iteration on code, and custom contracts
Samples
Projects and Wizards
Full Documentation
Agenda: Demo (VSTA)
Agenda: Prescriptive Guidance
Design It Right From V1
Think in terms of a host, an SDK, and an addin
• A very useful design discipline even for components
Design the contract(s) you need carefully
• This isn't a place to skimp!
• These interfaces "live forever, unchanged"
• All types used are either contracts or base types (integers, string, etc.)
• Strongly consider deriving from IContract
Keep it clean: separate the five parts
• Separating the HCA and CAA may seem like wasted effort in V1, but without them you can't move on to V2!
• Host should never reference a contract, HCA, or CAA directly (just the HAV)
• AddIn should never reference a contract, HAV, or HCA directly (just implement the CAA)
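The "Versioning In Action" slides and the rules above describe the same move: a V2 host ships a new HAV and a new HCA while the contract and the V1 addins stay exactly as built. The following is an added example, not the deck's demo code, that carries that move through in code. It runs in-process (the app domain boundary is omitted so the versioning logic stays visible). IContract here is a stand-in for the root contract the slide recommends, with a query-by-name method, not System.AddIn.Contract's type; IMenuIconContract, the V2 members and the adaptor names are assumptions. The point it adds beyond the slides: when V2 needs something the V1 contract cannot express, add a second contract and have the V2 HCA ask for it by name, so a V1 addin still loads and simply reports the feature as absent.

```csharp
// Added example (not the deck's code). Contracts are never edited; V2 adds a new one.
using System;

public interface IContract
{
    // An adaptor asks for an additional contract by name instead of casting to a
    // concrete addin type, which would tie the host to one addin version.
    IContract QueryContract(string contractIdentifier);
}

// V1 stable contract: shipped with host V1 and frozen from then on.
public interface IMenuItemContract : IContract
{
    string GetName();
    string[] GetMenuItems();
}

// V2 needs icons: a NEW contract, not a new member on the old one.
public interface IMenuIconContract : IContract
{
    byte[] GetIcon();
}

// ---- Host V1 pieces (frozen once V1 ships) ----
public abstract class MenuAddIn                          // HAV V1
{
    public abstract string Name { get; }
    public abstract string[] MenuItems { get; }
}
public sealed class MenuContractAdaptorV1 : MenuAddIn    // HCA V1
{
    private readonly IMenuItemContract _c;
    public MenuContractAdaptorV1(IMenuItemContract c) { _c = c; }
    public override string Name { get { return _c.GetName(); } }
    public override string[] MenuItems { get { return _c.GetMenuItems(); } }
}

// ---- Host V2 pieces: new HAV member, new HCA; contract and V1 addins untouched ----
public abstract class MenuAddIn2 : MenuAddIn             // HAV V2
{
    public abstract byte[] Icon { get; }                 // null when the addin predates icons
}
public sealed class MenuContractAdaptorV2 : MenuAddIn2   // HCA V2
{
    private readonly IMenuItemContract _c;
    private readonly IMenuIconContract _icon;            // null for a V1 addin
    public MenuContractAdaptorV2(IMenuItemContract c)
    {
        _c = c;
        _icon = c.QueryContract("IMenuIconContract") as IMenuIconContract;
    }
    public override string Name { get { return _c.GetName(); } }
    public override string[] MenuItems { get { return _c.GetMenuItems(); } }
    public override byte[] Icon { get { return _icon == null ? null : _icon.GetIcon(); } }
}

// ---- AddIn side: CAA/addin base V1 (frozen) and V2 (adds the new contract) ----
public abstract class MenuBase : IMenuItemContract
{
    protected abstract string Name { get; }
    protected abstract string[] BuildMenu();
    string IMenuItemContract.GetName() { return Name; }
    string[] IMenuItemContract.GetMenuItems() { return BuildMenu(); }
    public virtual IContract QueryContract(string id) { return id == "IMenuItemContract" ? this : null; }
}
public abstract class MenuBase2 : MenuBase, IMenuIconContract
{
    protected abstract byte[] Icon { get; }
    byte[] IMenuIconContract.GetIcon() { return Icon; }
    public override IContract QueryContract(string id)
    {
        return id == "IMenuIconContract" ? this : base.QueryContract(id);
    }
}

// Two addins: one built against the V1 base, one against the V2 base.
public sealed class DanceV1 : MenuBase
{
    protected override string Name { get { return "Dance v1"; } }
    protected override string[] BuildMenu() { return new[] { "Start", "Stop" }; }
}
public sealed class DanceV2 : MenuBase2
{
    protected override string Name { get { return "Dance v2"; } }
    protected override string[] BuildMenu() { return new[] { "Start", "Stop", "Pause" }; }
    protected override byte[] Icon { get { return new byte[] { 0x89, 0x50, 0x4E, 0x47 }; } } // constructed bytes
}

public static class Program
{
    public static void Main()
    {
        IMenuItemContract[] addIns = { new DanceV1(), new DanceV2() };
        foreach (IMenuItemContract c in addIns)
        {
            // Host V2 with its new HCA handles both addins without recompiling either.
            MenuAddIn2 v2 = new MenuContractAdaptorV2(c);
            Console.WriteLine("host V2 sees {0}: {1} items, icon {2}", v2.Name, v2.MenuItems.Length,
                v2.Icon == null ? "none" : v2.Icon.Length + " bytes");
            // Host V1's unchanged HCA still works with the V2 addin: the V1 contract is intact.
            MenuAddIn v1 = new MenuContractAdaptorV1(c);
            Console.WriteLine("host V1 sees {0}: {1} items", v1.Name, v1.MenuItems.Length);
        }
    }
}
```

Note what each side may reference: MenuContractAdaptorV2 touches only contract interfaces, never DanceV1 or DanceV2, and the Dance classes touch only their base class. Had the V1 host called MenuBase members directly instead of going through an HCA, there would be nowhere to put the V2 mapping, which is the "without them you can't move on to V2" point on the slide.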
Discovery: Finding AddIns for this Host
What Makes a Complete AddIn Model
• Host specifies the addin view (HAV)
• System locates all candidate addins
• System searches all possible pipelines
• Each addin has a name, description and constraints
What's Needed to Implement It
• Registration of the contracts and adaptors
What To Do Today
• Discovery based on directory location: host specifies a directory where addins must be stored
• Use a manifest to allow the actual code file to be stored in the GAC (for shared components) or the application-specific directory as needed
Qualification: Negotiating Constraints
What Makes a Complete AddIn Model
• Attributes on the addin and the HAV specify restrictions on use (isolation boundary, security, etc.)
• System chooses settings acceptable to both host and addin
What's Needed to Implement It
• Standard attributes and constraints
• Registration of addins and their adaptors
What To Do Today
• AddIn manifest specifies constraints
• Host manually inspects manifest, validates it, and rejects it if unacceptable
Activation: Creating an Instance of the AddIn
What Makes a Complete AddIn Model
• System activates addin in an environment that satisfies the constraints of both the host and the addin
What's Needed to Implement It
• Process hosting infrastructure
• Lifetime management
What To Do Today
• Use VSTA loader and tools
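The three "What To Do Today" items above are one procedure: scan a host-chosen directory, read each manifest, validate it against host policy, and activate only what passes in an environment that matches the accepted constraints. The following is an added example, not the deck's code and not the VSTA loader, of a host doing that on .NET Framework. The manifest format, the host's policy tables (app-domain isolation only, two grantable permissions) and the Dance type are assumptions. The checks it adds are the ones a reviewer would ask for: manifests are untrusted input, so no DTDs or external entities; the assembly must live in the addin directory under a plain name; unknown isolation or permission requests are rejected rather than ignored; and the permission set handed to the new domain is computed by the host from the validated manifest, never taken from the addin's own code.

```csharp
// Added example (not the deck's or VSTA's loader). .NET Framework only: AppDomain sandboxing.
using System;
using System.Collections.Generic;
using System.IO;
using System.Reflection;
using System.Security;
using System.Security.Permissions;
using System.Xml;

public sealed class AddInManifest
{
    public string Name, AssemblyName, TypeName, Isolation;
    public List<string> Permissions = new List<string>();
}

public static class AddInLoader
{
    // Host policy (assumed): app-domain isolation only; two permissions it is willing to grant.
    static readonly HashSet<string> SupportedIsolation = new HashSet<string> { "AppDomain" };
    static readonly HashSet<string> Grantable = new HashSet<string> { "Execution", "ReadAddInDirectory" };

    // Manifests are untrusted input: no DTDs, no entity resolution; malformed XML is a rejection.
    static AddInManifest Parse(string file)
    {
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
        var doc = new XmlDocument();
        try { using (XmlReader r = XmlReader.Create(file, settings)) doc.Load(r); }
        catch (XmlException) { return null; }
        XmlElement root = doc.DocumentElement;
        var m = new AddInManifest { Name = root.GetAttribute("name"), AssemblyName = root.GetAttribute("assembly"),
                                    TypeName = root.GetAttribute("type"), Isolation = root.GetAttribute("isolation") };
        foreach (XmlElement p in root.SelectNodes("permission")) m.Permissions.Add(p.GetAttribute("name"));
        return m;
    }

    // Discovery: only manifests directly under the host's addin directory are candidates.
    public static IEnumerable<AddInManifest> Discover(string addInDir)
    {
        foreach (string file in Directory.GetFiles(addInDir, "*.addin.xml", SearchOption.TopDirectoryOnly))
        {
            AddInManifest m = Parse(file);
            if (m != null) yield return m;
        }
    }

    // Qualification: returns null when acceptable, otherwise the reason for rejection.
    public static string Qualify(string addInDir, AddInManifest m)
    {
        if (m.Name.Length == 0 || m.TypeName.Length == 0 || m.AssemblyName.Length == 0) return "manifest incomplete";
        if (!SupportedIsolation.Contains(m.Isolation)) return "isolation '" + m.Isolation + "' not supported";
        string simple;
        try { simple = new AssemblyName(m.AssemblyName).Name; }
        catch (FileLoadException) { return "unparsable assembly name"; }
        // Host policy: the addin assembly must sit in the addin directory under a plain file name (no GAC, no paths).
        if (simple.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0 || simple.Contains("..")) return "bad assembly name";
        if (!File.Exists(Path.Combine(addInDir, simple + ".dll"))) return "assembly not in addin directory";
        foreach (string p in m.Permissions)
            if (!Grantable.Contains(p)) return "permission '" + p + "' not grantable";
        return null;
    }

    // Activation: the grant set is derived from the qualified manifest; ApplicationBase confines probing.
    public static object Activate(string addInDir, AddInManifest m)
    {
        string baseDir = Path.GetFullPath(addInDir);
        var grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        if (m.Permissions.Contains("ReadAddInDirectory"))
            grant.AddPermission(new FileIOPermission(FileIOPermissionAccess.Read | FileIOPermissionAccess.PathDiscovery, baseDir));
        var setup = new AppDomainSetup { ApplicationBase = baseDir };
        AppDomain domain = AppDomain.CreateDomain("AddIn:" + m.Name, null, setup, grant);
        return domain.CreateInstanceAndUnwrap(m.AssemblyName, m.TypeName);
    }
}

// The addin used by the demo (MarshalByRefObject, so the host gets a proxy rather than the object).
public sealed class Dance : MarshalByRefObject
{
    public string Describe() { return "Dance running in " + AppDomain.CurrentDomain.FriendlyName; }
}

public static class Program
{
    public static void Main()
    {
        // Constructed demo input: a temporary addin directory holding one acceptable and one hostile manifest.
        string dir = Path.Combine(Path.GetTempPath(), "addins-" + Guid.NewGuid().ToString("N"));
        Directory.CreateDirectory(dir);
        // Single-file demo: the "addin assembly" is a copy of this program placed under its simple name.
        Assembly self = typeof(Dance).Assembly;
        File.Copy(self.Location, Path.Combine(dir, self.GetName().Name + ".dll"));
        File.WriteAllText(Path.Combine(dir, "dance.addin.xml"), "<addin name='Dance' assembly='" + self.FullName +
            "' type='" + typeof(Dance).FullName + "' isolation='AppDomain'><permission name='Execution'/></addin>");
        File.WriteAllText(Path.Combine(dir, "evil.addin.xml"), "<addin name='Evil' assembly='../../payload' " +
            "type='Evil' isolation='AppDomain'><permission name='FullTrust'/></addin>");
        foreach (AddInManifest m in AddInLoader.Discover(dir))
        {
            string reason = AddInLoader.Qualify(dir, m);
            if (reason != null) { Console.WriteLine("{0}: rejected ({1})", m.Name, reason); continue; }
            var addIn = (Dance)AddInLoader.Activate(dir, m);
            Console.WriteLine("{0}: {1}", m.Name, addIn.Describe());
        }
    }
}
```

Two caveats on the activation step. Reading the assembly name from the manifest identifies the addin but does not authenticate it; if the host wants to trust only signed publishers it has to verify a strong name or Authenticode signature itself before activation. And the permission set above is only as good as CAS, which is enforced on .NET Framework but not on .NET Core/.NET 5+, where the deck's cross-process model (a separate, lower-privileged process) is the remaining way to get an enforced boundary.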
© 2005 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.