Bob Grommes
7/14/2004 4:50:00 AM
This is exactly why I think certification exams and the whole cottage industry surrounding them are a load of cr*p.
In the first place it's a fallacy to suppose that you can accurately gauge software development skill by asking a bunch of multiple-choice questions. I'd rather have someone working for me that would flunk an exam for lack of having memorized a bunch of sterile facts, but who has common sense, good problem-solving skills, and knows how to RTFM, STFW, or pick up the blasted reference books next to his or her desk when confronted with something new or obscure.
Add to this sloppily worded questions with indifferent editing, like the example under consideration here, and you have yourself a real mess. Nothing infuriates me more than someone making judgments about my skills based on prose like this, that can't even clearly frame the question. Time and again you find yourself thinking, not "what is the correct answer?" but rather, "I wonder what they're fishing for?" A testee should never have to read the test author's mind!
I am acquainted with how this stuff is developed; as a former seminar developer / instructor, I've been offered writing assignments through intermediary contractors for MSFT tests. I have three words to describe this process, at least the parts of it I've witnessed: Pa thet ic.
--Bob
"Greg" <gregjq@msn.com> wrote in message news:e1bubfTaEHA.3756@tk2msftngp13.phx.gbl...
Well, this question was from the Practice Exam of the Microsoft official study guide Developing XML Web Services and Server Components with Microsoft Visual Basic .NET and Microsoft Visual C# .NET for exam 70-310.
But apparently 3 Code Access security is the correct answer. The study guide says You can use code-access security to secure remote objects. But the study guide also mentions that If you host remote objects in IIS, you can use the security feature of IIS and SSL to secure remote objects. IIS hosting provides SSL, which allows you to secure messages sent to or received from remote objects. In addition, you can use Integrated Windows Authentication or Kerberos to secure the remote objects hosted in IIS.
So go figure.
"Ken Kolda" <ken.kolda@elliemae-nospamplease.com> wrote in message news:OkqrTjRaEHA.1840@TK2MSFTNGP11.phx.gbl...
> I agree with Sunny that this is pretty vaguely worded... it says you want to
> "restrict the resources a remote object can access" -- it doesn't say
> anything about whether that's based on the identity of the user invoking the
> object's methods. So, to me, that implies code access security (i.e.
> independent of identity). But, since the server is in control of what
> objects get remoted, it would seem silly to remote an object that could
> perform operations you don't want to allow.
>
> So, I'd probably go with #4, HttpChannel security, because this is what
> allows the client to pass to the server the identity info with the object's
> method calls. But, I would think you'd use this in conjunction with
> role-based security on the server side.
>
> Ken
>
>
> "Sunny" <sunny@newsgroups.nospam> wrote in message
> news:e1vnkgOaEHA.808@tk2msftngp13.phx.gbl...
> > Hi Greg,
> >
> >
> > In article <uyNaO0IaEHA.2972@TK2MSFTNGP12.phx.gbl>, gregjq@msn.com
> > says...
> > > I have a sample question:
> > >
> > > You are creating a .NET remoting application for hosting on an IIS server.
> > > You need to restrict the resources a remote object can access on a computer.
> > > You implement ____ to control the resources a remote object can access on a
> > > computer. (Choose one correct option)
> > >
> > >
> > > 1. Role-base security
> > > 2. SSL security
> > > 3. Code Access security
> > > 4. HttpChannel Web Security
> > > What is the correct answer and why?
> > >
> > >
> > >
> >
> > I do not think that the question is very clear, but I'll bet on Role-
> > base security. IIS hosted objects are running as ASPNET user by default,
> > or if impersonated, with some other user's rights. And what a user can
> > do with machine resources is controlled by this user's rights. I.e. role-
> > based security is the most right answer in my view.
> >
> > Sunny