Where to find CachingCallHandler?

Aug 5, 2010 at 10:15 PM

Can someone point me to the download that contains CachingCallHandler? Also, will this download work with Enterprise Library 5? I'm slightly confused about the nature of the contrib projects versus the enterprise library dlls.

It is located in this namespace but the latest download did not have this class. The documentation pointed out that this was deprecated in 5.0 but available from the contrib project.

using Microsoft.Practices.EnterpriseLibrary.PolicyInjection.CallHandlers;

Thanks for helping to clarify!

Oct 7, 2010 at 2:31 PM

Hello,

This page says that CachingCallHandler is removed from Enterprise Library: http://entlib.codeplex.com/wikipage?title=EntLib5ChangeLog

"The CachingCallHandler in the Policy Injection Application Block has un-resolvable security vulnerabilities, and has been removed from the Policy Injection Application Block."

It is still available in Enterprise Library Contrib.

I would like to use the CachingCallHandler as well, but "un-resolvable security vulnerabilities" doesn't sound very good. Does someone know any details of those vulnerabilities?

Oct 14, 2010 at 4:36 PM

The "un-resolvable security vulnerabilities" has to do with the fact that under the hood it's using the ASP.NET cache to store the cached results. The ASP.NET cache doesn't track the current user, so in a multiuser system you could have one user get user-specific sensitive data, and then another user does it too, but since there's a cache hit, the second user sees the first one's data.

Combine this possibility with additional issues around forming the hash key, and you end up with possibly random data exposure across users. You'd have to be VERY careful to eliminate the possibility. With the amount of documentation and "negotiation" with our security review folks we'd have needed to do to get it out the door, we felt the prudent thing was to pull it.
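
The cross-user cache hit described in the last reply, as an added example that is not part of the thread and is not Enterprise Library or EntLib Contrib code. `ResultCache`, `GetProfile` and the user names are hypothetical, and a plain dictionary stands in for the ASP.NET cache; the only difference between the two runs is whether the caller's identity is part of the cache key.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical stand-in for a method-result cache (assumption, not library code).
class ResultCache
{
    private readonly Dictionary<string, object> store = new Dictionary<string, object>();
    private readonly bool scopeToUser;

    public ResultCache(bool scopeToUser) { this.scopeToUser = scopeToUser; }

    // The key is built from the method name and arguments. The caller's
    // identity is part of it only when scopeToUser is true.
    private string BuildKey(string user, string method, object[] args)
    {
        string key = method + "(" + string.Join(",", args) + ")";
        // Length prefix keeps the user component unambiguous inside the key.
        return scopeToUser ? user.Length + ":" + user + "|" + key : key;
    }

    public T GetOrAdd<T>(string user, string method, object[] args, Func<T> target)
    {
        string key = BuildKey(user, method, args);
        object hit;
        if (store.TryGetValue(key, out hit)) return (T)hit; // hit: target is never called
        T value = target();
        store[key] = value;
        return value;
    }
}

static class Demo
{
    // Constructed sample: a result that depends on who is calling.
    static string GetProfile(string user) { return "profile of " + user; }

    static void Run(bool scopeToUser)
    {
        var cache = new ResultCache(scopeToUser);
        foreach (string user in new[] { "alice", "bob" })
        {
            string result = cache.GetOrAdd(user, "GetProfile", new object[0], () => GetProfile(user));
            Console.WriteLine("scoped={0} caller={1} sees: {2}", scopeToUser, user, result);
        }
    }

    static void Main()
    {
        Run(false); // key has no user component: both callers share one entry
        Run(true);  // key includes the caller: one entry per user
    }
}
```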