Application Security Testing: An Integral Part of DevOps
Windows Forms (also known as a fat client) applications traditionally have provided a rich UI experience, but difficulty of deployment has limited their reach. Without sophisticated deployment software, deploying a Windows Forms application to thousands of desktops has been a daunting feat. This is in part why Web-based applications have proliferated during the past several years. Web applications reach a mass audience by removing installation requirements.
Although rich UIs can be constructed as browser-based applications, they are often more complex to create and quickly become browser specific. This has led to the rich-versus-reach debate that architects face when designing applications. The idea of the smart client evolved from the desire for both the rich client experience of a Windows Forms application and the reach of Web applications.
Windows Forms applications already have the rich UI. The reach component to provide deployment is what has been missing, and ClickOnce provides this infrastructure. The Microsoft Patterns and Practices team released a .NET Framework 1.1 preview of ClickOnce in the form of the Updater Application Block. It allows you to detect, download, and apply application updates that are deployed from a central location through a pull model by which the client self-updates. It also includes samples that demonstrate how to deploy the code within your application.
Microsoft has simplified the Updater Application Block and evolved it into ClickOnce, which is included with the Microsoft .NET Framework 2.0, and the wizard functionality included with Visual Studio 2005. ClickOnce can be applied to Windows Forms or console applications.
How ClickOnce Works
The concept behind ClickOnce deployment is fairly straightforward. You start by building your Windows Forms or console application through the software development lifecycle process of your choice. Once completed, you publish your application to a deployment server, which can be either a Web server or network file share. (You also can use some other removable media such as a CD, but this article focuses on more automated methods for auto updating.) The end result is an application that is available for initial install from the published location.
Two XML manifest files control ClickOnce: the application manifest and the deployment manifest. The application manifest describes the assemblies, dependencies, application files, and required permissions, as well as the location where updates will be available. The deployment manifest contains information on the version of the application that clients should be running and the location of the application manifest. You can generate both XML manifests using the Publish Wizard in Visual Studio 2005 or the manifest generation tool (mage.exe or mageui.exe) in the .NET Framework SDK. Each updated version of the application updates the application and deployment manifests as well. The manifest files and all of the application files are copied to the deployment location.
ClickOnce deployment operates in either launched or installed mode. Launched mode is similar to no-touch deployment in .NET 1.x, where nothing is installed locally and the application must be connected to the installation source every time the application runs. It is similar to Web applications and is best used when the application is used infrequently. Installed mode allows the application to operate even when it is disconnected from the installation source. This is the more traditional and common installation.
As previously stated, to make your application available, you publish it to a Web server, network file share, or removable media such as CD. The Publish Wizard in Visual Studio 2005 makes this a relatively straightforward process. Figures 1–4 illustrate publishing to a UNC file share.
Figure 1: Where to Publish
Figure 2: How Users Install
Figure 3: Control Application Available Offline or Not
Figure 4: Ready to Publish