The document discusses architecting C# for managing cross-cutting concerns like security and logging through method interception using Castle Dynamic Proxy. It emphasizes the importance of architectural guidelines to reduce complexity and ensure compliance while avoiding common pitfalls like copy-paste coding. The use of aspect-oriented programming and method interception is proposed as a solution to enforce security and other concerns uniformly across an application.

1. Inspired Software Solutions. Measurable Results.
Architecting C# for
Cross-Cutting
Concerns
Method Interception using Castle Dynamic Proxy
Michael Byrne
Practice Director
https://www.linkedin.com/in/mikebyrne/

2. Inspired Software Solutions. Measurable Results.
Application Architecture Challenges
• On large projects, we want all developers to follow standard
approaches to cross-cutting concerns
• Security
• Logging
• Error Handling
• Instrumentation

3. Inspired Software Solutions. Measurable Results.
Entropy in Software Systems
• Following or inventing new patterns in a large system can result in
unintended problems
• For security
• Leakage of multi-tenant data
• Failure to enforce proper security checks
• Privilege escalation
• Logging
• Non-uniform approach
• Error Handling
• Non-uniform handling
• Parameter checks
• Lehman’s Second Law - Software entropy drives systems towards
more complexity (unless work is done to maintain or reduce it)

4. Inspired Software Solutions. Measurable Results.
Architecture Design vs Development
• Both Developers and Architects can write code
• Developers write code for getting software features built
• Architects design and write code which reduces risk by
encouraging (and sometimes compelling) following the
guidelines of the application architecture, so that unintended
consequences can be mitigated or avoided completely

5. Inspired Software Solutions. Measurable Results.
Security as a Cross-Cutting Concern
• The samples are simplified from real code and projects for
illustration
• They are NOT meant to be a complete solution.

6. Security in Controller?
If you see blocks of code like this in your
application…
You have a problem.
You are relying on each member of your
development team to properly apply a copy-
and-paste security architecture for each
function in your application.
(Also Note the copy-paste errors on line 27
with the controller and method name!)
Lots of code, but no business logic is a
symptom of a cross-cutting concern.

7. Anti-Pattern: Copy-
Paste Coding
As application complexity increases,
the number of places where copy-paste code
is applied increases,
and as the number of developers performing
copy-paste operations increases,
The probability for transcription errors
increases.
Changes must be applied and maintained in
an ever increasing number or locations.
See Lehman’s Second Law - Software entropy
drives systems towards more complexity
(unless work is done to maintain or reduce it)
Comment out security…
just until I get everything
else working
I’ll pull and copy
Jerry’s work. It looks
like what I need.
I have to get the new
API done tonight, I’ll
copy this one

8. Inspired Software Solutions. Measurable Results.
Security is a Cross-Cutting Concern
• It has be enforced in many areas of the application
• But we do not want to rewrite it in many places, since that will
lead to errors
• Previous example, lots of code, but no business logic

9. Inspired Software Solutions. Measurable Results.
How can we solve cross-cutting
problems?
• Aspect oriented programming
• Proxy pattern

10. Inspired Software Solutions. Measurable Results.
Architecture Diagram
Client
ISearchService
DoSearch()
SearchService
DoSearch()
Autofac DI
Generate
Proxy
IServiceInterceptor
SearchServiceProxy
Custom
Interceptor
Code
Castle Proxy generates a
proxy class around each
service.
Each interceptor in the
pipeline is called,
eventually calling the
proxied object.
Results are passed back
up the pipeline to the
client.

11. Aspect Oriented
Programming
In C# we create a custom attribute so that we
can decorate a method to indicate what
security claims (View, Insert, Update, Delete)
need to be applied.
In this case we also supply an AllowAny flag
to indicate whether all the claims are
required (View and Delete) or any of the
claims are required (Insert or Update).

12. Service Interceptor
Next we add a class implementing the
Autofac Castle Dynamic Proxy
IInterceptor interface.
This class uses reflection to make sure
the method we are calling is
decorated with a ClaimsPermission.
In this case we are using a method on
the BaseService to check our security
claims authorizations (lines 23-28)
This forces all developers to explicitly
apply a ClaimsPermission to methods
called through the Proxy (lines 31-32)

13. Service Registration
In our Autofac RegisterServices process
We register all our services with the
ServiceInterceptor (here they are all
decorated with an IContractService interface)
And register the ServiceInterceptor itself
with Autofac

14. Apply to a Service
All the services inherit from IContractService
to support Autofac Dependency Injection
registration.
On our Search method, security checks can
now be implemented using our custom
ClaimsPermission attribute, and will be
automatically checked and enforced by the
ServiceInteceptor

15. Inspired Software Solutions. Measurable Results.
Method Interception Best Practices
• Use multiple interceptors to address different cross-cutting
concerns
• Use different interface definitions for to enable different interceptors
• Use these only for cross-cutting concerns, not one-off items
• Don’t use for any one-off code implementations
• Use method interception to enforce architecture guidelines
• Consider using pros and cons of allowing by-pass of an
interceptor depending on it’s purpose (e.g for convenience
methods such as parameter validation)

16. Inspired Software Solutions. Measurable Results.
Summary
• Method Interception based on Attributes and Castle Proxy
IInterceptor can provide a uniform way for development teams
to cleanly handle cross-cutting concerns
• Security
• Logging
• Error Handling
• Instrumentation
• Other areas depending on the application
• Teams can check attributes to make sure code is properly
decorated to enforce certain behaviors