2

What would you recommend as a best practice to separate production and development environments, but from the aspect of code itself.

Example: imagine application using Active Directory which should authenticate based only on the domain controller, without taking local users and group setting from windows into account. For production environment, code should ignore local users and groups so that security hole is avoided. For development environment (dev machines, build machines...), these local settings should be allowed for easier development / testing whatever (lets say setting up a domain controller for tests is somewhat expensive, and local group participation can be changes easily so that developers could test around different test cases).

The concrete example I have stated here is not important, the situation that could occur because of anything similar what should be enabled / disabled in the real production is important. And also, bear in mind that I am not talking about having different config files for the application, the setting for development environment should somehow be completely hidden from the customers because it would allow some very serious security problems).

Cœur
  • 37,241
  • 25
  • 195
  • 267
Denis Biondic
  • 7,943
  • 5
  • 48
  • 79
  • 1
    I'd suggest the ugly but safe idea of using compiler directives (#if ... #endif) and use the appropriate compilation symbols for development / production builds. – M.A. Hanin Jul 16 '13 at 12:02
  • In my scenario I have a web.config file and two transformation files, one for release and one for debug. Inside the debug file, authentication mode is set to forms, in the release file, it is set to windows authenticatio. – gustavodidomenico Jul 16 '13 at 12:04
  • And you can check the authentication mode: http://stackoverflow.com/questions/91831/detecting-web-config-authentication-mode – gustavodidomenico Jul 16 '13 at 12:05

1 Answers1

1

One of the obvious options would be via an IoC pattern - in this way, you can substitute the real authentication for a mock one when it is appropriate to do so (and similarly, use the real one, as required)

Rowland Shaw
  • 37,700
  • 14
  • 97
  • 166
  • yes, but where to configure (register) which implementation we want to use; I mean how to distinguish the production and development enviroment in this case? – Denis Biondic Jul 16 '13 at 12:59
  • 1
    Why not define it in your app.config? There's no reason to deploy the assembly containing the "developer use" mocks to your customer. – Rowland Shaw Jul 16 '13 at 15:54