If you looked at the simple demo project on the previous page you will have seen that the ActiveX Control we created was placed on a web page using the <OBJECT> tag with a CLASSID attribute.

The simple example - changing the text displayed in the button's caption - could quite easily have been implemented using client-side JavaScript or VBScript. Its purpose here was to illustrate the steps necessary to create and use a control, not to demonstrate the power of an ActiveX Control!

In the example we benefitted from VB writing the class id to the local registry, allowing us to search for it and copy it into our HTML. That obviously won't work on the machines of you web site's visitors, even if you could persuade them to try!

You can use the simple demo on your development machine without using the codebase= attribute, too, since VB has registered the control and Windows can locate it. The codebase="Project1.ocx" is a link to the control's ocx file that allows the visitor's browser to download the control. The link is realtive to the page containing the control.

So, when you upload a page that contains an ActiveX Control, don't forget to put the control's ocx file on the web server, too. Also, when testing, bear in mind that - on your machine - everything is already in place to run the control. So you'll have to get out there and find another machine that has never been exposed to your control.

Signing and Security

Since the control we've just created is unsigned it is treated with suspicion by web browsers. Usually visitors to the site will see a dialog box asking permission to download and use the ActiveX Control. (Some users may have ActiveX completely disabled, in which case they'll never know what they're missing. Setting the option for ActiveX to prompt is no less secure than disabled since nothing happens without your permission.)

Signing an ActiveX Control is also the first step towards licensing it.

Signing a control is something you have to pay a third party to do - A company like Verisign will evaluate an ActiveX Control to determine both whether it is purposefully malicious (that it might deliberately cause harm to the client PC, that is) and whether the control itself has any unintended security problems. If the signing authority determine that the integrity of the client system is not threatened by the control they will assign it a digital signature.

There are, of course, costs involved in this and you should bear in mind that every time you recreate the ocx file (finding and correcting a typo on the control or tweaking the hue of a graphic then recompiling the project) your digital signature becomes invalid. You will then have to resubmit (and pay again) for a fresh evaluation.

If you're implementing the control on an intranet it is cheaper and just as effective to set up the intranet zone security to run the control and forget all about signing it.

If you have had your control evaluated and signed you will need to add a license file to protect it from illicit use. (Everyone wants a control that says Click me, afetr all!) You can - I'm told - also license an unsigned ocx or ActiveX cab file although I'm not sure who would use it!

Microsoft provide a licensing tool called LPK (Search microsoft.com for LPKTool or, if you have a Visual Studio CD you should be able to find a version in the Tools folder)

If you run LPK_Tool.exe you can select the ActiveX Control you want to license and when you click on Add, to add the control to the licenced software collection, LPK creates a licence file. You can then save the licence file (Project1.lpk, for instance) and use it in the control's parameters on the web page:

<OBJECT
   classid="clsid:6CDB7371-FCF2-41FC-9245-9CA782510D91"
   codebase="Project1.ocx">

      <PARAM NAME="LPKPath" VALUE="Project1.lpk">

</OBJECT>