 Friday, March 23, 2007

I just spent the last week at SD West in San Jose...this year the conference was bigger than ever before! Thanks to everyone that attended my tutorials and sessions, I really enjoyed the questions and discussions...as I hope you did. As promised, here is a list of all my resources from the conference talks. Enjoy!

 

Intro to Web Services (Tutorial)

  • Christian Gross and myself presented this one, discussing everything from POX, REST, RSS, SOAP/WSDL, WS* and SOA.
  • Code I demonstrated in this tutorial is from the .NET Web Services tutorial next.

.NET Web Services TODAY (Tutorial)

Microsoft Technology Avalanche (Tutorial)

Top 10 Web Service Standards You Need To Know

WCF Contracts and Versioning

  • Demonstrations in both of these talks are based on WCF code from my book here: http://www.thatindigogirl.com/LearningWCFCode.aspx
  • See \Security, \ReliableSessions, \Transactions in particular for the WS* discussion
  • See \DataContracts, \AdvancedSerialization, and \ServiceContracts for the contracts discussion

CardSpace

The Amazing World of Federated Security

3/23/2007 8:57 PM .NET | Speaking/Events | WCF | Web Services
 Sunday, November 12, 2006

A big thanks to all that participated in this monstrous tutorial at Dev Connections. Whew, I can fully admit it was a lot of work to put all the information together in one place, but I hope that you got a lot out of it. For those that didn't attend, the goal of the tutorial was to provide an overview of the current state of the various technologies and tools for Microsoft developers, with an emphasis on the reasons for moving forward with each technology stack, and hopefully some enlightenment on when you might choose each technology. I'll be keeping this one-day session current for future conferences, and for on-site sessions with clients. If you are interested in such a thing, contact me at IDesign: www.idesign.net.

Here are the resources I promised from the tutorial.

Development Tools

In this section I reviewed the stack of development tools and explained how to choose between them.

Language Enhancements

In this section I talked about moving from .NET 1.1 to 2.0, and discussed the key features of 2.0 that folks should be leveraging. Then, I focused on the language enhancements forthcoming with C# 3.0 and VB 9.0.

Demos:

Data Access

In this section I focused on data access technologies, designing the data access tier, and key features of ADO.NET 2.0, vNext and LINQ to give you some idea how to prepare for the next set of innovations.

Demos:

  • When you install ADO.NET vNext and LINQ there are numerous overview documents, tutorials, and samples that will really help you get up to speed here. These are the demos that I showed in the tutorial.

Windows Development

In this section I reviewed Windows Forms 2.0 innovations, primarily ClickOnce, and then talked about how to prepare for WPF and who should use it today.

Demos:


Web Development

In this section I showed an ASP.NET sample application that illustrates key features of ASP.NET 2.0 and practical application of those features. Then we looked at AJAX and discussed trends on the Web compared to Windows development.

Popular AJAX Frameworks:

Demos:

Distributed System Programming

In this section I reviewed the typical use for earlier distributed computing technologies like remoting, enterprise services and ASMX web services with WSE, and compared them with WCF.

BPM and Workflow

In this section I discussed BPM, BizTalk and workflow.

11/12/2006 6:37 AM ADO.NET | ASP.NET | ClickOnce | DevConnections | Speaking/Events | WCF | Web Services
 Monday, March 20, 2006

Updated 04/09/06

See the previous few entries with code for my interoperability tutorial, and web services tutorial. Collectively they include the code for this session. Thanks!

 

I'm posting references here to the code samples from several tutorials I just completed at SD West in Santa Clara.

  1. Introduction to Web Services (03/13/06) - Christian Gross and I once again joined forces to deliver a half-day tutorial introducing web services. Christian has posted his materials here: http://www.devspace.com/~cgross/sources/2006SDPreConJavaWS.zip and my introduction content can be found here: http://www.dasblonde.net/PermaLink,guid,c56682f0-8351-4f66-9a3a-2015d5a11a66.aspx, and the WCF content will be posted with my "Making Sense of All These Crazy Web Services Standards" post, coming shortly.
  2. .NET Web Services (03/13/06) - I delivered a half-day focused 100% on .NET web services (ASMX) for the ASP.NET 2.0 platform. It included some WSE 3.0 introduction as well. The code samples for this can also be found here: http://www.dasblonde.net/PermaLink,guid,c56682f0-8351-4f66-9a3a-2015d5a11a66.aspx

Thanks very much to those that attended our tutorials...I hope you enjoyed them as much as we did :)

 

3/20/2006 8:41 AM Speaking/Events | Web Services

Here are some ASP.NET 2.0 samples focusing on the fundamentals of ASMX services. Inside the zip you'll find samples for the following:

  • Basics
  • Encoding
  • Serialization
  • IXmlSerializable
  • Faults
  • Headers
  • Session state
  • Asynchronous proxies
  • WSE 3.0 simple example

Cheers!

WebServicesSamples.zip (425.52 KB)
3/20/2006 8:28 AM Web Services
 Monday, November 28, 2005

Thank you to everyone who attended the webcast this morning on interop. I wanted to share with you some resources I have on interoperability, and some future plans happening at IASA.

First, resources:

IASA plans:

  • Earlier this year I kicked off 3 interop events for IASA (International Association of Software Architects). They were user group driven events, where Java and .NET communities (among others) united to enjoy some human interop as well as get some top notch interop experts to show their stuff. If your user groups want to do this locally, IASA can help. And don't worry, we are non-profit...and the events can be free if there is enough support of the community and sponsorship. All we need is to get the user group leads to buy in and say “we want an interop event too!!!”
  • We are building knowledge communities (just now!) related to architecture, including interop...I have not had a chance to post much there yet (blog links, articles) but we'd love to get your feedback, and referrals if you run across something poignant that should be referenced here...let me know and participate in the growth of the community resource!

More stuff...

  • I found some very interesting things as I tested WSE 3.0 and Workshop 8.1 SP5 - keep an eye on this blog for more on that!
  • WebLogic 9.0 is the go forward stack to use, since it supports more WS* and will have an integrated IDE summer-ish 2006...to replace Workshop today. Use Workshop if you need WS* today and can't take the time to be a plumber...if you can, use the WL 9.0 stack now (already released with better WS-Security among other standards support)
  • We have another big interop event coming at SD West 2006, so you can expect some content out of that one in Q1 2006, including some of the original Apache Axis founding members helping us out!

11/28/2005 8:01 PM Speaking/Events | Web Services | WSE
 Friday, November 18, 2005

Well folks, it's that time again...MSDN is pulling together a “best of” series for the webcasts presented this year. I'm presenting two of those web casts. The links below will take you to the master list of webcasts coming up...and remember they are free! From there you can find my two events and register.

MSDN Webcast: Building Secure and Interoperable Web Services with WSE (Level 300)
Monday, November 28, 2005
10:00 am - 11:00 am, Pacific Time
 
In this webcast I'll be showing WS-Security between WSE 3.0 and the WebLogic Workshop stack. Great way to get a feeling for the state of interop today on WS-Security.
 
----
 
MSDN Webcast: Going Global Gets Easier with the New Localization Features in ASP.NET 2.0 (Level 300)
Wednesday, November 30, 2005
10:00 am - 11:00 am, Pacific Time

In this webcast I'll be showing off the new globalization features. I was taped doing this presentation at Tech Ed this year, but the VS Beta was bombing on me, a few times, so we didn't have a good run at it...this time will be on the RTM and I can tell you it works just beautifully from my presentations last week at Dev Connections :)

 

Thanks to everyone who attended the SDSIC event last night hosted at WebSense. I had the honor of moderating the event as a favor to Brian Loesgen your usual moderator, and really enjoyed hearing from the panelists:

Thank you also to the panelists for bringing their insight to the challenges with web services today, and how they worked around them. Quite enjoyable!

 Wednesday, November 16, 2005

Just a quick post to let you know about a new article I completed for TheServerSide.NET...enjoy:

http://www.theserverside.net/articles/showarticle.tss?id=InteropWSE

 

11/16/2005 8:46 AM Interoperability | Web Services | WSE
 Wednesday, September 21, 2005

Microsoft is sponsoring a brand new architecture podcast series, the first one which I participated in with Chris Haddad, Roger Sessions, Jeff Schlimmer and Dare Obasanjo. The subject is of the future of WS* and interoperability. Want to know what we all collectively think on the subject, check it out here:

http://www.microsoft.com/architecture/default.aspx?pid=share.podcast&abver=FEEB2E89-4412-4C58-A7F8-9B2CA0E0BDAC

 

 Saturday, June 11, 2005

Thanks very much to everyone who attended this talk in Orlando. The demonstration code can be found here:

 

WSESecurityDemo_MemberRoles.zip

 

You’ll also notice that there is some set up required to run the code, so be sure and review the readme document for those instructions. The sample uses the 1.1 version of the MemberRoles API.

 

I also have a resource site where other WSE samples have been posted, many that do not require the database setup:

 

http://www.dotnetdashboard.net/resources/wse.aspx

 

This may help those of you that are newer to the subject get your arms around it as well.

6/11/2005 7:27 PM Speaking/Events | Web Services | WSE

In this talk I demonstrated the following WSE 2.0 example for WS-Security implementation, followed by a demonstration of .NET and BEA interoperability. The BEA interoperability sample is available from the InteropWarriors site, however keep in mind that this requires you to set up a BEA Workshop 8.1 machine, and deploy the project files accordingly. The .NET example shows the end-to-end code used for WS-Security that is also demonstrated with Workshop sandwiched in the middle, so this will still be useful to you for the .NET perspective.

 

WSESecurityDemo_MemberRoles.zip

 

I also have a resource site where other WSE samples have been posted, many that do not require the database setup:

 

http://www.dotnetdashboard.net/resources/wse.aspx

 

This may help those of you that are newer to the subject get your arms around it as well.

6/11/2005 7:18 PM Speaking/Events | Web Services | WSE
In this rather lengthy post I cover the issues I encountered incorporating the MemberRoles API for 1.1 with a WSE 2.0 service. The issues are related to storing hashed passwords in the database, handling that on the server side with WSE’s UsernameTokenManager, and how to work around limitations of the API that prevented me from easily retrieving hashed passwords and generating a hashed version of the UsernameToken for WSE to compare.
6/11/2005 7:13 PM Web Services | WSE
 Friday, May 13, 2005

I recently received this question at SearchWebService.com...

 

How can I call a Web page from my Web service page after extracting an XML file into a dataset? My Web page will display data from a created dataset into a DataGrid control. Can I return data directly into a Web service page using Visual Studio .NET?

 

Probably because I have had to go through some interesting integration patterns in the past, I answered the question with two flavors...discussions welcome.

 

Here's my answer:

 

I think the best way to tackle your question is to review the workflow between client, Web service and Web application (pages). If the client application is the Web application, then the workflow looks something like this:

  1. User browses to a page.
  2. During the Page.Load event you invoke a Web service to get the dataset, before binding that dataset response to a DataGrid control on the Web page.
  3. The page is returned to the browser with the populated DataGrid rendered as HTML.

 

The call chain looks like this:

Browser->Web Page->Web Service

 

What may be misleading about your question is the statement “call a Web page from my Web service”. Web services are data centric calls. They do not return HTML that can be displayed in a browser, therefore they should not be responsible for “calling” a Web page. Rather, the Web page should call the Web service to gather data, and present it. The driver behind the activity is the user who navigates to a page that leverages the service.

 

That said there is another possibility that can be interesting. Consider this workflow:

  1. User interacts with a Windows client application.
  2. The application at some point invokes a Web service to gather data from a remote server. The Web service establishes a session for the caller, and allocates the dataset to the session. The Web service returns XML that includes a link to a Web page exposed by the same server.
  3. The client application retrieves the XML response, which includes a URL to a Web page to navigate to (with session established) and the client application launches a browser (or, has an embedded custom browser) to the URL.
  4. The requested URL (page) retrieves the dataset from the session object, and displays the page fully populated.

So, the call chain is now:

Windows App->Web Service

Windows App -> Browser -> Web Page

 

This type of workflow may seem disconnected, however it is one technique whereby a legacy application can integrate with a modern user interface (through the browser) when the legacy app wants to integrate the modern application’s services as part of a user interface workflow, in addition to data exchange. For example, the insurance industry has many legacy agency management system applications, some even DOS-based entry screens, that “work” therefore will not be replaced. These agency management systems hold important data necessary to create certificates of insurance, a service often provided by external, modern applications. These modern vendor applications rely on data from the agency management system to function, therefore a data exchange must be automated as part of the workflow, enabling the modern application interface to pick up where the legacy system left off, and finish the job.

5/13/2005 5:04 PM .NET | Web Services
 Wednesday, April 20, 2005

Yesterday I whipped over to Arizona to deliver an INETA (www.ineta.org) presentation for the Arizona .NET User Group run by Scott Cates (who I didn't realize, even though we have met several times, is the owner of www.kbalerts.com!). My fellow RD Michael J. Palermo dropped in as well, you know, the one that wrote the hilarious Valentine's Day blog:

I was shocked to arrive and find that people (like Scott) are still somehow finding my 1996 glam shot photo, the one with all the big hair, and posting it in places (like their user group site) that I'm not aware of. This is crazy, when will that photo go away! It only demonstrates that I still had 80's hair in the 90's...how embarrassing!!! Ok, well it's not that big of a deal...but I always laugh when I see that thing...what people must be thinking!

On to more serious matters, the PDF for my presentation, and my reference materials for the group after my talk. Here are the links you are looking for.

My PDF with slides for this event: wsesecurity_arizonaineta.zip (162.16 KB)

My resource site for WSE materials is here: http://www.dotnetdashboard.net/resources/wse.aspx. You'll find links to my WSE article for CoDe Magazine and the latest code sample link which demonstrates everything I did in the talk last night and more.

WSE 2.0 is now on SP3, so you'll want to download that: http://www.microsoft.com/downloads/details.aspx?FamilyId=1BA1F631-C3E7-420A-BC1E-EF18BAB66122&displaylang=en. Not all of my code samples are yet up to date with SP3, but the larger sample for my article is up to SP2 right now, stay tuned for changes on this site as I post more samples. Easier to go forward than go back to all my past work :)

For my interop demonstration, see www.interopwarriors.com.

For information about IDesign go to: www.idesign.net. You'll be able to find a list of all my articles on the site, plus IDesign utility downloads (not specifically for WSE, but lots of other interesting things).

I had a great time, thanks for having me present! You're fantastic hosts and a great, interactive crowd. 

 

4/20/2005 5:11 PM Interoperability | Speaking/Events | Web Services | WSE
 Monday, March 21, 2005

Yet another review of WS-Security, where we dug into the meat of the issues, including key management issues and the benefits of WS-Trust, WS-SecureConversation, and SAML. I did demonstrate some .NET samples in this talk, and you can find code for this on this WSE resource page: http://www.dotnetdashboard.net/resources/wse.aspx

 

3/21/2005 12:41 AM Speaking/Events | Web Services | WSE

We covered a lot of ground in this session, had a little fireside chat about the various standards in all their glory...and the links referenced in the Web services tutorial are also applicable to this session, see this reference:

 

http://www.dasblonde.net/PermaLink.aspx?guid=7af4a00e-34b1-4b09-a4e8-a1a74f093d49

 

3/21/2005 12:10 AM Speaking/Events | Web Services

This is just a note to thank everyone for attending our interoperability presentation at SD West. Presenters included Michele Leroux Bustamante, Chris Haddad, Anant Kadiyala and Malek Kemmou. We started out by hooking our laptops together on a router/hub and creating a simple HelloWorld round-robin between .NET, WebSphere and WebLogic. The purpose of this to introduce newcomers to Web services, client proxies and the tooling around it. Next we focused on DIME/SwA and demonstrated .NET to Axis interop using DIME. Finally we presented on WS-Security interoperability discussing Axis test results from past events, and demonstrating .NET with WSE 2.0 and BEA WebLogic Workshop 8.1.

 

Our BEA security tests are posted already to the InteropWarriors site here: http://www.interopwarriors.com/PermaLink.aspx?guid=8b01c523-59d6-47be-9843-139f710c5a84

 

We're also pulling together some spreadsheets with test results for WS-Security across platforms. Stay tuned!

 Wednesday, February 23, 2005

I recently received a question from a J2EE developer, who wanted to know how to get started with a multi-tiered architecture for .NET Web services.

The question:

 

I have some experience with J2EE and know that one good design is to create a multi-tier architecture. That is to say create control servers that will request processing from business tier (using some rpc) then forward the result to the display JSPs. I have never used .NET and need to build a web services application using this framework. My question is: what is the .NET alternative for that design? and where can I get the right information and documentation??

 

My answer:

 

.NET Web services are hosted within the ASP.NET runtime environment. They are exposed through .asmx endpoints which have what is known as a code-behind file that has a WebService-derived class linked to it. This class is essentially “the service”, and its methods (those marked with [WebMethod] attribute) are exposed as part of the automatically generated WSDL contract.

 

As a side note, typical of most platforms today, developers are building classes and methods to generate WSDL, however the better approach would be to create the WSDL contract first, and map that to business objects that handle processing. It requires discipline to follow this approach today.

 

The code that is encapsulated by the WebService object should never contain business logic, rather defer to other .NET assemblies that can be invoked in-process or out-of-process to perform the work required to execute the requested service method, and return a response (if not a one-way method). That usually means that some form of façade layer is required to pull any business logic from the service class, and choreograph invocations to reusable business logic components (see Figure 1).

 

If you design your business logic in terms of logical, distributable services, then you should end up with a coupling of isolated sets of functionality that comprise an entry point assembly, one or more additional supporting assemblies, and some form of output or data store. For example, in Figure 1, you see that the application server tier has three entry point services: Service A, B and C. Imagine that Service C is a logging service that simply logs the Web service request “happened”; Service B is a service that handles the actual request processing, gathering data from the database, possibly committing some business information to the database; and Service A is a set of messaging and file IO services that handle generating some document output, like a PDF or email generated from the Web service request. Each of these business services can be isolated and distributed to whatever tiers you may desire, or be hosted entirely on the Web server tier, depending on your scalability requirements.

 

So, to your question, how do you distribute components and invoke them across tiers? Assuming your system is designed for reuse and distribution in this way, you can choose from Enterprise Services, Remoting or Web Services (these are the typical three choices).

 

  1. Enterprise Services is the best approach if you want to migrate to future technologies like Indigo, since the programming model will follow this route. That means registering Service A assembly (for example) as a serviced component with COM+, which implies it will be invoked over DCOM with binary serialization messaging format. The beauty of this is that you can leverage COM+ to handle object pooling, encryption, authorization services, runtime identity services and distributed transactions. A recommended resource for this is Juval Lowy’s book, COM and .NET Component Services.
  2. There are a few reasons why Enterprise Services may not be an option for you. One reason could be that restrictions were placed on the system deployment that precludes enabling COM+ services and MSMQ. This is usually an issue on inexpensive host domains (your $10/month service provider dilemma) or because the company imposes these restrictions (sometimes for no reason, sometimes for good reason). Remoting is an option for these cases, because it is a completely hand-rolled solution for invoking objects across process boundaries. Of course, this means rolling your own authentication, encryption, runtime identity impersonation, object pooling. No built-in support for distributed transactions will be provided here. A recommended resource for Remoting is Ingo Rammer’s book, Advanced .NET Remoting.
  3. Lastly, you can slap a Web service in front of the business services shown on the application tier. Note, I call them business “services” because they are services in their own right, a la “service-oriented” system design. Each major function within the system should be designed in a service-oriented way so that distribution of the components of that business service can be accomplished transparent to how the entire system cohesively functions. In addition, those services could be reused by other “systems”.

 

So, the entry point to a business service can be through the remote invocation techniques described in 1 & 2, or through Web services if the business service either a) already exposed Web services due to its reuse outside of the firewall, or b) if the input to the service should be XML, and you want to reduce parsing overhead between the outer Web service and the business service. Behind the firewall, binary serialization over a speedy TCP/UDP protocol layer will perform better than XML over HTTP. The options for serialization and protocol selection will be seamless in future releases of the .NET framework (Indigo) however today it is a design decision that requires considering the deployment and invocation model during the design phase of the system.

Figure 1
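The service-class-plus-façade layering described above, as an added C# (ASMX) example; this is not code from the post or from IDesign. The service, façade, interface and class names, the WebService namespace, and the in-memory "policy store" data are all constructed for illustration; Services A, B and C map to the document writer, policy store and audit log respectively.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Services;

// The .asmx code-behind: a WebService-derived class whose [WebMethod] methods
// only translate the request and hand it to the facade. No business logic here.
[WebService(Namespace = "http://example.org/certificates")]   // placeholder namespace
public class CertificateService : WebService
{
    [WebMethod]
    public string IssueCertificate(string policyNumber)
    {
        return new CertificateFacade().Issue(policyNumber);
    }
}

// Facade layer: the only place that knows which business services run, and in
// what order. Each dependency is an interface, so the same facade works whether
// the implementation is in-process, a COM+ serviced component, or a Remoting proxy.
public class CertificateFacade
{
    readonly IAuditLog log = new InMemoryAuditLog();               // "Service C": logging
    readonly IPolicyStore store = new InMemoryPolicyStore();       // "Service B": request processing
    readonly IDocumentWriter writer = new TextCertificateWriter(); // "Service A": document output

    public string Issue(string policyNumber)
    {
        log.Record("IssueCertificate requested for " + policyNumber);
        Policy policy = store.Lookup(policyNumber);
        if (policy == null)
            throw new ArgumentException("Unknown policy " + policyNumber);
        return writer.Render(policy);
    }
}

public interface IAuditLog { void Record(string message); }
public interface IPolicyStore { Policy Lookup(string policyNumber); }
public interface IDocumentWriter { string Render(Policy policy); }

public class Policy
{
    public string Number;
    public string Holder;
    public DateTime Expires;
}

public class InMemoryAuditLog : IAuditLog
{
    public static readonly List<string> Entries = new List<string>();
    public void Record(string message)
    {
        Entries.Add(DateTime.UtcNow.ToString("o") + " " + message);
    }
}

// Constructed sample data standing in for the database behind Service B.
public class InMemoryPolicyStore : IPolicyStore
{
    static readonly Dictionary<string, Policy> Policies = new Dictionary<string, Policy>
    {
        { "P-1001", new Policy { Number = "P-1001", Holder = "Acme Roofing", Expires = new DateTime(2006, 12, 31) } }
    };

    public Policy Lookup(string policyNumber)
    {
        Policy policy;
        return Policies.TryGetValue(policyNumber, out policy) ? policy : null;
    }
}

public class TextCertificateWriter : IDocumentWriter
{
    public string Render(Policy policy)
    {
        return "CERTIFICATE OF INSURANCE\nPolicy: " + policy.Number
             + "\nInsured: " + policy.Holder
             + "\nValid through: " + policy.Expires.ToString("yyyy-MM-dd");
    }
}
```

Swapping `InMemoryPolicyStore` for a ServicedComponent or a Remoting proxy changes only the field initializer in the façade, which is the distribution transparency the answer is after.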

 

2/23/2005 5:36 PM .NET | Service-Oriented | Web Services
 Wednesday, February 09, 2005

In a few weeks I'll be heading to Santa Clara to participate in the SD Expo conference. This is one of my favorite conferences because it brings together such a diverse crowd. Not only does this conference draw one of the largest C++ followings in terms of conferences, but you'll meet Java, XML, .NET, Security, Web Services and other types of experts that participate in the various tracks. I find this a great place to go if you want to mingle and learn from developers coming from other areas of expertise, or to dabble in some sessions in “the other world” from which you spend most of your time.

So, if you plan to join me there, be sure and come to my talks too!!!

Christian Gross and I are giving another joint tutorial on Web Services. Christian is one of my favorite speakers, a true philosopher, and this set of tutorials was very well received last year so we're updating it to the latest and greatest and joining forces once again:

(112) Web Services Part One: Web Services Theory
Time/Date: Monday (March 14, 2005)   8:30am - 12:00pm

(117) Web Services Part Two: Implementing Web Services Using .NET
Time/Date: Monday (March 14, 2005)   1:30pm - 5:00pm

(131) Web Services Part Two Continued: Implementing Web Services Using .NET Time/Date: Tuesday (March 15, 2005)   8:30am - 12:00pm

Then, we are doing a special tutorial presented by several of the Interop Warriors (www.interopwarriors.com), focused on WS* interoperability for Web Services platforms:

 (140) Web Services Tools and Platform Interoperability
Time/Date: Tuesday (March 15, 2005)   1:30pm - 5:00pm

And I have some other general sessions throughout the week as well:

Best Practices for .NET Versioning and Deployment

Time/Date: Wednesday (March 16, 2005)   1:45pm - 3:15pm


Making Sense of all these Crazy Web Services Standards
Time/Date: Wednesday (March 16, 2005)   3:30pm - 5:00pm

Mastering the Offline Experience with Smart Clients
Time/Date: Friday (March 18, 2005)   8:30am - 10:00am

The Good, the Bad and the Ugly of Web Services Security
Time/Date: Friday (March 18, 2005)   1:45pm - 3:15pm

Designing Scalable ASP.NET Applications
Time/Date: Friday (March 18, 2005)   3:30pm - 5:00pm

We also plan to have an interesting discussion around the REST-ful Web Services topic, with some passionate followers on both sides in the room, this will be interesting!!!

Rest vs. Soap
Time/Date: Thursday (March 17, 2005)   7:30pm - 9:00pm

Hope to see you there....

2/9/2005 9:08 AM .NET | Speaking/Events | Web Services
 Saturday, January 08, 2005

I recently received this question from a SearchWebServices.com reader:

 

I am designing a sample app that has 3 tiers - Web browser, .NET application & DB server. I believe (correct me if I am wrong) that given that each individual user will not be connecting to SQL server directly (except maybe for DB Admin's etc) it is desirable to create a login for IIS to connect to the server and a user login to connect to the DB in question with the appropriate permissions. The .NET application will be connecting to the DB using ADO.NET. Is this true, or am I barking up the wrong tree?

 

Interestingly this is a subject I have been writing about recently. Here's the answer I posted for this question.


 

Let’s first clarify the physical tiers you describe here. The Web browser is on the client tier, but it really doesn’t participate in the description of tiers for the server-side application. Users will provide credentials through the browser that must ultimately be authenticated by IIS or passed through to ASP.NET for custom authentication. The .NET application I presume is hosted on the Web server physical tier, along with IIS. The database server physical tier hosts…well…the database application. The server side then potentially has two physical tiers. If this is an intranet-based application, the Web site is likely configured for Windows authentication in IIS, which means IIS will authenticate the user within the Windows domain. Authorized requests will be forwarded to the ASP.NET runtime for processing, and if the application is configured to impersonate the authenticated user, application code will be governed by what the impersonated account is authorized to do:

 

<identity impersonate="true" />

 

For example, if the logged in user is authorized to access the database (which really means, whichever database objects the account is granted access to, and for whatever type of access like db_datareader, db_datawriter) then functionality to access the database will execute without exception. But this is not realistic as you mention. That means the code that tries to access the database must first impersonate an account that is granted appropriate access to the database objects. If the intranet application impersonates the logged in user, then this impersonation must be handled on the fly, and must be reverted so that the logged in user is once again the identity under which the remainder of the request thread executes.

 

If the application does not impersonate the logged in user, ASP.NET application requests will be executed with the ASP.NET identity configured in the <processModel> section of the machine.config. This is usually the NETWORK SERVICE account, which has limited privileges (by design). In theory you could have the application impersonate a higher privilege account for all requests that also has access to the appropriate database objects. BUT - DO NOT DO THIS. This is the lazy man’s solution to gaining access to protected resources, and it seriously compromises the safety of the application. If a hacker were to gain access to an executing thread inside the worker process, they will have access to whatever privileges have been granted to that thread. By default, we prefer this to be the NETWORK SERVICE account, or the account of the logged in user for intranet applications.

 

So, the solution?

 

  • Either impersonate the logged in user or run the application under the NETWORK SERVICE account
  • For calls to the database, either impersonate a privileged account at runtime, or use EnterpriseServices to invoke a serviced component that runs with the required account with database privileges (better). This decouples the configuration of the required account to access the database from the code, allowing it to be modified as needed through serviced component configuration (COM+). This also has the benefit that later you could distribute the database access component to another tier for scalability and security requirements.

 

What accounts do you need?

 

  • It is useful to have one account that can only read the database (db_datareader on the appropriate objects) and another that can read and write (db_datareader and db_datawriter). Read operations then run under the read-only account, so a flaw exploited during a read (a SQL injection in a query, for example) cannot be turned into a write.
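To make the impersonate-then-revert pattern from the discussion above concrete, here is an added C# example (written for this edit, not code from the original post or its download) of a helper that obtains a token for a dedicated database account, impersonates it only around the SQL call, and restores the request identity in a finally block so a failed query cannot leave the thread running as the privileged account. It uses the Win32 LogonUser API through P/Invoke and WindowsIdentity.Impersonate. The domain, account names, table names and connection string are placeholders; the connection string is assumed to use Integrated Security=SSPI, and the passwords are assumed to come from protected configuration rather than source code. Passing a read-only account for read operations and the read/write account only for writes gives you the two-account split described in the last bullet.

```csharp
using System;
using System.Data.SqlClient;
using System.Runtime.InteropServices;
using System.Security.Principal;

// Added example (not from the original post): run a database call under a
// dedicated, least-privileged Windows account and revert to the request
// identity afterwards. Domain, account names, tables and connection string
// are placeholders (assumptions).
public static class ScopedDbAccess
{
    public delegate T DbWork<T>(SqlConnection connection);

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    private static extern bool LogonUser(string userName, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    private static extern bool CloseHandle(IntPtr handle);

    // A NETWORK_CLEARTEXT logon produces a token that can authenticate to a
    // remote SQL Server; a plain LOGON32_LOGON_NETWORK (3) token cannot.
    private const int LOGON32_LOGON_NETWORK_CLEARTEXT = 8;
    private const int LOGON32_PROVIDER_DEFAULT = 0;

    // Impersonates domain\userName for the duration of 'work' only. The
    // finally block guarantees the caller's identity is restored and the
    // logon handle closed, even when the query throws.
    public static T RunAs<T>(string domain, string userName, string password,
                             string connectionString, DbWork<T> work)
    {
        IntPtr token;
        if (!LogonUser(userName, domain, password,
                       LOGON32_LOGON_NETWORK_CLEARTEXT, LOGON32_PROVIDER_DEFAULT, out token))
        {
            throw new InvalidOperationException(
                "LogonUser failed, Win32 error " + Marshal.GetLastWin32Error());
        }

        WindowsImpersonationContext context = null;
        try
        {
            context = WindowsIdentity.Impersonate(token);
            // Integrated Security=SSPI: SQL Server now sees the impersonated
            // account, not the worker process identity.
            using (SqlConnection connection = new SqlConnection(connectionString))
            {
                connection.Open();
                return work(connection);
            }
        }
        finally
        {
            if (context != null)
            {
                context.Undo();   // back to NETWORK SERVICE or the logged in user
            }
            CloseHandle(token);
        }
    }

    // Read path: uses the read-only account, so a flaw in this query cannot
    // be turned into a write. 'svc_db_reader' is assumed to hold only
    // db_datareader on the objects it needs.
    public static int CountOrders(string connectionString, string readerPassword)
    {
        return RunAs<int>("CORP", "svc_db_reader", readerPassword, connectionString,
            delegate(SqlConnection connection)
            {
                using (SqlCommand command = new SqlCommand(
                           "SELECT COUNT(*) FROM dbo.Orders", connection))
                {
                    return (int)command.ExecuteScalar();
                }
            });
    }

    // Write path: only here does the read/write account come into play.
    public static int InsertAuditRow(string connectionString, string writerPassword,
                                     string userName, string action)
    {
        return RunAs<int>("CORP", "svc_db_writer", writerPassword, connectionString,
            delegate(SqlConnection connection)
            {
                using (SqlCommand command = new SqlCommand(
                           "INSERT INTO dbo.Audit (UserName, Action) VALUES (@u, @a)", connection))
                {
                    command.Parameters.AddWithValue("@u", userName);
                    command.Parameters.AddWithValue("@a", action);
                    return command.ExecuteNonQuery();
                }
            });
    }
}
```

Two things to keep in mind when using this shape: impersonation is per thread, so the impersonated scope must not span a hand-off to another thread or a queued callback, or that work silently runs as the wrong identity; and because integrated security pools connections per Windows identity, each database account gets its own connection pool, which is expected but matters when you size the pool. Keep the impersonated block no larger than the query itself.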

 

For more information on this subject, see my article on The Server Side.NET referenced here in my blog: http://www.dasblonde.net/PermaLink.aspx?guid=aa616d20-1089-4a24-8f0c-14326f2a731c

1/8/2005 7:02 PM ASP.NET | Security | Web Services  | Comments [5]  |  View reactions  |  Trackback
 Tuesday, December 07, 2004

Please see this InteropWarriors blog for a new post with code samples demonstrating WS* interop.

http://www.interopwarriors.com/PermaLink.aspx?guid=8b01c523-59d6-47be-9843-139f710c5a84

12/7/2004 5:43 AM .NET | Interoperability | Web Services | WebLogic | WSE  | Comments [3]  |  View reactions  |  Trackback
 Saturday, November 13, 2004

If you were up at 8am for this session at VS Connections, I hope you had a coffee first because we covered a lot of ground! My resources for this talk are on this site:

http://www.dotnetdashboard.net/resources/wse.aspx

Some of my new code samples I showed you in the talk have been written with WSE SP2 (pre-release version), so I'll post those shortly once the service pack is public. Should be very very soon.

Also, you'll notice my DIME example on this site is pre-SP1. I am working on an article to discuss the specifications around attachments, and will compare DIME with SwA for interoperability between platforms. Stay tuned for an update there. (This was not part of the security session, of course.)

 

 

11/13/2004 6:23 PM Speaking/Events | Web Services | WSE  | Comments [2]  |  View reactions  |  Trackback
 Tuesday, October 26, 2004

Just wanted to mention that the Interop Warriors are at it again. We have a number of events coming soon that we're beginning to prepare for, and we'll be showing off our latest in San Diego at this FREE event. For more information, check this out:

http://www.interopwarriors.com/PermaLink.aspx?guid=f3f79b24-a4df-49d2-9323-b8fb3b59b832

 

10/26/2004 7:16 PM Interoperability | Web Services | WSE | WebLogic  | Comments [3]  |  View reactions  |  Trackback
 Saturday, September 25, 2004

Thanks to everyone that attended this on Thursday night, it's one of my favorite topics! I mentioned several resources you could access now, and that I'm adding some new content for an upcoming article and an advanced presentation at Dev Connections.

For now, get my latest version of these resources here:

http://www.dotnetdashboard.net/Resources/wse.aspx

I will be updating this site with more in late October, when I formalize my new code samples. That will include my password hashing example.

Thanks again!

 

 

9/25/2004 3:21 PM Security | Web Services | WSE  | Comments [0]  |  View reactions  |  Trackback
 Wednesday, September 22, 2004

This entry has references for both of my talks at SD Best Practices (www.sdexpo.com) in Boston this week. I apologize that the slide decks are not on the conference CD, however I was invited to cover another speaker, therefore my materials were not part of the materials submission deadline as they were different talks from those originally scheduled.

I have added some supporting resources to the link below, related to security as well. Enjoy!

http://www.dotnetdashboard.net/resources/scalability.aspx

Thank you for attending both talks, and please email me with any questions we could not get to within the timeframe.

 

 

9/22/2004 8:20 PM Architecture | Speaking/Events | Web Services  | Comments [38]  |  View reactions  |  Trackback
 Sunday, September 19, 2004

I'm having a déjà vu here, because I think I've answered this question a number of times, pre-blog. However, since I once again have received the question, I'll go ahead and answer it once more, here.

The question: How do I invoke a Web service that supports session state, and maintain the session across posts?

The answer: The Web service proxy class, which derives from SoapHttpClientProtocol, has a property called CookieContainer. If you initialize this to an instance of the System.Net.CookieContainer type, it will store cookies returned to the client. When the same proxy, with the same instance of the cookie container, is used to invoke service methods, the proxy serializes the cookies in the container with the request as a properly formed HTTP Cookie header. Before calling methods that support session state, be sure to create the CookieContainer and initialize the proxy like so:

    // One container, created once and kept for the lifetime of the client.
    System.Net.CookieContainer cookies = new System.Net.CookieContainer();

    localhost.SessionService1 svc = new localhost.SessionService1();
    svc.CookieContainer = cookies;   // same container for every call on this proxy

    svc.UpdateHitCounter();          // ASP.NET_SessionId is stored, then replayed on later calls

For a working demo, download this example, WSSessionCookie.zip. Be sure to note that a single instance of the cookie container is scoped for the lifetime of the application. If you assign a new cookie container to the proxy, the previously stored session ID (or other cookies) will not be passed with the request.

NOTE: I don't generally recommend using session state with Web services. The typical argument for its use is to support login-once scenarios. However, a logged in state maintained this way is protected by nothing more than the session ID cookie: there is nothing to prevent replay, or to stop the session ID from being sniffed off the wire. The OASIS WS-Security specifications describe how to safely pass tokens, including session-based tokens with adequate expiry rules, and how to sign and encrypt the message so that any tampering is detected. For other types of session-based tokens, see the WS-SecureConversation, WS-Trust and SAML specifications.

9/19/2004 7:08 AM .NET | Web Services  | Comments [1]  |  View reactions  |  Trackback
 Tuesday, August 03, 2004

Tonight I'm presenting at our local .NET Developers Group in San Diego how to secure your Web services with WS-Security and WS-SecurityPolicy using WSE 2.0. I will post any new code samples or slides here for reference after the talk, but my current resources page on this subject can be found here:

http://www.dotnetdashboard.net/resources/wse.aspx

After spending the past week *immersed* in mostly ASP.NET 2.0, primarily using all the new localization features for a whitepaper I just completed (cool stuff, more on that later), today I'm *immersing* myself in my WSE 2.0 presentation content. Surely I will soon have new things to share on that subject...just a matter of time to post them between deadlines :)

 

8/3/2004 9:13 PM .NET | Speaking/Events | Web Services | WSE  | Comments [9]  |  View reactions  |  Trackback
 Saturday, July 24, 2004
Some great discussions are going on regarding the choice of Enterprise Services, .NET Remoting and Web Services for .NET applications. I'm adding on, so sit yourself down...this one has "really long blog" written all over it...
7/24/2004 5:05 PM .NET | Architecture | Web Services  | Comments [4]  |  View reactions  |  Trackback
 Thursday, June 17, 2004

In many presentations of late I have mentioned to folks my preference for Enterprise Services over .NET Remoting. This is in part to reduce the risk associated with rolling your own security model across boundaries (among other things), and in part because the Indigo team at Microsoft recommends Enterprise Services as the way to build your component architecture today, to better migrate to Indigo tomorrow.

Here are some references I found on the subject on Rich Turner's blog (he's a PM) and a video on the MSFT site. If I find more, I'll add to comments. If you have your own proof, or have questions/concerns on this subject, YOU add to comments :)

Cheers.

6/17/2004 4:51 PM Architecture | Indigo | Web Services  | Comments [16]  |  View reactions  |  Trackback
 Wednesday, June 16, 2004
A few months ago, CoDe Magazine published an article I wrote on WSE 2.0. The code sample for this article has now been updated here to reflect the release of WSE 2.0. Enjoy.
6/16/2004 8:02 AM Web Services | WSE  | Comments [3]  |  View reactions  |  Trackback
 Saturday, June 12, 2004

Ok, so there isn't much here yet, but after that really long stretch of no sleep preparing for the interoperability event I pulled together last month, the blog site www.interopwarriors.com is finally live. Now we have a home for our random thoughts on the things we learned, and things we'll do before the next event. You can expect code, but not really soon. How about in July? After another long rush of deadlines is over?

 Monday, June 07, 2004

In less than 10 minutes I just created a VB.NET demo for an upcoming SearchVB.com webcast, using WSE 2.0. Policy rocks! However...even though I've been through this before, once again I was momentarily baffled by the fact that my service seemed to be authorizing my UsernameToken even though I submitted a bad password. Well, that's the policy cache baby!

Steps to create the sample:

  • Create a Web service project, enable WSE 2.0 extensions for the service
  • Add a custom UsernameTokenManager class to handle, well, UsernameToken authentication.
  • Add code to authenticate by performing a database lookup and returning the user's password from the AuthenticateToken method; WSE uses the returned value to verify the token's password, digest or signature. In this case, I'm just returning a password, clearly not a real example.

    Imports Microsoft.Web.Services2.Security.Tokens

    Public Class CustomUsernameTokenManager
      Inherits UsernameTokenManager

      ' WSE calls this for every UsernameToken in a request. Return the password
      ' it should verify against, or throw to reject the caller.
      Protected Overrides Function AuthenticateToken(ByVal token As UsernameToken) As String
        Return GetUserPassword(token)
      End Function

      ' Demo stand-in for the database lookup: a hard-coded user/password pair.
      Private Function GetUserPassword(ByVal token As UsernameToken) As String
        Select Case token.Username
          Case "demo"
            Return "demo-password"
          Case Else
            Throw New System.Security.SecurityException("Unknown user")
        End Select
      End Function

    End Class

    Even without specifying a service side policy that requires a UsernameToken, the UsernameTokenManager will be invoked on each request carrying a <wsse:UsernameToken> element and will validate it. You should still specify a policy as a best practice, so that requests that omit the token are rejected rather than processed anonymously.

  • Create a Windows Forms client, add WSE 2.0 support BEFORE you add a Web reference to the Web service just created. This ensures that you get a WSE-aware proxy class.
  • Add a couple of textboxes and a button to the Form, and handle the button click event by creating an instance of the WSE-enabled proxy, and invoking the service.
  • Create a policy for the client to require UsernameToken signature
  • Add code BEFORE invoking the WebMethod to create a UsernameToken object and add it to the policy cache. Note: Here you'll notice that I'm clearing the cache before adding the token. This is where you'll run into trouble: the cache is not cleared unless you explicitly clear it, so without the Clear() call the token from an earlier request is still in the cache and is the one that gets sent, which is why my bad password appeared to authenticate.

      Dim svc As New localhost.Service1Wse
      Dim userToken As New UsernameToken(Me.TextBox1.Text, Me.TextBox2.Text, PasswordOption.SendNone)

      ' Clear stale tokens first; otherwise the first token in the cache wins.
      PolicyEnforcementSecurityTokenCache.GlobalCache.Clear()
      PolicyEnforcementSecurityTokenCache.GlobalCache.Add(userToken)

      Dim s As String = svc.GetSecret()

This brings up an interesting point about the policy cache. When should you populate it? When should it be cleared? Should we create policy cache managers that handle updating existing tokens when a new password is supplied?

Of course, this is a demo, so on most occasions we wouldn't be happily modifying passwords for the same user during the same session. However, a new UsernameToken is still added to the cache even if it refers to the same user, so beware of a) bloating the cache with tokens, and b) sending the wrong token (the first one in the cache wins!). In short, based on your client application, determine an efficient way to keep the cache free of junk. Perhaps store the token in the cache at login time, and reuse that token for each Web service request.

6/7/2004 6:02 PM .NET | Security | Web Services | WSE  | Comments [3]  |  View reactions  |  Trackback
 Tuesday, May 25, 2004

This talk started out with a bang as Don and Doug collected a list of questions from the audience that they planned to answer throughout. The best part about this was that the questions were really great. For example: When should you use .NET Remoting vs. Enterprise Services? What will happen to COM+? When does COM matter? Should we use ASMX?.

After this, they proceeded to go through exactly 3 slides. Cool bullets…

  • There is only one program and it is still being written.
  • Choice is an illusion.
  • Objective interpretation is an oxymoron.

The question is, what do the bullets really mean? Clearly, Don and Doug are great philosophers who enjoy abstracting the meaning of technology, where have we been, where are we going, how do we get there…all that. So, I’ll give you my interpretation (which we know from the bulleted list will not be shared by everyone).

First of all, the meaning of SOA (something the masses struggle with big time) is that we need to design systems (or, services) as well encapsulated, autonomous chunks of functionality that can be consumed by other systems, across departmental, enterprise, and possibly industry boundaries. This is one big program (the matrix anyone?)…metaphorically speaking…although of course not literally. If we design systems with the expectation that we cannot control where and who consumes them, we will fit within the SOA model. Contracts for these services, once published, must remain constant…because we have no idea who is consuming them, nor when.

In a related topic of discussion regarding the definition of service interfaces, we must consider that there can be many interpretations of a service schema. For example, if an industry like ACORD (for insurance) defines what XML looks like for a certificate of insurance, does that mean all systems following that standard will interpret EVERY element of the schema in the same way? Or, might there be different (valid) renditions of this schema? For example, could an xsd:int value be delivered as an xsd:string instead and still be meaningful? Sure it can. Could a subset of the schema be used by the destination endpoint? Absolutely. Thus, by definition we need extensibility and we need to be prepared for variant interpretations. In addition, the object model behind a service will rarely look exactly like xsd-generated classes. Services must be able to interpret XML payloads in their own way, and process them according to the needs of the system. What all of these competing Web service vendor platforms can agree on is the goals of SOA and the protocols (WS*) that are required to interoperate. Proof of this of course is in my recent experience with the Web Services Interoperability Education Day. This is exciting stuff, to see emerging standards work across platforms…we will continue on our quest there.

I enjoyed the philosophy shared during the talk, but must admit that the questions asked at the beginning were so compelling that I was really looking forward to their answer. I almost think they could have done two complete presentations. One for the philosophy, another for the Q&A. So, although there wasn’t a lot of time for answers at the end, here’s a summary of what I captured:

  • COM will not disappear, it will be part of hybrid solutions, and transparent to the service interface.
  • Remoting is useful for crossing app domains, but not for crossing machine boundaries. Use it for fault tolerance within a process (one app domain goes down, the main process stays alive).
  • Crossing machines and processes, DCOM is the fastest binary protocol and can be secured, which means Enterprise Services (ES). This also facilitates DTC transactions. Oh, and MSMQ is integrated here so you can also guarantee message delivery.
  • On ASMX serialization vs. binary serialization with Remoting: ASMX will be faster than .NET Remoting, and short-term performance gains using Remoting today will not position your applications for future releases (i.e., Indigo). You can expect better performance with ASMX in future as programming models change, and frankly what impacts performance most is usually bad architecture, including hardware choices and physical tier distribution. Another thing that will support performance improvement at a more granular level is XML parsers…something the team is working on.
  • How many WS* protocols do we need? Less. SOAP/XML is a great start. WS-Security is critical for end to end message integrity. We need standard protocols for interoperability, thus we need tools to assist with serialization, such as WSE 2.0.
  • WSE 2.0 gives us a chance to work with WS* protocols now, while waiting for Indigo. The important thing is to realize it is taking you in the right direction. It keeps you in the game. These standards move fast, so does the WSE team. Indigo will just swallow it all making it even easier once standards are more stable.
  • MTOM is the future of DIME.
  • SAML will be supported, because WSE is extensible. Actually, Benjamin Mitchell and I worked on a SAML sample for our interoperability demonstration with Axis/SourceID…so we kinda already have a start on that!
  • Your ES investment with COM+, MSMQ will be supported by the world of Indigo. Of course!

5/25/2004 1:24 AM .NET | TechEd | Web Services  | Comments [14]  |  View reactions  |  Trackback
Get it here

Rebecca Dias hung out with keynote speaker Steve Ballmer and announced the release of WSE 2.0, the successor to the 1.0 component libraries, with support for the OASIS WS-Security protocols in addition to several features of WS-Policy (specifically WS-SecurityPolicy) and WS-Trust/WS-SecureConversation. It is truly a tribute to .NET's extensibility model that the WSE team can build support for emerging standards (as they emerge) through the use of HTTP handlers and SOAP extensions. The WSE team has one of the fastest release cycles at Microsoft, and I expect they will continue to plunge forward to support more of the WS* standards so that we have tools at our fingertips to work with these protocols with a lot less pain (or, WS-Pain as I call it).

NOTE: If you’re at Tech Ed, come see my talk on HTTP handlers, modules and SOAP extensions. DEV410: Inside the ASP.NET Runtime: Intercepting HTTP Requests, Wednesday 8:30am in Room 8.

This release gives developers a simple way to use Web services security protocols that enable:

  • Passing security tokens
  • Authenticating callers
  • Ensuring message integrity
  • Ensuring message confidentiality

This tool has the best support out there today for generating WS-Security and WS-Policy XML, and helps you see the value of the actual standard.

Becky, can I have a WSE T-shirt now?

5/25/2004 12:48 AM .NET | TechEd | Web Services  | Comments [1]  |  View reactions  |  Trackback
 Monday, May 24, 2004

After a long week trouble-shooting last minute issues between .NET, WSE 2.0, BEA Workshop 8.1, Apache Axis and SourceID...we pulled off our Web services event without a hitch! What does that mean? Well...for one, all the demos worked. This is significant because although we each had our own test plans hitting remote and local endpoints...the first time we were able to get together and test on the actual machines for the demo was Friday, when each speaker arrived in San Diego. Here's how Friday played out:

  • Heinrich arrives at San Diego airport at 1pm, we head to my technology palace to hook our machines up to the NAT router and have his BEA code hit the token issuer on my machine (which would be Ben's machine later that night), and the Axis web service on Chris' remote server.
  • Anant meets Heinrich and me at UCSD to test the configuration at the event venue, and we switch to Anant running the Axis service. This didn't quite work (the configuration was fragile, too many settings to modify each time we moved service endpoints) so I left them (and my machine) to figure it out while I was off to pick Ben up at the airport
  • Ben's plane is late, I call Anant and Heinrich, they come to the airport so we can trouble-shoot the configuration issues while we wait. We can't afford to lose time...it's already 7pm
  • Ben arrives and immediately spots us. We were sitting at the airport, connected machines via router, people staring (what the?)...as they walked by. It's 8:30pm
  • We head back to my place, call for pizza on the way, Adam Cogan waiting on us (he wanted to see our demo...give us feedback). We work on configuration with Ben's machine, then proceed to run through the demos and discussions. By 2am we were ready...a few hours of sleep later and we were setting up at UCSD!

Ted Neward gave an incredible keynote, not only educating us on interesting historical facts but explaining that we are destined to repeat the same mistakes over and over again if we don't approach SOA, Web services and enterprise component architectures by incorporating lessons learned from the failure of past architectures such as CORBA and DCOM. He is a phenomenal speaker and a great philosopher, and what I really like about Ted is that he backs up every statement he makes with cold hard facts and reasoning.

We ended up spending some time describing Web services, and what the purpose of WS-Security and WS-Policy is, before we got to demos...however the audience truly seemed to appreciate the overview as much as they enjoyed the demonstrations that followed. I'll get some links up soon that reference resources. In the meantime, some detailed discussions of the event are already up on John's and Benjamin's respective blogs. Benjamin writes about the panel discussion that followed the code demonstrations. He also summarized Ted's keynote.

I plan to summarize some of the interesting things I noticed while trouble-shooting the code as our human interoperability tester...stay tuned...

5/24/2004 1:22 AM .NET | Interoperability | Web Services  | Comments [68]  |  View reactions  |  Trackback
 Sunday, May 16, 2004

Well, I couldn't be more thrilled today...after rebuilding my machine on Friday (sun shining outside, 80 degrees) and following Chris Haddad's flawless instructions to set up my machine with the latest JDK, Ant, Tomcat, and Axis yesterday (sun shining outside, 80 degrees)...we were ready to start testing Ben's .NET SAML implementation. Setup was time consuming, yet surprisingly painless... a far cry from the hell I went through several years ago when Axis was in its infancy ...back then it took me 3 days to get HelloDuke() to run properly...mind you that could have been related to my J2EE container, ATG Dynamo.

Yesterday Anant and I both set up our machines to run Axis demos and between phone calls and IM Chris and I tested his remote Axis endpoint with Ben's SAML token issuer. We discovered a few things related to how Axis handles SOAP messages, for example you have to manually indicate understanding for *mustUnderstand* headers like wsse:Security (a good one to understand wouldn't you say?).

Today we continue (sun shining...80 degrees...sigh)...

As I mentioned earlier a bunch of us are pulling together some *wicked* demos (that's Canadian for *awesome*) for first ever Web Services Interoperability Education Day.

We crafted a plan for the tiered demonstration in late February and everyone broke off into their respective coding frenzy. Benjamin Mitchell took on extending .NET WSE 2.0 to create a SAML token issuer. Heinrich Gantenbein is extending the existing interop example he already created between .NET WSE and BEA Workshop 8.1/WebLogic Server. And Chris Haddad stepped up big time to build us an Apache Axis/Source ID Web service to receive SAML token signed messages and verify with the token issuer. (We switched to open source since we discovered it was VERY difficult to get our hands on a trial version of Tivoli to support our IBM WebSphere example...and the clock was ticking...).

Throughout all of this, John Bristowe and I have been waving pom poms (John's term) and supporting the group by testing code, discussing issues, and general coordination. In addition, Anant Kadiyala (who runs the local BEA user group in San Diego, and teaches Web Services at UCSD Extension with me) stepped up to support the open source side, working with me configuring machines for the demos, and we'll be trouble-shooting the entire system here in San Diego before our esteemed speakers arrive.

Now, I have to admit that it was really very difficult for me NOT to *own* a specific part of the code for this event...given that I work with WSE 2.0, have a past with Axis and also know enough BEA to be dangerous :)... and I'm sure John and Anant may have similar feelings despite the bandwidth issues we all have...however, this couldn't be a better display of teamwork in action. As issues come up, there is a support team to research issues, test code and find solutions...fast. We're running into X.509 certificate serialization issues, Web service specification implementation issues, and other configuration bottlenecks. Not to mention that coordinating all of this with the actual presentation is just a ton of work, since we will be networked through a NAT router and hitting each other's machines...good things...so, in short, this is a really great experience.

It is an honor to work with all of these guys...really.

 Saturday, May 08, 2004

We're putting on an event right before Tech Ed San Diego, hosted by UCSD Extension. This Web Services Interoperability Education Day, on May 22nd, is geared at showing the community some of the .NET and Java tools that help developers implement solutions with WS-Security (now OASIS standard) and WS-Policy support. This event is an extension of the IDesign whitepaper and webinar comparing .NET/WSE and BEA Workshop 8.1 support for emerging Web services standards, and showing their interoperability.

I am really fortunate to have so many great people contributing their time to make this a success (see the site for a list of presenters, although a few are not listed yet, I guess those php sites take time to update ). The diverse backgrounds, and various perspectives of each presenter and panelist will definitely make for some very interesting post-demo discussions, and certainly should help to keep you awake during our Q&A period during the BOF.

Of course, we have prizes too...XBOX anyone? How about an iPod? T-shirt? Cap? Mug? The list is endless...
