|
>
 Friday, March 23, 2007
 |
|
 |
|
|
|
|
|
I just spent the last week at SD West in San Jose...this year the conference was bigger than ever before! Thanks to everone that attended my tutorials and sessions, I really enjoyed the questions and discussions...as I hope you did. As promised, here is a list of all my resources from the conference talks. Enjoy! Intro to Web Services (Tutorial) - Christian Gross and myself presented this one, discussing everything from POX, REST, RSS, SOAP/WSDL, WS* and SOA.
- Code I demonstrated in this tutorial is from the .NET Web Services tutorial next.
.NET Web Services TODAY (Tutorial) Microsoft Technology Avalanche (Tutorial) Top 10 Web Service Standards You Need To Know WCF Contracts and Versioning - Demonstrations in both of these talks are based on WCF code from my book here: http://www.thatindigogirl.com/LearningWCFCode.aspx
- See \Security, \ReliableSessions, \Transactions in particular for the WS* discussion
- See \DataContracts, \AdvancedSerialization, and \ServiceContracts for the contracts discussion
CardSpace - Demonstrations in this talk can be found here:
The Amazing World of Federated Security - This talk was mostly discussion of standards and architectures however the demonstrations I used to illustrate a few points are based on my claims-based samples here:
- And, my STS sample here (NOTE: this sample will be updated shortly with an upcoming article, stay tuned!):
|
|
|
 |
|
 |
|
|
|
|
|
|
|
|
|
I created a presentation in November of last year with the goal of helping folks make sense of the vast number of Microsoft technologies from development tools, language, data, windows, web and SOA development. This blog post holds the latest links to resources and code for each section. System Requirements The links below use the following technology platforms: - Visual Studio 2005 and .NET 2.0
- .NET 3.0
- NET 3.0 Runtime (installed with Vista)
- Windows SDK for .NET 3.0
- Visual Studio 2005 Orcas Extensions for .NET 3.0:
- WCF&WPF (Nov 2006)
- WF (Nov 2006)
- ADO.NET and LINQ CTP for VS 2005 (May 2006)
- LINQ CTP
- ADO.NET vNext CTP
- ADO.NET vNext Entity Data Model Designer Prototype, CTP
- Visual Studio Orcas CTP (March 2007)
Development Tools In this section I reviewed the stack of development tools and explained how to choose between them. Language Enhancements In this section I talked about moving from .NET 1.1 to 2.0, and discussed the key features of 2.0 that folks should be leveraging. Then, I focused on the language enhancements forthcoming with C# 3.0 and VB 9.0. Demos: Data Access In this section I focused on data access technologies, designing the data access tier, and key features of ADO.NET 2.0, vNext and LINQ to give you some idea how to prepare for the next set of innovations. Demos: - When you install ADO.NET vNext and LINQ there are literally 100s of samples that will really help you get up to speed here. I show a selection of these in this presentation.
Windows Development
In this section I review Windows Forms 2.0 innovations, primarily ClickOnce, and then talk about how to prepare for WPF, explaining the various deployment models. I also talk about practical approaches to choosing the right platform for your development efforts. Demos:
Web Development
In this section I showed an ASP.NET sample application that illustrates key features of ASP.NET 2.0 and practical application of those features. Then we looked at AJAX and discussed trends on the Web compared to Windows development. Popular AJAX Frameworks: Demos: Distributed System Programming In this section I reviewed the typical use for earlier distributed computing technologies like remoting, enterprise services and ASMX web services with WSE, and compared them with WCF. BPM and Workflow In this section I discussed BPM, BizTalk and workflow and trends for BizTalk vNext. DinnerNow To pull it all together, there is a sample you can download here: www.dinnernow.com that illustrates all of the technologies in a practical example. It includes WCF, WF, WPF, AJAX, Vista gadgets and mobile apps.
|
|
|
|
|
|
|
Sunday, February 19, 2006
|
|
|
|
|
|
|
|
|
After rebuilding my machine a few weeks ago, once again I find myself running into old problems and trying to remember how to repair them. This time, generating keys to strongly name my asesmblies through the Signing tab in Visual Studio 2005. I thought I would share it this time in case others have seen this problem...and struggled with it...
The Scenario:
For a Windows client application, open the Properties for the project, navigate to the Signing tab, check Sign the assembly and create a new key. In the Create Strong Name Key dialog, provide a new key name, provide a password, and click "OK".
The Problem:
An error message is presented: Create strong name key the operation could not be completed. Access is denied.
The problem repeats itself when I tried to use the strong name utility (sn.exe), with this error: Failed to generate strong name key pair. Access is denied.
The Solution:
I had to give my user account access to the key container in C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys. It turns out, even administrator rights were disabled on my machine! I am not sure if this was the default installation (I rebuilt the machine a few weeks ago) or if this is modified when I install WinFX, or if when I granted ASP.NET and NETWORK SERVICE access it somehow lost the inherited permissions that were granted when I installed the OS. In any case, at least it seems predictable, you need access to the key store in order to generate keys, makes sense!
How does it work?
Each container created using sn.exe -i is located in the MachineKeys directory (unless you specify elsewhere). The default key container that is used by sn.exe is also in that location.
In the event you reset your key container to a new one, and forget where it is...you can reset the key container for the strong name utility using sn.exe -c. So, if the account access fix doesn't work, you may be using an alternate key store so a reset may be in order.
I googled this topic a bit before writing this blog, and was surprised that very little has been written on this subject for a solution...furthermore...many people actually rebuilt their machines to solve the problem!!!! I hope this blog entry prevents a few more of those!!!
|
|
|
|
|
|
|
Monday, September 12, 2005
|
|
|
|
|
|
|
|
|
We put on a 1 day seminar at UCSD Extension on Saturday for those interested in getting up to speed on the upcoming release of .NET 2.0. I'm posting a bunch of 2.0 samples here directly related to the topics we covered at the event.
Dave McCarter gave a great overview of the VS 2005 IDE and its productivity features. No code to share on that one, you have to be there to see it!
I presented a talk on VB.NET and C# language enhancements. Samples include a few new VB.NET samples:
Several C# samples that are posted on the IDesign site:
I also presented a talk on ClickOnce and Smart Clients...the code sample is better seen in “live demo“ but here's the finished product of what I demonstrated:
And to wrap things up, Scott Mitchell gave a great talk on ASP.NET 2.0...he did most of his demos live, but I told him I'd post some of my finished ASP.NET 2.0 samples here that were related to his talk...since I have them handy:
aspnet20samples.zip
For more IDesign samples go here:
http://www.idesign.net/idesign/DesktopDefault.aspx?tabindex=5&tabid=8
Enjoy!
|
|
|
|
|
|
|
Friday, May 13, 2005
|
|
|
|
|
|
|
|
|
I recently received this question at SearchWebService.com...
How can I call a Web page from my Web service page after extracting an XML file into a dataset? My Web page will display data from a created dataset into a DataGrid control. Can I return data directly into a Web service page using Visual Studio .NET?
Probably because I have had to go through some interesting integration patterns in the past, I answered the question with two flavors...discussions welcome.
Here's my answer:
I think the best way to tackle your question is to review the workflow between client, Web service and Web application (pages). If the client application is the Web application, then the workflow looks something like this:
1. User browses to a page.
2. During the Page.Load event you invoke a Web service to get the dataset, before binding that dataset response to a DataGrid control on the Web page.
3. The page is returned to the browser with the populated DataGrid rendered as HTML.
The call chain looks like this:
Browser->Web Page->Web Service
What may be misleading about your question is the statement “call a Web page from my Web service”. Web services are data centric calls. They do not return HTML that can be displayed in a browser, therefore they should not be responsible for “calling” a Web page. Rather, the Web page should call the Web service to gather data, and present it. The driver behind the activity is the user who navigates to a page that leverages the service.
That said there is another possibility that can be interesting. Consider this workflow:
- User interacts with a Windows client application.
- The application at some point invokes a Web service to gather data from a remote server. The Web service establishes a session for the caller, and allocates the dataset to the session. The Web service returns XML that includes a link to a Web page exposed by the same server.
- The client application retrieves the XML response, which includes a URL to a Web page to navigate to (with session established) and the client application launches a browser (or, has an embedded custom browser) to the URL.
- The requested URL (page) retrieves the dataset from the session object, and displays the page fully populated.
So, the call chain is now:
Windows App->Web Service
Windows App -> Browser -> Web Page
This type of workflow may seem disconnected, however it is one technique whereby a legacy application can integrate with a modern user interface (through the browser) when the legacy app wants to integrate the modern application’s services as part of a user interface workflow, in addition to data exchange. For example, the insurance industry has many legacy agency management system applications, some even DOS-based entry screens, that “work” therefore will not be replaced. These agency management systems hold important data necessary to create certificates of insurance, a service often provided by external, modern applications. These modern vendor applications rely on data from the agency management system to function, therefore a data exchange must be automated as part of the workflow, enabling the modern application interface to pick up where the legacy system left off, and finish the job.
|
|
|
|
|
|
|
Monday, May 09, 2005
|
|
|
|
|
|
|
|
|
What a great turnout for the .NET conference in Long Beach last Saturday! I was amazed at how many faced I recognized from San Diego, Orange County and LA!!!
Anyhow, my slide deck for the presentation is here as promised:smartclient_ocevent1.zip (412.28 KB)
I'll update this blog post tonight with the code sample. Just cleaning up some things that I had converted for Beta 2. Stay tuned!
Updated 05/09/05 - code sample from demo:ClickOnceDemos.zip (368.13 KB)
|
|
|
|
|
|
|
Sunday, May 08, 2005
|
|
|
|
|
|
|
|
|
Ok, I noticed a few other little things about the publishing process through Visual Studio 2005, related to Beta 2. So, in an effort to save you all the 45 minutes I wasted on some of these things, here's the list. Luckily, I was somewhat aprised of this before I did my presentation yesterday, however, it still ate up some demo time given that things didn't always work the first time...
1. Publishing will continue even if you can't successfully build (see my previous post), so I recommend you always try to build first and watch your output. I know what you are thinking: “Oh, I'll just publish and check the output window for errors before I run the app”. But, I guarantee you will be sometimes seduced by that little browser window with the “Install” button...and you'll forget...and you'll find a bug...and you'll try to think about what the problem is but really you didn't get the latest assembly (or, worse, the assembly you're referencing never was built).
2. The “Properties” tab doesn't appear to be saved as part of the build step. So, if you make changes they won't be reflected when you publish...another ghost. The problem is, it still increments the published version, so you “think“ you have it.
3. Sometimes, not always, if you don't version your assemblies, the updated code is not deployed with the newly published version. This problem seems strange to me, since the published application version has been incremented...however I haven't had time yet to inspect what the cause of this is, in terms of the server deployment and its files.
If I see any more problems, or find a solution for these issues...I'll update this post. Feel free to comment if you find it before I do, I'm about to bury myself in ASP.NET 2.0 and Indigo for the next few weeks, I won't have much time for ClickOnce...
|
|
|
|
|
|
|
Friday, May 06, 2005
|
|
|
|
|
|
|
|
|
Ok, so I just had a long discussion with one of the smartest guys I know, my colleague, mentor and friend - Juval. We were talking about strong names, full trust the global assembly cache and .NET assemblies. It started out innocently enough, however as the discussion continued, we both insisted on being right...and as it turns out, we were both right...but I still lost $1 due to my own muddy description of the bet. Perhaps you've been confused by this as well? Read on...
She said:
When you deploy assemblies to the GAC, they get full trust.
He said:
No, you're wrong. The GAC has nothing to do with the assignment of privileges. You want to bet? I can prove it.
She said:
No, I'm sure of this, I do it all the time with my ASP.NET applications when I deploy business objects to the GAC. They get full trust. This is important because it is the only way I can reduce the privileges of the ASP.NET application assemblies (using the <trust> element as I discuss in my article here: http://www.theserverside.net/articles/showarticle.tss?id=SandboxingComponents), and then elevate privileges as needed to invoke assemblies that demand full trust or other permissions. The stack walk would fail, if I were not able to elevate privileges at some point, and assert to circumvent the stalk walk. I certainly don't want ASP.NET application assembly to run with full trust if I can avoid it.
He said:
Ha, I'm right. You see?
So, he demos his client app (EXE), with a dependency on another assembly (DLL) that was deployed to the GAC. He removed full trust for assemblies deployed to local machine. Then he invoked a .NET assembly that required full trust. Sure enough, the permission demand fails.
She said:
Crap. Thinking thinking thinking...Well, wait a minute, you need the policy to at least grant full trust based on the strong name or something like that? Darn it, what is it? I know there is something...ok I didn't describe this right...(fumbling)...I mean...er...I wasn't trying to say GAC = full trust, but that you need to deploy to the GAC, at least with ASP.NET...to get full trust...hmmm...ok, here's your damn dollar.
ABOUT AN HOUR LATER
She said:
Aha! I went and reread my article (above) and it jogged my memory...basically, ASP.NET runtime uses different security policies to assign permissions. Inside the security policies for ASP.NET such as web_lowtrust.config, web_hightrust.config, etc...there is a setting that pulls in full trust for GAC assemblies, automatically.
<CodeGroup
class="UnionCodeGroup"
version="1"
PermissionSetName="FullTrust">
<IMembershipCondition
class="UrlMembershipCondition"
Url="$Gac$/*"
version="1"
/>
If only I could remember these things in the heat of discussion, I would be $1 richer right now.
Ok, you were right...but so was I :) Ego somewhat repaired.
|
|
|
|
|
|
|
Friday, April 29, 2005
Monday, April 25, 2005
Saturday, March 26, 2005
|
|
|
|
|
|
|
|
|
In the short hour we had together on this subject, we looked at many features of Windows and Web localization for .NET 2.0. Big topic, so you’ll want references and code samples to ponder on, and I have collected my globalization resources here:
http://www.dotnetdashboard.net/sessions/globalization.aspx
Code samples I showed in the session are related directly to samples for my articles, but keep an eye on this reference page for updates coming for Beta 2! Also, the articles will help to review things in depth that we had limited time to touch on.
Oh, and stay tuned for more samples in May/June, when I’ll be writing some new articles based on the .NET 2.0 code base. Any requests on solutions you’d like to see added to the resource page? Email me!
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
I delivered not one, but two talks on this subject at the conference in Orlando…the first a fundamentals session, followed by a more advanced session that ended with ClickOnce. I have written some tutorials and articles on the subject that can be found here:
http://www.dotnetdashboard.net/sessions/versiondeploy.aspx
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
In this tutorial I reviewed the issues we revisit with our return to building Windows client (thick client, smart client) applications, including design, deployment and versioning, automatic updates, and ultimately we discussed what ClickOnce brings to the table.
My gui samples were mostly ad-hoc, but I'll be posting more resources on this subject for you soon, for 2.0. In the meantime, the versioning, deployment and security aspects I discussed can be found here, including a full tutorial of the process:
http://www.dotnetdashboard.net/session/versiondeploy.aspx
|
|
|
|
|
|
|
Monday, March 21, 2005
|
|
|
|
|
|
|
|
|
In this session I walked through some live demos using .NET 2.0 and ClickOnce, to demonstrate how the smart client story is evolving to solve deployment, versioning, automatic updates, offline/online connectivity, and more. Here are some more resources on the subject:
http://www.softinsight.com/bnoyes/
that's my colleague Brian Noyes blog, he writes pleny on ClickOnce, has many reference to other articles he's written on the subject, and is my own personal ClickOnce hero
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnreal/html/realworld11022004.asp
a fellow Regional Director, Mauro Sant'Anna, writes fantastic article on ClickOnce, also a must read
And, in addition, resources for .NET 1.1 versioning, deployment, update and security issues at this blog entry:
http://www.dasblonde.net/PermaLink.aspx?guid=544e8515-afa0-46d3-8586-8512e686a911
|
|
|
|
|
|
|
Wednesday, February 23, 2005
|
|
|
|
|
|
|
|
|
I recently received a question from a J2EE developer, who wanted to know how to get started with a multi-tiered architecture for .NET Web services.
The question:
I have some experience with J2EE and know that one good design is to create a multi-tier architecture. That is to say create control servers that will request processing from business tire (using some rpc) then forward the result to the display JSPs. I have never used .NET and need to build a web services application using this framework. My question is: what is the .NET alternative for that design? and where can I get the right information and documentation??
My answer:
.NET Web services are hosted within the ASP.NET runtime environment. They are exposed through .asmx endpoints which have what is known as a code-behind file that has a WebService-derived class linked to it. This class is essentially “the service”, and its methods (those marked with [WebMethod] attribute) are exposed as part of the automatically generated WSDL contract.
As a side note, typical of most platforms today, developers are building classes and methods to generate WSDL, however the better approach would be to create the WDSL contract first, and map that to business objects that handle processing. It requires discipline to follow this approach today.
The code that is encapsulated by the WebService object should never contain business logic, rather defer to other .NET assemblies that can be invoked in-process or out-of-process to perform the work required to execute the requested service method, and return a response (if not a one way method). That usually means that some form of façade layer is required to pull any business logic from the service class, and choreograph invocations to reusable business logic components (see Figure 1)
If you design your business logic in terms of logical, distributable services, then you should end up with a coupling of isolated sets of functionality that comprise an entry point assembly, one or more additional supporting assemblies, and some form of output or data store. For example, in Figure 1, you see that the application server tier has three entry point services: Service A, B and C. Imagine that Service C is a logging service that simply logs the Web service request “happened”; Service B is a service that handles the actual request processing, gathering data from the database, possibly committing some business information to the database; and Service A is a set of messaging and file IO services that handle generating some document output, like a PDF or email generated from the Web service request. Each of these business services can be isolated and distributed to whatever tiers you may desire, or be hosted entirely on the Web server tier, depending on your scalability requirements.
So, to your question, how do you distribute components and invoke them across tiers? Assuming your system is designed for reuse and distribution in this way, you can choose from Enterprise Services, Remoting or Web Services (these are the typical three choices).
- Enterprise Services is the best approach if you want to migrate to future technologies like Indigo, since the programming model will follow this route. That means registering Service A assembly (for example) as a serviced component with COM+, which implies it will be invoked over DCOM with binary serialization messaging format. The beauty of this is that you can leverage COM+ to handle object pooling, encryption, authorization services, runtime identity services and distributed transactions. A recommended resource for this is Juval Lowy’s book, COM and .NET Component Services.
- There are a few reasons why Enterprise Services may not be an option for you. One reason could be that restrictions were placed on the system deployment that precludes enabling COM+ services and MSMQ. This is usually an issue on inexpensive host domains (your $10/month service provider dilemma) or because the company imposes these restrictions (sometimes for no reason, sometimes for good reason). Remoting is an option for these cases, because it is a completely hand-rolled solution for invoking objects across process boundaries. Of course, this means rolling your own authentication, encryption, runtime identity impersonation, object pooling. No built-in support for distributed transactions will be provided here. A recommended resource for Remoting is Ingo Rammer’s book, Advanced .NET Remoting.
- Lastly, you can slap a Web service in front of the business services shown on the application tier. Note, I call them business “services” because they are services in their own right, a la “service-oriented” system design. Each major function within the system should be designed in a service-oriented way so that distribution of the components of that business service can be accomplished transparent to how the entire system cohesively functions. In addition, those services could be reused by other “systems”.
So, the entry point to a business service can be through the remote invocation techniques described in 1 & 2, or through Web services if the business service either a) already exposed Web services due to its reuse outside of the firewall, or b) if the input to the service should be XML, and you want to reduce parsing overhead between the outer Web service and the business service. Behind the firewall, binary serialization over a speedy TCP/UDP protocol layer will perform better than XML over HTTP. The options for serialization and protocol selection will be seamless in future releases of the .NET framework (Indigo) however today it is a design decision that requires considering the deployment and invocation model during the design phase of the system.
Figure 1
|
|
|
|
|
|
|
Wednesday, February 09, 2005
|
|
|
|
|
|
|
|
 
Dev connections is now the premier .NET developers conference out there. There are three main tracks: Visual Studio (C#/VB.NET/Framework/Visual Studio), ASP.NET and SQL Server. Many of my favorite speakers will be there and you'll get the latest from Microsoft on Indigo, Visual Studio Team Systems, and Visual Studio Tools for Office...all very cool technologies and platform tools.
So, in between visits to the poolside bar, and short bursts of sunny indulgence, you can slink your way over to a few of my talks too!!!
Pre-conference workshop: VPR202: Return of the thick client? What do I do now? (1:00 PM - 4:00 PM)
Sessions:
APF301: The Quest for Scalability: The Right Way to Design ASP.NET Applications
VFE205: Deploying and Versioning .NET Applications--Essentials
VDP351: Best Practice Approaches to .NET 2.0 Localization Architecture
Post-conference workshop:
VPS301: Fundamentals Track-- .NET Fundamentals Advanced Class (9:00 AM - 4:00 PM)
So...come on down, over or up to Florida for Dev Connections, wherever you may be today...
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
In a few weeks I'll be heading to Santa Clara in a few weeks to participate in the SD Expo conference. This is one of my favorite conferences because it brings together such a diverse crowd. Not only does this conference draw one of the largest C++ followings in terms of conferences, but you'll meet Java, XML, .NET, Security, Web Services and other types of experts that participate in the various tracks. I find this a great place to go if you want to mingle and learn from developers coming from other areas of expertise, or to dabble in some sessions in “the other world” from which you spend most of your time.
So, if you plan to join me there, be sure and come to my talks too!!!
Christian Gross and I are giving another joint tutorial on Web Services. Christian is one of my favorites speakers, a true philosopher, and this set of tutorials was very well received last year so we're updating it to the latest and greatest and joining forces once again:
(112) Web Services Part One: Web Services Theory
Time/Date: Monday (March 14, 2005) 8:30am - 12:00pm
(117) Web Services Part Two: Implementing Web Services Using .NET
Time/Date: Monday (March 14, 2005) 1:30pm - 5:00pm
(131) Web Services Part Two Continued: Implementing Web Services Using .NET Time/Date: Tuesday (March 15, 2005) 8:30am - 12:00pm
Then, we are doing a special tutorial presented by several of the Interop Warriors (www.interopwarriors.com), focused on WS* interoperability for Web Services platforms:
(140) Web Services Tools and Platform Interoperability
Time/Date: Tuesday (March 15, 2005) 1:30pm - 5:00pm
And I have some other general sessions throughout the week as well:
Best Practices for .NET Versioning and Deployment
Time/Date: Wednesday (March 16, 2005) 1:45pm - 3:15pm
Making Sense of all these Crazy Web Services Standards
Time/Date: Wednesday (March 16, 2005) 3:30pm - 5:00pm
Mastering the Offline Experience with Smart Clients
Time/Date: Friday (March 18, 2005) 8:30am - 10:00am
The Good, the Bad and the Ugly of Web Services Security
Time/Date: Friday (March 18, 2005) 1:45pm - 3:15pm
Designing Scalable ASP.NET Applications
Time/Date: Friday (March 18, 2005) 3:30pm - 5:00pm
We also plan to have an interesting discussion around the REST-ful Web Services topic, with some passionate followers on both sides in the room, this will be interesting!!!
Rest vs. Soap
Time/Date: Thursday (March 17, 2005) 7:30pm - 9:00pm
Hope to see you there....
|
|
|
|
|
|
|
Thursday, January 13, 2005
|
|
|
|
|
|
|
|
|
<blatantmarketing>
Here's a list of local classes I'll be teaching in San Diego at UCSD Extension this quarter. For the Master class, UCSD also helps international students to coordinate a visit to San Diego for the course...
 &  |
January 24-28, 2005 (8:00am-5:00pm): IDesign's .NET Master Class - outline, registration
UCSD Extension partners with IDesign to deliver IDesign's .NET Master Class, an intensive 5-day hands-on training experience, taught exclusively by IDesign. The next class will be held Jan 24-28, 2005.
Feb 8 & 10, 2005 (5:30-9:30pm): .NET Security - outline, registration
At UCSD Extension, new collection of advanced short courses targeting the busy professional are now being offered. This Winter learn .NET Security in one week by spending two evenings with Michele Leroux Bustamante of IDesign, Feb 8 & 10, 2005. Other certificate courses also available (see C# and VB. NET ). |
</blatantmarketing>
|
|
|
|
|
|
|
Wednesday, January 12, 2005
|
|
|
|
|
|
|
|
|
Tonight was my turn to present as part of Regional Directors presentation month in southern california. Tim Huckaby presented at the San DIego .NET Developer's Group last week, I presented to the VBUG in Orange County (with a good collection of C# UG members also present), and Paul Sheriff is next, presenting to the San Diego .NET User Group the last week of January.
Tonight I test drove my latest materials on .NET 2.0 ClickOnce and related subject matters for Smart Clients such as offline connectivity and data storage, versioning and deployment, security evaluation and elevation, and so forth. The slide deck is in PPT format here:
versiondeploysmartclient20.zip (979.02 KB)
Related links I showed at the end of my talk:
http://www.idesign.net - See some of the .NET 2.0 webcasts delivered by my colleagues
http://www.dotnetdashboard.net/sessions/versiondeploy.aspx - see my resources on .NET 1.1 versioning and deployment
Other Microsoft resources for smart clients:
http://www.windowsforms.net
http://msdn.microsoft.com/smartclient
|
|
|
|
|
|
|
Thursday, January 06, 2005
|
|
|
|
|
|
|
|
|
Yet another article published in December 2004, the architecture-focused continuation of the 15 Seconds article mentioned in my last blog entry. This one talks about architecture for ASP.NET applications to run with least privilege, design and allocate components, and handle runtime security elevation as needed while starving the application runtime of privileges to prevent hackers from getting in. Part 1 focuses on a solution without allocating other processes with Enterprise Services.
http://theserverside.net/articles/showarticle.tss?id=SandboxingComponents
Part 2 is being written as I write this...well, not exactly...but after I write this I'll get back to it...
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
VSTO (or, Visual Studio Tools for Office) 2005 is pretty darned cool. Yeah, I know about it...yeah, I've thought about it...and yeah, I know some day I'll spend some time using it...but not yet.
So, I stayed for Tim's presentation at the San DIego .NET Developer's group this past Tuesday, and realized that I can actually build better spreadsheets now, as a developer, using VSTO, than I ever stood a chance of doing just by using Excel directly. I suck at Excel macros, I never cared for VBA, but I love VSTO. The sheer idea of my own developer environment that I know and love letting me write some “code-behind” for my Excel spreadsheets and Word documents, letting me drag and dop buttons to create forms in a natural design environment, and letting me debug this like I would any other application...wow.
I know, it is nothing new, but I feel like I really “saw” it for the first time this week. Was it Tim's good looks, his killer presentation, or was I just ready to accept the promise of VSTO? We may never know the answer, but it doesn't matter, I'm going to build killer spreadsheets....er....as soon as I get a few minutes free...
Want to know more? Clearly I have no sample code to share (yet) but you can go here to get started:
http://msdn.microsoft.com/office/understanding/vsto/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
On Tuesday night this week I volunteered to do the 101 talk for the .NET Developer's group, before the famous and infamous Tim Huckaby did his killer, wicked Visual Studio Tools for Office (VSTO) presentation.
For my talk, I took a much deeper, advanced talk I do, which articulates 10 steps to versioning and deployment success, and I basically c-o-v-e-r-e-d t-h-e f-i-r-s-t b-u-l-l-e-t w-e-r-y w-e-r-y s-l-o-o-o-w-l-y to turn it into 1 hour of deep discussion on the subject of strong names, their value from a security and versioining perspective, some of the pains of using them, and some demonstrations to go along. The complete list of materials for this subject can be found on my versioning and deployment resource site:
http://www.dotnetdashboard.net/sessions/versiondeploy.aspx
The next time I do a 101 talk for this group, if Dave and Woody invite me back ;), I'll move to bullets 2 and three of the 10 step presentation...and so on, and so on, and so on...
What are the 10 steps I discuss in the advanced talk?
- 1.Use strongly named assemblies
- 2.Think before you GAC
- 3.Covet all private keys
- 4.Get to know Code Access Security
- 5.Evaluate runtime security requirements
- 6.Run with least privilege
- 7.Protect your intellectual property
- 8.Master assembly versioning
- 9.Design a deploy/upgrade strategy
- 10.Prepare for future of .NET
Enjoy :)
|
|
|
|
|
|
|
Tuesday, December 07, 2004
Wednesday, November 24, 2004
|
|
|
|
|
|
|
|
|
Glad to see everyone last night at this presentation, it was quite enjoyable, great questions from the audience as well which always makes my day! Here's the link to the site with access to my slide deck and other resources:
http://www.dotnetdashboard.net/resources/scalability.aspx
You can get the Enterprise Services sample from there, and a reference to my article which provide more detail. In addition, I demonstrated some asynchronous handler examples, but I found a great article from Fritz Onion on the subject, so here's the link to his article with access to his samples for the article, that will be even more detailed from that I demonstrated:
http://msdn.microsoft.com/msdnmag/issues/03/06/Threading/default.aspx
If you are new to handlers, check out my handlers page, with reference to some other articles I've written as well:
http://www.dotnetdashboard.net/sessions/handlers.aspx
Enjoy!
|
|
|
|
|
|
|
Saturday, November 13, 2004
|
|
|
|
|
|
|
|
|
Thanks to everyone who attended my talk at VS Connections this week in Vegas, despite the temptation to hit the Casino instead! You may have noticed my site was actually down all week, I had to move it to a new location, and I thank you for your patience.
Here's the link to my Versioning and Deployment Resource page which you may have already visited (that site wasn't down). I have updated the site with new content, however, so check it own again and let me know if you have any questions.
http://www.dasblonde.net/PermaLink.aspx?guid=17d12fa3-59c9-4c49-9cc6-9b62f959df19
Also, don't forget to check out the slides for my talk, there are many links in there to other resources.
Nostrovia!
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
I recently wrote up an article that discusses best practices for versioning and deployment of .NET components. In the article, and in my sessions on this subject I emphasize code access security, running with least privilege, versioning issues, publisher policies and more. Check it out here: http://www.15seconds.com/Issue/041103.htm
On a related resource page, you can find the tutorial I wrote for the code sample: http://www.dotnetdashboard.net/sessions/versiondeploy.aspx
This month, you can expect an article explaining .NET runtime security and sandboxing.
Cheers!
|
|
|
|
|
|
|
Wednesday, November 03, 2004
|
|
|
|
|
|
|
|
|
Hey everyone, I recently updated my localization resources page with the latest links to my articles, webcasts and code. Let me know if you want to see more!
http://www.dotnetdashboard.net/sessions/globalization.aspx
Look to this page first for updates to any of my article code, for example. I periodically updated my way of thinking about a problem, so this page will always have my latest best practices.
|
|
|
|
|
|
|
Saturday, October 16, 2004
|
|
|
|
|
|
|
|
|
Thought I'd christen my newly repaired blog (crossing fingers) with a new post about Service Pack 1 for the .NET Framework 1.1 - which has been available for over a month now (yes, I have been busy):
SP1 - http://www.microsoft.com/downloads/details.aspx?familyid=A8F5654F-088E-40B2-BBDB-A83353618B38&displaylang=en
Yesterday I finally had a chance to update my machines and take a closer look. Ironically, on the same day I had a fantastic conversation with Vivek Nirkhe from the VS 2005 Team System group ( http://lab.msdn.microsoft.com/vs2005/teamsystem/ ) on the issues of versioning; updating assembly version versus file version; and best practices for build process to handle distribution during development, the pass to QA and final release. He was kind enough to provide feedback on some of my concerns about SP1.
Much to my surprise, SP1 doesn't version the updated .NET Framework assemblies, which happen to contain a long list of fixes. My immediate thought was:
Why aren't they versioning their assemblies and shipping a publisher policy?
A publisher policy makes it possible for you to deploy updated assemblies to the GAC, and all installed applications will automatically bind to those updated assemblies. UNLESS, they override policy in their own app.config file. Therein lies the problem, according to the following blog post by Junfeng Zhang on the subject:
http://blogs.msdn.com/junfeng/archive/2004/10/11/240822.aspx
In summary he states:
- The service pack is security related, and we don't want customers to opt-out by publisher policy override
- The main reason for the concern in #1 is because through publisher policy override you must specify which assembly to override. Since SP1 includes multiple files, it is possible that applications will forget to include ALL of the assemblies in the override, and thus create a situation where some assemblies are 1.1, others SP1.
Ok, so this is a good call, because we all know this would happen and create a support nightmare. But, this exposes an inherent limitation to assembly versioning in .NET 1.1, which I have spoken about in some of my talks on the subject.
Assembly redirection, publisher policy overrides, and related assembly binding concepts can be configured in XML, through the local app.config or web.config for particular applications and subdirectories. But, you have to specify individual assemblies one-by-one even if you are configuring a single policy that should apply to multiple assemblies. If you miss one, time to trouble-shoot. But, if all SP1 files all carry the same version number, and no other group of updates carry that number, then shouldn't it be possible to specify a publisher policy override in one fell swoop, by identifying the version number the override applies to?
My wish list on this subject:
- Make it possible to deploy a publisher policy-like DLL to my local app.config, that supplies a binding policy that could group a number of assemblies and policies in a single DLL. Easier than an open XML config file that can be edited, and less error prone because it can be tested and deployed to clients.
- With this, SP1 could have updated version, shipped a publisher policy, and provided a publisher policy override in assembly format for anyone to override just in their application. They might need to do this, if for example they need some time to update fixed to their application for the service pack. I know, it is supposed to be backward compatible, however sometimes clients depend even on bugs in previous versions, for their code to work...strange and lame, but true.
- With this, deployment of fixes to local applications not installed in the GAC could include policy DLLs instead of hand-rolled updates to the local app.config/web.config. What if the customer has edited those config files? That means our installations have to edit the config, not ship a new one. This is painful. Let me ship a DLL that specifies a policy.
We don't have these options today, readily available, so they made the right choice for SP1 and vendors will have to make sure their apps function against it. And, there are plans to improve the versioning and deployment of framework vs. application assemblies in the future. Find out more in this insightful article by Cathi Gero and Jeffrey Ritcher:
http://www.theserverside.net/articles/showarticle.tss?id=AssemblyVersioning
So, the dogfood is just ok, and that's why with SP1, MSFT opted out of eating it. For single-assembly updates, it tastes a little bit better.
|
|
|
|
|
|
|
Wednesday, September 22, 2004
|
|
|
|
|
|
|
|
|
Before I get to the resources for this event, I have to tell you about the events surrounding it...just for fun. I landed in Boston Sunday at 4:30pm last Sunday, took a beautful drive to Richmond, VT to present at the .NET user group run by Julie Lerman. The drive from Boston to Richmond was really beautiful, and, even as the night fell the moonlight accentuated the walls of trees around the otherwise pitch-black highway. When I arrived a Julie's, starving, she was the most fabulous host - she had a home-cooked meal waiting in the oven, and a freshly made (delicious) apple pie saved for us (Julie, her husband and myself) to eat afterward. Yum. The next morning, we each worked and chatted for a while, then went for a 2 hour hike up one of the many mountain trails (I can see why you'd want to be an outdoorsy person in VT, really really beautiful views) and some lunch, before getting ready to go to the user group. I thoroughly enjoyed myself, thank you so much Julie, for the great hospitality and for taking time off to show me around a little bit :)
Thanks also to the group for coming out for this talk. It seemed like the topic was really well appreciated, and that always makes me a very happy camper.
Ok, so I have a few relevant resource pages for this talk here:
http://www.dotnetdashboard.net/sessions/handlers.aspx
http://www.dotnetdashboard.net/sessions/soapext.aspx
I am always updating these pages, so please do check them periodically for updates (I try to mark the date of each updated sample).
|
|
|
|
|
|
|
Sunday, September 19, 2004
|
|
|
|
|
|
|
|
|
I'm having a deja-vue here, because I think I've answered this question a number of times, pre-blog. However, since I once again have received the question, I'll go ahead and answer it once more, here.
The question: How do I invoke a Web service that supports session state, and maintain the session across posts?
The answer: The Web service proxy class, which derives from SoapHttpClientProtocol, has a property called CookieContainer. If you intialize this to an instance of the System.Net.CookieContainer type, it will store cookies returned to the client. When the same proxy, with the same instance of the cookie container, is used to invoke service methods, the proxy serializes cookies in the cookie container with the reqest, as a properly formed HTTP header. Before calling methods that support session state, be sure to create the CookieContainer and initialize the proxy like so:
System.Net.CookieContainer cookies = new System.Net.CookieContainer();
localhost.SessionService1 svc = new localhost.SessionService1();
svc.CookieContainer = cookies;
svc.UpdateHitCounter();
For a working demo, download this example, WSSessionCookie.zip. Be sure and note that a single instance of the cookie container is scoped for the lifetime of the application. If you assign a new cookie container to the proxy, previously stored session ID (or, other cookies) will not be passed with the request.
NOTE: I don't generally recommend using session state with Web services. The typical argument for its use is to support login-once scenarios. However, to maintain a logged in state this way, there isn't sufficient security to prevent replay attacks or sniffing session ID from the wire. OASIS WS-Security specifications describe how to safely pass tokens, including session-based tokens that have adequate expiry rules. Furthermore, they describe how to encrypt and sign the message to be sure no tampering has been done. For other types of session-based tokens, see WS-SecureConversation, WS-Trust and SAML specifications.
|
|
|
|
|
|
|
Thursday, September 16, 2004
|
|
|
|
|
|
|
|
|
Tonight I delivered a speech to the Orange County Architecture User Group in Irvine, CA. I definitely enjoyed all the great comments and questions from the group, thanks for attending the talk everyone!
Here is a link to my presentation slides in PDF format:
http://www.dasblonde.net/downloads/versiondeploybestpractices.zip
Some of the items mentioned during the talk:
And, here is a link to my versioning & deployment page:
http://www.dotnetdashboard.net/sessions/versiondeploy.aspx
On this page you'll find sample code with a detailed script that takes you through many of the demonstrations I showed tonight, in a single sample. Also in there are steps for versioning and handling publisher policy, but I have more links to add to this site when I post my slides. Stay tuned.
-------------------------------
NOW - I invite you to tell me your versioning and deployment pain points, I have many code samples, references and other resources and may not be organized on my site at this time...but if you ask for something that will give me incentive to post it. Tell me what you want to hear more about...
|
|
|
|
|
|
|
Saturday, September 11, 2004
|
|
|
|
|
|
|
|
|
How about that. Just one less thing to think about, when you need to map Win32 APIs to .NET [DllImport] statements, check out the PInvoke.NET wiki.
http://pinvoke.net/
What the .NET Framework class libraries don't provide, surely the Win32 API does. Everything from message constants to callback functions (delegates) and function declarations are provided. Of course, in community spirit what you can't find, please contribute after you figure it out.
For example, remember custom Windows messages with WM_USER? Well, search for WM_ and a list of defined message constants appears. No need to search through your dust-covered back-up CDs with those trusty C++ message definition headers. private const UInt32 WM_USER = 0x0400;
Search for EnumWindows, and you get all related definitions, including the callback EnumWindowsProc (in delegate form):
delegate int EnumWindowsProc(IntPtr hWnd, IntPtr lParam);
Several related functions including EnumChildWindows, EnumWindowStations, and EnumWindows (shown here):
[DllImport("user32.dll")]
static extern bool EnumWindows(EnumWindowsProc lpEnumFunc, IntPtr lParam);
You can even look up COM interfaces for exposing a specific interface (GUIDs and all) from a .NET assembly. The wiki also links you to the MSDN documentation on the requested element.
I, for one, think this was a great idea. And, it is much better organized than your average wiki, thus you can actually be productive with your searches.
|
|
|
|
|
|
|
Monday, August 16, 2004
|
|
|
|
|
|
|
|
|
While researching how to select unique rows from an existing DataSet I ran across many Google references to the following knowledge base article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;326176
NOW THAT YOU KNOW WHERE THE LINK IS, FORGET ABOUT IT!!!! In ADO.NET 2.0 this is now part of the DataView class built-in functionality, and the following article encapsulates this extended functionality in a more object-oriented manner for 1.x:
http://www.aspheute.com/english/20040123.asp
In 2.0, this functionality is available through the DataView class. Consider the following XML file stored as a string resource to indicate supported languages for a Web site:
<?xml version="1.0" encoding="utf-8" ?>
<supportedCultures>
<culture>
<culturecode>en</culturecode>
<language>English</language>
<country></country>
</culture>
<culture>
<culturecode>en-CA</culturecode>
<language>English</language>
<country>Canada</country>
</culture>
<culture>
<culturecode>en-US</culturecode>
<language>English</language>
<country>USA</country>
</culture>
<culture>
<culturecode>es</culturecode>
<language>Spanish</language>
<country></country>
</culture>
<culture>
<culturecode>es-EC</culturecode>
<language>Spanish</language>
<country>Ecuador</country>
</culture>
<culture>
<culturecode>es-ES</culturecode>
<language>Spanish</language>
<country>Spain</country>
</culture>
</supportedCultures>
If I want to populate a DataList with all supported languages, there are dupes in the file. But, I need the dupes to associate language with Country, for another purpose.
As the following code demonstrates, if I load a DataSet with XML (shown below using a StringReader to demonstrate how to load XML from a string resources, another hidden gem), grab the default view for the (only) table, set a filter on the view to exclude <language> elements that are empty, sort by language, then invoke the DataView.ToTable() overload that supports passing in DISTINCT requirements:
DataSet ds = new DataSet();
System.IO.StringReader rdr = new StringReader(cultures);
ds.ReadXml(rdr);
rdr.Close();
DataView dv = ds.Tables[0].DefaultView;
dv.RowFilter="language <> ''";
dv.Sort="language";
string [] distinct = {"language"};
DataTable tbl = dv.ToTable(true, distinct);
this.dlLanguages.DataSource = tbl;
this.dlLanguages.DataBind();
This is very useful if you are working with offline DataSets from within a smart client, or a cached DataSet supporting a Web application, and you want to bind different perspectives of the data to controls using consistent binding methods. No need to roll your own code to populate rows, or requery the data source.
|
|
|
|
|
|
|
Tuesday, August 03, 2004
|
|
|
|
|
|
|
|
|
Tonight I'm presenting at our local .NET Developers Group in San Diego how to secure your Web services with WS-Security and WS-SecurityPolicy using WSE 2.0. I will post any new code samples or slides here for reference after the talk, but my current resources page on this subject can be found here:
http://www.dotnetdashboard.net/resources/wse.aspx
After spending the past week *immersed* in mostly ASP.NET 2.0, primarily using all the new localization features for a whitepaper I just completed (cool stuff, more on that later), today I'm *immersing* myself in my WSE 2.0 presentation content. Surely I will soon have new things to share on that subject...just a matter of time to post them between deadlines :)
|
|
|
|
|
|
|
Wednesday, July 28, 2004
|
|
|
|
|
|
|
|
|
Sometimes we take for granted that everyone knows the productivity tricks available to developers in Visual Studio .NET 2003. One of the coolest tricks provided through Class View is a built-in feature that will generate shell functions for any interface your class implements. Here’s how it works. Add a new class to a project, and create a class definition that includes the interface implementation list. In this example, I'm creating a new HTTP Module:
public class ErrorsGoHomeModule: IHttpModule
{
public ErrorsGoHomeModule()
{
}
}
Then, go to Class View:
Right click on the interface, in this case, IHttpModule, and select Add/Implement Interface…
This generates the following code in my example:
#region IHttpModule Members
public void Init(HttpApplication context)
{
// TODO: Add ErrorsGoHomeModule.Init implementation
}
public void Dispose()
{
// TODO: Add ErrorsGoHomeModule.Dispose implementation
}
#endregion
Now you’re ready to implement required members!
|
|
|
|
|
|
|
Saturday, July 24, 2004
|
|
|
|
|
|
|
|
|
Some great discussions are going on regarding the choice of Enterprise Services, .NET Remoting and Web Services for .NET applications. I'm adding on, so sit yourself down...this has really long blog written all over it...
|
|
|
|
|
|
|
Sunday, July 04, 2004
|
|
|
|
|
|
|
|
|
Slight delay posting this, had a little trouble with the wireless in my Amsterdam hotel, and have been flying for a day to get back home!
I have resource sites related to the topic of this session, they are listed here in my post from Tech Ed San Deigo.
Thanks so much for the great feedback I received so far on this talk. I will be posting an update to my sample code in a few days, as soon as I get caught up on some seriously pressing deadlines. Right now, the code sample has everything I demonstrated with the exception of the HTTP handler that forces "Save As" download for configured resources such as XML files.
If you have other ideas for modules, handlers and SOAP extensions you are completely welcome to ask me, I may have some code lying around that I haven't cleaned up and posted yet!
Cheers!
|
|
|
|
|
|
|
Thursday, July 01, 2004
|
|
|
|
|
|
|
|
|
Thank you for attending my session last evening. As I mentioned, I gave this talk previously at Tech Ed San Diego, but since then I have actually added some more code samples and discussion points that I unfortunately didn't have time to explore during the session.
My globalization resource page can be found here:
http://www.dotnetdashboard.net/sessions/globalization.aspx
Look for a new sample with a script for versioning and deployment shortly. I'll update this blog entry when it is finally there. Thanks for coming to the session!
|
|
|
|
|
|
|
Thursday, June 24, 2004
Tuesday, June 22, 2004
Friday, June 18, 2004
|
|
|
|
|
|
|
|
|
In the code sample that started these recent blog posts, I was using GetHashCode() to display a unique value for a thread in a simple example, for visually unique identifier for a thread, without bothering to set the Thread.Name property. For this simple type of example, GetHashCode() has always done the trick (and I've always referred to this as the logical thread ID) because I didn't care if I was displaying the physical (Win32) thread ID, accessible via AppDomain.GetCurrentThreadId(). In an application that requires maintenance of a list of running threads, I usually set the Name of each thread (better for debugging as well) and hold on to each Thread reference:
ThreadStart del = new ThreadStart(Start);
Thread t = new Thread(del);
m_newThreads.Add(t); // ArrayList scoped globally
t.Name="Thread #" + m_newThreads.Count;
t.Start();
To display thread information:
this.listBox1.Items.Clear();
foreach (object o in m_newThreads)
{
Thread t = (Thread)o;
this.listBox1.Items.Add(t.Name + ": " + t.GetHashCode());
}
Notice that from each thread reference t I cannot access the physical thread ID since such a property doesn't exist on the Thread type. If I required this information I could always create a thread wrapper class that returns this information using AppDomain.GetCurrentThreadId().
This sample demonstrates this and a few other things related to the subject of process and thread identities. For example, you'll note that the process identifier accessed through Process.GetCurrentProcess().Id always returns the same process ID, whereas Process.GetCurrentProcess().GetHashCode() returns a different value for each thread. This is not because they are running in a different process but because the underlying code for GetCurrentProcess actually creates a new Process object reference based on the actual physical process:
return new Process(".", false, NativeMethods.GetCurrentProcessId(), null);
Of course, consistent with the purpose of GetHashCode() discussed in Lazy Blogger's references, this generates (you guessed it) a new hash code for the object reference.
|
|
|
|
|
|
|
Friday, June 11, 2004
Thursday, June 10, 2004
|
|
|
|
|
|
|
|
|
Thank you to everyone who attended the Security Summit in Anaheim this past Tuesday.
I promised you some links to resource sites, and here is my page devoted to the event:
http://www.dotnetdashboard.com/sessions/securitysummit.aspx
Here you will find links to the official Microsoft site for the event and the resources provided by Microsoft. I pulled some of the Microsoft links for topics mentioned throughout the day and put them on this site so you can find them more easily.
In addition, I have supplied a number of my own resource sites that will lead you to code samples I presented, in addition to more advanced samples.
If you have any questions, let me know!
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
A the Security Summit this week, several people asked me about the .mspx extension Microsoft uses for some of its resources. You can create a custom HTTP handler to process requests for custom extensions. That means you first have to register IIS to pass request for that extension to ASP.NET. This article mentions how to do this. Then, you create a custom handler to process the request, by registering an HTTP handler or handler factory (see more resources on handlers and factories) to do the work. The handler factory's job is to return the right HTTP handler for the request, so ultimately, you are building a handler. The handler might even generate HTML on the fly.
In the case of .mspx extensions, Microsoft uses this extension to generate XML-driven HTML content. This article talks more about the architecture.
http://www.microsoft.com/backstage/bkst_column_46.mspx
|
|
|
|
|
|
|
Monday, June 07, 2004
|
|
|
|
|
|
|
|
|
In less than 10 minutes I just created a VB.NET demo for an upcoming SearchVB.com webcast, using WSE 2.0. Policy rocks! However...even though I've been through this before, once again I was momentarily baffled by the fact that my service seemed to be authorizing my UsernameToken even though I submitted a bad password. Well, that's the policy cache baby!
Steps to create the sample:
- Create a Web service project, enable WSE 2.0 extensions for the service
- Add a custom UsernameTokenManager class to handle, well, UsernameToken authentication.
- Add code to authenticate by performing a database lookup and returning the password from the AuthenticateToken method. In this case, I'm just returning password, clearly not a real example.
Public Class CustomUsernameTokenManager
Inherits UsernameTokenManager
Protected Overrides Function AuthenticateToken(ByVal token As UsernameToken) As String
Return GetUserPassword(token)
End Function
End Class
Even without specifying a service side policy that requires a UsernameToken, the UsernameTokenManager will be invoked on each request and will validate the <wsse:UsernameToken> element passed with any requests. You should specify a policy as a best practice
- Create a Windows Forms client, add WSE 2.0 support BEFORE you add a Web reference to the Web service just created. This ensures that you get a WSE-aware proxy class.
- Add a couple of textboxes and a button to the Form, and handle the button click event by creating an instance of the WSE-enabled proxy, and invoking the service.
- Create a policy for the client to require UsernameToken signature
- Add code BEFORE invoking the WebMethod to create a UsernameToken object, and add it to the policy cache. Note: Here you'll notice that I'm clearing the cache before adding the token to the cache. This is where you'll run into trouble since the cache is not cleared unless you explicitly clear it.
Dim svc As New localhost.Service1Wse
Dim userToken As New
UsernameToken(Me.TextBox1.Text, Me.TextBox2.Text, PasswordOption.SendNone)
PolicyEnforcementSecurityTokenCache.GlobalCache.Clear() PolicyEnforcementSecurityTokenCache.GlobalCache.Add(userToken) Dim s As String = svc.GetSecret()
This brings up an interesting point about the policy cache. When should you populate it? When should it be cleared? Should we create policy cache managers that handle updating existing tokens when a new password is supplied?
Of course, this is a demo, so on most occasions, we wouldn't happily modifying passwords for the same user during the same session. However, a new UsernameToken is still added to the cache even if it refers to the same user, so beware of a) bloating the cache with tokens, and b) sending the wrong token (the first on in the cache wins!). In short, based on your client application, determine an efficient way to keep the cache free of junk. Perhaps store the token in the cache at login time, and reuse that token for each Web service request.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
I just had an email exchange with the famous Kimberly Tripp (who is rumored to be blogging soon, look out!) about best practices for setting up security architecture for distributed Web applications and services. My eyebrows were raised at some demo code I saw that used a hard-coded account for ASP.NET to impersonate:
<identity impersonate=true userName=dbaccess password=whatever />
The names of the accounts have been hidden to protect the source of the demo ;)
I know, it's only a demo, but people use this stuff so I gave some thought to what I would do, and checked in with my pal Kimberly to see what she would do on the SQL side.
First of all, the ASP.NET worker process runs under the identity as configured in the <processModel> setting by default. (BTW this is a low privilege account that should probably be renamed since all potential attackers will know the default account name for default ASP.NET system deployments.) This account has access to the temporary ASP.NET file folder, so if you use impersonation, you may be required to give impersonated accounts access to the same folder, depending on what resources the Web application accesses. IMHO, database access accounts have no business being related to the ASP.NET worker process account, in terms of permissions, in general. Besides, there is likely to be a separate application server that handles all business logic including database access. Also, attack prevention is about adding layers of protection, and isolating resource ownership, so it makes more sense to let the ASP.NET worker process run under its account, and create appropriate accounts for database access (admin, readonly, readwrite, writeonly) that are configured in SQL server with appropriate permissions. Another further consideration is scalability with impersonation when invoking database resources. Connection pooling is isolated by security context.
So, if we don't want to impersonate, how do we access the database resource through a Windows account? Also, should we use Windows accounts? Kimberly says: In general the best way to protect access is to allow Windows authentication only, making sure that the sa account has a strong password (regardless of it being disabled). Also be sure to keep the sa account as a back door in the event that Admin accounts are removed from the Windows ACL list (inadvertently, but possible) so that you still have access to DB resources.
So, your Windows ACLs will include perhaps a few limited privilege accounts that are specifically configured in SQL server for read and/or write access to specific tables. These accounts can also be used as the identity under which various components in your DALC layer (probably serviced components) run, thus they are able to propogate credentials to SQL when invoking ADO.NET calls. If the serviced component (living on the application server tier) is securely invoked by the ASP.NET application front end (living on the Web server tier) because the application has verified the user's credentials (custom role-based security for typical non-Intranet application) and verified they (or the application) has the right privilege to invoke the DALC component...we are good to go.
Of course, every application deserves its own architecture review, so the real point of this short note is:
- Impersonation adds configuration overhead,
- Design for distribution of your Web application components, thus expect to require a secure invocation across tiers (Enterprise Services, registered components),
- Have a trusted component run with appropriate identity to talk to the database, so that credentials are propogated through integrated Windows security between components and SQL Server. One way to do this is to use a registered COM+ component (Enterprise Services) as the DALC layer,
- Configure limited access Windows accounts for this communication to reduce the affect of any potential hacker exploits (if they can even get this far down the pipeline, past your DMZ to the application tier presumably)
- Limit the number of Windows accounts configured in SQL to control access to resources, to optimize connection pooling
Nuff said.
|
|
|
|
|
|
|
Monday, May 31, 2004
Friday, May 28, 2004
|
|
|
|
|
|
|
|
|
Thanks to everyone for getting up so early (two days in a row, some of you!) to attend this session! The resources for this talk are here:
The latest code is up there now!
|
|
|
|
|
|
|
Wednesday, May 26, 2004
|
|
|
|
|
|
|
|
|
Thanks to everyone for getting up so early to attend this session! Wow, what a turn out! The resources for this talk are here:
The latest code is already uploaded to the site, and more samples are bound to be there soon...
|
|
|
|
|
|
|
Tuesday, May 25, 2004
|
|
|
|
|
|
|
|
|
This talk started out with a bang as Don and Doug collected a list of questions from the audience that they planned to answer throughout. The best part about this was that the questions were really great. For example: When should you use .NET Remoting vs. Enterprise Services? What will happen to COM+? When does COM matter? Should we use ASMX?.
After this, they proceeded to go through exactly 3 slides. Cool bullets…
- There is only one program and it is still being written.
- Choice is an illusion.
- Objective interpretation is an oxymoron.
The question is, what do the bullets really mean? Clearly, Don and Doug are great philosophers who enjoy abstracting the meaning of technology, where have we been, where are we going, how do we get there…all that. So, I’ll give you my interpretation (which we know from the bulleted list will not be shared by everyone).
First of all, the meaning of SOA (something the masses struggle with big time) is that we need to design systems (or, services) as well encapsulated, autonomous chunks of functionality that can be consumed by other systems, across departmental, enterprise, and possibly industry boundaries. This is one big program (the matrix anyone?)…metaphorically speaking…although of course not literally. If we design systems with the expectation that we cannot control where and who consumes them, we will fit within the SOA model. Contracts for these services, once published, must remain constant…because we have no idea who is consuming them, nor when.
In a related topic of discussion regarding the definition of service interfaces, we must consider that there can be many interpretations of a service schema. For example, if an industry like ACORD (for insurance) defines what XML looks like for a certificate of insurance, does that mean all systems following that standard will interpret EVERY element of the schema in the same way? Or, might there be different (valid) renditions of this schema? For example, could an xsd:int value be delivered as an xsd:string instead and still be meaningful? Sure it can. Could a subset of the schema be used by the destination endpoint? Absolutely. Thus, by definition we need extensibility and we need to be prepared for variant interpretations. In addition, the object model behind a service will rarely look exactly like xsd-generated classes. Services must be able to interpret XML payloads in their own way, and process them according to the needs of the system. What all of these competing Web service vendor platforms can agree on is the goals of SOA and the protocols (WS*) that are required to interoperate. Proof of this of course is in my recent experience with the Web Services Interoperability Education Day. This is exciting stuff, to see emerging standards work across platforms…we will continue on our quest there.
I enjoyed the philosophy shared during the talk, but must admit that the questions asked at the beginning were so compelling that I was really looking forward to their answer. I almost think they could have done two complete presentations. One for the philosophy, another for the Q&A. So, although there wasn’t a lot of time for answers at the end, here’s a summary of what I captured:
- COM will not disappear, it will be part of hybrid solutions, and transparent to the service interface.
- Remoting is useful for crossing app domains, but not for crossing machine boundaries. Use it for fault tolerance within a process (one app domain goes down, the main process stays alive).
- Crossing machines and processes, DCOM is fastest binary protocol, and can be secured, which means EnterpriseServices (ES). This also facilitates DTC transactions. Oh, and MSMQ is integrated here so you can also guarantee message delivery.
- On ASMX serialization vs. binary serialization with remoting, ASMX will be faster than .NET remoting, short term performance gains using remoting today will not position your applications for future releases (I.e., Indigo). You can expect better performance with ASMX in future as programming models change, and frankly what impacts performance most is usually bad architecture, including hardware choices and physical tier distribution. One thing that will also support performance improvement at a more granular level is also XML parsers…something the team is working on.
- How many WS* protocols do we need? Less. SOAP/XML is a great start. WS-Security is critical for end to end message integrity. We need standard protocols for interoperability, thus we need tools to assist with serialization, such as WSE 2.0.
- WSE 2.0 gives us a chance to work with WS* protocols now, while waiting for Indigo. The important thing is to realize it is taking you in the right direction. It keeps you in the game. These standards move fast, so does the WSE team. Indigo will just swallow it all making it even easier once standards are more stable.
- MTOM is the future of DIME.
- SAML will be supported, because WSE is extensible. Actually, Benjamin Mitchell and I worked on a SAML sample for our interoperability demonstration with Axis/SourceID…so we kinda already have a start on that!
- Your ES investment with COM+, MSMQ will be supported by the world of Indigo. Of course!
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Get it here
Rebecca Dias hung out with keynote Steve Ballmer and announced the release of WSE 2.0, the successor to 1.0 component libraries with support for OASIS WS-Security protocols in addition to several features of WS-Policy (specifically WS-SecurityPolicy) and WS-Trust/WS-SecureConversation. This is truly an attribute to .NET’s extensibility model that the WSE team can build support for emerging standards (as they emerge) through use of HTTP handlers and SOAP extensions. The WSE team has one of the fastest release cycles at Microsoft, and I expect they will continue to plung forward to support more of the WS* standards so that we can have tools at our fingertips to interact with these protocols with a lot less pain (or, WS-Pain as I call it).
NOTE: If you’re at Tech Ed, come see my talk on HTTP handlers, modules and SOAP extensions. DEV410: Inside the ASP.NET Runtime: Intercepting HTTP Requests, Wednesday 8:30am in Room 8.
This release gives developers a simple way to use Web services security protocols that enable:
- Passing security tokens
- Authenticating callers
- Ensuring message integrity
- Ensuring message confidentiality
This tool has the best support out there today for generating WS-Security and WS-Policy XML, and help you see the value of the actual standard.
Becky, can I have a WSE T-shirt now?
|
|
|
|
|
|
|
Monday, May 24, 2004
|
|
|
|
|
|
|
|
|
After a long week trouble-shooting last minute issues between .NET, WSE 2.0, BEA Workshop 8.1, Apache Axis and SourceID...we pulled off our Web services event without a hitch! What does that mean? Well...for one, all the demos worked. This is significant because although we each had our own test plans hitting remote and local endpoints...the first we were able to get together and test on the actual machines for the demo was Friday when each speaker arrived to San Diego. Here's how Friday played out:
- Heinrich arrives at San Diego airport at 1pm, we head to my technology palace to hook our machines up to the NAT router and have his BEA code hit the token issuer on my machine (which would be Ben's machine later that night), and the Axis web service on Chris' remote server.
- Anant meets Heinrich and myself at UCSD to test the configuration at the event venue, and we switch to Anant running the Axis service. This didn't quite work (configuration was fragile, too many settings to modify each time we moved service endpoints) so I left them (and my machine) to figure it out while I was off to pick Ben up at the airport
- Ben's plane is late, I call Anant and Heinrich, they come to the airport so we can trouble-shoot the configuration issues while we wait. We can't afford to lose time...it's already 7pm
- Ben arrives and immediately spots us. We were sitting at the airport, connected machines via router, people staring (what the?)...as they walked by. It's 8:30pm
- We head back to my place, call for pizza on the way, Adam Cogan waiting on us (he wanted to see our demo...give us feedback). We work on configuration with Ben's machine, then proceed to run through the demos and discussions. By 2am we were ready...a few hours of sleep later and we were setting up at UCSD!
Ted Neward gave an incredible keynote, not only educating us on interesting historical facts while explaining that we are destined to repeat the same mistakes over and over again if we don't approach SOA, Web services and enterprise component architectures incorporating lessons learned from the failure of past architectures such as CORBA and DCOM. He is a phenomenal speaker, and great philosopher, and what I really like about Ted is that he backs up every statement he makes with cold hard facts and reasoning.
We ended up spending some time describing Web services, and what the purpose of WS-Security and WS-Policy were, before we got to demos...however the audience truly seemed to appreciate the overview, as much as they enjoyed the demonstrations to follow. I'll get some links up soon that make reference to resources. In the meantime, some detailed discussions of the event went are already up on John and Benjamin's respective blogs. Benjamin writes about the panel discussion that followed the code demonstrations. He also summarized Ted's keynote.
I plan to summarize some of the interesting things I noticed while trouble-shooting the code as our human interoperability tester...stay tuned...
|
|
|
|
|
|
|
Thursday, May 20, 2004
Saturday, May 08, 2004
|
|
ON THIS PAGE
|
|
|
|
SEARCH
|
|
|
|
CATEGORIES
|
|
|
|
ARCHIVES
|
| | Sun | Mon | Tue | Wed | Thu | Fri | Sat | | 29 | 30 | 31 | 1 | 2 | 3 | 4 | | 5 | 6 | 7 | 8 | 9 | 10 | 11 | | 12 | 13 | 14 | 15 | 16 | 17 | 18 | | 19 | 20 | 21 | 22 | 23 | 24 | 25 | | 26 | 27 | 28 | 29 | 30 | 1 | 2 | | 3 | 4 | 5 | 6 | 7 | 8 | 9 |
|
|
BLOGROLL
|
|
|
|
|
 |
|