 Sunday, October 10, 2004

Now I can say I'm non-fluent in one more language, Italian. What a fabulous place, too bad my site went down while I was gone and unable to grab email despite numerous efforts. Sigh...back to work...alora, no me piache...

10/10/2004 8:05 AM
 Saturday, September 25, 2004

Thanks to everyone that attended this on Thursday night, it's one of my favorite topics! I mentioned several resources you could access now, and that I'm adding some new content for an upcoming article and an advanced presentation at Dev Connections.

For now, get my latest version of these resources here:

http://www.dotnetdashboard.net/Resources/wse.aspx

I will be updating this site with more in late October, when I formalize my new code samples. That will include my password hashing example.

Thanks again!

 

 

9/25/2004 3:21 PM Security | Web Services | WSE
 Wednesday, September 22, 2004

This entry has references for both of my talks at SD Best Practices (www.sdexpo.com) in Boston this week. I apologize that the slide decks are not on the conference CD; however, I was invited to cover for another speaker, and therefore my materials were not part of the materials submission deadline, as they were different talks from those originally scheduled.

I have added some supporting resources to the link below, related to security as well. Enjoy!

http://www.dotnetdashboard.net/resources/scalability.aspx

Thank you for attending both talks, and please email me with any questions we could not get to within the timeframe.

 

 

9/22/2004 8:20 PM Architecture | Speaking/Events | Web Services

Before I get to the resources for this event, I have to tell you about the events surrounding it...just for fun. I landed in Boston at 4:30pm last Sunday, took a beautiful drive to Richmond, VT to present at the .NET user group run by Julie Lerman. The drive from Boston to Richmond was really beautiful, and, even as the night fell the moonlight accentuated the walls of trees around the otherwise pitch-black highway. When I arrived at Julie's, starving, she was the most fabulous host - she had a home-cooked meal waiting in the oven, and a freshly made (delicious) apple pie saved for us (Julie, her husband and myself) to eat afterward. Yum. The next morning, we each worked and chatted for a while, then went for a 2 hour hike up one of the many mountain trails (I can see why you'd want to be an outdoorsy person in VT, really really beautiful views) and some lunch, before getting ready to go to the user group. I thoroughly enjoyed myself, thank you so much Julie, for the great hospitality and for taking time off to show me around a little bit :)

Thanks also to the group for coming out for this talk. It seemed like the topic was really well appreciated, and that always makes me a very happy camper.

Ok, so I have a few relevant resource pages for this talk here:

http://www.dotnetdashboard.net/sessions/handlers.aspx

http://www.dotnetdashboard.net/sessions/soapext.aspx

I am always updating these pages, so please do check them periodically for updates (I try to mark the date of each updated sample).

 

9/22/2004 7:21 PM .NET | ASP.NET | Speaking/Events
 Sunday, September 19, 2004

I'm having a déjà vu here, because I think I've answered this question a number of times, pre-blog. However, since I once again have received the question, I'll go ahead and answer it once more, here.

The question: How do I invoke a Web service that supports session state, and maintain the session across posts?

The answer: The Web service proxy class, which derives from SoapHttpClientProtocol, has a property called CookieContainer. If you initialize this to an instance of the System.Net.CookieContainer type, it will store cookies returned to the client. When the same proxy, with the same instance of the cookie container, is used to invoke service methods, the proxy serializes the cookies in the cookie container with the request, as a properly formed HTTP header. Before calling methods that support session state, be sure to create the CookieContainer and initialize the proxy like so:

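// One container instance, kept for the lifetime of the application
System.Net.CookieContainer cookies = new System.Net.CookieContainer();
localhost.SessionService1 svc = new localhost.SessionService1();
// The proxy stores returned cookies here and sends them with later calls
svc.CookieContainer = cookies;
svc.UpdateHitCounter();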

For a working demo, download this example, WSSessionCookie.zip. Note that a single instance of the cookie container is scoped for the lifetime of the application. If you assign a new cookie container to the proxy, the previously stored session ID (or other cookies) will not be passed with the request.

NOTE: I don't generally recommend using session state with Web services. The typical argument for its use is to support login-once scenarios. However, to maintain a logged-in state this way, there isn't sufficient security to prevent replay attacks or sniffing the session ID from the wire. OASIS WS-Security specifications describe how to safely pass tokens, including session-based tokens that have adequate expiry rules. Furthermore, they describe how to encrypt and sign the message to be sure no tampering has been done. For other types of session-based tokens, see WS-SecureConversation, WS-Trust and SAML specifications.
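The following is an added example, not code from this post or from WSSessionCookie.zip. It shows what a CookieContainer will replay for a session cookie and audits the container for the exposure the note describes. The host name and session ID values are constructed placeholders; ASP.NET_SessionId is the default ASP.NET session cookie name.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

static class SessionCookieAudit
{
    // Lists weaknesses in the cookies this container would send to serviceUrl.
    static List<string> Audit(CookieContainer jar, Uri serviceUrl)
    {
        var findings = new List<string>();
        if (serviceUrl.Scheme != Uri.UriSchemeHttps)
            findings.Add("service URL is not https: cookies cross the wire in clear text");

        foreach (Cookie c in jar.GetCookies(serviceUrl))
        {
            if (!c.Secure)
                findings.Add(c.Name + ": no Secure flag, so it is also sent over plain http");
            if (c.Expires != DateTime.MinValue)
                findings.Add(c.Name + ": persistent cookie, expires " + c.Expires.ToString("u"));
        }
        return findings;
    }

    static void Main()
    {
        // Constructed values: the host, path and session IDs are placeholders.
        var https = new Uri("https://svc.example.test/SessionService1.asmx");
        var http = new Uri("http://svc.example.test/SessionService1.asmx");

        // What the proxy's container holds after the server returns a bare session cookie.
        var weak = new CookieContainer();
        weak.SetCookies(https, "ASP.NET_SessionId=constructed-id-1; path=/");

        // The same cookie issued with the Secure attribute.
        var hardened = new CookieContainer();
        hardened.SetCookies(https, "ASP.NET_SessionId=constructed-id-2; path=/; secure");

        // Cookie header each container would attach to a later plain-http call to the same host.
        Console.WriteLine("weak over http:     '{0}'", weak.GetCookieHeader(http));
        Console.WriteLine("hardened over http: '{0}'", hardened.GetCookieHeader(http));

        // A fresh container has nothing to send, so the server starts a new session.
        Console.WriteLine("new container:      '{0}'", new CookieContainer().GetCookieHeader(https));

        foreach (string f in Audit(weak, https)) Console.WriteLine("weak: " + f);
        foreach (string f in Audit(hardened, https)) Console.WriteLine("hardened: " + f);
    }
}
```

Against a real proxy, the same Audit call can be made on svc.CookieContainer with the proxy's Url after the first service call.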

9/19/2004 7:08 AM .NET | Web Services
 Thursday, September 16, 2004

Tonight I delivered a speech to the Orange County Architecture User Group in Irvine, CA. I definitely enjoyed all the great comments and questions from the group, thanks for attending the talk everyone!

Here is a link to my presentation slides in PDF format:

http://www.dasblonde.net/downloads/versiondeploybestpractices.zip

Some of the items mentioned during the talk:

And, here is a link to my versioning & deployment page:

http://www.dotnetdashboard.net/sessions/versiondeploy.aspx

On this page you'll find sample code with a detailed script that takes you through many of the demonstrations I showed tonight, in a single sample. Also in there are steps for versioning and handling publisher policy, but I have more links to add to this site when I post my slides. Stay tuned.

-------------------------------

NOW - I invite you to tell me your versioning and deployment pain points. I have many code samples, references and other resources that may not be organized on my site at this time...but if you ask for something, that will give me incentive to post it. Tell me what you want to hear more about...

9/16/2004 8:42 PM .NET | Architecture | Speaking/Events
 Saturday, September 11, 2004

How about that. Just one less thing to think about: when you need to map Win32 APIs to .NET [DllImport] statements, check out the PInvoke.NET wiki.

http://pinvoke.net/

What the .NET Framework class libraries don't provide, surely the Win32 API does. Everything from message constants to callback functions (delegates) and function declarations is provided. Of course, in community spirit, please contribute what you can't find after you figure it out.

For example, remember custom Windows messages with WM_USER? Well, search for WM_ and a list of defined message constants appears. No need to search through your dust-covered back-up CDs with those trusty C++ message definition headers.

 private const UInt32 WM_USER                   = 0x0400;

Search for EnumWindows, and you get all related definitions, including the callback EnumWindowsProc (in delegate form):

delegate int EnumWindowsProc(IntPtr hWnd, IntPtr lParam);

Several related functions including EnumChildWindows, EnumWindowStations, and EnumWindows (shown here):

[DllImport("user32.dll")]
static extern bool EnumWindows(EnumWindowsProc lpEnumFunc, IntPtr lParam);

You can even look up COM interfaces for exposing a specific interface (GUIDs and all) from a .NET assembly. The wiki also links you to the MSDN documentation on the requested element.

I, for one, think this was a great idea. And, it is much better organized than your average wiki, thus you can actually be productive with your searches.

9/11/2004 5:55 PM .NET | Interoperability
 Friday, August 20, 2004

In the California Performance Review (CPR) released August 3rd, 2004, the review board is recommending to our Governator that he consider open source alternatives to their IT solutions. Consider is good, favor is bad. The problem is that the review is so heavily slanted to open-source as this magic bullet for solving the world’s IT problems…that there may be risk that a top-down initiative is given to adopt an open-source only approach to IT. No doubt the government needs to streamline their approach to IT, and they are likely wasting money on legacy system maintenance, pre-built packaged software deployment (often referred to as custom-off-the-shelf, or COTS products) and possibly lack the IT horsepower in some areas to make effective, forward-thinking decisions. Still, that doesn’t mean it’s right to take the completely opposite stand: open-source or bust!

Since I’m planning to attend the hearing in San Diego tomorrow and contribute, I have been reading the CPR, and in there they quote the following resource for their list of features that distinguish open-source.

http://www.opensource.org/docs/definition.php

In fact, they use the entire list verbatim, without realizing that perhaps not all items in this list are absolutely unique to open-source. In my opinion this is misleading, and therefore deserves a good commentary bashing. Here’s my shallow, sarcastic and somewhat glib interpretation of “the list”:

  1. Free Redistribution: The software can be given as part of a package with other applications;

Not all third party applications require a license fee to redistribute therefore this does not “distinguish” open-source. For example, Microsoft .NET developers can build applications targeting the platform, and redistribute the runtime to support their application.

  2. Source Code: The code must either be distributed with the software or easily accessible;

Great! So now our government IT departments will spend time writing code at the kernel level, and hopefully it won’t introduce bugs to the system. Well, I’m sure that along with affording the most qualified administrators and developers, they’ll also have an entire QA team that can verify modifications to the operating system or software plumbing source are “ok”.

Oh for goodness sake, that’s why vendors charge for their products. It’s an economy of scale - you pay a vendor to make sure they test their products, support them into the future, and are held accountable for security and other software patches. Sure, it’s not a perfect science, sometimes we wait for patches, but the overall good outweighs the potential disaster of taking on that responsibility in-house.

  3. Derived Works: The code can be altered and distributed by the new author under the same license conditions as the product on which it is based;

Right, and what’s more, when those licenses are invalidated by all of the infringing patents that lurk, they get to violate those as well. Neat! C’mon people you are reaching for bullet points here. Oh, you want an example of the potential problem? Here ya go:

http://news.com.com/Group%3A+Linux+potentially+infringes+283+patents/2100-7344_3-5291403.html?tag=nl

  4. Integrity of the author's source code: Derived works must not interfere with the original author's intent or work;

Terrific! So, correct me if I’m wrong, but basically does this mean that anyone who modifies source and gives it back to the community to share is on an honor system to “not interfere”. And if someone fails to meet this requirement, are they sent to jail? Do they receive a good IM scolding? Will they lose all their network gaming friends?

Basically my concern here is “who is accountable?” Software vendors are accountable for their software quality. They are obligated to follow business practices, follow development procedures, and answer to their clients. Sure, not all clients are satisfied all of the time…but you can bet they’ll do everything in their power to address critical issues.

  5. No discrimination against persons or groups;

This is an interesting bullet. So, do software vendors discriminate? If you ask me, and I’m assuming you did because you are reading my blog, the discrimination comes from the higher barrier to entry in the open-source community. Because there are fewer productivity tools and in some cases even fewer helpful references for getting started, fewer new developers are able to quickly be productive. Worse, they may take 4x, 6x, 10x to do the job of a seasoned engineer, therefore there are fewer in the community skilled enough to save companies on development costs. This also feeds the issue of #2 above.

  6. No discrimination against fields of endeavor: Distributed software cannot be restricted in who can use it based on their intent;

Again with the “discrimination” thing, but this is completely vague so I have nothing more to say here except:

 What on earth do you mean by this?

  7. Distribution of license: The rights of the program must apply to all to whom the program is re-distributed without need for an additional license;

See #1

  8. License must not be specific to a product; Meaning that an operating system product cannot be restricted to be free only if used with another specific product;

Hey, free is free, however you get it free…who cares? Besides that, I have no idea how this comment really helps government IT.

  9. License must not contaminate other software; and

Well, the term was “restrict” not contaminate…I guess this is intended to draw attention…and, well look there you have it. The point here was to ensure open-source software license didn’t require other software shipped with it to be open-source. I don’t know how other vendors infringe on this…anyone else know?

  10. License must be technology-neutral.

Meaning, you can use open-source software to build any type of software application your little heart desires. Yep, I can do that with other platforms as well.

 

So, let’s review shall we? What have we all learned?

 

#1 and #7 make good points that perhaps some costs can be saved on open-source. No argument here, some software platforms require license fees. They also require support fees for additional support. Choose the right tool for the right job then…decide if you want to save money in development time & effort, in the number of developers on staff, or in the costs for licenses. Leave the choice open.

#2 is great for people that write their own compilers. Sounds like a good time to get a high-paying Government job. Otherwise -  useless.

#3 is a potentially dangerous reason why not to choose open-source.

#4 makes no case for open-source as better, sorry.

#5 and #6 are, well, just silly.

#8, #9, #10 – bla bla bla - no compelling argument for or against from what I can see…

Following the overview the review proceeds to talk about the core benefits of using open-source in mission-critical implementations because it is, and I quote from the CPR:

  • More secure due to the extreme scrutiny of the source code before being deployed;
  • Can be run in multiple environments (i.e. Unix, Linux and Microsoft);
  • May be less expensive to manage (no maintenance contracts or upgrade costs); and
  • Often less vulnerable to viruses.

More secure?

Ok we all know security flaws are well publicized when it relates to the big giant, Microsoft. However, there are also Web sites devoted to Linux security flaws. Microsoft stays on top of their security patches because they have to, to be credible, to survive. In the Linux world concerns over the timeliness of patches are an issue. Also, recent concerns have evolved related to the fact that a malicious attacker could modify the Linux source and reintroduce it to the open-source community resulting in numerous implementations using corrupt packages. How can this be prevented? Companies have to test the software internally. So, now you have to hire an operating system QA team on top of your software QA team, if you even have one. Right.

Multiple Environments?

It is true that Microsoft solutions only run on Microsoft operating systems. But what about other vendor solutions such as BEA WebLogic? They run on Windows, Linux, Unix. And besides that, most companies can’t afford to staff up on multiple operating systems and platform environments. Platform choices are made based on many factors including the application of choice, the current install base, and the skill set of the team to manage it. Interoperability through Web services makes it possible to connect disparate systems - that’s the whole point. The right tool for the right job and all that jazz.

Less Expensive?

Possibly for some, but not for all. What about productivity? What about licensing fees paid to third-party vendors that will provide security patches for open-source? What about hardware costs? What about the price for more seasoned developers? A larger QA team? The cycles burned trying to figure out code that isn’t well documented? I could go on…

That’s why the choice needs to be there. It is imperative that each government entity make choices that are right for their requirements, their environment, the existing staff, existing hardware and infrastructure, and so forth.

Less Vulnerable?

See #1.

 

Ok, so now that I've had my fun sharing my less politically correct thoughts...let's come back to the basic message of this commentary:

  • The selection of software vendor and platform is one that should be made based on requirements and leverage on a case-by-case basis.
  • Open-source should not be excluded from this selection process, but should not be preferred by policy as that might exclude a government entity from making a better choice for their needs and leveraging existing assets.
  • The CIO Council and regional CIO to California should take an interest in defining standards for evaluating ROI on product selection, and should take an active role in guiding the selection process and ensuring that well educated IT and development staff are employed to manage this selection and implementation process.

All in all, my disappointment in the CPR is that it appears to have been written with a clear slant for open-source because it is “free” without considering all of the other costs involved for developer productivity, testing, training, maintenance, security, monitoring activities, manageability and more. They should be terminated :)

 

 

8/20/2004 1:08 AM What The?
 Monday, August 16, 2004

While researching how to select unique rows from an existing DataSet I ran across many Google references to the following knowledge base article:

http://support.microsoft.com/default.aspx?scid=kb;en-us;326176

NOW THAT YOU KNOW WHERE THE LINK IS, FORGET ABOUT IT!!!! In ADO.NET 2.0 this is now part of the DataView class built-in functionality, and the following article encapsulates this extended functionality in a more object-oriented manner for 1.x:

http://www.aspheute.com/english/20040123.asp

In 2.0, this functionality is available through the DataView class. Consider the following XML file stored as a string resource to indicate supported languages for a Web site:

<?xml version="1.0" encoding="utf-8" ?>
<supportedCultures>
  <culture>
    <culturecode>en</culturecode>
    <language>English</language>
    <country></country>
  </culture>
  <culture>
    <culturecode>en-CA</culturecode>
    <language>English</language>
    <country>Canada</country>
  </culture>
  <culture>
    <culturecode>en-US</culturecode>
    <language>English</language>
    <country>USA</country>
  </culture>
  <culture>
    <culturecode>es</culturecode>
    <language>Spanish</language>
    <country></country>
  </culture>
  <culture>
    <culturecode>es-EC</culturecode>
    <language>Spanish</language>
    <country>Ecuador</country>
  </culture>
  <culture>
    <culturecode>es-ES</culturecode>
    <language>Spanish</language>
    <country>Spain</country>
  </culture>
</supportedCultures>

If I want to populate a DataList with all supported languages, there are dupes in the file. But, I need the dupes to associate language with Country, for another purpose.

As the following code demonstrates, I load a DataSet with XML (shown below using a StringReader to demonstrate how to load XML from a string resource, another hidden gem), grab the default view for the (only) table, set a filter on the view to exclude <language> elements that are empty, sort by language, then invoke the DataView.ToTable() overload that supports passing in DISTINCT requirements:

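// Requires: using System.Data; using System.IO;
DataSet ds = new DataSet();
// Load the XML from the string resource (cultures)
StringReader rdr = new StringReader(cultures);
ds.ReadXml(rdr);
rdr.Close();

// Filter out rows with an empty <language>, then sort by language
DataView dv = ds.Tables[0].DefaultView;
dv.RowFilter = "language <> ''";
dv.Sort = "language";
string[] distinct = { "language" };

// true = return only distinct rows for the listed columns
DataTable tbl = dv.ToTable(true, distinct);
this.dlLanguages.DataSource = tbl;
this.dlLanguages.DataBind();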

This is very useful if you are working with offline DataSets from within a smart client, or a cached DataSet supporting a Web application, and you want to bind different perspectives of the data to controls using consistent binding methods. No need to roll your own code to populate rows, or requery the data source.

8/16/2004 7:28 PM .NET | ADO.NET

What The? happened to WinZip functionality? This is a silly little post but something that annoyed me so I figured a few other readers might care. Now that XP has this cool new shell extension for generating ZIP folders, some of the features of WinZip appear to be obfuscated by this integrated Explorer experience. I was puzzled by the need to run the original WinZip classic experience just to create a password protected ZIP file, but I finally figured out that there actually is a way to do this within Explorer. Create a ZIP file, open it in a new Explorer window, from the File menu select Password Protect...que bueno!

 

8/16/2004 5:48 PM What The?