 Wednesday, November 14, 2007
Thanks to all that attended the full-day tutorial at Dev Connections last Monday - Improve Your SOA: Designing a Secure, Reliable and Scalable System. It was certainly an avalanche of rich topics related to SOA and WCF. At last I have compiled the long list of resources from the day, including references to some getting-started resources for those new to WCF.

Getting Started Demos

Code from the book is organized by subject matter. I specifically illustrated samples from these subdirectories: \Exceptions, \Security, \Security\ClaimsBased, \Instancing, \Concurrency, \Bindings, \QueuedMessages, \Transactions, \ReliableSessions.

If there are other resources you are looking for specifically, please drop me an email and I'll add them to this post. Thanks!

Technorati Tags: Dev Connections, WCF, SOA
 Monday, November 12, 2007
I just returned from another fantastic Dev Connections conference in Las Vegas. For the four sessions I delivered, this post lists the code samples and resources I referenced. If you are looking for something specific and can't find it here, shoot me an email. Tutorial resources will be posted separately. Enjoy!

Introduction to C# 3.0
Exploring Windows CardSpace
ASP.NET and WCF: Meet Your New Web Service
Architectural Considerations for ASP.NET Applications

- GalleryDemo20 - This sample illustrates different globalization techniques, including the use of generated resources for page content, the use of resources to select localized images and dynamically loaded user controls, the use of localized database tables, and caching based on theme, culture and query string params.
- CustomResourceProviders - This sample illustrates the use of custom localization expressions and custom resource providers. The code is based on this article: http://msdn2.microsoft.com/en-us/library/aa905797.aspx and updated for VS 2008.
- Extending the Visual Studio IDE for localization - I wrote a follow-on article on this for MSDN; it has not yet been published (hopefully soon, backlog), but I will post the code here in an update to this post after a quick review later this week.
- Distributed Boundaries - This sample was based on the ConnectionOrientedBindings lab from Chapter 3 of my book Learning WCF. All the code for my book is here: http://www.thatindigogirl.com/LearningWCFCode.aspx. This particular sample shows how to use a WCF service behind your ASP.NET applications to introduce a security boundary between NETWORK SERVICE and access to data and other resources. I talked about this in two articles for the server side, long ago:
- TransactionsOverHttp - This shows how to flow transactions over WCF web services, but I have many more examples of WCF transactions here: http://www.thatindigogirl.com/LearningWCFCode.aspx
- MessagingIntermediaryVia - Illustrates a pass-through router over HTTP where even reliable messaging headers can pass through in both directions.
- MessagingIntermediaryDuplex - Illustrates a duplex router that supports reliable messaging headers two-way, out of band, over named pipes.
 Monday, October 22, 2007
 Sunday, September 16, 2007
I have been working with, writing about and presenting on CardSpace for over 2.5 years now...and in the process refining how I describe to people the benefits of information cards for improving security for end-users. In particular, end-users that are not like us developers...everyday people that don't know how to choose which sites are unsafe, which links to click in email, and so on. Consider the following malicious PayPal email:

You can see that the "Click here to verify your information" link is not really sending you to the PayPal site. I see this because I hover over the link to verify the destination...but most non-developers won't know to do this. For those unsuspecting users the story might play like this:

- They go to the destination site, which might look just like the PayPal site.
- They try to log in, and it fails repeatedly. In the meantime, they enter every combination of username and password they use at various sites...perhaps including their online banking site.
- The malicious site collects these combinations of username and password.
- The user gives up logging in.
- The malicious site now tries to log in to the real PayPal account, or worse, to some of the major well-known online banking sites.
- If they are lucky, and the user is unlucky, one of those username and password combinations will work at the online banking site, and they can write themselves a check, or otherwise play havoc with the user's bank account.

It is that easy to lift a username and password combination. So, how do information cards issued by CardSpace (or any other identity selector) help? Let's assume that the user has associated a personal card with their PayPal account...if PayPal supported information cards. The same scenario might go like this:

- The user gets the evil email. They click the link and head to the malicious site that looks just like PayPal.
- If the site doesn't support information cards, the user will be suspicious because they always log in with a card.
- If the site shows support for information cards, the user may fall for it and click on the "log in with personal card" link, which takes them to CardSpace.
- CardSpace will ask the user to confirm the site by reviewing its privacy statement and site identity. This should tip off the user that this is not the site they think it is, since they would normally only see this the first time they hit a site. If they had logged in to PayPal before with a card, they wouldn't see this screen:
- Assuming this isn't enough to tip off the user, and they continue, the next strange behavior will be that they are asked to select a card to send to the site...but there will not be any list of cards already used at this site. They should have seen at least one personal card present, as shown here:
- Assuming this is still not enough to tip off the user, and they decide to select a card to send...the destination site will receive a security token with the requested claims, which may include any personal information that you can enter into a personal card, such as name, address, phone number, date of birth, and the card's private personal identifier (PPID). BUT, if the site requests more claims than PayPal does, there are still more indicators of the malicious site. The first is that the user will be informed that the site is requesting new claims:
- This should really stop the user in their tracks, but they can preview the data requested and decide if they are comfortable sharing this data, as shown here:
- If the malicious site wants any data I never share with PayPal, the user would probably stop here. But, let's say they continue and add the data, or, let's say they had already entered the data for this card so it wasn't necessary to provide it here. For example, I might create a personal card with my home and business details in full...but that doesn't mean I send all those claims to every site. Perhaps only to my online banking site, because they require an address and phone number to help prove who is sending the card. So, even if the card already has all the details, the user is still warned that new claims were requested and should be approved:
- The user can (and should) preview the requested data. In fact, I think that CardSpace should force the user to preview it the first time. Furthermore, the new data requested should be called out in red here...so it is obvious.
- Now, the user is ultimately responsible for approving sending the information to the malicious site after all of these indicators that something is amiss. But, let's say that they proceed and send the information. What happens then?
- The site gets a signed security token with the user's name, address, phone number and date of birth. Nothing so risky as an SSN or passport number.
- The same token carries the card's PPID; however, this PPID will not be the same PPID as the one used for PayPal, because every site gets its own PPID for the card.

So, what can the malicious site do with all this information? Can they log in to PayPal now?

- No, because they don't have the right PPID: presumably PayPal has associated its own PPID with the account, which is not the same as the one the malicious site received.

What else can go wrong? A malicious party could somehow get their hands on the PPID information. This wouldn't be so easy, since the security token issued by CardSpace is always encrypted when sent...but once it arrives at the PayPal site it is open and available for view, and someone could look over your shoulder as you view your card to send to PayPal and see the PPID for PayPal right there. If this happens, there is another security measure available. Each personal card has a private key associated with it, called a master key. That master key is used to sign the security token sent to the site. Only your exact card installed in CardSpace can sign the token with this private key. Thus, if the site associates the PPID plus the hash of the master key cert with your account, only tokens signed with the correct private key and carrying the correct PPID will be authenticated. A malicious party cannot get the master key unless they export your cards from the machine and import them to their machine. Hopefully the user has a password on their laptop. Hopefully, if they export cards and import them to another machine, they do it safely and destroy the copy they put temporarily on the USB drive to transfer the cards. Still, this is MUCH MORE SECURE than the username and password we use today...because now a malicious party has to get physical access to a user's machine or to a USB drive with exported cards...and figure out the password protection in the latter case, since exported cards are encrypted. Hopefully this helps explain how CardSpace and personal cards HELP sites to protect users...better than username and password do today.
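The site-specific PPID and master-key signature described above, as an added example that is not code from this post or from CardSpace itself: a simplified C# model (.NET 5+ / C# 9 assumed) in which an RSA key pair stands in for the card's master key and the PPID is an assumed hash of card id plus site identity rather than CardSpace's actual derivation, showing why a token captured by a look-alike site, or a PPID read over the user's shoulder, is rejected at the real site.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// What the identity selector hands to a site: claims, the site-specific PPID and
// a signature from the card's master key (modelled here as an RSA key pair).
public sealed class CardToken
{
    public string Audience, Ppid;
    public SortedDictionary<string, string> Claims;
    public byte[] PublicKey, Signature;
    // The audience is signed too, so a token issued for a look-alike site is not
    // valid at the real one even if the PPIDs were somehow equal.
    public byte[] SignedBytes() => Encoding.UTF8.GetBytes(Audience + "|" + Ppid + "|" +
        string.Join(";", Claims.Select(kv => kv.Key + "=" + kv.Value)));
}

public sealed class PersonalCard
{
    private readonly byte[] cardId = new byte[16];
    private readonly RSA masterKey = RSA.Create(2048);   // never leaves the selector
    private readonly SortedDictionary<string, string> claims;
    public PersonalCard(IDictionary<string, string> c)
    {
        RandomNumberGenerator.Fill(cardId);
        claims = new SortedDictionary<string, string>(c);
    }
    // Assumed simplified derivation: hash of card id + site identity, so the same
    // card yields a different PPID at every site.
    public string PpidFor(string site)
    {
        byte[] h = SHA256.HashData(cardId.Concat(Encoding.UTF8.GetBytes(site)).ToArray());
        return BitConverter.ToString(h).Replace("-", "").Substring(0, 32);
    }
    public CardToken IssueToken(string site)
    {
        var t = new CardToken { Audience = site, Ppid = PpidFor(site), Claims = claims,
                                PublicKey = masterKey.ExportSubjectPublicKeyInfo() };
        t.Signature = masterKey.SignData(t.SignedBytes(), HashAlgorithmName.SHA256,
                                         RSASignaturePadding.Pkcs1);
        return t;
    }
}

public sealed class RelyingParty
{
    public readonly string Identity;
    private readonly Dictionary<string, string> accounts = new();   // PPID -> key fingerprint
    public RelyingParty(string identity) => Identity = identity;
    private static string Fingerprint(byte[] spki) => Convert.ToBase64String(SHA256.HashData(spki));
    // At association time the site stores PPID + hash of the master-key cert.
    public void Register(CardToken t) => accounts[t.Ppid] = Fingerprint(t.PublicKey);
    public string Login(CardToken t)
    {
        if (t.Audience != Identity) return "rejected: issued for another site";
        if (!accounts.TryGetValue(t.Ppid, out var fp)) return "rejected: unknown PPID";
        if (fp != Fingerprint(t.PublicKey)) return "rejected: master key mismatch";
        using var rsa = RSA.Create();
        rsa.ImportSubjectPublicKeyInfo(t.PublicKey, out _);
        bool ok = rsa.VerifyData(t.SignedBytes(), t.Signature, HashAlgorithmName.SHA256,
                                 RSASignaturePadding.Pkcs1);
        return ok ? "ok" : "rejected: bad signature";
    }
}

public static class Demo
{
    public static void Main()
    {
        var card = new PersonalCard(new Dictionary<string, string> { ["name"] = "A. User" });
        var paypal = new RelyingParty("https://www.paypal.com");
        paypal.Register(card.IssueToken(paypal.Identity));
        var phisher = new RelyingParty("https://paypal-verify.example");   // constructed look-alike
        Console.WriteLine(paypal.Login(card.IssueToken(paypal.Identity)));   // ok
        CardToken stolen = card.IssueToken(phisher.Identity);   // the user fell for the e-mail
        Console.WriteLine(stolen.Ppid != card.PpidFor(paypal.Identity));   // True: PPIDs differ
        Console.WriteLine(paypal.Login(stolen));   // rejected: issued for another site
        // A PPID read over the user's shoulder is useless without the master key:
        var forged = new CardToken { Audience = paypal.Identity, Ppid = card.PpidFor(paypal.Identity),
            Claims = stolen.Claims, PublicKey = RSA.Create(2048).ExportSubjectPublicKeyInfo(),
            Signature = stolen.Signature };
        Console.WriteLine(paypal.Login(forged));   // rejected: master key mismatch
    }
}
```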
 Saturday, September 15, 2007
You may have noticed after installing Visual Studio 2008 that if all of the projects in a solution don't compile, you can't debug the one that DOES compile. This causes problems for me when I work with WCF, because I may want to update the service code and later update the client proxy....in the meantime, changes I made, such as deleting the existing proxy, don't compile anymore...so I can't run the solution. There are two settings that affect this:

a) All projects are compiled each time you try to run
b) If errors are encountered, the environment is set not to run at all

You can address this in one of two ways. You can compile only those projects that you need to, by checking the "Only build startup projects and dependencies on Run" setting as shown here:

Or, you can set the environment so that it runs the old version of any projects that don't compile, as shown here:

The latter causes more problems in my opinion, because you may not realize you are running an older version of one or more projects. The former is what I choose to set my environment to, since it allows me to compile only the dependencies of the project I'm trying to test at the moment. Thus, I can recreate my service references from scratch without having to comment out client code that doesn't compile in the interim. There...annoyance gone.

Technorati Tags: VS 2008, Debugging
As some of you may know, several of us at IDesign (Juval, Brian and myself) are in the midst of a two-week .NET 3.5 Roadshow - six cities in two weeks where we collectively cover WCF, WF, WPF, CardSpace, federated and claims-based security concepts, and some key aspects of .NET 3.5 such as new C# 3.0 language features and ADO.NET 3.5, including LINQ and the Entity Framework. I'm personally covering WCF security, federated and claims-based security, C# 3.0 and ADO.NET 3.5. For those of you attending (or not), here are links to the code samples I'm presenting:

VS 2005 samples
Download VS 2008 Samples (UPDATED 10/11/07)

This download includes all samples referenced above, in addition to .NET 3.5 samples for C# 3.0 and LINQ, and IDesign's declarative security model, including a recent version of our ServiceModelEx library.

Other relevant resources discussed:

Any questions? Email me.

-Michele

Technorati Tags: CardSpace, WCF, LINQ, C# 3.0
 Wednesday, August 22, 2007
 Tuesday, August 21, 2007
After my travelling-without-a-cell-phone nightmare, which I blogged about here, I moved my phone number to a backup phone - the VCast Chocolate. Months ago I had thought that I might want to switch to this phone from time to time when travelling on vacation (a rare occurrence) because it is a nice small form factor, and it can double as a nice MP3 player. In preparation for this, I asked the Verizon store if there was a product that would support moving my copious Outlook contacts to the phone, so that I wouldn't have to retype them into the phone. They pointed me to the Verizon Mobile Office Kit - and I bought it. As per usual, after buying a new toy my schedule sometimes gets the better of me, and I didn't try it out right away. I needed to yesterday...since I switched to the VCast. Of course, now I'm running Vista on both my machines...and the product says it only supports XP, of course. I call support to see if they can answer some questions about the product, and I get some guy acting as a liaison between me and technical support. Three times he puts me on hold to ask them a question:

Question 1: Is there an updated driver for the USB connector to the phone, and Vista?
Answer = No, it was supposed to be August...it is not ready and they have no ETA. Nice.

Question 2: Do they know for a fact it won't run on Vista? Has anyone tried it?
Answer = No, they haven't tried it, but they don't think so.

Question 3: If I find an XP machine to install it on, can I move my Outlook contacts?
Answer = No, that won't work. It doesn't integrate with Outlook.

Question 4: But, when I bought the package, I was told it would. Will they give me a refund now?
Answer = No, it is long past the 30-day window.

Question 5: Can you put me through directly to tech support so I can talk with them about options for exporting Outlook contacts to the program...there is probably a way...but I need to talk to them directly.
Answer = Ok, but we don't usually put you through directly...since you have so many questions I will do it.

The person on tech support tells me it does import Outlook contacts, and can send contacts to the phone as well as pull contacts from the phone. Relief. I decide to install the software on Vista...despite what they said. The LGE USB modem driver won't install on Vista, but I install the software, which then prompts me to connect the phone to the USB port. I do it, Vista tries to find a driver...after about 10 minutes, no luck. I search the internet for USB modem drivers...and as luck would have it I find a forum with a 32-bit and 64-bit driver. Unzipped the driver and connected the phone again. After 10 minutes...I have a driver!!!! Now, to set up the software. Oh, wouldn't you know? Import/From Outlook...bam...I have all my contacts! Send to phone...bam...all my contacts are now on my VCast. Easy. I guess you have to ignore tech support...though the last guy was nice enough to check after I pressured him...most of them just give a cookie-cutter answer, drones. Imagine if I was not technical...and didn't know that there must be a logical way to import contacts...and find drivers...I'd be typing in phone numbers still today...
Well, I have had an interesting couple of days with phones, my friends. It all started in New London, Connecticut this past Saturday evening. I had just attended Carl Franklin's birthday party, watched a wickedly funny taping of his show Mondays (that I was part of in the early days), attempted to learn to like bourbon (it didn't take; I think I'll stick to fine wine) and saw some good friends like Kimberly Tripp and Paul Randall (the newlyweds), Richard Campbell and Stacy Holt, Scott Hanselman and his lovely wife Mo, Patrick Hynds and lovely wife Sabine, Miguel Castro, Mark Miller, Don XML and of course the birthday boy himself, Carl Franklin, and his lovely wife Gretchen (the hostess with the mostess). I returned to the hotel after this...and as I slept peacefully my Motorola Q was supposedly charging happily through the USB connection to my laptop. Something tragic happened this unsuspecting night. I woke to the Q completely dead...the power to the wall no longer servicing the laptop...but the laptop still had charge, which meant that I had power for most of the night...for sure (Vista would have sucked it dry of charge in 1.5 hours flat). The phone should have been charging and greedily sucking laptop battery power...so I knew something was amiss. In haste I plugged the laptop in elsewhere and tried connecting the phone once again. Not one of the USB ports on my Sony Vaio (the old laptop) would give the phone charge. Concerned, I fired up the new Acer Travelmate, trying its USB ports...one of them gave charge. Relief...or so I thought. So I grabbed a coffee and strolled down to the beach for 1 hour, expecting to return to a charged Q...ready to use. NOT. The Q was not charged enough to boot, at least. Try as I might, nothing would give the Q enough charge to boot. I went down to brunch with Richard, Stacy, Kimberly and Paul...for sure one of them would have a suggestion for my problem. They are geeks after all (well, except Stacy...she's cooler than a geek).

In fact, Stacy thought I could revive it with the wall charger, thus I had to wait patiently to arrive home before I could be sure. I felt naked without my phone...and I had to fly home that way. This was the beginning of the nightmare I call "will I get home tonight?". If I had had my working cell phone, I would have logged in to the internet to see if my upgrade went through, and discovered the flight was delayed 4 hours leaving Providence. Alas, I find this out at the airport, and they put me on standby for the earlier flight that was supposed to leave at 2pm, now leaving at 5pm, which is when my flight was supposed to leave. So many questions:

- Will I get on the flight? If not, shouldn't I be having dinner with the gang back at Carl's instead of sitting in the airport that has no Starbucks?
- If I do get on the standby flight...will I make my connection?
- If I don't, can I stay with my friend Gillian in Chicago?
- If I arrive on the late flight, should I stay with Gillian anyway, or just head to a cheap local hotel since I have to return to catch the morning flight in?
- How the hell can I coordinate all this crap without a freaking cell phone!?!?!?

And so Part 1 of the nightmare begins... There was a line of Verizon pay phones right by the gate, so I stared at them for a few minutes first, trying to remember how to use them. Let's see, you can use coins, a calling card (no go here), or credit card. It looks like you can get 4 minutes with 4 quarters, so I went for it; I got change.

- Call #1: Put in 4 quarters, several drop out, finally 4 stay in. I call Gillian to see where she is at. The call rings, and then stops dead. I hang up, quarters pop out.
- Call #2: I call the operator, ask for help, put in the 4 quarters again, call goes through, then goes nowhere. I hang up, quarters drop out.
- Call #3: I call the operator, ask to pay with credit card. No problem, give the numbers, call goes through. Gillian is not answering (probably out running a marathon or something) so I leave a message. Oh, wait, she can't call me back...tell her to leave a message with my machine, I'll check my messages, and tell her to keep her damn phone on (don't worry, we go way back to university days in Toronto).
- Call #4: I call the operator, ask to pay with credit card again...once again give all the numbers, call goes through to Gillian. Tell her she could also call Andres just in case. Tell her I'll call back if I don't get on standby.

Now I'm sick of putting in the dang credit card number every call, so I hook up my laptop. Of course no cell phone, so I have to get a T-Mobile day pass first...now I'm online. Yes! I have Skype-to-phone all hooked up...so I call my cell and check messages...nothing yet. Where's Gillian? Wait a bit, IM with Richard and Carl about my delay...wish I was having dinner and drinks over there...standby sucks. We finally have an ETA to leave Providence on the standby flight...later than we thought, I'm definitely missing my connection. Oh, by the way, all of this is due to weather in Chicago...they were in chaos over there.

- Call #5: I Skype to Gillian's cell...ahhhh...much easier than stupid credit card pay phone calls...and faster. New update, I'm missing my connection, if I don't call in 1 hour, I got on standby, let's have dinner!!! Yeah! Leave a message on my stupid cell phone and I'll manage to check them somehow via T-Mobile.
- Call #6: just before the flight is to leave, check messages. Easy, Skype to my cell...ahhhh...I love this. And, only .021 cents per minute! I wish I could think of more calls to make ... this is fun...but I should do some work...

I get on standby...awesome...but I'm still going to miss my connection, so that's the next mess to deal with in Chicago. Arrive in Chicago in one piece...OMG the airport is in complete chaos...people lying around all over the place...piles and piles in each gate area...just a mess. I go to a pay phone again. I'm scared, I can hear the theme from Jaws in my head as I approach the line of pay phones...but I go in to make the call anyway. There was no room to sit and fire up my computer.

- Call #7: Call the operator to use my trusty credit card again...wouldn't you know you can't charge a local call to a credit card? I wanted to call Gillian, tell her I would be able to make my flight.
- Call #8: I plop in 2 quarters to make a local call...plunk plunk...they drop through. I go to the next two pay phones, same result. I call the operator again and explain that the phones won't take my quarters, I don't have a calling card...how do you suppose I make a local call? "Sorry, I can't help you" is the response. PAY PHONES SUCK!
- Call #9: Can I make a long distance call using my credit card please? I call my cell phone, check messages. PROBLEM. When I hit # to go into voice mail to check messages...the call disconnects. CRAP CRAP CRAP CRAP CRAP CRAP CRAP. I try again...in case I'm mistaken. Yet another credit card call. Hit #. CRAP CRAP CRAP CRAP CRAP CRAP CRAP. I can't check freaking voice mail from a pay phone!!!!

At this point I'm really pissed. I go to the United Red Carpet lounge...fire up the computer, fire up Skype.

- Call #10: I Skype my dead cell phone to check messages. Gillian has left a few messages regarding her plans for the night.
- Call #11: I Skype Gillian, whazzup? At last she answers!!! Yeah!!! I update her on my flight status.
- Call #12: I Skype Andres...I'm getting on the flight...check the Internet for landing time!

At last, the phone call hell ends. I can go to my gate, catch my second late flight, and make my way home to sleep. If only I had more battery left in my computer to get more work done. Now, to deal with the broken phone. Charging it in the wall charger didn't solve the problem...call Verizon. No, not from a pay phone...from a home phone. We try to reset the phone, no go. Luckily I'm within the 1-year warranty, they'll ship me a new Q overnight! Yeah! So, we switch the phone number over to my backup phone, the VCast Chocolate. And here another short saga begins...but I'll save that for the next post. The moral of this story is:

- Travelling without a cell phone is a nightmare
- Pay phones are useless
- Pay phone operators are useless
- It is a good idea to set up a Skype-to-phone account for emergencies, and carry your headset with you of course
- Have a backup cell phone handy in case your phone bites it and you need to swap out
 Thursday, August 16, 2007
Today I completed a webcast as part of a 15-part series - today's subject: concurrency, throughput and throttling. I received some questions about callbacks and Windows client applications that I thought I would elaborate on here. In fact, I went a little overboard and created a bunch of samples that illustrate the behavior of services and clients when you have a Windows client, a service with a callback contract (thus, two-way communication) and various WCF settings at the client and service that relate to concurrency, multithreading, synchronization with the UI thread, and so on. The following table summarizes various settings at the client, service and callback and the resulting behavior at runtime. Here's the breakdown for each column:

- Callback Sync Context - refers to the UseSynchronizationContext setting for the CallbackBehaviorAttribute on the client callback object.
- Callback Concurrency Mode - refers to the ConcurrencyMode setting for the CallbackBehaviorAttribute on the client callback object.
- Service Operation - Indicates if the service contract operations are one-way or two-way.
- Callback Operation - Indicates if the callback contract operations are one-way or two-way.
- Service Concurrency Mode - refers to the ConcurrencyMode setting for the ServiceBehaviorAttribute on the service type.
- Resulting Behavior - when the corresponding sample is run, what happens?

I have also uploaded sample code for each of these scenarios, numbered in the order of the table rows below. Get the code here.

| Callback Sync Context | Callback Concurrency Mode | Service Operation | Callback Operation | Service Concurrency Mode | Resulting Behavior |
|---|---|---|---|---|---|
| True/False | Single/Reentrant/Multiple | One-way/Two-way | Two-way | Single | These are the defaults. InvalidOperationException at the service. The operation would deadlock calling the client application, since the callback is two-way and reentrancy isn't possible. |
| True | Single/Reentrant/Multiple | Two-way | Two-way | Reentrant/Multiple | Service able to call client, but client is blocked because of the outgoing call. |
| False | Single/Reentrant/Multiple | Two-way | Two-way | Reentrant/Multiple | Service able to call client, client callback object is not blocked. If the client callback object tries to communicate with the UI thread (i.e., setting properties of controls) it will block. |
| False | Single | One-way | Two-way | Reentrant/Multiple | Service able to call client, client callback object is not blocked. Client callback object can communicate with the UI thread using Invoke() from the callback thread. Client can issue multiple calls to the service, but only one callback can be processed at a time. |
| False | Multiple | One-way | Two-way | Reentrant/Multiple | Service able to call client, client callback object is not blocked. Client callback object can communicate with the UI thread using Invoke() from the callback thread. Client can issue multiple calls, and multiple callbacks can be processed at a time. |
| False | Multiple | One-way | One-way | Single/Reentrant/Multiple | Service able to call client, client callback object is not blocked. Client callback object can communicate with the UI thread using Invoke() from the callback thread. Client can issue multiple calls, and multiple callbacks can be processed at a time. |
| False | Multiple | Two-way / Multi-threaded Client | Two-way | Reentrant/Multiple | Service able to call client, client callback object is not blocked. Client callback object can communicate with the UI thread using Invoke() from the callback thread. Multiple calls from the client can be processed at the service, and multiple callbacks can be processed at the client. |
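The "False / Multiple / One-way / One-way" row of the table, as an added example that is not one of the post's numbered samples: a duplex contract pair, the service type and a Windows Forms callback object carrying those settings, with the callback marshalling to the UI thread explicitly. The contract, type, member and endpoint names are hypothetical, and the service host is assumed to be set up elsewhere.

```csharp
using System;
using System.ServiceModel;
using System.Threading;
using System.Windows.Forms;

[ServiceContract(CallbackContract = typeof(IProgressCallback))]
public interface ILongRunningService
{
    // One-way: the client's call returns at once, so the UI thread is never
    // parked inside an outgoing WCF call while callbacks are trying to reach it.
    [OperationContract(IsOneWay = true)]
    void StartWork(string jobId);
}

public interface IProgressCallback
{
    // One-way callback: the service does not wait for the client to finish
    // handling it, so no reentrancy is required on either side.
    [OperationContract(IsOneWay = true)]
    void ReportProgress(string jobId, int percent);
}

// Service side: Multiple lets several StartWork calls, and the callbacks they
// issue, proceed concurrently. With two-way callbacks this would instead need
// Reentrant or Multiple (the table's first row shows what Single does).
[ServiceBehavior(InstanceContextMode = InstanceContextMode.PerCall,
                 ConcurrencyMode = ConcurrencyMode.Multiple)]
public class LongRunningService : ILongRunningService
{
    public void StartWork(string jobId)
    {
        var callback = OperationContext.Current.GetCallbackChannel<IProgressCallback>();
        for (int pct = 0; pct <= 100; pct += 25)
        {
            Thread.Sleep(200);                   // stand-in for real work
            callback.ReportProgress(jobId, pct); // returns without waiting on the client
        }
    }
}

// Client side: UseSynchronizationContext = false delivers callbacks on a worker
// thread rather than the UI thread, so they cannot deadlock against it, and
// ConcurrencyMode.Multiple lets several callbacks be processed at once.
[CallbackBehavior(UseSynchronizationContext = false,
                  ConcurrencyMode = ConcurrencyMode.Multiple)]
public class ProgressForm : Form, IProgressCallback
{
    private readonly ProgressBar bar = new ProgressBar { Dock = DockStyle.Top };
    private readonly ILongRunningService proxy;

    public ProgressForm()
    {
        Controls.Add(bar);
        var factory = new DuplexChannelFactory<ILongRunningService>(
            new InstanceContext(this), new NetTcpBinding(),
            "net.tcp://localhost:9000/LongRunning");     // assumed endpoint address
        proxy = factory.CreateChannel();
        Load += (s, e) => proxy.StartWork("job-1");      // one-way: returns immediately
    }

    public void ReportProgress(string jobId, int percent)
    {
        // The callback thread is not the UI thread, so the control must be
        // updated via Invoke/BeginInvoke rather than touched directly.
        if (InvokeRequired)
            BeginInvoke(new Action(() => bar.Value = percent));
        else
            bar.Value = percent;
    }
}
```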