Category Archives: Development

ASP.NET OpenID/OAuth Login With ASP.NET 4.5 – Part 2

With ASP.NET 4.5 it is very easy to enable users to login to your site with their accounts from Facebook, Google, LinkedIn, Twitter, Yahoo, and Windows Live. In this 7 part series I’ll show you how for each of the identity providers.

Note: Out-of-the-box this only works with WebForms and MVC4. MVC3 is not supported by default.

Part 2: Logging in with Google

Enabling your site for users to login with Google is extremely easy. It just requires you to uncomment a single line of code. There is no need for registration with Google or setting up some share secret, as is the case with the other identity providers.

  1. Open Visual Studio (if you don’t have already).
  2. Open the project created in Part 1 (or quickly create a project in the same manner).
  3. Find the App_Start folder and open AuthConfig.cs.
  4. Register the identity provider:
    1. In MVC go to the bottom of the RegisterAuth method and uncomment the following line of code:
      OAuthWebSecurity.RegisterGoogleClient();
    2. In WebForms go to the bottom of the RegisterOpenAuth method and uncomment the following line of code:
      OpenAuth.AuthenticationClients.AddGoogle();
  5. Save the file.
  6. Run the project.
  7. Click the Log in link. You will notice Google has automatically been added under Use another service to log in.
  8. Clicking the Google button will send you to Google to log in, which will show a page like the one below. Notice that it is telling the user which application (gained from URL) wants you to log in with your Google account.
  9. On the next page the user gets to see which information the application will get, in this case only the email address (and in Dutch in my case). The user can also indicate if this permission should be remembered next time.
  10. After clicking the approval button, you’re sent back to the application, where you can create a registration for the Google account. Note: if you’re already logged in through the local database or another identity provider, you will be asked to add the Google account to your existing account.

ASP.NET OpenID/OAuth Login With ASP.NET 4.5 – Part 1

With ASP.NET 4.5 it is very easy to enable users to login to your site with their accounts from Facebook, Google, LinkedIn, Twitter, Yahoo, and Windows Live. In this 7 part series I’ll show you how for each of the identity providers.

Note: Out-of-the-box this only works with WebForms and MVC4. MVC3 is not supported by default.

Part 1: Setting up your development environment

Create a website project in Visual Studio

You’re going to need a website project for any of this to work, and you may have to configure some of it later. So first, let’s create a project.

  1. Fire up Visual Studio (Express will work just fine).
  2. From the menu select FILE > New Project…
  3. Select one of the Web Application projects. In this example I’ll use ASP.NET MVC 4 Web Application.
  4. Click OK.
  5. Select Internet Application. This is the only template that includes the OpenID/OAuth stuff by default.
  6. Click OK.
  7. The project is ready. You may want to run it once just to make sure everything works. Be sure to click Register and then register for an account to see if the database is working.

Setting up your development environment

In most cases you need to register you website with the identity provider to be able to authenticate users with that identity provider. The provider will ask for several pieces of information, most notably a URL. The problem is that this can’t be an IP-address, and can’t be localhost. Most identity providers also don’t allow a port number, so you will have to ensure that your development website can be reached at port 80 (or port 443) and on a valid URL.

Getting a valid URL

Getting a valid URL is mainly about using a domain that an identity provider will recognize as valid and public. You can get one setup for your application in three ways:

  1. Modify your hosts-file to contain the desired URL.
  2. Open notepad as Administrator.
  3. Click File > Open and navigate to the C:\Windows\System32\drivers\etc folder.
  4. Select All Files (*.*) as filter so the files with no extension show up, as shown below.
  5. Open the hosts file.
  6. Add a line for IP-address 127.0.0.1 with the domain you want to use with your application, as highlighted below.
  7. Save the file.
  8. Use a public domain of your own and modify add a DNS entry for your application. How this works depends on your hosting provider, so I won’t elaborate in this.
  9. Use the localtest.me domain. This is a very neat trick by some clever guys. They’ve setup a DNS that will route any localtest.me request to 127.0.0.1, your local computer. That includes the root domain itself, but any subdomain or sub-sub domain (or sub-sub-sub domain… you get the idea), will work. The only domain that doesn’t work is http://readme.localtest.me, because that’s where you can find the documentation and background. The great thing is that this works without registering or anything. For my demo’s I will use http://michiel-security-demo.localtest.me.

Setting up IIS

Besides having a public domain, your application needs to run on port 80. Although this is possible with IIS Express, it is much easier using IIS (if you want to tinker with IIS Express, check Scott Hanselman’s post Working with SSL at Development Time is easier with IISExpress). The one proviso is that IIS can’t work with LocalDB, so you will have to use SQL Server (Express) instead. For the description below I will assume you have SQL Server Express installed. The best way to go about this is creating a new Web Site in IIS with a custom host header. The steps are easy:

  1. Start the IIS Manager.
  2. In the Connections pane navigate the tree to the Sites folder.
  3. Right click Sites and select Add Website…
  4. Set the Site name and under Physical path browse for the application folder created by Visual Studio.
  5. Under Host name set the host header, in my case michiel-security-demo.localtest.me.
  6. Click OK.

Now you need to point Visual Studio to use IIS, instead of IIS Express when you debug.

  1. Open your project in Visual Studio (if not already open).
  2. Right click the project and select Properties.
  3. Select the Web tab, and scroll down to where it says Use Local IIS Web server.
  4. Uncheck Use IIS Express.
  5. You will be warned that you can’t use LocalDB with IIS with the dialog below. Click Yes.
  6. Enter the Project Url, in my case http://michiel-security-demo.localtest.me/. The settings now should look like the image below.
  7. Click Save.
  8. Start the project in debug mode to verify that everything is working under the specified URL.

Although IIS points to the right folder, it needs permissions to read the folder. If that is not the case, you will get a HTTP 500.19 error when you run the application. You can solve this as follows:

  1. Open Windows Explorer.
  2. Navigate to the application folder.
  3. Right click on the application folder and select Properties.
  4. Go to the Security tab and ensure IIS_IUSRS has read permissions. If so, skip the next steps.
  5. Click Edit…
  6. Click Add…
  7. Enter IIS_IUSRS and click OK.
  8. Click OK twice.

Book Review: Async in C# 5.0

Async in C# 5.0 (Alex Davies, O’Reilly) is good read of you plan to do parallel or async programming, although a bit theoretical. The book shows you why asynchronous programming is a little more than just using the new async and await keywords. These keywords make asynchronous programming syntactically simple, but as this book shows through meticulous explanation there is much more than meets the eye. The book starts of with just showing you how async and await works, and then shifts gear to show you how asynchronous programming worked before we had these keywords. This makes you appreciate all the heavy lifting done for you, but it also makes you understand why asynchronous programming is something you need to do with care. Then there’s several chapter about what’s going on and which pitfalls you can run into (and how to avoid them). The strength of this book is the excellent theoretical handling of the topic. The weakness is the lack of practical examples and a high-level view on when and how to use asynchronous constructs.

Intercepting a 404 in IIS 7 and up

Lately I’ve been working on a system that needs to serve flat files, which is what IIS is very good at. However, when a file does not exist (i.e. a 404 error occurs) there are several options:

  1. The file never existed: propagate the 404.
  2. The file did exist, but has been permanently removed: return a 410 (Gone).
  3. The file did exist, but a newer version is available. In our system a different version always gets a new identifier and as such a new URL, so this is a common scenario for us: redirect the user to the new version.

So the question is: How do we intercept the 404 error for any file?

The answer: With an IIS HttpModule, which is pretty much the same as an ASP.NET HttpModule, as the code below demonstrates.

using System;
using System.Net;
using System.Web;

namespace IisModule
{
    public class DemoModule : System.Web.IHttpModule
    {
        public void Dispose()
        {
        }

        public void Init(System.Web.HttpApplication context)
        {
            context.EndRequest += new EventHandler(context_EndRequest);
        }

        void context_EndRequest(object sender, EventArgs e)
        {
            var context = (HttpApplication)sender;
            if(context.Response.StatusCode == (int)HttpStatusCode.NotFound)
            {
                context.Response.Redirect(“http://michiel.vanotegem.nl/”);
            }
        }
    }
}

The only place where you can check for a 404 error is at EndRequest. Other events get bypassed, including the Error event. However, as you can see in the code, getting the response code is easy. And after checking it you can do a redirect or change the response and response code (don’t forget to clear the response stream). You need to add this code to a Class Library project in Visual Studio, to which you will have to add a reference to the System.Web assembly. Also, this does not work with .NET 4.0 and up (except in Windows Server 2012), so you’ll need to configure the project to target the .NET 2.0 runtime, which is the case for .NET 2.0 through 3.5, as is shown below.

Configuring IIS

First you have to create a /bin folder in the website you want the module to work in, and copy the DLL to the bin folder. If you want this on the Default Web Site, you need to add this to C:\inetpub\wwwroot (assumming C is your OS drive), as shown below.

Second, you need to fire up IIS Manager to add the Managed Module to the Web Site. Select the Website (in my case Default Web Site) and select Modules, as highlighted below.

Now click Add Managed Module… as highlighted below.

Finally, give the new module a name, so you can recognize it in the list of modules active for the website, and select the module in the dropdown, as shown below, and click OK.

That’s it! Now every 404 will redirect the user to the root of my blog.

Configuring IIS for all sites

If you don’t want to have a /bin folder in your site, and all sites hosted on the system require the same behavior, you can also sign the assemly, place it in the GAC, and configure the Module at server level.

Book review: Building Hypermedia APIs with HTML5 and Node

Building Hypermedia APIs with HTML5 and Node (Mike Amundsen; O’Reilly Media) is an interesting little book. It covers designing an online system that operates well in a browser, but works equally well when talking to
from another type of application, which also has positive impact on automated testing. The strength of this book is absolutely the design theory, which is explained very well. The theory applies to pretty much any web development platform, which is where the weakness of the book comes in. If you are not an HTML5 or Node developer, and many of us aren’t, reading through the practical part of the book is somewhat tedious. That said, the book is only 244 pages, and the theory is an easy read. That means that if you are only interested in that you can get through pretty quickly. The examples in itself are simple, but already add up to quite a bit of code you need to wade through. Understanding all that’s going on takes a while.

Book Review: Programming Amazon EC2

Programming Amazon EC2 by Jurg van Vliet and Flavia Paganelli is practical in nature and takes you through all the steps to create and configure accounts, develop applications, and deploy applications. If you’re new to Amazon EC2 (and related services) this is definitely a good place to start, because it goes through all the components Amazon offers, such as S3/Cloudfront and RDS for data storage. It also looks at how you can setup your application to scale up and down, and ensure your application has excellent uptime. The book takes you by the hand based on some applications the authors have created themselves. Although this approach makes the book practical, it sometimes reads as (irritating) marketing for their applications.

Generic interfacing with Workflow Services

I’m currently working on a project where we have a lot of semi-independent moving parts. One aspect is that we communicate with different applications, in a BizTalk style manner. We do this using Workflow Services to ensure delivery and have fault tolerance when running inside Windows Server AppFabric (see my post What is Windows Server AppFabric and why should I use it?). However, we wanted to ensure that these Workflow Services all provide the same interface from out side of the application, so we can call into them generically. This by the way happens when a status changes occurs on some entity we use. Getting the Workkflow Services to expose the same contract (more or less) is relatively easy. You just ensure that all services use the name namespace, operation name, and parameters. However, calling those generically through WCF was a bigger challenge. Basically we have a table with state transitions, which can hold some string of information about what to do. The choice we made is to have this string be equivalent to the endpoint configuration in the web.config file. Now all we need is a correct WCF contract, and off we go. That took a little tweaking too, but with the help of the below two posts by Ron Jacobs, we were able to pull it off:

Thanks Ron!

IE9 Developer Tools

In recent years the development story for Internet Explorer wasn’t particularly appealing. If you wanted to fix CSS and JavaScript errors, IE was definitely not the tool you wanted to use. Also, seeing what was going over the wire wasn’t possible with IE, and as a result developers flocked to FireFox and other browsers offering (plugins) to help with these issues. You don’t have to be a genius to understand that in the long run this wasn’t helping IE in terms of market share. And with the renewed focus on webbased (HTML5) apps, Microsoft has stepped up and produced built in developer tools, also known as the F12 developer tools. So, what’s in there and what can you do with it?

What’s taking so long?

As with IE8, there are inspector tools for HTML, CSS, and script. Since I am by no means an HTML/CSS guy, I’m not the best judge when it comes to these tools, but for what I need from those I’ve been pretty satisfied. For me, the new profiler and network tools are much more interesting, because they respectively hook into the browser rendering engine and what’s going over the wire with HTTP. If you’ve been using tools such as Fiddler or HttpWatch, the latter of the two should be more or less familiar. As you can see in the image below, it shows all the HTTP requests going out to the server, when in the timeline these requests were going out, and how long that took. If you’ve never seen something like this, you can see that this provides great insight into what goes down under the covers.

If you need more details about the timing information, you can select one of the items, and see more. As you can see below, that information doesn’t only include HTTP information, but also information about the time it took to render and JavaScript to fire. If there’s a page that is slow to appear in the browser screen, this will give you great insight into where your time is going.

Is this functionality better than commercial tools such as HttpWatch? Not at this time, but I have a feeling Microsoft isn’t done yet. Tools like that are specialized, and Microsoft is playing catchup. One annoying thing I found is that if I have multiple requests bouncing back and forth, filling in a form, etc. IE9 tools will only show me the last interaction. It could be I’m missing something, but I haven’t been able to figure out how to see the whole list of requests since I started capturing, and I’m too lazy to figure it out. That means I find myself going back to HttpWatch for that (at the moment). That said, the tooling is good, so if you don’t want to spend the extra dime for other tooling, this will do in most cases. Except of course that this only works in IE9, whereas some of the tools out there work in multiple browsers. But wait… there’s more.

What I’m I getting?

An interesting question is always: what HTML will a certain browser actually get. This is where the F12 tools have another nice new feature. You can change the user agent string the server is receiving, and as a result inspect what happens on the HTML, CSS, script side when other browsers come in. Obviously this doesn’t make IE9 behave itself as one of the other browsers, but it can provide nice insights nonetheless, especially to tweak what robots are seeing.

How will it look?

The last thing that I fond really useful is the ability to change the browser so you can check the user experience for users with different settings. As you can see from the image below, you can disable css, script, and the pop-up blocker. In the environment I’m working in now, there’s often the need to see whether everything still works if JavaScript is disabled, and there this is a great tool. It definitely beats going into the browser settings and changing these settings every time you have to test.

Last but not least, you can easily resize the browser screen to fit a certain size. I always used Windows Sizer for this, but having this built in is better, because I rarely use it for anything but webdevelopment.

What’s more?

There’s a whole bunch of stuff I haven’t gone into here, so I advise you to play around with the F12 tools for a while. I’m also betting we’ll see a lot more where this came from in the not too distant future. Microsoft is investing heavily in HTML5, and is actually trying to use “the best HTML5 support” as a unique selling point for Windows.

Book Review: iOS 4 Programming Cookbook

Reading iOs 4 Programming Cookbook by Vandad Nahavandipoor left me confused about the book’s intentions. The book’s audience is stated as for novice AND experts. That rarely works and this is no exception. That said, there is some good, practical content.

The first few chapters cover topics aimed mostly at the novice developer. In a language basics book these chapters would typically be somewhere half way through the book. So this is only useful if you just started to learn Objective-C without reading a book. The cookbook format doesn’t help here, because discussing these topics benefit from a nice flow, which the cookbook format doesn’t have. This goes for a lot of content covered. The content itself is not bad, but it should have been covered textbook style, not cookbook style.

Several chapters are good in the cookbook format, such as chapter 4, which deals with maps and location. It quickly explains how to get things done in a practical manner. The book goes back and forth between content that should be part of a textbook (e.g. gestures, networking) and stuff more suitable for a cookbook (e.g. audio/video, camera).

All in all, I think you can get quite a few handy tidbits from this book, but to be fair, this should be split into two books. One textbook, that really starts at the basics of Objective-C programming and teaches you good programming practices, and one cookbook with the good cookbook stuff from this book and with more practical recipes to give it more body.

p.s. I realize I have a real Microsoft aura around me, so for some it may come as a surprise that I read an iOS book. However, I like to keep myself informed about things outside my comfort zone. I am also reading an Oracle book :).

Tips on Finding Performance Issues in Your ASP.NET App – Part 2

Earlier I blogged about finding performance issues in an ASP.NET app “in the large” (see here). I’d like to reiterate that doing this for a web app is critical, because it not only shows you where the bottlenecks are, but also how these affect the entire application. I said I’d follow up on profiling, so here it is…

Once you know what the bottlenecks or “hot spots” are, you can dive into figuring out what the problem is with these pages. This is where profiling comes in. Profiling lets you know what is happening inside your code. It shows you how long a method call is taking and how often a call is made. Both of these are interesting, because performance bottlenecks can be caused by calls taking long, but also by too many calls to a method. Now, I won’t get into the details of how to profile with Visual Studio 2010 (you can read Beginners Guide to Performance Profiling for that), but when you use this tooling, you should focus on one page at a time. The profiler will throw a heap of information at you, so dealing with one page is hard enough. Once you have this information you have to determine what’s really going on. Is this somehting you can fix by changing a few lines of code, or is there a more structural problem you need to solve? Pages that under no load take 10 seconds or more likely have a structural problem, so you need to check if there is a lot of code being executed that is just waste. Also, be sure to focus on big fish first. You can worry about micro-optimizations (such as a different string compare mechanism) later. That said, you should try to make such optimizations part of your coding  guidelines, rather than looking at that afterwards. Micro-optimizations are only really interesting for very high performance apps. A 10th of a second loss here and there isn’t going to make a lot of difference apart from maybe needing to scale-out a little earlier.