Op het SDN Event van 13 december heb ik twee presentaties gegeven. Hieronder kun je de aantekeningen downloaden die ik gemaakt heb op de tablet (voor wie er niet bij was: ik heb in plaats van slides mijn sessie gedaan met behulp van tekenen in OneNote).

• ASP.NET_Aanpassen (1.05 MB)
• Wegwijs_in_Moderne_Beveiligingstechnieken (2.06 MB)

De demo's bij ASP.NET Aanpassen volgen op korte termijn (vermoedelijk komend weekend... leuk speelgoed voor de kerst).

A while back I blogged about how to deal with unsecured responses in WCF (see this post). I've had several people ask me for the code that you can use in case you can't use the mentioned hotfix. Attached is the code for a message encoder that intercepts the MessageSecurityException thrown by the original encoder. The encoder wraps around the actual encoder you want to use, so you'll have to configure it like this:

<system.serviceModel>
  <extensions>
    <bindingElementExtensions>
      <add name="unsecureResponseEncoding"
           type="UnsecureResponseEncoder.InterceptingMessageEncodingElement, UnsecureResponseEncoder,
                 Version=1.0.0.0, Culture=neutral, PublicKeyToken=null" />
    </bindingElementExtensions>
  </extensions>
  <bindings>
    <customBinding>
      <unsecureResponseEncoding>
        <textMessageEncoding maxReadPoolSize="64" maxWritePoolSize="16"
                             messageVersion="Soap11WSAddressing10">
          <readerQuotas maxDepth="32" maxStringContentLength="8192"
                        maxArrayLength="16384" maxBytesPerRead="4096"
                        maxNameTableCharCount="16384" />
        </textMessageEncoding>
      </unsecureResponseEncoding>
    <!-- removed for briefity -->
    </customBinding>
  </bindings>
  <client>
    <!-- removed for briefity -->
  </client>
  <behaviors>
    <!-- removed for briefity -->
  </behaviors>
</system.serviceModel>

The main thing the UnsecureResponseEncoder does is override the ReadMessage methods of the message encoder. All else is just plumbing to wrap the original encoder and use it as is. In ReadMessage the received message is retrieved and place in a local variable. If a MessageSecurityException occurs, this is caught, and an UnecureResponseException is thrown, which includes the original message. Higher up in the call chain you can parse the original message and extract the fault information. The example below shows an altered proxy call so the proxy actually returns a FaultException<>.

SomeResponseMessageContract ISomeService.SomeServiceMethod(SomeRequestMessageContract request)
{
    try
    {
        return base.Channel.Aanleveren(request);
    }
    catch (UnsecureResponseException exception)
    {
        if (String.IsNullOrEmpty(exception.ResponseMessage) == false)
        {
            // Put original response message in XmlDocument so you can manipulate it
            XmlDocument xml = new XmlDocument();
            xml.LoadXml(exception.ResponseMessage);

            // Add namespaces concerning faults, including your custom fault schema
            XmlNamespaceManager nsmgr = new XmlNamespaceManager(xml.NameTable);
            nsmgr.AddNamespace("soapenv", "http://schemas.xmlsoap.org/soap/envelope/");
            nsmgr.AddNamespace("fault", "http://somefaultschema/");

            // Retrieve the fault node and extract information.
            XmlNode faultNode = xml.SelectSingleNode("/soapenv:Envelope/soapenv:Body/soapenv:Fault", nsmgr);
            if(faultNode != null)
            {
                SomeFault fault = new SomeFault()
                {
                    SomeFaultInfo = faultNode.GetNodeStringValue("detail/fault:SomeFault/fault:SomeFaultInfo", nsmgr),
                };
                if(String.IsNullOrEmpty(fault.SomeFaultInfo) == false)
                {
                    throw new FaultException<SomeFault>(fault, exception.Message);
                }
            }
        }
        throw; // If not properly handled, rethrow original exception
    }
}

I've been trying to find a way in which I can easily map competences, books, certifications etc. The goal here is to be able to determine what you need to do to reach a certain competence or certification. Now, there may be some fancy tool out there to do this, or you could just whip up Visio and start drawing, but a) I don't want to buy a new tool, and b) I want this to be interactive.

I just finished a demo that uses the Dependency Graph functionality in Visual Studio Ultimate. I've used similar tooling before (from NDepend) for auditing and reviewing, but this time around I'm using it as part of my solution rather than to review a solution. I've expressed compentencies and books in classes, and if a competence is required for another, I'm adding a reference to it in a prerequisites list. The same happens with books you could read to learn about the competence.

After letting Dependency Graphing do its thing, you end up with a graph such as the one below. The great thing is that it's interactive. You can delete/colapse in the diagram what you don't need, and you can select the items for which you want to see more detailed dependencies. In the graph below, I've selected several constructors to show me all the dependencies.

With everything in code, I could now create a user interface that enables you to query the map for what you still need to do to get to the competence/certification you want.

In the early stages I've commented on Microsoft not going the right way, because a major selling point could be that you can run Azure in the cloud or in your own data center. That seemed not to be possible. When Azure almost went live, MS had changed sufficiently to maybe make this possible in the future. With Azure Appliance, this is now definitly a reality.

A recurring theme in web programming is calling a function periodically and/or at a specific date and time. This has two aspects:

• Calling a function on a scheduled basis
• Making sure time-outs don't interfere

Calling a function on a scheduled basis
To be able to call a function on your web app, you first need an endpoint (a URL) that you can call to kick the function off. In ASP.NET you can do this in several ways:

1. Create a page that calls the function.
2. Create a handler (ASHX) that calls the function (more efficient than a page).
3. Create a WCF service that allows calls with HTTP GET, as discussed in this blog post by Sasi Suryadevara.

With your endpoint in place, you can use the Windows Task Scheduler to invoke the function at any given time and at intervals as low as one minute. With the Windows Task Scheduler you have several options again:

1. Create a VB Script that calls the URL, as discussed in this blog post by Steve Schofield.
2. Create a PowerShell script that calls the URL (same as option 1, but more modern).
3. Have the Windows Task Scheduler open Internet Explorer and open the specified URL (e.g. C:\PROGRA~1\INTERN~1\iexplore.exe  -extoff http://www.google.com, which starts IE without extensions). If you do this, you also need to specify that the Task Scheduler closes IE after 1 minute, which you can do in the Settings tab of the task (Windows 2003), or in the Trigger configuration (Windows 2008), as shown below. NOTE: I've found that IE sometimes doesn't close, even if you tell Windows to close it. Eventually this will cripple your scheduled task.

Task Settings in Windows 2003

Trigger configuration in Windows 2008

Note: In Windows 2008 the dropdowns governing duration and interval show 30 minutes as lowest value. You can in fact change this to 1 minute by editing the text.

Making sure time-outs don't interfere
A web based call is bound to time-out after a few minutes. If you task takes longer than that, this may abort the call depending on how you programmed it, and what webserver settings are used with regards to disconnected clients. To ensure a time-out does not interfere, you can spawn a new thread and have it call the function. That way the thread handling the request can return a response to the client, and the function is carried out regardless. One issue that may arise there is that the function itself hangs or takes too long. You may want to add logic to ensure that it's aborted after a certain time, and add logging to notify you of this, and possibly also ensure that the function can only be run by one caller at a time.

I keep forgetting that I need to use GPEDIT.MSC to configure the Windows Shutdown Event Tracker (which you really don't need in a virtual machine).

Sometimes we come across integration scenario's that look straighforward, but where the devil is in the details. We needed to integrate our asp.net/silverlight application in an existing ASP "classic" site (yes, the still exist). The catch was that we needed to call the ASP "classic" site in a server to server call to get some information, but we needed to do this under the context of the current user. You may be wondering why we didn't go through a shared database or someting, but the problem is that there is little knowledge left of the old app, so changing the existing app was a no go.

So, in order to impersonate the user, you need your server-sided request look like that user. This means forwarding the cookies the user sends, and sending back the cookies the server sends to the user. Below is code that demonstrates that.

HttpWebRequest webRequestToServer = (HttpWebRequest)HttpWebRequest.Create("http://somedomain/somepage.asp");
webRequestToServer.CookieContainer = new CookieContainer();
foreach (String cookieKey in Request.Cookies)
{
    HttpCookie cookie = Request.Cookies[cookieKey];
    Cookie serverCookie = new Cookie(cookie.Name, cookie.Value, "/", "somedomain");
    webRequestToServer.CookieContainer.Add(serverCookie);
}

HttpWebResponse webResponseFromServer = (HttpWebResponse)webRequestToServer.GetResponse();
foreach (Cookie serverCookie in webResponseFromServer.Cookies)
{
    HttpCookie clientCookie = Response.Cookies[serverCookie.Name];
    if (clientCookie == null)
    {
        clientCookie = new HttpCookie(serverCookie.Name);
    }
    clientCookie.Value = serverCookie.Value;
    clientCookie.Expires = serverCookie.Expires;
    Response.Cookies.Add(clientCookie);
}
webResponseFromServer.Close();

This code works fine in a test environment, but there is a catch... in some cases the domain of the server is not set in the cookie you get on the server side. The problem with that is that when you set the domain, it doesn't correspond to what the server expects. You can see this if you write out the cookies you send/receive (both on the browser connection and te server-server connection) to a log or something (including the domain. It took a while to figure out, but replacing "somedomain" with Request.ServerVariables["LOCAL_ADDR"] did the trick.

An important reason I have a Windows phone is because I have control over which applications I buy and from whom. I decide what I can or cannot install on my phone. With Windows Phone 7 Series Microsoft is blocking this "sideloading", so users can only download and install new software through Marketplace. Basically Microsoft is following the Apple iPhone model with this, and the reason is for this is clear: follow the money. Microsoft has realized that Apple is making millions of dollars from the percentage they get on apps sold through the app store. This is logical, because ultimately it is not your device that makes the difference, but what you can do with it. Functionality and content sell, it's as simple as that.

As I said an important reason for me to have a Windows phone, and not an iPhone, was the control I have over my device. I think I am not alone in this, and I've heard a lot of people using Apple products (iPhone in particular) complain about this too. It's the one thing the makes Apple impopular compared to Microsoft, so I guess Microsoft just wants to be the impopular company. Windows Phone 7 Series will also be impopular to vendors. On that front Microsoft is thightning the screws as well. Microsoft now determines the hardware specs and as vendor you have little options to alter the appearance of the OS. This means there are less options to differentiate yourself from competitors.

I think the new Microsoft policy will ultimately drive people away, rather than gain momentum. It will drive people to Android based phones where phone vendors and users are still in control. If you look at the momentum Android already has, more people will also choose Android over iPhone for the same reasons.

When you're using signing or encryption on your SOAP requests, WCF exepects the response to be signed/encrypted too. When the response is not signed/encrypted the message encoder throws a MessageSecurityException. This is perfectly fine behavior, but in interop scenario's can really bug you, because some WS-* implementations don't sign/encrypt Fault messages. Now, because the message encoder throws the exception, you can't get to the underlying SOAP fault. This means that you have no clue why you received a fault in the first place.

To fix this, Microsoft has provided a hotfix. With this hotfix in place you can specify enableUnsecuredResponse="true" in the binding configuration to allow unsecured responses. Unfortunately this means that also valid responses don't have to be signed/encrypted, defeating the purpose of signing and encryption altogether!

As an alternative, you can implement your own message encoder that wraps the encoder that is actually used. In the wrapper you can either store the received XML for use higher up in the call stack, or retrieve the fault and throw a FaultException<>. Without jumping through hoops the latter option does require your wrapper to know about the fault types it needs to handle. With the former option you can handle the exception higher up in the call stack by catching the MessageSecurityException and throwing a new exception with the XML of the message as a property.

Two months ago I spoke at WDI 2010 in Warsaw, Poland on ASP.NET Web Forms vs. ASP.NET MVC. I should have posted the slides for that session soon after, but just didn't get around to it because of all the work thrown at me. Here they are... finally. Slides (668.34 KB)

Thanks to the great folks organizing the conference. They took great care of me and managed to get a good crowd together. Even though it was a pretty large audience, the level of interaction was very good.