Noffke.com

There’s a lot of good books out there on MVC, but what about a reference?  You tell me the best, so far, here’s my hitlist of reference resources…

• ASP.NET MVC 3: Implicit and Explicit code nuggets with Razor - all of the series from Scott Guthrie are nice
• Understanding the ASP.NET MVC Execution Process – asp.net references/tutorials linked from the main mvc content
• ASP.NET Razor Pages / API Quick References – some more good content at asp.net
• MSDN ASP.NET Web Pages Reference

Saw a new twist on the Singleton pattern. Here it is…


class ThreadSafeSingleton
{
// typical pattern: private constructor and property to return the instance
private ThreadSafeSingleton() { }

internal static readonly ThreadSafeSingleton instance = new ThreadSafeSingleton();
}
}


Looking for a bit more integration of Agile methodologies into your Microsoft development environment? Read this…

When using updateable websites, one on the nice features of .Net Development in Visual Studio is the helper page during the publishing process. The auto-generated page is app_offline.htm. So, if you are updating a production site and want to do te publish process manually, or want to script out your own process, just drop a page of that name in your root and you are all set. When you are done, just delete the page. Guess there is a little magic left at Microsoft. btw… what about the Skype purchase?

Two cool plugins are serious options to simplifying the task of creating a “Select From/To” or Multi-Select sort of a list. The old ASP.NET solution would be to create two multi-value dropdownlists, then wire up postbacks or complicated javascripts.

Not necessary anymore.

Try this one for a simple “classic” solution that has tons of configurable options – senamion

Or if you want to knock their socks off, try this one – Searchable jQuery UI

If you want to learn more about jQuery, try some free lessons at appendto

Is .Net really faster than using Java? Microsoft thinks so, and updated their Stocktrader benchmark application to prove it. Not to mention its a whole lot cheaper. Read the Microsoft® .NET Framework 4.0 vs. IBM WebSphere® 7 StockTrader Benchmark Report to find out the details of their testing.

OBJECTIVE

Implement a standard security mechanism based on the recommended Microsoft SQL Server provider for use in a custom asp.net web application.  The diagram below is helpful to understand where this component lies in the overall solution design.

This visualization shows how the security of an application can be implemented across the standard layers of an application.  It’s taken from the 2^nd edition of the .Net Application Architecture Guide which is a solid point of reference for implementing our Microsoft based solution.

There are two primary points of focus in securing the application:  Authentication and Authorization.  We need to know that users are who they say they are through authentication. We need to control access to those components that the user is granted access to via authorization.  Each of these is discussed in detail below in how they can be implemented and leveraged to meet our needs.

Authentication

When configured within an application, users are prompted to authenticate.  This is easily implemented in an asp.net solution via settings in the web.config.  This sample code below shows the basic structure used to set the base attributes.


<authentication mode="Forms">
…
</authentication>


Clearly this is not all that is necessary, although it’s already shown that the Forms mode will be easier to use in implementing an extensible authentication process.  This is the first departure from the default settings.

In order to address what underlying process is used to manage the users of the website, we need to implement a provider.  In our Microsoft SQL Server based solution, it is straight forward to leverage the SQLMembershipProvider, more on this in a moment.

Authorization

Once the user has been identified as who they represent themselves to be, we inevitably will need to determine their privileges.  Fortunately we have another simple structure that can be used to implement this within the web application.


<authorization>
<deny users="?"/>
<allow roles="Administrators"/>
</authorization>


This straight forward structure can be used to secure access to entire files and directories.  Similar to the first provider, we can use the SQLRoleProvider to assist in our handling of user authorization.

SQL Membership and Role Providers

When we are ready to store users in our SQL database, all that needs to be done is to run the aspnet_regsql.exe installation program.  What is created is a set of tables and stored procedures that are used by our providers.

The foundations are nearly in place with the creation of the database structures.  To utilize them within our solution, we’ll need a few more lines of code in our web.config.


<membership defaultProvider="OurMembershipProvider">
<providers>
<clear/>
<add name="OurMembershipProvider"
type="System.Web.Security.SqlMembershipProvider"
…
/>
</providers>
</membership>
<roleManager defaultProvider="OurRoleProvider">
<providers>
<clear/>
<add name="OurRoleProvider"
type="System.Web.Security.SqlRoleProvider"
…
/>
</providers>
</roleManager>


With these settings in place we can now make use of the core methods of the providers that we are implementing.  The primary Membership provider method is ValidateUser, while the Role provider would rely on using the IsUserInRole method.  Various other methods can be used to manage the users and roles within the application, all relying on the standard features provided.

Should this simple approach proved incomplete, a custom provider class structure can be created to override and implement the base level behavior, and must implement a core set of methods, although the application can choose to not utilize these features.

Concerns

Three concerns with the use of a pre-defined solution as described above have been noted.  This are briefly addressed below:

• There is only a practical limit to the number of roles that can be utilized, and there is not an inherent flaw in the design that limits the return of only one role.  For example, the SQLMembershipProvider implements a GetRolesForUser method.
• Changes to the database structure, like moving the tables and stored procedures to a different naming convention can be achieved by implementing a pair of custom providers that would them only be similar to the methods of the SQL provide methods.
• Limitations of groups and roles are only limited to the need for complex relations of user base.  The concept of a hosting domain as mentioned implies that integrated windows authentication is used.  This is different than forms based authentication and be configured independently.

Conclusion

Using the simple .Net framework provided solution has several benefits.  It was confirmed to meet the business requirements that have been documented outside of this analysis, minimizes custom application development and maintenance, as well as time savings.