Hello!

Long time no seen, yes I know...
It's because I am quite busy at work, we worked at full time job on a very large web project to one of the government offices, but this project is coming to its end.

Now, to our issue...
Firstable some words about the application architecture - the application is devided and built as N-Tier layers, every tier is isolated from the other and lives as a single and separate assembly (.dll).
The tiers are:

• Entities Layer -  This layer holds and represents the entities of the application, for each database table there is an entity class which holds all its fields as properties by each field specification. This class is a Typed Dataset, that holds all the data and being generated automatically, in addition there is another class that represents a filter in purpose to hold values to filter if necessary.
• Data Access Layer - Every entity class has a DAL class which implements the main CRUD (create, read, update and delete) methods against the database. For easyer and comfortable working, we are using the SqlHelper of Data Application Blocks v.2.0.
• Business Logic Layer - This layer holds business logic classes that holds the flows of more comlpexed actions, like transactions, and a working with several tables.
• Presentation Layer - This layer holds the presentation web pages. All the pages are AJAX fully supported to grant the user the best surfing experience.

OK, after I told you about the architecture I will approach the problem I bumped into.

When I wanted to fill my Typed DataSet using SqlHelper I thought to use the classic method:

But I encountered with a problem to fill the typed DataSet - UsersDS, this method knows to return a generic DataSet with no specification of the Typed DataSet and it was a problem (but little one... :))

The new change of the Data Application Blocks v.2.0 is that there is the ability of using FillDataSet method which knows to fill the exact Typed DataSet and DataTables that exists in it, and this is going like that:

SqlHelper.FillDataset(con, StoredProcedures.GetUserById, ds, new string[] { "E_Users" }, idParam);

Here, you must specify the Typed DataTable that exist in the Typed DataSet that you want to fill. As you see, we must send it via the method as a string's array, and by that you can send several tables to fill by sending their names.

That's it folks, as usually I will be glad to hear some additions and comments.

Some of the impovments with that service pack are:

1. Refactoring performance in ASP.NET WebSites projects like:
    Before determining if an .aspx page should be loaded, the refactoring operation will:

2. Web Site Projects and Web Application Projects general issues:
    The Web Applications project system does not detect missing web.config files. Adding a control that requires configuration information will cause a false folder to appear in Solution Explorer. The workaround is to add a web.config file manually before you add any controls to a Web Application project.

   Web Application projects that contain subprojects that reference controls in the root project may hang the IDE.

   If a Web site solution that contains .pdb and .xml files is added to TFS source control, the .pdb files and .xml files may not be added correctly.

   Visual Studio will leak memory when you operate a Wizard inside a View inside a Multiview. The workaround is to save the solution and then restart Visual Studio.

   Changes to the bin folder in Web site and Web Application projects can cause Visual Studio to create a shadow copy of the entire bin folder. This copying can slow the performance of Visual Studio and consume disk space.

   If your page and user controls exist in different namespaces that are under the same root namespace, the generated code will not compile because the namespace that the designer creates for the declaration of the user control inside the page is wrong. The workaround is to delete the declaration from the designer file and then put it in the code-behind file. Once it is moved to the code-behind file, it will remain there unaltered even if you change the page.

You can download it by pressing this link: http://www.microsoft.com/downloads/details.aspx?familyid=BB4A75AB-E2D4-4C96-B39D-37BAF6B5B1DC&displaylang=en

Hey guys how are you?

After long conversation with my work colleague, I thought that I need to sharpen the evidences about Application Domains - aka AppDomain.

By .NET environment, the concept of an application domain, or AppDomain known as a process. The AppDomain is both a container and a boundary. The .NET runtime uses an AppDomain as a container for code and data, just like the operating system uses a process as a container for code and data. As the operating system uses a process to isolate misbehaving code, the .NET runtime uses an AppDomain to isolate code inside of a secure boundary.

An AppDomain belongs to only a single process, but single process can hold multiple AppDomains. An AppDomain is relatively cheap to create (compared to a process), and has relatively less overhead to maintain than a process. For these reasons, an AppDomain is a great solution for the ISP who is hosting hundreds of applications. Each application can exist inside an isolated AppDomain, and many of these AppDomains can exist inside of a single process – a cost savings.

Lets take an example from the REAL life:
Assume that you had created 2 ASP.NET aplpications in the same server, what will happen intior the system?

Firstable, the ASP.NET process that runs the web application will run both the applications (you can find the process name in the task manager as aspnet_wp.exe in Windows XP or as w3wp.exe in Windows 2003. Each application will have its own AppDomain including its Cache, Application, and Session objects.
BUT, the code of the same application runs under the same process!

What about static members or shared classes? In this case, each ApDomain will have its own copy of the static members (fields), but of course, the data and code is not shared and will be held safely isolated and inside of a boundary provided by the AppDomain.

Load some new assemblies..
Suppose you want to load an updated dll into the application folder or subdirectory, the ASP.NET runtime will recognize it and and will start a new AppDomain because it cannot insert it to the running AppDomain, the result is that running requests will finish its work and after it they will work against the new AppDomain that holds the new dll and executing code.

Last word...
I think that one of the good adventages of the AppDomain is that you can allocate the wanted memory for your application (under its AppDomain) as much as you want (bounded by the process capability of course) and if there is a runtime crash, the rest of the applciations that runs over the current process will not crash.

I will glad to hear some comments and additions... :)

Hey guys, how are you these hot and exhausting days?? I am pretty OK, except for the heat...

If you didn't hear about the ReSharper yet, some words about it:
ReSharper is an add-on to Visual Studio 2003 and 2005, It comes equipped with a rich set of features that greatly increase the productivity of C# and ASP.NET developers. With ReSharper you get intelligent coding assistance, on-the-fly error highlighting and quick error correction, as well as unmatched support for code refactoring, unit testing, and a whole lot more. All of ReSharper's advanced features are available right from Visual Studio.

This add-on includes features like: Error Highlighting and Quick-Fixes, Advanced Coding Assistance, Numerous Refactorings, Navigation and Search, Unit Testing, ASP.NET Editing, NAnt and MS Build Scripts Editing. More details you could read in the link attached below.

So, you can try using this good add-on by downloading a 30-day evaluation from the jetbrains.com site here, and if you will like it I suggest to buy it (on your company account of course :))

Hello!

Yesterday while surfing on the web in purpose to find some interesting tutorials and innovations, I encountered with a nice article that has been written by my college's mate, Evyatar Ben-Shitrit.

This control derives from ListBox, supports a horizontal scroll bar, and yet behaves like the ASP.NET ListBox control. More in this article, he explains the creation of the ScrollableListBox custom control (written by him).

So, I recommend reading this one at thecodeproject web site here.

Fare well...

Hello!

I am still working on a big web application in work. I will glad to tell you about the application, but this is for other conversation. I am glad to say that we are close to the end of the project and doing now last fine tuning on it.

The thing that I had to deal with for the last days is all the issue with publishing application errors in orderly fashion to the event viewer. The reason of doing it is to get the ability of tracking in runtime, bugs, errors or exceptions that can be appear while the application is in production. In this case we don't have the CLR debugger to find what was wrong (if something happend of course...), so we must publish the exception to the system's event viewer or just  to a simple Log file (which less recommended then publishing to the system's event viewer).

Now, to the implementation (the imporatnt thing!!!)

In order to publish error to the event viewer, we need to use the Microsoft.ApplicationBlocks.ExceptionManagement assembly of Microsoft. This assembly expose us all the publishing tools that we will need to publish an errors (and more...).

In my web application, in global.asax file, in Application_Error method, I wanted to publish the exception to the event viewer. It is very important to do it there, because in every application error, like runtime errors, exceptions and actions that the application and systme doesn't know to deal with, this method is being called (by the application of course).

Now, before publishing the error to the event viewer, you need to distinguish between the different exceptions. Do it with your own information about every exception that is happening but, it is important to know that also in every response's redirect (Response.Redirect (" ... ", true) or server's transfer (Server.Transfer (" ... ", true) an ThreadAbortException is being raised.

By this example you can see the publish exceptions handling.

Now, do not forget to declare in the web.config file the appliation name and the exceptions pulishing handling:

<exceptionManagement mode="on">
        <publisher assembly="Microsoft.ApplicationBlocks.ExceptionManagement" type="Microsoft.ApplicationBlocks.ExceptionManagement.DefaultPublisher" applicationname="APPLICATION_NAME"/>
</exceptionManagement>

One more thing... you need to register this assembly with the appliation name in the registry in purpose to let the application all the rights to publish the error in the event viewer, if you won't do it, the system won't let you write to the event viewer and you will get the exception: The event source ExceptionManagerInternalException does not exist and cannot be created with the current permissions. security exception and you will spend planty of time trying to solve it :) (like me...)

How to register this to the registry you ask?

Open notepad and write there this code:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog\Application\APPLICATION_NAME]
"EventMessageFile"="C:\\WINDOWS\\Microsoft.NET\\Framework\\v2.0.50727\\EventLogMessages.dll"

Save this file with .reg extension and double click on it, this will register this to the system's registry.

So, bye for now...

Hello and good week to all!

These days I am starting to publish here (in my blog ofcourse) a series of articles that discusses with Web Serivces and the most important issue - Security over Web Services (using Microsoft technology ofcourse), because it is quite simple to write a web service that receives/retrieves data and 'do you thing...', but the complexity comes when you want to secure this data that runs over non-secured protocols or web-lines.

This article assumes that you are familier with web services, its porpuse and its implementation and assimilations, if not, you should read some basic tutorials before you start to read this article. (You can fine general example here).

Introduction
WS-SecurityProtocol defines all web services expansion security topics. Its goal is to let you build and use SOAP messages exchange in secured way. This term is quite flexble and it designed in a specific way in order to constitute the base of building a secured Web Service by the different security models like: SSL, Kerberos, PKI.
WS-SecurityProtocol supplies a full support for large number of security tokens, trusted domains, signature formats and encryption technologies.

This component supplies 3 basic mechanisms: Message Confindentiality, Message Integrity, Security Token Propagation. These mechanisms, each one by it own, doesn't supplies perfect security solution, therefore in actual fact, WS-SecurityProtocol builds a block that uses a combination of all there mechanisms and different enhancements to supply a perfect sucurity solution

Main Facts
Before I start explaining and showing the protocol's structure, I want to stand on the basic definitions and terms this protocol is uses:

• Claim - the client's claim (like: name, identity, key, group, rights and more...)
• Security Token - represent a set of tokens.
• Signed Security Token - this is a claimed and encrypted by a specific authority (like: Kerberos ticket or X.509 certificate) security token.
• Proof-of-possession - information that used by a specific "proof process" in purpose to describe the sender data.
• Integrity - a process that comes to note that the sent data hasn't changed while sending the message.
• Confidentiality - a process that comes to ensure that the data is protected and just specific authorized 'players' are allowed to watch it.
• Digest - an encrypted sum of the data sent stream.
• Signature - this is an encrypted communication between the Proof-of-possession and the digest. This action creates a symetric key and public signatures.
• Attachment - this is the physical data that is transfered using the SOAP messages, but is not a part of the SOAP envelop.

We want to ensure that the SOAP message is encrypted properly to avoid dangers, like:

1. The message could be readen and be changed by malicious user.
2. Malicious user can send fake message through the Web Service and by that to get secret information.

Message Security Model

The WS-SecurityProtocol works under the Message Security Model, that comes to prevent such cases like mentioned above. Its behavior is:

The Security Token declares on Claims and Signatures, this mechanism supplies a proof to the knowledge of the sender (in simple words, the data that the sender holds). In addition, the Signature can bind itself with the Claims in the Security Token (in assumption the token is secured).

Claim can be supported (or not) by "secured authority", which is a set of claims, which encrypted or digitally signed by this authority is usually represented by Signed Security Tokens. An example to Signed Security Token set is X.509 Certificate - which by this set of claims, the binding is executed between the client identity and the the public key.
Claim that is not supported by any "secured authority", can be secured only when the connection (binding) between the sender and the receiver is secured (secured line, like SSL etc...), for an example, they can agree on a specific message name that is accepted by both of them and by that only they will know that the message is meant for them (because they are both will look forward to get the same name).

Another type of non-secured claim (which is not supported by any "secured authority") called proof-of-possesion. As I descibed earlier, this term confirms that the user has "pieces" of knowledge that diagnosed by the other 'players' which related to it. For an example, lets take a look of username/password security token, the proof-of-possession here, combines another security token in order to confirm the sender's claim. I need to note here, that Digital integrity (see above if you already forgot) for a message can be used as a proof-of-possession, but in theis case it will not considered as a security token.

Message Protection

Another model that comes to prevent such cases as mentioned above (remember...?).
This model claims that all the messages that are being sent, supposed to be encrypted in order to not be negatively affected by hostile factors. The Integrity based message is supplied by leverage of an XML signature with security tokens, in order to notice that the messages has been sent with no data changes of bad influences. This mechanism supports many signatures and players.

A confidentiality (see above for a definition), based message, uses XML encryption with secutity tokens to ensure that the message's parts will be confidential.

In order to supply the the maximum security to the SOAP message, that we'll want to send, there is a need to build the XML file that includes all the filters and headers definitions.
The structure of the XML file includes the <Security> tag, which symbolizes the security definitions. Under this tag it is possible to define all the information about the message security issue.

An XML file cannot hold more that one security tag, this in purpose to allow that each tag (security XML) will taget to other destination. This tag and all its data under, represents the signature steps and the encryption type that the sender used with to send the message.

A typical WS-SecurityProtocol example:

Line 001 and 002, describes the SOAP envelope. Line 003 opens the headers definitions that describes the message. Line 004 to 008, describes the sending message type, the source and destination.

Line 009, open the Security's filters definitions. This label defines the security definitions that the receiver need to be up to (in order to watch the message ofcourse). This header label is closed in line 029.

Lines 010 to 012, describes the security token that message uses, here the usage is username token. (Here the assumption is that the password is well known by the service, and by that, only username is being sent).

Lines 013 to 028 defines the digital signature. By this example, the signature is based on the key that generated from the sender password. Lines 014 to 021, explains the digital signature. Line 015 defines how to normilize the sent information.

Lines 017 to 020, chooses the elements we want to signature. In this example (by line 017), we can see that the body is digitally signed (<s:Body> label, which you can see in line 031).

Line 022, holds tha signature value that derivated from the encrypted information. Lines 023 to 027, holds an information about the security token location, which combined with the signature. In more explicit, lines 024 - 025, defines that this token is located in a specific URL address.

Line 031 to 033 holds the message body.

That it for now. More tutorials at:

• http://www-128.ibm.com/developerworks/webservices/library/ws-secure/
• http://msdn.microsoft.com/library/en-us/dnglobspec/html/ws-securitypolicy.pdf

Comments will be appriciated...