
The book will be available at this link in January: http://www.lulu.com/content/7738132
Well, a lot has changed with security in the Silverlight platform. I think it's for the best, but you'll have to be patient as the Silverlight platform matures, so you may miss some functionality. Here's a quick overview of what you used to have, what you will have, and what you need to get accustomed to having.
Previously, if you wanted container based Web applications, you'd create a user control and stick it into a web page. I blogged about this several times in the past, here is one example. When you embed the object tag, your favorite browser determines that the object needs the CLR (by parsing the path) and loads the appropriate CLR (depending on configuration settings) in order to execute the binary. The binary is downloaded into a special place in the GAC where code policy and zoning rules come into play. That creates the sandbox (well, it enforces the sandbox - the sandbox is already created. Moving on...).
What do we have today with Silverlight? Perhaps most of it is the same from a theoretical perspective. The object is now replaced with the Silverlight plug-in. You'll see something like this in VS2010:
<div id="silverlightPlugInHost"> ...
The purpose of this tag is to embed the SL object into the Web page. From there, you can script the object or program to its interface. However, that's about where the similarity ends. Underneath the hood, the managed user control that I talked about earlier is sandboxed with policy and zoning. This is how security is enforced. It's a good concept, but it was tedious to implement and tricky to get it right. So, it never really took off. Microsoft has tried to simplify this model to gain some more traction in the container war with Adobe.
In the past, with the correct policy, you could elevate out of the sandbox. A web page could automate Windows Media Player or read the registry, for instance. Today, with the simplified approach, the sandbox is fully enforced. That is, there is no concept of elevation out of the sandbox. Elevation significantly complicates a security implementation. What you have now is three layers of code; see figure 1-0.

Figure 1-0, Silverlight Security Stack courtesy ASP.NET by Example (coming in February).
Your Web application with Silverlight (click me button) is built in managed code. That is the transparent layer. It's transparent because it can be reviewed, dissected, and adjusted. So, notice the security stack: it can't bypass or elevate around the safe-critical code layer. It must call into that layer to get into the pot of gold behind it (the Critical, OS layer). That type of behavior is simply not defined. What that means to you is that you won't be able to write to the registry or access the printer port, for instance. You could do this with a managed user control and the right security settings. So you've lost that. What have you gained?
You've gained a simpler security implementation stack. You call through safe-critical code. If safe-critical does not allow it, it can't be done. It's that simple. With simplicity come fewer bugs, fewer compromises and cleaner code. Now, all that remains is for safe-critical (I'll use it as a noun from now on) to implement the features that we as developers need. Printing, for instance, is a major request, so Silverlight 4 implements it. Socket access is another and that is also available in SL4. So now you see, Microsoft essentially controls the back-end, right? Right! You never thought of it like that. Cheeky.
There's one more complication to the picture. The entire security stack can be bypassed. I know I said this wasn't defined, but I misled you only to simplify the explanation. If you run the SL application as an OOB (Out of Browser) application, the SL application runs as if it were installed from install media; that is, it is completely trusted. Completely. So the security stack gets bypassed.
So why would you run OOB instead of building a Windows client application? Did you really ask that question? Thought so. I ask the question on your behalf. Answer: Money. It costs a ton to deploy applications. If it is a browser, you don't have to test the deployment leg. Microsoft already did that for you when they packaged it. Ch-ching!
I found out the hard way that JSON Data contract serialization is not supported in the DSF (VS2010). Here's what I was trying to do. I wanted to pull down and parse data from a DSF application. I do have code to parse and dump the data to the console for instance, but I really wanted to work with a strongly typed class so that I could work with the domain objects directly. So I build my datacontract, point it at the DSF supported site and let it rip. SerializationException. So I spend valuable time tracking this down - couple of days actually. Eventually, what I find is a statement by one of the program managers at MS that goes something like this - I am paraphrasing because I forgot the link:
JSON Data Contract serialization is not supported because there is no way to specify reference types in JSON. Since the Entity Framework (on which DSF relies) projects via reference types and only supports one projection, it isn't possible to project a second time to a value type, for instance. Hence, it is a feature hole that won't be plugged for the foreseeable future.
Oh well, I guess I need to go parse strings then...
Folks:
I've finished writing this blockbuster. I'd like to invite some of you to peer review the book. Send email by using the blog contact link with the subject line "Peer Review ASP.NET 4 by Example". You'll get a PDF file of a chapter that you can read and comment on. You won't get paid for your services. However, I'll mention you as a peer reviewer in the book credits at the front of the book. If you are contemplating a writing career, it's a great way to start.
The book will go on sale in the February time frame with a price point of $19.99. Can't go wrong for $20, right? There'll be VB and C# as usual and I'll cover everything new in ASP.NET with a focus on explanation using example code.
If you look at the new technology wrapped in VS2010 (technology is a grand term, yes I know), I think you will agree that the stage is being set for all sorts of goodies down the line: things like Azure, increased productivity, more secure and scalable applications, accessible products, and richer UI. It's coming, better get on board and start digging in...
That's the title of my new book. Woohoo! Should be out in February 2010. 7 chapters, heavy on the code, light on the fluff. It will sticker for $20, printed and eBook versions along with code download. I'm targeting about 300 pages, give or take a few.
I'm ashamed for not posting any sooner than this. I forgot my password for the longest while... Have you noticed how many passwords people now have? There's work, there's home, there's social sites, there's chat clients, there's taxes, banking... on and on. And they are all different, right? Because, oh no, you don't want to share the same password across all these sites. What if the booboo man gets a hold of it? I think we've pinned ourselves into a corner here...
I walked into a booby-trap with .NET 3.5 SP1. Here are the details. You receive a 401 authentication error when you upgrade your server running WCF service to .NET 3.5 SP1. The WCF run-time now requires an identity to be passed in on the call. The identity or SPN is not verified for authenticity, it just needs to be present. You can fix the issue from code or by inserting the identity tag into the url.
The authentication failure is triggered if all of the following conditions are met:
- The scenario uses ClientCredentialType.Windows, which specifies the Negotiate authentication scheme.
- The scenario uses http, https, or net.tcp.
- The service runs under a non-domain account.
More specifics:

| Scenario | 3.5 SP1 | 3.5 RTM |
|---|---|---|
| Default – specify NO identity | System.ServiceModel.Security.MessageSecurityException: The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate oYG… snip…. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized. ---> System.ComponentModel.Win32Exception: The target principal name is incorrect | Accepted (no identity required) |
| Default – specify bad identity | Accepted (identity not checked) | Accepted (identity not checked) |
| allowNTLM=false – specify NO identity | System.ServiceModel.Security.MessageSecurityException: The HTTP request is unauthorized with client authentication scheme 'Negotiate'. The authentication header received from the server was 'Negotiate oYG… snip…. ---> System.Net.WebException: The remote server returned an error: (401) Unauthorized. ---> System.ComponentModel.Win32Exception: The target principal name is incorrect | Accepted (no identity required) |
| allowNTLM=false – specify bad identity | Caught System.ServiceModel.CommunicationException: An error (The request was canceled) occurred while transmitting data over the HTTP channel. ---> System.Net.WebException: The request was canceled ---> System.Net.ProtocolViolationException: The requirement for mutual authentication was not met by the remote server. | Caught System.ServiceModel.CommunicationException: An error (The request was canceled) occurred while transmitting data over the HTTP channel. ---> System.Net.WebException: The request was canceled ---> System.Net.ProtocolViolationException: The requirement for mutual authentication was not met by the remote server. |
Here is the fix, placed in the client configuration file inside the endpoint tags (<endpoint>fix goes here</endpoint>):
<identity>
<servicePrincipalName value="spn" />
</identity>
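The same fix applied from code instead of configuration, as an added example that is not from the original post. IEchoService, the service URL and the SPN value are placeholders; the allowNtlm switch reproduces the two configurations compared in the table above.

```csharp
using System;
using System.ServiceModel;

// Added example, not code from the original post. It applies the identity fix
// programmatically instead of through the <identity> element in config.
// IEchoService, the service URL and the SPN value are placeholders.
[ServiceContract]
public interface IEchoService
{
    [OperationContract]
    string Echo(string text);
}

public static class WcfIdentityFix
{
    // Programmatic equivalent of <identity><servicePrincipalName value="spn"/></identity>.
    // With the default settings the SPN only has to be present, not correct (second row
    // of the table above), so on its own it does not prove you reached the intended host.
    public static EndpointAddress AddressWithSpn(string serviceUrl, string spn)
    {
        return new EndpointAddress(new Uri(serviceUrl), EndpointIdentity.CreateSpnIdentity(spn));
    }

    public static ChannelFactory<IEchoService> CreateFactory(string serviceUrl, string spn, bool allowNtlm)
    {
        // Windows client credentials over HTTP select the Negotiate scheme named in the table.
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.TransportCredentialOnly);
        binding.Security.Transport.ClientCredentialType = HttpClientCredentialType.Windows;

        var factory = new ChannelFactory<IEchoService>(binding, AddressWithSpn(serviceUrl, spn));
        // allowNTLM=false removes the NTLM fallback; an SPN that does not match the service
        // account then fails with "The requirement for mutual authentication was not met"
        // (last row of the table) instead of being silently accepted.
        factory.Credentials.Windows.AllowNtlm = allowNtlm;
        return factory;
    }

    public static void Main()
    {
        // Placeholder values: substitute the real endpoint and the SPN registered for the service account.
        using (var factory = CreateFactory("http://SERVICE-HOST/Echo.svc", "host/SERVICE-HOST", false))
        {
            IEchoService client = factory.CreateChannel();
            Console.WriteLine(client.Echo("ping"));
        }
    }
}
```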
Community:
I have one licensed, legal VSTS 2008 with MSDN Premium subscription to give away to the community. If you care to take part, please send me an email with 1 paragraph explaining why you think you should be considered. That's it, no gimmicks, strings or anything funny.
I'll take the best 1 on October 31st and provide the subscriptions to the lucky person. Your contact information and email will not be published or distributed.
To participate: Send email to vstsgiveaway@live.com. Subject line - VSTS Giveaway is Back. I will pay shipping and handling charges.
Community:
I have a couple of licensed, legal VSTS 2008 with MSDN Premium subscriptions to give away to the community. If you care to take part, please send me an email with 2 paragraphs explaining why you think you should be considered. That's it, no gimmicks, strings or anything funny.
I'll take the best 3 on July 31st and provide the subscriptions to the lucky ones. Your contact information and email will not be published or distributed.
To participate: Send email to vstsgiveaway@live.com. Subject line - VSTS Giveaway. I will pay shipping and handling charges.
Ain't it great that the latest from MS falls short of the accessibility mark? Gotsta luv it. Here are the details.
Microsoft is aware of the issue and working on it.
DeskTop Heap Exhaustion
Ran into another mine field the other day - blew my foot right off before I could even realize what was happening.
The client received this error:
The run-time environment has detected an inconsistency in its internal state. This indicates a potential instability in the process that could be caused by the custom components running in the COM+ application, the components they make use of, or other factors. Error in d:\nt\com\complus\src\comsvcs\threads\stathread.cpp(284), hr = 80070000: CSTAThread: CoGetApartmentID failed
The run-time environment has detected an inconsistency in its internal state. This indicates a potential instability in the process that could be caused by the custom components running in the COM+ application, the components they make use of, or other factors. Error in d:\nt\com\complus\src\comsvcs\threads\stathread.cpp(271), hr = 80070057: CSTAThread: CoInitializeEx failed
The run-time environment has detected an inconsistency in its internal state. This indicates a potential instability in the process that could be caused by the custom components running in the COM+ application, the components they make use of, or other factors. Error in d:\nt\com\complus\src\comsvcs\threads\stathreadpool.cpp(1230), hr = 8000ffff: CSTAThreadPool: Unable to get bind thread.
The run-time environment has detected an inconsistency in its internal state. This indicates a potential instability in the process that could be caused by the custom components running in the COM+ application, the components they make use of, or other factors. Couldn't get ApartmentID from STAPool
The COM+ component was configured to use a large number of threads on startup but this was working fine for several years in production. The workaround was to reduce the number of pre-allocated threads, but why was this issue surfacing?
As it turns out, the desktop heap size was the root cause. Each process running on the desktop is treated differently for "Interactive User" vs "Non-interactive User". Windows reads a registry key to determine how to treat these groups of users:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems\Windows --> SharedSection = 1024,3072,512
You can read up more on this here http://blogs.msdn.com/ntdebugging/archive/2007/01/04/desktop-heap-overview.aspx.
In the settings above, you can see that the heap is set to 3072 KB for interactive users and just 512 KB for non-interactive users. This heap is used for system resources (e.g. thread handles). The small size prevents dllhost.exe from creating more threads.
By increasing the heap allocated for non-interactive users (from 512 KB to 1024 KB) the problem was solved.
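A small check for this setting, added here and not part of the original post: the SharedSection triple is one token inside the csrss command line stored in the SubSystems\Windows value, so the code extracts it from there and flags a non-interactive heap below the 1024 KB the post settled on (that threshold is an assumption).

```csharp
using System;
using System.Text.RegularExpressions;
using Microsoft.Win32;

// Added example, not code from the original post. Reads the csrss "Windows" value
// under the SubSystems key, extracts the SharedSection triple and reports the three
// desktop heap sizes described above. MinNonInteractiveKb is an assumed threshold
// taken from the value the post raised the heap to.
public static class DesktopHeapCheck
{
    const string SubSystemsKey = @"SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems";
    const int MinNonInteractiveKb = 1024;

    public struct SharedSection
    {
        public int SystemKb;          // first value: system-wide desktop heap
        public int InteractiveKb;     // second value: heap per interactive desktop
        public int NonInteractiveKb;  // third value: heap per non-interactive desktop (services, dllhost.exe)
    }

    // The registry value is a whole csrss command line; SharedSection=a,b,c is one token of it.
    public static SharedSection Parse(string windowsValue)
    {
        Match m = Regex.Match(windowsValue, @"SharedSection=(\d+),(\d+),(\d+)");
        if (!m.Success)
            throw new FormatException("SharedSection=<system>,<interactive>,<non-interactive> not found");
        return new SharedSection
        {
            SystemKb = int.Parse(m.Groups[1].Value),
            InteractiveKb = int.Parse(m.Groups[2].Value),
            NonInteractiveKb = int.Parse(m.Groups[3].Value)
        };
    }

    public static bool NonInteractiveHeapIsSmall(SharedSection s)
    {
        return s.NonInteractiveKb < MinNonInteractiveKb;
    }

    // Reads the live value; needs Windows and read access to HKLM.
    public static SharedSection ReadFromRegistry()
    {
        using (RegistryKey key = Registry.LocalMachine.OpenSubKey(SubSystemsKey))
        {
            string value = key == null ? null : key.GetValue("Windows") as string;
            if (value == null)
                throw new InvalidOperationException("SubSystems\\Windows value not found");
            return Parse(value);
        }
    }

    public static void Main()
    {
        // Constructed sample mirroring the value quoted in the post (not read from a real machine).
        const string sample = @"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows";
        SharedSection s = Parse(sample);
        Console.WriteLine("system={0} KB interactive={1} KB non-interactive={2} KB",
                          s.SystemKb, s.InteractiveKb, s.NonInteractiveKb);
        if (NonInteractiveHeapIsSmall(s))
            Console.WriteLine("non-interactive desktop heap below {0} KB: COM+ (dllhost.exe) thread creation may fail",
                              MinNonInteractiveKb);
    }
}
```

Swap the constructed sample for ReadFromRegistry() to check a real server.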
Several readers found it necessary to email me with their comments and answers to the post http://msmvps.com/blogs/alvin/archive/2008/01/07/how-old-is-the-earth.aspx. Unfortunately, there isn't a correct answer though there may be several plausible answers.
The story tries to describe the starlight problem. Starlight from distant stars travels several million years to reach the earth - we all agree on that, meaning that when we look up into the night sky, what we see is the past. Based on the time we think it takes the light to travel (represented by the boat), we say the earth is a few million years old (represented by the man on the beach). The two points of view juxtapose Christianity with science. Unfortunately, since we weren't there when the earth was formed, there isn't a definitive answer to the problem - the man doesn't answer.
Part of my day job is to lead the migration project from VB6 to .NET. You need to be shot at if you think the migration wizard will solve your problems. That's putting it bluntly. To be politically correct, there are lots of issues. I'll document those as I run into them and keep adding to this post. Hopefully, I'll have time to write some kb articles on this as well.
The estimate of 7000 lines per week of converted code is fairly accurate. This improves with familiarity and it is possible to get to around 10,000 lines of converted code per week. See this link: http://www.devx.com/vb/article/16822
- Moving a Windows VB6 client that uses email to the web. Microsoft does not support using CDO against Exchange Server from .NET. The supported approach is to use WebDAV.
- For Each statements in ASP pages don't return valid values. Ex.
- Replacing exceptions with the Enterprise Library. By default the Enterprise Library Data Access Application Block uses System.Data.SqlClient as the provider. In order to use ODBC connectivity, you will need to configure the Data Access Application Block.
- A .NET 2.0 client is not able to communicate with a web service hosted on a Windows 2000 server. Search for the hostname in the WSDL and replace it with the IP address of the server. The exception message is usually:
[WebException: The request failed with HTTP status 404: Object Not Found.]
System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall) +533199
System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters) +204
BFGServiceApp.ReportService.ReportURLService.ReportURLInfo(String AppKey) in C:\webroot\BFGIntranet\BFGServiceApp\Web References\ReportService\Reference.vb:80
BFGServiceApp.CallReportService.Page_Load(Object sender, EventArgs e) in C:\webroot\BFGIntranet\BFGServiceApp\CallReportService.aspx.vb:8
System.Web.UI.Control.OnLoad(EventArgs e) +99
System.Web.UI.Control.LoadRecursive() +47
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1061
- Cannot access object properties using a foreach loop. The solution is to rewrite the ASP code with a for statement.
A scientist and a preacher observe a man standing on the shore next to a harbor looking at the neighboring island. A boat is docked in the harbor. Both the scientist and preacher agree that the boat likely came from the island. If it did, both agree that the boat would have taken approximately 10 hours to make the journey. The scientist and preacher ask the man 'How long have you been standing there?'. The man does not answer. Instead, he turns his head to look at the boat in the harbor.
The scientist reasons that the man must have been standing there for at least 10 hours because he likely was standing on the shore watching the boat from the time it left the island to the time it arrived in the harbor. The preacher does not think it logical for the man to have been standing on the shore for 10 hours. He reasons that the man would have gotten bored or tired. He may also have just arrived on the shore a short while ago, maybe 15 or 20 minutes or so.
How long do you believe the man has been standing on the shore?
Blame it on the strong Canadian dollar! Enjoy this new price of $19.99.
I've gotten a lot of comments on shipping to different parts of the world - customers want the Black Book and they want it yesterday. Lulu will ship anywhere and expedited shipping is possible for a very reasonable price. Don't hold your breath on an eBook download; that's not happening. Period. Your best bet is to buy using expedited shipping.
The reason why the book is not on Amazon is that the ISBN package required for that type of service will add $30.00 to the current price of the book. That's not going to happen on my watch. So, it's gonna stay on www.lulu.com/owc indefinitely.
Recently, I walked right into an ambush with .NET. A client asked how best to target a CLR version from a .NET application. Easy right? Just use this in an app.config file:
<startup>
<requiredRuntime version="v1.0.3705" safemode="true"/>
</startup>
As it turns out, this simply won't work for any version above 2.0. Bummer! I hate those issues because they make you look stupid as a consultant. Even worse, it makes the framework look like it is broken - of course it is. The blame game is an appropriate response, but it doesn't solve the problem at hand.
As it turns out, there is no bulletproof way to fix this issue except to recompile the application against the appropriate targeted version of the framework. Here is the link that describes this in more detail: http://support.microsoft.com/kb/556035
The Black Book, 2nd Edition is now available at an amazing price of $24.99. However, this price is only available on www.lulu.com/owc. Amazon will continue to stock the old item. I strongly recommend purchasing the new item from www.lulu.com/owc.
The book is updated to provide:
1. More code.
2. Sample working projects with code snippets for each component.
3. WCF examples.
4. Better images.
5. Corrections and updates to licensing.
I am currently wrapping up work on the 2nd edition of the Black Book. It is expected to hit shelves in October 2007. The update includes:
- Code corrections
- Licensing information changes
- WCF programmability with the components
- Updates for Visual Studio 2005
- Updates for Visual Studio 2008
- Direct binding of components to datasets
As you know, the Black Book was an independent project not backed by any major publisher. But it has been one of my most successful books in terms of financial returns. As a thank you to my customers, I've always wanted to reduce the price on the book and in fact did so on the lulu.com website, where the book remained in the top 10 for 18 straight months. However, Lulu changed their pricing format to reflect those of Amazon etc. and the price drop vanished.
The only way to reduce the price was to purchase another ISBN. I figured, if I was going that way, I might as well update the book in the process. This would give me a chance to incorporate user feedback and correct some issues with the book.
Now, for the good part. Since I have no major distributor on my back, I can sell the book for whatever price I see fit. My new price is $24.99
This issue seems to be raised a lot in the newsgroups. When you iterate a container, an ArrayList for instance, you cannot remove items from the container inside the body of the loop. You get a nasty exception if you have no regard for the rules.
Apparently, the run-time imposes a read-only restriction on the container being iterated. The read-only restriction keeps all assumptions about the container valid during the loop iteration. There's an article here that discusses this in more detail.
Basically, this code produces an exception:
// arr is an ArrayList with some random items
foreach (string s in arr)
{
    arr.Remove(s); // modifies the collection being enumerated: InvalidOperationException
}
whereas this code does not:
// notice the inline declaration of the ArrayList in the loop: the copy is enumerated, arr is modified
foreach (string s in new System.Collections.ArrayList(arr))
{
    arr.Remove(s);
}
However, I did get yelled at for providing a solution that was not efficient :-).
To be fair, the solution discussed in this article is mildly inefficient; it takes well under a second to remove 10000 items from a collection. If efficiency is your main issue, you may want to make use of the generics approach, which looks like this:
List<string> list = new List<string>();
// add list items
...
// RemoveAll sweeps the list once and drops every item for which find returns true
list.RemoveAll(find);
// define find here
public bool find(string s)
{
    // add some condition here, for now return true
    return true;
}
To be clear, the generic approach is much faster at the expense of more code. There is no free cheese. However, because both of these approaches execute in well under a second, you earn your daily wage by focusing on other inefficient points in your application such as indexing your database records. It's not worth it to optimize away 0.5 seconds for this routine while your database records run on stale indices for instance. That's pretty pointless in my humble opinion.
Something of interest to note is that while ArrayList.Remove is implemented as a linear search followed by a delete, the generic approach also performs a linear search, using the find method. But it is important to note that this linear search is a one-time expense. This sweep marks all items for deletion and then removes them in one pass. My approach essentially incurs this expense every time Remove is called. This explains the jump in performance of the generics approach.
In the real world, you won't get any brownie points for that optimization. Period. Go find somewhere else in your application to spend time and energy on.