Compsoft Flexible Specialists


Monday, November 13, 2006

Neil Bostrom: Microsoft TechEd (Friday)

Attacking and Defending ASP.NET Applications
This session provided a valuable insight into some of the small mistakes you can make in your applications that can be exploited, SQL injection, cross-site scripting and malformed URLs being some of the common ones. The key point that was raised was not to trust user input in whatever form it may take: query string, form input, URL or cookies. Validate any input and always assume it's malicious until proven safe.
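As an added illustration (not from the session; table, column and connection-string names are assumptions), the same product lookup written first the unsafe way and then with the input validated, passed as a typed parameter, and HTML-encoded on the way back out:

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

// Added example, not from the TechEd session. Table and column names are assumptions.
public static class ProductLookup
{
    // UNSAFE: the raw query-string value becomes part of the SQL text, so anything
    // that is not a plain number changes the meaning of the query (SQL injection).
    public static string BuildUnsafeSql(string idFromQueryString)
    {
        return "SELECT Name FROM Products WHERE ProductId = " + idFromQueryString;
    }

    // Step 1: validate. A product id is a positive integer of sane length; anything
    // else is rejected before it gets anywhere near the database.
    public static bool TryParseProductId(string raw, out int productId)
    {
        productId = 0;
        return !string.IsNullOrEmpty(raw)
            && raw.Length <= 9
            && int.TryParse(raw, out productId)
            && productId > 0;
    }

    // Step 2: parameterise. The value travels as a typed parameter, never as SQL text.
    public static string LookupName(string connectionString, string idFromQueryString)
    {
        int productId;
        if (!TryParseProductId(idFromQueryString, out productId))
            throw new HttpException(400, "Invalid product id");

        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT Name FROM Products WHERE ProductId = @id", conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = productId;
            conn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }

    // Step 3: encode on output. A stored name containing markup is rendered as text,
    // not interpreted by the browser (cross-site scripting).
    public static string RenderName(string name)
    {
        return "<h1>" + HttpUtility.HtmlEncode(name ?? string.Empty) + "</h1>";
    }
}
```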

Membership and Profiles in ASP.NET 2.0
The new membership object model that was introduced in ASP.NET 2.0 is extremely flexible and provides a lot of functionality out of the box. All the controls can have their HTML customized as well as just setting the CSS classes. The provider model that plugs into the back end also allows almost complete customization.

A Distributed Solution with .NET 3.0
This was a practical session using all the new technology: WCF, WPF and WF. The speaker had created a media library application with multiple front ends using WCF to communicate with a single server application. The application also demonstrated streaming video using WCF, but required some custom handlers as the out-of-the-box functionality does not provide for streaming.

OlyMars
Take one crazy French guy that works at Microsoft and an awesome idea on how to take generation to the next level and you have OlyMars. It's a template-based generation system that comes with a bunch of inbuilt templates supporting ADO.NET, Presentation Controls and even Documentation. The framework that has been put in place is extremely well made and gives you incredible control on what you generate and where.


Friday, November 10, 2006

Tim Jeanes: Microsoft TechEd (Friday)

A session on creating secure websites today was a little disappointing in that we didn't learn much, but I took it as encouragement that we're already doing things the right way. (There was one small vulnerability that it brought up, but of course I can't tell you what that is until I've got back and fixed it in the one site it applies to. It's pretty well a one-line fix, so I don't feel too bad about that.)

Microsoft have a new product out for analysing the potential security risks in your websites, but as it mostly seems to be a matter of your ticking boxes to say what technology you're using and it then telling you what to watch out for, I think I'll stick to reading the relevant articles on MSDN.

The seminar "Accessibility in the AJAX age" was led by one of the contributors to the W3C standards for page accessibility. With browser technology moving forwards so quickly, and innovations such as AJAX driving the user experience forwards, it's encouraging to hear that accessibility devices such as screen readers are (just about) keeping pace with these changes. Though it's still extremely easy to confuse such devices (or human users with any of a range of disabilities) by writing poor HTML or CSS, so long as you stick to the basic tenet of having your HTML say exactly what you mean, rather than using layout tricks to make the final result look like what you mean, then you're not going to go too far wrong. Making sure the only JavaScript event you rely on is the onclick event, and that you never expect anyone to click something that isn't a link or a button, will give you reliable DHTML.

AJAX makes things a little trickier though. A blind user will know to click a link to expand a details panel, for example, but their screen reader will take a snapshot of the updated page with the "Please wait... loading" message you thoughtfully put in. As the completion of the asynchronous call to the server uses only JavaScript to update the page, this doesn't appear to the user. The way round this is to navigate a hidden IFrame to a blank page (with a GUID in the query string to prevent any caching issues). Screen readers will take this navigation event as their cue to reread the HTML and present the changes to the user.

These blogs, by the way, have been uploaded over the wireless network in free moments between sessions. It's pretty impressive that they've set up a network capable of supporting the needs of 6,000 people armed with laptops.

There's a short video of our exploits here.


PDF Documents in ASP.NET

I needed to write a system which would take a system-defined number of images from a database and present them in a well-structured PDF document.

This was the first time I had looked at creating PDF documents on the fly in an ASP system without being able to render the contents into HTML first and then simply using a print driver to create the document for me.

My first stop was the Internet to see if there were any PDF DOM utilities out there for .NET. As you might expect this was not the first time anyone had tried to do this and as a result I found a plethora of systems which looked like they might fit the bill. On further investigation however, many of the candidates seemed to only have limited functionality with respect to image manipulation and supported formats. In short, after a few hours of trawling through the specifications and technical documentation of these solutions I plumped for PDF Sharp.

PDF Sharp turned out to be a fantastic piece of kit which had excellent support for image and document manipulation and the documentation was as complete as you could want. I had a working system within half a day and the reporting module was totally finished within 2 days.

Awesome.


Thursday, November 09, 2006

Neil Bostrom: Microsoft TechEd (Thursday)

Asynchronous ASP.NET Programming
It turns out that threads inside the ASP.NET worker process are like hot pokers: you don't want to hold them for long!

Using asynchronous programming in ASP.NET, you can free up more time for the worker threads to do other work (like taking more requests). The biggest wait times in your system are always external I/O (database calls, web service calls, file writing etc.). By doing this kind of work asynchronously, you allow many more requests to be processed by your application.

The three main ways to accomplish asynchronous programming in ASP.NET are:

Asynchronous Pages
By adding Async="true" to the page directive, extra event handlers are available on the page to allow you to wire up asynchronous events.

Asynchronous HTTP Handlers
Handlers are ideal for pulling images from databases or doing general file type actions. HTTP handlers are more lightweight than standard aspx pages as they do not need to load the page control tree model.

Asynchronous HTTP Modules
Modules allow you to control any part of a request coming in or going out. This has the same asynchronous model as the handlers.
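An added example of the second approach, an asynchronous HTTP handler that serves an image from the database (not code from the session; the connection-string name, table and columns are assumptions, and the connection string needs "Asynchronous Processing=true" for BeginExecuteReader to work):

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.Configuration;

// Added example, not from TechEd. The worker thread is returned to the pool between
// BeginProcessRequest and EndProcessRequest while SQL Server does the I/O.
// Register it in web.config under <httpHandlers> for a path such as "images.ashx".
public class DatabaseImageHandler : IHttpAsyncHandler
{
    private HttpContext _context;
    private SqlConnection _connection;
    private SqlCommand _command;

    // Per-request state lives in fields, so the instance must not be reused.
    public bool IsReusable { get { return false; } }

    // The synchronous entry point is never called once the async pair exists.
    public void ProcessRequest(HttpContext context)
    {
        throw new InvalidOperationException("Use BeginProcessRequest/EndProcessRequest.");
    }

    public IAsyncResult BeginProcessRequest(HttpContext context, AsyncCallback cb, object extraData)
    {
        _context = context;

        // The id comes from the query string: validate it before it reaches the database.
        int imageId;
        if (!int.TryParse(context.Request.QueryString["id"], out imageId) || imageId <= 0)
            throw new HttpException(400, "Invalid image id");

        string connectionString =
            WebConfigurationManager.ConnectionStrings["Images"].ConnectionString; // assumed name
        _connection = new SqlConnection(connectionString);
        _command = new SqlCommand(
            "SELECT ContentType, ImageData FROM Images WHERE ImageId = @id", _connection);
        _command.Parameters.Add("@id", SqlDbType.Int).Value = imageId;
        _connection.Open();

        // Hand the wait to ADO.NET. ASP.NET's callback (cb) fires when the reader is
        // ready and the framework then calls EndProcessRequest on a pool thread.
        return _command.BeginExecuteReader(cb, extraData, CommandBehavior.CloseConnection);
    }

    public void EndProcessRequest(IAsyncResult result)
    {
        try
        {
            using (SqlDataReader reader = _command.EndExecuteReader(result))
            {
                if (!reader.Read())
                {
                    _context.Response.StatusCode = 404;
                    return;
                }
                _context.Response.ContentType = reader.GetString(0);
                _context.Response.BinaryWrite((byte[])reader["ImageData"]);
            }
        }
        finally
        {
            // CloseConnection already closed it with the reader; Dispose is belt and braces.
            _command.Dispose();
            _connection.Dispose();
        }
    }
}
```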

Internet Information Services 7 (IIS 7)
A new version of IIS has been developed for Windows Vista and "Longhorn". Building on the success of IIS 6 with regard to security and reliability, IIS 7 takes it one step further by splitting out most of the functionality of IIS into modules. This means you only need to load the modules you need. So if you're just hosting HTML pages, just load the static content module and nothing else. This makes the attack surface of IIS 7 much smaller than any previous version's. Microsoft has also given IIS a new interface that integrates into Visual Studio and can also be accessed remotely. All the settings are stored using the same mechanism as ASP.NET, in .config files. These XML settings files allow settings to be overridden at any level, or block them from being overridden. This makes for a flexible configuration model that IIS has been missing for years.

Continuous Builds
Continuous builds are such an important part of Agile programming that a lot of tools are now being released to support this need. We currently use NAnt with a custom tool for continuous integration. During this session we were shown some of the other players and their capabilities. FinalBuilder seems to be a well-established tool with good support for all the common tasks. It has a small licence fee but nothing compared to the huge cost of Team System Foundation Server (TSFS).

Team System Foundation Server is a new Microsoft offering. It's probably one of the less complete products, but it is trying to do a lot of jobs (unit testing, build, code coverage, source control, document versioning, bug tracking and project management features). Saying TSFS is big is an understatement. The optimal configuration for TSFS is something like 4 separate servers. This is a big expense, let alone the licencing costs.


Tim Jeanes: Microsoft TechEd (Thursday)

The first session today was on asynchronous ASP.NET. This is something we haven't really needed to use in the past because it's quite a pain and it doesn't improve the individual user's experience at all: if you request a web page then you're going to have to wait for all the information to come back before you can do anything anyway. The downside (that we'd overlooked) is that if the page is slow to load due to waiting for a large database request or a response from an external web service, then that ties up a thread from the pool, potentially preventing other users accessing the site if there's a lot of heavy traffic. This session walked through how to use multi-threading to make applications far more scalable (sometimes over 1000 times more scalable).

I don't think this is something we'll be implementing on every page we build (although practically all our pages query the database), but there are some pages that I think are good candidates for using this kind of methodology: ones that contain images we're pulling from the database or contacting the bank to take customers' payments, especially when these pages are amongst the most frequently-accessed ones.

A Q&A session on squeezing better performance out of .NET code contained a disappointing lack of stuff that I can immediately use, though it did give a few interesting insights into what's going on behind the scenes.

I attended a seminar and subsequent white board discussion that went into quite some depth of how to use Windows CardSpace to authorise users logging onto your website and to take credit card payments for your goods and services. CardSpace is just such a beautiful thing. If you're reading this blog, then the chances are that CardSpace isn't going to help much to protect your identity online. It's all about protecting the identity of people who are using the internet but have no idea what security is, and couldn't tell a phish from a fish. So many times, the speaker's or delegates' mothers were cited: what would my mum do if she visited such a site? How would my mum manage her cards? What would a phishing site be able to do with my mum's card?

The end user will never have to remember a username or password again; they can control exactly what personal information is sent to each site; even if two websites have access to each others' databases, they won't be able to tell that a user uses both those sites; and a user can (if they so wish) maintain a number of different identities for different purposes.

There was a demonstration of how to switch an existing site across to using CardSpace as well as the username/password system that's already in place. It's surprisingly simple: you'd have to add a few lines of HTML to the login page, one GUID column to the user table, and write a bit of easy code to handle the card data you receive. Public code libraries already exist to handle the decryption of the incoming key.

There's additional security for sites that (at present) require rather more security for setting up a user account than just picking a username and password - such as your online bank account. In this case the bank would dish out the virtual card that you then use to sign on. The bank is the only person who holds your details, and they'll never need to know your mother's maiden name.

I think CardSpace really has the power to revolutionise identity on the internet - especially as non-Microsoft systems providers are actively supporting it, and a number of banks are on board for using this as a more reliable method of user authentication.


Wednesday, November 08, 2006

Neil Bostrom: Microsoft TechEd (Wednesday)

LINQ More Questions
We had another session on LINQ this morning covering much of what we have seen before. There was a lengthy Q&A slot at the end of the session giving us a good chance to raise our questions on LINQ. Our main question was on how you control population of related objects to optimise the number of SQL calls made. This was always the biggest drawback we faced with using Gentle.NET. This seems to have some nice solutions in LINQ, with declarative control over what is pulled back in your SQL calls.

Windows Presentation Foundation (WPF) In Web Applications
I was interested in joining this session to find out what kind of support WPF has for the web. It turns out it is very limited: it is only supported on IE7 and you have to have Framework 3.0 installed. It has almost no integration with your existing web applications.

However, planned at the end of the development is a product code-named WPF/E (for everywhere). This is a cut down version of WPF that is planned to be shipped on most current platforms and browsers as a Flash-like plug-in. This could make for a very powerful addition to web development.

Hardcore .NET Production Debugging
This was a fantastic session covering some of the most advanced tricks to debugging memory leaks, crashes, application hangs and threading issues. It highlighted some of the great tools available to debug your applications on production servers. The most interesting point was on what you could do with crash dump files. These files had always interested me and I wanted to know more about making the most of them.

Dot NET Rocks!
This session was a live recording for the popular Dot Net Rocks show. Turns out the topic for this show was one very close to my own heart: Agile development. The Dot Net Rocks team had managed to dig up three very good experts on the topic and it made for a heated show covering really good tips on getting Agile development working for you in your company. We have already started using most of the important Agile features (unit testing and continuous builds). This puts us in a very strong position to maybe try to pick up some of the other Agile features (XP programming, the Planning Game, Sprints or Scrum meetings).

Patterns for Service-Oriented Architecture (SOA)
This session was a do's and don'ts on web services for creating an SOA. Ron Jacobs was clearly a very experienced speaker in this field and brought across the issues very well. Here is a highlight of his points:

Do's:
  • Make very strongly typed web services for business processes
  • Try to version your service objects if you have to change them with existing clients
  • A good design plan is to base your interface on the mental image of moving documents around an office, make it feel right
  • Try not to think of web service calls as methods but more business processes
Don'ts:
  • Make very general interfaces into your services, e.g. DoEverythingMethod
  • Use internal objects as part of your interfaces
  • Create a chain of web service calls, as these would add a dependency of the client calling the methods correctly


Tim Jeanes: Microsoft TechEd (Wednesday)

We saw some more of LINQ this morning, and holy crap! - this is so going to change the way we work! It just makes it so easy to get your hands on exactly the data you need where and when you need it. When combined with the new anonymous classes in C# in .NET Framework 3.0, you get all the type casting and IntelliSense you'd expect from a proper class, but without the hassle of creating a whole new class just for that one time you want to use it. So, on your customer list page you can create an anonymous class on the fly that holds just the details you want from the customer table (with any aggregate data from child tables), without having to make a "CustomerSummaryDetails" class to hold it. It's a beautiful thing.

I was very impressed with how LINQ saves data back to the database - it supports all common models for data concurrency and transactions right out of the box. However, it frightened me a little that if you query the same table twice, both resultant datasets will refer to the same object in memory. This has the potential to be either very powerful or very dangerous. Similarly, I'm not convinced we'll still have enough control over how LINQ saves changes to child tables. We caught the speaker at the Ask The Experts stand over lunch and though he put our minds at rest over some issues, we managed to throw him slightly with these kinds of questions, so I remained unconvinced.

I later attended an extended Q&A session with Anders Hejlsberg - the head of C# language design - who also had a big hand in LINQ. I think it'll take a bit of a paradigm shift on our part: whereas Gentle.NET takes snapshots of the data in the database and lets you play with them in object form, LINQ considers your objects to be a representation of the underlying data: you only have one instance of that object in memory, just as there is only one instance of the object in the database. Everything we already do is still possible (and slicker in many cases), but we'll just have to alter the way we handle our objects a little.

Hejlsberg talked about his future plans for C#. Microsoft will be taking their current support for partial classes one step further by enabling partial methods too: you can define the signature of a method in one half of your partial class and then instantiate it (if needed) in the other. (If you don't instantiate it then the compiler removes not only the method signature, but also all calls to that method.) This perfectly fits a problem we've hit regarding the validation of classes, one half of which has been created by a code generator.

We'd found a work-around, but as Hejlsberg said that this exact use is the main driver for introducing this new feature, it's nice to see that we're one step ahead of the game! Incidentally, Hejlsberg also said that partial classes were introduced in the first place to enable the safe regeneration of code after the underlying database changed. This is exactly the use we've made of them - it fixed the inheritance workaround we'd used before - another encouragement that our coding practices are right up there with the best of them! omg omg 1337 hax!
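A minimal illustration of the partial-method pattern described above, added here and not from the talk (class, property and method names are made up): the generated half declares the validation hook and calls it, the hand-written half supplies the body.

```csharp
using System;

// Added example, not from TechEd. Names are made up.
// --- Customer.generated.cs: regenerated whenever the schema changes ---
public partial class Customer
{
    public string Email { get; set; }

    // Declaration only. If no other part of the class supplies a body, the compiler
    // removes both this declaration and the call to it below, so generated code
    // never needs to know whether a hand-written check exists.
    partial void OnValidate(ref bool isValid);

    public bool IsValid()
    {
        bool isValid = !string.IsNullOrEmpty(Email);
        OnValidate(ref isValid);
        return isValid;
    }
}

// --- Customer.cs: hand-written, survives regeneration of the other half ---
public partial class Customer
{
    partial void OnValidate(ref bool isValid)
    {
        // An extra rule the generator cannot know about.
        if (isValid && Email.IndexOf('@') <= 0)
            isValid = false;
    }
}
```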

Another interesting session today was looking at the ASP.NET AJAX toolkit. Microsoft are providing a good-sized library of out-of-the-box AJAX controls, and though we've not had the business incentive to use them in the past, I think the ease of use I saw today means that we'll be incorporating these into our web applications in the very near future. They're supplying pretty well every type of control that will be commonly useful, and they're all vastly configurable. The demonstration also covered how to build your own AJAX control using the various helper libraries that Microsoft have prepared (that handle everything from the browser-to-server interface to ensuring your control will work under the varying DOM models implemented by all the major browsers). Quite frankly, building your own control looks pretty horrendous, and it's the sort of thing you'll quickly forget unless you do it every day. However, as with most technologies it's enough to know that it can be done, and the ample resources on the web will fill in the gaps as and when you need them.

The session entitled 'Encrypting Without Secrets' took a look at the strengths and weaknesses of public/private key-pair encryption, highlighting the issue that all this generally achieves is transferring what the secret is from one thing to another. Initially your secret is that one big critical document, or perhaps your credit card details; after encryption you tend not to worry too much about who gets to see that encrypted text, so the secret now becomes your private key. Unfortunately, a private key is a lot smaller than a whole bunch of company secrets, and getting your hands on the key unlocks a whole load of valuable information. Typically the private key is kept on the same server as the encrypted information, merely for convenience's sake. Avoiding this much-overlooked weak link in the chain is a fascinating topic, especially if you're not to introduce any other new weaknesses, whilst keeping your secure systems usable.

I really hope they do something different for lunch tomorrow though - they've served the same thing two days running now, and though I'm generally not averse to paella, I am when it tastes like that...


Tuesday, November 07, 2006

Neil Bostrom: Microsoft TechEd (Tuesday)

ASP.NET AJAX
Previously known as "Atlas", this is Microsoft's open source implementation of AJAX. When I say open source, the client scripting is open source and is compatible with all major current browsers (IE, Firefox, Netscape and Safari - even on the Mac). This client scripting is being developed by the community in an open source fashion.

Server side scripting for this technology is Microsoft's usual closed source but is only compatible with ASP.NET so no real reason to make it open source. A lot of the server side work is drag-and-drop; you can change most of your existing code to start using the power of AJAX (when appropriate).

Neat features of this AJAX framework are that it will plug straight into existing web services and has bridging code allowing AJAX script to seamlessly call current web services.

SQL Server 2005: Advanced Indexing Strategies
All of this session made me see that I need to learn a lot more about SQL Server, and soon!

The summary of this session was: try to always have a clustered index on your standard tables. Try to make the clustered index narrow (limited fields), unique (identity field, datetime/identity or GUID) and small (identity). Sometimes the best non-clustered indexes are the ones that cover a lot of fields. This gives the SQL optimizer a bunch more options.

Kimberly Tripp knows her stuff and is incredibly passionate about SQL Server and all it entails. She has made a bunch of online webcasts discussing almost every aspect of SQL Server and getting the most out of it. As soon as I get back to the office I will be downloading them all!

Language Integrated Query (LINQ) Framework
I personally believe this is the best thing to come out of TechEd: it's Gentle.NET on steroids, backed by Microsoft. It's a well thought through framework for querying almost anything inside .NET. Objects in memory, you want to filter them? Job done. Sort, group, aggregate? Job done. You want to do all that with data from SQL Server? Job done. You want to do all that with XML documents / web services? Job done.

I believe this will fundamentally change how I write my code and I'm picking up a copy as soon as I can!

Visual C# IDE Tips and Tricks
Class Diagrams - You can drag framework classes into the class diagrams to explore them in more detail
Refactoring - All the refactoring in C# is code snippet based, meaning you can change the refactoring to suit your needs
Debugging - You can control more closely what is debugged and how it's displayed using the Debugger attributes available in the framework


Tim Jeanes: Microsoft TechEd (Tuesday)

Wow, they work you hard at TechEd! Five seminar sessions a day keep you going from 9am till 7pm, yet none of them is ever long enough to fit in everything you want to learn. Every session left me wanting more, and with 138 seminars, white board discussions and hands-on labs to choose from, you can never get more than a fraction of the amount of information available.

I'll pull out a few things that stood out to me today.

First of all were the changes in working practices that Windows Vista will force on us. Having the same people developing the logic of the code and the visual front end just isn't going to cut it any more, unless you're happy with all your applications looking like Windows XP (which will be worse than the feeling you got running Windows 3.1 apps in Windows 95). The whole visual experience of Vista is going to be such a step above what Windows offers today that you really will need dedicated designers giving your applications their own look and feel. Absolutely everything can be styled. Whereas presently you can style a button by setting its border and colour (or maybe a background picture if you really want to), in Vista you basically have to draw it yourself from scratch. So long as you have some kind of artistic talent then you won't mind setting the shading, transparency and opacity of the various layers you choose, along with the transitional animations for when you move your mouse over it; if not then you'll be needing to hire some graphic designers pretty soon. As a concession they do include XAML to draw the controls we're used to in XP, but that's really only to get you started.

Fortunately they're adding the necessary functionality into Visual Studio to allow the developers to get on with developing the code and the designers to get on with making the look and feel without the two parties stepping on each other's toes. I (as a developer) can create my form with a listbox on it and make everything work, only to be utterly surprised that the final project ships with that list box rendered as a rotating 3D carousel - yet I can rest assured that such dramatic changes will have no impact whatsoever on my functionality.

Microsoft are shipping a new set of products (LINQ, DLINQ and BLINQ) that will greatly enhance our speed of application development. LINQ stands for Language Integrated Query, and basically lets you query any sets of objects you have in memory as you would query a SQL database. This gives you clearer and easier methods for searching through collections of objects you already have. However, its real strength lies in letting you tell the compiler that properties on a class map onto fields in an actual database; then querying your objects builds queries on the fly (including all the necessary joins, filters and sorts) to pull out the data you require. This is phenomenally easy to implement - it's just a case of slapping a few attributes on some properties. This nicely side-steps all the hassle of creating stored procedures to handle your data persistence: you may never need to write a stored procedure again.

This all sounds remarkably familiar to those of us who are used to using products like Gentle.NET (which has served us very well for a few projects now), but it's great to see Microsoft catching up with the rest of the coding community, and being a Microsoft product we can be sure it'll plug nicely into Visual Studio and everything else. They're not being exclusive though: they've made it easily extensible so we can use whatever back end database we like.
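An added example, not from the sessions, of the attribute mapping just described combined with the anonymous-type customer summary mentioned in Wednesday's post above. It uses the System.Data.Linq API as it shipped; the table, column and connection-string values are assumptions.

```csharp
using System;
using System.Data.Linq;
using System.Data.Linq.Mapping;
using System.Linq;

// Added example, not from TechEd. Table and column names are assumptions.
[Table(Name = "Customers")]
public class Customer
{
    [Column(IsPrimaryKey = true)] public int CustomerId;
    [Column] public string Name;
}

[Table(Name = "Orders")]
public class Order
{
    [Column(IsPrimaryKey = true)] public int OrderId;
    [Column] public int CustomerId;
    [Column] public decimal Total;
}

public static class CustomerSummary
{
    // Builds the customer list page data without a CustomerSummaryDetails class:
    // the anonymous type carries exactly the fields and aggregates the page needs.
    public static void Print(string connectionString, string namePrefix)
    {
        using (DataContext db = new DataContext(connectionString))
        {
            Table<Customer> customers = db.GetTable<Customer>();
            Table<Order> orders = db.GetTable<Order>();

            // namePrefix is user input, but LINQ to SQL sends it as a SQL parameter
            // (WHERE Name LIKE @p0 + '%'), never as concatenated query text.
            var summary =
                from c in customers
                where c.Name.StartsWith(namePrefix)
                orderby c.Name
                select new
                {
                    c.CustomerId,
                    c.Name,
                    OrderCount = orders.Count(o => o.CustomerId == c.CustomerId),
                    // Cast to decimal? so a customer with no orders sums to null rather
                    // than failing; coalesce that back to zero.
                    Spent = orders.Where(o => o.CustomerId == c.CustomerId)
                                  .Sum(o => (decimal?)o.Total) ?? 0m
                };

            // The filter, sort and aggregate subqueries are translated to one SQL
            // statement when the query is enumerated here, not evaluated in memory.
            foreach (var row in summary)
                Console.WriteLine("{0}\t{1}\t{2} orders\t{3:C}",
                    row.CustomerId, row.Name, row.OrderCount, row.Spent);
        }
    }
}
```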

BLINQ takes code creation one step further. They didn't mention what it stood for, though I'd like to venture "doing my BLINQing job". This product is still in the early stages of development and so only exists as a command line utility so far, but will be integrated as a fully-fledged wizard in the new version of Visual Studio (project Orcas/.NET Framework 3.5). Basically what it does is build your entire web application for you. You hand it a database schema and it creates pages to list, view, add and edit every object that the database describes. It understands the joins in the database so your customer details page will have links to list all the orders that customer has placed, etc.

Fortunately it's a fairly blunt instrument: it doesn't understand which users should be allowed to do what, the relative importance of various fields, or exactly what processes should be triggered when you try to delete a customer, for example, but it certainly could give you a good starting point for your web application (so long as the final version lets you define your own templates), which will take out a lot of the dull monotonous parts of web development.

One last highlight: they provide all the Coke you can possibly drink, free of charge. It's geek heaven.


Monday, November 06, 2006

Tim Jeanes: Microsoft TechEd (Monday)

Microsoft Tech.Ed Developers 2006 is considered the conference for computer geeks worldwide. The day before I flew out here, my house mate expressed his jealousy and asked if I had any space for him to stow away in my suitcase. I told him he'd have to share with the two others who had already asked.

Billed as "four days to get you months ahead of the game", it's actually five days if you include the pre-conference sessions on the Monday. Enthusiastic as we are, we turned up on site first thing Monday morning - only to find that though our flights had been booked a day early, no one had remembered to book our places on the pre-conference itself. We weren't the only ones disappointed to be turned away by the surly security guard.

*Sigh*

Oh well - registering still got us the conference pack, including a rather impressive DVD stuffed full of demo videos, white papers and hands-on labs: everything the keen geek needs to get his hands dirty. So, after a whistle-stop tour of the local tourist attractions, it was back to the oldest hotel in Barcelona to review the newest developments in IT.

And it's impressive stuff! There's a lot to be covered in the coming week, and we can't wait. Microsoft is splitting into three main areas, though of course they overlap and there's plenty more on the sidelines.

1. Office 2007
2. AJAX
3. Windows Vista


We haven't seen much of Office 2007 yet (what kind of geeks care that much about PowerPoint?), but I'm sure we will through the rest of the week.

AJAX is the tool used to make web sites more intuitively interactive - basically allowing you to do much more within the web page without the whole screen refreshing. It's the useful third of the much-hyped but little-understood Web 2.0 (the other two being rounded corners and a penchant for remaining constantly in beta testing). We're pretty excited about getting to see what Microsoft has to say about this and what ready-made tools they're supplying to use out-of-the-box.

Windows Vista is going to be a major step forward. It includes
  • WPF (Windows Presentation Foundation) - what makes Vista a (much, much) prettier face than XP
  • WCF (Windows Communication Foundation) - enabling communications using web services to make true SOAs (Service Oriented Applications) either over the internet or all on the same box
  • WF (Workflow Foundation) - a way of tracing objects through real-life business processes (with, naturally, a pretty front-end). Incidentally, it seems they had to avoid using the word Windows in that last acronym to avoid confusion both with the WWF and the WWF.
From a programmer's perspective, all the Vista stuff is handled by the .NET Framework 3.0: a misnomer in my mind as it's an addition to Framework 2.0 - it doesn't replace anything at all. It does, however, enable us to write applications that use WPF, WCF, WF and Windows CardSpace.

This last one's interesting: on the surface it just looks like Microsoft having another bash at their abortive .NET Passport idea, but under the hood it's a different kettle of fish altogether. This time it's using proper encryption - separately for the company hosting the site, the user and the provider of the user's identity. Crucially though, CardSpace is only Microsoft's implementation of the Identity Selector Mechanism: there's also an open source version that's backed by Apache and contributed to by Red Hat. Dishing out IDs in a compatible way is already in place from Sun, IBM and Novell.


Thursday, November 02, 2006

IE 7

Last night I received the usual Windows Update icon. I had a quick click to see what security hole they were fixing this time. To my shock and disappointment it was sending me IE7!!?!

At 15MB this isn't any usual security fix. IE7 has been completely rewritten to try to support as many of the new emerging standards as possible. The problem with this is it breaks so many existing sites: corporate intranets, e-commerce applications. For any corporation or even individual to move to this browser is a bold move. This is what makes shipping it as a critical update such a shock!

At the end of the day, we don't really have that much choice but I think I'll put this update off for a couple of weeks.
