Sunday, 13 October 2013
Monday, 7 October 2013
Deploy code first DB based web app to Windows Azure
If you created a ASP.NET MVC4 app using EF5 code first model, and you want to deploy the app onto Windows Azure, basically there are 2 steps you need to follow:
Then create a web site on Azure server and remember to create a database at the same time by following the online guide. Once website created you can get the publish profile which contains the database connection string so later when you use the publish profile to deploy your website those values can be used to replace your LocalDB connection string value (see screenshot below), and remember tick the Execute Code First Migrations option before click Next.
Tuesday, 27 August 2013
Launch an app from another app: cross platform review
Android platform allows launch any app from inside of other app as long as we know the full package name of the target app. Developer can even specify the activity to be opened initially.
iOS and Windows Phone don’t allow launch arbitrary app on the device, instead, they have different approach, the URL scheme. The targe app can register a specific URL scheme (for example “com.facebook:” for Facebook app), later when user launches the same URL from either another app or inside a webpage the target app will be launched automatically. Developer can also pass parameters in the URL just like we do in a normal URL.
Please be aware, the URL scheme introduces a security flaw because any third party app can register the same URL scheme. If more than one third-party app registers to handle the same URL scheme: for iOS, there is currently no process for determining which app will be given that scheme (see doc); for Windows Phone, each time the user opens the file, they will be asked which app they want to use.
Besides, Windows Phone provides a way that launching apps from the same publisher who published the current app. See below the code sample:
IEnumerable<Package> apps = Windows.Phone.Management.Deployment
.InstallationManager
.FindPackagesForCurrentPublisher();
apps.First().Launch(string.Empty);
Wednesday, 10 July 2013
HttpWebRequest Connection limitation
As you may know, by default, the System.Net implementation of C# is using connection pool to improving performance which respects restrictions stated in http 1.1 - one user agent SHOULD NOT create more than 2 connection to a server. This causes max 2 live connections can be created by HttpWebRequest in the same app domain at any time. So the wordaround can be just host the code in different app domains and fire the method in multi threads.
Or, you can change app configuration to rewrite the default connection limit:
<system.net>
<connectionManagement>
<add address="*" maxcoonection="2000" />
</connectionManagement>
</system.net>
Or, you can rewrite the limitation in your code before initialize the first HttpWebRequest:
ServicePointManager.DefaultConnectionLimit = 100;
Monday, 11 February 2013
Tuesday, 25 September 2012
ASP.NET Web Forms Application Paths Related
This article is going to list all ASP.NET Web Forms application paths related properties and their values on the Request object. Below the test result are based on this scenario: local hosted IIS site named VirtualSite, first we access to http://localhost/VirtualSite/Redirect/dummy.aspx and there is a HttpModule to redirect the request to http://localhost/VirtualSite/Redirect/Redirect.aspx. The request has parameters "a=1&b=2&c=3". So here it is:
| Request Property | Value |
| ApplicationPath | /VirtualSite |
| AppRelativeCurrentExecutionFilePath | ~/Redirect/Redirect.aspx |
| CurrentExecutionFilePath | /VirtualSite/Redirect/Redirect.aspx |
| FilePath | /VirtualSite/Redirect/Redirect.aspx |
| Path | /VirtualSite/Redirect/Redirect.aspx |
| QueryString | {a=1&b=2&c=3} |
| RawUrl | /VirtualSite/Redirect/Dummy.aspx?a=1&b=2&c=3 |
| Url.AbsolutePath | /VirtualSite/Redirect/Redirect.aspx |
| Url.AbsoluteUrl | http://localhost:25739/VitualSite/Redirect/Redirect.aspx?a=1&b=2&c=3 |
| Url.Authority | localhost:25739 |
| Url.DnsSafeHost | localhost |
| Url.Host | localhost |
| Url.LocalPath | /VitualSite/Redirect/Redirect.aspx |
| Url.OriginalString | http://localhost:25739/VitualSite/Redirect/Redirect.aspx?a=1&b=2&c=3 |
| Url.PathAndQuery | /VitualSite/Redirect/Redirect.aspx?a=1&b=2&c=3 |
| Url.Port | 25739 |
| Url.Query | ?a=1&b=2&c=3 |
| Url.Scheme | http |
Since there is a redirect, as you can see, only the RawUrl contains the very original request, all other values are for the redirected Url, event the Request.Url.OriginalString
Thursday, 6 September 2012
Do not mix using HtmlTextWriter and WebControl itself to set its attributes
Have a look the simplified code below first. The code is inside a ButtonControl class (assuming there is no null reference exception for CssClass property).
What does it do? First in the Render method we set the class to "Disabled" if Enabled property is false. Later when AddAttributesToRender method fired during base.Render() it will attach more CSS classes on the web control. All look good, right? No. It won’t work when Enabled == false.
Why? Check what the base.AddAttributesToRender() in line 16 does first. The AddAttributesToRender method will copy every single attribute from the web control into the HtmlTextWriter for page rendering later. If the attribute name has already existed in the HtmlTextWriter then the value of this attribute is abandoned to avoid value overwritten. This rule doesn't apply for Style attribute. For Style attribute, the value will be appended at the end of existing style string.
Ok, in our case when Enabled == false, since we have already set the Class attribute equal to "Disabled" then no matter how many other CssClass values assign to the web control directly those values will be abandoned when base. AddAttributesToRender() called.
So here is my simple advice: see the title of this article. Since we can always set attributes value on web control level it is unnecessary to touch the HtmlTextWriter under any condition.
What does it do? First in the Render method we set the class to "Disabled" if Enabled property is false. Later when AddAttributesToRender method fired during base.Render() it will attach more CSS classes on the web control. All look good, right? No. It won’t work when Enabled == false.
Why? Check what the base.AddAttributesToRender() in line 16 does first. The AddAttributesToRender method will copy every single attribute from the web control into the HtmlTextWriter for page rendering later. If the attribute name has already existed in the HtmlTextWriter then the value of this attribute is abandoned to avoid value overwritten. This rule doesn't apply for Style attribute. For Style attribute, the value will be appended at the end of existing style string.
Ok, in our case when Enabled == false, since we have already set the Class attribute equal to "Disabled" then no matter how many other CssClass values assign to the web control directly those values will be abandoned when base. AddAttributesToRender() called.
So here is my simple advice: see the title of this article. Since we can always set attributes value on web control level it is unnecessary to touch the HtmlTextWriter under any condition.
Friday, 20 April 2012
Uhuru Cloud - My First App
I recently had a chance to test a newly release cloud service provided by Uhuru. The service is named Uhuru .NET Services for Cloud Foundry and you can find all information about it by accessing Products page of Uhuru website.
Uhuru Cloud support JAVA, .NET, php and other web applications but I'd like to start with the simplest one, my company website, a single html/js webpage.
To deploy app to Uhuru Cloud you will need either install a MMC (Microsoft Management Console) or Uhuru Visual Studio plugin. I choose MMC because the multi page user guide for installation of Visual Studio plugin is quite scary. Uhuru gives a very detailed PDF doc to help deploying app through MMC and the whole process is very straight forward.
One thing worth mentioning, when pushing your app to Uhuru CloudFoundry, it will automatically identify the suitable framework and runtime version for your app. In my case, since it is just a html/js site, CloudFoundry treat it as a php app (fair enough, compare with JAVA and IIS, php host cost less). While after couple of mouse clicking and filling one small windows form, my first app is officially online now. See here: wandj.uhurucloud.net
Uhuru Cloud support JAVA, .NET, php and other web applications but I'd like to start with the simplest one, my company website, a single html/js webpage.
To deploy app to Uhuru Cloud you will need either install a MMC (Microsoft Management Console) or Uhuru Visual Studio plugin. I choose MMC because the multi page user guide for installation of Visual Studio plugin is quite scary. Uhuru gives a very detailed PDF doc to help deploying app through MMC and the whole process is very straight forward.
One thing worth mentioning, when pushing your app to Uhuru CloudFoundry, it will automatically identify the suitable framework and runtime version for your app. In my case, since it is just a html/js site, CloudFoundry treat it as a php app (fair enough, compare with JAVA and IIS, php host cost less). While after couple of mouse clicking and filling one small windows form, my first app is officially online now. See here: wandj.uhurucloud.net
Saturday, 24 March 2012
Cheat Sheets for Web Development you must have
The original article is from: Cheat Sheets for Web Development you must have. Here I only copy those I am familiar with as a back up.
Monday, 2 January 2012
Tips of securing your ASP.NET MVC3 application
Tip 1, Always encode user input content before showing it on web page. You can do this simply by using Html.Encode() for innerHTML, Html.AttributeEncode() for attribute values and Url.Encode() for href link values.
You should know code expressions in Razor are implicitly HTML encoded, therefore in cases you do need to render some HTML value that should not be HTML encoded you can use the Html.Raw() method to ensure that the value is not encoded. BUT by doing so you have thrown open the door to evil.
Tip 2, Always JavaScript Encode user input values in your JavaScript code. You can use Ajax.JavaScriptStringEncode() to do this. The reason behind this is the html encode methods mentioned in Tip 1 cannot fully stop the XSS attacks because the html encoding cannot handle hex escape string but DOM does. Therefore the hacker may use your JS code to pass hex escape string into DOM object and the DOM object will convert the string back to JavaScript code and hurt you. Have a look the code below:
1: <div id="test">Text here is suppose to be replaced</div>
2: <script type="text/javascript">
3: $(function () {
4: $("#test").html(
5: '@Html.Encode("\\x3cscript\\x3e alert(\\x27oops\\x27) \\x3c/script\\x3e")');
6: });
7: </script>
Copy the code into your razor page and run it you will see an alert message says “oops”.
Tip 3, Follow the listed principles below to prevent CSRF attacks (if you don’t know what CSRF is please google it).
- First thing first, you need follow Tip1 and 2 to make you site XSS proof
- Always use POST instead of GET to submit data changes
- Validate HTTPReferrer by checking the HttpContext.Request.UrlReferrer to see if the client that posted the data was indeed from your site page
- Put token Verification in your form. You can use Html.AntiForgeryToken() to create a hidden token value in your form and in the related controller use ValidateAntiforgeryToken attribute to check if the token is matched
Tip 4, Protect your open redirection URL. The ASP.NET MVC 3 template includes code to protect against open redirection attacks in its AccountController after user successfully log on. You need also do similar thing in other places where a potential URL redirection may occur.
Tip 5, Use the AuthrizeAttribute to require a login access or role membership access. AuthrizeAttribute can be used on Action level or Controller level. You can use FormsAuthentication.SetAuthCookie() to keep the user login info into http cookie and it can be read by calling User.Identity.IsAuthenticated() in the requested Controller.
Tip 6, Use ValidationAttibute to do view-model level data value validation automatically. Most of the ValidationAttributes support client side validation if related jQuery lib file included which is a huge benefit for us developers.
Tip 7, Prevent over posting data through ASP.NET MVC3 model binding feature which can allow your attacker an opportunity to populate model properties you didn’t even put on your input forms. You can use BindAttribute to specify the name of properties which allow auto model binding. Alternatively you can do a manual data binding by calling UpdateModel() or TryUpdateModel() methods in the controller.
Still another way to deal with over-posting is to avoid binding directly to the data model. You can
do this by define a View-Model class that holds only the properties you want to allow the user to set.
Sunday, 16 October 2011
Dynamic HttpModule registration in .NET Framework 4.0
This article could be useful for the scenario that you are developing HttpModule handling related functionality for a web application and you do not have the right to or not intend to modify the Global.asax file to register your HttpModule handler.
So here we go. Step 1, before register a HttpModule handler dynamically the first thing is to create the handler. See code below:
public class MyDynamicModule : IHttpModule
{
void IHttpModule.Dispose()
{
}
void IHttpModule.Init(HttpApplication context)
{
context.BeginRequest += new EventHandler(context_BeginRequest);
context.EndRequest += new EventHandler(context_EndRequest);
}
//... more code ignored
}
Step 2, to register this HttpModule handler, we need the reference to Microsoft.Web.Infrastructure assemble and use the contained method DynamicModuleUtility.RegisterModule. See sample code below:
DynamicModuleUtility.RegisterModule(typeof(MyDynamicModule));
But where we call this line of code? As you know HttpModule registration has to be done before the instance of HttpAppliction start. To achieve that we need the newly introduced attribute class System.Web.PreApplicationStartMethodAttribute in .NET framework 4.0. Note this attribute is assembly level attribute. See the code below, as step 3 of our example, of how to use the attribute:
[assembly: PreApplicationStartMethod(typeof(DynamicHttpModule), "RegisterMyModule")]
The code above basically says I want the web application to do something in its pre-start event, which is, to execute the static method DynamicHttpModule.RegisterMyModule, see below the code of the DynamicHttpModule class:
public static class DynamicHttpModule
{
public static void RegisterMyModule()
{
DynamicModuleUtility.RegisterModule(typeof(MyDynamicModule)); //code from step 2
}
}
And that is it.
Wednesday, 12 October 2011
Controlling XML Serialization Using Attributes
The article is mainly focus on mapping the object type name with the xml file node name when De-serializing the xml file and when the node name is not a proper C# type name
Long story short, here are some brief ideas:
- Mapping xml root element name with class name: XmlRootAttribute
- Mapping element name other than the root with class property/field name: XmlElementAttribute
- Mapping List of elements underneath the parent node, normally to a ArrayList (or generic List<T>): XmlArrayAttribute and XmlArrayItemAttribute
- Mapping a xml attribute to a C# class property/field: XmlAttribute
More details you can check the Microsoft article: Controlling XML Serialization Using Attributes
Friday, 7 October 2011
Control.BeginInvoke() vs Control.Invoke()
The BeginInvoke() method has a IAsyncResult type return value and the Invoke() method simply return a object. This makes a big difference between them which is the BeginInvoke() is making a asynchronous callback to the thread created the handle of the control.
Assuming the main thread is A and currently executing code is in thread B, if call Invoke() from thread B then thread B has to wait for the callback to thread A being finished and then continue the following process.
Tuesday, 27 September 2011
Tuesday, 7 June 2011
Ways of passing data between WP7 pages
The book Programming Windows Phone 7 (MS Press) introduced 4 ways:
- add a public propery on App class to retain the data during current lifecycle;
- add a public propery on the target page, and then in the prev page's OnNavigatedFrom event set the value of the property for the next page;
- use the property State from the application's current PhoneApplicationService instance, which is a type of generic dictionary. But the object been stored has to be serializable (the reason is when app goes to deactivated it will serialize the objects to isolated storage);
- isolate storage. BUT obviously it is not wise to frequently access isolate storage during application running. Here is a great article of compairing the performance of using isolate storage http://blogs.claritycon.com/kevinmarshall/2010/11/03/wp7-serialization-comparison/
Friday, 18 February 2011
How Secure Are Query Strings Over HTTPS?
The original article is from HttpWatch's blog, a very good post.
So, to make a long story short, the conclusions are:
At the network level, HTTPS URL parameters are secure, but there are some other ways in which URL based data can leak:
- URLs are stored in web server logs,
- URLs are stored in the browser history,
- URLs are passed in Referrer headers
Monday, 19 July 2010
Developing on SharePoint 2010 (Day 2)
a) SharePoint Server Architecture
b) SharePoint Object Hierarchy
So as you can see the SharePoint Object model is relatively straightforward. Here we have a very simple slip of code which start from reaching all services of the Farm and navigate through to the item and file level objects.
1: foreach (SPService svc in SPFarm.Local.Services)
2: {
3: if (svc is SPWebService)
4: {
5: foreach (SPWebApplication webApp in ((SPWebService)svc).WebApplications)
6: {
7: foreach (SPSite site in webApp.Sites)
8: {
9: foreach (SPWeb web in site.AllWebs)
10: {
11: foreach (SPList list in web.Lists)
12: {
13: foreach (SPListItem i in list.Items)
14: {
15: // do something
16: }
17: }
18:
19: foreach (SPFile f in web.Files)
20: {
21: // do something
22: }
23: }
24: }
25: }
26: }
27: }
Friday, 9 July 2010
Oracle Procedures (version 11.1)
| |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Temporary Tables vs. Table Variables
| Temp Table | Table Variable | |
| record transaction logs? | Yes | No |
| inside transaction scope? | Yes | No |
| cross execution batch? | Global temp table | No way |
| support index? | Yes | No |
| where to store? | Tempdb | Memory |
Thursday, 8 July 2010
Developing on SharePoint 2010 (Day 1)
This article is talking about developing web parts for SharePoint 2010 using Visual Studio 2010. If you are looking for articles for older version of SharePoint or Visual Studio I recommend this URL: http://www.aspfree.com/c/a/Windows-Scripting/Beginning-SharePoint-Web-Part-Development/
First of all, there are two types of web parts VS 2010 supports: Standard Web Part (which in VS 2010 Item Template list named Web Part) and Visual Web Part.
A standard web part is just a class inherited from abstract class WebPart. Below is the Inheritance Hierarchy of WebPart class.
1: WebControl
2: |---Panel
3: |---Part
4: |---WebPart
To add contents into standard web part we need override the CreateChildControls method and inside put code logic to create sub controls manually and add them into the Controls collection. See the code below:
1: protected override void CreateChildControls()
2: {
3: LiteralControl msg = new LiteralControl("test");
4: this.Controls.Add(msg);
5: }
The visual web part, in the other hand, give you a visual design UI to drag existed web control in. But if you check the source code, a visual web part is just a standard web part plus a Web.UI.UserControl. And in the overrided CreateChildControls method used a trick like this:
this.Controls.Add(Page.LoadControl(_controlPath));
One more thing for visual web part: the value _controlPath is the physical URL of the user control and the value of it is maintained by VS 2010.
Subscribe to:
Comments (Atom)
