Teaching or lack of

by Jesse 30. May 2008 09:49

A friend of mine has been in school for programming now for nearly 2 years and getting his associates really soon.  Good for him!  On and off he's come and asked me some questions about how to approach certain problems, most of which have been fairly easy to me so I was happy to help and walk him through some of the confusing aspects.  No sweat.

About 2 days ago he approached me about his senior project and that they were doing a website and needed some help with editing, updating employee info.  He also noted that just getting data was a huge pain and took hours for them to get it to work.  No problem, that's easy stuff.  I busted out my favorite ORM tool (subsonic!!!) and showed him how to make his data access life easy.  None of this inline sql crap.  Then I discovered something downright offensive.

We all know architecture is important.  Someone forgot to tell them that.  Further, they didn't seek out any assistance and went crazy.  What they ended up with was a horrific db structure and data access the hardest way known to man (by hand using the object data source).  I kid you not there's a page, an aspx page that has over 1000 lines and it's just displaying simple address info, nothing more.  Adding more pain, instead of using 1 page as a one stop shop, every CRUD operation is broken up into individual pages.  View the data over here, edit it over there and save it somewhere else.  I'm not joking.  Just to step it up a notch, the naming conventions are "NewUser" (new employee), "Employee Management" (editing employee data) and "ManagePhoneNumbers" (just to edit phone numbers).  In their defense, the graphics and layout aren't bad, B+.  The links and usability, F.

What are they teaching these students?!  Are the professors this far removed from the real world?  This isn't the first time I've heard of teachers being way way off base and furthers my desire to teach.  It's terrible, sad and pathetic.


Coding | Architecture | Scam

Encryption, Development and AES

by Jesse 16. May 2008 12:55

If the custom module wasn't enough, I'm now wandering off into encryption land.  A quick scouting of the System.Security.Cryptography namespace shows me a ton of stuff to play with.

Ooo, AES.  I like AES.  It runs on my router(s) @ home and is viciously annoying to crack (TKIP f0r t3h w1n!!!11).  Cool, let's use that, it's good enough for top secret docs for the gov so it should be good enough for me.  But, as with anything else, there's a catch or ...20.  Here's some basic considerations.

Will this data be searched? 

Searching encrypted data is a royal PITA and a huge overhead.  Example : saving data to a db with encryption happening in the business layer.  A perfectly viable user says to the application "hey, find this" -- you cannot directly ask the database to find it, it is impossible, so every search that happens comes across, ALL OF IT (say 2 million records), decrypts, the search happens, find the records necessary and passes that on.  Not very reasonable nor scalable.  2nd option for this is do it on the sql server itself.  Fundamentally I have a problem with this for 2 reasons.  1, a purely architecture standpoint, this should never be passed off to the data source.  In the real world, it's probably ok to offload some of that overhead, but still, using the OSI model alone says "no no" -- encryption happens in the presentation level and offloading it means you pass through all 7 layers ONCE before you encrypt -- bad bad bad.  2nd, unless the data connection between app/server is encrypted to hell and back itself, your encryption is trumped and effectively worthless.
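The search problem described above, as an added example that is not code from the original post: AES with a fresh random IV turns equal values into different ciphertexts, so the application has to decrypt every row to search. It goes one step beyond the post by also showing a keyed-HMAC lookup column for exact matches; `Row`, `BlindIndex`, the in-memory "table" and the sample values are constructed for illustration, and .NET 6 or later is assumed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example with constructed data; Row and BlindIndex are hypothetical names.
static class EncryptedSearchDemo
{
    record Row(byte[] Iv, byte[] Cipher, byte[] Index);

    static byte[] Encrypt(Aes aes, string plain, out byte[] iv)
    {
        aes.GenerateIV();                      // fresh random IV for every value
        iv = aes.IV;
        using var enc = aes.CreateEncryptor(); // uses the current Key and IV
        byte[] data = Encoding.UTF8.GetBytes(plain);
        return enc.TransformFinalBlock(data, 0, data.Length);
    }

    static string Decrypt(Aes aes, Row r)
    {
        using var dec = aes.CreateDecryptor(aes.Key, r.Iv);
        byte[] plain = dec.TransformFinalBlock(r.Cipher, 0, r.Cipher.Length);
        return Encoding.UTF8.GetString(plain);
    }

    // Keyed HMAC over the normalized value. Supports exact-match lookup only.
    static byte[] BlindIndex(byte[] indexKey, string plain)
    {
        using var hmac = new HMACSHA256(indexKey);
        return hmac.ComputeHash(Encoding.UTF8.GetBytes(plain.Trim().ToLowerInvariant()));
    }

    static void Main()
    {
        // AES-256 in CBC mode with PKCS7 padding (the defaults), shown for brevity.
        // CBC alone gives no integrity; add a MAC or use AesGcm for real data.
        using var aes = Aes.Create();
        byte[] indexKey = RandomNumberGenerator.GetBytes(32); // separate from the AES key

        var table = new List<Row>();
        foreach (string value in new[] { "alice@example.com", "bob@example.com", "alice@example.com" })
        {
            byte[] cipher = Encrypt(aes, value, out byte[] iv);
            table.Add(new Row(iv, cipher, BlindIndex(indexKey, value)));
        }

        // Rows 0 and 2 hold the same plaintext, yet their ciphertexts differ,
        // so an equality match on the ciphertext column finds nothing useful.
        bool sameCipher = table[0].Cipher.SequenceEqual(table[2].Cipher);
        Console.WriteLine($"Equal plaintexts, equal ciphertexts? {sameCipher}");

        // What the post describes: fetch every row, decrypt, then filter.
        int scanHits = table.Count(r => Decrypt(aes, r) == "alice@example.com");
        Console.WriteLine($"Decrypt-everything scan hits: {scanHits}");

        // Exact-match alternative: compare against the stored HMAC column.
        byte[] probe = BlindIndex(indexKey, "alice@example.com");
        int indexHits = table.Count(r => CryptographicOperations.FixedTimeEquals(r.Index, probe));
        Console.WriteLine($"HMAC index hits: {indexHits}");
    }
}
```

The HMAC column reveals which rows share a value to anyone who can read the table, and it does nothing for substring or range searches, which still need the full decrypt-and-scan.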

How much protection is necessary?

The question of the ages.  Understanding the CISSP-ism of protection and risk management: the amount of protection spent on it should be equal to the amount of total loss of one breach by the inverse of the possibility of recurrence.  So say the data is worth 10 million dollars for ONE loss.  The probability of loss is once every 5 years.  10m/5y = 2 million a year should be spent to protect it.  No really.  Now, if there's no REAL value to the data, i.e., it's personal junk you keep at home for giggles, then whatever the server can handle works fine.  Otherwise, use reasonable + 1.

I'll stop there.  Other questions can range from "Who needs access to it?" to "Where will the server be physically housed" -- but that's somewhat outside of the scope of this post.  Not saying they're unimportant, just "too much" for this post.  I think my first task will be working on getting something simple to encrypt, like a file or a string and work up from there to see how much overhead this thing creates.


.Net | C# | Coding | Security | Architecture | Law

SiteFinity and Custom Modules - Final

by Jesse 15. May 2008 11:49

It works, I see data, it comes, it goes.  It all works.  This'll be my last posting about this for a while but ...Marathon post, GO!

From part 2 of the sitefinity adventure, we left off with controlpanel.cs, I'll continue from there.

webcontrols/admin/<controlName>Editor.cs - where you edit/change/modify your content for your control.  This is another complicated class on the surface yet very similar in operation to controlPanel.cs.  This also contains a Methods section with CreateChildControls which is important (don't forget to wire events in this method too).  Additionally, update/save/delete methods will be added in here as private methods.   Templates is also an important section yet again because you have to line up your event commands to match what your handler understands.

I<controlName>.cs I eliminated completely.  No need for it since subsonic handles the class generation.

<controlName>.cs I also eliminated -- again, subsonic handles this.

<controlName>Manager.cs - module name is defined in here, along with some other minor lightweight labeling.  I removed all get/update/delete/etc calls from here, subsonic's controller class handles this.

<controlName>Module.cs - similar to manager, lightweight and mostly a labeler.

<controlName>Provider.cs - this pulls the info you define in the web.config for your custom control.  Pay close attention to the names (string values) that grab this info, otherwise expect some nasty "I can't find this!" errors.

A quick recap on the classes.  Well, the important/involved ones.  Admin/<controlName>Editor.cs and Admin/ControlPanel.cs require a lot of focus.  The override method "CreateChildControls()" needs to have all things necessary for that on-the-fly usercontrol to operate including events for button clicks and the like.  The Template section defines what shows up where via the container region with what names of what controls when childControls does its magic.  The rest on a really high level view is labeling and correct text pointing to the new control.

So onto the fun stuff, how do you make subsonic work with sitefinity?  It's not nearly as hard as you'd think, thanks to the <Table>Controller.  This ties right up to an ObjectDataSource real easy like.  First you find your objectdatasource that looks something like this from the contacts example...

ObjectDataSource dataSource = new ObjectDataSource();
dataSource.ID = "ContactsDataSource";
dataSource.TypeName = "Sample.Contacts.ContactsManager";
dataSource.SelectMethod = "GetContacts";
dataSource.DeleteMethod = "DeleteContact";
dataSource.DeleteParameters.Add("id", Guid.Empty.ToString());
this.container.Controls.Add(dataSource);

and switch it out to something like this...

ObjectDataSource datasource = new ObjectDataSource();
datasource.ID = "SubsonicDataSource";
datasource.TypeName = "MyNamespace.Data.MyTableObjectController";
datasource.SelectMethod = "FetchAll";
datasource.DeleteMethod = "Delete";
datasource.DeleteParameters.Add("id", Guid.Empty.ToString());
this.Controls.Add(datasource);

And that's it, it's good to go.  You can find these methods within the controller object and if you've used subsonic at all, you know these already without looking.  From there, some wiring needs done for the save events and things of that nature...here's an update example pulled from the <controlName>Editor.cs, in this case, my example is a "SalesStat" ....

private void Button_Command(object sender, CommandEventArgs e)
{
    switch (e.CommandName)
    {
        case "Cancel":
            this.OnCanceled(EventArgs.Empty);
            // Force the child controls to be rebuilt on the next pass.
            base.ChildControlsCreated = false;
            break;

        case "Save":
            // An empty Guid means there is no existing record yet, so create one.
            if (this.salesStatId == Guid.Empty)
            {
                CreateNewSalesStat();
                this.OnSaved(EventArgs.Empty);
                base.ChildControlsCreated = false;
            }
            else
            {
                this.UpdateSalesStat();
                this.OnSaved(EventArgs.Empty);
                base.ChildControlsCreated = false;
            }
            break;
    }
}

private void CreateNewSalesStat()
{
    // QSalesStat is the subsonic-generated class for the table.
    salesStatData = new QSalesStat();
    salesStatData.SalesStat = this.container.SaleDollarAmount.Text;
    salesStatData.Save();
}

Very easy to do.  I'm becoming a huge fan of subsonic :-)


60 Second Science

by Jesse 14. May 2008 10:15

Ever since I got my zune, I've subscribed to all kinds of podcasts, one I particularly enjoy is the 60 second science from Scientific American.  It's good stuff and REALLY lasts 60 seconds (with intro and junk, 1:15).  One that really caught my attention was one regarding Training Scientists to Run for Office.  It's an awesome idea and here's the transcript...

[The following is an exact transcript of this podcast.]

Would America be a better place if more people with science training held elective office?  One organization that thinks so is Scientists and Engineers for America, or SEA.  On May 10th, they’re holding a daylong workshop in Washington, D.C., to teach researchers the nuts and bolts of running for office.  More than 70 attendees have signed up.
 
SEA points out that understanding a lot of today’s most pressing challenges requires a science background. Energy, health care, climate, even general competitiveness are all deeply connected to scientific research and progress.  Even more important may be the general intellectual approach that scientists could bring. The group’s director, Lesley Stone, says, “Scientists and engineers have an appreciation for the kind of evidence-based decision making necessary for tackling our nation’s most pressing problems.”
 
For more information, go to
www.Elections.SEforA.org.

--Steve Mirsky 


Government

Sitefinity and Custom Modules - Part 2.5

by Jesse 14. May 2008 09:44

In the past couple posts, I've been covering custom modules in sitefinity with subsonic.  This morning, I hit a snag and I'm not sure how I'm going to go about fixing it.  Immediately after one of the overloads, the SalesStatManager constructor is called where it gathers the provider info and promptly bombs out as such...

Configuration Error

Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.

Parser Error Message: Could not find a type for a name.  The type name was 'SalesStats.DefaultProvider'.

Source Error:
Line 215: <providers>
Line 216: <clear/>
Line 217: <add name="Sales" securityProviderName="" type="SalesStats.DefaultProvider" conectionStringName="DefaultConnection" visible="true"/>
Line 218: </providers>
Line 219:</salesStats>

I've submitted a question to one of their devs in hopes they can tell me it's something stupid (it has to be) and I can move forward with my uber cool research.  I love these projects.


.Net | Misc

Sitefinity and Custom Modules - Part 2

by Jesse 13. May 2008 22:56

After a solid day of working with my happy little module "SalesStats" I've come to some conclusions.

1. Subsonic CAN be used.

2. After the pain of the learning curve, sitefinity's setup ain't all bad!

3. I have yet to get my module working ...but I think I know why

First off, I had to figure out how to make subsonic work within an application and not a website.  No big deal, easy to do.  I had to do some quick research on how to generate ONE table out of the database (subsonic supports this!) and ok, great, I've got my data object, good, great, dandy -- for ref reasons, it looks something like this for your subsonic service...

<SubSonicService defaultProvider="MyProvider">
  <providers>
    <clear/>
    <add name="MyProvider" type="SubSonic.SqlDataProvider, SubSonic" connectionStringName="MyConnection"
         fixPluralClassNames="false" spClassName="sp" generatedNamespace="MyClass.Data" includeTableList="MyNewUsefulTable"/>
  </providers>
</SubSonicService>

"includeTableList" is a comma separated list, so pound out what you need there.  For sitefinity, all you need is two ID fields, a guid as "ID" and an application nvarchar(50), ok fine, got that added in, ran the subsonic generator, done and done.

For a custom module, I've noted a couple objects you need to be aware of (at least as I understand it)

Configuration/ConfigurationHelper.cs - just a helper class, pulls the config section out for your newly added control.  Pay attention to this for the "GetSection(<place>)" and make sure it matches up.

Configuration/SectionHandler.cs - this pulls in your roles/users and other providers (if they exist).

Resources/Messages.resx - for localization.

Also in the resources folder I put in my subsonic DAL folder.

WebControls/Admin/CommandPanel.cs - inherits "CompositeControl" and "IControlPanelCommand".  This class is rather lightweight, contains a panelId, a simple override for CreateChildControls (take note of this, it'll come back a BUNCH of times) and a private value of panelId.  Easy stuff.  This is for your :gasp!: command panel, it's the white er, gray space on the left in your admin module section.

WebControls/Admin/ControlPanel.cs - inherits "CompositeControl".  Very involved and there's a few noteworthy spots.  Enums -  Displaymode, 3 values, "new", "edit", "<object>List" or not new/edit.  Methods - override CreateChildControls(), probably the most important part in this control.  This is the controls you get on the screen.  That includes event handlers for buttons you add, don't forget those (you'll need 'em).  DefaultTemplate - InstantiateIn(Control container), main action happens here such as adding a datagrid, add/delete buttons, etc - you like this one.

In part 3 I'll finish this post with the rest of the explanation (as I understand it) of the rest of the classes.


Sitefinity and Custom Modules

by Jesse 12. May 2008 09:41

I don't know why but it seems the crazy complicated research projects get tossed at me - "Hey, figure out how ________ works".  Well today, it's Sitefinity and custom modules.  Consider this my notes as I work to make this stupid simple and easy.

Before I go down this path, I've collected a ton of links with various things on it that hopefully will make my life easier.  So far, not so much.  I've got a couple problems I'll have to overcome.

  • The ORM (I'm guessing) has generated classes -somehow- and I have no idea where to make those change/update/whatever.  In the sample project Sample.Contracts.Data there's a "Department.dbclass" -- how that is made I have no idea.  There's no app.config, nothing that might tell me how, but I'm guessing I'll have to look into "Nolics.Engine.v4.2" (A referenced class) to find out how it's generating this info.  Again, there's no explanation in the sample -- I expect a google search to fix this though.
     
  • The example's out of date (1 year old, May 2007).  Right when I loaded it up, one of the implementations is obsolete - "IControlPanelCommand" needs to be replaced with "CommandPanelBase".  Doesn't seem to be an issue (builds no problem), I'm just wondering what other goodies might be inside...

Good news is it builds right after you re-reference the dlls, no problems there.

*Update* 11:30am - ugh, found the ORM and it's freakin expensive, 950 euros.  I'd rather use subsonic but who knows what kinda problems that'll cause...I feel more research coming on.

*more Updates* 5pm - ok, subsonic is very doable, I might even have it all setup and ready.  I'm going to pound out a bit more code and I think its done.  We'll see.


.Net | Coding

Web services, big networks, policies and you

by Jesse 5. May 2008 22:56

Right now I'm working on deploying a project that I never would imagine would be this difficult.  The idea was to swoop in, drop the code, show off (ooooooo ahhhhhhhh) and done.  Does anything ever go according to plan?  Of course not.  Well, this one had a rude surprise waiting on us.

The client I speak of has a huge, global network.  Active directory (which is good!) and somewhere around 10+ forests and god knows how many domains.  It's massive, utterly massive.  I would GUESS they have at least 5000 users on this one domain and probably 50-100k user accounts globally, ignoring groups.  So why is this a problem? :Sarcastic laugh:  A couple few reasons.

  1. Not all (logical) networks are setup "best practice".  Best practice is a cookie cutter template, it doesn't always fit and should be used as a guide so immediately you cannot assume "all domains trust each other" or "all accounts have rights".  Transitive trusts, one way trusts, mutual trusts all mean very different things -- they could screw you in different ways too.
  2. Not all authentication can be trusted to work across domains.  This includes SQL accounts.
  3. Not all network devices allow traffic.  This means your www traffic, ftp, etc might not work across the world.  Chances are, http traffic is your best bet, but it's not a sure shot.
  4. Network policies (more specifically, group policy) can be your best friend and your worst enemy.  You may not know which nor have a straight answer.

 

So translate : it means your code's magic won't always work thanks to network conditions -- it also means it might work on one domain (ohio domain lets say), it might on one network (wired works whereas a wireless may not), or it might work across one domain and not another (ohio might work with texas, but not necessarily in reverse or from colorado to texas), it may not run at full speed (ohio's domain has flood control turned on).

This makes my head hurt.  I have to think of ALL the network stuff I haven't used in a while plus the admin stuff and toss some happy code to get a wonderful steaming pile of confusion and pain.  After thinking about this for a minute (ok, half hour) I've decided that after this, I'm going to insist web services, anonymously.  Now before you have me skinned alive, hear me out and here's my thinking behind it.

Anonymous webservices can still be secured and protected via https, certificates and credentials.  Sure, you can make a request without any network creds, but the service won't talk back because you don't meet the needs.  "But this'll increase the overhead on the server, it'll slow everything down!" and you would need to be fired -- speed should never trump a security decision.  "But what if an account isn't disabled and cleaned up?!" good point, not your problem, a well administered network will not have this concern.

Now that those problems are addressed, why anonymous?  More likely than not, a network, and I'm speaking of the whole network, will allow web traffic from point A to point X without too much drama.  Furthermore, once the request gets to that service, I'd bet money that server is sitting in a screened subnet/protected area (I've yet to see one NOT setup like this in a really long time) -- perfect place to make all your sql calls (via ipsec I'm sure).

Will this make code more complicated?  Yes.  Will it tax the server/client more?  No doubt.  Will it drive up costs?  Yes -- BUT, and that's a full, wholesome but, it's meant for enterprise, treat it as such and bring the big guns.


Coding | Design | Architecture


About the author

Like the description says, at my core, I'm a scientist and engineer.  I came from humble beginnings on a 486DX2 Packard Hell playing doom2 on IPX to in a small time retail shop and got into hardware (ISO layers FTW!) and it was all downhill from there.  I'm infinitely curious about almost everything and always wanting to know.

According to personality tests (real ones) I classify under "Rational" more specifically, a Fieldmarshal.  I think there's something to that.

Some of the stuff I'm currently into/researching...

Sitefinity

Ninject

Subsonic 

Currently working on ...
i did the hundred


and some extra stuff

Disclaimer

The opinions expressed herein are my own personal opinions and do not represent my employer's, their brother, their dog, cat, ferret nor gold fish's view in any way.  At all.  Ever.

© Copyright 2007-2009