In the first two parts of this covered the idea of security and physical security.  We now move into access security.  Access security is a highly religious topic, bent with emotions, misinformation, egos, principals and typically (worthless) corporate policy so prepare for battle on this one if you dare tackle it.  Let's dive right into this using our previous example of an office building and I'm looking for a port to plug into the network.  How long will that take?  Virtually no time, they're everywhere, which leads me to my first not-really bold statement of this post.

Network access cannot be controlled.  More...

In part 2 of X, I'm going to cover the aspects of physical security.  This doesn't seem like rocket science, but again, I'm surprised how the same breaches happen again and again so it's necessary to cover it.  Physical security is often overlooked.  If a bad guy has access to the server room, network gear, etc, he owns it, not you.  The biggest, baddest security is worthless if it's taken out by pulling a power cord -- game over and time to update the resume. More...

In this world we live in today, there are many issues that hit in the security realm but I'm astonished at how the same issues keep coming up so I feel it's necessary to go over them as best I can.  Some things may shock you, freak you out, piss you off and generally make you think I'm full of it. More...

From my previous posts, I talked about creating a custom module that complies into a dll.  I've discovered that is THE hardest way possible to create a custom control.  The experience was good, but not exactly fun.

Luck would have it, they have a much stupid simpler way.  It's not as shareable, you have to add the files to each and evey site instead of just changing up the web.config.  So what?  There's a download they provide in their documentation that's kind of burried, but no sweat, you can get it here.  It's a full project and it takes a minute to unzip.

Before we get started, let me explain what this custom module does and what we're going to do to it.  The JobsModule consists of 4 user controls, your tried and true ascx files, that do various things, a couple classes, nothing intimidating.  One neat thing they did in this example was use an interface, "IJobsControlPanel", (app_code/jobsmodule.cs:142) to switch between two modes, "Category" and "Type", but in my examples I removed this for simplicity and the real module I was creating does not call for it.  Other files you need to note are all within the /Jobs folder.  Control panel and Toolbox are for the admin side, where the "JobList" and "JobListSummary" are for the user side. 

If you haven't went though the pain and agony of unzipping that file, do so now and let's take a look at the "JobsModule.cs" under the app code directory.  Line 28 begins the Nolics database init which later on, we won't need, but note where it is.  Under the properties region, lies the name/title/descript that will show up on the admin side.  On line 93/94, these are the files that will show up for the user side which will get more into later, just note that is where they are.  Next, take a look at line 112 and 121 as these are you admin controls.  Very easy to do.  Finally, there's the enum and interface for the other items they use for this module.  This is 95% of what it takes to make a module.

For this example, I am going to completely ignore the code behind for the user controls on the public facing side as they are unimportant.  Why?  Because user controls are user controls are user controls.  Make one, make 'em all, which is a very good thing!  Now, let's make a custom module, shall we?  Let's say we have a customer that wants a very very basic control that displays how many orders recieved today with the option to look at yesterday.  Our database table will look something like this...

TableName : Orders
Id  uniqueidentifier, not null, primary key
OrderDate datetime, not null
Quantity int, not null
DollarAmount money, not null
ItemOrdered nvarchar(1000), not null

Very simple, nothing fancy.  For the next step, I went away from the example just a bit and created a "CustomModules" folder under the App_Code directory along with a "DAL" folder with two folders within named "Generated" and "Extended".  See the image below for a bit of clarity. Now move "JobsModule.cs" into the CustomModule folder. Create yourself a folder in the root named "CustomControls" and a folder within it called "Orders" -- this is where the user controls will live.

At this point, if you've never touched subsonic, I would highly suggest jumping over there to brain up on how it works as I will not be covering that aspect.  Also, if you are unfamiliar with subsonic generating only certain tables, add the tag includeTableList="Orders" to your subsonic service.  For reference, this is a comma seperated list and will restrict subsonic to generating only those tables defined there.  Very handy since sitefinity has around 100 tables out of the box.  Generate this table and dump the files into App_Code/DAL/Generated.

Next, make a new class in App_Code/CustomModules and name it "OrdersModule.cs".  On the class declaration, inherit the WebModule from the Telerik namespace, implement the abstract class and change out the constructor from public to static as seen below.

Hop over to the JobsModule and copy the Methods region (override CreateControlPanel and Override CreateToolBoxControls), paste those into your OrdersModule -- don't worry about the string values yet, we'll get to those.  Also copy over the get in JobsModule:83-99 and paste that into the "Controls" override.  Finally, create a private variable of IList<Telerik.Web.IToolboxItems> (look to JobsModule:40 for example).

Now that's prepped, hop over to the CustomControl folder and create 3 user controls - "ControlPanel.ascx", "ToolboxPanel.ascx" and "OrderList.ascx".

ControlPanel needs to inherit the Telerik.IControlPanel and go ahead and give some string values, similar to this...

In the ToolboxPanel, inherit the Telerik.IControlPanelCommand and give values where necessary (Title for one).

Finally, for OrderList, we don't have to do anything yet.  If you feel like it, drop some text on the page just for rendering reasons.  Guess what? Most of the "behind the scenes" work is already done.  No really!

At this point, it should build and give you a custom module within your sitefinify project.  For the next post, I'll talk about how to wire up the subsonic stuff and even get at some data within sitefinity!

Right now I'm working on deploying a project that I never would imagine would be this difficult.  The idea was to swoop in, drop the code, show off (ooooooo ahhhhhhhh) and done.  Does anything ever go according to plan?  Of course not.  Well, this one had a rude surprise waiting on us.

The client I speak of has a huge, global network.  Active directory (which is good!) and somewhere around 10+ forests and god knows how many domains.  It's massive, utterly massive.  I would GUESS they have at least 5000 users on this one domain and probably 50-100k user accounts globally, ignoring groups.  So why is this a problem? :Sarcastic laugh:  A couple few reasons.

1. Not all (logical) networks are setup "best practice".  Best practice is a cookie cutter template, it doesn't always fit and should be used as a guide so immediately you cannot assume "all domains trust each other" or "all accounts have rights".  Transitive trusts, one way trusts, mutual trusts all mean very different things -- they could screw you in different ways too.
2. Not all authentication can be trusted to work across domains.  This includes SQL accounts.
3. Not all network devices allow traffic.  This means your www traffic, ftp, etc might not work across the world.  Chances are, http traffic is your best bet, but its not a sure shot.
4. Network policies (more specifically, group policy) can be your best friend and your worst enemy.  You may not know which nor have a straight answer.

So translate : it means your codes magic won't always work thanks to network conditions -- it also means it might work on one domain (ohio domain lets say), it might on one network (wired works whereas a wireless may not), or it might work across one domain and not another (ohio might work with texas, but not necessarily in reverse or from colorado to texas), it may not run at full speed (ohio's domain has flood control turned on).

This makes my head hurt.  I have to think of ALL the network stuff I haven't used in a while plus the admin stuff and toss some happy code to get a wonderful steaming pile of confusion and pain.  After thinking about this for a minute (ok, half hour) I've decided that after this, I'm going to insist web services, anonymously.  Now before you have me skinned alive, hear me out and here's my thinking behind it.

Anonymous webservices can still be secured protected via https, certificates and credentials.  Sure, you can make a request without any network creds, but the service won't talk back because you don't meet the needs.  "But this'll increase the overhead on the server, it'll slow everything down!" and you would need to be fired -- speed should never trump a security decision.  "But what if an account isn't disabled and cleaned up?!" good point, not your problem, a well administered network will not have this concern. 

Now that those problems are addressed, why anonymous?  More likely than not, a network, and I'm speaking of the whole network, will allow web traffic from point A to point X without too much drama.  Furthermore, once the request gets to that service, I'd bet money that server is sitting in a screened subnet/protected area (I've yet to see one NOT setup like this in a really long time) -- perfect place to make all your sql calls (via ipsec I'm sure).

Will this make code more complicated?  Yes.  Will it tax the server/client more?  No doubt.  Will it drive up costs?  Yes -- BUT, and thats a full, wholesome but, it's meant for enterprise, treat it as such and bring the big guns.

Ok, I've got my source code ready and hopefully the sql script will work (much easier/smaller than posting up a bak or mdf).  Download it, take a look, make fun of me on twitter.  Honestly, this was/is going to be used at some point for something real (survey engine) other than a research-ish project.  Anyway, enjoy!

SilverEngine.zip (750.98 kb)

I was recently involved in a rear-end accident (I was hit ), much to my annoyance.  My newer car, which is a 13 year old, 2 ton _car_, not these roller skates you people call "economy cars" is part of the family.  I treat my car like a child, its my baby, so having a very large, glaring imperfection such has 2-3 feet of bumper scuff on my car was unacceptable -- consider it like your child bringing home a D and 2 Fs, same feeling.

I'm not saying the car is perfect, not in the least bit (the interior however, we can argue that) -- I had been nudged a few times here and there, someone tried to steal it once, but nothing major (these things disappear at 10 feet) ...except my hood.  I had a "bald spot" on the hood pretty much since I got it and it, like a bald spot, grew as the years went on.  It was that one thing that everyone would say "hey nice ca ...ooo, whats this?"  Well, I went and got the estimate for the rear bumper, passed it on to the insurance company, got the OK for it and when I took it back, asked how much for the hood to get painted to.  Hoods are easy -- easy to take off, hang, paint, bake, put back on so it wasn't a whole lot and we agreed on a fair price and I got my car back last night.  Before we more forward, let's talk about the rental...

For a rental car, they first offered me a Sentra.  Uh, no, for those of you in the wild, I'm 6'8, that will not work.  The biggest thing they had was an Ultima - a 2008.  Ok, fine.  The guy brings it around.  The car doesn't have keys, at all (ok, there's one hidden), its all operated by this key fob, which is cool, I'm kinda geeked about that.  You walk up to the door, push a button and "beep" it lets you in, sit down and press the break, push a button, the car starts and your on your way. The guy tells me "you can just leave the fob inside the car" to which I replied "You have no idea where I live do you?" -- not leaving the fob in the car.  I drive this thing and it ain't all bad - overall I liked it (but would never buy one).  But I digress, I need to go right into the complaint deparment because there's a couple things that drove me insane about this car.

1. CVT transmission.  Glad I expereienced it in a "I didn't buy this" way because I HATED it with a passion.  Yes, when you accelerate, you always are at this magical 3200rpm range and continue to accelerate, that's great fine and dandy _BUT_ ...and thats a full, wholesome but... I want to know that the car is IN GEAR when I hit the gas.  I want to feel a slight step, a kick.  Let's be honest, it IS an Ultima and doesn't have the same engine mine has but good god, make me feel like it's trying when I want to get on the highway or pass someone.  One thing they DO have was a mpg gauge (nothing new, my 96 has one - and I think mine's cooler and yes I'm biased) and you'd notice if you were to accelerate with traffic, 5mph over 15-20 seconds, you'd see the mpg thing go ALL OVER the freakin place.  It gave me the feeling of a failing transmission that's hunting for a gear or a bad position senor that didn't have a clue where it was.  Yes, the transmisson was suffering from dementia.

2. Power steering.  I understand this is a mainstream car, but I expect the wheel to be able to hold the weight of my thumb.  The thing was psycho sensitive leading me to believe it does NOT have speed sensitive steering.  If you ever drove an older truck at highway speeds, it feels EXACTLY like that at ALL speeds.  I can't blame that on break-in or "new car" because yes, the brakes were touchy too but I expect that, but not this overly sensitive, soupy feel of the steering wheel.  I want the damn thing to be SURE I'm moving it and not a fly fart.  I'm sure there was quite a few people that were saw me "jerk" the wheel and thought a mental patient was behind the wheel ...well maybe there was but regardless, its way too disconnected-feeling.  Gave me 0 confidence in the car.

In all fairness, I'm super critical of cars.  Most people won't even notice that kinda stuff, but I do, I'm old school in how a car should be (v6 or bigger, rear/all wheel drive).  So back to my car.  I go and turn in the rental, hit the service counter and talk to the nice lady to get my car back, pay the big chunk of cash and she says they can pull the car around -- Nope, I'd rather go find her.  So off I go and my car's sitting out at the end of row 7 (theres 8-9) and I can see it from the other side of the lot.  Like a kid at christmas.

The blad spot is GONE, the bumper is imperfection-free and ah is it nice.  I noticed immediately my rims are bright and bling-blingy -- they detailed the bejesus out of it, inside and out.  The scuffs around the car are GONE (buffed out, dude's got skillz) and I was reminded why I love this car ...that and its paid off!

If you need some body work done, I would recommend Tom Hicks over at Graham Ford.

I've had the pain joy opportunity to work with Subsonic, Linq, NHibernate and good ole ADO.  The only one I haven't got to mess with yet is that new MVC thing.  My girlfriend, god love her, asked an amazing question - "What's the difference?  Don't they do the same thing?" Er ...yea I guess they do.  They all write to a database of some kind, somewhere.  So what is the difference?  Well, based on my humble experience, this is my thoughts on each.  Sadly, I don't think there's a clear, big time winner, but there are some that are somewhat better than others.  This'll be a general overview with not a ton of tech detail.

Subsonic is the latest thing I've had to use.  It's very Linq-ish, but not exactly.  Subsonic generates classes for you based on a command line executable and from there, you get your basic goodies, update, save, delete, -destory- and other things.

A nice touch to this is three things, 1, all classes generated are partial classes so extending them is uber easy.  Just keep your namespace the same and you'll have NO problems expanding the class to do other things.  2, overloads of some items, such as "Validate", which by default confines to the table/column definition like "must be varchar, cannot be null". 3, if you have a "IsDeleted" column in your database, or "LastModified" ...when you call <entity>.delete(), IsDeleted goes to true and LastModified gets updated too.  4, the "Query" object is cool, I like it, you write various statements that append to your query for different situations (say, if you get an ID back that's greater than 0, that means you should go try to find it) and just do query.AndWhere("

and this magically paging feature.  My page index is 3 (I'm on page 3) and my page size is 20.  Done and done, no drama (makes repeaters easy to work with in that regard)

Of course, there's a few catches.  Joins are ...a royal pain -- creating views seems to be the best work-around (which are picked up by the code generation) and -any- change to the database -requires- a regeneration of the classes.  So if someone changes a column to a bit field, annddd you run your code without the new bits, kaboom.

Loading data is very easy, <Entity> entity = new <Entity>(Id) along with collections, for example <EntityCollection> collection = new <EntityCollection>.FetchAll() and it does bring back related data (database relationships).  Overall I like it, the learning curve is short and does its job with very few surprises.

Linq I've been using in my chapters in tandom and writing up my own little app using Linq.  Linq is part of the .Net 3 framework meaning "its built in!", no extra downloads but you do have to download the extension for VS2005.  Within Vstudio, "Linq to Sql" and you're well on your way.  Drag/drop the tables you want, save it, you've got your entites.  These are also partial classes, so extending them is easy.

Linq also introduces a new ...thing called "var".  Consider var your container for ANYTHING you'd want from your database.  Syntax goes something ...like this.

Product now becomes like an instant database collection with a bunch of really slick stuff on-tap as shown below

One of the advantages with Linq is its built into .net 3 so additional references are not needed, everything's in the GAC.  Second is that anything returned can be used like a database on tap -- don't like your results?  Need them filtered?  Do it right there on the spot if you want.  I think that's huge and uber flexible.  Another thing is more or less SQL like queries are used to get your data so the structure is familiar (just slightly out of order).  And Jon's a big fan -- that counts for something right?

Disadvantage, like SubSonic, every time you change the database, its time to go regenerate the classes (only this time you get to use a GUI!).  Also misuse of var could get nasty.  I've read a few warnings on this, but we're all smart devs, we'd NEVER do that ...right?  I tried to find the post I was thinking of ...can't find it.  Oh well. 

Part two I'll cover NHibernate and ADO because this got a lot longer than I suspected (2-3 days on and off)

A draft of html 5 has been posted up on w3.  Might want to take a look, namely the new elements and attributes.

I've been tasked with enabling Windows Authen to the current project I'm working on which "back in the old days" of IIS6 was uber easy -- tell it to use windows for the authentication, set your allow/deny groups, done, move along.  With IIS7 you get this really nasty rude surprise...

Woah, ok, fine cousin Vinnie I'll just ...um, go over here for a while.  Jesh.

So I go bouncing around the net and I keep seeing posts about going into vista and enabling various stuff for IIS ...I go take a look and well well well, what do we have here?  Windows Authen, thank you very much ...along with all the other useful stuff.

Ooook, now let me guess, you have to go turn it on (yep!) so into the Inetmgr.msc, click on authentication, and no surprise...

Right click, enable, annnnddd back to the page.  But how do you know its working?  Here's a test I came up with on the fly to verify the stuff is doing its thing.  Just as a note, you have windows authen enabled and anonymous enabled for the following tests.

Go into your root page, whatever that may be (default.aspx?) and drop in a LoginName control onto the page (look under Login in your toolbox), drop it on the page somewhere obvious, the top works great.  Dump this into your web.config somewhere under <system.web>, you've probably seen this before...

<authentication mode="Windows"/>
<authorization>
     <deny users="?"/>
</authorization>

so you've seen this, the ? disables all anonymous users.  Load your page up and you'll see <domainName>\<userName> on the screen (assuming you are on a domain).  Great, it works, now change <deny users="?"/>  to <deny users="*"/> (This'll disable ALL users) -- You'll get a prompt (!) and a nasty 401.2 error when you click cancel.  Switch back to the ? and go back into inetmgr and disable windows authen.  Refresh the page and you'll get the same 401.2 error.

I almost forgot, if you take away the <deny users="?"/> you'll see NO username at the top (its anonymous after all!)