MVC3 Released

Today Microsoft announced the (actual, final, honest) releases of:

  • ASP.NET MVC3 with Razor
    • Lots of new features, the new Razor syntax, more extensibility hooks, new JavaScript features, better validation, easier caching, better dynamic support, and lots more, check it out Hot smile

Open Redirection Attack prevention

If you've had a look at the MVC3 preview generated code you will notice the  Url.IsLocalUrl method getting called from the LogOn action.

[code:c#]

[HttpPost]
public ActionResult LogOn(LogOnModel model, string returnUrl)
{
    if (ModelState.IsValid)
    {
        if (MembershipService.ValidateUser(model.UserName, model.Password))
        {
            FormsService.SignIn(model.UserName, model.RememberMe);
            if (Url.IsLocalUrl(returnUrl))
            {
                return Redirect(returnUrl);
            }
            else
            {
                return RedirectToAction("Index", "Home");
            }
        }
        else
        {
            ModelState.AddModelError("",
            "The user name or password provided is incorrect.");
        }
    }
 
    // If we got this far, something failed, redisplay form
    return View(model);
}

[/code]

This prevents philishing attacks by ensuring that after a successful log on the user only gets directed to the local site and not another site.

Take for example I send you a email with a link to /Account/LogOn?returnUrl=http://brainkeating.net/Account/LogOn
After you successfully enter your log on detail @ briankeating.net you would get redirected to www.brAInkeating.net if you are not quick enough to notice you could now be presented with an identical logon page at this different url, oh darn i typed my password wrong...., BrAIn Keating is a nasty piece of work, he will log your login details to his database and then use it to access briankeating.net with our credentials, not after you login @ brAInkeating.net you will get redirected back here to briankeating.net (where you've already authenticated and be none the wiser).

So what if you are still on MVC2 (most of my web apps these days are...) what can you do to avoid this attack...

That;s an easy one to answer, I've been a lazy bugger and lifted this code from www.asp.net

[code:c#]

public bool IsLocalUrl(string url) {
    return System.Web.WebPages.RequestExtensions.IsUrlLocalToHost(
        RequestContext.HttpContext.Request, url);
}

[/code]

The IsUrlLocalToHost method contains the actual validation logic below

[code:c#]

public static bool IsUrlLocalToHost(this HttpRequestBase request, string url) {
    if (url.IsEmpty()) {
        return false;
    }
 
    Uri absoluteUri;
    if (Uri.TryCreate(url, UriKind.Absolute, out absoluteUri)) {
        return String.Equals(request.Url.Host, absoluteUri.Host,
            StringComparison.OrdinalIgnoreCase);
    }
    else {
        bool isLocal = !url.StartsWith("http:", StringComparison.OrdinalIgnoreCase)
            && !url.StartsWith("https:", StringComparison.OrdinalIgnoreCase)
            && Uri.IsWellFormedUriString(url, UriKind.Relative);
        return isLocal;
    }
}

[/code]

 

Oracle Database Restore

How to create an oracle user/schema and resore an existing database to this new schema.

 

drop tablespace xxx_demo_data including contents and datafiles;


CREATE TABLESPACE xxx_demo_data
       DATAFILE 'd:\oradata\abci\xxx_demo.DBF '
       SIZE 10M
       AUTOEXTEND ON NEXT 10M
       MAXSIZE UNLIMITED;

drop user xxx_demo cascade;
 
   CREATE USER xxx_demo
       IDENTIFIED BY xxx_demo
       DEFAULT TABLESPACE xxx_demo_data
       TEMPORARY TABLESPACE temp;


GRANT CREATE SESSION TO xxx_demo;  

GRANT CREATE TABLE TO xxx_demo;
GRANT CREATE VIEW TO xxx_demo;
GRANT CREATE SEQUENCE TO xxx_demo;
GRANT CREATE TRIGGER TO xxx_demo;
GRANT RESOURCE TO xxx_demo;

ALTER USER xxx_demo QUOTA unlimited ON xxx_demo_data;

// change the passworkd.
//drop to command line

impdp xxx_demo/{passwd} DIRECTORY=expdp_dir DUMPFILE=20101220-DEMO.DMP REMAP_SCHEMA=xxx:xxx_demo  REMAP_tablespace=xxx:xxx_demo

Asyncronous WF4 activities

Anyone that's ever written UX/GUI code will know that while it once was acceptable (unavoidable) to block the UX thread with long running operations, it's now almost always done in a background thread/task etc.

Well with WF4 it's pretty much the same story, it's not the best idea to block the workflow thread while preforming longing running operations.

Take the following example, where I make a webservice call to a server for some information, webservices can take quite some time depending on network load latency etc.

public sealed class GetCurveTenor : AsyncCodeActivity

    {

        public InArgument<string> CurveUri { get; set; }

        public OutArgument<Dictionary<DateTime, double>> CurveDetail { get; set; }

 

        protected override IAsyncResult BeginExecute(

            AsyncCodeActivityContext context, AsyncCallback callback,

            object state)

        {

            Func<string, Dictionary<DateTime, double>> asyncWork =

                curveUri => RetrieveCurveDetail(curveUri);

            context.UserState = asyncWork;

            return asyncWork.BeginInvoke(

                CurveUri.Get(context), callback, state);

        }

        protected override void EndExecute(

            AsyncCodeActivityContext context, IAsyncResult result)

        {

            Dictionary<DateTime, double> curveDetail =

                ((Func<Int32, Dictionary<DateTime, double>>)

                    context.UserState).EndInvoke(result);

            if (curveDetail != null)

            {

                CurveDetail.Set(context, curveDetail);

            }

        }

 

        private Dictionary<DateTime, double> RetrieveCurveDetail(string curveUri)

        {

            Dictionary<DateTime, double> result = new Dictionary<DateTime, double>();

            // Do server stuff ...

            return result;

        }

    }

Most of the code above should be self explanatory.
If you've not seen the "Func" syntax before it's basically just a delegate defined like this (in .NET 4)

public delegate TResult Func<in T, out TResult>(T arg);  (Note the .NET 4 in modifier to indicate contravariance)

I've used lambdas to point to delegate towards the RetrieveCurveDetails function, it's this function that gets executed on the background thread.

Hope this has been of some assistance.

 

 

 

ReHosting the workflow designer

If you've attempted to host the workflow designer in .net <= 3.5 you'll remember it's not such an easy achievement.

However doing so in wpf .net 4.0 is quite trivial.

Have a look at the Visual Studio 2010 .NET 4 training kit and you'll see for your self.

Here's my first appempt this evening that took all of 10 minutes.

 Make sure to download the training kit even if you are an experienced developer, it's got some gems in it.

SQL Server Check Constraints

Here's an easy one to get caught out on.

Say you remove a constraint on a table to do some maintainance ect.

e.g.

ALTER TABLE BANDWIDTH NOCHECK CONSTRAINT FKUserLimits;

When you wish to bring the constraint back on stream you may be surprised to find the following does not quite work...

 

ALTER TABLE BANDWIDTH CHECK CONSTRAINT FKUserLimits;

You may be be able to see this in the execution plan on SSMS if the constraint was used in query optimization.

but you can check for sure by executing the following

select name, is_not_trusted FROM sys.foreign_keys where name = 'FKUserLimits';

you'll find that is_not_trusted is 1, indicating that the constraint is not trusted, this is because someone could have modified the table while the constaint was turned off, the sql to reenable the constraint needs to be told to check it while doing so..

here's how

 

ALTER TABLE BANDWIDTH
WITH CHECK
CHECK CONSTRAINT FKUserLimits;

This option tells SQL server to verify that all rows in the table comply with the constraint prior to turning it back on. If any rows do not comply with the constraint, an error message is returned and the alter table statement is rolled back.

 

WF4 WriteLine testing using extensions

If you wish to test specific writelines on a console application: you can do so by adding a StringWriter object to the workflow extensions.
The writeline activity will use the textwriter if it exists as opposed to the console.

[TestMethod]
public void CheckWorkflowWriteLine()
{   
 var wi = new WorkflowInvoker(new HelloWorld());

        //Add string writer to extensions  
 var writer = new StringWriter();    
 wi.Extensions.Add(writer);    
 wi.Invoke();    
 Assert.AreEqual("Hello Workflow", writer.ToString());
}

HowTo: Consume WCF From WF4

Hi all.

I've discovered this is not as simple as it would appear to be.
Infact it's worse; in "order" to do this you will need to jump through a few hoops...; in a particular order!

 

1. Add an activity library project
2. Add a reference to this new project from your WF4 app (any app with workflows.. silverlight/mvc etc)
    ENSURE: this is done before step 3 or visual studio 2010 will give you a circular reference error!
3. In the activity library add the service reference to your webservice
4. Modify your webconfig file to contain the abc information for the connection (servicemodel stuff)
5. Now use the activities (from the toolbox)

I gather from crawling through google that the above sequence is already well defined as a workaround for the vs2010 bug.

 

 

It's my football and I'm going home

We've all created API libraries, and libraries by their nature encourage resuse.
However what happens if you want to be selective in who else uses your assembly?
One simplistic approach would be to ensure that the calling assembly has the same public key


private void CheckCallerAllowed()
{
var myPubKeyToken = Assembly.GetExecutingAssembly().GetName().GetPublicKeyToken();
var entryPubKeyToken = Assembly.GetEntryAssembly().GetName().GetPublicKeyToken();

if (myPubKeyToken.Length != entryPubKeyToken.Length)
    throw new ApplicationException("Assembly not licensed");

for (int idx = 0; idx < myPubKeyToken.Count(); ++idx)
   
if (myPubKeyToken[idx] != entryPubKeyToken[idx])
       
throw new ApplicationException("Assembly not licensed");
}

 

Place a call to the function above in your public interface.