This post is again motivated by last week's Community Bootcamp on ASP.NET 2.0, the CBC05. I presented "Under the Covers - Exploring Internals, Page Lifecycle and the Compilation Mode" from TechEd, using the samples that Simon Calvert provided me with (special thanks fly out to Simon, Ben Miller and Rich Ersek @MS for providing us with material - I know I can be a royal pain in the posterior... sometimes at least).

The talk included a demo of a database-backed virtual path provider (files don't come from the file system but a database, dynamically). Somehow we started talking about how cool it would be if you could test your Web sites without checking them out from source control in the first place - by simply writing a virtual path provider that goes to the repository on demand. I wrote that idea down.

Actually, I didn't think I'd get around to doing that. But yesterday I decided to pester one of my devs on the #develop project, namely Daniel Grunwald. He has implemented the Subversion addin for our 2.0 version, so he had experience with NSvn, the managed API for talking to Subversion. I sent a stripped down version of the vpath provider to him, and asked him to replace database code with NSvn code where appropriate.

It didn't take long, and I had a command-line verified version back, and all I had to do was make sure that it works with ASP.NET 2.0. There were a few problems I ran into (like Subversion is case-sensitive and I didn't want that for the Web scenario). Some of the issues arose simply because client and Web developers have different backgrounds. Talk about path separators. Or directories where you have to drop assemblies.

Now, let's stop talking, let's take a look at the provider in action:

SvnVPathProvider.wmv (3.76 MB)

Want to get your hands on that DemoSiteSvn directory with the current rendition of the SubversionVirtualPathProvider? No problem, just a couple of notes up front on what you should be aware of:

• Only file names are currently treated specially for casing. Ie directories still do react in a case sensitive way.
• The file name cracking code needs to be reviewed. Currently, this is a quick hack.
• appSettings need to be placed in a separate .config file. Reason is that web.config cannot be obtained via a VirtualPathProvider, and thus this file has to be checked out separately. And I don't want to get in the way of automating this by requiring entries in web.config.
• Package it as an assembly, so only the \bin folder needs to be copied to get up and running.
• The VirtualPathProvider requires (at the very least) anonymous access to the repository. Passing security tokens is not implemented.

With those notes out of the way, thanks fly out to the ASP.NET team for providing me with the sample of their virtual path provider in the first place. It has been a tremendous help to get this thing off the ground. And maybe in turn this sample will help others to get started:

SvnVppDemo.zip (972.37 KB)

Installation note: the two DLLs in the system32 folder need to be dropped in the respective folder of your system. Do not place them into \bin. Unless you want to get into trouble, that is.

What is left to say? Oh, the source code, of course! I thought you might be interested in reading it online instead of having to download an almost 1MB-size file first. Here it is (App_Code\SubversionVirtualPathProvider.cs):

using System;
using System.IO;
using System.Collections;
using System.Globalization;
using System.Configuration;
using System.Text;
using System.Web;
using System.Web.Util;
using System.Web.Hosting;
using System.Web.Caching;
using NSvn.Core;
using NSvn.Common;

namespace ICSharpCode.Web.Providers
{
public class SubversionVirtualPathProvider : VirtualPathProvider
{
#region class HashCodeCombiner
internal sealed class HashCodeCombiner
        {
            // Start with a seed
            private long _combinedHash = 5381;
            
            internal void AddLong(long l)
            {
                _combinedHash = ((_combinedHash << 5) + _combinedHash) ^ l;
            }
            
            internal string CombinedHashString
            {
                get
                {
                    return _combinedHash.ToString("x", CultureInfo.InvariantCulture);
                }
            }
}
#endregion

#region class SubversionVirtualFile
internal class SubversionVirtualFile : VirtualFile
    {
        string fullPath;
        DirectoryEntry entry;
            
        public SubversionVirtualFile(string virtualPath, string fullPath, DirectoryEntry entry)
                : base(virtualPath)
        {
            this.fullPath = fullPath;
            this.entry = entry;
        }
            
        public override bool IsDirectory {
            get {
                return entry.NodeKind == NodeKind.Directory;
            }
        }
            
        public override Stream concat()
        {
            Client client = new Client();
            MemoryStream ms = new MemoryStream();
            client.Cat(ms, fullPath, Revision.Head);

            // .Cat closes the stream, so we have to copy it
            MemoryStream ms2 = new MemoryStream(ms.GetBuffer());
            ms2.Position = 0;
            return ms2;
        }
}
#endregion

public static void AppInitialize()
    {
        SubversionVirtualPathProvider provider = new SubversionVirtualPathProvider();
        HostingEnvironment.RegisterVirtualPathProvider(provider);
    }
        
    string GetSvnFullpath(string virtualPath)
    {
        if (bool.Parse(ConfigurationManager.AppSettings["svnvppStripVdir"]))
        {
            // this will break root Webs, StripVdir should be the default however
            int pos = virtualPath.IndexOf('/', 1);
            virtualPath = virtualPath.Substring(pos, virtualPath.Length - pos);
        }

        return ConfigurationManager.AppSettings["svnvppRepositoryUrl"]
            + virtualPath;
        }

    string GetSvnFullpath(string virtualPath, string fileName)
    {
        return FixupSvnFullpath(GetSvnFullpath(virtualPath), fileName);
    }

    // Subversion is case sensitive, this we switch the filename here
    string FixupSvnFullpath(string svnPath, string fileName)
    {
        int pos = svnPath.LastIndexOf('/');
        string parentDirectory = svnPath.Substring(0, pos + 1);
        return parentDirectory + fileName;
    }
        
    DirectoryEntry GetEntry(string virtualPath)
    {
        Client svnClient = new Client();
        string fullPath = GetSvnFullpath(virtualPath);
        int pos = fullPath.LastIndexOf('/');
        string parentDirectory = fullPath.Substring(0, pos);
        string entryName = fullPath.Substring(pos + 1);

        try
        {
            DirectoryEntry[] entries = svnClient.List(parentDirectory, Revision.Head, false);
            foreach (DirectoryEntry entry in entries) 
            {   
                if (0 == String.Compare(entry.Path, entryName, true))
                        return entry;
            }

            return null;
        }
        catch (SvnClientException ex)
        {
            if (ex.ErrorCode == 160013) // parent directory not found
                return null;

            throw;
        }
    }
        
        public override bool FileExists(string virtualPath)
        {
            DirectoryEntry e = GetEntry(virtualPath);
            if (e != null)
                return e.NodeKind == NodeKind.File;

            return Previous.FileExists(virtualPath);
        }
        
        public override bool DirectoryExists(string virtualDir)
        {
            DirectoryEntry e = GetEntry(virtualDir);
            if (e != null)
                return e.NodeKind == NodeKind.Directory;
            return Previous.FileExists(virtualDir);
        }
        
        // Obtain the file. This will only be called if the hash that we return is
        // different than that the runtime holds on to as a cached indicator.
        public override VirtualFile GetFile(string virtualPath)
        {
            DirectoryEntry e = GetEntry(virtualPath);
            if (e != null)
                return new SubversionVirtualFile(virtualPath, GetSvnFullpath(virtualPath, e.Path), e);
            // Default to the previous implementation
            return Previous.GetFile(virtualPath);
        }
        
        /// ///////////////////////////////////////////////////////////////
        /// Return a hash value indicating a key to test this file and dependencies have not been
        /// modified
        public override string GetFileHash(string virtualPath, IEnumerable virtualPathDependencies)
        {
            HashCodeCombiner hashCodeCombiner = new HashCodeCombiner();
            
            ArrayList unrecognizedDependencies = new ArrayList();
            
            foreach (string virtualDependency in virtualPathDependencies)
            {
                DirectoryEntry e = GetEntry(virtualDependency);
                if (e != null) {
                    hashCodeCombiner.AddLong(e.Size);
                    hashCodeCombiner.AddLong(e.CreatedRevision);
                } else {
                    unrecognizedDependencies.Add(unrecognizedDependencies);
                }
            }
            
            string result = hashCodeCombiner.CombinedHashString;
            
            if (unrecognizedDependencies.Count > 0)
            {
                result += Previous.GetFileHash(virtualPath, unrecognizedDependencies);
            }
            
            return result;
        }
        
        /// ///////////////////////////////////////////////////////////////
        /// The cache dependency is a specialized object that means that the runtime
        /// can perform file monitoring and change notifications directly
        public override CacheDependency GetCacheDependency(string virtualPath, IEnumerable virtualPathDependencies, DateTime utcStart)
        {
            // This VPP does not create CacheDependencies
            DirectoryEntry e = GetEntry(virtualPath);
            if (e != null)
                return null;
            
            return Previous.GetCacheDependency(virtualPath, virtualPathDependencies, utcStart);
        }
    }
}

 

The registration for this year's .NET Community Conference in Austria went live today (register here, it's free). The thread of this years rendition is security: threat modeling, .NET 2.0 security features, SQL Server 2005 security and more. Definitely worth your time, if you have time to spare, join us on 12th of August in Vienna!

Script Callbacks were also part of my "Advanced ASP.NET 2.0" day at the Community Bootcamp 2005 in Bad Ischl. Aside from showing the usual callback sample, I decided that something more useful was in order. That is why I went a tad further by showing off the controls introduced in the RefreshPanel GotDotNet workspace. I came across those a while back when reading articles on Bertrand Le Roy's blog:

• Fun with callbacks Part 1: What's in the ASP.NET box?
• Fun with callbacks, Part 2: The RefreshPanel
• Fun with callbacks Part 3: Strongly-typed callbacks
• Fun with callbacks Part 4: What about postback events?

Of course we did labs on CallbackProxy and RefreshPanel, the latter one is described in this blog entry (again, a streamlined version of the lab done by Alexander Schoeppl).

Let's start with the result we wanted to achieve:

The render date only acts as a "proof" that no Postback happened, the dropdown control lists all customers in Northwind and is also populated up front. The GridView control, however, is filled using out of band calls. Instead of hacking your own ugly JavaScript, we did that using the RefreshPanel control.

Step 1: Copy RefreshPanel.dll

First, copy RefreshPanel.dll to the \bin directory of your site. You can get it here.

Step 2: Set up a connection string in web.config

We will use that later both in markup and code beside file:

<connectionStrings>
 <add name="NorthwindConnectionString" 
   connectionString="Data Source=cbc05vpc\cbc05;Initial Catalog=Northwind;User=sa;Password=P@ssw0rd"/>
</connectionStrings>

Step 3: ShowCustomerOrders.aspx

Basically, "organized" in three sections (separated by a blank line):

<%@ Page Language="C#" AutoEventWireup="true" 
    CodeFile="ShowCustomerOrders.aspx.cs" Inherits="Show_Customer_Orders" 
    Title="Callback Demo" %>
<%@ Register TagPrefix="rp" Namespace="MyControls.RefreshPanel" 
    Assembly="RefreshPanel" %>

<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
    <title>Untitled Page</title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        Render Date: <asp:Literal ID="Literal1" runat="server"></asp:Literal>
        <br />
        
        <asp:DropDownList ID="DropDownList1" runat="server" 
             DataSourceID="SqlDataSource1" DataTextField="CustomerID" 
             DataValueField="CustomerID">
        </asp:DropDownList>
        <asp:SqlDataSource ID="SqlDataSource1" runat="server" 
            ConnectionString="<%$ ConnectionStrings:NorthwindConnectionString %>"
            SelectCommand="SELECT [CustomerID] FROM [Customers]">
        </asp:SqlDataSource>
        <rp:RefreshButton ID="MyButton" RefreshPanelID="RFPanel1" 
            runat="server" 
            ClientRefreshArgument="this.form.DropDownList1.options[this.form.DropDownList1.selectedIndex].value" 
            Text="Show Orders"/>
        <br />
        
        <rp:RefreshPanel runat="server" ID="RFPanel1" OnRefreshing="FillData">
            <asp:GridView ID="GridView1" runat="server">
            </asp:GridView>
        </rp:RefreshPanel>
    </div>
    </form>
</body>
</html>

Register imports the RefreshPanel control suite for us, the Label and DropDown are also very straightforward. The RefreshPanel control itself contains a single GridView control, and it is linked to the server-side method FillData which we will examine in the next step. The RefreshButton is responsible for activating the out of band call back to the server - that's also where we get the value from the dropdown control, and pass it as an event argument to FillData.

Note that the control names are hardcoded, in the real world we'd build that string dynamically, because otherwise we'd get into trouble, eg with master pages.

Step 4: ShowCustomerOrders.aspx.cs

Page_Load is trivial, we are only interested in FillData:

public void FillData(object sender, RefreshingEventArgs e)
{
string connectionString = ConfigurationManager.ConnectionStrings["NorthwindConnectionString"].ToString();

string sqlCmd = "Select * from Orders where customerID = @CustomerID";

SqlConnection conn = new SqlConnection(connectionString);

SqlCommand cmd = new SqlCommand(sqlCmd, conn);
cmd.Parameters.AddWithValue("@CustomerID", (string)e.EventArgument);

conn.Open();
SqlDataReader reader = cmd.ExecuteReader();

GridView1.DataSource = reader;
GridView1.DataBind();
reader.Close();
conn.Close();
}

No magic in our code, but: RefreshPanel takes care of giving us a GridView control to work with, and shipping the resulting HTML to the client - and inserting it into the page. Very, very neat indeed.

CallbackDemo.zip (43.51 KB)

Via Virtual PC Guy's WebLog: New WinImage Beta with support for editing VHD's. Now that is not only way cool but actually extremely useful if you need that one important file from a virtual machine - now, and not wanting to wait for the vm to start up and then do the copy operation.

On Friday, it was my turn as speaker at the Community Bootcamp 2005 aka CBC05. One of the topics at hand was "The Provider Model", with a focus on Membership providers. Those are the ones most likely being extended / written from scratch, and we did an exercise in that very area: Extend the SqlMembershipProvider to audit successful and failed logins similar to *nix. The solution I present today is a streamlined solution programmed by Alexander Schoeppl, one of the attendees.

Step 1: Create the table

CREATE TABLE [dbo].[myLoginAuditing](
 [username] [varchar](255) NOT NULL,
 [numberofSuccessfulLogins] [int] NOT NULL,
 [numberofFailedLogins] [int] NOT NULL,
 [lastFailedLogin] [datetime] NOT NULL,
 [lastFailedLoginIP] [varchar](15) NOT NULL)

Step 2: Create the stored procedure

create procedure myLogUserVisit(
  @username as Varchar(255), 
  @success as int,
  @lastfailedLoginIP as varchar(15))
as
   IF ( EXISTS ( SELECT username
                  FROM   dbo.myLoginAuditing
                  WHERE  username = @username ) )
    BEGIN
    if (@success = 1)
    Begin
      update myLoginAuditing set 
        numberofSuccessfulLogins = numberofSuccessfulLogins + 1 
        where username = @username
    End
    else
    begin
      update myLoginAuditing set 
                    numberofFailedLogins = numberofFailedLogins + 1,
                    lastFailedLogin = GetDate(),
                    lastfailedLoginIP = @lastFailedLoginIP
        where username = @username
    end
  END
  ELSE
  BEGIN
    if (@success = 1)
    Begin
      insert into myLoginAuditing (username, numberofSuccessfulLogins, 
         numberoffailedlogins, lastfailedlogin, lastfailedloginip) 
      values (@username, 1, 0, '01.01.1900', '')
    End
    else
    begin
      insert into myLoginAuditing (username, numberofSuccessfulLogins, 
         numberoffailedlogins, lastfailedlogin, lastfailedloginip) 
      values (@username, 0, 1, GetDate(), @lastfailedLoginIP)
    end    
  END

Alexander did a smart thing - he looked at the various aspnet* sp's.

Step 3: Write the Membership provider

The class skeleton looks like this:

public class MyMembershipProvider : SqlMembershipProvider
{
public override bool ValidateUser(string username, string password)
{
}

public override void Initialize(string name, System.Collections.Specialized.NameValueCollection config)
{
}

public override MembershipUser GetUser(string username, bool userIsOnline)
{
}
}

Initialize is the easy but essential part - we need the connection string name for later:

private string connectionStringName;

public override void Initialize(string name, System.Collections.Specialized.NameValueCollection config)
{
connectionStringName = config["connectionStringName"];
base.Initialize(name, config);
}

Now we can validate the user - well, the base class does that. We only do the auditing part:

public override bool ValidateUser(string username, string password)
{
HttpContext.Current.Trace.Write("ValidateUser:entry");

bool bSuccess = base.ValidateUser(username, password);

string connectionString = ConfigurationManager.ConnectionStrings[connectionStringName].ConnectionString;

SqlConnection conn = new SqlConnection(connectionString);
SqlCommand cmd = new SqlCommand("exec myLogUserVisit @username, @success, @IP", conn);

cmd.Parameters.AddWithValue("@username", username);
if (bSuccess)
  cmd.Parameters.AddWithValue("@success", 1);
else
  cmd.Parameters.AddWithValue("@success", 0);

cmd.Parameters.AddWithValue("@IP", HttpContext.Current.Request.UserHostAddress);

conn.Open();
cmd.ExecuteNonQuery();
conn.Close();

HttpContext.Current.Trace.Write("ValidateUser:exit");

return bSuccess;
}

Step 4: Set it up - web.config

  <appSettings/>
  <connectionStrings>
    <add name="MyNWind" connectionString="Data Source=cbc05vpc\cbc05;Initial Catalog=Northwind;User=sa;Password=P@ssw0rd"/>
  </connectionStrings>
  
  <system.web>
    <membership defaultProvider="SuperDuperMSProv">
      <providers>
        <clear/>
        <add name="SuperDuperMSProv" connectionStringName="MyNWind" type="MyMembershipProvider"/>
      </providers>
    </membership>

Step 5: View the auditing information - default.aspx.cs

The final "UI" looks like this:

The source code is rather simple:

protected void Page_Load(object sender, EventArgs e)
{
MyMembershipUser currentUser = (MyMembershipUser)Membership.GetUser();

Label1.Text = currentUser.FullName;
string lcConnection = ConfigurationManager.ConnectionStrings["MyNWind"].ConnectionString;

SqlConnection conn = new SqlConnection(lcConnection);

SqlCommand cmd = new SqlCommand("select * from myLoginAuditing where username=@username", conn);
cmd.Parameters.AddWithValue("@Username", currentUser.UserName);

conn.Open();

SqlDataReader reader = cmd.ExecuteReader();

GridView1.DataSource = reader;
GridView1.DataBind();

reader.Close();
conn.Close();
}

Done. By the way, did you notice something? Right! Alexander never fell into the trap of SQL Injection.

ExtendingMembershipProviderDemo.zip (5.64 KB)

Yet another security book is coming: The 19 Deadly Sins of Software Security. You can read about its contents on Michael Howard's blog here. I am not yet done with Protect Your Windows Network : From Perimeter to Data by Jesper Johansson and Steve Riley (great site, btw). I definitely do recommend this book to everyone interested in security!

Order a couple of their security posters and place them at strategical locations in your company. Maybe someone should buy this poster for the UK MOD - they keep having their notebooks stolen.

Check out the article 10 Immutable Laws of Security on TechNet. A couple of those should get you thinking - I especially like #6.

Process Explorer is a really nifty tool, that comes in very handy when you want to take a deep dive into what's running on your machine, and what might be happening behind the scenes:

When you double-click on a .NET application, you get a tab dedicated to AppDomain and performance counter information:

Nice for a quick look around to see what that application is doing.

Mark Russinovich (his blog is highly recommended) commented on that book during one of his TechEd Europe talks. The book is written (including) by the guy running rootkit.com, famous for the Hacker Defender rootkit for Windows. Looks like there's yet another book to be added to my backlog for reading this summer <g />.