Report on the Wichita Code Camp
Raymond Lewallen: http://codebetter.com/blogs/raymond.lewallen
Building strongly-typed session objects, cache objects, and viewstate.
If you aren't using a session management object, you must start. Do a search for session[] and make your developers give a justifiable business reason they need to use something outside of the project's session object management class. Use code reviews to enforce it.
Why is it that developers can have the confidence to say definitively "this is how it should be done" and are more than willing to follow standards? In fact, in my experience as of late, they are really the ones pushing for it. It makes their jobs easier.
Yet management and managers can't even agree upon and finalize the simplest decisions? We want the background color blue; no, red; okay, how about green?
We want this field here and this field there.
Cos Callis: Custom User Objects in ASP.NET
A lot of developers create their own object and store it in Session, holding things such as the email address. Since this is typically tied to the current user, you might as well have the additional properties you need there.
Page.User is based on IPrincipal, and all you need to do to add to it is create your own class that implements the IPrincipal interface. IPrincipal is the important part.
Attaching it to the logged-on user makes it so that only the current user can see their data. This data is stored in HttpContext instead of Session, making it even more secure.
(* Note: the following is pseudo code:)
Turn on forms authentication in web.config.
You build your User object inside Global.asax:

Sub Application_AuthenticateRequest(ByVal sender As Object, ByVal e As EventArgs)
    Try
        If Not Request.Cookies(FormsAuthentication.FormsCookieName) Is Nothing Then
            Context.User = New CCUser(Request.Cookies(FormsAuthentication.FormsCookieName))
        Else
            Context.User = New CCAnonymousUser()
        End If
    Catch ex As Exception
        Context.User = New CCAnonymousUser()
    End Try
End Sub

Login button click:
Sub LoginButton_Click(ByVal sender As Object, ByVal e As EventArgs)
    HttpContext.Current.User = New CCUser(TextBox1.Text, TextBox2.Text)
    FormsAuthentication.RedirectFromLoginPage(TextBox1.Text, True)
End Sub

Public Class CCUser
    Inherits System.Data.DataSet
    Implements System.Security.Principal.IIdentity, System.Security.Principal.IPrincipal

    Public ReadOnly Property Identity() As IIdentity Implements IPrincipal.Identity
        Get
            Return Me
        End Get
    End Property

    ' Fields loaded for the user:
    ' _email, _firstname, _lastname, _roles, _menuOptions, _CSS,
    ' _webparts (a DataTable; a data repeater displays the web parts)
    ' The page picks up the user's style sheet: Page.CSS = User.CSS / Me.StyleSheetTheme = User.CSS

    ' Three constructors:
    Public Sub New()
        ' blank
    End Sub

    Public Sub New(ByVal email As String, ByVal password As String)
        ValidateUser(email, password)
        LoadCookie(email, password)
    End Sub

    Public Sub New(ByVal cookie As HttpCookie)
        Dim tkt As FormsAuthenticationTicket = FormsAuthentication.Decrypt(cookie.Value)
        ValidateUser(tkt.Name, tkt.UserData)
        HttpContext.Current.User = New System.Security.Principal.GenericPrincipal(id, MyRoles)
    End Sub

    Public Sub ValidateUser(ByVal email As String, ByVal password As String)
        ' It doesn't matter which authentication type you use;
        ' you can use mixed: try Active Directory first, and if it fails,
        ' then do your custom db user login.
        ' IsInternal T/F: whether they're in AD.
    End Sub

    Public Sub LoadCookie(ByVal email As String, ByVal pwd As String)
        Dim tkt As New FormsAuthenticationTicket(1, "CodeCampUser", Now, Now.AddHours(1), True, "Hello Wichita")
        Dim encTicket As String = FormsAuthentication.Encrypt(tkt)
        HttpContext.Current.Response.AppendCookie(New HttpCookie(FormsAuthentication.FormsCookieName, encTicket))
    End Sub
End Class

Then the login SQL stored proc:
select * from menus where userid=##
select * from users where userid=##

Public Class InvalidLogonException
    Inherits System.Exception
End Class

Public Class CCAnonymousUser
    Inherits CCUser

    Public Overrides ReadOnly Property IsAuthenticated() As Boolean
        Get
            Return False
        End Get
    End Property

    Public Overrides ReadOnly Property Name() As String
        Get
            Return ""
        End Get
    End Property

    Public Overrides Function IsInRole(ByVal role As String) As Boolean
        Return False
    End Function
End Class

Class CCBasePage
    Inherits System.Web.UI.Page

    Public Shadows ReadOnly Property User() As CCUser
        Get
            Return DirectCast(MyBase.User, CCUser)
            ' CType tries to convert first; DirectCast only accepts an object whose
            ' run-time type already is (or inherits/implements) CCUser, so it skips
            ' the conversion helpers and fails rather than coerce.
        End Get
    End Property
End Class
Great job! On why it's needed, how useful it is, and why it's best to inherit and implement from the Current.User.
The only argument people have voiced: it creates too much bloat. But you're going to do it somewhere (session, application, etc.), so why not here, the most logical choice.
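The pattern from the notes above, written out as an added C# example. This is not the speaker's code: the class names CCUser, CCAnonymousUser and CCBasePage follow the notes, while carrying a comma-separated role list in the ticket's UserData, the CCLogin helper and leaving the credential check to the caller are assumptions of this example.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

public class CCUser : IPrincipal, IIdentity
{
    private readonly string _name;
    private readonly string[] _roles;

    public CCUser(string name, string[] roles)
    {
        _name = name ?? "";
        _roles = roles ?? new string[0];
    }

    // Build the principal from a ticket the FormsAuthenticationModule has already
    // decrypted and validated (MAC and expiry). Only the name and the role list
    // live in the ticket; the password is never written to it.
    public static CCUser FromTicket(FormsAuthenticationTicket ticket)
    {
        if (ticket == null || ticket.Expired)
            return new CCAnonymousUser();
        string[] roles = string.IsNullOrEmpty(ticket.UserData)
            ? new string[0]
            : ticket.UserData.Split(',');   // assumed convention: roles in UserData
        return new CCUser(ticket.Name, roles);
    }

    // IPrincipal
    public IIdentity Identity { get { return this; } }
    public virtual bool IsInRole(string role)
    {
        return Array.IndexOf(_roles, role) >= 0;
    }

    // IIdentity
    public virtual string Name { get { return _name; } }
    public string AuthenticationType { get { return "Forms"; } }
    public virtual bool IsAuthenticated { get { return true; } }
}

public class CCAnonymousUser : CCUser
{
    public CCAnonymousUser() : base("", new string[0]) { }
    public override bool IsAuthenticated { get { return false; } }
    public override bool IsInRole(string role) { return false; }
}

// Issues the cookie after the caller has validated the credentials
// (the credential lookup is the application's own and is not shown here).
public static class CCLogin
{
    public static HttpCookie IssueTicket(string email, string[] roles)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1, email, DateTime.Now, DateTime.Now.AddHours(1), false, string.Join(",", roles));
        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
                                           FormsAuthentication.Encrypt(ticket));
        cookie.HttpOnly = true;                         // keep the ticket away from script
        cookie.Secure = FormsAuthentication.RequireSSL; // honour requireSSL from web.config
        return cookie;
    }
}

// Global.asax: replace the GenericPrincipal the module created with the typed one.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        FormsIdentity forms = (Context.User == null) ? null : Context.User.Identity as FormsIdentity;
        Context.User = (forms != null) ? CCUser.FromTicket(forms.Ticket) : new CCAnonymousUser();
    }
}

// Pages inherit this to get a typed User without casting on every page.
public class CCBasePage : System.Web.UI.Page
{
    public new CCUser User
    {
        get { return (Context.User as CCUser) ?? new CCAnonymousUser(); }
    }
}
```

The module has already rejected tampered or expired tickets before Application_AuthenticateRequest runs, so the only decision left there is which typed principal to attach; anything unexpected falls through to CCAnonymousUser rather than to a null User.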
Raymond Lewallen - Continuous Integration
www.codebetter.com/blogs/raymond.lewallen/downloads/ci.zip
Continuous information: if you only talked to your customer once a month, your project would be in trouble. So why do you wait until deployment to really audit your code?
FxCop: all methods should be Pascal case.
The only thing that doesn't work with 2.0 is the NCover report: it runs but produces an empty XML report.
Yours Truly - Introduction to Programming Windows Communication Foundation (WCF)
The presentation went well; it was obvious that everyone understood how easy it is to create services, as well as how much easier WCF makes it.
I had one question by the most inquisitive of the group:
Can Services or Clients be used to attach as an "EventHandler" to a Service?
After much thought, I realized the architecture he is really looking for would involve multiple services. Using a Client as an EventHandler would reverse the usual Client-to-Service direction of messages, so in my opinion the real solution to what he was asking is for the Client to have a Service of its own (or for the "EventHandler" Service to be running somewhere), and the Service that needs to communicate the event would then send it to that Service for any additional handling.
One comment I had afterwards, in summation, was: "it's hard to get excited about WCF, because Services have been around for several years, and it's so easy to create a service, but I've never done it and I don't see the need in my environment".
After spending a little bit of time thinking about it, the first thing that comes to mind is how developers are always more confused by the things that are simple. As developers, we are so conditioned to think everything is complex that when we encounter something simple it really baffles us, and we keep thinking there must be something more that we're missing.
Well, as services go, it really is simple, and WCF only simplifies it further, which is good. As for not needing services in your environment, I can see that thinking today, but the ability to make your business functionality and processes easily available to multiple in-house applications and to your external clients and business partners will matter; it's only a matter of time. Why not be prepared, since it is so easy?
Web Application Security
This was an introductory presentation on all the various aspects of security.
All the various methods in IIS that are security related: SSL, etc.
Self Certificate Generator w/IIS 6 Resource Kit
SQL 2005 - Native Encryption - 127bits
The US government, the credit card industry, etc. require encryption of at least 128 bits.
IIS vs. DBAs vs. developers (security needs to be implemented by all).
SQL injection attacks.
SQL Server security versus Windows authentication versus local DB security.
aspnet_regsql to install ASP.NET 2.0 user management
Entering ' or ''=' (or ' or 1=1) in both the user and password fields turns a concatenated login query into:
select * from login where user='' or ''='' and password='' or ''=''
select * from login where user='' or 1=1 and password='' or 1=1
Both match every row in login. The notes also sketch that the same concatenation point accepts a delete statement in place of the comparison, so the attack isn't limited to bypassing the login.
use stored procs.
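An added C# example (not from the presentation) that puts the concatenated query the payloads above exploit next to the parameterized and stored-procedure forms in ADO.NET. The table and column names follow the notes; the procedure name dbo.usp_ValidateLogin and the column sizes are assumptions.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class LoginQueries
{
    // VULNERABLE: the query text is built from the form fields, so quotes in the
    // input become part of the SQL. With ' or ''=' in both fields this returns
    // select * from login where [user]='' or ''='' and password='' or ''=''
    // ([user] is bracketed because USER is a reserved word in T-SQL.)
    public static string BuildConcatenated(string user, string password)
    {
        return "select * from login where [user]='" + user +
               "' and password='" + password + "'";
    }

    // HARDENED: the SQL text is a constant and the values travel as typed
    // parameters. ' or ''=' is now just a 9-character string compared against
    // the [user] column; it is never parsed as SQL.
    public static SqlCommand BuildParameterized(SqlConnection conn, string user, string password)
    {
        SqlCommand cmd = new SqlCommand(
            "select * from login where [user] = @user and password = @password", conn);
        cmd.Parameters.Add("@user", SqlDbType.NVarChar, 256).Value = user;
        cmd.Parameters.Add("@password", SqlDbType.NVarChar, 256).Value = password;
        return cmd;
    }

    // Same idea through the stored procedure the notes recommend (name assumed).
    // This only helps if the procedure compares its parameters directly; a
    // procedure that concatenates them into EXEC(...) is injectable again.
    public static SqlCommand BuildStoredProc(SqlConnection conn, string user, string password)
    {
        SqlCommand cmd = new SqlCommand("dbo.usp_ValidateLogin", conn);
        cmd.CommandType = CommandType.StoredProcedure;
        cmd.Parameters.Add("@user", SqlDbType.NVarChar, 256).Value = user;
        cmd.Parameters.Add("@password", SqlDbType.NVarChar, 256).Value = password;
        return cmd;
    }

    public static void Main()
    {
        string payload = "' or ''='";   // constructed sample input taken from the notes
        Console.WriteLine(BuildConcatenated(payload, payload));

        // The parameterized form sends the same fixed text regardless of input;
        // no connection is opened here, the command is only inspected.
        using (SqlConnection conn = new SqlConnection())
        {
            SqlCommand cmd = BuildParameterized(conn, payload, payload);
            Console.WriteLine(cmd.CommandText + "   (@user = " + cmd.Parameters["@user"].Value + ")");
        }
    }
}
```

Running Main prints the tautology query first and then the unchanged parameterized text, which is the whole point: with parameters the attacker controls a value, not the statement.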
Summary
The thing that stood out the most is that even though a lot of the topics were things we already knew, we all still walked away having learned surprisingly more than we had ever expected.
Great Job WichitaDevelopers.NET
David Walker has over 15 years of experience in application development, with over 50% of that employed as a consultant with companies such as Texaco, Bank of Oklahoma, Winner Communications (ESPN.com) and IBM Global Services. At the age of 14, he began his application development ambitions with a Commodore 64, BASIC, and a 300 baud modem. Even at that early age, he primarily focused on two specific application types: multi-user communities and database applications.
His hunger to learn as much as possible about development led him through courses such as DBase III, DBase IV, Pascal, C, C++, Java, and several in UNIX. He started his development career doing heavy processing with Access and VBA, then moved on to VB 3, Oracle, and Delphi. Visual Basic was one environment that remained constant for many years, including his very first .NET projects, performed in Visual Basic.NET.
After working several years on very high-end internal corporate applications, the consulting company he was working for sought out his ideas for actual software products that could be packaged and sold. He had already developed several prototypes of a dynamic portal application, before portals even became popular, so this became the logical decision and he became the Director of Product Development. Under his direction, a team of developers and graphic artists took a skinning approach before that became popular, completed the core portal application, and went on to develop 15+ add-on modules, including Help Desk Ticket Systems, Change Control, Records Management, Human Resources, and many more applications. Eventually, it spun off into its own separate company as KnowledgeGEAR, a complete intranet-in-a-box solution.
Having worked as a consultant, he has had experience with a very wide range of applications and architectures, at one time even converting several FoxPro and GW-BASIC applications to VB 6 and ASP. His early training in Unix and the C language and years of experience with JavaScript led him very quickly to C#, where he has remained focused ever since.
He is the current President of the Tulsa Developers .NET user group. He has been an MCP since 2003 and MCAD and MCSD since 2005. He is currently pursuing his MCDBA and then moving on to MCSE.