dotNet

WARNING: Serious ASP.NET issue with Windows Server 2003 and SP1

Marcus Mac Innes — Thu, 04 Aug 2005 17:20:00 GMT

We have been trying to track down a problem with our blog aggregator software B.AG which is currently powering INDA's blog aggregator at www.developers.ie/blogs.

We recently upgraded the server to Windows Server 2003 SP1 and for some reason, threads were simply disappearing from our custom threadpool and the application logging which uses log4net would simply stop without warning. We have just tracked the problem down to the System.Threading.Timer class which according to this has major issues when running on Windows Server 2003 with SP1. It seems the Timer class stops firing at some random point and never fires again...

I know of a number of major ASP.NET sites around the world that have applications that depend on functionality provided by the Timer class and I'm very surprised that this issue has not seen more publicity. So this is just a warning to ensure that you don't fall victim to this issue!

As far am I am aware there is no hotfix available for this problem yet.

TechEd 2005 - Presentations Available Online

Marcus Mac Innes — Thu, 28 Jul 2005 11:56:00 GMT

Following on from my recent post about this year's TechEd Europe. You can now watch some of Kimberly and Rafal's presentations online at http://www.microsoft.com/uk/technet/itsshowtime/.

TechEd 2005 – What’s The Message This Year?

Marcus Mac Innes — Sun, 10 Jul 2005 19:02:00 GMT

Once again, Microsoft pulled off its annual TechEd conference without a hitch. If you’ve never been to TechEd, then it would be difficult to imagine the sheer scale of the event. The conference centre becomes a mini city with 6000 commuters making their way from session room to session room. Between sessions, there is a great buzz of in depth conversations taking place about the previous session content’s validity or relevance to a particular organisation. These conversations as it turns out are often of more benefit than the session content itself!

It’s been an interesting year in the technology community, a year in which Service Oriented Architecture (SOA) appears to have gone mainstream. Last year at the conference, when audiences were asked about how may of them were currently building SOA based applications, I recall a figure of about 15% raising their hands, this year that same question received a 60% vote. This increase is entirely in keeping with what I am seeing across the international communities that I am involved with. It seems that since last year, the majority of new projects are SOA based, which means that Microsoft’s relentless marketing of the SOA strategy is working… But is this right?

There were an abundance of SOA tracks again at this years TechEd. These architecture and “connected systems” tracks had that familiar feel to them, a few words changed here and there but more or less the same slides as last year. Even Clemens Vasters had little to add over the previous year and only got away with it because of his charismatic stage presence. So what’s going on? Why are we hearing the same story over and over again? My guess is that with only 60% of the audience raised their hands… there’s still another 40% to be converted!

Now this begs the big question which dominated most of the offline conversations, is SOA right for every project? There were no sessions on 3-tier, n-tier, client / server or stand alone application architectures. Are these architectures wrong? Should every application no matter how large or small be SOA?

My response is a definite “no” (for the moment). As I’ve said many times before, moving to SOA represents a mind shift much like the shift developers needed to make when they embraced Object Oriented (OO) programming back in the late 80s, early 90s. If we asked the same question in 1990, “should every application be object oriented?” I bet we would have exactly the same response as the question we are asking today about SOA, “No”. OO after all was viewed as too complex for small applications and posed a performance problem on the then slow computers. But if we asked this OO question today, everyone would agree that save a few exceptions, most applications should be built using object oriented methods.

Gregor Hohpe of ThoughtWorks and author of Enterprise Integration Patterns, gave an interesting talk on “Event Driven Architecture, ARC311” in which he gave some practical example of appropriate patterns and their implementations for building and testing event driven architectures. These concepts and implementations are very relevant to building SOA applications and hopefully we shall see more of these advanced talks in the future.

One of the reasons why SOA is not a one size fits all today is that there is a fundamental lack of knowledge, competence and agreement amongst technologists as to exactly how these applications should be built. There is a high barrier to entry in terms of upfront education, an engineering overhead in terms of a increase in design and implementation complexity and to top it all off, a definite runtime performance penalty. While the benefits of a successfully completed SOA project are clear, the investment and risks involved are greater and the business decision mandates caution and careful internal assessments before automatically jumping on board the SOA train.

Regarding education, Microsoft is doing it’s best to pump the message home, telling architects and developers that SOA is the future, teaching them to think about service boundaries, asynchronous programming, reliable versioned messaging… this is the TechEd message. It was the same message last year and people went home filled with new ideas, backed up with memorised example diagrams on how systems could hang together in a new connected, interoperable, scalable and most importantly re-usable way.

I’ve lost count of the number of people I’ve encountered who have run into big trouble trying to implement applications in SOA. The most recent conversation I had was with a US company who were looking for advice on how best to implement an atomic transaction across a service boundary. They explained how they had built an application comprising a number of services and were now having problems ensuring consistency across each of the service databases. If you are reading this thinking “yes, I’m having that problem too”, then hopefully you are in the early stages of your agile development lifecycle!!! Because you are going to need to start again. Requiring an atomic transaction across a service boundary is a clear indication that your services are not divided correctly, your foundations are wrong. This is where SOA projects are running over budget, into difficulty or simply failing. It all boils down to SOA implementation as the classic expression goes “the devil is in the detail”.

Ron Jacobs of Microsoft’s Patterns and Practices group gave a great talk on “Dealing with Data in Service-Oriented Architecture, ARC308” which expands on where Pat Helland left off before he moved to Amazon earlier this year. (Pat if you are reading this… you were missed this year!). This talk deals with the problem of understanding service boundaries from the perspective of segmenting the data within a given domain and deriving your boundaries accordingly. Service orientation is all about “data ownership” and if this message is not crystal clear, then don’t even attempt anything in SOA until this penny drops. (Remember how you needed to understand objects before you could write anything in OO). I would have liked to see a bigger drive from Microsoft in this area, because at then end of the day not every organisation has the skills of a competent and experienced Enterprise Architect on board who fully understands these concepts. Smaller organisations are trying to build SOA applications too and need to understand this cornerstone of the design principal.

The second stumbling block for building SOA or connected systems, is tool support. Those guys who after leaving Amsterdam last year and headed off to build new SOA applications quickly realised that in a non SOA world, they were living in the lap of luxury with respect to the quantity and quality of the tools that were available to help build applications. SOA is new and good tools are few and far between, meaning that you need to do a great deal of extra work (by hand) in order to make things work. Visual Studio 2003 doesn’t provide a great deal of help because once again the devil is in the detail. “[WebMethod]” gave out the entirely wrong message, facilitating ease of construction while negating design. Thankfully, this is something Microsoft is willing to admit and as such had invited my friend Christian Weyer to speak and participate in a number of sessions at this year’s event. Christian who is part of the ThinkTecture team was one of the first to fill the tool support gap with his product WS-ContractFirst which provides a quick and easy way to generate “correct” service interfaces and WSDL code. I believe that Christian also mentioned that the next version of his tool would support WSE 3.0, which will be a great addition.

Furthering the need for better tool support, we are now on the verge of the release of Visual Studio Team System. The more I look at this new suite, the more I realise why it has been so long in the making. The product is simply massive and will present a significant jump in tool support for all .NET technologists from each discipline. I’m not going to go on about this, other than to say that I sincerely believe this release will mark the beginning of a new era of development, the Software Factory.

Thirdly, SOA is currently lacking infrastructure support. Projects soon run into trouble when they realise the complexity of working in a connected (sometimes disconnected) world. Gone are the atomic COM+ transactions and in come the reliably delivered messages… But where is the reliable delivery infrastructure? Indigo will obviously address a number of the infrastructure issues and I would hazard a guess that in the mean time 80% of SOA applications as build using MSMQ as a reliable transport. It seems odd therefore that Microsoft have never released an official MSMQ transport for their Web Services Extension framework (WSE)… You’ve have to rely on third party open source code, mmm.

Benjamin Mitchell, jumps to the rescue and presents a session (CTS350) on WSE 3.0 for which Microsoft have just released a CTP of WS-ReliableMessaging. I’m not sure about the support on this release; I assume it carries a “use at your own risk” label.

In all, TechEd this year could have concentrated a bit more on expanding on last year’s theory with more talk on implementation. Fabriq, EDRA, Proseware, in fact all the implementation references were noticeably missing this year from session titles. Have Microsoft had the same challenges concerning the correct implementation of SOA as the rest of the .NET community? It seems so.

So when I asked earlier about whether SOA was right for every project, I gave a “no” (for the moment) answer. In time, I believe with the right tools, agreement on standards, supporting infrastructure, more groundswell in developer education and experience regarding implementation, I can’t see why it wouldn’t be just as easy to build applications based on SOA architectures.

SQL Server 2005 was also big on the hit list this year. The June CTP is out and appears with improved UI and tools. Kimberly L Tripp is to SQL Server as Clemens Vasters is to Connected Systems. This no nonsense girl has been there and done that, she travels the world fixing problems and as a result just knows what issues we are facing and are likely to face. Her presentation skills are unbeatable and I enjoyed every single moment of each of her talks. Apart from now having the CLR in the database (which I personally believe is of marginal benefit) the new 2005 version seems to have addressed a number of operational issues which enable greatly increased availability. Kim’s demo of online recovery was ingenious created using a tiny 4 port USB hub connected to her laptop. Inserted into the hub were four 128MB USB keys onto which she had partitioned a 1.4 million row database table. While pulling one of the keys out of the hub clearly simulated the complete failure of the drive containing the online data, it didn’t compare to Andy Lees keynote demonstration of clustering in action as he took an actual sledge hammer to a live server on stage in order to simulate a server failure… Kim’s demo however was a little more close to home as she brought the audience through the entire process of a full manual recovery without taking the database or indeed the failed table offline. This is the kind of demo you will be glad to have seen one day…

Testing is also something Microsoft has woken up to and this year’s TechEd saw a number of core personalities, including Roy Osherove of TeamAgile fame making appearances at panel discussions and giving talks on Test strategies. Visual Studio 2005 obviously addresses the need for increased tool support for testing with its introduction of unit testing and load testing capabilities and these were shown off in a number of interesting talks.

Rafal Lukawiecki of Project Botticelli is always a must see with his inspiring security talks. This guy will probably win the best speaker prize again this year…

So to round up TechEd 2005, non-Microsoft people were by far the best speakers in terms of content and presentation skills. If Kimberly L Tripp, Rafal Lukawiecki or Clemens Vasters are around over the coming year and you have an opportunity to attend one of their talks, you’re guaranteed to be inspired.

Also, for the Irish amongst us… be careful (very careful) of Clare and Rob’s generous hospitality, Microsoft style, which ensures that the TechEd experience continues well into the night! These guys really know how to put on the best show!

…and thanks Microsoft for my new phone!

ASP.Net 2.0 Roadshow in Dublin

Marcus Mac Innes — Mon, 07 Mar 2005 10:14:00 GMT

Following my talk on Securing ASP.Net Applications at last Friday’s Dublin leg of Microsoft’s ASP.Net 2.0 European Roadshow, there were a couple of requests for the slides and code samples. They can be downloaded from here.

Talking with developers afterwards in the bar, it was really interesting to see how many of them had heard of SQL Injection and XSS attacks but had not actually realised how vulnerable an application and the other applications which share the same database can be. Most had never actually seen how an attack would be carried out.

I demonstrated how security on a web site can be compromised by taking advantage of holes within the application code. These holes can be discovered by using a series of probes which disclose whether or not vulnerability exists.

The demonstration attacked the site’s Login page to discover vulnerabilities. These were then exploited to bypass the application security altogether. We were then able to take control of the database for this and other applications which share the database, create our own login accounts with administrative privileges and access the site’s customer’s credit card information.

I also demonstrated using a Cross Site Scripting attack how the Forms Authentication cookie could be stolen and silently sent to an attacker’s website to be stored for later use. Once the attacker is in position of this cookie, they would be able to login to the original web site using someone else’s authentication token.

The key message of the talk was to ensure that all user input is validated before any other processing is done. This together with strict use of secure coding standards would have disabled any attacker’s opportunities.

For more information on writing secure code, please feel free to contact me.

And many thanks to Microsoft for asking me to speak at this great event with the ASP.NET team!

Contract First, Guinness Second

Marcus Mac Innes — Fri, 17 Dec 2004 12:22:00 GMT

Yesterday evening, night and the early hours of this morning … (very sore head now) I had the pleasure of meeting Christian Weyer who via INETA was speaking IrishDev.ie’s Christmas Cinema Party.

Christian started off the evening with an excellent talk on the realities we are faced with when building web services. Unlike most talks on this topic, Christian actually provided some of the answers and one pretty good answer in particular.

The biggest problem that plagues the .NET community to date when build Service Orientated Architecture (SOA) applications is the lack of defined process. While SOA is not a new concept, it certainly is a new term and for most, a whole new way of thinking. In the same way that patterns provide standard ways of implementing the same old problems, SOA provides a standard way of architecting applications in order to minimise coupling and maximise interoperability.

Everyone loves the ideas and design paradigms proposed by SOA and everyone can visualise without too much hesitation the advantages and benefits of the final result. Not everyone knows exactly where to start however…

Right at the beginning of Christian’s talk yesterday evening, immediately following his introduction, he alt-tabbed to an eagerly awaiting Visual Studio perched in the background. As he clicked Add Solution, Add New Web Project, my hopes for a serious talk on Web Services were fading fast into the distance. I really thought we were now in for a “here’s how you build your web services using Visual Studio” when all of a sudden my fears were firmly put to rest… “This is not how you should build Web Services”, Christian exclaimed, and now, like the beginning of a good movie, it was time to site back and listen to a man that knows.

When Visual Studio first arrived back in 2001, everyone as Christian points out was amazed by the new productivity features and of course as “Web Services” was fast becoming the next big thing, VS.NET did them too!

I must admit, I was among the impressed when I realised how easy it was going to be to build Web Services using this new tool which gave developers the power to simply adorn their methods with the attribute “[WebMethod]” and have Visual Studio create all the necessary code, Schema and WSDL for you. Within minutes, literally, you could build an application that could communicate using XML and SOAP over HTTP.

It was only when you start to look at a little deeper that you realise that like most things in Visual Studio, this was a “play” implementation of an architecture, great for demos, useless in reality.

The first problem with [WebMethod] is that you are restricted to the RequestResponse pattern. Get something in, process and send something back out the way it came. HTTP is a perfect transport for such an architecture as it is after all a RequestResponse transport.

At this point Christian asked a question of the audience which I shall file away for later use and one which reminded me of Eric Rudder’s recent talk in Dublin when asked about open source software. Eric pointed to a table at the back of the room filled with bottles of water. “Why do we buy bottles of water, when there is perfectly good drinking water available free from the tap downstairs?” Christian asked “When you send a letter in the post, do you wait by the postbox for a reply?”

How could you architect your applications using the RequestResponse pattern having heard this analogy? Problem with Visual Studio number one…

Next we should look at another important aspect of application design, maintainability. The value of software is proportional to the business benefit it provides and is inversely proportional to effort required to make modifications.

As most experienced Visual Studio developers will tell you, Visual Studio is all about productivity. It provides an unparalleled ability to efficiently produce software which provides the business benefit and hence the value I spoke about. What most experienced Visual Studio developers will also tell you is that it provides absolutely no assistance in minimising the impact of later change. This in my opinion negates all the productivity benefits and hence renders most of the toolset useless or as I like to put it, the tools are for “play” only.

The problem here is routed in the fact that Visual Studio is generating code for you. This quickstart is absolutely fantastic and works perfectly until you realise that something is missing or the design isn’t exactly what you require. The code generation templates are fixed and you have a take or leave it scenario.

Building WebServices using the Visual Studio approach falls victim to this problem and everything that is done for you under the covers is going to come back and bite you as your requirements move from those of the demo world to those of the production or real world.

Let’s examine what happens when you add [WebMethod] to a C# or VB.NET method:

Without even thinking about it, you are automatically now using the RequestResponse pattern. Maybe you didn’t even notice, but you are now effectively building a Remote Procedure Call (RPC) web service. Is that what you wanted? Is your design being guided by the implementation tool?

Next the XML Schema and the WSDL are generated for you. But have you had an opportunity to specify whether types are to be shared between methods? Will your Customer class in one method be generated on the client side into a difference namespace from that same Customer class in another method? What will your client proxies look like and will they use clumsy arrays or useful collections for lists? Do you have any opportunity to control what is produced? Not really…

What about Schema validation on received messages or do we just let the deserializer throw exceptions? And aren’t exceptions expensive? Wouldn’t this be a prime target for a denial of service attack? Can we even examine the XML that was received? Not really…

And when version 2 comes along, what are we going to do about backward compatibility?

The list goes on…

If we now look at what has been produced for us by VS.NET, it doesn’t take a genius to realise that we have simply created a XML based interface to an existing Domain Model. This is not Service Orientation or even close.

Service Orientation is about shifting your thinking from an Object Orientated Domain Model to a new architecture which is quite different. This shift is analogous to the shift in mindset from procedural to OO programming and design.

The question comes back then, is Visual Studio assisting us with this process and mind shift or is it actually hampering the process and reducing our options?

Christian obviously felt, as I do, that the latter is the case and has been thinking along with his colleagues at ThinkTecture about ways to help developers overcome these early stumbling blocks. All this thinking has resulted in one of the most important tools available today for the building of real world web service applications. Christian presented “Contract First” a tool and a methodology for the design and flexible generation of the some of the components required to build real world web services.

I’m not going to go into the details of Contract First here, as you can read all about it and even download the tool for free from the ThinkTecture website.

Contract first, Christian wanted Guinness second and believe me Christian has plenty to say about that also…

TestDriven.NET 1.0 Released

Marcus Mac Innes — Tue, 30 Nov 2004 12:42:00 GMT

TestDriven.NET, a handy addin for Visual Studio which allows you to run unit tests from pretty much anywhere from within VS.NET was released as version 1.0 yesterday...

B.AG Blog Aggregator Goes Live

Marcus Mac Innes — Mon, 29 Nov 2004 17:51:00 GMT

When we launched INDA at www.developers.ie a couple of weeks ago, we integrated the .Text blog engine so that our members (most of whom were new to blogging) could have their own blogs on the site. I also created a blog there, but soon I was getting frustrated by having to cross post blog entries both on my own blog here at www.styledesign.biz and on www.developers.ie.

I wanted a simple blog aggregagtor, so that I could automatically pull my most recent posts onto the site without having to cross post. It was during my search for a suitable piece of software that I came across Minh T. Nguyen's .NET Blog Aggregator (which I blogged about previously) and decided that if there was nothing available for download, I would write my own...

Blog AGgregator was born!

Running stand-alone or on top of .Text B.AG pulls content from subscribed RSS feeds and presents the combined content in a sorted, categorised format. I will more than likely blog about the internal design at some point, but for now, you can see B.AG (Beta 1) in action at http://www.developers.ie/blogs/

If you would like to incorporate into your site... just let me know. Marcus

MSN Search Gets My Vote

Marcus Mac Innes — Sat, 13 Nov 2004 01:24:00 GMT

John blogs about the availability of MSN search and mentions that it will take something special before he'll move away from Google. I've been watching MSN Search spider my web sites over the last couple of months and yesterday when I saw the beta announcement, I was thinking exactly the same thing as John. MS are wasting their time, why would anyone use anything other than Google?

24 hours later I'm completely sold.

MSN Search knows what I mean when I type ".NET" (including the dot). INETA is listed in 1st position, Information about Microsoft .NET in 2nd... Now I don't have to limit searches for .NET code examples by language like C# or VB.NET. Sure, with Google you could type ".Net" including the quotes and Google would make sure ".Net" appeared on the result page... but how many web sites are there that include the top-level domain .net? Answer: Too many...

Type "Marcus Mac Innes" (me) and my blog is listed in 1st position. Type that into Google and my aggregated blog on Artima.net is listed first, my blog is actually listed in 5th position. 2nd, 3rd and 4th positions are taken by several of my past posts which appeared on sites like TechEdBloggers.net. Clearly MSN have got the algorithm right!

Type "flight from dublin to london" and as you would expect the national Irish airline AerLingus.com is listed 1st. Type that into Google and I get a host of generic CheapFlights.com equivalents none of which are actually useful for booking a proper flight from dublin to london.

No matter what I enter, I am getting relevant results sets which are more appropriate than Google's results.

As I said above, I'm completely sold and I bet you will be too. Give it a try and let me know what you think...

WSE and Setting up WS-Policy

Marcus Mac Innes — Thu, 11 Nov 2004 08:51:00 GMT

If you have ever looked at setting up WS-Policy, then you will understand that it can be quite tricky to put all the parts together. Thankfully Stuart Gunter has put together a very nice article on introducing, setting up and testing WS-Policy. A great article by any standard, well done Stuart!

.NET Blog Aggregator

Marcus Mac Innes — Wed, 10 Nov 2004 09:44:00 GMT

Just came across this great .NET blog aggregator. If you've got a .NET blog, you can add yours here.