Scott Hanselman

Hidden Gems - Not the same old 3.5 SP1 post

August 13, '08 Comments [32] Posted in ASP.NET | ASP.NET Dynamic Data | ASP.NET MVC | Windows Client | WPF

Folks were hassling me in the comments for not posting the picosecond that .NET 3.5 SP1 came out (or, as I like to call it, .NET 3.6 - although the bosses really don't like that).

First, the obvious stuff.

Should I fear this release?

I wouldn't. The SP1 Framework is full of goodness. The VS Installer is slow (it was for me) but I just shut everything down, ran it, and was patient. It's POSSIBLE. It's way better than the beta installer was. There's a metric buttload of little VS fixes and tweaks that make the IDE a more pleasant place to spend your day. ScottGu lists a bunch of new stuff, like JavaScript intellisense, formatting, editor performance improvements, and on and on.

If you want to see some crazy interesting statistics, go check out Patrick Smacchia's updated 3.5 SP1 Changes Overview.

You can get it here:

If you've ever installed anything wacky or beta, be sure to run the important Preparation Tool and also R'ingT*M.

Now, why should I bother?

What's it got for ASP.NET?

There are lots of details here http://www.asp.net/downloads/3.5-sp1 including stuff on things we used to call ASP.NET 3.5 Extensions (in case you were wondering where all that went.)

ASP.NET Dynamic Data: This is now included in the .NET Framework 3.5 Service Pack 1 release. You can find further information on ASP.NET Dynamic Data here as well as instructions on how to convert applications written using the ASP.NET 3.5 Extensions December 2007 CTP in the readme. Piles of Dynamic Data videos here.

ASP.NET MVC: Nope! MVC has always been a separate release. Check out Phil Haack's blog for details!

ASP.NET AJAX browser history: This is now included in the .NET Framework 3.5 Service Pack 1 release. You can find details of how to convert applications written using the ASP.NET 3.5 Extensions December 2007 CTP in the readme. Check out the Video on AJAX Browser History.

ADO Data Services - It's RESTful! RESTy! A POX on your data! It's AtomPubtastic. Go check out Pablo's most excellent ADO.NET Data Services ("Project Astoria") videos from Mix.

ADO.NET Entity Framework: The ADO.NET Entity Framework is now included in the .NET Framework 3.5 Service Pack 1 release. You can find the documentation for the ADO.NET Entity Framework here. There's also an EntityDataSource.

ASP.NET controls for Silverlight: These ASP.NET Web server controls make it easier to use Silverlight in ASP.NET Web applications. These controls are now included in the Microsoft Silverlight 2 Software Development Kit.

Not to mention other new features like AJAX Script Combining (check the AJAX Script Combining video by Bertrand) and find out "What's the big deal with Script Combining?"

What's it got for Fat Chubby Smart Rubenesque Clients?

Bunch of new SP1 stuff on the client side, and I fully intend to have BabySmash exploit the new stuff as much as possible.

One of the cooler things is the new 3.5 Client Profile bootstrapper. This means I can get a Windows XP SP2 machine with no .NET Framework installed up and running with the 3.5 Client (WinForms, WPF, etc) assemblies in just 26megs with a 200k bootstrapper. I'm going to blog on how to do this, and use BabySmash as a guinea pig soon.

  • Immediate Responsiveness: Bootstrapper is small (200K) to enable the fastest possible response. After the security prompts, the user immediately is presented with the EULA.
  • 3 Clicks: One for the application, installing certificates, and the EULA. For ClickOnce, the user clicks accept on the EULA and the application automatically launches once setup is complete.
  • Size and Speed: With a typical broadband connection, setup will take ~6 minutes or less.
  • Faster launch time: Bunch of NGen and memory layout and CLR improvements.
  • FireFox ClickOnce and XBAP support. Finally!

What about ASP.NET MVC?

There is likely some confusion around MVC as a few people expected ASP.NET MVC to ship in SP1. This is probably because MVC was included in 3.5 "Extensions Preview." However, the plan was always to ship in Q4CY08.

(That date is marketing speak, I've just learned. I tell people what Eilon told me - it'll ship in a month ending in "-ber." Possible "March-ber" but also maybe "next June-ber.")

Anyway, Phil has always said that MVC is on its own schedule and will ship when it's done. Possibly when Duke Nukem Forever ships.

What else is new? What about ASP.NET itself?

Here are the unsung heroes. Scott Galloway and the ASP.NET team will do some articles in exquisite (I hope) detail on http://www.asp.net soon on all the subtle good fixes in ASP.NET, so watch for those.

Here are some details on a few niceties for people who like their URLs and Forms a certain way.

  • RenderAllHiddenFieldsAtTopOfForm - In versions of ASP.NET earlier than the .NET Framework 3.5 SP1, ASP.NET renders some hidden fields (for example, __VIEWSTATE) at the top of the form. Other hidden fields (for example, __EVENTVALIDATION) are rendered near the bottom of the form, just before the closing </div> tag. By default, in ASP.NET 3.5 SP1, all system-generated hidden fields are rendered at the top of the page. This makes sure that the information in these fields is sent to the server even if a postback is performed before the page has finished loading. If RenderAllHiddenFieldsAtTopOfForm is set to false, performing a postback before the page has finished loading can cause an "Invalid postback or callback argument" error.

    This is a nice, but subtle fix. Basically if you tried to do a postback (AJAX or otherwise) before the whole page was loaded and one of the hidden fields like __EVENTTARGET wasn't loaded yet because it was rendering at the bottom of the page, you'd be in a pickle. And you'd get a validation error on post. Now you can set this to true and move those hidden fields to just below the <form>.
  • HtmlForm.Action is now settable - Again, subtle, but very cool.  I like to use URL rewriting a lot and want my <form action=""> to be a certain way. Now I can set it manually without fooling around with RegEx's and messing with the whole response.
  • RedirectMode for CustomErrors - Also nice for URL redirects. If you set the redirectMode on <customErrors/> in web.config to "responseRewrite" you can avoid a redirect to a custom error page and leave the URL in the browser untouched.

A few more advanced improvements:

  • There's a new overload of System.Web.Caching.Cache.Insert() and a new CacheItemUpdateCallback. Thomas Marquardt has more on this in detail. Now you can get notified when a cache item is invalid and you get an opportunity to generate a replacement. This means you actually get warned BEFORE the item is yanked.
  • New RemapHandler method on HttpContext lets you swap in your own IHttpHandler mid-request as long as you do it before MapRequestHandler has been called.
  • New throttling option under IIS7 using aspnet.config. You can set MaxConcurrentRequestsPerCpu or MaxConcurrentThreadsPerCpu. For example, if you had a number of high-latency calls that were tying things up, you could change the Concurrent Threads setting to throttle more logically than Concurrent Requests.
  • Now Response.Flush is safe and reliable to call from a background thread. Before, you could wreak havoc if you called Flush from the background in an AJAX app, but no longer!
  • Remember that System.Web.Routing has been brought over from MVC world and is a core part of ASP.NET now. You can use ASP.NET Routing as you like and there's a fine writeup on Routing here. How is Routing different from URL Rewriting?

    ASP.NET routing differs from other URL rewriting schemes. URL rewriting processes incoming requests by actually changing the URL before it sends the request to the Web page. For example, an application that uses URL rewriting might change a URL from /Products/Widgets/ to /Products.aspx?id=4. Also, URL rewriting typically does not have an API for creating URLs that are based on your patterns. In URL rewriting, if you change a URL pattern, you must manually update all hyperlinks that contain the original URL.

    With ASP.NET routing, the URL is not changed when an incoming request is handled, because routing can extract values from the URL. When you have to create a URL, you pass parameter values into a method that generates the URL for you. To change the URL pattern, you change it in one location, and all the links that you create in the application that are based on that pattern will automatically use the new pattern.

If any of these small but important fixes make you smile, thank Stefan Schackow and the ASP.NET team. If you ever see them, give them a hug, it'll make them very uncomfortable. There are more fixes, and I hope ScottGal expounds on them soon at http://www.asp.net

What about Connected Services?

On the services side, Sam Gentile points out a bunch of new WCF features in 3.5 SP1 like:

  • Improvements in writing REST based services ranging from easily supporting ServiceDocuments publication and consumption to providing greater control and usability of UriTemplate with new syntax. AtomPub support in a new Object Model.
  • DataContract Serializer gets way easier by relaxing/removing the need for [DataContract] and [DataMember] on types. It's POCO (Plain Ol' CLR Object) time, people.
  • More interoperable object references in the serialization format, which means WCF gets along better with Java.
  • New Hosting Wizard when making new WCF Services.
  • Better Partial Trust behavior, particularly when tracing/logging.
  • Support for ADO.NET Entity Framework types in WCF contracts.
  • WCF Templates for consuming services from Silverlight.
  • Scalability increases of 5X-10X (oy!) for WCF services hosted in IIS7-integrated pipeline mode.
  • The Workflow Designer has a number of performance improvements and is generally quicker.


About Scott

Scott Hanselman is a former professor, former Chief Architect in finance, now speaker, consultant, father, diabetic, and Microsoft employee. He is a failed stand-up comic, a cornrower, and a book author.


Hacked! And I didn't like it - URLScan is Step Zero

August 11, '08 Comments [36] Posted in ASP.NET | ASP.NET MVC | IIS | Tools

My blog was down a few days ago. I've had downtime in the minutes over the last few years, but as far as I recall, it's never been down for any significant time. Keyvan noticed that a bunch of us were attacked. Phil Haack was also, ahem, haacked.

UPDATE: To be clear, I wasn't really hacked. I was "DoS'ed" or brought down for a little bit by a distributed denial of service attack that spiked my CPU. I'm advocating that you constrain the URLs and input that get to your application by either black-listing or white-listing allowed content.

I host at ORCSWeb and have forever. We're in the process of making a lot of changes to my blog. I'm on an x64 machine (I've blogged about DasBlog on x64 before), but running in a 32-bit AppPool. We're moving my blog to a dedicated server, switching to x64, and we were also upgrading to UrlScan 3.0, which just had a beta release in June.

Anyway, in this crazy process, there was a window of time where I didn't have UrlScan enabled on the machine. I mistakenly thought that the Ninjas wouldn't be able to catch me if I was on fire. In fact, not so.


Speaking of Ninjas, Wade Hilmo is a ninja at Microsoft who writes UrlScan.

There's a great IIS7 Request Filter for protecting against nasty attacks, but UrlScan Beta 3.0 still has the edge on the filter for the time being. Version 3.0 of UrlScan adds:

  • Support for query string scanning, including an option to scan an unescaped version of the query string.
  • Change notification for configuration (no more restarts for most settings.)
  • UrlScan can be installed as a site filter.  Different sites can have their own copy, with their own configuration.
  • Escape sequences can be used in the configuration file to express CRLF, a semicolon (normally a comment delimiter) or unprintable characters in rules.
  • Custom rules can be created to scan the URL, query string, a particular header, all headers or combination of these.  The rules can be applied based on the type of file requested.
  • Support for 64 bit IIS worker processes.

This release of UrlScan is a beta, but its config file is backward compatible and there's a GoLive license. It's working great for me. However, to quote Wade:

"While they are effective against the current wave of automated attacks, they cannot protect against more directed attacks against a specific server."

This was a SQL Injection attack with URLs that looked like this (and some variations):

[08-11-2008 - 17:29:31] Client at 201.67.x.x: Query string length exceeded maximum allowed. Request will be rejected. Site Instance='13', QueryString= 'guid=0b93befc-3543-4bfc-ba8e-6cd340b6d9d3;DECLARE%%20@S%%20VARCHAR(4000);SET%%20@S=CAST(0x4445434C4152452...(incrediblyLONGQueryString)...220%%20AS%%20VARCHAR(4000));EXEC(@S);--', Raw URL='/blog/CommentView.aspx'

In this example, it's hitting CommentView.aspx and trying to add a bunch of T-SQL at the end, with the most evil part encoded inside a CAST() statement. It's a distributed attack with a bunch of (likely innocent) drones reaching out to be mean. In a few hour period, there were thousands of attacks from over 250 different IP addresses.

Fortunately DasBlog doesn't use a database at all, rather a bunch of XML files for storage. Unfortunately, the application was still trying to map these query strings to blog posts, and the result took my blog down.

There are really two main things to think about when dealing with user input, remembering that the URL is an input point for your application!

  1. Trust no input from the user.
  2. Constrain the input that reaches your application code as much as you can. Deny as early as possible (hardware, load-balancer, appliance, module, etc).

We need to tighten up DasBlog to more quickly reject URLs that are surely not requests for blog posts, but a tool like UrlScan allows me to easily reject obvious attacks in a way that is more efficient than letting my application code do it.

I would encourage you to take a moment and do a threat analysis on your own websites, and make sure that you ARE constraining input appropriately.

One thing to note, you can and will likely break things for a while with UrlScan, as it does constrain input and you might have valid URLs you aren't aware of. For example, UrlScan broke OpenID authentication for me as the query strings included dots, which UrlScan was denying and also the presence of the word "open" in the querystring. Other denials can happen because of keywords in the URL or length of the querystring. Be sure to test appropriately and watch the UrlScan logs of denials. You can set very blanket rules, or constrain by extension.
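As an added example (not code from the post, DasBlog or UrlScan), here is a small Python script that puts the two points above into practice: it parses denial lines in the UrlScan log format quoted earlier (constructed sample lines with documentation-range IPs and the truncated payload) and shows a whitelist check and an unescaped-query blacklist check for the CommentView.aspx query string. The doubled '%' in the log and the 256-character limit are assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote

# Constructed sample lines (documentation-range IPs, truncated payload) in the
# UrlScan log format quoted above. Assumption: UrlScan writes '%' as '%%'.
SAMPLE_LOG = """\
[08-11-2008 - 17:29:31] Client at 203.0.113.5: Query string length exceeded maximum allowed. Request will be rejected. Site Instance='13', QueryString= 'guid=0b93befc-3543-4bfc-ba8e-6cd340b6d9d3;DECLARE%%20@S%%20VARCHAR(4000);SET%%20@S=CAST(0x4445434C415245%%20AS%%20VARCHAR(4000));EXEC(@S);--', Raw URL='/blog/CommentView.aspx'
[08-11-2008 - 17:29:40] Client at 198.51.100.7: Query string length exceeded maximum allowed. Request will be rejected. Site Instance='13', QueryString= 'guid=0b93befc-3543-4bfc-ba8e-6cd340b6d9d3;DECLARE%%20@S%%20VARCHAR(4000);SET%%20@S=CAST(0x4445434C415245%%20AS%%20VARCHAR(4000));EXEC(@S);--', Raw URL='/blog/CommentView.aspx'
[08-11-2008 - 17:31:02] Client at 203.0.113.5: Query string length exceeded maximum allowed. Request will be rejected. Site Instance='13', QueryString= 'guid=0b93befc-3543-4bfc-ba8e-6cd340b6d9d3;DECLARE%%20@S%%20VARCHAR(4000);SET%%20@S=CAST(0x4445434C415245%%20AS%%20VARCHAR(4000));EXEC(@S);--', Raw URL='/blog/CommentView.aspx'
"""

LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Client at (?P<ip>\S+): (?P<reason>.+?) Request will be rejected\. "
    r"Site Instance='(?P<site>\d+)', QueryString= '(?P<qs>.*)', Raw URL='(?P<url>[^']*)'$"
)
# The only legal query for CommentView.aspx is a single GUID, so the whitelist
# is tiny: one parameter, 36 characters, hex digits and dashes.
GUID_RE = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
MAX_QUERY_LEN = 256  # assumption: far more than "guid=<36 chars>" ever needs
SQL_MARKERS = ("declare ", "cast(", "exec(", "--")

def parse_urlscan_line(line):
    """Split one UrlScan denial line into its fields; None if it does not match."""
    m = LOG_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["qs"] = rec["qs"].replace("%%", "%")  # undo the log's '%' doubling (assumption)
    return rec

def check_commentview_query(qs):
    """Whitelist: deny early unless the query is exactly 'guid=<GUID>'.
    Returns (allowed, reason); the cheap length check runs first."""
    if len(qs) > MAX_QUERY_LEN:
        return False, "query string too long"
    params = parse_qs(qs, keep_blank_values=True)
    if set(params) != {"guid"} or len(params["guid"]) != 1:
        return False, "unexpected parameters"
    if not GUID_RE.match(params["guid"][0]):
        return False, "guid is not a GUID"
    return True, "ok"

def looks_like_sql_injection(qs):
    """Blacklist on the *unescaped* query (the UrlScan 3.0 option): %20 must not
    hide the T-SQL. Approximate by nature, which is why the whitelist is the gate."""
    decoded = unquote(qs).lower()
    return [marker for marker in SQL_MARKERS if marker in decoded]

def summarize_denials(log_text):
    """Count denials per client IP and per target URL, plus how many carry SQL
    markers, so a distributed attack shows up as many IPs hitting one URL."""
    per_ip, per_url, flagged = Counter(), Counter(), 0
    for line in log_text.splitlines():
        rec = parse_urlscan_line(line)
        if rec is None:
            continue
        per_ip[rec["ip"]] += 1
        per_url[rec["url"]] += 1
        if looks_like_sql_injection(rec["qs"]):
            flagged += 1
    return {"per_ip": per_ip, "per_url": per_url, "sql_flagged": flagged}
```

Note that the injected query in the sample is short enough to pass a pure length limit; it is the whitelist (one parameter, must be a GUID) that rejects it.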

We always installed UrlScan on staging and production machines when I was in banking, and made them part of the testing and deployment process. In these times, having a filter installed like UrlScan is Step Zero. I will remember that in the future! Thanks to ORCSweb for answering my 2am emails and helping me fix it in near-real-time!



Hanselminutes Podcast 125 - Accessibility in Web and Rich Applications

August 8, '08 Comments [6] Posted in ASP.NET | Podcast | Windows Client | WPF

My one-hundred-and-twenty-fifth podcast is up. In this episode Scott talks to Saqib Shaikh, a developer for Microsoft Consulting Services in the UK, who is also blind. They chat about accessibility in Windows, on the Web and in the next generation of Web Applications written with AJAX and Silverlight.

UPDATE: Here are Saqib, Dan and me on Channel 9 talking about accessibility. Saqib gives a demo of how he uses his Windows Mobile phone without sight.


Saqib Shaikh and Scott Hanselman: Designing for Accessibility

Subscribe: Subscribe to Hanselminutes | Subscribe to my Podcast in iTunes

If you have trouble downloading, or your download is slow, do try the torrent with µtorrent or another BitTorrent Downloader.

Do also remember the complete archives are always up and they have PDF Transcripts, a little known feature that show up a few weeks after each show.

Telerik is our sponsor for this show.

Telerik's new stuff is pretty sweet, check out the ONLINE DEMO of their new ASP.NET AJAX suite. RadGrid handles sorting, filtering, and paging of hundreds of thousands of records in milliseconds, and the RadEditor loads up to 4 times faster and the navigation controls now support binding to web services on the client.

As I've said before this show comes to you with the audio expertise and stewardship of Carl Franklin. The name comes from Travis Illig, but the goal of the show is simple. Avoid wasting the listener's time. (and make the commute less boring)

Enjoy. Who knows what'll happen in the next show?

* Picture of Saqib from James Senior's blog.


More Channel 9 Silliness

August 8, '08 Comments [5] Posted in Musings

While I was up in Redmond this last week, I got to hang out on Channel 9 again. Dan is so cruel to me! ;)


This Week on C9: Scott Hanselman and Charlie Eriksen in the house


I like cake! - Cakemail, Ninjas on Fire, and other Anecdotes

August 6, '08 Comments [81] Posted in Musings

When I worked with Travis Illig (who is the origin of the term "Hanselminute," by the way) and Stuart Thompson at Corillian/CheckFree, we had a project manager who didn't totally "get" stuff.

What I mean is that we'd be in a meeting, perhaps a feature meeting or something, and we'd be firing on all cylinders. Everyone was working well together, communicating clearly, finishing each other's sentences, just an all around great day. Designs became clear, backlog items were created at a furious pace, and it was generally felt that everyone in the meeting "grokked" what we needed to do.

At this point this particular project manager, who had been quiet until this point, would ask something like

"Now, wait, are you saying that Java replaces XML?"

...and silence. Crickets. We were hearing English *words*, but not a cohesive sentence. After all that, the last hour of banging through stuff, he had not just a disconnect, but a total fundamental misunderstanding of some aspect of computers and systems design.

I don't remember who originally said it, it might have been me or Travis, but at some point after one of these uncomfortable moments, someone broke the silence with the non sequitur:

"I LIKE CAKE!"

...and the room exploded. From that point on, any time anyone in any meeting said something that was far enough off topic or sufficiently non-sequiturial, someone would declare "I LIKE CAKE!"

All off-topic email responses are now declared "Cakemail" as in, "Man, I got some Cakemail from Fred this morning. Made no sense." I still use this to this day and it still makes me smile.


Jesse asked me how I was doing yesterday and I replied "Ninjas on fire, man." Four years ago when Halo 2 was coming out it was described like this.

"Halo 2 is a lot like Halo 1, except it's Halo 1 on fire going 120 miles per hour through a hospital zone chased by helicopters and ninjas. And the ninjas are all on fire too." -Jason Jones

For me and some of my compatriots, it also became a phrase that referred to our current workload, like:

"How's work?"

"I'm being chased by ninjas."

"Are they on fire?"

"Not yet."

"Oh, so it's Tuesday. You wait."

The short-hand just became "ninjas on fire, man" as a response to when you're totally overwhelmed with deadlines and work.


Open Thread: What anecdotes about life in Software Development do you have to share, Dear Reader? What short-hands or code-words have you developed?


Disclaimer: The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.