
Tuesday, August 30, 2011

TechEd 2011 Round Up / Summary

I've summarised some of the most interesting/important parts of my TechEd 2011 NZ notes here.

WUX206 - Pimp My App - 3 screens and a challenge

DEV302 Lesser Known Design Patterns

  • Null object pattern - Avoid the ceremony of checking if something is null before using it.
  • Command pattern - Alternative to adding additional methods to interface by instead creating new objects.
  • Object Emancipation - Objects are more than just buckets of information. Give your objects responsibility for managing their own State.
  • State Pattern - Partially change the type of the object by swapping out behaviour based on state.

DEV301 Going Mobile: Any System to any Mobile Device

  • With REST. No URI construction on the client; follow the hyperlinks instead. Dependency on the namespace.
  • With REST. DO NOT define new verbs; use GET, PUT, POST, DELETE

WUX101 HTML 5 Hands On

  • Polyfill - A way to support HTML 5 features in older browsers using JavaScript shims.
    What is a Polyfill?
    A polyfill, or polyfiller, is a piece of code (or plugin) that provides the technology that you, the developer, expect the browser to provide natively. Flattening the API landscape if you will.
  • Rather than UserAgent sniffing, use feature detection with something like Modernizr

SIM201 Hack-Ed - The Attackers are coming!

  • SQL Injection is still the number one threat to most websites.
    • SQLMAP - a Python script for automatic SQL injection and database takeover
  • Cross Site Scripting (XSS) variations are still a serious issue. They can be weaponized with a server for the hacker to send instructions to the user's browser.
  • Unescaped twitter feeds can be used for XSS attacks.
  • Local proxies for security testing:
    • Paros - "Through Paros's proxy nature, all HTTP and HTTPS data between server and client, including cookies and form fields, can be intercepted and modified."
    • Burp proxy - "an intercepting proxy server for security testing of web applications. It operates as a man-in-the-middle between your browser and the target application"
  • It's important to check that the credit card authorized amount was the expected amount.

DEV311 A Practical Developer's Introduction to F#

  • A functional language that is native to .NET. It can call and be called by other .NET code.
  • Is well suited for Scientific and numerical computing, Finance, Insurance, Parsers, and Domain Specific Languages
  • Pipeline operator |> makes chaining operators easier to read. Kind of similar to extension methods in C#

DEV309 - Visual Studio vNext Directions

SIM305 - The Attackers are Coming!

  • SQL Injection - As a start, look for calls in SQL to sp_executesql or exec that aren't using parameters correctly
  • Cross Site Scripting (XSS) - With ASP.NET use HttpUtility or AntiXSS Html and Attribute Encode. Consider the Security Runtime Engine - Safety Net
  • Enforce Session logout server-side rather than just removing the cookie client side
  • Set 'httponly' and 'secure' flags on cookies.
  • Cross Site Request Forgery - ASP.NET - Set the ViewStateUserKey in the OnInit of a base page. Used in addition to the MAC Key to hash the ViewState.
  • Send the following HTTP headers when serving content uploaded by users:
    • Content-Disposition: Attachment
    • X-Download-Options: noopen
    • X-Content-Type-Options: nosniff
    • Content-Type: [mime-type]

DEV401 Advanced .NET Debugging

  • WinDBG with the SOS Extension from the .NET framework team can make debugging specific classes of bugs much easier, such as:
    • Memory Leaks
    • Deadlocks
    • Race conditions
    • Dumps from production applications (where it isn't otherwise possible to attach a debugger)

DEV204 Tools I use to improve my development

  • Mindscape Web Workbench - Add Sass, Less & CoffeeScript support to VS2010
  • Web Standards Update for VS2010 - Adds support for HTML5 & CSS 3 to VS 2010 SP1
  • Nuget - Manage common packages and dependencies for your projects
  • Chrome Developer Tools - "Pretty Print" to reformat compressed Javascript.

DEV306 The WCF Web Community - REST, jQuery and WebSocket

  • fiddler - a Web Debugging Proxy which logs all HTTP(S) traffic between your computer and the Internet. Fiddler allows you to inspect traffic, set breakpoints, and "fiddle" with incoming or outgoing data.
  • OData is useful in .NET to .NET scenarios
  • RIA Services - OData endpoint that can be queried over LINQ.

DEV312 Getting the most from Visual Studio using Managed Extensibility Framework (MEF)

  • MEF is a framework for creating extensible applications and consuming plug-in parts.
  • Visual Studio 2010 editor extensibility is built through MEF.
  • The VS2010 Find Box is also a command box when prefixed with >
    • > File.CloseAllButThis
    • > File.CopyFullPaths
    • > Tools.GoToCommandLine

DEV308 Visual Studio LightSwitch - Beyond the Basics

  • Submit pipeline
    1. Pre-processing
    2. Process modified entities
    3. Execution – LightSwitch passes all of the changes to the underlying data provider for processing
    4. Post-process modified entities
    5. Post-processing

WUX205 Kick starting your web development with ASP.NET 4.0

DEV303 Making Asynchronous Programming Easy

DEV403 Dynamic and Meta-programming in .NET 4

Online sessions

Breakout Sessions Other Videos
COS302 | Line of Business in the Cloud 2011 Tech·Ed New Zealand Keynote
COS305 | Guidelines and Best Practices for Migrating .NET Web Services to the Azure Platform Welcome to NZ’s Premier IT Conference – Tech·Ed 2011
DBI207 | Trade Me: 0-70 million pages in 0.34 Gigaseconds What is happening in the Hub?
DBI208 | Project "Crescent" the next level of SQL Server BI Data Visualisation: Demos Galore End Of Day 1 - 2011 Tech·Ed NZ
DBI304 | Building a Mission-Critical High Availability Solution Using AlwaysOn HP - Principal Sponsor of 2011 Tech·Ed New Zealand
DEV311 | A Practical Developer's Introduction to F# TechFest MC- Dai Henwood
DEV403 | Dynamic and meta-programming in .NET 4 Interview with Main Act - Fat Freddy's Drop
DPR202 | Good architect vs. Bad architect (coming soon) Highlights from TechFest 2011
DPR209 | Hitchhiker’s Guide To Technical Leadership 2011 TechEd New Zealand - Wrap Up
DYN301 | A Developer's Guide to Integrating Microsoft Dynamics CRM 2011 & SharePoint 2010 Tech Talk Interview with Andrew Ehrensing
DYN304 | When CRM 2011 Goes Viral Tech Talk Interview with Rob Reinauer
EXL302 | Exchange 2010 High Availability Concepts Tech Talk Interview with Scott Schnoll
INO204 | Microsoft Research - Technologies from MSR that YOU can use Tech Talk Interview with the UPT Digital Kids
INO301 | Transforming Our Future Today Tech Talk Interview with Steve Smith
OSP304 | The SharePoint 2010 Search Service Decoupled Tech Talk Interview with Debbie Ireland
SIM201 | 2011 Hack-Ed - The Attackers are coming! Tech Talk Interview with Carolyn Chau
SIM302 | Creating a Federated Extranet with ADFSv2 and SharePoint2010 – Notes from the field Tech Talk Interview with Brendon Ford
SIM305 | Hack-Ed - Boost your defences! Tech Talk Interview with Team Unite
WCL303 | How to develop a successful Desktop Strategy (Thin, Thick, VDI... ) Tech Talk Interview with Eric Chang
WCL304 | How to secure and manage Consumerisation of IT Tech Talk Interview with Team OneBuzz
WPH204 | Windows Phone First Up / All Up Tech Talk Interview with Michael Niehaus
WPH305 | Peeking at the Source of a Successful Windows Phone App Tech Talk Interview with Regan Murphy
WSV302 | Get Out of Dodge: Migrating to Windows Server 2008 R2 x64 Tech Talk Interview with Dr Nitin Paranjape
WSV402 | Network Access Protection (NAP) in the Real World Tech Talk Interview with Miha Kraljis
WUX207 | Releasing Trade Me's Latest Project Tech Talk Interview with Thomas Lewis
WUX208 | Responsive Design - The View of the World Depends on the Glasses I Wear

Sunday, August 28, 2011

DEV403 Dynamic and Metaprogramming in .NET 4

Presenter: Ivan Towlson
Apologies that this post is fairly nonsensical. I've put my raw NZ TechEd 2011 notes up here for my reference. I'd like to think that I'll refine them over time, but that probably won't be the case.
TechEd Online

What C# dynamic keyword does

dynamic keyword - "I know better than the compiler" - deferred look up until run time.

Old COM libraries - like Microsoft Office 2010.

No intellisense.

MVC ViewBag is of type dynamic. DynamicViewDataDictionary

Inherit from dynamic object. 

DynamicObject.TryInvokeMember

DynamicProgramming - "It's all just string diddling. Diddling is a technical term." 
"Really it is a fancy way of passing strings into a method."

named arguments

Runtime Code Generation

Activator.CreateInstance(type); // Very slow as it uses reflection

Expression.Compile() turns an abstract tree into executable code.

Turn reflection based code into compiled expression trees to improve performance.

Create a class that implements an interface at runtime. Interact with it at runtime.
DynamicAssembly

AssemblyBuilder

"I'm not encouraging you to write code you don't understand. That's what the Entity Framework Generator is for"

DynamicMetaObject


C# Expression Trees

Dynamic operator using Dynamic Language Runtime

DEV303 Making Asynchronous Programming Easy

Jeremy Boyd
Synchronous -> Wait for result before returning

Asynchronous ->Return now, but call back with result

Async benefits

 UI responsive: Frees UI thread for interaction
 Server scalability: Thread can be reused for other requests

Connected Systems - Increasing latency due to service calls
Use Async only frameworks -JavaScript and Silverlight

Rise of Async only environments
 Node.js - Promotes a totally async environment
 What is Node.js?

Next version of C# will have features specifically for asynchronous coding.
IAsyncResult Pattern (APM)

.NET 2
Event Based Async Pattern (EAP)
 Method name ends in Async

New Extensions
 Task based Async Pattern (TAP)
 New keywords async and await
 Already available in .NET 4. - Task Parallel Library

Goals:
 Compile time code generation into async patterns
 Supports cancellations
 Easy concurrency management

await keyword
 - used in front of an async call.

async keyword
 - indicates to the compiler that this body of code will run async.

Task - represents the body of work being done.
 Task
 CancellationToken
 taskMethodNameAsync

Compiler is transforming code into the Task Asynchronous Pattern
Task performs initial setup and then installs a callback at await.

.MoveNext()

So it's like an async within an async...

Handling Progress

Progress

Handling Cancellation

CancellationTokenSource

Support will go through the framework and to WPF, Silverlight, etc...

Only available in full .NET framework at this time.
 Planned to be supplied in `asynchronous work.

Parallel LINQ (PLINQ)

.AsParallel() extension
Utilizes parallel hardware for LINQ queries
 Partitions and merges data intelligently
 Supports all .NET Standard Query Operators
 Works for any IEnumerable
 
 Built on top of the Task Parallel Library.

.AsOrdered()

Try using .AsParallel() when working with LINQ over in memory objects.

TIP: Async CTP requires a clean install of VS2010 SP1 to install into.

WUX205 Kick starting your web development with ASP.NET 4.0

John-Daniel Trask
jd@mindscape.com

MVC 3 with Razor Views

Gaining momentum

Large enhancements still landing
 Razor templating view engine
 DI enhancements
 jQuery validation improvements

Web Forms 4.0

Nicer control identifiers
Tidier web.config
Routing framework can be used - tidier URLs

ClientIDMode
 - Auto .NET 3.5 behaviour
 - Inherit
 - Predictable - Structure based
 - Static - exactly as entered.

IIS Express 7.5

Far more capable than the existing built in server.

+ Support for SSL (even has self signed cert!)
  Support URL Rewriting rules
  Support custom security settings
  Support for web.config configuration
  Non administrative possible

Almost everything IIS 7 has!

Can be installed by the web platform installer.

NuGet

Web Platform Installer

All in one app for installing MS tools/components.
Popular open source projects and components

WCF RIA Services Toolkit

Where to find things
- Nuget
 Strictly code stuff, DLLs
- Web Platform Installers
 Whole products.
- Visual Studio Extension Manager
  VS specific

Web Matrix

Basic IDE for ASP.NET

"Visual Studio Access Edition"

Introduction to development. Simplified component model. 
Can install side-by-side
Integrates database, Razor, Web Pages (Kind of like ASP classic) and deployment.

DEV308 Visual Studio LightSwitch - Beyond the Basics

Andrew Coates
Slides blogs.msdn.com/acoat @coatsy

Makes forms over data easier. For the desktop and the cloud.
The simplest way to create business applications for the desktop and the cloud. Technically adept user.

Uses best practices behind the scenes.

Submit Pipeline - places to hook in for extensibility.
Access Control hooks

VS Pro
Custom WCF Services
SilverLight Controls

MVVM Pattern for GUI


DataWorkspace is the in memory graph of all data at the moment.

Bing Map Control - need a Bing API key

Off topic

"Use VB Inheritance - Ctrl+C, Ctrl+V" "When you fill a gap you need to overlap on each side. Otherwise you've made two gaps"

DEV312 Getting the most from Visual Studio using Managed Extensibility Framework

Owen Evans
Managed Extensibility Framework
 Standards for exposing yourself
 Open/Closed Principle
 It's all so Meta

Part
 Anything that can be imported or exported from a project

ComposablePart
 The basic part of MEF

CompositionContainer
 IOC concept
 Ask for an instance of a class

A framework for creating extensible applications
Puts focus on discovery of parts at run time

MEF is NOT IoC
IOC is about knowing what dependencies satisfy given classes and allowing the class to hand this requirement off.

Visual Studio 2010 editor extensibility is built through MEF.

Install the Visual Studio SDK

VSIX Extension - How it gets packaged up for install

Tips

TIP -  
> File.CloseAllButThis
> File.CopyFullPaths
> Tools.GoToCommandLine

TIP - Ctrl+Shift+A - Add Dialog

TIP - Ctrl+, (comma) Navigate To - search by string for methods and classes

TIP - Ctrl+\, D - View CodeDefinitionWindow

TIP - Intellisense will match on CamelCase. E.g. CC

TIP - Insert TracePoint

Off Topic Portal ringtone "Hello, is anyone there"

DEV306 The WCF Web Community - REST, jQuery and WebSockets

Jeremy Boyd
CodePlex
 WebAPI
 jQuery for RIA Services
 Express Interop Libraries

HTML5 Labs
 Efforts around WebSockets

Web APIs

E.g. hooking into the twitter API

Be RESTful
 Clear identification of resources using URIs
 Allow for manipulation of those resources through HTTP

Using the WCF Web API

PM> Install-Package WebApi.All

Declaring a Service
 Specify [ServiceContract]
 [WebGet]
 [WebInvoke(Method="PUT", UriTemplate="")]

fiddler

OData support
public IQueryable GetSomeTs();
More useful in .NET to .NET scenarios

Formatters to return, for example, images.

jQuery

Rise of "single page" Web applications - E.g. gmail

jQuery allows you to:
 Load data on demand using XHR or WebSockets
 Bind that data to the view
 Wire up new events dynamically (e.g. .live())

RIA Services - OData endpoint that can be queried over LINQ.

PM> Install-Package RIAServices.Toolkit.All
(or download samples)
.dataSource()

Sockets on the Web

Currently a request for a resource on the web carries the request and response headers. Heavy tax when doing lots of small "chatty" messages.
High frequency, low latency messaging. Want something more like a TCP socket.
Polling for data can get lots of header tax.

Client Side
WebSocket
ws://server:port
wss://server:port

Server Side
WebSocketHost WebSocketService

E.g. Instant TradeMe updates!
Server messages back to the client - remote control options

http://html5labs.interoperabilitybridges.com/

DEV204 Tools I use to improve my development

John-Daniel Trask

Resharper

Adds interim language support until Visual Studio catches up.
Settings can be shared across teams of developers.

Alternatives:
Productivity Power Tools
VC Commands 2010
Devexpress Code Rush
Telerik Just Code

VS 2010 Extension Manager

Mindscape Web Workbench

Add Sass, Less & CoffeeScript support to VS2010

"See old friend, I brought better code than you did"

Web Standards Update for VS2010

Adds support for HTML5 & CSS 3 to VS 2010 SP1
 HTML 5
 Browser API (GeoLocation, Local Storage)
 CSS3

Nuget

Manage common packages and dependencies for your projects

Right click on references and manage nuget packages. Can update installed packages.

"We've built a deal a day website because they are very rare and hard to come by."

Team City

Continuous Integration Server

Chrome Developer Tools

Firebug
IE Dev Tools

Chrome - developed by the chrome team. Updated every week.

"Pretty Print" to reformat compressed javascript.
$0 - currently selected dom item

DEV401 Advanced .NET Debugging

Orion Edwards

WinDBG with the SOS Extension from the .NET framework team can make debugging specific classes of bugs much easier. Such as:

  • Memory Leaks
  • Deadlocks
  • Race conditions
  • Dumps from production applications (where it isn't otherwise possible to attach a debugger)

WinDBG is part of Debugging Tools for Windows. Install from the Windows SDK - Select the Re-distributable Packages "Debugging Tools"
It's a native "Bare metal" debugger for Windows. After one person has installed it others can get it: C:\Program Files\Microsoft SDKs\Windows\v7.1\Redist\Debugging Tools for Windows

WinDBG + SOS

SOS Extension from the .NET framework team.
Attach To Process
.loadby sos clr
!help
!dumpheap -stat			: show summary of all objects
!dumpheap -type Person		: show objects matching type
!dumpobj 025.. ()		: show an individual object
!do XXXX
.cls				: clear screen
!dumparray			: see array elements
!da
!threads			: .NET threads
~				: all threads
~0s				: switch to thread
!clrstack			: See .NET view of the call stack
!eestack -EE			: call stack for all threads
!pe or !printexception		: print exception

Object
 Object Header (4 bytes)
 MethodTable Pointer
 Field Data

MethodTable
 EEClass Pointer
 Method Definitions

EEClass
 Parent Class Pointer
 Field Definitions

MethodDesc
 MSIL / x86

Tracking memory leak

Tracking down managed memory leaks (how to find a GC leak)
!heapstat			: where is the memory all going
!dumpheap -stat			: find large/numerous objects
!dumpheap -mt XYZ		: print objects of that type
!do mt
!gcroot  			: view garbage collector path to X

Deadlock

!syncblk			: who is holding what locks
!ip2md and !dumpil 		: decompile
MethodHeld 1 means it exists but isn't locked

Memory Dump

Write the memory of a process to a file (Need a full dump - all memory in a process to capture heap).

procdump.exe -ma deadlock.exe	: Sysinternals
ADPlus
Task Manager (need !wow64exts.sw if created by 64 bit task manager)
.dump /ma
file > open crash dump
MiniDumpWriteDump p/invoke function for dbghelp.dll

Race conditions

AppDomain.CurrentDomain.UnhandledException

Tips

Dumps are useful for crashes
Use MiniDumpWriteDump to capture dumps
MS Recommend you create dumps from an external process. A small utility is well worth it
Control with a registry or config entry - dumps are large! (250 - 300 mb)
Can capture dumps from testers
CPU thrashing - take several dumps in quick succession
!dumpheap -stat is surprisingly nice for helping to reduce memory consumption
lm -v		: for troubleshooting "wrong dll" bugs

"SOS commands msdn"
"msdn bugslayer SOS"
Tess Ferrandez

SIM305 - The Attackers are Coming!

Kirk Jackson, Andy Prow
TechEd Online
OWASP Top 10
Open Web Application Security Project

SQL Injection

Allowing untrusted user input to reach the database.
In the statement rather than the parameters

Look for:
exec
sp_executesql

Parametrise queries with SqlParameters

Use sp_executesql with parameters @ParamName
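
A review aid for the "look for exec / sp_executesql" advice above, added here as an example and not code from the talk or the original notes. It is a heuristic that assumes semicolon-terminated T-SQL and flags statement text built with '+' from variables and then executed; the procedure in SAMPLE_PROC is constructed.

```python
import re
from typing import List, NamedTuple, Set


class Finding(NamedTuple):
    line: int        # 1-based line where the statement starts
    rule: str
    statement: str   # statement text with string literals masked as 'S'


# Comments are dropped and string literals masked first, so keywords or
# semicolons inside them cannot confuse the checks below.
_MASK = re.compile(r"--[^\n]*|N?'(?:[^']|'')*'", re.I)
_ASSIGN = re.compile(r"\b(?:SET|SELECT|DECLARE)\s+(@\w+)[^=]*?(\+?=)(.+)$", re.I | re.S)
_EXEC_STRING = re.compile(r"\bEXEC(?:UTE)?\s*\((.+)\)", re.I | re.S)
_SP_EXECUTESQL = re.compile(r"\bsp_executesql\s+(@\w+)", re.I)
_QUOTENAME = re.compile(r"\bQUOTENAME\s*\(\s*@\w+\s*\)", re.I)
_VAR = re.compile(r"@\w+")


def _mask(match):
    token = match.group(0)
    if token.startswith("--"):
        return ""
    return "'S'" + "\n" * token.count("\n")   # keep line numbers stable


def _variables(expr: str) -> Set[str]:
    # Identifiers wrapped in QUOTENAME() are treated as handled.
    return {v.lower() for v in _VAR.findall(_QUOTENAME.sub("", expr))}


def find_dynamic_sql(tsql: str) -> List[Finding]:
    masked = _MASK.sub(_mask, tsql)
    tainted: Set[str] = set()      # variables holding concatenated SQL text
    findings: List[Finding] = []
    for m in re.finditer(r"[^;]+", masked):
        stmt = m.group(0)
        if not stmt.strip():
            continue
        start = m.start() + len(stmt) - len(stmt.lstrip())
        line = masked.count("\n", 0, start) + 1
        shown = " ".join(stmt.split())

        assign = _ASSIGN.search(stmt)
        if assign:
            target, op, expr = assign.group(1).lower(), assign.group(2), assign.group(3)
            used = _variables(expr)
            if (op == "+=" or "+" in expr) and used - {target}:
                tainted.add(target)
            elif target not in used:
                tainted.discard(target)   # reassigned from a constant
            continue

        exec_string = _EXEC_STRING.search(stmt)
        if exec_string:
            inner = exec_string.group(1)
            used = _variables(inner)
            if used & tainted or ("+" in inner and used):
                findings.append(Finding(line, "exec-concatenation", shown))
            continue

        sp = _SP_EXECUTESQL.search(stmt)
        if sp and sp.group(1).lower() in tainted:
            findings.append(Finding(line, "sp_executesql-concatenation", shown))
    return findings


# Constructed sample: two concatenated statements, one parameterised one.
SAMPLE_PROC = """\
CREATE PROCEDURE dbo.FindUser @name nvarchar(50), @sortColumn sysname AS
BEGIN
    DECLARE @sql nvarchar(max);
    -- Statement text built from caller input, then executed
    SET @sql = N'SELECT * FROM Users WHERE Name = ''' + @name + N'''';
    EXEC sp_executesql @sql;
    EXEC('SELECT * FROM Users WHERE Name = ''' + @name + '''');
    -- Value passed as a parameter, identifier wrapped in QUOTENAME
    DECLARE @safe nvarchar(max);
    SET @safe = N'SELECT * FROM Users WHERE Name = @name ORDER BY ' + QUOTENAME(@sortColumn);
    EXEC sp_executesql @safe, N'@name nvarchar(50)', @name = @name;
END
"""

if __name__ == "__main__":
    for f in find_dynamic_sql(SAMPLE_PROC):
        print(f"line {f.line}: {f.rule}: {f.statement}")
```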

Cross Site Scripting

Allow untrusted user input to reach the web page

Defence in depth
 Block data on the way in to your server
 And escape on the way out to your page

AntiXss.HtmlEncode();

HTML Context
JavaScript context
URL context
HTML attribute context

Encoding must be done close to the view.

ASP.NET
Use HttpUtility or AntiXSS Html and Attribute Encode
Consider the Security Runtime Engine - Safety Net

MVC
 Use Razor views @value
 Encode using <%: value %> in webforms rather than <%=

Sharepoint
 SPHttpUtility

Auth & Session Management

Don't roll your own
  ASP.NET SessionID and FormsAuth cookies are pretty good
Enforce logout on the server-side **** Expire session on the server rather than just remove the client cookie.
Set 'httponly' and 'secure' flags on cookies ****
  
SharePoint SPHttpUtility
Prevent user name and password brute-force - temporarily suspend account after 5 failed attempts
Logging and alerts to system admins - look at logging messages.

Insecure Direct Object References

Users can only access some content:
  http://example.com/docs.aspx?docid=7

Defend:
ASP.NET
 location/authorization tags in web.config
 User.IsInRole("Admin")

Cross Site Request Forgery

Attacker's data is posted by the user

Use a CSRF token - info the attacker doesn't know. Hidden form field so that they can't assemble the same post data.

Defend:
ASP.NET
 ViewStateUserKey set in the OnInit in the base page. Used in addition to the MAC Key to hash the ViewState.
MVC
 HtmlHelper.AntiForgeryToken to every form
 [ValidateAntiForgeryToken] attribute on each action method
Sharepoint
 Use the FormDigest field on every request
 Call ValidateFormDigest to check it is set correctly

Security Misconfiguration

 Windows Update
 Keep everything up to date
 Close un-used ports, uninstall / disable unused software
 Run Best Practice Analyser
 Encrypt sensitive info in your web config

aspnet_regiis -pef

Failure to Restrict URL access

Put the admin site within the private network.

Transport Layer Protection

Use SSL / TLS for:
 Login, password change, signup
 Credit Card

Don't include HTTP resources in HTTPS pages
Turn off SSLv2, weak ciphers (system admin)

Unvalidated redirects

Ensure that any Redirects or Transfers only go to white-listed domains
Check RedirectUrl handling on login pages doesn't allow other URLs
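
One way to implement the allow-list check for a post-login redirect, added here as an example and not code from the talk or the original notes. The function name, the host list and the choice to accept only local paths and https targets are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list; a real site would list its own hosts.
ALLOWED_HOSTS = frozenset({"example.com", "www.example.com"})


def safe_redirect_target(return_url, allowed_hosts=ALLOWED_HOSTS, default="/"):
    """Return return_url if it is a local path or an allow-listed https URL,
    otherwise fall back to default."""
    if not return_url:
        return default

    # Browsers drop control characters and treat '\' like '/', so a URL that
    # contains them can be read differently by the browser than by this parser.
    # Rejecting whitespace as well is deliberately conservative.
    if "\\" in return_url or any(
        ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in return_url
    ):
        return default

    try:
        parts = urlsplit(return_url)
    except ValueError:          # e.g. malformed IPv6 literal
        return default

    if not parts.scheme and not parts.netloc:
        # Local path: must be rooted, and must not start with '//' because
        # browsers read '//host' and '///host' as scheme-relative URLs.
        if return_url.startswith("/") and not return_url.startswith("//"):
            return return_url
        return default

    # Absolute URL: compare the parsed host, never a substring of the URL.
    # 'https://example.com@other.test/' parses to host 'other.test'.
    if parts.scheme.lower() == "https" and parts.hostname in allowed_hosts:
        return return_url
    return default


if __name__ == "__main__":
    for candidate in [
        "/account/orders?page=2",
        "https://www.example.com/welcome",
        "//other.test/login",
        "https://example.com@other.test/",
        "https://example.com.other.test/",
        "javascript:alert(1)",
    ]:
        print(f"{candidate!r:45} -> {safe_redirect_target(candidate)!r}")
```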

File Uploads

Send the following HTTP headers
 Content-Disposition: Attachment
 X-Download-Options: noopen
 X-Content-Type-Options: nosniff
 Content-Type: [mime-type]
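
A check that a response serving user-uploaded content carries the four headers listed above, and that any cookie it sets has the 'httponly' and 'secure' flags from the Auth & Session Management notes. This is an added example, not code from the talk or the original notes; the function name and both sample responses are constructed.

```python
from typing import Dict, Iterable, List, Tuple

# Header name -> expected value, taken from the list in the notes.
REQUIRED = {
    "content-disposition": "attachment",
    "x-download-options": "noopen",
    "x-content-type-options": "nosniff",
}


def audit_upload_response(headers: Iterable[Tuple[str, str]]) -> List[str]:
    """Return a list of problems found in the response headers (empty = OK).

    Headers are (name, value) pairs because Set-Cookie can repeat.
    """
    seen: Dict[str, List[str]] = {}
    cookies: List[str] = []
    for name, value in headers:
        key = name.strip().lower()           # header names are case-insensitive
        if key == "set-cookie":
            cookies.append(value)
        else:
            seen.setdefault(key, []).append(value.strip())

    issues: List[str] = []
    for key, expected in REQUIRED.items():
        values = seen.get(key)
        if not values:
            issues.append(f"missing {key}")
        # Compare only the part before ';' so 'attachment; filename=...' passes.
        elif any(v.split(";", 1)[0].strip().lower() != expected for v in values):
            issues.append(f"{key} is not '{expected}'")

    content_type = seen.get("content-type", [""])[0].split(";", 1)[0].strip()
    if not content_type:
        issues.append("missing content-type")

    for cookie in cookies:
        cookie_name = cookie.split("=", 1)[0].strip()
        attributes = {
            part.split("=", 1)[0].strip().lower() for part in cookie.split(";")[1:]
        }
        for flag in ("httponly", "secure"):
            if flag not in attributes:
                issues.append(f"cookie {cookie_name} lacks {flag}")
    return issues


# Constructed sample responses.
GOOD_RESPONSE = [
    ("Content-Type", "image/png"),
    ("Content-Disposition", 'attachment; filename="avatar.png"'),
    ("X-Download-Options", "noopen"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly"),
]
BAD_RESPONSE = [
    ("Content-Disposition", 'inline; filename="notes.html"'),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "sid=abc123; Path=/; HttpOnly"),
]

if __name__ == "__main__":
    print("good:", audit_upload_response(GOOD_RESPONSE))
    print("bad: ", audit_upload_response(BAD_RESPONSE))
```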

Trends

Set Content-Security-Policy

Server headers
 Strict-Transport-Security
 X-Frame-Options

DEV309 - Visual Studio vNext Directions

Anthony Borton @anthonyborton
What's New in ASP.NET 4.5 and Visual Web Developer 11 Developer Preview
TFS in the cloud

Collaboration
Actionable feedback - Enough information to fix the bug straight away. Stakeholder
Respect your work styles - plug and play setup.
Transparent agile processes - See what people are doing.

Actionable Incident
- Eliminating "no-repro" bugs was a cornerstone of Visual Studio 2010
- IntelliTrace Diagnostic Data Adapter

IntelliTrace in production using powershell commands - start for an application pool
Requires Visual Studio Ultimate

Prototyping the User Interface

Business Stakeholders aren't very good at describing how they want the interface to look until after the screens have been built.

Storyboard assistant tool
Plug in for powerpoint

Managing the Backlog

See the backlog of tasks. Use the TFS portal to reprioritise tasks for the current iteration.

Sprint Planning

Dealing with sick/annual leave.

Capacity by person view

Personalised Productivity

Context Switching is expensive for developers.

Code reviews are critical to delivering high quality software.

Duplication in code is a form of technical debt.
Copy and paste - the Google coder.

My Work - at a glance all the work assigned in TFS and in progress.

Suspend work - shelve work to TFS and restore windows and breakpoint to how they were. Help with context switching.

Unit test explorer - And plugin unit testing framework of choice. Faster access to test cases and failures.

Rich code review experience. - Request Review - assign to one or more people.
Inline diff viewer
Inline Review comments from reviewer.

Code clone - searches for blocks of code that may be similar. Identify areas to refactor. Can select block of text and search for exact and similar matches.

Stakeholder feedback

"Questionable requirement clarity"

Feedback from stakeholders outside of emails. Feedback client to be used by customers.

Capture comments and screenshots during review.

Operational Support

System Centre Operations Manager

DEV311 A Practical Developer's Introduction to F#

Ivan Towlson
TechEd Online Ivan's website - TechEd NZ 2011 demos and videos

What is F#?

A strongly typed functional programming language for .NET.
Can use existing .NET libraries.

F# outputs .NET assemblies so can be called from C# or VB.NET

Functional language.
Organised by functions rather than classes and objects.

Use cases
 Scientific and numerical computing
 Finance
 Insurance
 Parsers / DSLs
 General purpose

F# 2 is included in Visual Studio 2010
Runs on all major .NET platforms

Variable types are inferred

All functions have a value and will return a value.

Indentation is significant. Indent implies structure (no braces)

Can't leave out else clause from if expression as it should return a value.

BigInteger can handle really large numbers

Can add new infix operators

F# lists are more like linked lists and are immutable.

New lists can share allocated resources with existing lists as they are immutable.

Pipeline operator |> makes chaining operators easier to read. Kind of similar to extension methods in C#

Shorthand lambda syntax. Can leave the full lambda syntax out.

Function composition operator 
(not << divisibleBy 2)

type State = { }

Units of measure can provide compile time checking 

async and let! (yield the thread until the async result is returned)

Considerations:
  Smaller programmer pool - Project managers won't like it.
  Learning curve
  Tooling - language interop is your friend

  Saves work - F# works harder so you don't have to
  Expressive power - e.g. pattern matching, options, infix
  Immutability by default
  Async workflows and agents

blogs.msdn.com/b/fsharpteam
Friendly F#

tryfsharp.org
fssnip.net - F# snippets
hubfs.net

SIM201 Hack-Ed - The Attackers are coming!

Kirk Jackson & Andy Prow
TechEd Online

1st Phase is discovery

Cross Site Scripting (XSS)

Javascript rendered back to another client. E.g. Embedding the <script> tag in a comment box.

Weaponized XSS Attack - allows for interaction with the client's browser by the third party.

Reflected XSS

XSS Forgery

Using twitter feeds for XSS attacks.

Paros - local proxy
Burp proxy

Very important to check that the credit card authorized amount was the expected amount.

SQL injection attack

SQLMAP - python script

exec xp_cmdshell'dir c:\'--

www.owasp.org 20 September 2011
www.kiwicon.org 5&6 November 2011
www.ruxcon.org.au 19 & 20 November 2011

WUX101 HTML 5 Hands On

Owen Evans
Content + Consumption Device

Why not do the best presentation we can get:
Scared? Boss said not to.

Works everywhere.

Defensible Space (mobile apps, tools for devs) - known users

Lack of support is OK

What is a PolyFill?

Try not to use UA sniffing, instead feature detect: Modernizr does that

Dependable Features

contenteditable


39 box shadows, no good reason
CSS drop-shadows without images
text-align: centaur

input autofocus & placeholder

css3 Pattern Gradient
CSS3 Please
Gradient scanner

Isotope
chop slider

Experimental Features

progress bars
web workers to offload logic

history.pushstate
file api (information about a file that someone is trying to send you). - DropMocks

<input type="file" accept="image/*" multiple>
<input speech>

Edge features

CSS Mixins (SASS, Less)
regions - column 1, 2, and 3. Just flow the content between them.

Polyfill - A way to support HTML 5 features in older browsers using JavaScript shims.
HTML5 Cross Browser Polyfills

Everything added to the page slows it down.

caniuse.com
jsperf & browserscope
chromestatus.com
HTML5 Rocks
Mozilla MDN

DEV301 Going Mobile: Any System to any Mobile Device

Lessons from the front line:
- Only architects like the boring bits
- Developers always want to write their own...

Architecture:
Auth
Access Control
Queuing

Native Apps vs HTML5
- Native Apps provide the best brand experience
  They look better

Using HTML5 and JavaScript is becoming a viable option (Appcelerator and PhoneGap)

JavaScript
- Use libraries
- Use Tools - e.g. WebStorm from JetBrains.
- Douglas Crockford's pattern. ****

REST/SOAP

SOAP
- focus on verbs
- Client side proxies
- Hide the transport layer

REST
- Roy Fielding - The web works, so use it.
- Focus on the nouns - expose resources identified by URIs
- Clients talk to resources on the server by sending and receiving documents
- Use the transport layer explicitly (GET, POST, PUT, DELETE)
- Data returned from the server is full of hyperlinks.

REST works really well for mobile applications
- no need to generate client proxy objects
- Clients are very tolerant of server changes if you use REST.
- JSON and REST work really well together, and JSON works well on mobile devices.
- Everything seems to work out simpler with REST

Recommendations
- No URI construction on the client; follow the hyperlinks instead. Dependency on the namespace
- DO NOT define new verbs; use GET, PUT, POST, DELETE
- If you think you need a new verb, e.g. 'Login', or 'FindCustomers', see the previous rule. Instead ask "What is the noun?"
- Start from a document with a big list of hyperlinks - 'root document'
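
The recommendations above, as an added Python sketch (not code from the session or from this post): the client hard-codes only the root document and reaches everything else by following named links. The in-memory `make_server`, the URIs and the `customers`/`orders` link names are constructed for illustration.

```python
import json

ROOT_URI = "/api"  # assumption: the one bookmarked entry point ('root document')


def make_server(customers_uri):
    """Constructed stand-in for an HTTP server: maps URI -> JSON document."""
    return {
        ROOT_URI: json.dumps({"links": {"customers": customers_uri}}),
        customers_uri: json.dumps({"items": [
            {"name": "Acme", "links": {"orders": customers_uri + "/1/orders"}},
        ]}),
        customers_uri + "/1/orders": json.dumps({"items": [{"id": 7, "total": 12.5}]}),
    }


def get(server, uri):
    """GET a resource. The URI always comes out of a document, never string building."""
    if uri not in server:
        raise LookupError("404 " + uri)
    return json.loads(server[uri])


def follow(server, doc, rel):
    """Follow the hyperlink named `rel` that the server placed in `doc`."""
    links = doc.get("links", {})
    if rel not in links:
        raise LookupError("no '%s' link in document" % rel)
    return get(server, links[rel])


def orders_for(server, customer_name):
    """Root document -> customers -> matching customer -> orders, by links only."""
    customers = follow(server, get(server, ROOT_URI), "customers")
    for item in customers["items"]:
        if item["name"] == customer_name:
            return follow(server, item, "orders")["items"]
    return []


if __name__ == "__main__":
    # The server renames its URI space; the link-following client is unaffected.
    for layout in ("/api/customers", "/api/v2/clients"):
        print(layout, orders_for(make_server(layout), "Acme"))
```

A client that had built `/api/customers/1/orders` itself would get a 404 from the second layout, which is the "dependency on the namespace" the first recommendation warns about.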

WCF and REST
- IIS and WCF
WCF REST Contrib library
.NET 4 WCF WebHttp Services
"Introducing WCF WebHttp Services in .NET 4"

DEV302 Lesser Known Design Patterns

Bevan Arps

Null object pattern

Ceremony of checking if something is null before using it.

if(_logger != null) { _logger.Debug(""); }

Create a stand in that performs no operations.

* Simplifies the code
* Localise default behaviour 
* Allows API improvements IDisposable Activity ****

Considerations
* Reliance on interface
* Who creates the null object?
* Parameter evaluation cost - was the string.format called to create a parameter?

Command

Method Objects

Alternative to adding additional methods to interface.

Open for extension, closed for modification
Adding a new capability to the system should not require major alterations to the existing system.

Effects
* New function - new object
* Localizes code for a new function
* Extension

Considerations
* Increases the number of classes
* Likelihood of change - another layer of abstraction is high overhead if it is unlikely to change or be extended.

Object Emancipation

Respecting Object Autonomy

var person = Person.FindByName("Stephen");
person.Name = "Richard";
person.Save();

Objects are more than just buckets of information.
Give your objects responsibility for managing their State.

person.Rename("Richard");

Effects
* Read/only properties
* Mutator methods - all changes are made via methods
* Validation

Considerations
* Applicability - domain modelling
* Reusability - Method will always do the right thing
* ORMs and other tools - Tools expect objects to be done in a certain way. Expectations of setters on properties.

Why not put the validation in the property? May make more sense if the property can be changed in isolation.

Proposal

Complex Domain Factories

Typical system can only capture valid data.

"Domain objects that require a process to create" - Wrap the process up as a Domain object.

Effects
* Natural Validation Point
* Reduced Complexity
* Increased Flexibility
* Error Tolerance - Could be saved in invalid state before progressing.

Considerations
* Process Complexity
* Process Duration
Useful pattern if either of these is high.

State Pattern

Complex Domain Behaviour

Partially change the type of the object by swapping out behaviour based on state.

Effects
* Switching removed
* Grouped behaviour

Considerations
* # Classes
* Encapsulation - nested classes
* Complexity of behaviour - not so useful if behaviour doesn't change much. Good for radical change

WUX206 - Pimp My App - 3 screens and a challenge

Shane Morris
Designing interfaces for:
  • Phone
  • Tablet
  • PC
  • Television (10 foot)
  • Non-screens - Call centre, Shop
Brand is more and more being defined by websites and application integration. E.g. Online banking.

Problems

Different:
  • Screen sizes
  • standards and conventions
  • interaction techniques
  • abilities
  • even different fonts (browsers)
Less Obvious - Different contexts and objectives
The experience needs to match the context
HTML
  • Which browser alters CSS and JavaScript.
  • CSS3 Media Queries - interrogate the browser for info such as screen size.
XAML
  • Smart Layout
  • Setting MinWidth
  • WrapPanel
  • Swapping styles and templates
There is more to targeting different platforms than "rearranging the deck chairs"
Reverse working order:
  • Visual Design - How to use it, where you are
  • Interaction Design
  • Information Design
  • Conceptual Design

Conceptual Design

What is the right experience for the platform.
What are they doing, where are they? How are they constrained?

Are they on the bus, the couch, an office chair?
Is the phone going to ring at any time that may require the user to leave at any moment?
Posture - wandering around (phone), hunched over (tablet), leaning forward, leaning back (couch)

Rearrange features or curate them differently (which service to offer)

The App/Browser divide
Signal what is an optimized experience and what is a "well, if you must" experience. Transition between app and website.

Phone more passive
Tablet more interactive
PC more interactive

Is it sustainable to have different products for different platforms or is it better to have a single scalable web solution?

Tablets

"We don't quite know what they're for yet."
Snacking/Foraging/Consuming/Creation device?
Have attributes of a great input device.
Lightweight, instant on, low maintenance, more affordable, easier to use.

Information Design

Phones give a very small window on the world. (Toilet roll holder)

Less space for navigation controls and context.
Web - Unsure how the user arrived at the page so requires more context, navigation, legal terms...
A Mobile device will usually have a defined path to a page.

Browsers - Don't know what they are looking for (Phone designed mostly for browsing)
Searchers - Looking for a particular thing - Tasks to achieve.
Collectors - Will go through the site from end to end

Tasks that:
- Can be interrupted
- are obviously short

Interaction design

Gestures - Discoverable, Standard
www.lukew.com/touch (Touch Gesture Reference Guide)
Emphasis on direct Manipulation
Designing for touch/gesture is more about "Context over chrome"
Design for the small or touch screen first (Lowest Common Denominator) and then enhance it up to other platforms.

Should the content or the navigation come first?
Mobile - Content first, Navigation last. Larger screen can have navigation first to give context (Orientation)

Visual Design

Platform standards (Native or HTML)
When designing for mobile consider contrast as they may be using it outside under bright light.

Tuesday, August 16, 2011

Salesforce Outbound messages not being sent

I ran into an issue with Salesforce whereby Outbound Messages weren't being sent as the result of a Workflow rule.

I confirmed that the Workflow rule was being triggered correctly by adding an Email Alert to the workflow actions. (Thanks Manu)

The debug logs indicated the outbound rule was being triggered.

03:03:34.066 (66407000)|CODE_UNIT_STARTED|[EXTERNAL]|Workflow:01I50000000HxXS
03:03:34.088 (88062000)|WF_RULE_EVAL_BEGIN|Assignment
03:03:34.088 (88127000)|WF_RULE_EVAL_BEGIN|Response
03:03:34.088 (88153000)|WF_RULE_EVAL_BEGIN|Workflow
03:03:34.088 (88207000)|WF_CRITERIA_BEGIN|[XJob: a0gQ0000001UvXy a09P0000000yVcR]|X Job Configure on Insert|01Q50000000Mcd3|ON_CREATE_OR_TRIGGERING_UPDATE
03:03:34.092 (92958000)|WF_RULE_FILTER|[XJob : Notes contains run]
03:03:34.093 (93021000)|WF_RULE_EVAL_VALUE|null
03:03:34.093 (93062000)|WF_CRITERIA_END|false
03:03:34.093 (93117000)|WF_CRITERIA_BEGIN|[XJob: a0gQ0000001UvXy a09P0000000yVcR]|XJob Triggers by Page Count >0|01Q50000000Mcd8|ON_CREATE_OR_TRIGGERING_UPDATE
03:03:34.093 (93325000)|WF_RULE_FILTER|[XJob : Page Count greater than 0.0]
03:03:34.093 (93375000)|WF_RULE_EVAL_VALUE|0
03:03:34.093 (93406000)|WF_CRITERIA_END|false
03:03:34.093 (93455000)|WF_CRITERIA_BEGIN|[XJob: a0gQ0000001UvXy a09P0000000yVcR]|XJob Process XYZ|01Q50000000Mcks|ON_CREATE_OR_TRIGGERING_UPDATE
03:03:34.093 (93576000)|WF_RULE_FILTER|[XJob : Status equals Ready]
03:03:34.093 (93618000)|WF_RULE_EVAL_VALUE|2
03:03:34.093 (93640000)|WF_CRITERIA_END|true
03:03:34.095 (95547000)|WF_SPOOL_ACTION_BEGIN|Workflow
03:03:34.095 (95614000)|WF_RULE_INVOCATION|[XJob: a0gQ0000001UvXy a09P0000000yVcR]
03:03:34.095 (95641000)|WF_EMAIL_ALERT|Id=01WP0000000Cfow|CurrentRule:XJob Process XYZ (Id=01Q50000000Mcks)
03:03:34.204 (204879000)|WF_EMAIL_SENT|Template:00X30000000ltQt|Recipients:me@example.com |CcEmails:
03:03:34.204 (204966000)|WF_ACTION| Email Alert: 1; Outbound Message: 1;
03:03:34.204 (204997000)|WF_RULE_EVAL_BEGIN|Escalation
03:03:34.205 (205019000)|WF_RULE_EVAL_END
03:03:34.209 (209428000)|WF_ACTIONS_END| Email Alert: 1; Outbound Message: 1;
03:03:34.209 (209468000)|CODE_UNIT_FINISHED|Workflow:01I50000000HxXS

It turns out that the user who was triggering the Outbound Rule had a Profile where Administrative Permissions: Send Outbound Messages was unchecked. As a result the outbound message disappears without a trace (which would have been useful to see in the debug logs).

I've created an idea to see if a message can be logged when the outbound message is suppressed due to the user's profile.
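
An added example, not part of the original post: a small Python parser for the pipe-delimited workflow lines shown above. It reports which rules' criteria evaluated true and how many actions of each type were spooled; as the post found, that count shows the message was queued, not that it was sent. The embedded lines are an excerpt of the log above.

```python
import re

# Excerpt of the debug log shown in the post.
SAMPLE_LOG = """\
03:03:34.093 (93117000)|WF_CRITERIA_BEGIN|[XJob: a0gQ0000001UvXy a09P0000000yVcR]|XJob Triggers by Page Count >0|01Q50000000Mcd8|ON_CREATE_OR_TRIGGERING_UPDATE
03:03:34.093 (93325000)|WF_RULE_FILTER|[XJob : Page Count greater than 0.0]
03:03:34.093 (93406000)|WF_CRITERIA_END|false
03:03:34.093 (93455000)|WF_CRITERIA_BEGIN|[XJob: a0gQ0000001UvXy a09P0000000yVcR]|XJob Process XYZ|01Q50000000Mcks|ON_CREATE_OR_TRIGGERING_UPDATE
03:03:34.093 (93576000)|WF_RULE_FILTER|[XJob : Status equals Ready]
03:03:34.093 (93640000)|WF_CRITERIA_END|true
03:03:34.209 (209428000)|WF_ACTIONS_END| Email Alert: 1; Outbound Message: 1;
"""

ACTION_COUNT = re.compile(r"([A-Za-z ]+?):\s*(\d+);")


def summarize_workflow_log(log_text):
    """Return (fired_rules, action_counts) for one workflow execution.

    fired_rules   -- [(rule name, rule id)] whose criteria ended 'true'
    action_counts -- {action type: count} taken from the WF_ACTIONS_END line
    """
    fired, counts, current = [], {}, None
    for line in log_text.splitlines():
        parts = line.split("|")
        if len(parts) < 3:
            continue  # events with no payload, e.g. WF_RULE_EVAL_END
        event = parts[1]
        if event == "WF_CRITERIA_BEGIN" and len(parts) >= 5:
            current = (parts[3], parts[4])
        elif event == "WF_CRITERIA_END" and current is not None:
            if parts[2].strip() == "true":
                fired.append(current)
            current = None
        elif event == "WF_ACTIONS_END":
            for name, number in ACTION_COUNT.findall(parts[2]):
                counts[name.strip()] = int(number)
    return fired, counts


def queued_outbound_messages(log_text):
    """Outbound messages the workflow spooled; compare with what the endpoint received."""
    return summarize_workflow_log(log_text)[1].get("Outbound Message", 0)


if __name__ == "__main__":
    print(summarize_workflow_log(SAMPLE_LOG))
```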

Sitecore, Webforms for Marketers, OMS and Salesforce CRM integration

S4S (Sitecore 4 Salesforce) is a product I've been working on at FuseIT. It can be used with the Sitecore Webforms for Marketers (WFFM) module to import data into Salesforce entities.

The following diagram shows how to integrate Salesforce CRM, OMS, Webforms for Marketers together using S4S: (Credit to Alex de Groot who I borrowed the diagram from)

What this gives you

After installing S4S and configuring it to your Salesforce API user you can create WFFM forms that can insert data into Salesforce. These forms can have fields that are populated with data from Salesforce. So, for example, you could have a lead capture form that includes a drop down list of industries defined in Salesforce displayed in Sitecore. When the user submits the form the data is saved back to Salesforce via S4S to create a new lead.

Configuring the WFFM form in Sitecore

Using the form in Sitecore to populate the lead

Note the industry drop down list with metadata from Salesforce.

The new lead created in Salesforce

Sunday, August 14, 2011

Testing an OpenVPN Encrypted Connection

How to detect if an OpenVPN connection is currently active or if it has dropped out

One option is to call ipconfig and look for the IP address assigned by the VPN server under the "Ethernet adapter Local Area Connection 2".

To ensure that IP traffic is actually routed across the VPN, and hence encrypted, check that the VPN assigned IP Address appears as the first hop when doing a tracert.
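
The tracert check described above can be automated. This is an added Python example, not code from the original post: it parses Windows tracert output and reports whether hop 1 is the address you expect on the VPN side. The sample outputs and all addresses in them are constructed, and `expected_first_hop` is whatever address your own VPN setup puts at hop 1.

```python
import ipaddress
import re

# Constructed samples of Windows tracert output (not captured from a real host).
VIA_VPN = """Tracing route to 198.51.100.20 over a maximum of 30 hops

  1    35 ms    34 ms    36 ms  10.8.0.1
  2    41 ms    40 ms    42 ms  203.0.113.1
"""
LEAKING = """Tracing route to 198.51.100.20 over a maximum of 30 hops

  1    <1 ms    <1 ms    <1 ms  router.lan [192.168.1.1]
  2    12 ms    11 ms    12 ms  203.0.113.1
"""
FIRST_HOP_SILENT = """Tracing route to 198.51.100.20 over a maximum of 30 hops

  1     *        *        *     Request timed out.
  2    41 ms    40 ms    42 ms  203.0.113.1
"""

HOP_LINE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")
TRAILING_IP = re.compile(r"\[?(\d{1,3}(?:\.\d{1,3}){3})\]?$")


def parse_hops(tracert_output):
    """Return {hop number: IPv4Address or None} for every hop line in the output."""
    hops = {}
    for line in tracert_output.splitlines():
        match = HOP_LINE.match(line)
        if not match:
            continue  # header, blank line or "Trace complete."
        ip = TRAILING_IP.search(match.group(2))
        # A hop that timed out has no address; record it as None.
        hops[int(match.group(1))] = ipaddress.ip_address(ip.group(1)) if ip else None
    return hops


def first_hop_is_vpn(tracert_output, expected_first_hop):
    """True only if hop 1 answered and matches the expected VPN-side address."""
    first = parse_hops(tracert_output).get(1)
    return first is not None and first == ipaddress.ip_address(expected_first_hop)


if __name__ == "__main__":
    for name, text in (("via vpn", VIA_VPN), ("leaking", LEAKING),
                       ("silent", FIRST_HOP_SILENT)):
        print(name, first_hop_is_vpn(text, "10.8.0.1"))
```

A first hop that does not answer is treated as a failure, so a dropped tunnel is never reported as healthy.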


Thursday, August 11, 2011

ADO.NET Entity Framework, Dynamic Data and a large database

Out of the box Dynamic Data over the Entity-Framework doesn't have the best support for large databases.

Note: This post will be a work in progress for a bit.

Avoid the EDMX designer

The designer surface will likely be too cluttered to make sense of, so stick to editing the XML by hand.

Generate the EDMX using EdmGen.exe or EdmGen2.exe at the command line.

StoreGeneratedPatterns to Identity on Primary Key properties

Dynamic Data Field Templates

Tables that contain a large number of rows and are referenced by a foreign key can be problematic as the default Dynamic Data implementation will create a drop down list to filter search pages.

Switching to alternative controls can resolve this issue.

Model Documentation and meta data


Wednesday, August 10, 2011

Convert between base 10 and base 62 in T-SQL

These functions can be used to convert from base 10 to base 62 encoding and vice versa. They were converted from Convert Between Base 10 and Base 62 in PL/SQL by Michael.

Note: I changed the character order in @c_base62_digits to alter the order the characters were applied in.

Convert from Base 10 to Base 62 in T-SQL

SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
ALTER FUNCTION [dbo].[Base62Encode](@a_number_to_convert [decimal](36, 0))
RETURNS [char](12) WITH EXECUTE AS CALLER
AS 
BEGIN

DECLARE @v_modulo INTEGER;  
DECLARE @v_temp_int decimal(38) = @a_number_to_convert;  
DECLARE @v_temp_val VARCHAR(256) = '';  
DECLARE @v_temp_char VARCHAR(1);    

--DECLARE @c_base62_digits VARCHAR(62) = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
DECLARE @c_base62_digits VARCHAR(62) = '0123456789aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ'; 
   
 IF ( @a_number_to_convert = 0 )
 BEGIN
   SET @v_temp_val = '0';  
 END    
        
 WHILE ( @v_temp_int <> 0 )
 BEGIN
   SET @v_modulo = @v_temp_int % 62;  
   SET @v_temp_char = substring( @c_base62_digits, @v_modulo + 1, 1 );  
   SET @v_temp_val = @v_temp_char + @v_temp_val;   
   SET @v_temp_int = floor(@v_temp_int / 62);  
   
 END
    
 RETURN @v_temp_val;  

END

Convert from Base 62 to Base 10 in T-SQL

SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
ALTER FUNCTION [dbo].[Base62Decode](@a_value_to_convert [char](12))
RETURNS [decimal](36, 0) WITH EXECUTE AS CALLER
AS 
BEGIN

DECLARE @v_iterator int;  
DECLARE @v_length int;  
DECLARE @v_temp_char VARCHAR(1);  
DECLARE @v_temp_int bigint;  
DECLARE @v_return_value decimal(38) = 0;  
DECLARE @v_multiplier decimal(38) = 1;  
DECLARE @v_temp_convert_val VARCHAR(256) = @a_value_to_convert;  

--DECLARE @c_base62_digits VARCHAR(62) = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
DECLARE @c_base62_digits VARCHAR(62) = '0123456789aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ'; 
  
 
 SET @v_length = len( @v_temp_convert_val );  
 SET @v_iterator = @v_length; 
  
 WHILE ( @v_iterator > 0 )   
 BEGIN
   -- The character being converted
   SET @v_temp_char = substring( @v_temp_convert_val, @v_iterator, 1 );  
   -- The index of the character being converted
   SET @v_temp_int = charindex( @v_temp_char collate  SQL_Latin1_General_CP1_CS_AS, @c_base62_digits collate  SQL_Latin1_General_CP1_CS_AS ) - 1;  
   
   SET @v_return_value = @v_return_value + ( @v_temp_int * @v_multiplier );  
   SET @v_multiplier = @v_multiplier * 62;  
   SET @v_iterator = @v_iterator - 1;  
   
 END
  
 RETURN @v_return_value; 

END
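
For cross-checking the two functions above, here is an added Python reference using the same `@c_base62_digits` ordering and the same 12-character width. It is not a translation supplied by the author; the explicit rejection of negative numbers, of values that need more than 12 digits and of characters outside the alphabet is an addition for the example.

```python
# Alphabet copied from @c_base62_digits on the page: digits, then aA bB ... zZ.
DIGITS = "0123456789aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ"
WIDTH = 12                       # the T-SQL functions use char(12)
MAX_VALUE = 62 ** WIDTH - 1      # largest number that fits in 12 base 62 digits
INDEX = {ch: i for i, ch in enumerate(DIGITS)}  # case-sensitive lookup


def base62_encode(number):
    """Encode a non-negative integer; reject anything that cannot round-trip."""
    if isinstance(number, bool) or not isinstance(number, int) or number < 0:
        raise ValueError("expected a non-negative integer")
    if number > MAX_VALUE:
        raise ValueError("value needs more than %d base 62 digits" % WIDTH)
    encoded = ""
    while True:
        number, remainder = divmod(number, 62)
        encoded = DIGITS[remainder] + encoded
        if number == 0:
            return encoded


def base62_decode(text):
    """Decode a base 62 string; trailing spaces from char(12) padding are ignored."""
    text = text.rstrip(" ")
    if not text or len(text) > WIDTH:
        raise ValueError("expected 1 to %d base 62 digits" % WIDTH)
    value = 0
    for ch in text:
        if ch not in INDEX:
            raise ValueError("not a base 62 digit: %r" % ch)
        value = value * 62 + INDEX[ch]
    return value


if __name__ == "__main__":
    for n in (0, 10, 11, 61, 62, MAX_VALUE):
        print(n, base62_encode(n), base62_decode(base62_encode(n)))
```

Because `a` and `A` are adjacent digits with different values, any comparison of encoded strings has to be case-sensitive, which is what the explicit collation in `Base62Decode` provides.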

Thursday, August 4, 2011

Annotating EDMX with meta data from Sql Server

The EDMX files generated by EntityModelCodeGenerator and EdmGen.exe don't load metadata from SQL, such as the "MS_Description" extended property, into the Documentation. As such you get lots of classes generated with "No Metadata Documentation available." summaries.

I'm working with a database where lots of useful metadata has been loaded into the Extended Properties of tables, columns and foreign keys. Loading this data into the EDMX conceptual schema definition language (CSDL) as annotations allows it to be accessed as MetadataProperties by the EntityClassGenerator/T4 templates to apply data annotation attributes etc... to classes.

An EDMX EntityType with the Documentation set appears as:

  <EntityType Name="EntityName">
    <!-- Without this element classes are typically generated with 
         "No Metadata Documentation available." -->
    <Documentation>
      <Summary>Entity Summary</Summary>
      <LongDescription>Entity Long Description</LongDescription>
    </Documentation>
    <Key>
      <PropertyRef Name="Id" />
    </Key>
    <Property Name="Id" Type="String" Nullable="false" MaxLength="25" Unicode="false" FixedLength="true" />
    <!-- Lots of other properties -->
  </EntityType>

Annotations to appear as MetadataProperties can be added as well.

See Also: