Archives / 2004 / May
  • Thanks to Contributors of WilsonORMapper v2.2

    I want to give a very special thanks to several of my subscribers for their contributions to the just released WilsonORMapper Version 2.2:

    1) Paul Hatcher added support for embedded user-defined objects, which helps address some of the 1-1 concerns that have been
    raised -- see the demo for a working example. Paul also made some changes to the ObjectHolder, including adding a new Key property.

    2) Gerrod Thomas provided some valuable assistance in resolving several bugs with persisted children not showing up immediately, as well as helping to get auto keys to work for other data types.

    3) Oakleaf Enterprises updated their OPath expression parser, including support for IIF.

    4) Jim Daugherty and Mike Robin both sent some code that enables some additional inheritance scenarios.

    5) Mike Mayer made some changes to the ORHelper to get it to work with MySql using OleDb.

    6) David D'Amico improved his default nulls with the DefaultEmptyString in the Helper.

    By the way, even though ObjectSpaces has now been delayed even further, I suppose I can say that my WilsonORMapper has more documentation and examples than any other since many of those ObjectSpaces articles still apply to my O/R Mapper.  :)

    Thanks to everyone, Paul Wilson


  • ASP.NET: Links are often better than Postbacks

    Craig mentions a reason to avoid links, and Eron follows up by wondering postback or links -- well here's my take:

    I prefer links instead of postbacks.  First, they work for all browsers, and small devices and phones are becoming more common.  Next, the race conditions with postback/viewstate are very common and quite serious.  I can't count the number of times I've approved the wrong post on the ASP.NET forums due to this very type of issue.  If the ASP.NET forums can't get it right, do you really think your common developers can?  This is very common among any high-use ASP.NET apps, although no one ever seems to acknowledge it.  And its so easy to fix by using links, which also can allow you to avoid using response.redirect, let alone server.transfer which is terrible in the state it leaves the browser history.  Speaking of history, links also allow you to set favorites, and also allow your users to use the back button.  Hmmm, so links work in all browsers, give better consistency, allow setting of favorites, don't confuse history, and support the back button . . .   Its just amazing to me that so many people have just bought into the postback model for so much.  Yes, its great for events when you need them, but that doesn't make it a panacea for all things.  And to the original issue -- I'd hardly call that a reason to avoid links -- that's just a reason to avoid stupid links, or at least unsecured stupid link!


  • ASP.NET Security Puzzle -- Need Explanation

    I've got an ASP.NET website that has several IIS sub-applications running on it.  Some of the sub-apps have authentication=None and were always working fine.  I recently changed the root app to have authentication=Forms, with authorization denying anonymous users.  Several tests since that time have always shown the sub-apps still working, as expected since they are separate applications in IIS and ASP.NET.  Now all of a sudden, with no difference that I know of, one of these sub-apps started popping up the Windows Integrated Security dialog.  Looking in IIS showed that anonymous access was still granted on the folders and files of this app.  I also verified that the security permissions for all users were identical with this app and ones still working.  I changed the root app back to what it was, and that didn't fix anything, but I didn't expect it too anyhow.  Somewhere along the way in my checking, one of the other sub-apps also started having this behavior.  I don't know of anything I changed that could possibly have this behavior right in front of my very eyes!  I couldn't figure out any explanation, and therefore no fix, since the only way I know for this dialog to pop up is either anonymous denied in IIS or file/folder security settings.  My colleague finally took a web.config file from one of the working sub-apps and put it in one of the non-working apps -- and it worked!  The only difference we could find between the web.config files was that the non-working app did not have an authorization section.  Of course, it also had authentication=None, and anonymous users were allowed in IIS, so I don't see how this could matter.  We looked at the other non-working app's web.config and it was also missing the authorization section, so we added it -- and it worked too!  By the way, this authorization section simply says to allow authenticated users -- it does not even mention anonymous users.  Even if the app root were affecting this, it also allowed authenticated users except in one unrelated sub-folder, so again I don't see how this change really could help.  I've since tried removing authorization sections on a few of my local web apps and it has yet to make any difference.  Also, to the best of my knowledge, nothing in the first sub-app changed, and I know the other one quit working right before my eyes, again not touching it since it was the other one that was being checked.  I still cannot fathom why adding an authorization section, especially one that does not even mention anonymous users, could make a difference.  Anyone know of an explanation, or some other things that I should look out for that could cause the Windows login dialog to popup?


  • Experience with New Client and Other Happenings

    Its been a month now since I announced I was going independent, and I've now actually been working two weeks with my new client.  First, although I'm certainly very busy learning a new business, I can also report that I really like this client.  Why?  Unlike previous employers / clients, they are actually showing me the current business process and actively engaging me in it.  I know that seems like a no-brainer, but I've found that most companies don't work this way, usually to the detriment of all.  I'm also really getting to brush up on my sql skills -- yea, I thought they were pretty good too, afterall I wrote an O/R mapper.  :)  The reason I say this is because this client has a lot of one-time tasks which are not your typical CRUD persistence.  Some of these are also very large with quite a few joins, so I'm learning some other tricks to, like using NOLOCK and other hints.  None of this is really new to me, but its certainly not been something I've had to do this much of, so its definitely polishing my sql.

    The next thing I like about this client is that they actually want my architectural input, and before I develop it all no less.  Again I agree that seems like common-sense, but its not the status quo that I've found in many businesses out there.  I'm slowly (but not too slowly) designing and building a set of applications that incorporates all the best practices that I know.  We're using my O/R mapper for many things, and having a truly distinct business layer that will allow us to have windows or web GUIs.  We're also doing security right, with salted hashed passwords, and roles -- again something obvious but amazingly not very common!  Our web application is of course using Master Pages and stylesheets to get the most out of reusability -- again rather rare.  None of this is rocket science, in fact its just commonly known best practices as I said earlier, but we're actually doing it.  It takes a little while to set it up right, but then things proceed much faster, so I've never understood not doing it right.

    I'm also getting rather spoiled working at home, with dual monitors unlike anywhere I've ever worked before.  We also use MSN for audio / video conferencing and application sharing -- very easy and convenient, and much cheaper than the alternatives.  Working from home is really cool in this type of environment since I will have a lot of flexibility as I learn the business.  Of course this also means that I really need a dedicated home office, and coincidentally the lot we were waiting for opened up.  So we are now trying to sell our existing house, while building a new bigger house, as if I wasn't busy enough already.  By the way, the dual effect of a new job and the house explains why I haven't finished the next release of my O/R mapper.  Its supposed to clean up a few things, while I was also targetting have some NUnit tests included since I really need that best practice also.  So that's what's been happening with me -- along with all the usual things that everyone else has with small kids in school.


  • Changing ASP.NET Forms Authorization Redirection

    ASP.NET makes it easy to configure Forms Authentication and Authorization, including automatically redirecting you to the login page when necessary.  The problem is that it also redirects authenticated users to the login page when they attempt to access pages that they are not authorized to access.  This gives you the opportunity to login as someone else, and then be automatically redirected back to the page you originally attempted to access.  But that may not be the behavior you want for authenticated users -- do your users really have multiple logins and do they understand why they end up back at the login page?  Instead, I want my authenticated users to be redirected to some other page that tells them they do not have access, and possibly gives them a way to contact an administrator.  So here's the code that you need to put in your Global.asax file:

    protected void Application_AuthorizeRequest(Object sender, EventArgs e) {
      if (this.Request.Path.ToUpper().EndsWith("LOGIN/DEFAULT.ASPX") && this.Request.IsAuthenticated) {

    Note that this will prevent any users with multiple logins from being able to switch their login -- the solution for them is to first logout, or close and reopen the browser.


  • What Exactly is the Point of O/R Mappers ?

    I had a recent email exchange with someone that was observing that they still had to be at least somewhat aware of the workings of the O/R Mapper and their database design when they designed their entity classes.  “To me, this is too intrusive since I have to incorporate a lot of persistence knowledge into my design whilst I'm still designing rather than being able to play around with the design and then add on the persistence.”  This actually made me think a lot of Andrew Conrad's blog postings, as well as a lot of conversations I've had with some of my architect, developer, and DBA friends over the last couple of years.

    So what exactly is the point of using an O/R Mapper if its not completely “transparent”?  For me the main point is freedom -- freedom to focus on the design and not the implementation.  The architect and developers should gain time when using an O/R Mapper, since they don't have to write and maintain all the repetitious and boring persistence code.  Yes they still have to think about persistence, but they have more time to focus on better understanding the real business needs.  Similarly for the DBA -- the point is not to get rid of the DBA -- instead the DBA should be freed to better focus on the database design instead of writing stored procs.

    There are other types of benefits of O/R Mappers too -- but they are also mostly about freedom.  For instance, one of the main selling points of O/R Mappers to management is that you will be able to easily target multiple database platforms.  That sounds like vendor freedom -- you can have your product work equally well with MS SQL, Oracle, MySql, or whatever database you want -- even the lowly Access.  Another feature of O/R Mappers is greater flexibility in your search and sort functionality -- which sounds like freedom from the fixed APIs of stored procedures, without however having to write and maintain your own dynamic sql.

    I think all this additional freedom is well worth it -- as long as the O/R Mapper does not itself take away too much of your freedom by forcing you into its framework any more than necessary.  Some “vendor lockin” is to be expected with any library, and O/R Mappers are certainly no different, but it should be as minimal as possible.  In other words, yes you do need to realize that you are creating entities that are going to be persisted, but you shouldn't have to worry too much about the how your particular mapper accomplishes that persistence.  Of course, I think my WilsonORMapper minimizes that lockin, while maximizing the freedom.