Robert Hurlbut's Blog

Thoughts on .NET, Security, Architecture, Agility, and Databases.


March 2004 - Posts

By way of Rich Turner's blog post:

Many people are concerned about the performance of their Enterprise Services components compared to their old COM+ implementations. In order to discuss this issue, I (along with a couple of colleagues) wrote a paper published here on MSDN.

The paper essentially highlights the most optimal way to create Enterprise Services components and that if our guidelines are followed then your Enterprise Services components will, by and large, match the performance of COM+ components!

Comments welcome ;)

I am looking forward to this one as many of my readers know I have spent a great deal of time with EnterpriseServices, doing my own performance testing, stress testing, etc.  If you are considering the need for ES, take a look at this paper.

Posted by RHurlbut

Chris Sells talks about his experiences learning from Ward Cunningham the importance of Test-Driven Development (TDD) in an excellent post titled “Checking Spec. Compliance at Build Time”.  One excerpt stood out for me (among others):

... The very nicest thing about TDD is that "fixing breaking changes" becomes the least painful thing to do!

This is huge. In fact, it's so huge, that MS should provide an end point for people to submit their own unit tests against our Windows and .NET APIs so that when we make breaking changes, we can either fix them or know the proportion of folks affected by this breaking change.

What an interesting proposition!

One item I found extremely helpful in the Rotor code, especially when porting it to other OSs, is the large number of included unit tests you can run to make sure things still work.  Plus, if I make some changes to figure out how things work, I can instantly determine whether something else is broken by running the tests.

In my own work, I am a firm believer in TDD and unit testing.  It also appears to be getting more attention from Microsoft, as it should.  This article, “Improve the Design and Flexibility of Your Project with Extreme Programming Techniques”, from the April 2004 MSDN Magazine, is filled with excellent help for individual developers and development groups to get on board with TDD and unit testing.

Posted by RHurlbut | 3 comment(s)

In my own research into .Net Security, one area I have explored is how to correctly set up Partial Trust websites with ASP.NET 1.1 and resources placed in “sandboxed” environments.  One of the best resources I have found is the book Improving Web Application Security: Threats and Countermeasures from the Microsoft Patterns and Practices group.

For a quick introduction, Keith Brown has an excellent article in the April, 2004 issue of MSDN Magazine called “Beware of Fully Trusted Code”.  Read this and understand the issues.

Posted by RHurlbut

By way of Brad Abrams' Blog:

I am very happy to have this book done!   Ever since I started working on the CLR, almost 6 years ago, I have wanted SOMEONE to do a book like this.  In a past life when I did Java development, I really liked Chan (et al.)’s The Java Class Libraries, Volume 1 and I wanted a similar book covering the BCL.   At the time I didn’t think I would be the editor. This book could have never come together without significant help from a large number of folks.  I will not repeat the book’s acknowledgements here, but know that it is more their work than mine.

So, consider this the first plug for the .NET Framework Standard Library Annotated Reference Vol 1 (I think this needs a shorter name; how about SLAR?)

Congratulations, Brad!

I have been watching for this book for a while, waiting for it to be available so that I can dig in.  In fact, I was looking to buy this one earlier today and noticed it's finally available on Amazon.  If you enjoyed The Common Language Infrastructure Annotated Standard as much as I did, you will definitely want to get hold of Brad's book as well.

Posted by RHurlbut | 1 comment(s)

One of my favorite authors, Tom Barnaby, has written a short article titled “Preparing for Indigo” in preparation for his “Get Ready for Longhorn: Going Indigo” talk at VSLive! San Francisco on Friday, March 26.  [by way of Chris Sells]

Another good source of Indigo information is from Brent Rector's book Introducing "Longhorn" for Developers:  Chapter 6:  Communication

Over this past weekend, I took some time to expand my understanding and knowledge of other areas in .Net (besides EnterpriseServices, Security, Rotor, etc.) and was again looking at .Net Remoting.  There are some good resources out there, but two of the best I have found are these:  Distributed .Net Programming in C# by Tom Barnaby (for an introduction to .Net Remoting) and Advanced .Net Remoting by Ingo Rammer.

When I looked at .Net Remoting last November, I was concerned with Code Access Security (CAS) working across machines.  I was also concerned about securing the Remoting transport when communicating across boxes.  I just noticed this morning that a couple of older articles on this topic:

.NET Remoting Authentication and Authorization Sample - Part I

and

.NET Remoting Authentication and Authorization Sample - Part II

were updated in January 2004.   According to the first article, here is what has been updated:

Note: This is an update to the original article published in the summer of 2002. This update was mostly done to provide a version of the sample that works with the .NET Framework version 1.1. However, additional features have been added. Mutual authentication is now supported for Kerberos and the Identify flag is now supported for NTLM and Kerberos.
Some implementation details have also been changed in the sample. All classes now implement IDisposable where appropriate, allowing resources to be collected more aggressively than before. This is important for the authentication channel sinks which may run for long periods of time under high load.
As far as this article is concerned, the only significant change is to the section on Kerberos. Additional text has been added to explain the User2User sub-protocol which is now standard on the Microsoft Windows XP and Windows Server 2003 Kerberos implementations.

And from the second article:

The Microsoft.Samples.Runtime.Remoting.Security assembly has been rewritten. The relatively monolithic implementation in the first version has been replaced with a more granular design that's easier to understand. The channel sinks now feature a client and server state machine which manage the authentication handshake.

Impersonation no longer happens automatically on the server side. Instead, the developer of the remote object now has full control over impersonation by calling Thread.CurrentPrincipal.Identity.Impersonate().

The security sinks now always set a Principal on the thread calling the remote object. This allows the object implementer to take advantage of declarative security regardless of whether they explicitly inject a custom principal themselves.

These articles are definitely worth looking at as examples of securing the Remoting channels.
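To make the last two points from the second article concrete, here is an added C# example (not code from the MSDN sample or from this post) of a remote object that relies on the principal the security sinks place on the calling thread: the declarative demand is evaluated against Thread.CurrentPrincipal before the method body runs, and impersonation is done explicitly by the object implementer and reverted in a finally block.  The class, method, role and path names (PayrollService, MYDOMAIN\PayrollAdmins) are assumptions.  One detail the article's wording glosses over: IIdentity itself has no Impersonate method, so the identity is cast to WindowsIdentity first.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

// Added example, not part of the MSDN sample: a remote object hosted behind the
// authentication channel sinks. All names here (PayrollService, MYDOMAIN\PayrollAdmins)
// are hypothetical.
public class PayrollService : MarshalByRefObject
{
    // Declarative security: the runtime checks Thread.CurrentPrincipal.IsInRole before
    // the method body runs. This only works because the server sink set a principal on
    // the calling thread; with no principal, or one lacking the role, the caller gets a
    // SecurityException and the body never executes.
    [PrincipalPermission(SecurityAction.Demand, Role = @"MYDOMAIN\PayrollAdmins")]
    public string ReadSalary(string employeeId)
    {
        // Record who made the call from the thread principal, not from anything the
        // caller passed in, so the audit trail cannot be spoofed by the argument.
        IPrincipal caller = Thread.CurrentPrincipal;
        Console.WriteLine("Salary lookup for {0} by {1}", employeeId, caller.Identity.Name);
        return "<salary record>";
    }

    // Explicit, scoped impersonation: the server runs as the caller only for the file
    // read and reverts in finally, instead of the whole call running impersonated.
    public string ReadCallerFile(string path)
    {
        WindowsIdentity callerIdentity = Thread.CurrentPrincipal.Identity as WindowsIdentity;
        if (callerIdentity == null || !callerIdentity.IsAuthenticated)
        {
            // Anonymous or non-Windows principal: refuse rather than silently fall back
            // to the host process's own (more privileged) identity.
            throw new SecurityException("No authenticated Windows caller on this thread.");
        }

        WindowsImpersonationContext ctx = callerIdentity.Impersonate();
        try
        {
            // The ACL check on the file is now made against the caller's token, not the
            // host process's. If the client authenticated at identify level only (the
            // "Identify flag" the first article mentions), this open fails, because an
            // identification-level token cannot be used to access resources.
            using (StreamReader reader = new StreamReader(path))
            {
                return reader.ReadToEnd();
            }
        }
        finally
        {
            ctx.Undo(); // always revert, even if the read throws
        }
    }
}
```

The point of keeping impersonation inside the try/finally is that the thread returns to the pool after the call; if the revert were skipped on an exception, the next request served by that thread would run with the previous caller's token.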

Posted by RHurlbut | 1 comment(s)

As Sam blogs today, the product we have worked on for the last 10 months is going public.  That product is:  bcgi Mobile Guardian ™.  Mobile Guardian is a first-ever solution that gives carriers the ability to provide businesses and families the real-time, Web-based controls they need to manage wireless phone usage and expense among single or multiple users.  Recently, it was featured in a Yahoo press release.

As Sam said:

I have worked with a unique and talented team, including Robert to deliver three versions of the product (1.0, 1.1 and 2.0) in a 10 month time frame. Please either come see the world debut of the product at the CTIA show or look for the press coverage. I obviously cannot give technical details of the architecture other than to note that 2.0 is completely based on the .NET platform, written in C#, and utilizes advanced distributed features of .NET, presenting a visually appealing web experience for users through ASP.NET Web pages. Look for it at your carrier this year.

It's been a long journey, but as Sam mentions, this has been an excellent team.  I personally haven't grown more professionally anywhere else than I have working with this team.

Along with that exciting news is some sad news for our team.  Sam has finished his architecture and development work here and will be moving on to provide his expertise to other clients.  Speaking for myself, it's been a pleasure working with Sam.  Sam has brought technical excellence, leadership, and insight to our team.  I have learned much from him and owe him a great deal.  He got me to start blogging, speaking at user groups, and interested in writing.  Plus, working with Sam has been rewarding, as he definitely knows .Net inside and out.  For all of these things, I am forever grateful.

Good luck Sam!  I know you will be a great benefit to any team you work with next.

Update:  The Boston Globe has published an article about the product as well:  Another wrinkle: permitted numbers.

By way of Dana Epp,

I found a great article/interview on ComputerWorld with Gary McGraw, discussing hacker exploits and the state of software quality.

I just can't wait to get Gary's book. If his writing style is anything like his interview style, it should be really good.

Anyways, if you are into learning Gary's take on building more secure software by writing better quality software, consider reading the interview.

I agree, read the interview.  Plus, read the book (Exploiting Software:  How to Break Code).  I have been reading my copy over the past week and it is excellent.  Best I have read, I think, since Writing Secure Code, Second Edition.  Get it, read it, live it!

Posted by RHurlbut

My good friend Sam Gentile will be presenting one of his best INETA talks (which I had the pleasure of seeing in Vermont) on the CLR at the New Hampshire .Net User's Group meeting on Thursday, March 18.  Over the past week, Sam has made his best even better:  he is also presenting a section on Rotor code, including demos/code samples using Rotor.  And, as he did in Vermont, he is writing all of the code using Textpad as his editor, rather than Visual Studio.Net.

Sam and I have both worked extensively with Rotor, with me compiling and running it on FreeBSD, and him compiling and running it on Mac OS X.  We have both said it is one of the best educational tools for learning how .Net works underneath.  I still use it nearly every day when I have a question about System objects, Remoting, Garbage Collection, Fusion, etc.  Sam is taking the lead to show developers just how easy it is to dive right into the source.

If you are in the area, be sure to stop by for this very special presentation.

Update:  If you are new to Rotor, Joel has compiled an excellent list of resources to help you get started.

Update 2:  As Sam mentioned, the presentation went extremely well.  The Rotor content, as well as each CLR demo, was excellent!

Posted by RHurlbut | 3 comment(s)

Gary McGraw (co-author of the newest must-read application security book, Exploiting Software:  How to Break Code) mentioned his own list of recommended application security books to the SC-L yesterday.  You can see the list on Amazon:

http://www.amazon.com/exec/obidos/tg/listmania/list-browse/-/3C2SNAN1EZDVI/ref=cm_mpemr_lm/

I have most of these, and I also highly recommend these books.  I don't have, though, the “Cowgirls” book.  But as he said in his comment: “One of these things is not like the others...”.  :)

Posted by RHurlbut