UPDATED: 4/25/2008 – See my new post of Partial SSL in Asp.Net MVC using the RequireSSL attribute from the MVC Futures Project

Tonight I was working on a small Asp.Net MVC project and was trying to add authorization and “require ssl” to specific pages using IIS. Of course you don’t have pages like you used to in Web Forms, so setting security and SSL on a per directory and per file basis doesn’t work like I’m used to.

The authorization requirement is actually pretty easy to handle once I approached the problem from a strictly MVC point of view. Using the Authorize attribute, which is included with Asp.Net MVC, I was able to pick and choose which controller actions I wanted to secure. In the code sample below I’m requiring the requestor to belong to the Users role.

[AcceptVerbs(HttpVerbs.Get), RequireSslFilter(Order=1), Authorize(Roles="Users",Order=2)]
public ActionResult ToServer()
{
   return View("ToServer");
}

When you need a little more control, you can implement a class that inherits from AuthorizeAttribute. Examples of when you might want to do this, would be if you wanted to change the authorized role at runtime, or not require any role (perhaps in your dev environment), or when you want to require SSL. In the above example you can see the RequiresSslFilter, which is a custom filter implemented as shown below which requires the use of SSL.

public class RequireSslFilter:AuthorizeAttribute
{
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
   if (httpContext.Request.IsLocal == false && httpContext.Request.IsSecureConnection == false)
   httpContext.Response.Redirect(httpContext.Request.Url.ToString().ToLower().Replace("http", "https"));

   return base.AuthorizeCore(httpContext);
}

}

In the code, I’m checking for if the request is local and secure, and redirecting to a secure version of the request. The check for IsLocal is useful for development scenarios. I added the Order parameter to the use of the RequiresSslFilter attribute to ensure that I check for the use of SSL before the check for the role. This helps ensure that credentials are only sent over SSL.

Tonight I was doing some load testing on an application I’m developing. Initially I was testing without SSL, but then needed to switch over to SSL, but hadn’t setup by development server with a cert. I jumped onto ssl4net (a free online certificate management site) and created a new cert for my server and proceeded to import it in IIS 7, but got the error “A specified login session does not exist. It may already have been terminated”.

I jumped around on Google for a bit and found this post by Omri Gazitt, and another post by FreakCode. The first talked about granting everyone permissions to the file that corresponds to the cert (on my computer the RSA certs are located at C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys). I remember doing something similar to this before, but it just didn’t seem right. The second post suggested marking the certificate as exportable when importing in IIS, and I had already done that so that wasn’t my problem either.

I decided to remove the cert, and try using the MMC Certificate snap-in to import the cert. I also gave it a friendly name from with-in the MMC. Going back to IIS and selecting this cert in the binding dialog no longer produced an error. I don’t know if it was how I imported it, or the friendly name, but it is/was too late to go back and play with it any more.

I was having some problems with file permissions, my web hosting provider and DasBlog. It seems to have been related to compiling and e-mailing the daily status report, so I've turned that off for now. Hopefully it will stay running.

I have been toying with the idea of hosting my stuff back at home like I used to back in the day. I was the first of my friends to get broadband, thanks in part to UW-Madison and my dad (paying the bill). Great thing about the UW-Madison DSL was that they let you host all the services you wanted to. At one point I was running a mail server on linux (can't remember which one), web, DNS, and a dedicated Unreal Tournament server.

I've been working on upgrading my home gear. I recently purchased a slew of UPS's (thanks to Circuit City going bye-bye), and while they won't protect against anything longer then probably 20 minutes, still good enough for my "mission critial" website ;). Also picked up two more WD Caviar Black HD's to create anothe Raid-1 array for my VM's. Also on the to-do list is to setup a pfSense firewall so I can have a properly segmented network between my internal services and external (DMZ).

The only thing I'm missing is my iSCSI array so I can setup clusterd hyper-v machnes with quick motion to avoid downtime, but again, we're not talking mission critial stuff here. I think I can afford 10-15 minutes of downtime each month while I patch all the VM's and the host machine.

I went to RDP into one of my local Hyper-V virtual machines this morning, only to find out I wasn’t able to connect. Browsing to the Hyper-V manager I saw that none of my VM’s were running. At first I couldn’t figure out why this was, until I remembered that my desktop machine was powered off this morning, indicating we had a brief power outage. The laptop, which obviously has a battery, was able to withstand the power outage, but the external hard drive, which requires external power was not. While I do have a UPS, it’s a piece of crap that never worked. Maybe now would be a good time to pick up another UPS on closeout from Circuit City, I’ll have to run that one past my manager.

I tried starting my VM’s, but most of them wouldn’t start, giving an error stating that the VM couldn’t start in it’s current state (which appeared to be saved). I tried to delete the saved state, and got an error stating that the saved state could not be deleted in the current state. The common thing between the VM’s that would start, and those that wouldn’t, was that the VM config files were also on the external hard drive. Browsing to the external hard drive, showed that the folder that contained the VM config files was empty (not a good sign). I checked the event log to see if I could get some more information, and 100’s of warnings indicating a problem with my external hard drive. I figured the best thing to do at this point was to shut down my laptop, power cycle the external hard drive and double check all connections.

After the reboot, the drive was functional (well almost) again, and there were no more warnings in the event log. While the VM config files were back where they were supposed to be, I still couldn’t start the VM’s. I also could not delete the VM config files from within Hyper-V manager. I went back to the config folder and went to Cut/Paste (move) the config files someplace else thinking I would just recreate the VM config. However, I couldn’t cut, move, delete or do anything other then browse (read) the files and folders.

Jumping back to Server Manager, I opened up Disk Management utility and saw that my external hard drive was listed as read only. I looked in just about every place I could think of, but could not find a way to make the disk read/write again. A Google search yielded no usable results, as it seems this is a pretty obscure problem. Aside from the legitimate answer of “does your removable media have a write protect switch”, all the other answers seemed to focus around viruses and other seemingly unrelated solutions.

Finally I decided to try my the only option that wasn’t grayed out for the read only disk in Disk Manger, and that was to take the disk offline, then bring it online again. Wow, that fixed it, the disk was now back in the standard read/write mode, and finally my VM’s would start. It appears as if the VM config file on at least one of the VM’s was corrupted, as I had to reselect my network adapters, but that was an easy fix.

If you are reading this, it means I’ve successfully updated to the latest version of DasBlog, version 2.2. I’m calling this the 1.1 version of my blog, with a couple of point releases scheduled in the near future focused on a new theme, proper support for uploading images, and code formatting.

I don’t even know what version of DasBlog I was running before this, so I wanted as clean an upgrade as possible. I decided to start with a completely clean install, then copy my posts over, diff the config files and see what happens. Since I run my blog in a virtual directory with a sub domain pointer, I created a new virtual directory to do testing, and then updated the sub domain pointer when everything was ready to go.

Here are the steps I took to upgade to DasBlog 2.2:

1. Download DasBlog 2.2 from the CodePlex Site. I chose the web-files.zip file.
2. Unzip the web-files.zip to a temp directory
3. Copy my content folder from my old blog to the dasblogce folder in the new temp folder. I actually backup my content folder daily from my hosting provider, so I already had this locally.
4. Leaving everything else the same for now, I zipped up the contents of the dasblogce folder and uploaded it to my hosting provider
5. Create a new sub folder on the root of my website called blog2
6. Extract the contents of the zip file I uploaded in step 4 to the blog2 sub folder.
7. Using WinMerge, diff the web.config file between the old and new site
8. Again, using WinMerge, diff the SiteConfig folder
9. Finally diff the theme I am using, re-adding support for
1. Google Analytics
2. OpenID
10. Test
11. Update blog.salvoz.com to point to the new folder
12. Final updates to configuration
13. Update backup routine to pull from the new folder

All in all it wasn’t too painful to do a clean update, and I’m glad I went that way. Total time start to finish was about 2.5 hours.

This week was a pretty good week for training, in that I achieved two milestones, all before even starting my formal training plan. I have to admit that I’ve been doing “training” for the last couple of months, where the rest of the tri-community are all doing cross training. I was doing cross training last fall until it started to take a toll on my legs (interior shin splints), and then switched over to biking, followed by swimming, and then decided, why not try running a triathlon. 

Anyway, about those two milestones I archived this week. First, I averaged over 230 watts (232 watts) for the first time on my two hour endurance ride. All of my winter training is done on a Keiser M3 stationary bike wearing my normal biking shoes. The workout consists of 120 minutes of tempo work, divided up between a base gear (~90 RPM to hit target wattage) for 40 minutes, 20 minutes of a higher gear, then 60 minutes of the base gear. The gearing really won’t mean much to anyone else, but I did 13, 16, and then 14. I was doing 13, 15, 13 for a 8 weeks, but switched up to 13,16,13 a couple of weeks ago, and this week was the first time I was able to push gear 14 for the full second half of the workout.

The second milestone, was a 1500m time trial in a pool, in which I broke the 30 minute mark, setting a new personal best at 29:26. When I first started swimming back in November I think, I was able to swim 1500m in around 38 minutes, so in about three months I’ve shaved off over 8 minutes. Now if only it would be as “easy” to shave another 8 minutes off. I think the biggest impact on my swimming has been improving my technique, although I do feel my swim endurance getting better, and I feel less out of breath.

I am really looking forward to starting my actual 16 week training plan next week, in preparation for the Capital View triathlon. I still have to work out the details of the plan, and am trying to decide between a couple of different “levels” as defined in the book I have. Some of the starting distances for the swim, and bike duration seem awfully low, but instead of stepping up a level, I could just try to increase the intensity. Most of the reading I have done indicates that higher intensity workouts pay greater dividends then lower intensity but longer workouts.

Given my 1500m time of 29:26, I figure I could have increased my pace for a 20 minute test by 10%, so my 100m pace would be 1:45. I will use this number to figure out my different training zones for swimming, and based on some training sets I’ve done in the past, this will be a very good pace for me to shoot for. At this point, I’m hoping to break the 25 minute mark in the pool by June, which should hopefully equate to a 30 minute open water swim, although I have nothing to base this on.

You can view my online training log at Buckeye Outdoors (yeah, I think it’s a weird name for a training log site as well).

Last night was the regularly scheduled meeting for the Madison .Net Users Group and consisted of a presentation on MVVM by Christopher Huganen, and the first meeting of the TFS SIG, led by Travis Feirtag.

MVVM

MVVM stands for Model, View, View Model, and is an architectural pattern that focuses on testability and separation of concerns. While MVVM can be used in a variety of application environments, the focus of this presentation was on it’s use with WPF. As a matter of fact, I’m seeing MVVM paired specifically with WPF more and more.

Some key advantages of MVVM that were talked about include:

• Separation of Concerns
• Use the force of WPF (bindings)
• Write less code
• Easy to Unit test
• Split Designer/Developer responsibilities

To the inexperienced WPF developer (which includes myself), it may seem difficult to believe that MVVM leads to writing less code. At first glance, and from reviewing numerous (short) examples, it basically looks like you are rewriting your business entity class, but adding support for binding and other View concerns. I believe that overall it will lead to less code, but I can’t comment directly on it until I actually implement something using this pattern (which I hope to start soon).

Here are a few links that were provided last night that talk more about the MVVM pattern:

• MSDN Article - WPF Apps With The Model-View-ViewModel Design Pattern written by Josh Smith
• Karl Shifflett's blog and section of MVVM

And for the sake of completeness, here are a couple of definitions for some similar patterns.

• Supervising Presenter
• Passive View

TFS

As I mentioned in my opening, last night was the first meeting of the TFS SIG. Travis put together a short slide deck outlining the purpose of the SIG (TFS SIG Slides), and also brought an external hard drive with a VPC image containing TFS 2008 and Team Suite 2008 (running on top of Win2k3 Server).

• VPC Image
• Hyper-V Image

I am really excited about participating in the TFS SIG, as TFS is something I started, but I guess you could say never finished. So in addition to the labs and topics covered initially at the SIG, I’m hoping to start a project with the purpose of better understanding TFS from the project management point of view.

Here are some links to some of the things I brought up during the SIG portion of the meeting (and a few other links):

• My blog posts (part1, part2) on migrating from TFS 2005 to 2008 Beta, which covers migrating between domains and servers
• TFS Branching Guide 2.0
• MSBuild Extension Pack
• SvnBridge - Use TortoiseSVN with Team Foundation Server
• http://localhost:8080/Warehouse/v1.0/warehousecontroller.asmx – This is the URL to the warehouse controller web service in TFS. From here you can manually invoke the warehouse update job so you can get updated reports. Also great for trouble shooting.

MVC

After the meeting I got to talking with a couple of people about Asp.Net MVC and promised a couple of links:

• Jeff Palermo's Blog
• http://www.codeplex.com/MVCContrib
• Code Camp Server – A “reference” application built using Asp.Net MVC, TDD and DDD.

Last week, I registered for my first Triathlon, the Capital View Triathlon, held here in Madison, WI. I will be competing at the Olympic distance, which is a 1500m swim, 24.85 mile bike, and 6.2 mile run. I’ve been spending about 6-7 hours per week getting ready to start my 2009 annual training plan (which I still have to finish creating). Following the guidance of “The Triathlete’s Training Bible” by Joe Friel, I’m looking at some weeks requiring 14 hours of training, or double what I’m used to. I don’t know if I’ll be able to fit in all that training, but we’ll see how it goes. I would like to start doing some workout before work, but waking up before 6am does not seem like fun, although I better get used to it, as I can’t just wake up at 5:45am on race day after months of waking up closer to 7.

I’ve been pretty happy with the stats in the various disciplines. I’ve had a couple of spinning sessions were I have had 255 watts over 40 minutes, and I’ve been averaging 8.6 mph (7:00 minute mile) over 30 minutes running. I’ve recently begun altering my running style/technique in an effort to increase my cadence (number of times my foot strikes the ground). So far that has been going pretty well, I’m able to keep a higher cadence without counting all the time, although on my last run I brought a metronome, and realized I have a lot more work to do in keeping that cadence where I want it (180-190 foot strikes/minute).

I’ve been getting to the pool once or twice a week for about an hour each time. I’m still a complete novice when it comes to swimming, so after doing 1500m in my first couple of workouts just to make sure I could go the distance (note: just swimming 1500m in a pool, grabing the wall each time and getting that extra breath does not equate to 1500m in the open water), I’ve been trying to work more on technique. I think I’m making some good progress on this front. Today after my drill set which consisted of 1350m, I swam another 250m in 4:51, which is a new personal best for me. It’s sad comparing my times to those of actual swimmers, who are almost twice as fast as I am. Oh well, gives me something to shoot for.

I’m creating my shopping list for the event in June:

• New Bike Helmet (my current helmet was a fairly cheap one, and is almost 6 years old. Looking for something a littler lighter and comfortable)
• Sun Glasses (My current el-cheapo pair won’t stay on while running unless I have a head band on, and all scratched up)
• Wet Suit Rental
• Power Meter (the stationary bike I use has one built in, and I’ve really gotten use to using it.)
• New Heart Rate Monitor
• Bike Fit (I switched cleats and pulled my seat off to use the stationary bike, so I need to get everything set back up once spring comes along).
• New Bike Seat
• Aero Bars (Maybe)
• Areo Wheels Rental (Maybe)

I recently ordered some training gear for swimming, including some freestyle stroke/pull things (yeah, not sure how to describe them), freestyle snorkel, underwater metronome (help work on stroke count). The coolest thing in my order, a large, underwater stopwatch/lap counter. As a techie, my motivation for training usually involves gadgetry of some sort. Speaking of gadgets, my list above lists a power meter and new heart rate monitor. Not sure what I’ll get, as I don’t have an unlimited budget, and would like something that will work on the bike and run portions. I’ve been thinking about the iBike Pro wireless with a Garmin Edge 305 or 405, as it should all work together. However, people have been giving mixed reviews on the Garmin stuff. The other option are two completely different systems, one for the Bike and one for the run.

That’s all for now. I’ll try to post some reviews of the gear as I get it.

While looking for a fix to my TestDriven.Net problem (couldn’t get it to run all Xunit tests in a class or assembly), I came across an open question on Stack Overflow from a developer having the same problem. For some reason I felt compelled to answer this question once I found the answer. After a bit of searching and registry browsing, I found out that I needed to move a registry key from the Wow6432node to the “regular” section of the registry.

So back to Stack Overflow I went to answer. This being the first time I’ve answered anything on there, I figured I should sign up so I get “credit” for my one whole answer. While I have a couple of accounts from other places that support open ID, I felt that claiming my blog URL would be the techie thing to do.

I picked Claim Id from a list of open id providers because I thought Scott Hanselman recommended it, but couldn’t remember for sure, but it looked ok. Sign up was easy, and they even provided instructions for claiming my blog URL, including the HTML code, complete with my username. If you view the source of my blog page, you will see the following two lines in the <Head> section.

<link rel="openid.server" href="http://openid.claimid.com/server" />
<link rel="openid.delegate" href="http://openid.claimid.com/asalvo" />

In DasBlog, I added these to lines to the homeTemplate.blogtemplate file for my current theme. This is also where I placed the code to enable Google Analytics awhile back. Speaking of Google, I came across their Ajax API which I talked about briefly, and though as long as I’m in here editing for openId, might as well try adding the search functionality.

At this point it’s close to 2am, and I started this around 10:30pm. The whole ajax google search turned into a real chore to get working even close to the way I would like it. However, since I invested all this time into it, I felt like leaving it as is for now. There are some CSS entries needed to get the results to show up where they do on my page, so if you want, take a look at my CSS file as well (the relevant stuff is at the top under center column stuff).

I’d like to revisit this post when I update my theme, hopefully in the near future.

Final Script located in the head section (feel free to view source on this page as well)

<script src=”http://www.google.com/jsapi?key=YourKey” type="text/javascript"></script>  

google.load('search', '1.0');

    function OnLoad() {
      var controlRoot = document.getElementById("searchControl");

      // create the search control
      coreSearch = new GSearchControl();
      coreSearch.setLinkTarget(GSearch.LINK_TARGET_SELF);
      coreSearch.setResultSetSize(GSearch.LARGE_RESULTSET);

       // prep for decoupled search form
      var searchFormElement = document.getElementById("searchform");
      var drawOptions = new GdrawOptions();
      drawOptions.setSearchFormRoot(searchFormElement);
      drawOptions.setDrawMode(GSearchControl.DRAW_MODE_TABBED);

      // populate - web, this blog, all blogs
      var searcher = new GwebSearch();
      searcher.setSiteRestriction("http://blog.salvoz.com/");
      searcher.setUserDefinedLabel("Salvoz Blog");
      coreSearch.addSearcher(searcher);
      searcher = new GwebSearch();
      searcher.setUserDefinedLabel("The Web");
      coreSearch.addSearcher(searcher);

      coreSearch.draw(controlRoot, drawOptions);
    }
    function doCoreSearch(q) {
      coreSearch.execute(q);
    }
    google.setOnLoadCallback(OnLoad, true);

    </script>

Like a lot of developers, I am an early adopter, and as such I downloaded and installed Windows 7 beta (blog post forthcoming) on a variety of my computers and created new VM’s. I decided to try to switch over to a Windows 7 beta dev machine at home, to see if there are any gotchas. So far there is nothing related to Windows 7, but getting VS to work fully with my projects stored on a network share took some additional time.

Apparently I completely forgot I had to set Code Access Security on my original development machine, and even after I remember vaguely doing it, I don’t remember what I did. Going back and looking at the settings via mscorcfg.msc, it looks like I just granted the local intranet full trust. This time around I wanted to just grant the full trust permission set to my projects folder on my network share. Not that I don’t trust my local intranet, it just seems like the correct thing to do.

First I tried messing around with the command like tool, caspol, but my command line skills just were not cutting it. I looked for mscorcfg, but it’s no longer installed with Visual Studio (2008), so I downloaded and installed the latest .net SDK. I figure there are some other good tools in it any way. With access to mscorcfg, I set out to grant my user share, U:\Projects full trust permissions.

I figured out that I needed to add a new code group, but I didn’t know under which zone. Reviewing the error in Visual Studio, it referenced both My Computer and Local Intranet. I decided to try My Computer first, and that didn’t work, so I created a second code group under Local Intranet and that did work. I didn’t want to leave extra stuff around, so I removed the code group from My Computer and everything still worked.

Here are the steps I took:

1. Open mscorcfg (as an administrator if you want to modify the CAS at the machine level)
2. Under Runtime Security Policy, expand the Enterprise, Machine, or User, and then under Code Groups drill down to the Local Intranet Zone
3. Right click on Local Intranet Zone and choose new
1. Ender a name and description for your code group and click next
2. For the condition condition, change it to URL.
3. This is the tricky part, entering a correct URL. The path I wanted to add, as shown in windows explorer is U:\Projects, but the error message in VS showed file:///U:/Projects/, so I used that as the URL and added a * at the end, so I ended up with file:///U:/Projects/*. Click Next.
4. Select Full Trust, and click next
5. Click finish

You need to restart Visual Studio after you make a change. While looking for some help on the Internet, I also saw that you can use mscorcfg to create a MSI installer package with your CAS settings, which you can run on other machines, or deploy via group policy. This option is available as “Create Deployment Package” when you left click and select Runtime Security Policy.