Back in March, I posted about creating a custom authorization filter to enable partial SSL. While using the filter in an application I was porting to Windows Azure, I discovered a bug, which has led me to revisit my implementation. Here is the original code.

    public class RequireSslFilter : AuthorizeAttribute
    {
        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            if (httpContext.Request.IsLocal == false && httpContext.Request.IsSecureConnection == false)
                httpContext.Response.Redirect(httpContext.Request.Url.ToString().ToLower().Replace("http", "https"));

            // The bug: this hands the decision to the authentication check.
            return base.AuthorizeCore(httpContext);
        }
    }

As you can see, I'm calling base.AuthorizeCore at the end, which is what you usually do when overriding a method. However, since the purpose of the Authorize filter is to, well, authorize, base.AuthorizeCore returns false if the user is not authenticated. That is a problem, because the user may not be authenticated yet at the time this filter runs, so an anonymous request to a page that only needed SSL is rejected as unauthorized.

The reason I chose the Authorize filter is that authorization filters run before any other filter, as explained by Phil Haack. At first I thought about removing the call to base.AuthorizeCore, but that seemed more like a hack than a correct solution. Digging deeper, I found that the AuthorizeAttribute I was inheriting from implements IAuthorizationFilter, which only requires an OnAuthorization method. So instead of inheriting from AuthorizeAttribute, I could implement IAuthorizationFilter directly and keep authentication out of the SSL check entirely. Two smaller problems in the original code are worth fixing at the same time: calling Response.Redirect from inside a filter ends the response out from under the MVC pipeline (Response.End aborts the request thread), and ToLower().Replace("http", "https") lowercases the path and query string and rewrites any "http" that appears anywhere in the URL, including inside a query string value. Setting filterContext.Result to a RedirectResult, as the Futures attribute below does, avoids both.

However, someone had already done it for me. In the ASP.NET MVC Futures project, released with the ASP.NET MVC RTM source, there is a RequireSsl attribute ready to use. The Futures version has more functionality than mine, with the option to either redirect or throw an exception. It's nice to see I was on the right track at least. Two things to keep in mind when using it: it redirects every non-SSL request, including a POST, whose form data has already crossed the wire in the clear by the time the filter runs and is then dropped by the redirect; and because it builds the new URL from Request.Url.Host with no port, it assumes HTTPS is on port 443 and echoes whatever Host header the client sent.

RequireSsl attribute from ASP.NET MVC Futures (the OnAuthorization method; Redirect is a bool property on the attribute and MvcResources is the Futures resource class):

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
        {
            throw new ArgumentNullException("filterContext");
        }

        if (!filterContext.HttpContext.Request.IsSecureConnection)
        {
            // request is not SSL-protected, so throw or redirect
            if (Redirect)
            {
                // form new URL
                UriBuilder builder = new UriBuilder()
                {
                    Scheme = "https",
                    Host = filterContext.HttpContext.Request.Url.Host,
                    // use the RawUrl since it works with URL Rewriting
                    Path = filterContext.HttpContext.Request.RawUrl
                };
                filterContext.Result = new RedirectResult(builder.ToString());
            }
            else
            {
                throw new HttpException((int)HttpStatusCode.Forbidden, MvcResources.RequireSslAttribute_MustUseSsl);
            }
        }
    }
Since my last training update post (Indoor Triathlon), I've had a couple of rough weeks. Immediately following the indoor tri, I was out of town in Las Vegas for over a week. Biking was non-existent, I got a little bit of swimming in, and also some running. The running was really slow as I didn't know how long my route was ahead of time, and my new Garmin Forerunner 305 was waiting for me at home. Back from vacation, I set about picking up where I left off. My biking performance was the most impacted, with running and swimming close to where I left off. This makes sense: I got no biking in, running was focused on base building, so there was not much to lose, and swimming was focused on technique, which I didn't seem to forget. By the following week, things were back to normal, at least for a couple of days. About a week and a half after my return from Vegas, I came down with the stomach flu, which sidelined me from Wednesday to the following Monday. Once again my biking was shot, and running was about the same. In addition to the stomach flu, our community pool was closed for annual maintenance and I lost out on 3 swim workouts. However, I'm still doing pretty well on the swimming. My 200m intervals are a couple of seconds slower than they were before, but today I swam 1000m and then did 8x75m on 1:15 (actually a little faster). I'm also starting a 4 week masters swim program in a couple of days, and I'm really looking forward to some instruction/coaching.

With the unusually warm weather we had this past week, I decided it was time to switch over to biking outdoors instead of on the indoor trainer. I forgot how much of a role wind resistance plays in outdoor riding, and I'm really thinking a tri bike would make things easier ;) I got in 21, 24, and 30 mile rides and I am looking forward to the most riding I've ever done in a season. The 24 miler was supposed to be 43 miles, but unexpected rain and an unsure forecast forced me to cut my ride way short. I did however complete my brick workout by doing a 30 minute run after the bike, and that went really well. While the route was a little flatter than what I have been running on, it was still a great confidence builder to feel as good as I did on the run after 24 miles on the bike.

This season, starting sometime in May, my goal is to ride to/from work at least 3 times per week. I will be incorporating a specific bike workout on the ride home at least 2 times per week in order to continue to build my bike skills. This will be in addition to my long Saturday endurance ride, which will feature quite a few attempts at the Ironman Wisconsin bike course. A co-worker of mine also gave me some info on a local coach who offers bike classes 3 times per week, but at $20 per class, I'll probably only do a few this season just to try them out.

What's a training update without some new gear? I mentioned earlier that I picked up a Garmin Forerunner 305, and I could not be any happier with it. The constant knowledge of how fast you are going is great for training. I was a little worried the Garmin software wouldn't work on my 64-bit Windows Server 2008 install, but it installed and runs great. It's not crappy software either; it actually has a decent UI with lots of meaningful data. I think one of the coolest features of the software and watch is the ability to program in workouts, like interval sets. Using the software, you can program something like: warm up in zone 3 for 10 minutes, then do a 30 second sprint in zone 7 followed by a 30 second cool down, repeat 10 times. If you are looking for a wrist mount GPS for running or biking, look no further than the Garmin 305 (I think it's better than the 405 even). The price on the 305 has been slashed. I got mine off eBay, new, for around $130. I just saw Best Buy advertising it for $149 as well.

Next up is the iBike Aero power meter I purchased for my bike. After training with a power meter on the stationary bike all winter, I just couldn't see switching to outdoor riding without one. Not only that, but the data I get off the iBike and the analysis provided by TrainingPeaks are worlds better than the average watts I'd get off the stationary bike. I picked up a used iBike Gen 2 Aero for $314 off eBay, and then used the iBike upgrade program to get a brand new Gen 3 unit for only $249. So instead of paying $799, I only had to pay $563. Getting the wireless sensors mounted turned out to be a longer task than I had anticipated. You need to have at least 12 inches, if not more, between the cadence and speed sensors, or you will get whack readings. The speed magnet that goes on the wheel also gave me a good deal of trouble, as I couldn't seem to get it tight enough to keep it in place without deforming it. The iBike is a little more complicated than the Garmin, but I don't consider that a con in any way. The calibration rides were pretty easy, at least easier than mounting the wireless sensors. The amount of information available from the iBike is overwhelming, and I will need to finish reading the instruction manual to learn all the features and how to begin to interpret the data. Thankfully I also picked up a book, "Training and Racing with a Power Meter", which has a lot of good info on how to interpret, and act on, the data provided by a power meter.

With the acquisition of the Garmin Forerunner 305 and iBike Aero, I've gone back to TrainingPeaks.com and signed up for a premium account. While BuckeyeOutdoors.com is free and has some nice features (interval and race specific workout entry), the analysis features in TrainingPeaks are too much to give up. Also, you can upload workouts from the Garmin and iBike to TrainingPeaks, and this saves a lot of data entry. I only wish I had made the decision earlier, as not only did I spend an hour moving the last 8 weeks' worth of workouts over to TrainingPeaks, but now I'm in the middle of my training plan and can't very easily switch over to the virtual coaching (training plan) that TrainingPeaks offers. I think I'll wait until after my first race in June and then look to make the adjustment over to the TrainingPeaks virtual coach. Until next time.
I'm using LinqToSql as a quick way to access my database for some brownfield testing. I needed to execute a stored procedure that returned a result set, but after adding it to the LinqToSql design surface, I noticed that the return type was set to none, and I was unable to change it. This stored procedure had two EXEC statements and a SET TRANSACTION ISOLATION LEVEL statement as well. The designer works out the result shape by running the procedure with SET FMTONLY ON, and nested EXEC statements confuse that, which is why commenting them out is the usual workaround. After commenting those out and re-adding the stored procedure to the design surface, I was still faced with a return type of none. I ended up deleting the stored procedure from the designer, rebuilding, and then re-adding it. This finally produced an auto-generated return type. I then uncommented the lines I had previously commented out. While researching this, I found other people with a similar problem; rebuilding helped a few of them, but not all, so your mileage may vary.
This is the first of a two part post on my trip to Las Vegas for the Microsoft Mix 2009 conference. This first part will focus on Las Vegas from the tourist point of view, with part two focusing on Mix itself.

Hotel

This was my first time in Las Vegas and I stayed at the Trump Hotel, which is only a 5 minute walk from the strip (Las Vegas Blvd). Located on Fashion Show Drive, it is on the north end of the strip (Fashion Show Drive is across the street from the Wynn). I highly recommend the Trump Hotel, and both my wife and I enjoyed our stay there. The room was only $89/night plus the mandatory $15 resort fee (which seems to be common). The rooms themselves are like a studio apartment, complete with enough of a kitchen to cook some basic meals, and a huge marble tiled bathroom with a whirlpool tub. There is a 32" LCD TV in the living area, and a 9" LCD in the bathroom mirror. I'm surprised they didn't have an LCD TV next to the toilet to go with the phone. I didn't do any cooking, but I did make use of the refrigerator to keep some beverages available. They have a pretty nice exercise room, and a pool area with lots of room to just lay out in the sun. The pool isn't fancy, there are no fake rocks, slides, or kiddie play areas, but it is quite functional and heated. In addition to the pool, there are two hot tubs and two rows of cabanas available for rent. While I didn't walk around to the other side, I noticed on the model of the hotel property in the lobby that the other side had additional room for sun bathing. I saw a couple of kids in the pool, but for the most part it was pretty quiet, and I was even able to get in some "lap" swimming on Thursday night before the pool closed.

The Strip

I spent a lot of time walking up and down the strip, before and after my wife came. There is quite a contrast between walking the strip at night and heading over to the Venetian for the conference in the morning. At night, it's like you see in the movies, big crowds and bright lights, while in the morning it's like any other busy downtown city street. I noticed a good number of people out jogging on the strip, and I just couldn't pass up the opportunity to go running in the ideal morning weather. Maybe it was the result of being inside all winter, but the air smelled very fresh in the morning, and I really enjoyed the two runs I got in. I was pressed for time, so I was only able to do a 30 minute run (15 out and 15 back), which got me as far south as the south end of Caesars Palace one morning, and up to the Stratosphere the other morning. A good amount of my time was spent in the Venetian and Palazzo, since that is where the conference was, and by the end of the week I felt pretty good at navigating the labyrinth under the two hotels. I think that the Venetian and Palazzo were my favorite hotels to wander around in. My wife really liked Caesars Palace and the Forum Shops (so much that I had the pleasure of walking all the way through the Forum Shops twice) due to the Roman architecture and theme. Everyone says the Wynn is awesome, but I must have missed something, because I was unimpressed given the high praise. I think I ended up catching the TI Pirates/Sirens show 3-4 times during the week. You can get a pretty good view from across the street, and it's usually less crowded on the north side (closest to the Fashion Show Mall). However, I would recommend watching it at least once from the "front row", which would be on the bridge that leads to the hotel, closest to the Sirens' ship. Also, the show is more impressive in complete darkness, as you get to see the full light show. Also at TI is a most excellent brunch buffet, offered on Saturday and Sunday until 4pm I believe. Without champagne, it's only $17/person, which is really cheap compared to other buffets and sit down restaurants in Vegas. Considering a large orange juice would easily run you $3/glass, and I had two, that's $6 right there. The line was long, but moved fast. They have a VIP line, so if you hunt around, you can probably get your hands on some VIP tickets and skip the line. Other notable dining experiences were Del Torro (the Lamborghini restaurant) in the Venetian, and the Harley Davidson Cafe towards the south end of the strip.

Shows and Attractions

We saw two Cirque du Soleil shows, Ka at the MGM Grand and Mystere at TI, and they were freckin awesome. I was a little apprehensive about spending $400 on show tickets, but it was worth it. I highly recommend spending the extra money and getting the best possible seats you can. We had front row seats for Mystere and were able to see everything in such detail, from the performers' costumes to the expressions on their faces. The half price ticket place was actually a pretty good deal. Right now if you buy online through Cirque du Soleil, you can get two category 1 tickets for $257.50 after a 25% discount and all fees, whereas we only paid $218 at the half price ticket place. Ka is the only Cirque du Soleil show that has an actual story line to it, set in ancient China I believe, and follows the ordeal of a young brother and sister (prince and princess) caught in the middle of a war. It is a high energy performance with incredible choreography, stunts and martial arts. My wife described it best as live action anime. Check out the trailer on YouTube, and another video that shows some of the mechanical engineering behind the scenes. Mystere is similar to Ka without the storyline and martial arts influence; however, it is no less incredible. It would be hard to choose just one. Next time we are looking to go to O, and then change things up with the Blue Man Group.

On our last full day in Vegas, we rented a BMW Z4 convertible and drove to the Hoover Dam. The last 4 miles to the dam were bumper to bumper traffic, as all the weekend visitors were trying to get back to Arizona, and it's only a 2 lane road over the dam. However, they are working on a 4 lane highway and brand new bridge over the river just south of the dam, which looks impressive itself. We opted for the 45 minute power plant tour, and felt a little underwhelmed. We both thought that the 2 hour dam tour might have been better, but we didn't have enough time for that. Needless to say, it was somewhat of a downer coming back home to cold weather and snow. Both my wife and I were looking for Vegas deals all week, and we will definitely be going back sometime.
On Wednesday, March 25, the first meeting of the Madison All.Net special interest group (SIG) was held at Herzing College. The All.Net SIG is all about discussing all things related to Microsoft .Net technologies in an open spaces style meeting. Instead of the lecture hall style room we traditionally use for the Madison .Net User Group meetings, we opted for a classroom style room due to the format of the meeting itself. Aside from a brief survey form I created to get an idea of what people were interested in, we had no set agenda. Below are the results of the survey, which I took to get a general idea of what people were looking to get out of the group. Just because something didn't get a lot of votes (i.e. Windows Embedded only got one vote, which was me) doesn't mean people can't come to a meeting to ask for help, share their code and participate.

Topics

| Topic | Votes |
| Asp.Net MVC | 8 |
| Architecture | 8 |
| Silverlight | 8 |
| Agile | 7 |
| Test Driven Design/Development | 7 |
| Entity Framework | 6 |
| Alt.Net (General) | 6 |
| Domain Driven Design | 6 |
| WCF | 5 |
| Project Management | 5 |
| SQL Server | 4 |
| Asp.Net Web Forms | 4 |
| TFS | 4 |
| WPF | 4 |
| Sharepoint | 4 |
| nHibernate | 3 |
| Windows Mobile | 2 |
| Windows Forms | 2 |
| IIS | 2 |
| BizTalk | 2 |
| Other ORM | 1 |
| XNA | 1 |
| Linq2Sql | 1 |
| Windows Embedded | 1 |

Topics – Write-in Suggestions

Scrum, Prototyping, Requirements Gathering and Analysis, Networking (Wired, Wireless, etc), Dynamic Languages (IronRuby/IronPython), Security, WMI, Debugging, Best Practices, Subversion, db4o, SQL CE, Sync Framework, Ado.Net Data Services, Azure

Meeting Formats

| Format | Votes |
| Group Project | 8 |
| Peer Code Reviews | 6 |
| Pair Coding | 6 |
| Scheduled Topics | 6 |
| Open Spaces | 3 |
| Guest Speakers | 3 |

After the survey, I talked about the Mix09 conference I attended last week. This was a two way discussion, with lots of good questions, and not a presentation (no PowerPoint at all!). We talked briefly about Silverlight 3, Blend 3 (SketchFlow), Expression Web 3 (SuperPreview), and .Net RIA Services. While we were enjoying some pizza, we watched a bit of the Bill Buxton/Scott Guthrie keynote, and had a good laugh at Scott's intro video.

After the pizza break we started looking at the Entity Framework, and some ideas on a group project. I did a quick tally in my head of the technologies people were interested in, and Asp.Net MVC, ORM (EF, nHibernate, etc), and general architecture were the top 3. I sketched out a pretty lame diagram showing how we could create a project that allowed us to tackle the top 3 (and other) technologies. The project I proposed was basically a typical 3 tier application consisting of an Asp.Net MVC front end, a domain layer (business logic/objects), and a data access layer implemented using a variety of ORMs. The reason for working with multiple ORMs is that everyone has different needs, wants and desires, and we're trying to be as inclusive as possible. I think almost everybody has some type of standard they need to use at work, and in addition to pushing the boundaries of technology they are already familiar with, they also want to try new things and see how things work when implemented with a different ORM. In order to allow for the use of multiple ORMs, I suggested the use of the repository pattern, which in simple terms presents the data store as an in-memory collection of domain objects. To implement it, you define a set of interfaces in your domain (business) layer, and then create concrete implementations of the interfaces for each ORM you wish to support. This is quite a common approach in Domain Driven Design and in the Alt.Net space; however, it's usually done to aid the testability and maintainability of the code base. The following is my best attempt to create a list of all the web sites and projects that I referenced during the discussion (in no particular order). It is important to note that everyone's implementation and terminology is a little bit different. I don't believe there was any final decision made on if or when we will start a group project, but I am excited to continue to talk about this. I already got one e-mail from someone who attended asking for examples, which is why I included the list above. Our next meeting should be around April 15th, but be sure to check the MadDotNet web site for the official date and time.
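The repository pattern sketched in the meeting write-up above, as an added example in C#; this is not code from the meeting or from any of the referenced projects, and Customer, CustomerService and the key-selector constructor are hypothetical choices made here to have something concrete to store:

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Domain layer: the repository contract. Controllers, services and tests program
// against this and never see a DataContext, an ISession or an ObjectContext.
public interface IRepository<T> where T : class
{
    T GetById(int id);
    IEnumerable<T> Find(Func<T, bool> predicate);
    void Add(T entity);
    void Remove(T entity);
}

// A hypothetical domain object, introduced for this example only.
public class Customer
{
    public int Id { get; set; }
    public string Name { get; set; }
}

// The "in-memory collection of domain objects" from the discussion, made literal.
// This is the implementation a unit test uses; a LinqToSql, nHibernate or EF
// implementation satisfies the same interface and is swapped in at composition time.
public class InMemoryRepository<T> : IRepository<T> where T : class
{
    private readonly Dictionary<int, T> items = new Dictionary<int, T>();
    private readonly Func<T, int> keyOf;

    // keySelector tells the repository which property is the identity (assumed int keys).
    public InMemoryRepository(Func<T, int> keySelector)
    {
        keyOf = keySelector;
    }

    public T GetById(int id)
    {
        T found;
        return items.TryGetValue(id, out found) ? found : null;
    }

    public IEnumerable<T> Find(Func<T, bool> predicate)
    {
        return items.Values.Where(predicate).ToList();
    }

    public void Add(T entity)
    {
        items[keyOf(entity)] = entity;
    }

    public void Remove(T entity)
    {
        items.Remove(keyOf(entity));
    }
}

// Domain service that depends only on the interface, so the ORM choice is invisible here
// and the service can be tested without a database.
public class CustomerService
{
    private readonly IRepository<Customer> customers;

    public CustomerService(IRepository<Customer> customers)
    {
        this.customers = customers;
    }

    public Customer Rename(int id, string newName)
    {
        Customer customer = customers.GetById(id);
        if (customer == null)
            throw new ArgumentException("No such customer", "id");
        customer.Name = newName;
        return customer;
    }

    public static void Main()
    {
        IRepository<Customer> repo = new InMemoryRepository<Customer>(c => c.Id);
        repo.Add(new Customer { Id = 1, Name = "Acme" });
        CustomerService service = new CustomerService(repo);
        Console.WriteLine(service.Rename(1, "Acme Corp").Name); // Acme Corp
        Console.WriteLine(repo.Find(c => c.Name.StartsWith("Acme")).Count()); // 1
    }
}
```

The point of the interface is that the concrete class chosen in Main is the only line that changes when the group swaps LinqToSql for nHibernate or the Entity Framework; everything written against IRepository<T> stays put.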
Even though I'm not actively developing in BizTalk these days, I still have a need to go in and do some support on an existing system a couple of times a year. Of course it takes me a little bit to get back into the BizTalk frame of mind. Today I had to make a couple of changes to an orchestration and deploy. Part of this process involved un-enlisting several receive locations while I made the change. When I re-enlisted the receive locations and went to check for problems, I noticed that none of my messages were being processed, because there was no subscription for them. I knew that my orchestration should be subscribed to these messages, and thankfully BizTalk creates a suspended message instance that shows the context of the message at the time of the routing failure. I immediately noticed that none of my promoted properties were in the context, which explains the routing failure: the orchestration subscribes on those promoted properties, and a message with nothing promoted matches no subscription. It took me a while to figure out how to fix this, but in the end I noticed that the receive pipeline on my receive locations looked incorrect. Checking a staging server, the documentation, and an XML copy of the bindings I had exported before the change confirmed my suspicion. Somewhere in the deployment and the un-enlist/re-enlist, some of my receive locations had reverted to the default PassThruReceive pipeline, which does no disassembly and therefore promotes nothing. After changing them back to the XmlReceive pipeline, things are all good. Exporting the bindings before touching anything is what turned this into a quick comparison instead of guesswork; re-importing that file would have restored the pipelines as well.
On Sunday, March 15th, I participated in the Harbor Athletic Club Dust the Rust Indoor Triathlon (sponsored by Endurance House). This was my first competitive event in the sport of triathlon, and I had a great time, taking 2nd. There were about 14 total participants, so while it would have been nice to have some more competition, it did keep things moving smoothly. The format of the event was a 10 minute swim, 30 minute bike and 15 minute run. You had to swim as many pool lengths, and run as many laps around the indoor track, as possible in the given time limit. The biking portion, which was done on the same Keiser M3 spinners I've been training on all off season, was based on how many miles the display showed after 30 minutes. Unfortunately, this isn't very realistic, as the mileage shown depends on how fast you pedal, not on how many watts you produce. So while I was aware of this fact, I just didn't feel like pedaling at 160+ RPM for 30 minutes. I've been training all season to push a harder gear at around 90 RPM, so the high RPM game just wasn't my thing. I made a suggestion that a more realistic measurement would be the average watts you are able to sustain over the 30 minute time frame. It's not that I think this would have allowed me to do significantly better, but it would be more representative of the actual biking event. I also have some concern over the calibration of the bikes, both between the bikes at the club and compared with the bikes I've been training on this off season. My baseline is usually around 90 RPM at gear 13, which produces approximately 230 watts (or so the display says). At the event, I was pushing gear 14 at 120 RPM, producing 350-360 watts, and it felt easier than the 230 watts I'm used to. So while my usual training bike might be off on the low end, these were definitely off on the high end. Maybe I'm too much of a stat junkie? However, the biking thing aside, I did have a really great time.

This was partly due to how well I did on the swim and run portions of the event. I actually tied for 1st in the swim, completing 25 lengths or 625 yards in 10 minutes. This works out to a 1:45 min/100m pace, which is awesome for me. I've been working on 200m sets in training and having a hard time maintaining that pace (after the first set), so keeping it for 625 yards is very satisfying. 625 yards is about 571 meters, so I definitely set a new personal best for the 500 meter distance. I feel as if the 1:45 min/100m pace is attainable for my triathlon in June, as I have 12 weeks of training left. I also did well in the run, completing 30 laps or 2.5 miles on the indoor track, which is a 10 mph average. Again, this was a personal best, although not a sustainable speed. I think I did the first mile in 5:30, which is the fastest I've ever run, albeit on a flat indoor track. Training with a 1% grade on the treadmill really paid off.

Personal Results (2nd place overall):

| Event | My distance | Place | 1st place distance |
| Swim | 625 yards | 1st (3 way tie) | 625 yards |
| Bike | 15.4 miles | ? | 21.9 miles |
| Run | 30 laps | 2nd (2 way tie) | 33 laps |
UPDATED: 4/25/2009 – See my new post on partial SSL in ASP.NET MVC using the RequireSsl attribute from the MVC Futures project.

Tonight I was working on a small ASP.NET MVC project and was trying to add authorization and "require SSL" to specific pages using IIS. Of course you don't have pages like you did in Web Forms, so setting security and SSL per directory and per file doesn't work the way I'm used to. The authorization requirement is actually pretty easy to handle once I approached the problem from a strictly MVC point of view. Using the Authorize attribute, which ships with ASP.NET MVC, I can pick and choose which controller actions to secure. In the code sample below I'm requiring the requester to belong to the Users role.

    [AcceptVerbs(HttpVerbs.Get), RequireSslFilter(Order = 1), Authorize(Roles = "Users", Order = 2)]
    public ActionResult ToServer()
    {
        return View("ToServer");
    }

When you need a little more control, you can implement a class that inherits from AuthorizeAttribute. Examples of when you might want to do this would be if you wanted to change the authorized role at runtime, or not require any role (perhaps in your dev environment), or when you want to require SSL. In the example above you can see RequireSslFilter, a custom filter, implemented as shown below, that requires the use of SSL.

    public class RequireSslFilter : AuthorizeAttribute
    {
        protected override bool AuthorizeCore(HttpContextBase httpContext)
        {
            if (httpContext.Request.IsLocal == false && httpContext.Request.IsSecureConnection == false)
                httpContext.Response.Redirect(httpContext.Request.Url.ToString().ToLower().Replace("http", "https"));

            return base.AuthorizeCore(httpContext);
        }
    }

In the code, I'm checking whether the request is neither local nor on a secure connection, and if so redirecting to the HTTPS version of the same URL. The IsLocal check is useful in development, where the machine usually has no certificate. I set the Order parameter on RequireSslFilter so that the SSL check runs before the role check. That ordering matters because a failed role check sends the browser to the login page: with the SSL filter first, that redirect is issued from a request that is already on HTTPS, so the login form is served and posted over SSL. Note what it does not do: a request that arrived over plain HTTP has already exposed whatever it carried (cookies included) before any filter runs, so the redirect protects the requests that follow, not the one being redirected.
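A hardened version of the filter described here and in the revisited post at the top of this page, written as an added example in C# and not as the original RequireSslFilter or the MVC Futures RequireSsl attribute. It implements IAuthorizationFilter directly so it makes no authentication decision, sets a RedirectResult instead of calling Response.Redirect, rebuilds the URL from RawUrl without lowercasing or string-replacing it, refuses to redirect anything but a GET, and lets you pin the host used in the redirect. AllowLocal, CanonicalHost and HttpsPort are hypothetical options introduced for this example:

```csharp
using System;
using System.Net;
using System.Web;
using System.Web.Mvc;

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
public sealed class RequireSslAttribute : FilterAttribute, IAuthorizationFilter
{
    // Hypothetical option: let plain-HTTP requests from the local machine through
    // (development boxes without a certificate).
    public bool AllowLocal { get; set; }

    // Hypothetical option: when set, the redirect is built from this host name instead
    // of echoing the Host header the client sent, so a forged Host header cannot steer
    // the redirect to another site.
    public string CanonicalHost { get; set; }

    // Hypothetical option: -1 means the default HTTPS port (443); set it when IIS
    // listens for SSL on another port, which the Futures attribute cannot express.
    public int HttpsPort { get; set; }

    public RequireSslAttribute()
    {
        HttpsPort = -1;
    }

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        if (filterContext == null)
            throw new ArgumentNullException("filterContext");

        HttpRequestBase request = filterContext.HttpContext.Request;
        if (request.IsSecureConnection)
            return;
        if (AllowLocal && request.IsLocal)
            return;

        // Only a GET can be replayed over SSL by a redirect. A POST that arrived over
        // HTTP has already put its body on the wire in the clear, and a 302 would drop
        // that body, so refuse it rather than pretend the redirect fixed anything.
        if (!string.Equals(request.HttpMethod, "GET", StringComparison.OrdinalIgnoreCase))
            throw new HttpException((int)HttpStatusCode.Forbidden, "This resource must be requested over SSL.");

        string host = string.IsNullOrEmpty(CanonicalHost) ? request.Url.Host : CanonicalHost;
        string target = BuildHttpsUrl(host, HttpsPort, request.RawUrl);

        // Setting a result lets MVC short-circuit the action and write the 302 itself;
        // calling Response.Redirect here would end the response with a ThreadAbortException.
        filterContext.Result = new RedirectResult(target);
    }

    // Builds "https://host[:port]/path?query". RawUrl is the path and query exactly as
    // the client sent them (so this survives URL rewriting); the case is preserved and
    // no part of it is string-replaced, unlike ToLower().Replace("http", "https").
    public static string BuildHttpsUrl(string host, int httpsPort, string rawUrl)
    {
        if (string.IsNullOrEmpty(host))
            throw new ArgumentException("host is required", "host");

        string pathAndQuery = string.IsNullOrEmpty(rawUrl) ? "/" : rawUrl;
        if (!pathAndQuery.StartsWith("/", StringComparison.Ordinal))
            pathAndQuery = "/" + pathAndQuery;

        string port = (httpsPort <= 0 || httpsPort == 443) ? string.Empty : ":" + httpsPort;
        return "https://" + host + port + pathAndQuery;
    }
}
```

Apply it the same way as the original filter, with the SSL check ordered ahead of the role check: `[RequireSsl(Order = 1), Authorize(Roles = "Users", Order = 2)]`. Because it refuses non-GET requests instead of redirecting them, a form that posts to an action decorated this way has to be served from an HTTPS page in the first place, which is the behaviour you actually want for anything that carries credentials.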
Tonight I was doing some load testing on an application I'm developing. Initially I was testing without SSL, but then needed to switch over to SSL, and I hadn't set up my development server with a cert. I jumped onto ssl4net (a free online certificate management site), created a new cert for my server and proceeded to import it in IIS 7, but got the error "A specified logon session does not exist. It may already have been terminated". I jumped around on Google for a bit and found this post by Omri Gazitt, and another post by FreakCode. The first talked about granting Everyone permissions on the file that corresponds to the cert's private key (on my computer the RSA keys are located at C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys). I remember doing something similar to this before, but it just didn't seem right. The second post suggested marking the certificate as exportable when importing it in IIS, and I had already done that, so that wasn't my problem either. I decided to remove the cert and try using the MMC Certificates snap-in (Local Computer) to import it. I also gave it a friendly name from within the MMC. Going back to IIS and selecting this cert in the binding dialog no longer produced an error. I don't know if it was how I imported it or the friendly name, but it is/was too late to go back and play with it any more.
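The thing IIS is complaining about with that logon-session error is that the certificate's private key is not reachable from the machine context: the key was either not persisted or was stored under the importing user's profile rather than the machine key set, which is why importing through the Local Computer certificate store fixes it. The following is an added example in C#, not code from the post or from IIS, that imports a PFX the way an IIS binding needs it (LocalMachine\My, key persisted in the machine key set) and then reports which certificates in that store have a usable private key. The class and method names are hypothetical:

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

public static class MachineCertImporter
{
    // Imports a PFX into LocalMachine\My so that IIS can bind to it. Run elevated.
    public static X509Certificate2 ImportPfx(string pfxPath, string password, string friendlyName)
    {
        X509KeyStorageFlags flags =
            X509KeyStorageFlags.MachineKeySet      // key lands under ProgramData\...\MachineKeys, not the user profile
            | X509KeyStorageFlags.PersistKeySet    // keep the key after this process exits
            | X509KeyStorageFlags.Exportable;      // same as the "allow this certificate to be exported" checkbox

        X509Certificate2 cert = new X509Certificate2(File.ReadAllBytes(pfxPath), password, flags);
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException("The PFX carries no private key; IIS cannot bind to it.");

        cert.FriendlyName = friendlyName; // what the IIS binding dialog shows in its drop-down

        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadWrite);
        try
        {
            store.Add(cert);
        }
        finally
        {
            store.Close();
        }
        return cert;
    }

    // True when the private key can actually be opened from this process. A cert that is
    // in the store but whose key lives in another user's profile, or was never persisted,
    // throws here, and that is the cert IIS rejects with the logon-session error.
    public static bool PrivateKeyIsUsable(X509Certificate2 cert)
    {
        if (!cert.HasPrivateKey)
            return false;
        try
        {
            AsymmetricAlgorithm key = cert.PrivateKey;
            return key != null;
        }
        catch (CryptographicException)
        {
            return false;
        }
    }

    // Lists LocalMachine\My the way the IIS binding dialog would, flagging unusable keys.
    public static void ReportServerCerts()
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            foreach (X509Certificate2 cert in store.Certificates)
            {
                string label = string.IsNullOrEmpty(cert.FriendlyName) ? cert.Subject : cert.FriendlyName;
                Console.WriteLine("{0,-40} {1} key={2}", label, cert.Thumbprint,
                    PrivateKeyIsUsable(cert) ? "usable" : "MISSING OR INACCESSIBLE");
            }
        }
        finally
        {
            store.Close();
        }
    }

    // usage: MachineCertImporter.exe <file.pfx> <password> <friendly name>
    public static void Main(string[] args)
    {
        if (args.Length == 3)
            ImportPfx(args[0], args[1], args[2]);
        ReportServerCerts();
    }
}
```

Running the report before and after an import is the quickest way to tell whether the fix was the store the cert went into or the friendly name: a cert that shows "MISSING OR INACCESSIBLE" will fail the IIS binding regardless of what it is called.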
I was having some problems with file permissions, my web hosting provider and DasBlog. It seems to have been related to compiling and e-mailing the daily status report, so I've turned that off for now. Hopefully it will stay running.
I have been toying with the idea of hosting my stuff back at home like I used to back in the day. I was the first of my friends to get broadband, thanks in part to UW-Madison and my dad (paying the bill). The great thing about the UW-Madison DSL was that they let you host all the services you wanted to. At one point I was running a mail server on Linux (can't remember which one), web, DNS, and a dedicated Unreal Tournament server.

I've been working on upgrading my home gear. I recently purchased a slew of UPSs (thanks to Circuit City going bye-bye), and while they won't protect against anything longer than probably 20 minutes, that's still good enough for my "mission critical" website ;). I also picked up two more WD Caviar Black HDs to create another RAID-1 array for my VMs. Also on the to-do list is to set up a pfSense firewall so I can have a properly segmented network between my internal services and the external (DMZ) ones.

The only thing I'm missing is an iSCSI array so I can set up clustered Hyper-V machines with Quick Migration to avoid downtime, but again, we're not talking mission critical stuff here. I think I can afford 10-15 minutes of downtime each month while I patch all the VMs and the host machine.