July 2008 Entries
UPDATE: I linked to the wrong post. I corrected the link.
During the recent Insiders summit, Wally cornered me into recording a really short video demonstrating a feature of ASP.NET MVC. I decided to sprinkle a little Ajax in my demo by showing how to use jQuery to call an action that returns a JsonResult.
Specifically, I show how to update a couple of regions in the page (two dom elements) with data pulled from the server. I then add a little sparkle to the demo by implementing the ubiquitous yellow fade when adding the content to the DOM. As you’re watching it, you’ll notice that I’m making it up on the fly based on another demo I did earlier that day.
He’s posted the video here in show #106 121. That’s heckuva a lot of shows Wally!
Technorati Tags:
aspnetmvc,
ajax,
jquery
It’s a quiet friday afternoon with all of our devs in training today, so I figured I’d take a breather and respond to this meme I’ve been tagged with by Simone, Keyvan, Steve and others.
How Old Were You When You Started Programming?
Have I even started really programming yet? I guess I got my first taste when I was around eight with my first computer, a TRS-80 Color Computer. That sucker could display 9 colors, all at once, believe it or not. My programming experience back then was pretty minimal. My dad and I mostly spent hours typing in program listings from books, complete with pages of DATA lines consisting entirely of 0s and 1s. Pretty much typing by hand the equivalent of binary resources. I also wrote simple programs that would draw pictures and my dumb attempts at Zork-like text adventures.
How Did You Get Started In Programming?
Well I would write dumb little programs for my TRS-80, then Commodore 128, then Amiga. But I never wrote any programs of any significance till I took a C and C++ class in college. Even then, those programs were not “real world” programs, but simple assignments. It wasn’t till after college when I had to get a J-O-B that I learned how to really program.
And it was a rough start, writing the most knotty spaghetti ASP code in VBScript ever. It wasn’t till I read Code Complete that I realized that I wasn’t programming yet, I was barfing code.
What Was Your First Language?
English. My first programming language was BASIC for the TRS-80. My first professional language was VBScript. My first Object Oriented language was C++.
What Was The First Real Program You Wrote?
Man, I can barely remember that far back. All I remember was on my first day of my first programming job, a helpful consultant/coworker showing me the ropes. The main thing she taught me that day was when looping through a RecordSet, don’t forget the rs.MoveNext call, or else!
Around that time, I started working on a website for a company called MyLaunch.com which later became Launch.com which later got bought by Yahoo. That was the first large website I worked on and the place I had my first and worse major production bug ever. It was a lot of fun because I also signed up on the site and would interact with the other members, since it was a community music site.
What Languages Have You Used Since You Started Programming?
What is this? Some sort of interview? The programming languages I’ve used professionally are: BASIC, Visual Basic, VBScript, Java, J++, Ruby, C#.
What Was Your First Programming Gig?
As I mentioned before, it was right after college I got a job at a consulting firm named Sequoia Softworks in Seal Beach, CA. We had an office right on main street near the beach above some antique store or something. We later changed our name to Solien. They’re still around, but their site needs some love.
If You Knew Then What You Know Now, Would You Have Started Programming?
Well in between investing large sums of money in the right stocks and getting out at the right time, yes, absolutely! I love to write code and write about code.
If There is One Thing You Learned Along the Way That You Would Tell New Developers, What Would It Be?
Learn to write and communicate well. Software development is rich in ideas and being able to communicate your ideas well will get you places. And keep an open mind. Things you’re absolutely sure about now, you might not be so sure about tomorrow.
What's the Most Fun You've Ever Had ... Programming?
Hacking on Open Source projects such as Subtext. Recently, working on my IronRuby + MVC prototype has been a lot of fun. I find it fun to try out new things as well as making old things better.
Technorati Tags:
Personal
One principle to follow when writing a unit test is that a unit test should ideally not cross boundaries.
Michael Feathers takes a harder stance in saying…
A test is not a unit test if:
- It talks to the database
- It communicates across the network
- It touches the file system
- It can’t run at the same time as any of your other unit tests
- You have to do special things to your environment (such as editing config files) to run it
Tests that do these things aren’t bad. Often they are worth writing, and they can be written in a unit test harness. However, it is important to be able to separate them from true unit tests so that we can keep a set of tests that we can run fast whenever we make our changes.
Speed isn’t the only benefit of following these rules. In order to make sure your tests don’t reach across boundaries, you have to make sure the unit under test is easily decoupled from code across its boundary, which provides benefits for the code being tested.
Suppose you have a function that pulls a list of coordinates from the database and calculated the best fit line for those coordinates. Your unit test for this method should ideally not make an actual database call, as that is reaching across a boundary and coupling your method to a specific data access layer.
Reaching across a boundary is not the only sin of this method. Data access is an orthogonal concern to calculating the best-fit line of a series of points. In The Pragmatic Programmer, Andrew Hunt and Dave Thomas tout Orthogonality as a key trait of well written code. In an interview on artima.com, Andy describes orthogonality like so:
The basic idea of orthogonality is that things that are not related conceptually should not be related in the system. Parts of the architecture that really have nothing to do with the other, such as the database and the UI, should not need to be changed together. A change to one should not cause a change to the other. Unfortunately, we've seen systems throughout our careers where that's not the case.
Ideally, you would refactor the method so that the data the method needs is provided to it via some other means (another method passing the data via arguments, dependency injection, whatever). That other means, whatever it is, can perform the necessary data access: that’s not your concern at this moment. You aren’t testing that other means (right now at least, you might later), you’re focused on testing this unit.
This isolation enforced by unit test can be challenging, as it’s easy to get distracted by these other orthogonal concerns. For example, if this method doesn’t do data access, which one does? However, having the discipline to focus on the unit being tested can help shape your code so that it follows the single responsibility principle (SRP for short). If your test needs to access an external resource, it might just be violating SRP.
This provides several key benefits.
- Your function is no longer tightly coupled to the current system. You could easily move it to another system that happened to have a different data access layer.
- Your unit test of this function no longer needs to access the database, helping to keep execution of your unit tests extremely fast.
- It keeps your unit test from being too fragile. Changes to the data access layer will not affect this function, and therefore the unit test of this function.
All this decoupling will provide long term benefits for the maintainability of your code.
Update: I updated the source today. It now has minimal support for layouts. It needs more improvement for sure.
In June, John Lam wrote about a demo he gave at Tech-Ed 2008 where he showed IronRuby running on ASP.NET MVC. He posted the code for the demo online, but it relied on an unreleased version of MVC, so the code didn’t actually work.
Now that Preview 4 is out, I revisited the prototype and got it working again. I use the term working loosely here. Yeah, it works, but it is really rough around the edges. As in, get a bunch of splinters rough. At least it looks better as I did take a moment to use a CSS layout from Free CSS Templates slightly tweaked by me.
Getting the Prototype Up And Running
The IronRuby assemblies are based on an internal build, so they aren’t the same version as the publicly available ones. As such, they are not fully signed so you might get an ugly error message when you try to run the demo. You’ll need to add a verification entry into the GAC using the sn –Vr assemblyname.dll command.
I was lazy and just ran the following to add a verification entry for any assembly (note: there is a security risk in doing this):
sn –Vr *,*
And when I was done, I ran:
sn –Vu *,*
to remove that catch-all verification entry.
Other Notes
I made a few small improvements to the project since John posted the code. I added helper overloads that accept ruby hashes, for example. This allows you to do the following within the view:
<%= $html.ActionLink("Home", {:controller => "Home", :action => "index"}) %>
I also implemented more of the application, including the ability to edit an item. That forced me to get some more of the form helpers working with IronRuby.
As I mentioned in my previous post on this topic, IronRuby and ASP.NET MVC BFFs Forever:
Disclaimer: This is all a very rough prototype that we’ve been doing in our spare time for fun. We just wanted to prove this could work at all.
If this sort of stuff interests you, have fun with it. I’ll try and post updates as we take this prototype further. It has definitely been a worthwhile exercise as we’ve found many areas for improvement in our extensibility layer. I believe ASP.NET MVC will be better overall because we spent the time to do this.
And before I forget, here’s the DOWNLOAD LINK.
Technorati Tags:
Ironruby,
aspnetmvc
(If you want to skip all the blah blah blah, go straight to the release)
What I love about working with The Gu (aka ScottGu, the man with many aliases) is that he makes my life easier with his gargantuan and detailed blog posts covering the features of each release. This allows me to follow up and fill in some details with a much shorter post, as by the time we get a release out the door, I’m usually too exhausted to write such a detailed post as he does. Yeah, excuses excuses.
In his latest post, Scott covers the ASP.NET MVC CodePlex Preview 4 release in two parts. This is the next in a continuing series of preview releases that alternate between full CTP level releases on ASP.NET and interim releases on CodePlex. Unlike previous CodePlex releases, this one contains an MSI installer for convenience. There are still some rough spots with some of the new features as we tried to get a lot into this release to elicit feedback. In fact, I’ve been doing some app building today and have already run into some areas for improvements with the Ajax helpers. I look forward to hearing your feedback as well.
MVC Futures
One thing you’ll notice in the project template that Scott didn’t cover in much detail is that we include a new assembly, Microsoft.Web.Mvc.dll. The release notes explain what this is.
The ASP.NET MVC team builds prototypes for a lot of features during the course of normal development. Some of these features will not be included in the RTM release, but are very likely to be included in a future full release. We’ve moved many of these features into a separate assembly, Microsoft.Web.Mvc.dll.
This follows what the ASP.NET’s team intends the term Futures to mean when it comes to products. Futures should contain features that we think has a decent chance of making it into the framework. If we implement something we are pretty sure we have no intention of including in the framework, we’ll typically post it as a blog sample or something to that effect.
Component Controller
For those that have used this, you’ll notice that we removed the ComponentController class. Instead, we renamed RenderComponent to be RenderAction and re-implemented it so that it works against a normal controller. This code is was moved to the MVC Futures assembly since we’re not planning to include it in the RTM.
My personal opinion is that this violates the separation of concerns so important to the MVC pattern. Having a method within your view calling back into a controller in order to render out a bit more view makes me feel a wee bit dirty ;). We’re developing prototypes for an alternative approach. In the meanwhile, I recognize that for a small sacrifice of pattern purity, this method is very useful, hence its inclusion in the MVC Futures assembly, but do understand that you use it at your own risk.
What’s Next?
The roadmap for ASP.NET MVC has been up on the CodePlex site for a while. We still have more cleanup and implementation work to do on the Ajax features, as well as existing and new helper methods. Likewise, we are tackling the problem of how should you report validation errors to the user via a common error reporting mechanism. This might not handle validation itself, but gives everyone a common place to put validation messages and allows for some of HTML helpers to be aware of these messages and render themselves accordingly.
And before I forget, you can download ASP.NET MVC CodePlex Preview 4 from the release page.
Technorati Tags:
aspnetmvc
By default, ASP.NET Routing ignores requests for files that do not exist on disk. I explained the reason for this in a previous post on upcoming routing changes.
Long story short, we didn’t want routing to attempt to route requests for static files such as images. Unfortunately, this caused us a headache when we remembered that many features of ASP.NET make requests for .axd files which do not exist on disk.
To fix this, we included a new extension method on RouteCollection, IgnoreRoute, that creates a Route mapped to the StopRoutingHandler route handler (class that implements IRouteHandler). Effectively, any request that matches an “ignore route” will be ignored by routing and normal ASP.NET handling will occur based on existing http handler mappings.
Hence in our default template, you’ll notice we have the following route defined.
routes.IgnoreRoute("{resource}.axd/{*pathInfo}");
This handles the standard .axd requests.
However, there are other cases where you might have requests for files that don’t exist on disk. For example, if you register an HTTP Handler directly to a type that implements IHttpHandler. Not to mention requests for favicon.ico that the browser makes automatically. ASP.NET Routing attempts to route these requests to a controller.
One solution to this is to add an appropriate ignore route to indicate that routing should ignore these requests. Unfortunately, we can’t do something like this: {*path}.aspx/{*pathinfo}
We only allow one catch-all route and it must happen at the end of the URL. However, you can take the following approach. In this example, I added the following two routes.
routes.IgnoreRoute("{*allaspx}", new {allaspx=@".*\.aspx(/.*)?"});
routes.IgnoreRoute("{*favicon}", new {favicon=@"(.*/)?favicon.ico(/.*)?"});
What I’m doing here is a technique Eilon showed me which is to map all URLs to these routes, but then restrict which routes to ignore via the constraints dictionary. So in this case, these routes will match (and thus ignore) all requests for favicon.ico (no matter which directory) as well as requests for a .aspx file. Since we told routing to ignore these requests, normal ASP.NET processing of these requests will occur.
For a code sample of this in action, download this project. In this project, I map Errors.aspx to a custom HTTP Handler I wrote within Web.config. Notice that when you navigate to /Errors.aspx, you see a message that it worked. Remove the first route above, recompile, and try again and you’ll see an error message.
Technorati Tags:
aspnetmvc,
routing
We all know that it is bad bad bad to trust user input. I don’t care if your users are all ascetic monks in a remote monastery, do not trust their input. However, user input often likes to put on sheep’s clothing and disguise itself as something else entirely, such as the case with ViewState.
Another example of this is highlighted in the latest entry of his excellent series of ASP.NET MVC tips. In this post, Stephen Walther writes about how cookie values and server variables can be passed as parameters to action methods.
Immediately, commenters understably asked whether this was safe or not. One person went so far as to call this a security hole in controller actions.
However, to be extremely nitpicky, the security implication isn't in passing server variables this way. That’s perfectly safe. The security implication is in trusting the values passed to an action method in the first place. If your action method makes decisions with security implications based on assuming that these values are accurate, then you have a potential security problem.
Keep in mind, many of these values can be spoofed with or without ASP.NET MVC. Many of the server variables should never be trusted no matter how you access them, whether via this technique or a call to Request.ServerVariables["variable_name"].
In fact, right there near the top of the MSDN documentation for the IIS Server Variables, it warns against trusting these values:
Some server variables get their information from HTTP headers. It is recommended that you distrust information in HTTP headers because this data can be falsified by malicious users.
In the same way, in a typical configuration for ASP.NET MVC, the parameter values for action methods come directly from the user in the form of the URL or Request parameters. This makes sense after all, since the whole point of a controller in the MVC pattern, according to Wikipedia, is to:
Processes and responds to events, typically user actions, and may invoke changes on the model.
The parameters to an action method generally correspond to user input. It’s really asking for trouble to have parameters in an action method that you consider to be anything but user input.
In the end, I don’t consider this a security flaw so much as a security lure. This is the type of thing that might tempt someone to do the wrong thing and trust these values. We will review this particular case and consider not passing in server variables into action methods, but doing so doesn’t really solve the fundamental issue. There are other ways to pass data to an action method (defaults on a route) that a developer might be tempted to trust (don’t trust it!).
Whether we change this or not, the fundamental issue is that developers should never trust user input and developers should always treat action parameter values as user input.
Yesterday, I wrote a quick and dirty ASP.NET HttpModule for displaying the time that a request takes to process. Note that by turning on trace output for a page, you can get timing information for that page. But as far as I understand, and I need to double check this, this only applies to the page lifecycle, which might not have all the information you want in the context of ASP.NET MVC.
Not to mention, I just wanted to see a simple number at the end of the page and not have to wade through all that trace output. Also keep in mind that this number only applies to the time spent in the ASP.NET pipeline. It obviously doesn’t tell you the full time of the request from browser sending the request to the browser rendering the response. For that I would use something like Firebug in Firefox.
Here’s the code for the module. Note that it only works from local requests in Debug mode. That’s a safety precaution so that if someone accidentally deploys this to a production machine, they won’t see this number at the bottom.
using System;
using System.Diagnostics;
using System.Web;
public class TimingModule : IHttpModule {
public void Dispose() {
}
public void Init(HttpApplication context) {
context.BeginRequest += OnBeginRequest;
context.EndRequest += OnEndRequest;
}
void OnBeginRequest(object sender, System.EventArgs e) {
if (HttpContext.Current.Request.IsLocal
&& HttpContext.Current.IsDebuggingEnabled) {
var stopwatch = new Stopwatch();
HttpContext.Current.Items["Stopwatch"] = stopwatch;
stopwatch.Start();
}
}
void OnEndRequest(object sender, System.EventArgs e) {
if (HttpContext.Current.Request.IsLocal
&& HttpContext.Current.IsDebuggingEnabled) {
Stopwatch stopwatch =
(Stopwatch)HttpContext.Current.Items["Stopwatch"];
stopwatch.Stop();
TimeSpan ts = stopwatch.Elapsed;
string elapsedTime = String.Format("{0}ms", ts.TotalMilliseconds);
HttpContext.Current.Response.Write("<p>" + elapsedTime + "</p>");
}
}
}
Notice that I made use of the System.Diagnostics.Stopwatch class, which provides more accuracy than simply calling taking the difference between two calls to DateTime.Now.
In my web.config, I just needed to add the following to the httpModules section (replacing Namespace and AssemblyName with their appropriate values):
<httpModules>
<!-- ...other modules... -->
<add name="TimingModule" type="Namespace.TimingModule, AssemblyName" />
</httpModules>
For IIS 7, this configuration would go in the <modules /> section.
Lastly, don’t forget to set your website to debug mode by adding the following in your Web.config. If you want to test your perf in release mode, just remove the IsDebuggingEnabled clause in the module and you don’t need to make the following change.
<compilation debug="true">
<!-- ... -->
</compilation>
Hope you find this useful.
I credit Google AdSense for really opening up the possibility for small blogs to become sources of passive income. Look around the web and you’ll see nearly every blog sport an AdSense ad or two…or three.
For most people, it amounts to a bit of pocket change - maybe enough money for a coffee or an occasional indulgence. But soon, the lure of adding more ads from other ad networks overwhelms publishers and soon blogs start to look more like the movie Idiocracy.
A while back, Jeff Atwood wrote about how content is becoming dwarfed by advertisements in his post, A World of Endless Advertisements, which is where I took that photo. I was heading down that path when I read his post and it gave me pause.
At that time, I had recently started a new business with a friend and we were struggling, so any source of extra income was welcome. But I was always hoping to tone it down a bit.
Now I’m at a pretty stable company, so I don’t necessarily need the extra income, but I don’t mind it because I also have a kid who can eat us out of house and home. Fortunately, I have the opportunity to have my cake and eat it too by removing all of my ads except for The Lounge. Hopefully this makes my site move farther and farther from the screenshot above.
James Avery and I go way back. He’s been involved with Subtext in the past, I contributed some chapters to a book he and Jim Holmes put together. Like many relationships forged in the online community, we’ve never actually met in person, but I feel like I’ve known the guy for a long time.
What I like about James is he’s a real hustler, which you have to be as an independent entrepreneur/consultant/contractor. He seems to be executing on a huge roster of ideas all at once all the time. I’ve gone that route, and found it both exhilarating and downright tough. So my hats off to James.
The other notable thing about The Lounge is that James is using ASP.NET MVC to build it out and is so far finding the experience to be a good one. Right James?
Technorati Tags:
The Lounge,
blog,
ads