On Tuesday January 22 I will be presenting to the Twin Cities Windows 8 User Group on Data Access and Asynchronous Programming for Windows Store Applications -
Dave Stienessen’s blog

Solution zip file available here
NOTE: I still have a problem with the SQLite example; however, to use the samples, you simply have to open the app.xaml.cs file in the Windows 8 project and comment/uncomment the view model in use.
Still time to register for Code Mastery Minneapolis on October 2!! http://codemastery.com/minneapolis
Code Mastery Minneapolis is hosted by Magenic with the goal to present attendees with meaningful technical content by the professionals that are using the subject matter every day.
The featured speaker for the Minneapolis event is Magenic CTO and CSLA .NET creator Rockford Lhotka. Along with a great agenda, we’ll make time for you to network and make some great connections.
Please pass this on to your friends and colleagues that may be interested in the event.
I’ve been wrangling with how to build a home server storage volume with the mix-and-match set of hard drives I have on hand – frustrated by Windows Home Server having deprecated the Drive Extender feature, I was exploring the OpenSolaris ZFS file system because of its capability to have a volume built with different-capacity drives, dynamically extended, and resilient to failure. Of course I’d like to do this on the Windows box I have, without sacrificing the ability to play games and other stuff I want Windows for – so I thought I’d use Solaris with VirtualBox to run a Windows VM. Thankfully, before I reformatted and tried to knock the rust off my Unix skills, I saw this post on Windows 8 Storage Pools.
Virtualizing storage for scale, resiliency, and efficiency
Bring on the beta!! I may have to knock the dust off a few drives I’ve been sitting on but I can’t wait (sorry, I’m not throwing the dev preview on my home PC where I want a chance at recovering data).
Too often I still see plain-text passwords in a database – really, what need is there to store the actual password? I find it rather funny that some of the IT types out there will fret for days over performing a firewall change but don’t really bat an eye at the fact that a simple SQL SELECT query may return all of their users’ password data. I’ve heard arguments like “but the database server isn’t accessible to the internet” – really? So can you really guarantee that your entire app is immune to SQL injection attacks? And it will always remain that way? And what about the administrative DBA that becomes disgruntled and quits? Are you at risk now? I think anyone that stores a password in plain text or even using SQL Server’s encryption should say they are at risk in the last scenario (DBAs made the encryption key backups, right?).
At this point, if I have to do an evaluation of an existing application, one of the first things I’d do is query the main user table and just look at the data set – if I see passwords, it’s a FAIL IMHO. There was a time when the encryption and/or hash was more difficult to do, but that time has passed. Let’s move on.
My best recommendation to you would be to use what is called a salted hash to store a representation of the password (but not the password itself) – there are plenty of detailed articles online for more detail, feel free to search for more information – my goal here is to quickly define what this means and to show how little code is needed with the .NET framework to achieve a functional salted hash.
First some quick definitions:
OK, so the basic idea is that when you create a user account, you generate a ‘salt’ – that is a random sequence of bytes usually 6-8 bytes long. This is generated once and ONLY once – it can never be updated or you’ll break the password authentication.
So with a user created with a salt, you then calculate a hash by doing the following (pseudo code)
    user.PasswordHash = CalculateHash(Concat(user.Salt, passwordString));
OK, now to validate a user’s login, it’s basically the same calculation and you compare the hashes – again pseudo-code for this section
    if (user.PasswordHash == CalculateHash(Concat(user.Salt, passwordString)))
        // user entered the correct password
    else
        // passwords don't match
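The create-and-verify flow from the pseudo-code above as compilable C#, added here as an example and not the author's own code. It assumes .NET 6 or later and substitutes PBKDF2 (Rfc2898DeriveBytes.Pbkdf2) for CalculateHash, with a 16-byte salt and a constant-time comparison instead of ==; UserRecord, PasswordStore, the iteration count and the sample passwords are hypothetical.

```csharp
using System;
using System.Security.Cryptography;

// Added example: UserRecord and PasswordStore are hypothetical names.
public sealed class UserRecord
{
    public byte[] Salt { get; set; } = Array.Empty<byte>();
    public byte[] PasswordHash { get; set; } = Array.Empty<byte>();
}

public static class PasswordStore
{
    private const int SaltBytes = 16;       // assumption: longer than the 6-8 bytes mentioned above
    private const int HashBytes = 32;       // SHA-256 output size
    private const int Iterations = 600_000; // assumption: tune to your own hardware budget

    // Stands in for CalculateHash(Concat(salt, password)) in the pseudo-code;
    // PBKDF2 mixes the salt in and repeats the hash to slow down guessing.
    private static byte[] CalculateHash(byte[] salt, string password) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations,
                                  HashAlgorithmName.SHA256, HashBytes);

    // Account creation: generate the salt once, store only salt and hash.
    public static void CreateCredentials(UserRecord user, string password)
    {
        user.Salt = RandomNumberGenerator.GetBytes(SaltBytes);
        user.PasswordHash = CalculateHash(user.Salt, password);
    }

    // Login: recompute with the stored salt and compare without an early exit,
    // so the comparison time does not depend on how many bytes match.
    public static bool Verify(UserRecord user, string password)
    {
        byte[] candidate = CalculateHash(user.Salt, password);
        return CryptographicOperations.FixedTimeEquals(candidate, user.PasswordHash);
    }
}

public static class Program
{
    public static void Main()
    {
        var user = new UserRecord();
        PasswordStore.CreateCredentials(user, "correct horse battery staple"); // constructed sample
        Console.WriteLine(PasswordStore.Verify(user, "correct horse battery staple"));
        Console.WriteLine(PasswordStore.Verify(user, "not the password"));
    }
}
```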
The solution I did for TCCC 10 had a couple of problems – I corrected the edit page so it actually saves the changes and also added a new business rule (attribute) based code generation T4 template for the EF context so simple attributes get your business rules invoked on change to an entity. See my earlier blog entries for more info on this.
Anyway the solution is here ExampleNTier V2
This entry is an example illustrating how you’d apply the attributes generated by my T4 template add-in.
The solution for the extension itself is here EF4 Attribute Business Rule Code Gen Solution. Feel free to customize it to your own needs.
– the vsix (installer for it) is here EF4 Attribute BR Code Generator Extension
Please note – right now the T4 template generates the attribute classes themselves along with a UnitOfWork helper class – in larger solutions where there will likely be multiple edmx files you wouldn’t want multiple copies of these classes – so treat this as a starting point for solutions like that.
Example using the business rule attribute – assuming you have a mapped table called Customer (and hence a generated class representing it, also called Customer, in the EF generated code, and a context interface of IAdventureworksEntities):
    // Note: the rest of the Customer class is generated by the T4 template.
    [BusinessRule(typeof(CustomerRules))]
    public partial class Customer {}

    public class CustomerRules
    {
        // Holds the context passed to the constructor so rules can use it.
        private IAdventureworksEntities CurrentDataSource { get; set; }

        public CustomerRules(IAdventureworksEntities context)
        {
            CurrentDataSource = context; // save the context in case the business rules need it
        }

        [BeforeInsert(typeof(Customer))]
        public void BeforeInsert(Customer cust)
        {
            // before insert logic here
        }

        [BeforeUpdate(typeof(Customer))]
        public void BeforeUpdate(Customer cust)
        {
            // before update logic here
        }

        [BeforeDelete(typeof(Customer))]
        public void BeforeDelete(Customer cust)
        {
            // before delete logic here
        }

        [AfterInsert(typeof(Customer))]
        public void AfterInsert(Customer cust)
        {
            // after insert logic here
        }

        [AfterUpdate(typeof(Customer))]
        public void AfterUpdate(Customer cust)
        {
            // after update logic here
        }

        [AfterDelete(typeof(Customer))]
        public void AfterDelete(Customer cust)
        {
            // after delete logic here
        }
    }
Many thanks to the folks that run TCCC 10 – the speaking experience was great. It was fun to get back into the swing of speaking in front of a bunch of people about a fun piece of technology.
They interviewed all the speakers and my interview is available at…
http://www.youtube.com/watch?v=kqagpdBnOYY
I still can’t get used to seeing myself on video – oh well.
For those of you who saw my presentation at Twin Cities Code Camp, the sample code can be downloaded as a solution zip file: ExampleNTier

One project I worked on was for a custom Software as a Service (SaaS) application that needed to support federated log-in for some tenants, but standard forms authentication for others. After extensive research (aka ya-goo-bing), it always looks like ASP.NET applications can only support one authentication mechanism at a time. This seemed stupid to me (and in particular because I was working on a SaaS app that requires something else) so I looked for ways to get around this. It’s probably important to note that this isn’t the only reason you might want to support ADFS along with another security mechanism – other reasons might include:
First the use case – in this case, a multi-tenant SaaS application wants to allow some customers (tenants) to authenticate using ‘normal’ forms authentication. Other customers wish to federate their Active Directory using ADFS (or another WS-Federation compliant service that works with ADFS). Anyway, the problem is twofold – first, how to pre-identify the tenant so we know whether to send them down the ADFS route or the Forms Authentication route, and second, how to make the 2 authentication mechanisms play nice with one another.