Teaching or lack of

by Jesse 30. May 2008 03:49

A friend of mine has been in school for programming now for nearly 2 years and getting his associates really soon.  Good for him!  On and off he's come and asked me some questions about how to approach certain problems, most of which have been fairly easy to me so I was happy to help and walk him through some of the confusing aspects.  No sweat.

About 2 days ago he approached me about his senior project and that they were doing a website and needed some help with editing, updating employee info.  He also noted that just getting data was a huge pain and took hours for them to get it to work.  No problem, that's easy stuff.  I busted out my favorite ORM tool (subsonic!!!) and showed him how to make his data access life easy.  None of this inline sql crap.  Then I discovered something downright offensive.

We all know architecture is important.  Someone forgot to tell them that.  Further, they didn't seek out any assistance and went crazy.  What they ended up with was a horrific db structure and data access the hardest way known to man (by hand using the object data source).  I kid you not there's a page, an aspx page that has over 1000 lines and it's just displaying simple address info, nothing more.  Adding more pain, instead of using 1 page as a one stop shop, every CRUD operation is broken up into individual pages.  View the data over here, edit it over there and save it somewhere else.  I'm not joking.  Just to step it up a notch, the naming conventions are "NewUser" (new employee), "Employee Management" (editing employee data) and "ManagePhoneNumbers" (just to edit phone numbers).  In their defense, the graphics and layout aren't bad, B+.  The links and usability, F.

What are they teaching these students?!  Are the professors this far removed from the real world?  This isn't the first time I've heard of teachers being way way off base and furthers my desire to teach.  It's terrible, sad and pathetic.


Coding | Architecture | Scam

Encryption, Development and AES

by Jesse 16. May 2008 06:55

If the custom module wasn't enough, I'm now wandering off into encryption land.  A quick scouting of the System.Security.Cryptography namespace shows me a ton of stuff to play with.

Ooo, AES.  I like AES.  It runs on my router(s) @ home and is viciously annoying to crack (TKIP f0r t3h w1n!!!11).  Cool, let's use that, it's good enough for top secret docs for the gov so it should be good enough for me.  But, as with anything else, there's a catch or ...20.  Here are some basic considerations.

Will this data be searched? 

Searching encrypted data is a royal PITA and a huge overhead.  Example: saving data to a db with encryption happening in the business layer.  A perfectly viable user says to the application "hey, find this" -- you cannot directly ask the database to find it, it is impossible, so every search that happens comes across, ALL OF IT (say 2 million records), decrypts, the search happens, finds the records necessary and passes that on.  Not very reasonable nor scalable.  2nd option for this is do it on the sql server itself.  Fundamentally I have a problem with this for 2 reasons.  1, from a purely architecture standpoint, this should never be passed off to the data source.  In the real world, it's probably ok to offload some of that overhead, but still, using the OSI model alone says "no no" -- encryption happens in the presentation level and offloading it means you pass through all 7 layers ONCE before you encrypt -- bad bad bad.  2nd, unless the data connection between app/server is encrypted to hell and back itself, your encryption is trumped and effectively worthless.
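The search problem described above, as an added C# example (not code from the original post): each value is encrypted in the business layer with AES-CBC under a fresh random IV, so the byte-for-byte comparison a database WHERE clause performs finds nothing, and the search only works once every row has been pulled back and decrypted. The class name, method names and sample rows are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Hypothetical demo class; the names and rows are constructed for this example.
static class EncryptedSearchDemo
{
    // AES-CBC with a fresh random IV per value; returns IV || ciphertext.
    // CBC alone is unauthenticated: a real design adds a MAC or uses an AEAD mode.
    static byte[] Encrypt(byte[] key, string plaintext)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = key;
            aes.GenerateIV();
            using (ICryptoTransform enc = aes.CreateEncryptor())
            {
                byte[] pt = Encoding.UTF8.GetBytes(plaintext);
                byte[] ct = enc.TransformFinalBlock(pt, 0, pt.Length);
                return aes.IV.Concat(ct).ToArray();
            }
        }
    }

    // Splits off the 16-byte IV and decrypts the remainder.
    static string Decrypt(byte[] key, byte[] blob)
    {
        using (Aes aes = Aes.Create())
        {
            aes.Key = key;
            aes.IV = blob.Take(16).ToArray();
            using (ICryptoTransform dec = aes.CreateDecryptor())
            {
                byte[] pt = dec.TransformFinalBlock(blob, 16, blob.Length - 16);
                return Encoding.UTF8.GetString(pt);
            }
        }
    }

    static void Main()
    {
        byte[] key = new byte[32]; // 256-bit key held by the business layer only
        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
            rng.GetBytes(key);

        // Constructed rows standing in for an encrypted database column.
        string[] names = { "Alice Smith", "Bob Jones", "Alice Smith" };
        List<byte[]> column = names.Select(n => Encrypt(key, n)).ToList();

        // What "WHERE col = @value" can do: compare stored bytes with an
        // encrypted search term. The random IV makes every ciphertext differ.
        byte[] probe = Encrypt(key, "Alice Smith");
        int dbMatches = column.Count(c => c.SequenceEqual(probe));

        // What the application has to do instead: fetch and decrypt every row.
        int rowsDecrypted = 0;
        int appMatches = column.Count(c =>
        {
            rowsDecrypted++;
            return Decrypt(key, c) == "Alice Smith";
        });

        Console.WriteLine("ciphertext equality matches: " + dbMatches);
        Console.WriteLine("rows decrypted: " + rowsDecrypted + ", matches: " + appMatches);
    }
}
```

The number of rows decrypted always equals the table size, which is the scaling cost the paragraph describes for a 2 million record table.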

How much protection is necessary?

The question of the ages.  Understanding the CISSP-ism of protection and risk management: the amount of protection spent on it should be equal to the amount of total loss of one breach by the inverse of the possibility of recurrence.  So say the data is worth 10 million dollars for ONE loss.  The probability of loss is once every 5 years.  10m/5y = 2 million a year should be spent to protect it.  No really.  Now, if there's no REAL value to the data, i.e., it's personal junk you keep at home for giggles, then whatever the server can handle works fine.  Otherwise, use reasonable + 1.

I'll stop there.  Other questions can range from "Who needs access to it?" to "Where will the server be physically housed" -- but that's somewhat outside of the scope of this post.  Not saying they're unimportant, just "too much" for this post.  I think my first task will be working on getting something simple to encrypt, like a file or a string and work up from there to see how much overhead this thing creates.


.Net | C# | Coding | Security | Architecture | Law

Web services, big networks, policies and you

by Jesse 5. May 2008 16:56

Right now I'm working on deploying a project that I never would imagine would be this difficult.  The idea was to swoop in, drop the code, show off (ooooooo ahhhhhhhh) and done.  Does anything ever go according to plan?  Of course not.  Well, this one had a rude surprise waiting on us.

The client I speak of has a huge, global network.  Active directory (which is good!) and somewhere around 10+ forests and god knows how many domains.  It's massive, utterly massive.  I would GUESS they have at least 5000 users on this one domain and probably 50-100k user accounts globally, ignoring groups.  So why is this a problem? :Sarcastic laugh:  A couple few reasons.

  1. Not all (logical) networks are set up "best practice".  Best practice is a cookie cutter template, it doesn't always fit and should be used as a guide so immediately you cannot assume "all domains trust each other" or "all accounts have rights".  Transitive trusts, one way trusts, mutual trusts all mean very different things -- they could screw you in different ways too.
  2. Not all authentication can be trusted to work across domains.  This includes SQL accounts.
  3. Not all network devices allow traffic.  This means your www traffic, ftp, etc might not work across the world.  Chances are, http traffic is your best bet, but it's not a sure shot.
  4. Network policies (more specifically, group policy) can be your best friend and your worst enemy.  You may not know which nor have a straight answer.

 

So translate: it means your code's magic won't always work thanks to network conditions -- it also means it might work on one domain (ohio domain let's say), it might on one network (wired works whereas a wireless may not), or it might work across one domain and not another (ohio might work with texas, but not necessarily in reverse or from colorado to texas), it may not run at full speed (ohio's domain has flood control turned on).

This makes my head hurt.  I have to think of ALL the network stuff I haven't used in a while plus the admin stuff and toss some happy code to get a wonderful steaming pile of confusion and pain.  After thinking about this for a minute (ok, half hour) I've decided that after this, I'm going to insist web services, anonymously.  Now before you have me skinned alive, hear me out and here's my thinking behind it.

Anonymous webservices can still be secured protected via https, certificates and credentials.  Sure, you can make a request without any network creds, but the service won't talk back because you don't meet the needs.  "But this'll increase the overhead on the server, it'll slow everything down!" and you would need to be fired -- speed should never trump a security decision.  "But what if an account isn't disabled and cleaned up?!" good point, not your problem, a well administered network will not have this concern. 

Now that those problems are addressed, why anonymous?  More likely than not, a network, and I'm speaking of the whole network, will allow web traffic from point A to point X without too much drama.  Furthermore, once the request gets to that service, I'd bet money that server is sitting in a screened subnet/protected area (I've yet to see one NOT setup like this in a really long time) -- perfect place to make all your sql calls (via ipsec I'm sure).

Will this make code more complicated?  Yes.  Will it tax the server/client more?  No doubt.  Will it drive up costs?  Yes -- BUT, and that's a full, wholesome but, it's meant for enterprise, treat it as such and bring the big guns.


Coding | Design | Architecture

DAL

by Jesse 3. March 2008 10:14

I've had the pain joy opportunity to work with Subsonic, Linq, NHibernate and good ole ADO.  The only one I haven't got to mess with yet is that new MVC thing.  My girlfriend, god love her, asked an amazing question - "What's the difference?  Don't they do the same thing?" Er ...yea I guess they do.  They all write to a database of some kind, somewhere.  So what is the difference?  Well, based on my humble experience, these are my thoughts on each.  Sadly, I don't think there's a clear, big time winner, but there are some that are somewhat better than others.  This'll be a general overview with not a ton of tech detail.

Subsonic is the latest thing I've had to use.  It's very Linq-ish, but not exactly.  Subsonic generates classes for you based on a command line executable and from there, you get your basic goodies, update, save, delete, -destroy- and other things.

 

A nice touch to this is three things, 1, all classes generated are partial classes so extending them is uber easy.  Just keep your namespace the same and you'll have NO problems expanding the class to do other things.  2, overloads of some items, such as "Validate", which by default confines to the table/column definition like "must be varchar, cannot be null". 3, if you have a "IsDeleted" column in your database, or "LastModified" ...when you call <entity>.delete(), IsDeleted goes to true and LastModified gets updated too.  4, the "Query" object is cool, I like it, you write various statements that append to your query for different situations (say, if you get an ID back that's greater than 0, that means you should go try to find it) and just do query.AndWhere("

and this magically paging feature.  My page index is 3 (I'm on page 3) and my page size is 20.  Done and done, no drama (makes repeaters easy to work with in that regard)

Of course, there's a few catches.  Joins are ...a royal pain -- creating views seems to be the best work-around (which are picked up by the code generation) and -any- change to the database -requires- a regeneration of the classes.  So if someone changes a column to a bit field, annddd you run your code without the new bits, kaboom.

Loading data is very easy, <Entity> entity = new <Entity>(Id) along with collections, for example <EntityCollection> collection = new <EntityCollection>.FetchAll() and it does bring back related data (database relationships).  Overall I like it, the learning curve is short and does its job with very few surprises.

Linq I've been using in my chapters in tandem and writing up my own little app using Linq.  Linq is part of the .Net 3 framework meaning "it's built in!", no extra downloads but you do have to download the extension for VS2005.  Within Vstudio, "Linq to Sql" and you're well on your way.  Drag/drop the tables you want, save it, you've got your entities.  These are also partial classes, so extending them is easy.

Linq also introduces a new ...thing called "var".  Consider var your container for ANYTHING you'd want from your database.  Syntax goes something ...like this.

Product now becomes like an instant database collection with a bunch of really slick stuff on-tap as shown below

One of the advantages with Linq is it's built into .net 3 so additional references are not needed, everything's in the GAC.  Second is that anything returned can be used like a database on tap -- don't like your results?  Need them filtered?  Do it right there on the spot if you want.  I think that's huge and uber flexible.  Another thing is more or less SQL like queries are used to get your data so the structure is familiar (just slightly out of order).  And Jon's a big fan -- that counts for something right?

Disadvantage, like SubSonic, every time you change the database, it's time to go regenerate the classes (only this time you get to use a GUI!).  Also misuse of var could get nasty.  I've read a few warnings on this, but we're all smart devs, we'd NEVER do that ...right?  I tried to find the post I was thinking of ...can't find it.  Oh well.

Part two I'll cover NHibernate and ADO because this got a lot longer than I suspected (2-3 days on and off)


.Net | Design | Architecture

Cross-thread goodness

by Jesse 4. January 2008 02:57

Ran into an interesting problem yesterday and it continues today.  I'm tossing in a more useful network awareness method into the project simply because ...well, it's kinda weak to have it only check when the app starts so I find this awesome event handler that does exactly what I want.  It checks for a network connection of any kind (and ignores loopback) and by using System.Net.NetworkInformation, 1 line sets this up ...if you press tab and let vstudio write the rest of it ...

NetworkChange.NetworkAvailabilityChanged += new NetworkAvailabilityChangedEventHandler(NetworkChange_NetworkAvailabilityChanged);

and it gives you the method "NetworkChange_NetworkAvailabilityChanged" -- a delegate method, which is fine, until you try to update stuff on a winform and you get this nasty "Cross-thread" error -- rude surprise.  Ok, fine.  I find a param I can set to disable this exception, but we're not about that -- we're going to do it right so off to ::shivers:: MSDN help.  2 hours pass and it shows me an example of a good threading call and a bad threading call, both of which are like saying "nuclear physics starts with this 3 mile long calculation" and it's great, but I want something that's clear, less cluttered and to the point.  Well, the accountant suggests I check out CLR via C# and brain up on threads, so I do.  Since delegates are a good place to start, I pop open chapter 15 to better understand what all a delegate does and expects and within that chapter it refers me to chapter 23 which talks in great depth about async operations -- imagine that.

Ok, so now it makes sense why it's complaining.  The two threads are independent and for no real good reason should one ever be allowed to talk to the other.  Think about an HR app that would allow this ...mmm scary eh?  So I come across a few year old blog, the only one I find that answers my question just the way I like it -- short, sweet, to the point and with the least amount of code as possible -- and it all makes perfect sense.

The long and short of it?  Within the method it creates, use System.Threading and do a this.Invoke(new WaitCallback(<methodName>), <methodArguments if any>); and within your <methodName> call up your usual control.text = "new stuff" ...with no cross thread complaints.  Here's the rest of the snippet.

// Needs: using System.Threading; using System.Net.NetworkInformation;
private void NetworkChange_NetworkAvailabilityChanged(object sender, System.Net.NetworkInformation.NetworkAvailabilityEventArgs e)
{
    // To view the cross-threading error, uncomment the lines below and comment out this.Invoke
    //bool alive = NetworkInterface.GetIsNetworkAvailable();
    //if (alive)
    //     Status.Text = "Connected";
    //else Status.Text = "Disconnected";

    // Marshal the update onto the UI thread that owns the Status control
    this.Invoke(new WaitCallback(CheckNetwork), NetworkInterface.GetIsNetworkAvailable());
}

// Runs on the UI thread, so touching the control is safe here
private void CheckNetwork(object NetworkNowAlive)
{
    bool alive = (bool)NetworkNowAlive;

    if (alive)
        Status.Text = "Connected";
    else
        Status.Text = "Disconnected";
}


.Net | Coding | Design | Architecture

Selenium and the Kiss Theory

by Jesse 3. January 2008 03:17

I've been tasked with testing our ajax enabled admin site for a project we've been working on for a little while now.  Jim, the head dev, asked me to use this thing called Selenium to test it with since current unit tests wig out with ajax items.  So off I go to figure this thing out.  After a short learning curve, it's not all that hard, but I DEFINITELY recommend some downloads to supplement.

If you're lucky enough to be like me and know absolutely nothing about how this thing works, don't worry -- it only took me ...2 hours? to get this running and firing off tests.  This should cut that down into a few minutes.  Before I send you off into the wild unknown, here's a market-less overview of what this thing is.  Selenium is a web unit tester that uses specifically formed html pages (tables, that's it) to run against your site.  That's it, that's all.  All you need is the site set up locally and this thing installed in another place, using the same IIS.  Now was that so bad?

Now for the meat.  Download this (it's small, under 2MB), create a new IIS app and dump the zip file contents into it.  Wow that was hard.  Navigate your browser to your new IIS app/index.html and you should see something like this.

Click the Selenium TestRunner, it'll bring you to another page, on the left, you'll see "Test Suite" and a link, click go, and a ton of stuff will appear.  At the top right, you'll see "Selenium TestRunner" in bold and "Execute tests" -- click the left most of those tests (this is run all) and wait a minute -- it'll rip through a ton of tests.  Most, if not all should pass (ideally, all pass).

Ok, great it works, now what?  Here's where I take everything on their site and ignore it.  "But what about all the functions, methods, blah blah?!?" I like to cheat and work more efficiently by letting software do the work and thankfully, they have an "IDE" for download as a firefox extension -- besides, reading the site it's like reading msdn, yea it's "cool" but 99.999999% of it you won't use.  Anyway, so now what?  That thing you just downloaded has ALL the stuff in it making it a million times easier to make this stuff work and now you can make tests to your heart's content, very quickly, which is great.

Now we switch gears a bit because as you will discover, it's a ROYAL PITA to figure out what the controls are named and you WILL need this info.  So instead of hunting through that notepad, may I suggest you try this, IE Dev Toolbar.  Using this is easy and here's your learning curve.  After you've downloaded this go into IE and (if you don't have menu bar showing, you shall suffer) click view, Explorer Bar, IE Developer Toolbar and you'll get this at the bottom of your IE.

You're only really worried about the first two buttons which are "Select Element by click" and "Refresh".  Basically if selecting by click isn't working, click the refresh button and it works.  To get this to work, click that first button and click something on a webpage you want to know.  The middle box will be populated and look as such.

You're only worried about "Name" which in this case is "connspeed" which you can double click on and copy/paste.  Now to bring all this together.  Go into firefox, click tools, Selenium IDE and close firefox.  You'll get this very uninteresting looking thing which is about to make your life easier.  Under "Command" in the big box, click the top most row (there's one there, believe me) and all the other controls below become active.  Oh and for the sake of blog, I'm only doing a SHORT example, open a page, type some stuff, click a link (google search).  This'll seem cumbersome at first, but it's the fastest way I've found so far, so stick with me on this.

Where it says "Command/Target/Value" click the dropdown arrow and look for "open" (or just type it, it'll autocomplete), type in the base URL for your site and leave value blank.  Click the row below the command you just created (trust me again, there's one there) and now hunt for the "type" command (or again, type it) and here's where IE dev comes in handy -- open up google, and click the "Select By Element" button, click on the search text box.  You'll find its name is simply "q", so in the target column, type in q and set your value for blog.rileytech.net.  Finally, we want to click the search button, so we give it another command of "click" with the target being the "Google Search" button whose name value is "btnG".  Your result should look something like this.

Now save as html into the directory where you copied the Selenium files over earlier and remember the filename.  Only one final step to make this puppy work, you need a test master file of sorts -- its sole purpose is to house links to the tests you just created.  No more, no less.  So fire up your favorite html editor, create a table that looks something like this (or just copy this and save it)

<html><body><table><tr>
<td>Test Suite</td></tr>
<tr><td><a href="./mytest.html">google test</a></td></tr>
</table></body></html>

Go back into Selenium, Selenium Test Runner and type in the url for your newly created master file and it should come up nicely.  Run it like you did the other tests and away you go.  Other useful commands are "verify" commands which you'll find there's a nice collection of them, along with "assert" (assertCheck is a good one).

Wow that was a long post.


.Net | Visual Studio | C# | Coding | Design | Architecture

COM wrapper (like word yo!)

by Jesse 15. November 2007 05:09

I've been tasked with doing some investigational work regarding Com Wrappers for .net.  So far it seems fairly easy with a good number of articles around the web.  I've been able to find some good stuff right on the MSDN website along with few more sites explaining the operations/expectations.  The skinny of it is a client has a com object that does most of the talking between its external face and internal face -- now they're looking to create a stripped down version of the external face.  It should be straight forward, but we know how that goes.

*Update* Ok so I found some stuff in a certification book.  Talks about using a proxy (hmm, this sounds familiar - wcf what?) to create a runtime callable wrapper.  Using a tool called the Type Library Importer Tool to suck out all the meta data the COM file has and creates a .net proxy for it.  The command to do this looks a little something like this.

tlbimp <somedll.dll> /out:<new.NETdll.dll>

You then add the new.NETdll to your project and you're done.


Coding | Design | Architecture


About the author

Like the description says, at my core, I'm a scientist and engineer.  I came from humble beginnings on a 486DX2 Packard Hell playing doom2 on IPX to in a small time retail shop and got into hardware (ISO layers FTW!) and it was all downhill from there.  I'm infinitely curious about almost everything and always wanting to know.

Some of the stuff I'm currently into/researching...

Sitefinity

Ninject

Subsonic

Java

Disclaimer

The opinions expressed herein are my own personal opinions and do not represent my employer's, their brother nor their dog's view in anyway.  At all.  Ever.

© Copyright 2007-2008