now available in digital format!

If you are an MSDN program subscriber MSDN Magazine is a

free benefit of your MSDN subscription.

To register for your digital subscription, go to:

http://msdn.microsoft.com/subscriptions
sign in (link upper left), and then click on MSDN Magazine
Subscription in the My MSDN Subscription box on the right.
You'll be redirected to the registration page for this exclusive
offer. Submit the form to start your free digital subscription.

If you not an MSDN Program subscriber and would like to apply for
your own digital version, 12 issues for $25.00 please apply here:
https://cmp-sub.halldata.com/mfdigital

If you would like to learn more about an MSDN program

subscription please click here:
http://msdn.microsoft.com/en-us/subscriptions/aa718656.aspx

Composite Web Apps With Prism
Shawn Wildermuth page 35
COLUMNS
Toolbox
Static Analysis Database Tools,
Managing Remote Computers,
And More Scott Mitchell page 11

CLR Inside Out

Building Tuple
Matt Ellis page 14

Basic Instincts
Stay Error Free With Error
Corrections Dustin Campbell page 21

RESTful Services With ASP.NET MVC Cutting Edge

Aaron Skonnard page 48 Comparing Web Forms And
ASP.NET MVC
Dino Esposito page 28

Test Run
Request-Response Testing
With F# James McCaffrey page 72

Distributed Caching On The Path Service Station

To Scalability
Iqbal Khan page 62
THIS MONTH at msdn.microsoft.com/magazine:
More On REST
Jon Flanders page 79
Extreme ASP.NET
Guiding Principles For Your
ASP.NET MVC Applications
Scott Allen page 85

Wicked Code
USABILITY IN PRACTICE: Usability Testing Taking Silverlight Deep Zoom
Dr. Charles B. Kreitzberg & Ambrose Little
To The Next Level
INSIDE WINDOWS 7: Introducing The Taskbar APIs Jeff Prosise page 90
Yochay Kiriaty & Sasha Goldshtein
Foundations
TESTABLE MVC: Unit Testing ASP.NET MVC Securing The .NET Service Bus
Justin Etheredge Juval Lowy page 99

JULY 2009 VOL 24 NO 7

learn more at: infragistics.com
Superior UI Components for Windows Forms, WPF, ASP.NET & Silverlight
From the experts in creating exceptional User Experiences

Four Platforms. One Package.

Copyright 1996-2009 Infragistics, Inc. All rights reserved. Infragistics, the Infragistics logo and NetAdvantage are registered trademarks of Infragistics, Inc. All other trademarks or registered trademarks are the respective property of their owners.
 Instantly Search
Terabytes of Text
N dozens of indexed, JULY 2009 VOLUME 24 NUMBER 7

unindexed,
LUCINDA ROWLEY Director
fielded data and
EDITORIAL: mmeditor@microsoft.com
full-text search HOWARD DIERKING Editor-in-Chief
options (including
WEB SITE
Unicode support MICHAEL RICHTER Webmaster
for hundreds
CONTRIBUTING EDITORS Don Box, Keith Brown, Dino Esposito, Juval Lowy,
of international Dr. James McCaffrey, Fritz Onion, John Papa, Ted Pattison, Charles Petzold,
languages) Jeff Prosise, Jeffrey Richter, John Robbins, Aaron Skonnard, Stephen Toub
MSDN Magazine (ISSN # 1528-4859) is published monthly by TechWeb, a division of United Business
Media LLC., 600 Community Drive, Manhasset, NY 11030 516-562-5000. Periodicals Postage Paid
N file parsers / at Manhasset, NY and at additional mailing offices. Back issue rates: U.S. $10. All others: $12. Basic
one-year subscription rates: U.S. $45. Canada and Mexico $55. Registered for GST as TechWeb, a
converters for division of United Business Media LLC., GST No. R13288078, Customer No. 2116057 Canada Post:
Publications Mail Agreement #40612608. Canada Returns to be sent to Bleuchip International, P.O.
hit-highlighted Box 25542, London, ON N6C 6B2. All other foreign orders $70, must be prepaid in U.S. dollars drawn
on a U.S. bank. Circulation Department, MSDN Magazine, P.O. Box 1081, Skokie, IL 60076-8081, fax
display of all 847-763-9583. Subscribers may call from 8:00 AM to 4:00 PM CST M-F. In the U.S. and Canada 888-
847-6188; all others 847-763-9606. U.K. subscribers may call Jill Sutcliffe at Parkway Gordon 01-49-
1875-386. Manuscript submissions and all other correspondence should be sent to MSDN Magazine,
popular file 6th Floor, 1290 Avenue of the Americas, New York, NY 10104. Copyright © 2009 Microsoft Corporation.
All rights reserved; reproduction in part or in whole without permission is prohibited.
types
h Spider
Desktop wit
POSTMASTER: Send address changes to MSDN Magazine, P.O. Box 1081, Skokie, IL 60076-8081

N Spider supports h Spider

READERS: Order, renew, or make payment for subscriptions; order back issues; and submit

static and Network wit customer service inquiries via the Web at http://msdn.microsoft.com/msdnmag/service.

CD/DVDs
dynamic web Publish for PUBLISHER:
data; highlights
hits while Web with S
pider
New Jill Thiry jthiry@techweb.com

Win & .NET 64-bit

ADVERTISING SALES: 785-838-7573/dtimmons@techweb.com
displaying links, Engine for David Timmons Associate Publisher
formatting and Linux Jon Hampson Regional Account Director, Northeast US and EMEA
images intact Engine for Ed Day Regional Account Manager, West & South US and APAC
Brenner Fuller Strategic Account Manager, West & South US and APAC
Michele Hurabiell-Beasley Strategic Account Manager, Key Accounts
N API supports .NET, C++, Java, databases, etc. Julie Thibault Strategic Account Manager, Northeast US and EMEA
Meagon Marshall Account Manager
New .NET Spider API Pete C. Scibilia Production Manager / 516-562-5134
Wright’s Reprints 877-652-5295
® ubmreprints@wrightsreprints.com
The Smart Choice for Text Retrieval ONLINE SERVICES: 415-947-6158/mposth@techweb.com
since 1991 Mark Posth Community Manager
Meagon Marshall Online Specialist
N “Bottom line: dtSearch manages a terabyte of AUDIENCE SERVICES: 516-562-7833/kmcaleer@techweb.com
text in a single index and returns results in less Karen McAleer Audience Development Director
than a second” – InfoWorld SUBSCRIBER SERVICES: 800-677-2452/lawrencecs@techinsights.com

N “For combing through large amounts of data,”
dtSearch “leads the market”
– Network Computing
N dtSearch “covers all data sources ... powerful
Web-based engines” – eWEEK
N dtSearch “searches at blazing speeds”
– Computer Reseller News Test Center
TechWeb, a division of United Business Media LLC.–The Global Leader in Business Technology Media
Tony L. Uphoff CEO
Bob Evans SVP and Content Director
Eric Faurot SVP, Live Events Group
Joseph Braue SVP, Light Reading Communications Group
John Siefert VP and Publisher, InformationWeek and TechWeb Network
Scott Vaughan VP, Marketing Services
John Ecke VP, Financial Technology Group
Jill Thiry Publisher, MSDN Magazine and TechNet Magazine
John Dennehy General Manager
Fritz Nelson Executive Producer, TechWeb TV
Scott Popowitz Senior Group Director, Audience Development
Beth Rivera Senior Human Resources Manager

See www.dtsearch.com for hundreds more reviews,

and hundreds of developer case studies

Contact dtSearch for

fully-functional evaluations

1-800-IT-FINDS • www.dtsearch.com
4 msdn magazine Printed in the USA
 Your best source for
software development tools!
LEADTOOLS Document
Imaging v 16.5:
by LEAD Technologies
LEADTOOLS Document Imaging has every
component you need to develop powerful
image-enabled business applications including
specialized bi-tonal image display and
processing, document clean up, high-speed
scanning, advanced compression (CCITT
New G3/G4, JBIG2, MRC, ABC) and more.
Re lea se!
• Multi-threaded OCR/ICR/OMR/
MICR/Barcodes (1D/2D)
• Forms recognition/processing
Paradise # • PDF and PDF/A
L05 03201A01 • Annotation (Image Mark-up)
• C/C++, .NET, WPF - Win32/64, WCF, WF
$
2,007. 99
programmers.com/lead
Pragma Fortress SSH
—SSH Server for Windows
by Pragma Systems
Contains Windows SSH & SFTP Servers. Certified database alternative proven by developers in mission
for Windows Server 2008. Works with PowerShell. critical enterprise systems, desktop deployments, and
• Full-featured server with centralized
& graphical management
• GSSAPI Kerberos & NTLM authentication
• Fastest SFTP & SCP file transfer
• Supports over 1000 sessions
• Runs console applications & allows history
Paradise #
scroll back within the same session
• Runs in Windows 2008/2003/Vista/XP/2000
P35 0439
$
550.99 programmers.com/pragma
FarPoint Spread
for Windows Forms
The Best Grid is a Spreadsheet. Give your users
the look, feel, and power of Microsoft® Excel®,
without needing Excel installed on their machines.
Join the professional developers around the
world who consistently turn to FarPoint Spread
to add powerful, extendable spreadsheet solu-
tions to their COM, ASP.NET, .NET, BizTalk Server
and SharePoint Server applications.
• World’s #1 selling development spreadsheet
• Read/Write native Microsoft Excel Files
Paradise #
• Cross-sheet formula referencing
F02 01101A01 • Fully extensible models
• Royalty-free, run-time free
$
936.99 programmers.com/farpoint
Mindjet MindManager 8
for Windows
by Mindjet
Do you harness the wealth of data, Web pages,
and other input that comes your way every
day? Is there a way to use it more effectively
to formulate new ideas, sharpen your focus,
and ultimately drive your success? New
MindManager 8 for Windows is the answer.
Unlike the usual linear-based approach of most
productivity tools, MindManager 8 uses mind-
1 User mapping technology to let you capture, organ-
Paradise # ize, and communicate information using an
F15 17301A02 intuitive visual canvas. You’ll be able to work
smarter and transform your ideas into action
$
299. 99 more quickly.
programmers.com/mindjet
800-445-7899
Prices subject to change. Not responsible for typographical errors.
dtSearch Engine for Win & .NET
Add dtSearch‘s “blazing speeds”
(CRN Test Center) searching and New
file format support 64-bit
Version!
• dozens of full-text and fielded
data search options
• file parsers/converters for hit-highlighted
display of all popular file types
• Spider supports dynamic and static web data;
highlights hits with links, images, etc. intact
• API supports .NET, C++, Java, SQL and more;
new .NET Spider API
“Bottom line: dtSearch manages a terabyte of
text in a single index and returns results in
less than a second.” —InfoWorld
c-treeACE™ Professional
by FairCom
The c-treeACE database engine is a high performance
embedded devices for over 25 years.
• Complete set of APIs including ADO.NET, LINQ,
C#, C/C++, ODBC, JDBC, VCL, and dbExpress
• Graphical productivity tools
• Simple deployment
• No DBA or ongoing administration
• Low deployment licensing costs
• Cross-platform support for all major platforms
including Windows, UNIX, Linux, and Mac OS X
Make your applications faster, easier to deploy,
and more affordable with c-treeACE.
Enterprise Architect 7.5
Visualize, Document and NEW
Control Your Software Project RELEASE!
by Sparx Systems
Enterprise Architect is a comprehensive,
integrated UML 2.1 modeling suite
providing key benefits at each stage of
system development. Enterprise Architect
7.5 supports UML, SysML, BPMN and
other open standards to analyze, design,
test and construct reliable, well under-
stood systems. Additional plug-ins are
also available for Zachman Framework,
MODAF, DoDAF and TOGAF, and to
integrate with Eclipse and Visual Studio
2005/2008.
programmers.com/sparxsystems
Orion Network
Performance Monitor
by Solarwinds
Orion Network Performance Monitor is a
comprehensive fault and network performance
management platform that scales with the
rapid growth of your network and expands
with your network management needs.
It offers out-of-the-box network-centric views
that are designed to deliver the critical
information network engineers need.
Orion NPM is the easiest product of its
kind to use and maintain, meaning you
will spend more time actually managing
networks, not supporting Orion NPM.
programmers.com/solarwinds
programmersparadise.com
®
VMware vSphere Essentials
New VMware Solutions for Small Businesses
VMware vSphere Essentials Editions combine the
high availability, performance and reliability of
our enterprise class solutions with packaging ideal
for smaller IT environments and a price starting
at less than $1,000 for a complete solution.
• VMware vSphere Essentials provides an New
all-in-one solution for small offices to virtualize Release!
three physical servers for consolidating and
managing applications to reduce hardware and
3 Server Pack operating costs with a low up front investment. VMware
Paradise # vSphere
• VMware vSphere Essentials Plus adds
D29 02101A08 Essentials
high application availability and data protection
$
2,375. 99 for a complete server consolidation, manage-
ment and business continuity solution
CALLI
programmers.com/dtsearch for the small office IT environment. programmers.com/vmware
TX Text Control 15
Word Processing Components NEW
RELEASE!
TX Text Control is royalty-free,
robust and powerful word processing
software in reusable component form.
• .NET WinForms control for VB.NET and C#
• ActiveX for VB6, Delphi, VBScript/HTML, ASP
• File formats DOCX, DOC, RTF, HTML, XML, TXT
Professional Edition
• PDF and PDF/A export, PDF text import
Paradise #
• Tables, headers & footers, text frames, bullets,
T79 02101A02
Paradise # structured numbered lists, multiple undo/redo,
F01 0131
sections, merge fields, columns $
848. 99
• Ready-to-use toolbars and dialog boxes
792.
$ 99 Download a demo today.
programmers.com/faircom programmers.com/theimagingsource
CA ERwin r7.3
CA ERwin® Data Modeler
r7.3 – Product Plus 1 Year
Enterprise Maintenance
CA ERwin Data Modeler is a data modeling
solution that enables you to create and
maintain databases, data warehouses
and enterprise data resource models.
Corporate Edition These models help you visualize data Paradise #
1-4 Users structures so that you can effectively P26 04201E01
Paradise # organize, manage and moderate data
SP6 03101A02 complexities, database technologies and $
3,832.99
the deployment environment.
$
182.99
programmers.com/ca
FREE WEBINAR SERIES:
MORE Maximum Data
Modeling with CA ERwin 7.3
In our last webinar series, we looked at CA
ERwin’s core functionality. In this second series,
we’ll provide a grounding in how CA ERwin r7.3’s
new features help you with Master Data Management, Metadata
Management, Data Warehousing, Data Governance and Business Intelligence.
There will be six sessions in the series:
• What’s New in CA ERwin 7.3
• MDM (Master Data Management) with CA ERwin and Data
Profiling tool
• Collaborative model management with CA ERwin ModelManager
Paradise # • Validate the integrity of your model with CA ERwin Validator
S4A 08201E02 • Reporting: Crystal Reports, PDF, HTML
$
4,606.99 • SAPHIR Option: light at the end of the metadata tunnel
REGISTER TODAY: programmers.com/MDM_2009
 EDITOR’S NOTE

Viva la Evolution!
In this issue of MSDN Magazine,
we will take a more focused look at the state
of Web development. This is actually a pretty
relevant topic for me at the moment, as I’ve been
in and out of meetings over the past month in
which we’ve been trying to define and come to
consensus around what MSDN (not just the
magazine) should be and how it should evolve.
As such, I want to give you my perspective as a content publisher
on how the problem domain of the Web has evolved and how Web
applications are going to need to evolve to solve them.
It’s interesting to see how far the pendulum has swung in terms
of the fundamental problems related to content and the Web. Not
too long ago, the major challenge was making content available.
Evolution happened quickly, however—and handwritten HTML
was replaced by WYSIWYG editors, and then the whole edit-
ing environment was supplanted entirely by blogs and wikis.
The problem of publishing effectively disappeared. Anyone with
an idea and an Internet connection could publish content for all
to consume.
Before the novelty of this newly democratized world of content
could sink in, the core problem shifted from making content
available to finding the right content. Enter the rise of search
engines. Now, I’ve got no problem with search—I use it as a regu-
lar part of doing business. For example, have you ever submitted
an article idea and received a response similar to, “There’s already
a sufficient amount of coverage on this topic?” You can blame
your search engine for that. For all of its eff ectiveness in finding
content, however, I think that search has effectively enabled folks
in the content business to gloss over some more fundamental
problems in our approach to publishing and managing content
on the Web—particularly with respect to information architecture.
As I look over all of the content that can be found today on MSDN,
I am overwhelmed at both the sheer volume of content and the lack
of cohesion among the various content elements. I’m also both-
ered by the fact that I can search for MSDN Magazine articles on
WCF and be presented with an article that was based on an early
CTP of Indigo. I’m not suggesting that such an article should
be outright pulled down—there may be value in the conceptual
explanations. However, there should absolutely be more attention
given to lifetime management policy.
So why am I bringing up issues of content management? For
one, it’s a domain that I’m pretty familiar with. More important,
however, I think it highlights where the problems are now shifting
on the Web. For example, we’ve solved the problem of publishing
and we have decent a solution for finding content. The next major
evolution is in composing experiences that bring together lots
of disparate elements into a single context. This means thinking
about how to break apart various application and content silos
such that a combination of content and application services can
be put together into any context, as decided by the user—in short,
this means thinking of everything as a mashup. For me, it means
that if my intent—my context—is to read an article about WCF,
I shouldn’t have to stop what I’m doing so that I can navigate to a
different Web application if I have a question to post, only to later
rely on the back button to return to the article. I should be able to
construct a single context consisting of a content item and a forums
application service.
Getting to this next step is going to require some work, in both
refactoring to break application silos into services and learning to
think of Web applications as compositions. I’m therefore excited
to see articles like Shawn Wildermuth’s article on composite
Silverlight applications (Page ) and Aaron Skonnard’s article on
REST and the ASP.NET MVC framework (Page ). Finally, for
more on refactoring Web applications, check James Kovacs’ series
on brownfield development, aptly titled “Extreme
ASP.NET Makeover,” at msdn.microsoft.com/magazine.
Viva la evolution!
THANKS TO THE FOLLOWING MICROSOFT TECHNICAL EXPERTS FOR THEIR HELP WITH
THIS ISSUE: Adrian Bateman, Sam Bent, Laurent Bugnion, Matt Ellis, Mike Fourie,
Steve Fox, Don Funk, Alex Gorev, Aaron Hallberg, Luke Hoban, Robert Horvick,
John Hrvatin, Bret Humphrey, Katy King, Brian Kretzler, Bertrand LeRoy, Dan
Moseley, Stephen Powell, and Delian Tchoparinov.

Visit us at msdn.microsoft.com/magazine. Questions, comments, or suggestions for MSDN Magazine? Send them to the editor: mmeditor@microsoft.com.

© 2009 Microsoft Corporation. All rights reserved.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, you are not permitted to reproduce, store, or introduce into a retrieval system MSDN Magazine or any part of MSDN
Magazine. If you have purchased or have otherwise properly acquired a copy of MSDN Magazine in paper format, you are permitted to physically transfer this paper copy in unmodified form. Otherwise, you are not permitted to transmit
copies of MSDN Magazine (or any part of MSDN Magazine) in any form or by any means without the express written permission of Microsoft Corporation.
A listing of Microsoft Corporation trademarks can be found at microsoft.com/library/toolbar/3.0/trademarks/en-us.mspx. Other trademarks or trade names mentioned herein are the property of their respective owners.
MSDN Magazine is published by United Business Media LLC. United Business Media LLC is an independent company not affiliated with Microsoft Corporation. Microsoft Corporation is solely responsible for the editorial contents of this
magazine. The recommendations and technical guidelines in MSDN Magazine are based on specific environments and configurations. These recommendations or guidelines may not apply to dissimilar configurations. Microsoft Corporation
does not make any representation or warranty, express or implied, with respect to any code or other information herein and disclaims any liability whatsoever for any use of such code or other information. MSDN Magazine, MSDN, and
Microsoft logos are used by United Business Media under license from owner.

8 msdn magazine
FOCUS ON YOUR CODE.
AND LET CRYSTAL REPORTS
HANDLE THE REPORTING.
NEW ROYALTY-FREE
RUNTIME NOW AVAILABLE.

WWW.SAP.COM/CRYSTAL
REPORTS/DEV

OR CONTACT US AT 1-888-
333-6007.

Copyright © 2008 Business Objects SA. All rights reserved. Business Objects and the Business Objects logo and Crystal Reports are
trademarks or registered trademarks of Business Objects SA or its affiliated companies in the United States and/or other countries.
Business Objects is an SAP company. SAP is a registered trademark of SAP AG in Germany and in other countries.
 EVOLVE YOUR CODE.
Parallelism breakthrough.
Analyze, compile, debug, check, and tune your code for multicore
with Intel® Parallel Studio. Designed for today’s serial apps and
tomorrow’s parallel innovators.
Get free eval software: www.intel.com/software/products/eval

© 2009-2010, Intel Corporation. All rights reserved. Intel and the Intel logo are trademarks of Intel Corporation in the U.S. and other countries. *Other names and brands may be claimed as the property of others.
SCOTT MITCHELL TOOLBOX

Static Analysis Database Tools, Managing

Remote Computers, and More

Static Analysis for Your

Database Design
Software design standards are an
important aspect of building reliable and
maintainable applications. Most compa-
nies have some sort of coding standards,
such as naming conventions and security
guidelines. Static code analysis tools, such as
FxCop and StyleCop, are useful for evaluat-
ing an application’s intermediate code or
source code to ensure that it conforms to
the standards recommended by Microsoft
or defined by your company. (FxCop and
StyleCop were reviewed in the December
2008 issue, available at msdn.microsoft.com/
en-us/magazine/dd263071.aspx.)
But what about database design and con-
figuration? Many companies have naming
ApexSQL Enforce
conventions for tables and their columns,
as well as guidelines for column data types,
Critical. A Best Practices rule base ships runs the selected rules against the specified
such as under what circumstances NULLable
with ApexSQL Enforce and contains more database and displays any rule violations in
columns are permissible. The same applies
than 80 rules, including ones that apply to a separate tab. Each rule violation includes a
for the use and cascade behavior of foreign
database maintenance and administra- summary, noting the rule that was violated
key constraints and triggers. There may also
tion. The Critical severity rule, for example, and the database object in violation; a
be configuration standards that apply to
login credentials, backup schedules, and requires that the database be backed up at description of the violated rule; and advice
other concerns. least every seven days. There are also data on how to remedy the violation. For some
modeling rules, such as a High severity rule rules, ApexSQL Enforce can provide the
ApexSQL Enforce (version 2008.04) is a
that ensures all tables have a primary key T-SQL syntax to fix the violation.
static analysis tool for Microsoft SQL Server
and a Tip rule that recommends against ApexSQL Enforce offers a high degree of
databases. When you first run ApexSQL
naming tables with a “tbl” prefix. customization and flexibility. For instance,
Enforce, you are prompted to select the
After selecting the rule base and the you can create your own rule bases or
rule base to use. Each rule is associated with
particular rules to apply, you choose the modify the built-in Best Practices rule
a database object type, such as the server,
database to analyze. ApexSQL Enforce base. Rules are defined using C# or Visual
a table, a trigger, a column, or a primary
key. The rules are classified further into
categories such as Server Configuration, Send your questions and comments for Scott to toolsmm@microsoft.com.
Database Modeling, Performance, and
All prices confirmed at press time are subject to change. The opinions expressed in this column are solely
so on. Each rule is assigned one out of six those of the author and do not necessarily reflect the opinions at Microsoft.
possible severities, ranging from Info to
July 2009 11
 Basic code. Creating and modifying these
rules is straightforward thanks to a built-in
rule editor that offers syntax highlighting
and IntelliSense support. ApexSQL Enforce
can be run from its graphical user interface
or from the command line, and violation
reports can be exported to XML or rendered
into an HTML report.
Static analysis is a useful and automated
technique for ensuring that your software
design adheres to prescribed standards.
ApexSQL Enforce is a powerful and cus-
tomizable tool for applying static analysis
to your databases.
Price: $999
www.apexsql.com/sql_tools_enforce.asp
.NET Podcasts
Podcasts are audio or video productions
that are available for download over the
Internet and are typically played on por-
table MP3 players, such as the Apple iPod
or the Microsoft Zune. Unlike streaming
audio shows, podcasts are prerecorded
and syndicated. You can configure your
MP3 player’s software to automatically
download the latest shows of your favorite
podcasts—they are great listening material
for your daily commute.
There are a number of very interesting,
educational, and well-produced podcasts
specifically for Microsoft .NET developers.
One of my favorite .NET-focused shows is
Hanselminutes, a weekly audio podcast
hosted by Scott Hansel man, a senior pro-
gram manager at Microsoft. Most episodes
are around 30 minutes in length, focus on
a single topic, and include a guest who
is a pioneer or an expert on the topic of
discussion. What I like best about the show
is the wide range of subject matter, with
episodes on specific technologies—such
as JavaScript, ADO.NET Data Services, and
parallel programming in .NET—as well as
shows that discuss software development
models like Scrum, test-driven develop-
ment, and the SOLID principles of object-
oriented design.
What sets Hanselminutes apart from
many other podcasts is its consistent
schedule and level of quality. A new
Hanselminutes episode has appeared nearly
every single week since January 2006, with
over 155 episodes so far. All past episodes
12 msdn magazine
(as well as each week’s new episode) are
available for download in several popular
multimedia formats. And Scott does a great
job interviewing his guests and keeping the
dialogue interesting and on-topic.
Price: Free
hanselminutes.com
Manage Remote Computers
from One Program
Tools like Virtual Network Computing
(VNC) and the Microsoft Remote Desktop
Protocol (RDP) make it easy to log into
and manage remote computers from your
home or office and have long been used by
system administrators to manage remote
computer assets. If you are tasked with
managing many different computers, or
routinely find yourself with multiple remote
connections open at the same time, check
out Terminals (version 1.7e), an open-
source project that consolidates managing
and running remote connections. When
a remote connection is launched from
Terminals, it is displayed in a new tab within
the Terminals user interface. This tabbed UI
streamlines multiple, simultaneous remote
connections into a single window. And
Terminals works with a variety of proto-
cols, including VNC, RDP, Virtual Machine
Remote Control (VMRC), Remote Access
Service (RAS), Telecommunication network
(Telnet), and Secure Shell (SSH).
When Terminals is launched for the first
time, it searches your computer for remote
connection files and adds any discovered
connections to the Favorites window. You
can edit these automatically added entries,
or you can manually add your own remote
connections to Favorites. And with a few
clicks of the mouse, you can customize
Terminals
these remote connections’ display and
behavior properties, supply connection
credentials, or categorize the connec-
tions using tags. Double-clicking one of
the remote connections in the Favorites
window causes Terminals to connect to
that computer in a new tab. There’s also a
History view that shows what connections
were made today, yesterday, in the past
week, and so on.
Terminals includes a number of helpful
tools and utilities. There’s a feature that
makes taking screen captures of remote
connections as easy as clicking a button,
and a manager that catalogues and orga-
nizes your screen captures. Terminals also
offers a suite of network-related utilities.
For example, you’ll find tools for perform-
ing a Whois or DNS lookup from within
Terminals, along with tools for examining
the shares on a local or remote computer.
Other tools show information about
the local computer’s Network Interface
Controllers (NICs), the open connections,
and the packet traffic. There’s also one-click
access to common system administration
and network maintenance configuration.
The Terminals toolbar contains shortcut
icons to programs like the Registry Editor
(regedit.exe), the Computer Management
Console, the Control Panel, and the local
computer’s Internet Properties, Network
Connections, and Services Manager, among
many others.
Terminals is a nifty application that
consolidates working with remote connec-
tions into a single, simple interface. If you
regularly connect to remote computers,
give Terminals a try.
Price: Free, open-source
terminals.codeplex.com
Toolbox
The Bookshelf
Most .NET developers are familiar with
ADO.NET, the data access library that has
been part of the .NET Framework since its
inception. One challenge of using ADO.NET
is that the developer must always keep the
details of the underlying data store in mind.
When querying data, the developer must
be cognizant of the tables to query, their
relationships, what JOINs are needed and
whether they are INNER or OUTER JOINs.
When retrieving data from a DataSet or a
DataReader, the developer must recall the
column names and their data types.
Programming Entity Framework
Over the past several years, Microsoft
has been developing the ADO.NET Entity
Framework, a new library for accessing data.
When using the Entity Framework, you do
not run queries against the database. Instead,
you query the Entity Data Model, which is a
set of classes in your application that model
the database’s structure in an object-oriented
manner. In addition to the Entity Data Model,
the Entity Framework maintains a logical
model of the database and a map that indi-
cates how the objects in the logical model
correspond to the objects in the Entity Data
Model. While the Entity Framework is not a
replacement for ADO.NET, it is an important
tool that Microsoft is investing in and is be-
ing used in technologies like ADO.NET Data
Services and ASP.NET Dynamic Data.
One of the best ways to learn about the
Entity Framework is to read Julia Lerman’s
book, Programming Entity Framework
msdnmagazine.com
(O’Reilly, 2009). Julia’s book starts with a solid Designer and to demonstrate working with
overview of the design goals of the Entity entities using both LINQ to Entities and Entity
Framework, its pros and cons, and where it fits SQL queries. Later, in Chapter 7, Julia unveils
into Microsoft’s data access story. The reader a more complex, real-world database that
is shown how to create an Entity Data Model contains many more tables and more types
using the Designer, how to query against this of relationships. She uses this new database
model, how to insert, update, and delete enti- throughout the remainder of the book to
ties, and how to display and manage data via illustrate more advanced topics, such as
the Entity Framework in WinForms, Windows customizing entities and the Entity Data
Presentation Foundation (WPF), and ASP. Model, transaction processing, handling
NET applications, as well as in Web Services exceptions raised by the Entity Framework,
and Windows Communication Foundation and so on. These two databases, along with
(WCF) services. the complete sample code, are available
At nearly 800 pages, Programming Entity for download from the book’s Web site,
Framework is fairly hefty, but it offers a solid LearnEntityFramework.com.
grounding in using the Entity Framework. Price: $54.99, 792 pages
The book assumes its readers are intermedi- oreilly.com
ate to advanced .NET developers who are
already familiar with database concepts,
ADO.NET, LINQ, and other core .NET SCOTT MITCHELL, author of numerous books and
features and spends no time introducing founder of GuysFromRolla.com, is an MVP who has
been working with Microsoft Web technologies since
these topics. Instead, the book is packed . Scott is an independent consultant, trainer, and
with walkthroughs that illustrate the use writer. Reach him at Mitchell@guysfromrolla.com
of Entity Framework in various scenarios. or via his blog at ScottOnWriting.NET.
It also does a great
job pointing out
what this first ver-
sion of the Entity
Framework can
and cannot do and
what use cases are
difficult or tricky
to implement,
along with work-
arounds where
appropriate.
Julia’s use of real-
world examples
really helped me
to understand and
become familiar
with using the Entity
Framework. In the
second chapter,
Julia introduces a
simple database
with a handful
of tables, views,
and stored proce-
dures. She uses this
database over the
next several chap-
ters to highlight
the features of the
July 2009 13
 CLR INSIDE OUT
Building Tuple
The upcoming . release of Microsoft .NET Framework introduces
a new type called System.Tuple. System.Tuple is a fixed-size col-
lection of heterogeneously typed data. Like an array, a tuple has a
fixed size that can’t be changed once it has been created. Unlike an
array, each element in a tuple may be a different type, and a tuple
is able to guarantee strong typing for each element. Consider try-
ing to use an array to store a string and integer value together, as
in the following:
static void Main(string[] args) {
object[] t = new object[2];
t[0] = "Hello";
t[1] = 4;
PrintStringAndInt((string) t[0], (int) t[1]);
}
static void PrintStringAndInt(string s, int i) {
Console.WriteLine("{0} {1}", s, i);
} namespace: KeyValuePair. While KeyValuePair<TKey, TValue>
The above code is both awkward to read and dangerous from a
type safety point of view. We have no guarantee that the elements
of the tuple are the correct type when we go to use them. What if,
instead of an integer, we put a string in the second element in our
tuple, as follows:
static void Main(string[] args) {
object[] t = new object[2];
t[0] = "Hello";
t[1] = "World";
PrintStringAndInt((string) t[0], (int) t[1]);
} uses when designing their version of tuple. After other teams heard
static void PrintStringAndInt(string s, int i) {
Console.WriteLine("{0} {1}", s, i);
}
This code would compile, but at run time, the call to
PrintStringAndInt would fail with an InvalidCastException when
we tried to cast the string “World” to an integer. Let’s now take a
look at what the code might look like with a tuple type:
static void Main(string[] args) {
Tuple<string, int> t = new Tuple<string, int>("Hello", 4);
PrintStringAndInt(t.Item1, t.Item2);
}
static void PrintStringAndInt(string s, int i) {
Console.WriteLine("{0} {1}", s, i);
}
This column is based on a prerelease version of the Microsoft .NET Framework 4.
Details are subject to change.
Send your questions and comments to clrinout@microsoft.com.
14 msdn magazine
MATT ELLIS
With the tuple type, we’ve been able to remove the cast opera-
tors from our code, giving us better error checking at compile time.
When constructing and using elements from the tuple, the compiler
will ensure our types are correct.
As this example shows, it’s obvious that a tuple is a useful type
to have in the Microsoft .NET Framework. At first, it might seem
like a very easy enhancement. However, we’ll discuss some of the
interesting design challenges that the team faced while designing
System.Tuple. We’ll also explore more about what we added to the
Microsoft .NET Framework and why these additions were made.
Existing Tuple Types
There is already one example of a tuple floating around the
Microsoft .NET Framework, in the System.Collections.Generic
can be thought of as the same as Tuple<T, T>, since they are
both types that hold two things, KeyValuePair feels different from
Tuple because it evokes a relationship between the two values it
stores (and with good reason, as it supports the Dictionary class).
Furthermore, tuples can be arbitrarily sized, whereas KeyValuePair
holds only two things: a key and a value.
Within the framework, many teams created, each for its own use,
a private version of a tuple but didn’t share their versions across
teams. The Base Class Libraries (BCL) team looked at all of these
that the BCL team would be adding a tuple in Microsoft .NET
Framework , other teams felt a strong desire to start using tuples
in their code, too. The Managed Extensibility Framework (MEF)
team even took a look at the draft of one of BCL’s specs before im-
plementing a version of tuple in their code. They later released this
version as part of a consumer technology preview, with a support-
ing comment that it was a temporary implementation until tuples
were added to the Microsoft .NET Framework!
Interoperability
One of the biggest set of customers inside Microsoft for tuple was
the language teams themselves. While C# and VB.NET languages
do not have the concept of a tuple as part of the core language, it
is a common feature of many functional languages. When target-
ing such languages to the Micrososft.NET Framework, language
developers had to define a managed representation of a tuple,
which leads to unnecessary duplication. One language suffering
 that problem was F#, which previously had defined its own tuple
type in FSharp.Core.dll but will now use the tuple added in Mi-
crosoft .NET Framework .
In addition to enabling the removal of duplicate types, having
a common type ensures that it is easy to call functions across lan-
guage boundaries. Consider what would happen if C# had added a
tuple type (as well as new syntax to support it) to the language, but
didn’t use the same managed representation as F#. If this were the
case, any time you wanted to call a method from an F# assembly
A common tuple type makes
interoperability that much
easier.
that took a tuple as an argument, you would be unable to use the
normal C# syntax for a tuple or pass an existing C# tuple. Instead,
you would be forced to convert your C# tuple to an F# tuple, and
then call the method. It’s our hope that by providing a common
tuple type, we’ll make interoperability between managed languages
with tuples that much easier.
Using Tuple from C#
While some languages like F# have special syntax for tuples, you
can use the new common tuple type from any language. Revisiting
the first example, we can see that while useful, tuples can be overly
verbose in languages without syntax for a tuple:
class Program {
static void Main(string[] args) {
Tuple<string, int> t = new Tuple<string, int>("Hello", 4);
PrintStringAndInt(t.Item1, t.Item2);
} but we were able to create only a finite number of classes to
static void PrintStringAndInt(string s, int i) {
Console.WriteLine("{0} {1}", s, i);
}
} tuples be encoded? Deciding on how many generic parameters to
Using the var keyword from C# ., we can remove the type
signature on the tuple variable, which allows for somewhat more
readable code.
var t = new Tuple<string, int>("Hello", 4);
We’ve also added some factory methods to a static Tuple class
which makes it easier to build tuples in a language that supports
type inference, like C#.
var t = Tuple.Create("Hello", 4);
Don’t be fooled by the apparent lack of types here. The type of t
is still Tuple<string, int> and the compiler won’t allow you to treat
the elements as different types.
Now that we’ve seen how the tuple type works, we can take a look
at the design behind the type itself.
Reference or Value Type?
At first glance, there isn’t much to the tuple type, and it seems like
something that could be designed and implemented over a long
weekend. However, looks are often deceiving, and there were some
16 msdn magazine
very interesting design decisions that needed to be made during
its development.
The first major decision was whether to treat tuples either as a ref-
erence or value type. Since they are immutable any time you want
to change the values of a tuple, you have to create a new one. If they
are reference types, this means there can be lots of garbage gener-
ated if you are changing elements in a tuple in a tight loop. F# tuples
were reference types, but there was a feeling from the team that they
could realize a performance improvement if two, and perhaps three,
element tuples were value types instead. Some teams that had creat-
ed internal tuples had used value instead of reference types, because
their scenarios were very sensitive to creating lots of managed objects.
They found that using a value type gave them better performance.
In our first draft of the tuple specification, we kept the two-, three-,
and four-element tuples as value types, with the rest being reference
types. However, during a design meeting that included represen-
tatives from other languages it was decided that this “split” design
would be confusing, due to the slightly different semantics between
the two types. Consistency in behavior and design was determined
to be of higher priority than potential performance increases. Based
on this input, we changed the design so that all tuples are reference
types, although we asked the F# team to do some performance in-
vestigation to see if it experienced a speedup when using a value
type for some sizes of tuples. It had a good way to test this, since its
compiler, written in F#, was a good example of a large program that
used tuples in a variety of scenarios. In the end, the F# team found
that it did not get a performance improvement when some tuples
were value types instead of reference types. This made us feel better
about our decision to use reference types for tuple.
Tuples of Arbitrary Length
Theoretically, a tuple can contain as many elements as needed,
represent tuples. This raised two major questions: how many generic
parameters should the largest tuple have, and how should the larger
have in the largest tuple ended up being somewhat arbitrary. Since
Microsoft .NET Framework  introduces new versions of the Action
and Func delegates that take up to eight generic parameters, we
chose to have System.Tuple work the same way. One nice feature
of this design is that there’s a correspondence between these two
types. We could add an Apply method to each tuple that takes a
correspondingly sized Action or Func of the same type and pass
each element from the tuple as an argument to the delegate. While
we ultimately didn’t add this in order to keep the surface area of
the type clean, it’s something that could be added in a later release
or with extension methods. There is certainly a nice symmetry in
the number of generic parameters that belong to Tuple, Action,
and Func. An aside: After System.Tuple was finished being de-
signed, the owners of Action and Func created more instances of
each type; they went up to  generic parameters. Ultimately, we
decided not to follow suit: the decision on sizing was somewhat
arbitrary to begin with, and we didn’t feel the time we would spend
adding eight more tuple types would be worth it.
CLR Inside Out
 Once we answered our first question, we still had to figure out a
way to represent tuples with more than eight elements. We decid-
ed that the last element of an eight-element tuple would be called
“Rest” and we would require it to be a tuple. The elements of this
tuple would be the eighth, ninth, and so on, elements of the overall
tuple. Therefore, users who wanted an eight-element tuple would
create two instances of the tuple classes. The first would be the
eight-element tuple, which would contain the first seven items of
the tuple, and the second would be a one-element tuple that held
the last tuple. In C#, it might look like this:
Tuple.Create(1, 2, 3, 4, 5, 6, 7, Tuple.Create(8));
In languages like F# that already have concrete syntax for tuples,
the compiler handles this encoding for you.
Properties
For languages that provide syntax for interacting with tuples,
the names of the properties used to access each element aren’t
very interesting, since they are shielded from the developer. This
is a very important question for languages like C#, where you have
to interact with the type directly. We started with the idea of using
Item, Item, and so on as the property names for the elements, but
we received some interesting feedback from our framework design
reviewers. They said that while these property names make sense
when someone thinks about them at first glance, it gives the feeling
that the type was auto-generated, instead of designed. They sug-
gested that we name the properties First, Second, and so on, which
felt more accessible. Ultimately, we rejected this feedback for a few
reasons: first, we liked the experience of being able to change the
element you access by changing one character of the property name;
second, we felt that the English names were difficult to use (typing
Fourth or Sixth is more work than Item or Item) and would lead
to a very weird IntelliSense experience, since property names would
be alphabetized instead of showing up in numerical order.
Interfaces Implemented
System.Tuple implements very few interfaces and no generic
interfaces. The F# team was very concerned about tuple being a
very lightweight type, because it uses so many different generic
instantiations of the type across its product. If Tuple were to
implement a large number of generic interfaces, they felt it would
have an impact on their working set and NGen image size. In light of
this argument, we were unable to find compelling reasons for Tuple
to implement interfaces like IEquatable<T> and IComparable<T>,
even though it overrides Equals and implements IComparable.
Structural Equality, Comparison, and Equivalence
The most interesting challenge we faced when designing Tuple
was to figure out how to support the following:
• structural equality
• structural comparison
•partial equivalence relations
We did as much design work around these concepts as we did
for Tuple itself. Structural equality and comparison relate to what
Equals means for a type like Tuple that simply holds other data.
msdnmagazine.com
In F#, equality over tuples and arrays is structural. This means
that two arrays or tuples are equal if all their elements are the
same. This differs from C#. By default, the contents of arrays and
tuples don’t matter for equality. It is the location in memory that
is important.
Since this idea of structural equality and comparison is already
part of the F# specification, the F# team had already come up
with a partial solution to the problem. However, it applied only
to the types that the team created. Since it also needed structural
The design team iterated on
a few different designs to help
solve structural equality and
comparison problems.
equality over arrays, the compiler generated special code to test if
it was doing equality comparison on an array. If so, it would do a
structural comparison instead of just calling the Equals method on
Array. The design team iterated on a few different designs on how
to solve these sorts of structural equality and comparison prob-
lems. It settled on creating a few interfaces that structural types
needed to implement.
IStructualEquatable and IStructuralComparable
IStructualEquatable and IStructuralComparable interfaces pro-
vide a way for a type to opt in to structural equality or comparison.
They also provide a way for a comparer to be used for each element
in the object. Using these interfaces, as well as a specially defined
comparer, we can have deep equality over tuples and arrays when
it is required, but we don’t have to force the semantics on all users
of the type. The design is deceptively simple:
public interface IStructuralComparable {
Int32 CompareTo(Object other, IComparer comparer);
}
public interface IStructuralEquatable {
Boolean Equals(Object other, IEqualityComparer comparer);
Int32 GetHashCode(IEqualityComparer comparer);
}
These interfaces work by separating the act of iterating over ele-
ments in the structural type, for which the implementer of the in-
terface is responsible, from the actual comparison, for which the
caller is responsible. Comparers can decide if they want to pro-
vide a deep structural equality (by recursively calling the IStruc-
tualEquatable or IStructualComparable methods, if the elements
implement them), a shallow one (by not doing so), or something
completely different. Both Tuple and Array now implement both
of these interfaces explicitly.
Partial Equivalence Relations
Tuple also needed to support the semantics of partial equivalence
relations. An example of a partial equivalence relation in the Microsoft
July 2009 17
 .NET Framework is the relationship between NaN and other floating-
point numbers. For example: NaN<NaN is false, but the same holds
for NaN>NaN and NaN == NaN and NaN != NaN. This is due to
NaN being fundamentally incomparable, since it does not represent
any number. While we are able to encode this sort of relationship
with operators, the same does not hold for the CompareTo method
on IComparable. This is because there is no value that CompareTo
can return that signals the two values are incomparable.
F# requires that the structural equality on tuples also works with
partial equivalence relationships. Therefore in F#, [NaN, NaN] ==
[NaN, NaN] is false, but so is [NaN, NaN] != [NaN, NaN].
Our first tentative solution was to have overloaded operators on
Tuple. This worked by using operators on the underlying types, if
they existed, and by falling back to Equals or CompareTo, if they
did not. A second option was to create a new interface like ICom-
parable but with a different return type so that it could signal cases
where things were not comparable. Ultimately, we decided that we
would hold off on building something like this until we saw more
examples of partial equivalence being needed across the Microsoft
.NET Framework. Instead, we recommended that F# implement
this sort of logic in the IComparer and IEqualityComparer methods
that they passed into the IStructrual variants of CompareTo and
Equals methods by detecting these cases and having some sort of
out-of-band signaling mechanism when it encountered NaNs.
Popular Microsoft Developer Titles
Free eBook with content from these titles at
informit.com/msdeveloper
9780321508799 9780321564160
FOLLOW US! twitter.com/informit | FIND US ON FACEBOOK! informit.com/fb-msdeveloper
AVA I L A B L E N O W I N P R I N T, E B O O K , A N D S A FA R I B O O K S O N L I N E
For more information and online sample material visit informit.com
Available wherever technical books are sold.
20 msdn magazine
Worth the Effort
Though it took a great deal more design iteration than anyone
expected, we were able to create a tuple type that we feel is flexible
enough for use in a variety of languages, regardless of syntactic
support for tuples. At the same time, we’ve created interfaces that
help describe the important concepts of structural equality and
comparison, which have value in the Microsoft .NET Framework
outside of tuple itself.
Over the past few months, the F# team has updated its compiler
to use System.Tuple as the underlying type for all F# tuples. This
ensures that we can start building toward a common tuple type
across the Microsoft .NET ecosystem. In addition to this exciting
development, tuple was demoed at this year’s Professional Devel-
opers Conference as a new feature for Microsoft .NET Framework
 and received much applause from the crowd. Watching the video
and seeing how excited developers are to start using tuples has made
all the time spent on this deceptively simple feature all the more
worthwhile.

MATT ELLIS is a Software Design Engineer on the Base Class Libraries team
responsible for diagnostics, isolated storage, and other little features like Tuple.
When he’s not thinking about frameworks or programming language design, he
spends his time with his wife Victoria and their two dogs, Nibbler and Snoopy.
GET THE BOOK BEFORE
IT IS PUBLISHED!
9780321562319
9780672330223
CLR Inside Out
DUSTIN CAMPBELL BASIC INSTINCTS

Stay Error Free with Error Corrections

One of the most useful features of the Microsoft Visual Basic editing the editor, a small red bar is added to the squiggle underline that
experience in Microsoft Visual Studio is background compilation. indicates that a smart tag is available at that location, as shown in
You’re probably already familiar with this feature, as it is similar Figure 1.
in spirit to the spelling and grammar checker found in Microsoft If you hover the mouse over the smart tag indicator, the collapsed
Word. As you type code, the Visual Basic compiler runs in the back- smart tag will appear along with a tooltip description. This is
ground. When you type an error, it is underlined with a squiggle pictured in Figure 2.
in the editor and added to the Error List window. In Figure 3, clicking on the smart tag expands the error
Prior to Visual Studio , the only guidance for fixing errors correction UI with the options that are available for this particular
came primarily from the error messages themselves. When possible, code error.
the Visual Basic Compiler generates error messages that are intended The error correction UI makes it easy to fix errors quickly and
to explain not only what the error is, but also how to fix it. accurately. The preview windows clearly show what changes will
Let’s look at an example. Suppose that you
have the following Visual Basic code:
Module Module1
Sub Main()
Dim i As Integer = "1"c
End Sub
End Module
The code above produces a compiler error
because it isn’t clear which conversion from
Char to Integer is expected. Should the com- Figure 2 Collapsed Smart Tag
piler insert a conversion to produce the ASCII
value of “”c, or should it insert a conversion that produces the
numerical value of “”c? The compiler has no option but to generate
this error message:
“‘Char’ values cannot be converted to ‘Integer’. Use ‘Microsoft.
VisualBasic.AscW’ to interpret a character as a Unicode value or
‘Microsoft.VisualBasic.Val’ to interpret it as a digit.”
While the preceding error message goes to great lengths to
explain how the problem can be fixed, it requires more coding on
your part to actually fix it.

Introducing Error Corrections

To make fixing errors easier, the Error Correction UI was intro-
duced. In Visual Studio  and , when an error is typed in

Figure 3 Expanded Smart Tag with Available Error Corrections

This article is partly based on a prerelease version of Visual Studio.

All information is subject to change.
Send your questions and comments to instinct@microsoft.com.
Figure 1 Error Squiggle with a Smart Tag Indicator
July 2009 21
 End Sub
End Module
When code does not compile because it is invalid (e.g., the
missing parenthesis in the call to Console.Write above), the Visual
Basic IDE will suggest error corrections that make your code valid
if applied. In Figure 5, the error correction offers to insert the
missing parenthesis.
Figure 4 No Correction Suggestions
Error corrections for invalid code aren’t limited to code within a
be made to your code, and it’s a simple matter of clicking on either method body. For example, suppose that you have a read-only prop-
of the two hyperlinks to apply a fix. erty and would like to convert it into a full property with a setter:
Class Person
Sometimes, a particular compiler is fixable in some cases, but Private _name As String
not all. In these doubtful instances, the Visual Basic IDE will Public ReadOnly Property Name() As String
optimistically create a smart tag indicator for that error, primarily Get
Return _name
to improve performance. It is much quicker to create a smart tag End Get
indicator for errors that can be fixed some of the time than to check End Property
End Class
each error to determine if it can definitely be fixed before creat-
To add a setter in the code above, you would
ing the indicator. When you hover over a smart tag indicator that
. Move the editor caret after End Get.
doesn’t have any error corrections, you will see the “no correction
. Press Enter.
suggestions” message shown in Figure 4.
. Type Set.
Applying Error Corrections with the Keyboard . Press Enter again.
That would leave you with the following invalid code:
Error corrections can be applied by using the keyboard as well
Class Person
as the mouse. If the editor caret is located on an error squiggle with Private _name As String
a smart tag indicator, you can press Shift+Alt+F to immediately Public ReadOnly Property Name() As String
expand the smart tag and show the error correction options. With Get
Return _name
the smart tag expanded, the Up-Arrow and Down-Arrow keys End Get
will navigate the options and you can apply an error correction by Set(ByVal value As String)
pressing the Enter key. If you dislike the Shift+Alt+F keyboard End Set
shortcut, Ctrl+. will also display the smart tag. (I personally find End Property
End Class
Ctrl+. much easier to remember and to press!)
To make the property valid, the ReadOnly keyword needs to be
removed. Now, deleting the keyword is trivial, but it is easier and
Fixing Invalid Code more efficient if you use the error correction to do the job:
Often, code will contain an error simply because it has an invalid
. Press Up to move the editor caret to the error squiggle.
structure. One common mistake is to write code that has unbal-
. Press Ctrl+. to display the suggestion error corrections shown
anced parentheses. Can you spot the error in the code below?
in Figure 6.
Module Module1
Sub Main() . Press Down to focus the first error correction.
Dim quad = Function(a, b, c) _
Function(x) (a * x * x) + (b * x) + c

Dim f = quad(1.0, -79.0, 1601.0)

Console.Write(f(42.0)

Figure 5 Error Correction for Inserting Parenthesis Figure 6 Error Corrections for a Read-only Property with a Setter
22 msdn magazine Basic Instincts
 the following code, which contains a spelling mistake:
Class Class1
End Class

Class Class2
End Class

Module Module1
Sub Main()
Dim c As New Clss
End Sub
End Module
The code above mistakenly attempts to instantiate a type named
Clss, but none exists. In this situation, two error corrections are
available, one to change Clss to Class and another to change Clss
Figure 7 Error Correction to Convert an Integer to a String to Class, as shown in Figure 8.
Currently, the spell checker is fairly simple and works only for
. Press Enter to apply. type names. However, this is an area that the Visual Basic team
As you can see, not only do error corrections help you write the would like to improve in a future release.
correct code, they can be a big time saver!
Importing Namespaces
Using the Right Type Conversions After shipping Visual Studio , the Visual Basic team received
By default, Visual Basic leaves strict typing off. This allows you to several requests for additional error corrections. Chief among these
take advantage of the Visual Basic compiler’s support for implicit was an error correction for automatically adding Imports statements.
data type conversions and late binding: It can be pretty irritating to start using a type and realize that you’ve
Module Module1 forgotten to import its namespace. For example, suppose you were
Sub Main() using the System.IO.File class to open and read a file from disk:
Dim s As String = 42
End Sub Module Module1
End Module Sub Main()

Given the code above, the compiler will properly insert a type
conversion from Integer to String.
However, if you use strict typing, Visual Basic error correc-
tions will be available to help you insert the same type conversion
that the compiler would have, if strict typing were off. Figure 7
shows the error correction for the code above when strict typing
is enabled.

Correcting Spelling Mistakes

Sometimes a code error might simply be a spelling mistake. For
spelling errors in type names, Visual Basic will provide error cor-
rections that suggest existing types with similar names. Consider

Figure 8 Error Correction for Spelling Mistake

msdnmagazine.com July 2009 23

Figure 9 Error Correction for Adding Imports Statements
Dim fileName = Path.Combine("C:\Temp", "Sizes.txt")
Using f = File.OpenRead(fileName)
End Using
End Sub
End Module
This code results in an error if you haven’t imported the System.
IO namespace yet. In Visual Studio , there are two possible
error corrections for this error:
. Import the namespace.
. Qualify the reference.
This is shown in Figure 9. By choosing the first suggested error
correction, we can easily import the System.IO namespace.
This begs the question: what if importing a namespace would
change the meaning of your code? Suppose that the code above
will use the Windows Presentation Framework (WPF) to create a
System.Windows.Shapes.Rectangle, using data read from the Sizes.
txt file. With the WPF references added, you start by instantiating
a new Rectangle:
Imports System.IO
Figure 11 The Add Imports Validation Error Dialog
Fortunately, the logic to avoid these situations is built into the
error correction for adding Imports statements. The error correction
recognizes the problem and displays the Add Imports Validation
Error dialog, pictured in Figure 11.
This dialog gives you two options for tweaking the error correction,
so the meaning of your code isn’t changed:
. Import ‘System.Windows.Shapes’ and qualify the affected
identifiers.
. Do not import ‘System.Windows.Shapes’, but change ‘Rectangle’
to ‘Windows.Shapes.Rectangle’.
By picking the first option, an Imports statement is added
for System.Windows.Shapes, and the reference to Path is fully
qualified:
Imports System.IO
Imports System.Windows.Shapes
Module Module1
Sub Main()
Dim fileName = System.IO.Path.Combine("C:\Temp", "Sizes.txt")

Module Module1
Sub Main()
Dim fileName = Path.Combine("C:\Temp", "Sizes.txt")
Using f = File.OpenRead(fileName)
Dim r As New Rectangle
End Using
End Sub
End Module
Like before, the namespace hasn’t been imported yet, so you
use the error correction UI pictured in Figure 10 to import it for
you. However, this time there’s a problem. The System.Windows.
Figure 12 Generate Class
Shapes namespace also includes a type named Path, so importing
the namespace would change the meaning of your code.

Figure 10 Error Corrections for Importing System.Windows.

Shapes Figure 13 Generate Property or Field
24 msdn magazine Basic Instincts
 Using f = File.OpenRead(fileName)
Dim r As New Rectangle
End Using
End Sub
End Module
Again, this error correction is available only in Visual Studio
. If you are using Visual Studio , you won’t see suggestions
for adding Imports statements.

Generating New Types and Members

Visual Basic isn’t done with error corrections yet! Visual
Studio  will introduce a new feature called Generate from
Usage, which allows you to easily generate new types and
members. For Visual Basic, this feature is implemented as a
set of error corrections, so you can access them through the
existing error corrections. In many cases, the Generate from
Usage error corrections offer suggestions for compiler errors
that previously had none. For example, look back at Figure 4.
In Visual Studio , that code has no error corrections avail-
able. But in Visual Studio , the new Generate from Usage
error corrections are suggested. Figure 12 shows the difference
in the error corrections between Visual Studio  and Visual
Studio  for the same code.
By choosing the first suggestion, a new class named Customer is
generated in a new file. Now, you can continue to write code that
uses members of the Customer class and use the error corrections
to stub out the members for you. For example, Figure 13 shows
the error corrections after you’ve assigned a value to a member of
a class that hasn’t been declared yet.
After choosing the first suggestion, the generated Customer
class looks like this:
Class Customer
Property Name As String
End Class
In Visual Studio , you will be able to leverage the Generate
from Usage error corrections for maximum efficiency.

Conclusion
Error corrections are an essential part of the Visual Basic coding
experience. Not only do they help you immediately spot and fix
errors, but you can use them to write code more efficiently. This
article only scratches the surface of the hundreds of suggestions
offered by Visual Basic. And with Visual Studio , there is an
error correction for most coding errors.
Don’t forget to use Ctrl+.!

DUSTIN CAMPBELL is the Microsoft Visual Basic IDE Program Manager on the
Microsoft Visual Studio Languages Team. He works primarily on the editor and
debugger product features. As a programming language nut, he also contributes
to other languages in Visual Studio, such as C# and F#. Before joining Microsoft,
Dustin helped to develop the award-winning CodeRush and Refactor! tools at
Developer Express Inc. Dustin’s favorite color is blue.
msdnmagazine.com July 2009 25
 CUTTING EDGE
Comparing Web Forms and ASP.NET MVC
I first saw Microsoft ASP.NET in action in , when
it was tentatively named ASP+. At that time, build-
Ten years ago,
ing a Web application on the Microsoft platform was
a matter of assembling a bunch of Active Server
ASP developers
Pages (ASP).
In a typical ASP page, you find HTML literals
were looking
interspersed with code blocks. In code blocks, script
code (mostly VBScript) is used to incorporate data
for exactly the
generated by COM objects, such as components
from the ActiveX Data Objects (ADO) framework.
set of features
Undoubtedly, the introduction of ASP.NET in the
late s was a big step forward, as it represented
that Web Forms
a smart way to automate the production of HTML
displayed in a client’s browser.
ended up
ASP.NET simplified a number of everyday tasks
and, more importantly, enabled developers to work at
providing.
a higher level of abstraction.This allowed them to fo-
cus more on the core functions of the Web application rather than on
common tasks around Web page design.
Based on server controls, ASP.NET allows developers to build real-
world Web sites and applications with minimal HTML and JavaScript
skills. The whole point of ASP.NET is productivity, achieved through
powerful tools integrated in the runtime as well as the provision of
development facilities, such as server controls, user controls, postback
events, viewstate, forms authentication, and intrinsic objects. The model
behind ASP.NET is called Web Forms and it was clearly inspired by
the desktop Windows Forms model (in turn deeply inspired by the
Visual Basic Rapid Application Development philosophy).
So why did Microsoft release “another” ASP.NET framework,
called ASP.NET MVC? In this article, I’ll explore the pros and cons
of both ASP.NET Web Forms and ASP.NET MVC.
Benefits of ASP.NET Web Forms
As noted, ASP.NET Web Forms is stable and mature, and it is
supported by heaps of third party controls and tools.
One of the keys to the rapid adoption of ASP.NET is certainly the
point-and-click metaphor taken from Windows desktop develop-
ment. With Web Forms, Microsoft basically extended the Visual Basic
programming model to the Web. Desktop development, however, is
stateful whereas the Web is inherently stateless. So the Web Forms
Send your questions and comments for Dino to cutting@microsoft.com.
28 msdn magazine
DINO ESPOSITO
model essentially abstracted a number of features to
provide a simulated stateful model for Web developers.
As a result, you didn’t have to be a Web expert with a lot
of HTML and JavaScript knowledgeto write effective
Web applications.
To simulate stateful programming over the Web,
ASP.NET Web Forms introduced features such as
viewstate, postbacks, and an overall event-driven
paradigm.For example, the developer can, say,
double-click on a button to automatically generate
a stub of code that will handle the user’s clicking to
the server. To get started writing an ASP.NET Web
application, you just need to know the basics of .NET
development, the programming interface of some
ad hoc components, like server controls. Server
controls that generate HTML programmatically,
and the runtime pipeline, contribute significantly
to a fast development cycle.
At the end of the day, key features of ASP.NET Web Forms
are just the componentization of some ASP best practices. For
example, postback, auto-population of input fields, authentica-
tion and authorization before page rendering, server controls, and
compilation of the page, are not features devised and created from
scratch for ASP.NET Web Forms. All of them evolved from ASP
best practices. Ten years ago, ASP developers (including myself)
were looking for exactly the set of features that Web Forms end-
ed up providing. Furthermore, ASP.NET Web Forms generally
exceeded our expectations by providing a full abstraction layer
atop the whole Web stack: JavaScript, CSS, HTML.
To write an ASP page, you did need to know quite a bit about the
Web and script languages. To write an ASP.NET page, in contrast,
you need to know primarily about .NET and its compiled languages.
Productivity and rapid development of data-driven, line-of-business
applications have been the selling points of ASP.NET Web Forms.
Until now, that is.
Drawbacks of Web Forms
Like many other things in this imperfect world, ASP.NET Web
Forms is not free of issues. Years of experience prove beyond any
reasonable doubt that separation of concerns (SoC) has not been
a natural fit with the Web Forms paradigm.
Automated testing of an ASP.NET Web Forms application is
hard, and not just because of a lack of SoC. ASP.NET Web Forms is
/update/2009/07
www.componentsource.com

BEST SELLER Janus WinForms Controls Suite from $757.44

Add Outlook style interfaces to your WinForms applications.
• Janus GridEX for .NET (Outlook style grid)
• Janus Schedule for .NET and Timeline for .NET (Outlook style calendar view and journal)
• Janus ButtonBar for .NET and ExplorerBar for .NET (Outlook style shortcut bars)
• Janus UI Bars and Ribbon Control (menus, toolbars, panels, tab controls and Office 2007 ribbon)
• Now includes Office 2007 visual style for all controls

BEST SELLER ContourCube from $825.00

OLAP component for interactive reporting and data analysis.
• Embed Business Intelligence functionality into database applications
• Zero report coding - design reports with drag and drop
• Self-service interactive reporting - get hundreds of reports by managing rows/columns
• Royalty free - only development licenses are needed
• Provides extremely fast processing of large data volumes

SELLER
BESTVERSION
NEW TX Text Control .NET and .NET Server from $494.10
Word processing components for Visual Studio .NET.
• Add professional word processing to your applications
• Royalty-free Windows Forms text box
• True WYSIWYG, nested tables, text frames, headers and footers, images, bullets,
structured numbered lists, zoom, dialog boxes, section breaks, page columns
• Load, save and edit DOCX, DOC, PDF, PDF/A, RTF, HTML, TXT and XML

BEST SELLER FusionCharts from $195.02

Interactive and animated charts for ASP and ASP.NET apps.
• Liven up your Web applications using animated Flash charts
• Create AJAX-enabled charts that can change at client-side without invoking server requests
• Implement drill-down functionality to show optimum amount of data at a time
• Export charts as images/PDF and data as CSV for use in reporting
• Also create gauges, financial charts, Gantt charts, funnel charts and over 450 maps

We accept purchase orders.

© 1996-2009 ComponentSource. All Rights Reserved. All prices correct at the time of press. Online prices may vary from those shown due to daily fluctuations & online discounts. Contact us to apply for a credit account.

US Headquarters
ComponentSource
European Headquarters
ComponentSource
Asia / Pacific Headquarters
ComponentSource Sales Hotline - US & Canada:
(888) 850-9911
650 Claremore Prof Way 30 Greyfriars Road 3F Kojimachi Square Bldg
Suite 100 Reading 3-3 Kojimachi Chiyoda-ku
Woodstock Berkshire Tokyo
GA 30188-5188 RG1 1PE Japan
USA United Kingdom 102-0083 www.componentsource.com
 based on a monolithic runtime environment that can be extended,
to some extent, but it is not a pluggable and flexible system. It’s
nearly impossible to test an ASP.NET application without spinning
up the whole runtime.
To achieve statefulness, the last known state of each server page
is stored within the client page as a hidden field—the viewstate.
Though viewstate has too often been held up as an example of what’s
wrong with Web Forms, it is not the monster it’s made out to be. In
fact, using a viewstate-like structure in classic ASP was a cutting-
edge solution. From an ASP perspective, simulation of statefulness
(that is, postback, viewstate, controls) was a great achievement, and
the same was also said at first about how Web Forms isolated itself
from HTML and JavaScript details.
For modern Web pages, abstraction from HTML is a serious issue
as it hinders accessibility, browser compatibility, and integration with
popular JavaScript frameworks like jQuery, Dojo, and PrototypeJS. The
postback model that defaults each page to post to itself, makes it harder
for search engines to rank ASP.NET pages high. Search engines and
spiders work better with links with parameters, better if rationalized
to human-readable strings. The postback model goes in the opposite
direction. Also, an excessively large viewstate is problematic because
the keyword the rank is based on may be located past the viewstate,
and therefore far from the top of the document. Some engines recog-
nize a lower rank in this case.
Benefits of ASP.NET MVC
Some of the recognized issues with the Web Forms model can be fixed
within ASP.NET .. You can disable or control the size of the viewstate.
(Even though very few developers seem to have noticed, the size of the
viewstate decreased significantly in the transition from ASP.NET . to
ASP.NET . when Microsoft introduced a much more efficient seri-
alization algorithm. In ASP.NET ., you should also expect improve-
ments in the way in which viewstate can be disabled and controlled.)
You can use an ad hoc HTTP module to do URL rewriting or, better
yet, you can use the newest Web routing API from ASP.NET . SP. In
ASP.NET ., you can minutely control the ID of elements, including
scoped elements. Likewise, in ASP.NET . the integration of external
JavaScript frameworks will be simpler and more effective. Finally, the
history management API in ASP.NET . SP made AJAX and postback
work together while producing a search-engine-friendly page.
In many aspects, the Web Forms model in ASP.NET . is a
better environment that tackles some of the aforementioned flaws.
So what’s the point of ASP.NET MVC?
You’ll find a good introduction to ASP.NET MVC in the March
 issue MSDN Magazine (msdn.microsoft.com/en-us/magazine/
cc337884.aspx), where Chris Tavares explains the basics of ASP.NET
development without Web Forms. In summary, ASP.NET MVC is
a completely new framework for building ASP.NET applications,
designed from the ground up with SoC and testability in mind.
When you write an ASP.NET MVC application, you think in terms
of controllers and views. You make your decisions about how to
pass data to the view and how to expose your middle tier to the
controllers. The controller chooses which view to display based
on the requested URL and pertinent data. Each request is resolved
30 msdn magazine
by invoking a method on a controller class. No postbacks are ever
required to service a user request. No viewstate is ever required to
persist the state of the page. No arraysof black-box server controls
exist to produce the HTML for the browser.
With ASP.NET MVC, you rediscover the good old taste of the
Web—stateless behavior, full control over every single bit of HTML,
total script and CSS freedom.
The HTML served to the browser is generated by a separate, and
replaceable, engine. There’s no dependency on ASPX physical server
files. ASPX files may still be part of your project, but they now serve
as plain HTML templates, along with their code-behind classes.
The default view engine is based on the Web Forms rendering
engine, but you can use other pluggable engines such as nVelocity
or XSLT. (For more details, have a look at the MVCContrib Web
site at mvccontrib.codeplex.com.)
The runtime environment is largely the same as in ASP.NET Web
Forms, but the request cycle is simpler and more direct. An essen-
tial part of the Web Forms model, the page lifecycle, is no longer
necessary in ASP.NET MVC. It should be noted, though, that the
default view engine in ASP.NET MVC is still based on the Web
Forms rendering engine. This is the trick that allows you to use
master pages and some server controls in ASP.NET MVC views.
As long as the view engine is based on Web Forms, the view is an
ASPX file with a regular code-behind class where you can handle
classic events such as Init, Load, PreRender, plus control-specific
events such as RowDataBound for a GridView control. If you switch
off the default view engine, you no longer need Page_Loador other
events of the standard page lifecycle. Figure 1 compares the run-
time stack for Web Forms and ASP.NET MVC.
It should be noted that the “Page lifecycle” boxes in Figure 1 have
been collapsed for readability and include several additional events
each. Anyway, the run-time stack of ASP.NET MVC is simpler and
the difference is due to the lack of a page lifecycle. However, this
makes it problematic to maintain the state of visual elements across
page requests. State can be stored into Session or Cache, but this
decision is left to the developer.
Figure 1 The Run-Time Stack at a Glance
Cutting Edge

Figure 2 The Sequence Diagram of an ASP.NET MVC Request
Figure 2 illustrates the sequence of an ASP.NET MVC
request.
The MVC acronym stands for Model-View-Controller. However,
you should note that the pattern depicted in Figure 2 doesn’t exactly
match the classic formulation of the MVC pattern. In particular, in
the original MVC paper, Model and View are tied together through
an Observer relationship. The MVC pattern, though, is deliberately
loosely defined and, even more importantly, was devised when the
Web was still to come. Adapting MVC to the Web moved it toward
the model in Figure 2, which is also known as Model. In general,
when you talk or read about MVC be aware that there are quite a
few slightly different flavors of it within the literature.
Drawbacks of ASP.NET MVC
So ASP.NET MVC brings to the table a clean design with a neat
separation of concerns, a leaner run-time stack, full control over
HTML, an unparalleled level of extensibility, and a working environ-
ment that enables, not penalizes, test-driven development (TDD).
Is ASP.NET MVC, therefore, a paradise for Web developers?
Just like with Web Forms, what some perceive as a clear strength
of ASP.NET MVC, others may see as a weakness. For example, full
control over HTML, JavaScript, and CSS, ASP.NET MVC means
that you enter the Web elements manually. Much of this pain can be
mitigated, however, with some of the more recent JavaScript libraries
and even different view engine. In general, though, there’s no sort of
component model to help you with the generation of HTML, as there
is in the Web Forms approach. Currently, HTML helpers and user
controls are the only tools you can leverage to write HTML more
quickly. As a result, , some ASP.NET developers may see ASP.NET
MVC as taking a step backward in terms of usability and produc-
tivity. Another point to be made, regarding the impact of ASP.NET
MVC on everyday development, is that it requires some upfront fa-
miliarity with the MVC pattern. You need to know how controllers

This Makes You

Look Better.
Introducing DataParts, Data Visualization
Tools For SharePoint 2007
DataParts is a powerful new way to add interactive
business intelligence to SharePoint portals. With
DataParts, visualizing and analyzing data becomes
remarkably easy – and code free. DataParts includes
our complete suite of advanced lists, card views,
charts, digital panels and gauges as web parts that
can be easily configured in just minutes for the type
of data desired.

WSS 3.0 and Visit SoftwareFX.com for free trial versions, interactive
MOSS 2007 demos and more information about our latest products.
32 msdn magazine Cutting Edge
SharePoint is a trademark or a registered trademark of Microsoft Corporation. DataParts is a registered trademark of Software FX, Inc. Other names are trademarks or registered trademarks of their respective owners.
and views work together in the ASP.NET implementation. In other
words, ASP.NET MVC is not something you can easily learn by ex-
perimenting. In my experience, this may be the source of decreased
productivity for the average Web Forms developer.
The Right Perspective
As an architect or developer, it is essential that you understand
the structural differences between the frameworks so that you can
make a thoughtful decision. All in all, ASP.NET Web Forms and
ASP.NET MVC are functionally equivalent in the sense that a skilled
team can successfully use either to build any Web solution.
The skills, education, and attitude of the team, though, are the
key points to bear in mind. As you may have figured out yourself,
most of the features presented as a plus for either framework may
also be seen as a minus, and vice versa. Full control over HTML,
for example, may be a lifesaver to one person but a nightmare to
another. Personally, I was shocked the first time I saw the content
of a nontrivial view page in ASP.NET MVC. But when I showed
the same page to a customer whose application was still using a
significant number of ASP pages, well, he was relieved. If you have
accessibility as a strict requirement, you probably want to take full
control over the HTML being displayed. And this is not entirely
possible with Web Forms. On the other hand, if you’re building a
heavy data-driven application, you’ll welcome the set of data-bound
controls and statefulness offered by Web Forms.
Correctly, Microsoft has not positioned ASP.NET MVC as a
replacement for ASP.NET Web Forms. Web Forms is definitely a
pattern that works for Web applications. At the same time, Ruby-
on-Rails has proved that MVC can also be a successful pattern for
Web applications; and ASP.NET MVC confirms this.
In the end, Web Forms and ASP.NET MVC have pros, cons, and
structural differences that affect various levels. Generalizing, I’d say
that Web Forms embraces the RAD philosophy whereas ASP.NET
MVC is TDD-oriented. Further, Web Forms goes toward an abstrac-
tion of the Web that simulates a stateful environment, while ASP.NET
MVC leverages the natural statelessness of the Web and guides you
towards building applications that are loosely coupled and inherently
testable, search-engine friendly, and with full control of HTML.
What’s the Perfect Model for ASP.NET?
After using Web Forms for years, I recognize a number of its
drawbacks, and ASP.NET MVC addresses them quite well: test-
ability, HTML control, and separation of concerns. But though I
see ASP.NET MVC as an equally valid option at this time, I don’t
believe it to be the silver bullet for every Web application. In my
opinion, ASP.NET MVC today lacks some level of abstraction
for creating standard pieces of HTML. HTML helpers are just an
interesting attempt to speed up HTML creation. I hope to see in the
near future a new generation of MVC-specific server controls, as
easy and quick to learn and use as Web Forms server controls, but

This Makes Your

Life Easier.
Introducing VTC, The Virtual Training Center
For SharePoint 2007
With VTC, IT and help desk personnel will no longer be
overloaded with SharePoint questions and training tasks.
VTC delivers a complete program of expertly produced,
self-paced tutorial modules designed to empower every
user and maximize the value of every SharePoint feature.
VTC installs in minutes on your server – providing instant
on-demand access for everyone in your organization.

msdnmagazine.com July 2009 33

Data visualization for every need, every platform
 totally unbound from the postback and viewstate model. My hopes
are for a System.Web.Mvc.GridView control that saves me from
writing a loop to generate an HTML table, while offering column
templates, server-side data-binding events, and styling options.
What would be the difference between such an MVC GridView
and today’s Web Forms GridView? The MVC GridView would only
emit HTML plus, optionally, some row-specific JavaScript, but it
wouldn’t manage things like paging and sorting. Paging and sorting
will be delegated to other specific controls or plain links created by
the developer. In this way, the MVC GridView could bring some
RAD flavor to ASP.NET MVC, speeding up the development of
pages without precluding handcrafted pages.
Going back to the root of the problem, the key difference between
Web Forms and ASP.NET MVC is the underlying pattern. Web Forms
is a model based on the “Page Controller” pattern. Web Forms are
UI-focused and centered around the concept of a page: the page gets
input, posts back, and determines the output for the browser. The
development environment was therefore devised to enable rapid pro-
totyping, via wizards and rich designers. Any user action ends up in a
method on the code-behind class of each page. At that point, though,
nothing prevents you from using proper SoC and nothing really stops
architects from imposing patterns like MVC, Model-View-Presenter
(MVP) or even Model-View-View-Model (MVVM).
The Web Forms architecture does not encourage SoC, but it doesn’t
prevent it either. The Web Forms architecture makes it seductive
to opt for drag-and-drop of controls, to code logic right in event
stubs without further separation, and to drop data sources right
on the page, which couples the UI directly to the database. MVC
is neither prohibited nor a blasphemy in Web Forms; it’s just that
very few developers practice it because it requires working around
much of the Web Forms infrastructure.
Testability is a different story. ASP.NET Web Forms doesn’t prevent
unit testing, but it requires much disciple and repetitive boilerplate
coding to do so.As long as you code your way to SoC you can test
and reuse presentation and business logic. Sure, you likely don’t have
the Visual Studio project template to create a test project for you. You
need to become familiar with testing and mocking frameworks and
manage those projects yourself. But this can be done. From a testability
perspective, though, a real difference exists between Web Forms and
ASP.NET MVC. In Web Forms, you just don’t have the flexibility of
ASP.NET MVC. This is a true limitation. ASP.NET MVC is designed
with testability in mind,which means that the framework architec-
ture guides the developer to write code that is inherently testable,
that is isolated from the context or connected to it via contracted
interfaces. Even more importantly, in ASP.NET MVC intrinsic ob-
jects are mockable as they expose interface and base classes. From a
testing standpoint, the best you can do in Web Forms is to move your
logic into separate and easily testable classes. Then, you test the pre-
sentation (ASPX and code-behind) by sending HTTP requests and
checking the results. You can’t do this in Web Forms without spin-
ning up the whole ASP.NET runtime, however. In ASP.NET MVC,
the majority of testing is to assure that the data being passed into the
view is correct. In addition, you can mock up intrinsic objects and
run your tests in a genuinely isolated environment.
34 msdn magazine
We should also note that control over HTML and SEO-friendly
URLs, both advantages of ASP.NET MVC, can be achieved to some
extent in Web Forms. ASP.NET . SP, in particular, includes the
URL Routing and History API for SEO. CSS adapters, instead,
are the tools to leverage to try to control HTML in Web Forms.
Integration with JavaScript and AJAX frameworks is, frankly, no
longer an issue in Web Forms.
Undisputable Facts
ASP.NET Web Forms and ASP.NET MVC are not competitors
in the sense that one is supposed to replace the other. You have
to choose one, but different applications may force you to make
different choices. In the end, it’s really like choosing between a car
and a motorcycle when making a trip. Each trip requires a choice,
and having both vehicles available should be seen as an opportunity,
not as a curse. Here are some facts about the frameworks:
• Web Forms is hard to test.
• ASP.NET MVC requires you to manage the generation of
HTML at a more detailed level.
• ASP.NET MVC is not the only way to get SoC in ASP.NET.
• Web Forms allows you to learn as you go.
• Viewstate can be controlled or disabled.
• Web Forms was designed to abstract the Web machinery.
• ASP.NET MVC exposes Web architecture.
• ASP.NET MVC was designed with testability and Dependency
Injection in mind.
• ASP.NET MVC takes you towards a better design of the code.
• ASP.NET MVC is young and lacks a component model.
• ASP.NET MVC is not anti-Web Forms.
ASP.NET MVC was not created to replace Web Forms but to
partner it. ASP.NET MVC turns some of the weaker elements of
Web Forms into its own internal strengths. However, problems such
as lack of testability, SoC, SEO, and HTML control can be avoided
or reduced in Web Forms with some discipline and good design,
though the framework itself doesn’t provide enough guidance.
At the End of the Day
We have seen that there are pros and cons in both Web Forms
and ASP.NET MVC. Many developers, however, seem to favor ASP.
NET MVC because it represents the only way to get SoC and test-
ability into their applications. Is it really the only way? No. However,
ASP.NET MVC makes it easier and natural to achieve SoC and
write more testable code. ASP.NET MVC doesn’t magically trans-
form every developer into an expert architect and doesn’t prevent
developers from writing bloated and poorly designed code. At the
end of the day, both Web Forms and ASP.NET MVC help to build
applications that are designed and implemented to deal eff ective-
ly with the complexity of real-world solutions. No software magic
exists, and none is yet supported by the ASP.NET platform. „
DINO ESPOSITO is an architect at IDesign and the co-author of “Microsoft .NET:
Architecting Applications for the Enterprise” (Microsoft Press, ). Based in
Italy, Dino is a frequent speaker at industry events worldwide. You can join his
blog at weblogs.asp.net/despos.
Cutting Edge

Composite Web Apps
with Prism
Shawn Wildermuth
Your first experience with Silverlight was probably some-
thing small: a video player, a simple charting application, or even a
menu. These types of applications are simple and straightforward
to design, and segmenting them into rigorous layers with separate
responsibilities is overkill.
Problems surface, however, when you try to apply a tightly coupled
style to large applications. As the number of moving parts grows,
the simple style of application development falls apart. Part of the
remedy is layering (see my article “Model-View-ViewModel In
Silverlight  Apps” at msdn.microsoft.com/en-us/magazine/dd458800.aspx),
but a tightly coupled architecture is just one of a number of prob-
lems that need to be solved in large Silverlight projects.
In this article, I show you how to build an application using the
composition techniques of the Composite Application Library
from the Prism project. The example I develop is a simple editor
of database data.
Why Prism?
As requirements change and a project matures, it is helpful if you
can change parts of the application without having these changes
cascade throughout the system. Modularizing an application
allows you to build application components separately (and loosely
coupled) and to change whole parts of your application without
affecting the rest of the code.
Also, you might not want to load all the pieces of your application
at once. Imagine a customer management application in which users
log on and can then manage their prospect pipeline as well as check e-
mail from any of their prospects. If a user checks e-mail several times
a day but manages the pipeline only every day or two, why load the
code to manage the pipeline until it is needed? It would be great if an
application supported on-demand loading of parts of the application,
a situation that can be addressed by modularizing the application.
The patterns & practices team at Microsoft created a project called
Prism (or CompositeWPF) that is meant to address problems like
S I LV E R L I G H T
these for Windows Presentation Foundation (WPF) applications,
and Prism has been updated to support Silverlight as well. The
Prism package is a mix of framework and guidance for building
applications. The framework, called the Component Application
Library (CAL), enables the following:
• Application modularity: Build applications from partitioned
components.
• UI composition: Allows loosely coupled components to form
user interfaces without discrete knowledge of the rest of the
application.
• Service location: Separate horizontal services (for example,
logging and authentication) from vertical services (business
logic) to promote clean layering of an application.
The CAL is written with these same design principles in mind,
and for application developers it is a buffet-style framework—take
what you need and leave the rest. Figure 1 shows the basic layout
of the CAL in relation to your own application.
The CAL supports these services to aid you in composing your
application from smaller parts. This means the CAL handles which
pieces are loaded (and when) as well as providing base function-
ality. You can decide which of these capabilities help you do your
job and which might get in the way.
This article discusses:
• Silverlight 2
• Application composition
• Dependency injection
Technologies discussed:
Silverlight 2, Prism
Code download available at:
code.msdn.microsoft.com/mag200907Prism
July 2009 35
Get the richest set of controls in one great suite. Studio Enterprise 2009
will amaze you with enhanced performance and presentation.

NEW Studio for Silverlight

• Add style to your UI with built-in support for the most
popular Microsoft Silverlight Toolkit themes
• Create graphical navigation with 3D effects using the
new C1CoverFlow control
• Import and export RTF files with C1RichTextBox
• Get ahead of the pack with access to the best resources,
including 40+ samples with source code for quick learning
& online forums

NEW Studio for ASP.NET

• Experience more interaction on the client-side with new
lightweight, high-performance controls
• Create themed and animated apps using dozens of
built-in styles & effects
• Eliminate the learning curve with new C1GridView
control that mimics the Microsoft ASP.NET GridView
control with added features like row filtering, virtual
scrolling & more

NEW Studio for iPhone

• Build iPhone apps using ASP.NET

• Give end-users a familiar experience across Web sites

while taking advantage of the iPhone's unique interface

GET STARTED TODAY • DOWNLOAD YOUR FREE TRIAL @

componentone.com/amazingweb

ComponentOne Sales
1.800.858.2739 or 1.412.681.4343
 Reduce the size of XAP
files by up to 70%
TRY IT FREE ONLINE @
labs.componentone.com

Grids • Char ting • Repor ting • Scheduling • Menus and Toolbars • Ribbon • Data Input • Editors • PDF
WinForms • WPF • ASP.NET • Silverlight • iPhone • Mobile • ActiveX
© 1987-2009 ComponentOne. All rights reserved. iPhone and iPod are trademarks of Apple Inc. Guitar Hero is a registered trademark of
Activision Publishing, Inc. All other product and brand names are trademarks and/or registered trademarks of their respective holders.

Figure 1 Composite Application Library
My example in this article uses as much of the CAL as possible.
It is a shell application that uses the CAL to load several modules
at run time, place views in regions (as shown in Figure 2), and sup-
port services. But before we get to that code, you need to under-
stand some basic concepts about dependency injection (also called
Inversion of Control, or IoC). Many of the CAL’s features rely on
dependency injection, so understanding the basics will help you
develop the architecture of your Silverlight project with Prism.
Introducing Dependency Injection
In typical development, a project starts with an entry point (an
executable, a default.aspx page, and so on). You might develop
your application as one giant project, but in most cases some level
of modularity exists in that your application loads a number of
assemblies that are part of the project. The main assembly knows
what assemblies it needs and creates hard references to those pieces.
At compile time, the main project knows about all the referenced
assemblies, and the user interface consists of static controls. The
application is in control of what code it needs and usually knows all
the code it might use. This becomes a problem, however, because
development takes place inside the main application project. As a
monolithic application grows, build time and conflicting changes
can slow down development.
Dependency injection aims to reverse this situation by provid-
ing instructions that set up dependencies at run time. Instead of
the project controlling these dependencies, a piece of code called
a container is responsible for injecting them.
Figure 2 Composite Application Architecture
38 msdn magazine
But why is this important? For one thing, modularizing your
code should make it easier to test. Being able to swap out a project’s
dependencies enables cleaner testing so that only the code to be
tested can be the source of a test failing, instead of code some-
where in the nested chain of dependencies. Here’s a concrete
example. Imagine you have a component that other developers
use to look up addresses for particular companies. Your com-
ponent depends on a data access component that retrieves the
data for you. When you test your component, you start by test-
ing it against the database, and some of the tests fail. But because
the schema and builds of the database are constantly changing,
you don’t know whether your tests are failing because of your
own code or the data access code. With your component’s hard
dependency on the data access component, testing the applica-
tion becomes unreliable and causes churn while you track down
failures in your code or in other’s code.
Your component might look something like this:
public class AddressComponent
{
DataAccessComponent data = new DataAccessComponent();
public AddressComponent()
{
}
...
}
Instead of a hard-wired component, you could accept an inter-
face that represents your data access, as shown here:
public interface IDataAccess
{
...
}
public class AddressComponent
{
IDataAccess data;
public AddressComponent(IDataAccess da)
{
data = da;
}
...
}
Ordinarily, an interface is used so you can create a version
that allows you to adjust your code. This approach is often called
“mocking.” Mocking means creating an implementation of the
dependency that does not actually represent the real version.
Literally, you’re creating a mock implementation.
This approach is better because the dependency (IDataAccess)
can be injected into the project during construction of the object.
The implementation of the IDataAccess component will depend
on the requirements (testing or real).
That’s essentially how dependency injection works, but how
is the injection handled? The job of the container is to handle
creation of the types, which it does by allowing you to register
types and then resolving them. For example, assume you have
a concrete class that implements the IDataAccess interface.
During start up of the application, you can tell the container
to register the type. Anywhere else in your application where
you need the type, you can ask the container to resolve the
Silverlight
 Figure 3 Type Resolution by the Container
public class AddressComponent : IAddressComponent
{ container.RegisterType<IAddressComponent, AddressComponent>(
IDataAccess data;
public AddressComponent(IDataAccess da)
{ from the patterns & practices group. I’ll use the Unity container in
data = da;
}
} alternatives to the Unity IoC container, such as Ninject, Spring.NET,
...
public void App_Startup()
{
container.RegisterType<IAddressComponent, AddressComponent>();
container.RegisterType<IDataAccess, DbDataAccess>();
}
public void GetAddresses()
{
// When we ask the container to create the AddressComponent,
// it sees that a constructor takes a IDataAccess object
// so it automatically resolves that dependency
IAddressComponent addr = container.Resolve<IAddressComponent>();
} to handle startup behavior.
type, as shown here:
public void App_Startup()
{
container.RegisterType<IDataAccess, DbDataAccess>();
} necessary. The two methods you must override are CreateShell
...
public void GetData()
{ This is typically called the shell because it is the visual container for the
IDataAccess acc = container.Resolve<IDataAccess>();
}
Depending on the situation (testing or production), you can
swap out the implementation of IDataAccess simply by changing
the registration. Additionally, the container can handle construc-
tion injection of dependencies. If an object that needs to be created
by the container’s constructor takes an interface that the container
can resolve, it resolves the type and passes it to the constructor, as
shown in Figure 3.
Notice that the AddressComponent’s constructor takes an
implementation of IDataAccess. When the constructor creates
the AddressComponent class during resolution, it automatically
creates the instance of IDataAccess and passes it to the Address-
Component.
When you register types with the container, you also tell the
container to deal with the lifetime of the type in special ways. For
example, if you are working with a logging component, you might
want to treat it as a singleton so that every part of the application
that needs logging does not get its own copy (which is the default
behavior). To do this, you can supply an implementation of the
abstract LifetimeManager class. Several lifetime managers are sup-
ported. ContainerControlledLifetimeManager is a singleton per
process and PerThreadLifetimeManager is a singleton per thread.
For ExternallyControlledLifetimeManager, the container holds a
weak reference to the singleton. If the object is released externally,
the container creates a new instance, otherwise it returns the live
object contained in the weak reference.
40 msdn magazine
You use the LifetimeManager class by specifying it when regis-
tering a type. Here’s an example:
new ContainerControlledLifetimeManager());
In the CAL, the IoC container is based on the Unity framework
the following examples, but there are also a number of open source
Castle, and StructureMap. If you are familiar with and already using
an IoC container other than Unity, you can supply your own con-
tainer (although it takes a little more eff ort).
Startup Behavior
Ordinarily in a Silverlight application, the startup behavior is
simply to create the main XAML page’s class and assign it to the
application’s RootVisual property. In a composite application,
this work is still required, but instead of creating the XAML page
class, a composite application typically uses a bootstrapping class
To start, you need a new class that derives from the
UnityBootstrapper class. This class is in the Microsoft.Practices.
Composite.UnityExtensions assembly. The bootstrapper contains
overridable methods that handle different parts of startup behavior.
Often, you will not override every startup method, only the ones
and GetModuleCatalog.
The CreateShell method is where the main XAML class is created.
application’s components. My example includes a bootstrapper that
creates a new instance of the Shell class and assigns it to RootVisual
before returning this new Shell class, as shown here:
public class Bootstrapper : UnityBootstrapper
{
protected override DependencyObject CreateShell()
{
Shell theShell = new Shell();
App.Current.RootVisual = theShell;
return theShell;
}
protected override IModuleCatalog GetModuleCatalog()
{
...
}
}
The GetModuleCatalog method, which I’ll explain in the next
section, returns the list of modules to load.
Now that you have a bootstrapper class, you can use it in your
Silverlight application’s startup method. Usually, you create a new
instance of the bootstrapper class and call its Run method, as
shown in Figure 4.
The bootstrapper is also involved in registering types with
the container that different parts of the application require. To
accomplish this, you override the ConfigureContainer method
of the bootstrapper. This gives you a chance to register any types
that are going to be used by the rest of the application. Figure 5
shows the code.
Here, the code registers an interface for a class that implements
the IShellProvider interface, which is created in our example and
Silverlight
Figure 4 Creating an Instance of the Bootstrapper needs to supports the IModule interface. The IModule interface
public partial class App : Application
requires a single method called Initialize that allows the module
{ to set itself up to be used in the rest of the application. The example
public App()
includes a ServerLogger module that contains the logging capabili-
{ ties for our application. The ServerLoggingModule class supports
this.Startup += this.Application_Startup;
this.Exit += this.Application_Exit;
the IModule interface as shown here:
this.UnhandledException += this.Application_UnhandledException; public class ServerLoggerModule : IModule
{
InitializeComponent(); public void Initialize()
} {
...
private void Application_Startup(object sender, StartupEventArgs e) }
{ }
Bootstrapper boot = new Bootstrapper(); The problem is that we don’t know what we want to initialize
boot.Run();
} in our module. Since it’s a ServerLogging module, it seems logical
that we want to register a type that does logging for us. We want
...
} to use the container to register the type so that whoever needs the
logging facility can simply use our implementation without know-
ing the exact type of logging it performs.
We get the container by creating a constructor that takes the
is not part of the CAL framework. That way we can use it in our
IUnityContainer interface. If you remember the discussion of
implementation of the CreateShell method. We can resolve the
dependency injection, the container uses constructor injection
interface and then use it to create an instance of the shell so we
to add types that it knows about. IUnityContainer represents the
can assign it to RootVisual and return it. This methodology may
container in our application, so if we add that constructor, we can
seem like extra work, but as you delve into how the CAL helps you
then save it and use it in our initialization like so:
build your application, it becomes clear how this bootstrapper is
public class ServerLoggerModule : IModule
helping you. {
IUnityContainer theContainer;

Modularity public ServerLoggerModule(IUnityContainer container)

{
In a typical .NET environment, the assembly is the main unit theContainer = container;
of work. This designation allows developers to work on their code }
separately from each other. In the CAL, each of these units of work public void Initialize()
is a module, and for the CAL to use a module, it needs a class that {
theContainer.RegisterType<ILoggerFacade, ServerBasedLogger>(
can communicate the module’s startup behavior. This class also new ContainerControlledLifetimeManager());
}
}

Figure 5 Registering Types Once initialized, this module is responsible for the logging
implementation for the application. But how does this module
public class Bootstrapper : UnityBootstrapper get loaded?
{
protected override void ConfigureContainer() When using the CAL to compose an application, you need
{ to create a ModuleCatalog that contains all the modules for the
Container.RegisterType<IShellProvider, Shell>();
base.ConfigureContainer(); application. You create this catalog by overriding the bootstrapper’s
} GetModuleCatalog call. In Silverlight, you can populate this catalog
protected override DependencyObject CreateShell() with code or with XAML.
{ With code, you create a new instance of the ModuleCatalog class
// Get the provider for the shell
IShellProvider shellProvider = Container.Resolve<IShellProvider>(); and populate it with the modules. For example, look at this:
protected override IModuleCatalog GetModuleCatalog()
// Tell the provider to create the shell {
UIElement theShell = shellProvider.CreateShell(); var logModule = new ModuleInfo()
{
// Assign the shell to the root visual of our App ModuleName = "ServerLogger",
App.Current.RootVisual = theShell; ModuleType =
"ServerLogger.ServerLoggerModule, ServerLogger, Version = 1.0.0.0"
// Return the Shell };
return theShell;
} var catalog = new ModuleCatalog();
catalog.AddModule(logModule);
protected override IModuleCatalog GetModuleCatalog()
{ return catalog;
... }
} Here, I simply add a single module called ServerLogger, the type
}
defined in the ModuleInfo’s ModuleType property. In addition, you
msdnmagazine.com July 2009 41
 can specify dependencies between modules. Because some modules
might depend on others, using dependencies helps the catalog
know the order in which to bring in the dependencies. Using the
ModuleInfo.DependsOn property, you can specify which named
modules are required to load another module.
You can load the catalog directly from a XAML file, as shown
here:
protected override IModuleCatalog GetModuleCatalog()
{
var catalog = ModuleCatalog.CreateFromXaml(new Uri("catalog.xaml",
UriKind.Relative));
return catalog;
}
The XAML file contains the same type information you can cre-
ate with code. The benefit of using XAML is that you can change it
on the fly. (Imagine retrieving the XAML file from a server or from
another location based on which user logged on.) An example of
a catalog.xaml file is shown in Figure 6.
In this XAML catalog, the group includes two modules and the
second module depends on the first. You could use a specific XAML
catalog based on roles or permissions, as you could with code.
Once the catalog is loaded by the bootstrapper, it attempts to
create instances of the module classes and allow them to initialize
themselves. In the code examples here, the types have to be refer-
enced by the application (therefore, already loaded into memory)
for this catalog to work.
This is where this facility becomes indispensible to Silverlight.
Although the unit of work is the assembly, you can specify a .xap
file that contains the module or modules. To do this, you specify
a Ref value in ModuleInfo. The Ref value is a path to the .xap file
that contains the module:
protected override IModuleCatalog GetModuleCatalog()
{ has already loaded them, so the catalog will not try to load them
var logModule = new ModuleInfo()
{
ModuleName = "ServerLogger",
ModuleType =
"ServerLogger.ServerLoggerModule, ServerLogger, Version= 1.0.0.0",
Ref = "ServerLogger.xap"
};
var catalog = new ModuleCatalog();
catalog.AddModule(logModule);
return catalog;
}
When you specify a .xap file, the bootstrapper knows that the
assembly is not available and goes out to the server and retrieves
the .xap file asynchronously. Once the .xap file is loaded, Prism
loads the assembly and creates the module type and initializes
the module.
For .xap files that contain multiple modules, you can create a
ModuleGroup that contains a set of ModuleInfo objects and set
the Ref of the ModuleGroup to load all those modules from a
single .xap file:
var modGroup = new ModuleInfoGroup();
modGroup.Ref = "MyMods.xap";
modGroup.Add(logModule);
modGroup.Add(dataModule);
modGroup.Add(viewModule);
var catalog = new ModuleCatalog();
catalog.AddGroup(modGroup);
42 msdn magazine
Figure 6 A Sample Catalog.xaml File
<m:ModuleCatalog
xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
xmlns:sys="clr-namespace:System;assembly=mscorlib"
xmlns:m="clr-namespace:Microsoft.Practices.Composite.Modularity;
assembly=Microsoft.Practices.Composite">
<m:ModuleInfoGroup InitializationMode="WhenAvailable">
<m:ModuleInfo ModuleName="GameEditor.Client.Data"
ModuleType="GameEditor.Client.Data.GameEditorDataModule,
GameEditor.Client.Data, Version=1.0.0.0"/>
<m:ModuleInfo ModuleName="GameEditor.GameList"
ModuleType="GameEditor.GameList.GameListModule,
GameEditor.GameList, Version=1.0.0.0"
InitializationMode="WhenAvailable">
<m:ModuleInfo.DependsOn>
<sys:String>GameEditor.Client.Data</sys:String>
</m:ModuleInfo.DependsOn>
</m:ModuleInfo>
</m:ModuleInfoGroup>
</m:ModuleCatalog>
For Silverlight applications, this is a way to compose your
applications from multiple .xap files, which allows you to version
different sections of your composed application separately.
When creating Silverlight modules to be housed in a .xap file,
you create a Silverlight Application (not a Silverlight Library).
Then you reference all the module projects you want to put in
the .xap file. You need to remove the app.xaml and page.xaml
files because this .xap file will not be loaded and run like a typi-
cal .xap file. The .xap file is just a container (could be a .zip file,
it doesn’t matter). Also, if you are referencing projects that are
already referenced in the main project, you can change those
references to Copy Local=false in the properties because you
don’t need the assemblies in the .xap file (the main application
a second time.)
But loading a huge application with multiple calls across
the wire does not seem like it would help performance. That is
where the ModuleInfo’s InitializationMode property comes into
play. InitializationMode supports two modes: WhenAvailable,
in which the .xap file is loaded asynchronously and then initial-
ized (this is the default behavior), and OnDemand, in which
the .xap is loaded when explicitly requested. Since the module
catalog does not know the types in the modules until initial-
ization, resolving types that are initialized with OnDemand
will fail.
On-demand support for modules and groups allows you to
load certain functionality in a large application as needed. Startup
time is accelerated, and other required code can be loaded as users
interact with an application. This is a great feature to use when you
have authorization to separate parts of an application. Users who
need only a few parts of the application do not have to download
code they’ll never use.
To load a module on demand, you need access to an IModule-
Manager interface. Most often, you request this in the construc-
tor of the class that needs to load a module on demand. Then you
use IModuleManager to load the module by calling LoadModule,
as shown in Figure 7.
Silverlight
 Willie the Wintellectual

memory leaks?
poor performance
& scalability?
unexplained
crashes?

www.wintellect.com • 877-968-5528 (consulting) | 866-968-5528 (training) • wintellect is know how

 Figure 7 Calling LoadModule
public class GameListViewModel : IGameListViewModel
{ to place views into the region, allowing the shell to be completely
IModuleManager theModuleManager = null;
public GameListViewModel(IModuleManager modMgr)
{
theModuleManager = modMgr;
}
void theModel_LoadGamesComplete(object sender,
LoadEntityCompleteEventArgs<Game> e)
{ shows up as a new item in the ItemsControl. That facility makes it
...
// Since we now have games, let's load the detail pane
theModuleManager.LoadModule("GameEditor.GameDetails");
} mix the regions and the service location aspects of the container
}
Modules are simply the unit of modularization in your applica-
tions. In Silverlight, treat a module much like you would a library
project, but with the extra work of module initialization, you can
decouple your modules from the main project.
UI Composition
In a typical Explorer application, the left pane displays a list or
tree of information and the right side contains details about the item
selected in the left pane. In the CAL, these areas are called regions.
The CAL supports defining regions directly in XAML by using
an attached property on the RegionManager class. This property
allows you to specify regions in your shell and then indicate what
views should be hosted in the region. For example, our shell has two
regions, LookupRegion and DetailRegion, as shown here:
<UserControl
...
xmlns:rg=
"clr-namespace:Microsoft.Practices.Composite.Presentation.Regions;
assembly=Microsoft.Practices.Composite.Presentation">
...
<ScrollViewer rg:RegionManager.RegionName="LookupRegion" />
<ScrollViewer rg:RegionManager.RegionName="DetailRegion" />
</UserControl>
A RegionName can be applied to the an ItemsControl and its
derived controls (for example, ListBox); Selector and its derived
controls (for example, TabControl); and ContentControl and its
derived controls (for example, ScrollViewer).
Once you define regions, you can direct modules to load their
views into the regions by using the IRegionManager interface, as
shown here:
public class GameListModule : IModule
{
IRegionManager regionManager = null;
public GameListModule(IRegionManager mgr)
{ // Marry Them
regionManager = mgr;
}
public void Initialize()
{ }
// Build the View
var view = new GameListView();
// Show it in the region
regionManager.AddToRegion("LookupRegion", view);
} }
}
44 msdn magazine
This facility allows you to define regions in your application
where views can appear and then have the modules define how
ignorant of the views.
The behavior of the regions might be different depending on the
control type being hosted. The example uses a ScrollViewer so that
one and only one view can be added to the region. In contrast, Item-
Control regions allow for multiple views. As each view is added, it
easier to build functionality like a dashboard.
If you are using an MVVM pattern to define your views, you can
to make your views and view models ignorant of each other and
then let the module join them at run time. For example, if I change
the GameListModule, I can register views and views models with
the container and then join them before applying the view to the
region, as shown in Figure 8.
This approach allows you to use UI composition while maintaining
the strict separation of MVVM.
Event Aggregation
After you have multiple views in your applications through UI
composition, you face a common problem. Even though you have
built independent views to support better testing and development,
there are often touch points where the views cannot be completely
isolated. They are logically coupled because they need to commu-
nicate, but you want to keep them as loosely coupled as possible
regardless of the logical coupling.
Figure 8 Joining Views in a Region
public class GameListModule : IModule
{
IRegionManager regionManager = null;
IUnityContainer container = null;
public GameListModule(IUnityContainer con, IRegionManager mgr)
{
regionManager = mgr;
container = con;
}
public void Initialize()
{
RegisterServices();
// Build the View
var view = container.Resolve<IGameListView>();
// Get an Implemenation of IViewModel
var viewModel = container.Resolve<IGameListViewModel>();
view.ApplyModel(viewModel);
// Show it in the region
regionManager.AddToRegion("LookupRegion", view);
void RegisterServices()
{
container.RegisterType<IGameListView, GameListView>();
container.RegisterType<IGameListViewModel, GameListViewModel>();
}
Silverlight
 To enable loose coupling and cross-view communication, the
CAL supports a service called event aggregation. Event aggre-
gation allows access to different parts of the code to publishers
and consumers of global events. Such access provides a straight-
forward way of communicating without being tightly coupled
and is accomplished using the CAL’s IEventAggregator interface.
IEventAggregator allows you to publish and subscribe to events
across the different modules of your application.
Before you can communicate, you need a class that derives from
EventBase. Typically, you create a simple event that derives from the
CompositePresentationEvent<T> class. This generic class allows
you to specify the payload of the event you are going to publish.
In this case, the GameListViewModel is going to publish an event
after a game is selected so that other controls that want to change
their context as the user selects a game can subscribe to that event.
Our event class looks like the following:
public class GameSelectedEvent : CompositePresentationEvent<Game>
{
}
Once the event is defined, the event aggregator can publish the event
by calling its GetEvent method. This retrieves the singleton event that
is going to be aggregated. The first one who calls this method cre-
ates the singleton. From the event, you can call the Publish method
to create the event. Publishing the event is like firing an event. You
do not need to publish the event until it needs to send information.
For example, when a game is selected in the GameList, our example
publishes the selected game using the new event:
// Fire Selection Changed with Global Event
theEventAggregator.GetEvent<GameSelectedEvent>().Publish(o as Game);
In other parts of your composed application, you can subscribe
to the event to be called after the event is published. The Subscribe
method of the event allows you to specify the method to be called
when the event is published, an option that allows you to request
threading semantics for calling the event (for example, the UI
thread is commonly used), and whether to have the aggregator
hold a reference to the passed in information so that it is not sub-
ject to garbage collection:
// Register for the aggregated event
aggregator.GetEvent<GameSelectedEvent>().Subscribe(SetGame,
ThreadOption.UIThread,
false);
As a subscriber, you can also specify filters that are called only in spe-
cific situations. Imagine an event that returns the state of an application
and a filter that is called only during certain data states.
The event aggregator allows you to have communication between
your modules without causing tight coupling. If you subscribe to
an event that is never published or publish an event that is never
subscribed, your code will never fail.
Delegate Commands
In Silverlight (unlike WPF), a true commanding infrastructure
does not exist. This forces the use of code-behind in views to
accomplish tasks that would be accomplished more readily directly
in XAML using the commanding infrastructure. Until Silverlight
supports this facility, the CAL supports a class that helps solve this
problem: the DelegateCommand.
msdnmagazine.com
To get started with DelegateCommand, you need to define the
DelegateCommand in your ViewModel so you can data-bind to it.
In the ViewModel, you would create a new DelegateCommand. The
DelegateCommand expects the type of data to be sent to it (often
Object if no data is used) and one or two callback methods (or lambda
functions). The first of these methods is the action to execute when
the command is fired. Optionally, you can specify a second callback
to be called to test whether the command can be fired. The idea is to
enable the disabling of objects in the UI (buttons, for example) when
it is not valid to fire the command. For example, our GameDetails-
ViewModel contains a command to support saving data:
// Create the DelegateCommand
SaveCommand = new DelegateCommand<object>(c => Save(), c => CanSave());
When SaveCommand is executed, it calls the Save method on our
ViewModel. The CanSave method is then called to make sure the com-
mand is valid. This allows the DelegateCommand to disable the UI if
necessary. As the state of the view changes, you can call the Delegate-
Command.RaiseCanExecuteChanged method to force a new inspec-
tion of the CanSave method to enable or disable the UI as necessary.
To bind this to XAML, use the Click.Command attached prop-
erty that is in the Microsoft.Practices.Composite.Presentation.
Commands namespace. Then bind the value of the command to
be the command you have in your ViewModel, like so:
<Button Content="Save"
cmd:Click.Command="{Binding SaveCommand}"
Style="{StaticResource ourButton}"
Grid.Column="1" />
Now when the Click event is fired, our command is executed. If
you want, you can specify a command parameter to be sent to the
command so you can reuse it.
As you might be wondering, the only command that exists
in the CAL is the Click event for a button (or any other selec-
tor). But the classes you can use to write your own commands
are fairly straightforward. The sample code includes a command
for SelectionChanged on a ListBox/ComboBox. This command
is called the SelectorCommandBehavior and derives from the
CommandBehaviorBase<T> class. Looking at the custom com-
mand behavior implementation will provide you with a starting
place to write your own command behaviors.
Wrapping Up
There are definite pain points when developing large Silverlight
applications. By building your applications with loose coupling
and modularity, you gain benefits and can be agile in responding
to change. The Prism project from Microsoft provides the tools and
guidance to allow that agility to come to the surface of your proj-
ect. While Prism is not a one-size-fits-all approach, the modularity
of the CAL means you can use what fits in your specific scenarios
and leave the rest. „
SHAWN WILDEMUTH is a Microsoft MVP (C#) and the founder of Wildermuth
Consulting Services. He is the author of several books and numerous articles. In
addition, Shawn currently runs the Silverlight Tour, teaching Silverlight  around
the country. He can be contacted at shawn@wildermuthconsulting.com.
July 2009 45
 R E S Tf u l X H T M L

Building XHTML-
Based RESTful Services
with ASP.NET MVC
Aaron Skonnard

A RESTful service is a web of resources that programs
can navigate. When designing a RESTful service, you have to think
carefully about how your web will work. This means designing
resource representations with links that facilitate navigation, de-
scribing service input somehow, and considering how consumers
will navigate around your service at run time. Getting these things
right is often overlooked, but they’re central to realizing the full
potential REST has to offer.
Today, humans navigate sites using Web browsers that know how
to render HTML and other popular content types. HTML provides
the syntax and semantics for establishing links between resources
(<a> element) and for describing and submitting application input
(<form> and <input> elements).
This article discusses:
• REST
• XHTML
• ASP.NET MVC
Technologies discussed:
REST, XHTML, ASP.NET
Code download available at:
msdn.microsoft.com/mag200907REST
48 msdn magazine
When a user clicks on an <a> element in the rendered page, the
browser knows to issue an HTTP GET request for the target resource
and render the response. When a browser encounters a <form>
element, it knows how to render the form description into a user
interface that the user can fill out and submit using either a GET or
POST request. When the user presses a submit button, the browser
encodes the data and sends it using the specified request. These two
features are largely responsible for the success of the Web.
Using links in conjunction with the universal HTTP interface
makes it possible to redirect requests to new locations over time
and change certain aspects of security on the fly without changing
the client code. A standard approach for forms means that you can
add or remove input properties and change default values, again
without changing the client code. Both features are very useful for
building applications that evolve over time.
Your RESTful services should also somehow provide these two
features through whatever resource representation you decide to
use. For example, if you’re designing a custom XML dialect for your
service, you should probably come up with your own elements
for establishing links and describing service input that will guide
consumers through your web. Or you can simply use XHTML.
Most developers don’t immediately consider XHTML as an
option for “services,” but that’s actually one of the ways it was intend-
ed to be used. XHTML documents are by definition well-formed
XML, which allows for automated processing using standard XML
APIs. And since XHTML is also HTML, it comes with <a>, <form>,
and <input> elements for modeling link navigation and service
input as I described earlier. The only thing that’s a little strange at
first is how you model user-defined data structures—however, you
can model classes and fields with <div> and <span> elements and
collections of entities with <ol> and <li> elements. I’ll walk through
how to do this in more detail later in the article.
To summarize, there are several reasons to consider XHTML
as the default representation for your RESTful services. First, you
can leverage the syntax and semantics for important elements like
<a>, <form>, and <input> instead of inventing your own. Second,
you’ll end up with services that feel a lot like sites because they’ll
be browsable by both users and applications. The XHTML is still
interpreted by a human—it’s just a programmer during development
instead of a user at runtime. This simplifies things throughout the
development process and makes it easier for consumers to learn
how your service works. And finally, you can leverage standard Web
development frameworks to build your RESTful services.
ASP.NET MVC is one such framework that provides an inherently
RESTful model for building XHTML-based services. This article
walks through some XHTML design concepts and then shows you
how to build a complete XHTML-based RESTful service that you
can download from the MSDN Magazine site.
XHTML: Representing Data and Links
Before I dive into the details of ASP.NET MVC, let’s first look at
how you can represent common data structures and collections in
XHTML. This approach isn’t the only way to accomplish this, but
it’s a fairly common practice in XHTML-based services today.
Throughout this article, I’ll describe how to implement a simple
bookmark service. The service allows users to create, retrieve,
update, and delete bookmarks and navigate a web of bookmarks
in a variety of ways. Suppose you have a C# class representing a
bookmark that looks like this:
public class Bookmark
{ </ol>
public int Id { get; set; }
public string Title { get; set; }
public string Url { get; set; }
public string User { get; set; }
}
The first question is how can you represent a Bookmark instance
in XHTML? One approach is to combine <div>, <span>, and <a>
elements, where <div> elements represent structures, <span>
elements represent fields, and <a> elements represent identity
and links to other resources. In addition, you can annotate these
elements with the XHTML “class” attribute to provide additional
type metadata. Here’s a complete example:
<div class="bookmark">
<span class="bookmark-id">25</span>
<span class="bookmark-title">Aaron's Blog</span>
<a class="bookmark-url-link" href="http://pluralsight.com/aaron"
>http://pluralsight.com/aaron</a>
<span class="bookmark-username">skonnard</span>
</div>
The next question is how will consumers process this informa-
tion? Since it’s well-formed XML, consumers can use any XML API
to extract the bookmark information. Most .NET programmers will
msdnmagazine.com
probably find that XLinq provides the most natural programming
model for consuming XHTML programmatically. In addition, you
can go one step further by enhancing XLinq with some helpful
XHTML-focused extension methods that make the programming
model even easier.
Throughout this article, I’ll use a set of XLinq extension methods
that I’ve included in the downloadable sample code. These exten-
sions give you a good idea of what’s possible. The following code
shows how to consume the bookmark XHTML shown previously
using XLinq and some of these extensions:
var bookmarkDetails = bookmarkDoc.Body().Struct("bookmark");
Console.WriteLine(bookmarkDetails["bookmark-id"].Value);
Console.WriteLine(bookmarkDetails["bookmark-url"].Value);
Console.WriteLine(bookmarkDetails["bookmark-title"].Value);
Now, if you want to improve how this bookmark renders in
a browser, you can add a Cascading Stylesheet (CSS) to control
browser-specific rendering details or add some additional UI
elements and text that don’t compromise the consumer’s ability to
extract the data of interest. For example, the following XHTML
will be easier for humans to process, but you can still use the
previous .NET code sample to process the information without
any modification:
<h1>Bookmark Details: 3</h1>
<div class="bookmark">
BookmarkID: <span class="bookmark-id">25</span><br />
Title: <span class="bookmark-title">Aaron's Blog</span><br />
Url: <a class="bookmark-url-link" href="http://pluralsight.com/aaron"
>http://pluralsight.com/aaron</a><br />
Username: <span class="bookmark-username">skonnard</span></a><br />
</div>
Collections of resources aren’t hard to model either. You can
represent a list of bookmarks with a combination of <ol>, <li>,
and <a> elements as shown here:
<ol class="bookmark-list">
<li><a class="bookmark-link" href="/bookmarks/1">Pluralsight Home</
a></li>
<li><a class="bookmark-link" href="/bookmarks/2">Pluralsight On-
Demand!</a></li>
<li><a class="bookmark-link" href="/bookmarks/3">Aaron's Blog</a></li>
<li><a class="bookmark-link" href="/bookmarks/4">Fritz's Blog</a></li>
<li><a class="bookmark-link" href="/bookmarks/5">Keith's Blog</a></li>
The following code shows how to print this list of bookmarks
to the console:
var bookmarks = bookmarksDoc.Body().Ol("bookmark-list").Lis();
bookmarks.Each(bm => Console.WriteLine("{0}: {1}",
bm.Anchor().AnchorText, bm.Anchor().AnchorLink));
Notice how each <li> contains an <a> element that links to a spe-
cific bookmark. If you were to navigate one of the anchor elements,
you would retrieve the bookmark details representation shown
earlier. As you begin to define links between resources like this,
your service starts becoming a web of linked resources.
It’s pretty obvious how humans can navigate between resources
using a Web browser, but how about consuming applications? A
consuming application just needs to programmatically locate the
anchor element of interest and then issue a GET request targeting
the URI specified in the “href ” attribute. These details can also
be hidden behind an XLinq extension method that encapsulates
anchor navigation.
The following code shows how to navigate to the first book-
mark in the bookmark list and then to the target bookmark URL.
July 2009 49
 The resulting XHTML is printed to the console:
var bookmarkDoc = bookmarks.First().Anchor().Navigate();
var bookmarkDetails = bookmarkDoc.Body().Struct("bookmark");
var targetDoc = bookmarkDetails.Anchor("bookmark-url-link").Navigate();
Console.WriteLine(targetDoc);
Once you start thinking about building consumers that navigate
your service as a web of resources, you’re officially starting to think
in a more RESTful way.
XHTML: Representing Input with Forms
Now let’s say a consumer wants to create a new bookmark in the
system. How does the consumer figure out what data to send and how
to send it without WSDL? The answer is easy: XHTML forms.
The consumer first issues a GET request to the URI for retrieving
the create bookmark form. The service returns a form that looks
something like this:
<h1>Create Bookmark</h1>
<form action="/bookmark/create" class="create-bookmark-form" method="post">
<p>
<label for="bookmark-title">Title:</label><br />
<input id="bookmark-title" name="bookmark-title" type="text" value="" />
</p>
<p>
<label for="bookmark-url">Url:</label><br />
<input id="bookmark-url" name="bookmark-url" type="text" value="" />
</p>
<p><input type="submit" value="Create" name="submit" /></p>
</form>
The form describes how to build an HTTP POST request for
creating a new bookmark. The form indicates that you need to
provide the bookmark-title and bookmark-url fields. In this example,
bookmark-id will be autogenerated during creation, and bookmark-
username will be derived from the logged-in user identity. The form
also tells you what you need to send and how to send it.
When this form is rendered in a browser, a human can simply
fill out the form and click Submit to create a new bookmark. A
consuming application basically does the same thing by submitting
the form programmatically. Again, this process can be made easier
by using some form-based extension methods, shown here:
var createBookmarkForm = createBookmarkDoc.Body().Form("create-bookmark-
form");
createBookmarkForm["bookmark-title"] = "Windows Live";
createBookmarkForm["bookmark-url"] = "http://live.com/";
createBookmarkForm.Submit();
When this code runs, the Submit method generates an HTTP
POST request targeting the “action” URL, and the input fields
are formatted together as a URL-encoded string (application/x-
www-form-urlencoded). In the end, it’s no different from using
the browser—the result is a new bookmark.
Figure 1 ASP.NET MVC Architecture
50 msdn magazine
Although today’s browsers support GET and POST only for the
form method, nothing is stopping you from also specifying PUT or
DELETE as the form “method” when targeting nonbrowser con-
sumers. The Submit extension method performs equally well for
any HTTP method you specify.
Understanding the ASP.NET MVC Architecture
The ASP.NET MVC architecture is based on the popular model-
view-controller design pattern that has been around for decades.
Figure 1 illustrates the various ASP.NET MVC components and
how they relate to one another. ASP.NET MVC comes with a rout-
ing engine that sits in front of the other MVC components. The
routing engine receives incoming HTTP requests and routes them
to a controller method. The routing engine relies on a centralized
set of routes that you define in Global.asax.
The centralized routes define mappings between URL patterns
and specific controller methods and arguments. When you generate
links, you use these routes to generate the links appropriately.
This makes it easy to modify your URL design throughout the
development process in one central location.
It’s the job of the controller to extract information from the incom-
ing request and to interact with the user-defined model layer. The
model layer can be anything ( Linq to SQL, ADO.NET Entity Frame-
work, NHibernate, and so on)—it’s the layer that performs business
logic and talks to the underlying database. Notice how the model is
not within the System.Web.Mvc namespace. Once the controller has
finished using the model, it creates a view, supplying the view with
model data for the view to use while rendering the output.
In the following sections, I’ll walk through the process of imple-
menting a complete bookmark service using the ASP.NET MVC
architecture. The service supports multiple users and both public
and private bookmarks. Users can browse all public bookmarks and
filter them based on username or tags, and they can fully manage
(CRUD) their own collection of private bookmarks.
To get started, you need to create an ASP.NET MVC project.
You’ll find the ASP.NET MVC Web Application project template
in the list of Web project types. The default project template gives
you a sample MVC starter application that you can actually run
by pressing F.
Notice how the solution structure provides directories for Models,
Views, and Controllers—this is where you place the code for these
different components. The default template comes with two controllers:
one for managing user accounts (AccountController), and another
for supporting requests to the home directory (HomeController).
Both of these are used in the bookmark service.
Implementing the Model
The first thing you should focus on is the model for the book-
mark service. I’ve built a simple SQL Server database that contains
three tables for managing bookmark information—Bookmark,
Tag, and BookmarkTag (see Figure 2)—and they’re pretty self-
explanatory.
The only caveat is that the example relies on the built-in ASP.NET
forms authentication and membership service, which is provided
RESTful XHTML
20 Minutes
to 4 Seconds...
SpreadsheetGear for .NET reduced the time to generate a critical Excel Report
“from 20 minutes to 4 seconds” making his team “look like miracle workers”
Luke Melia, Software Development Manager
at Oxygen Media in New York

ASP.NET Excel Reporting

Easily create richly formatted Excel reports without Excel using the new
generation of spreadsheet technology built from the ground up for scalability
and reliability.

Excel Compatible Windows Forms Control

Add powerful Excel compatible viewing, editing, formatting, calculating,
charting and printing to your Windows Forms applications with the easy to
use WorkbookView control.

Create Dashboards from Excel Charts and Ranges

You and your users can design dashboards, reports, charts, and models in
Excel rather than hard to learn developer tools and you can easily deploy
them with one line of code.

Download the FREE fully functional 30-Day

evaluation of SpreadsheetGear for .NET today at
www.SpreadsheetGear.com.
Toll Free USA (888) 774-3273 | Phone (913) 390-4797 | sales@spreadsheetgear.com

Figure 2 Bookmark Service Linq to SQL Model
by the default AccountController that comes with the project, to
manage the service user accounts, Hence, user account informa-
tion will be stored in a different database (aspnetdb.mdf), separate
from the bookmark information. The username is simply stored
in the Bookmark table.
It’s the job of the model to provide business objects and logic on
top of the database. For this example, I’ve defined the Linq to SQL
model shown in Figure 2. This model, defined in BookmarksModel.
dbml, generates the C# code found in BookmarksModel.designer.
cs. You’ll find classes named Bookmark, Tag, and BookmarkTag.
You’ll also find a BookmarksModelDataContext class, which
bootstraps the entities.
At this point, you can decide to work directly with the Linq to
SQL classes as your MVC model layer, or you can go a step fur-
ther by defining a higher-level repository class that defines the
logical business operations and shields the controller/view from
Figure 3 BookmarksRepository Class
public class BookmarksRepository
{ public ActionResult
// generated Linq to SQL DataContext class
BookmarksModelDataContext db = new BookmarksModelDataContext();
// query methods
public IQueryable<Bookmark> FindAllBookmarks() { ... }
public IQueryable<Bookmark> FindAllPublicBookmarks() { ... }
public IQueryable<Bookmark> FindBookmarksByUser(string username)
{ ... }
public IQueryable<Bookmark> FindPublicBookmarksByUser(string
username) { ... }
public IQueryable<Bookmark> FindBookmarksByTag(string tag) { ... }
public Bookmark FindBookmarkById(int id) { ... }
public IQueryable<string> FindUsers(){ ... }
public IQueryable<Tag> FindTags() { ... }
public Tag FindTag(string tag) { ... }
// insert/delete methods
public void AddBookmark(Bookmark bm) { ... }
public void AddTag(Tag t) { ... }
public void AddTagForBookmark(string tagText, Bookmark bm) { ... }
public void DeleteBookmark(Bookmark bm) { ... }
// persistence
public void Save() { ... }
} }
52 msdn magazine
even more of the underlying data manipulation details. Figure 3
shows the definition for the BookmarksRepository class used in
the bookmark service.
Implementing the Controller
The controller is the piece of code responsible for managing
the HTTP request life cycle. When a request arrives, the ASP.NET
MVC routing engine determines which controller to use (based on
the URL) and then routes the request to the controller by calling a
specific method on it. Hence, when you write a controller, you’re
writing the entry points that will be called by the routing engine.
For the bookmark service, we want to allow authenticated users
to create, edit, and delete bookmarks. When creating bookmarks,
users should be able to mark them as public (shared) or private.
All users should be able to browse public bookmarks and filter
them by username or tags. Private bookmarks, however, should
be visible only to the owner. Consumers should also be able to
retrieve the details for a particular bookmark, assuming they are
authorized to do so. We should also make it possible to browse all
users and tags in the system as a way to navigate the public book-
marks associated with them.
Figure 4 shows the methods the BookmarkController class needs
to support the service requirements I just described. The first three
query methods make it possible to retrieve all public bookmarks,
bookmarks by user, or bookmarks by tag. The class also includes
methods for retrieving users and tags and for retrieving the de-
tails of a specific bookmark instance. All these methods respond
Figure 4 BookmarkController Class
[HandleError]
public class BookmarkController : Controller
{
// underlying model
BookmarksRepository bmRepository = new BookmarksRepository();
// query methods
public ActionResult BookmarkIndex() { ... }
public ActionResult BookmarksByUserIndex(string username) { ... }
BookmarksByTagIndex(string tag) { ... }
public ActionResult UserIndex() { ... }
public ActionResult TagIndex() { ... }
public ActionResult Details(int id) { ... }
// create boomark
[Authorize]
public ActionResult Create() { ... }
[Authorize]
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult Create(FormCollection collection) { ... }
// update bookmark
[Authorize]
public ActionResult Edit(int id) { ... }
[Authorize]
[AcceptVerbs(HttpVerbs.Put | HttpVerbs.Post)]
public ActionResult Edit(int id, FormCollection collection)
// delete bookmark
[Authorize]
public ActionResult Delete(int id) { ... }
[Authorize]
[AcceptVerbs(HttpVerbs.Delete | HttpVerbs.Post)]
public ActionResult Delete(int id, FormCollection collection) { ... }
RESTful XHTML
 $YNAMIC0$&x0ROVEN.%4#OMPONENTSFOR2EAL
4IME0$&S

%ASY TO USE (IGHLYEFFICIENT

)NDUSTRYLEADINGSUPPORT (UGEFEATURESET
4RYIT&2%%TODAY
,AYOUTREPORTSIN$YNAMIC0$&$ESIGNERWITHITS6ISUAL3TUDIOLOOKANDFEEL
%XPERIENCEOURFULLYFUNCTIONALNEVEREXPIRINGEVALUATION
ANDCOMMUNITYEDITIONS
$YNAMIC0$&'ENERATORVFOR.%4
$YNAMIC0$&3UITEVFOR.%4 s,INEARIZE&AST7EB6IEWs*AVA3CRIPT
/UREASY TO USETOOLSINTEGRATEWITH!30.%4 s%NCRYPTION3ECURITYs0$&8 As)##0ROFILES
AND!$/.%4ALLOWINGFORTHEQUICKREAL TIME s)NTERACTIVE&ORM&IELDSs&LEXIBLE4EMPLATES
GENERATIONOF0$&DOCUMENTSANDREPORTS s/VER2EADY 4O 5SE0AGE%LEMENTS)NCLUDING
"AR#ODESAND#HARTINGs$IGITAL3IGNATURES
&OREASYMAINTENANCEANDDEPLOYMENT
OURMOSTPOPULARTOOLSARENOWAVAILABLE
ASABUNDLEDSUITE
$YNAMIC0$&-ERGERVFOR.%4
s-ERGEs3TAMPs!PPENDs3PLITs0ASSWORD3ECURITY
s&ORM &ILLs/UTLINEAND!NNOTATION0RESERVATION
s0LACE2OTATE3CALEAND#LIP0AGESs$ECRYPTION

$YNAMIC0$&2EPORT7RITERVFOR.%4
s'5)2EPORT$ESIGNERs%VENT$RIVENs2ECURSIVE3UB 2EPORTS
s5SE0$&4EMPLATESs!UTOMATIC0AGINATIONs0LACEHOLDERS
s2ECORD3PLITTINGAND%XPANSIONs#OLUMN3UPPORT
s&ULL$YNAMIC0$&-ERGERAND'ENERATOR)NTEGRATION

/UR%NTERPRISE%DITIONSNOWINCLUDE$YNAMIC0$&7EB#ACHEAND&IRE-AIL

CE4E3OFTWAREHASBEENDELIVERINGQUALITYSOFTWAREAPPLICATIONSANDCOMPONENTSTOOURCUSTOMERSFOROVERYEARS/UR
$YNAMIC0$&PRODUCTLINEHASPROVENOURCOMMITMENTTODELIVERINGINNOVATIVESOFTWARECOMPONENTSANDOURABILITYTO
RESPONDTOTHECHANGINGNEEDSOFSOFTWAREDEVELOPERS7EBACKOURPRODUCTSWITHAFIRSTCLASSSUPPORTTEAMTRAINEDTO
PROVIDETIMELYACCURATEANDTHOROUGHRESPONSESTOANYSUPPORTNEEDS
 to HTTP GET requests, but each one will be bound to a different
URI template when the routes are defined.
The rest of the methods are for creating, editing, and deleting
bookmark instances. Notice that there are two methods for each
logical operation—one for retrieving the input form, and another for
responding to the form submission—and each one of these meth-
ods requires authorization. The Authorize attribute ensures that
the caller is authenticated and authorized to access the controller
method. (The attribute also allows you to specify users and roles.) If
an unauthenticated or unauthorized user attempts to access a con-
troller method annotated with [Authorize], the authorization filter
automatically redirects the user to the AccountController’s Logon
method, which presents the “Logon” view to the consumer.
You use the AcceptVerbs attribute to specify which HTTP verbs
a particular controller method will handle (the default is GET). A
single method can handle multiple verbs by ORing the HttpVerb
values together. The reason I’ve bound the second Edit method to
both PUT and POST is to accommodate browsers. This configu-
ration allows browsers to invoke the operation using POST, while
nonbrowser consumers can use PUT (which is more correct). I’ve
done something similar on the second Delete method, binding it to
both DELETE and POST. I still have to be careful that my method
implementations ensure idempotency, which is a requirement for
both PUT and DELETE.
Let’s look at how a few of these methods have been implemented.
First is BookmarkIndex:
public ActionResult BookmarkIndex()
{
var bms = bmRepository.FindAllPublicBookmarks().ToList();
return View("BookmarkIndex", bms);
}
This implementation simply retrieves the list of public Bookmark
entities from the repository and then returns a view called
BookmarkIndex (passing in the list of Bookmark entities). The
view is responsible for displaying the list of Bookmark entities
supplied to it by the controller.
The Details method looks up the target bookmark and returns a
 Not Found error if it doesn’t exist. Then it ensures that the user
is authorized to view the bookmark. If so, it returns the Details view,
supplying the identified Bookmark entity. Otherwise it returns an
Unauthorized response to the consumer.
public ActionResult Details(int id)
{ The single call to MapRoute creates a default routing rule that
var bm = bmRepository.FindBookmarkById(id);
if (bm == null)
throw new HttpException(404, "Not Found");
if (!bm.Shared)
{ segment represents the action name (controller method), and
if (!bm.Username.Equals(HttpContext.User.Identity.Name))
return new HttpUnauthorizedResult();
} can handle the following URIs and route them to the appropriate
return View("Details", bm);
}
As a final example, let’s look at the two Create methods. The first
is actually quite simple—it returns the Create view to present the
form description for creating a new bookmark:
[Authorize]
public ActionResult Create()
{
return View("Create");
} list of tags, or “/bookmarks” to retrieve the list of public bookmarks.
54 msdn magazine
Figure 5 The Create Method That Responds to a Form
Submission Request
[Authorize]
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult Create(FormCollection collection)
{
try
{
Bookmark bm = new Bookmark();
bm.Title = collection["bookmark-title"];
bm.Url = collection["bookmark-url"];
bm.Shared = collection["bookmark-shared"].Contains("true");
bm.LastModified = DateTime.Now;
bm.Username = HttpContext.User.Identity.Name;
bm.Tags = collection["bookmark-tags"];
bmRepository.AddBookmark(bm);
bmRepository.Save();
... // create any new tags that are necessary
return RedirectToAction("BookmaryByUserIndex",
new { username = HttpContext.User.Identity.Name });
}
catch
{
return View("Error");
}
}
Figure 5 shows the second Create method, which responds to
the form submission request. It creates a new Bookmark entity from
the bookmark information found in the incoming FormCollection
object and then saves it to the database. It also updates the database
with any new tags that were associated with the bookmark and
then redirects users to their lists of personal bookmarks to indicate
success.
I don’t have space to cover the entire controller implementation,
but these code samples should give you a taste for the kind of code
you write in the controller.
Designing URIs with Routes
The next thing you need to do is define URL routes that map to the
various BookmarkController methods. You define your application
routes in Global.asax within the RegisterRoutes method. When
you first create an MVC project, your Global.asax will contain the
default routing code shown in Figure 6.
acts like a catchall for all URIs. This route outlines that the first
path segment represents the controller name, the second path
the third path segment represents an ID value. This single rule
controller method:
/Account/Logon
/Bookmark/Create
/Bookmark/Details/25
/Bookmark/Edit/25
Figure 7 shows the routes I’m using for this bookmark service
example. With these additional routes in place, consumers can
browse to “/users” to retrieve the list of users, “/tags” to retrieve the
RESTful XHTML
 Figure 6 Default Routing Code Figure 8 Bookmark Service Master Page
public class MvcApplication : System.Web.HttpApplication <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
{ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
public static void RegisterRoutes(RouteCollection routes) <html xmlns="http://www.w3.org/1999/xhtml">
{ <head runat="server">
routes.IgnoreRoute("{resource}.axd/{*pathInfo}"); <title><asp:ContentPlaceHolder ID="Title" runat="server" /></title>
</head>
routes.MapRoute( <body>
"Default", // Route name <div style="text-align:right">
"{controller}/{action}/{id}", // URL with parameters <% Html.RenderPartial("LogOnUserControl"); %>
new { controller="Home", // Parameter defaults </div>
action="Index", id="" } <h1><asp:ContentPlaceHolder ID="Heading" runat="server" /></h1>
); <hr />
<asp:ContentPlaceHolder ID="MainContent" runat="server" />
} <hr />
<div class="nav-links-footer">
protected void Application_Start() <%=Html.ActionLink("Home", "Index", "Home", null,
{ new { @class = "root-link" } )%> |
RegisterRoutes(RouteTable.Routes); <%=Html.ActionLink("Public Bookmarks", "BookmarkIndex",
} "Bookmark", null,
} new { @class = "public-bookmarks-link" } )%> |
<%=Html.ActionLink("User Bookmarks", "BookmarksByUserIndex", "Bookmark",
new { username = HttpContext.Current.User.Identity.Name },
new { @class = "my-bookmarks-link" })%> |
Consumers can also browse to “/tags/{tagname}” or “/users/{user- <%=Html.ActionLink("Users", "UserIndex", "Bookmark", null,
name}” to filter bookmarks by tag or username, respectively. All new { @class = "users-link" } )%> |
<%=Html.ActionLink("Tags", "TagIndex", "Bookmark", null,
other URIs are handled by the default route shown in Figure 6. new { @class = "tags-link" } )%>
</div>

Implementing the Views

Up to this point, most of what we’ve done applies to both
MVC “sites” and “services.” All MVC applications need models,
controllers, and routes. Most of what’s different about building
MVC “services” is found in the view. Instead of producing a
traditional HTML view for human consumption, a service
must produce a view that’s appropriate for both human and
programmatic consumption.
We’re going to use XHTML for our default service representation
and apply the techniques described earlier for mapping bookmark
data to XHTML. We’ll map data entities to <div> and <span>
elements, and we’ll represent collections using a combination of
<ol> and <li>. We’ll also annotate these elements with the “class”
attribute to provide consumers with additional type metadata.
ASP.NET MVC “views” are just .aspx pages that define a view
template. The .aspx pages are organized by controller name within
the Views directory. Each view can be associated with an ASP.NET
Figure 7 Bookmark Service Routes
public static void RegisterRoutes(RouteCollection routes)
{ <IEnumerable<MvcBookmarkService.Models.Bookmark>>" %>
routes.IgnoreRoute("{resource}.axd/{*pathInfo}");
// customer routes
routes.MapRoute("Users", "users",
new { controller = "Bookmark", action = "UserIndex" });
routes.MapRoute("Tags", "tags",
new { controller = "Bookmark", action = "TagIndex" });
routes.MapRoute("Bookmarks", "bookmarks",
new { controller = "Bookmark", action = "BookmarkIndex" });
routes.MapRoute("BookmarksByTag", "tags/{tag}",
new { controller = "Bookmark", action = "BookmarksByTagIndex",
tag = "" });
routes.MapRoute("BookmarksByUser", "users/{username}",
new { controller="Bookmark", action="BookmarksByUserIndex",
username="" });
// default route
routes.MapRoute("Default", "{controller}/{action}/{id}",
new { controller = "Home", action = "Index", id = ""});
} </asp:Content>
</body>
</html>
master page to maintain a consistent template. Figure 8 shows the
master page for the bookmark service.
The master page defines three placeholders: one for the page title,
another for the <h> heading, and another for the main content
area. These placeholders will be filled in by each individual view.
In addition, the master page displays a login control at the top of
the page, and it provides a footer containing the root service links
to simplify navigation. Notice how I’m using the Html.ActionLink
method to generate these links based on the predefined routes and
controller actions.
Figure 9 shows the main Bookmark Index view you get back
when you browse to “/bookmarks”. It displays the list of bookmarks
Figure 9 Bookmark Index View
<%@ Page Title="" Language="C#" MasterPageFile="~/Views/Shared/Site.
Master" Inherits="System.Web.Mvc.ViewPage
<asp:Content ID="Content1" ContentPlaceHolderID="Title" runat="server">
Public Bookmarks</asp:Content>
<asp:Content ID="Content2" ContentPlaceHolderID="Heading" runat="server">
Public Bookmarks</asp:Content>
<asp:Content ID="Content3" ContentPlaceHolderID="MainContent" runat="server">
<%= Html.ActionLink("Create bookmark", "Create", "Bookmark",
new { id = "" },
new { @class = "create-bookmark-form-link" } )%>
<ol class="bookmark-list">
<% foreach (var item in Model) { %>
<li><%= Html.ActionLink(Html.Encode(item.Title), "Details",
"Bookmark",
new { id = item.BookmarkID }, new { @class =
"bookmark-link" })%></li>
<% } %>
</ol>

56 msdn magazine RESTful XHTML

Figure 10 Bookmark Create View XHTML description of how to programmatically create a new book-
<%@ Page Title="" Language="C#" MasterPageFile="~/Views/Shared/Site.Master"
mark using our service (by simply submitting the form).
Inherits="System.Web.Mvc.ViewPage<MvcBookmarkService.Models.Bookmark>" %> As a final example, Figure 11 shows the beginning of the Book-
<asp:Content ID="Content1" ContentPlaceHolderID="Title" runat="server">
mark Details view. Here I’m using a <div> element to represent
Create Bookmark</asp:Content> the bookmark structure (class=“bookmark”) along with <span>
<asp:Content ID="Content2" ContentPlaceHolderID="Heading" runat="server">
Create Bookmark</asp:Content>
and <a> elements to represent the bookmark fields. Each carries a
<asp:Content ID="Content3" ContentPlaceHolderID="MainContent" runat="server"> “class” attribute to specify the field name.
<% using (Html.BeginForm("Create", "Bookmark", FormMethod.Post,
new { @class = "create-bookmark-form" } ))
Again, I don’t have space to look at all the view examples in detail,
{%> but I hope this illustrates how you can produce clean XHTML result
<p>
<label for="Title">Title:</label><br />
sets that are easy for both applications and humans to consume.

Consuming the Bookmark Service

<%= Html.TextBox("bookmark-title")%>
</p>
<p>
<label for="Url">Url:</label><br />
The easiest way to consume the bookmark service is through a
<%= Html.TextBox("bookmark-url")%> Web browser. Thanks to the XHTML design, you should be able to
</p>
<p>
browse to the service’s root URL and begin navigation from there.
<label for="Tags">Tags:</label><br /> Figure 12 shows what the browser looks like when you browse to
<%= Html.TextBox("bookmark-tags")%>
</p>
the root of the bookmark service and log in. You can click Public
<p> Bookmarks to navigate to the list of all public bookmarks, and then
<label for="Shared">Share with public: </label>
<%= Html.CheckBox("bookmark-shared")%>
navigate to a specific bookmark in the list. If you click Edit, you can
</p> actually edit the bookmark details (see Figure 13). The service is
<p>
<input type="submit" value="Create" name="submit" />
fully usable from any Web browser.
</p>
<% } %>
</asp:Content>

using a combination of <ol>, <li>, and <a> elements. The <ol>

elements are annotated with class=“bookmark-list”, and each <a>
element is annotated with class=“bookmark-link”. This view also
provides a link to retrieve the Create bookmark form description
(right above the list). If you navigate to the link, the Create view
shown in Figure 10 comes into action.
The Create view produces a simple XHTML form, but the <form>
element is annotated with class=“create-bookmark-form”, and each
<input> element has been given a contextual name/ID value that
identifies each bookmark field. This form gives consumers a complete

Figure 12 Browsing to the MVC Bookmark Service

Figure 11 Bookmark Details View
<%@ Page Title="" Language="C#" MasterPageFile="~/Views/Shared/Site.
Master" Inherits="System.Web.Mvc.ViewPage<MvcBookmarkService.Models.
Bookmark>" %>

<asp:Content ID="Content1" ContentPlaceHolderID="Title" runat="server">

Bookmark Details: <%= Model.BookmarkID %></asp:Content>
<asp:Content ID="Content2" ContentPlaceHolderID="Heading" runat="server">
Bookmark Details: <%= Model.BookmarkID %></asp:Content>
<asp:Content ID="Content3" ContentPlaceHolderID="MainContent"
runat="server">
<br />
<div class="bookmark">
BookmarkID: <span class="bookmark-id"><%= Html.Encode(Model.
BookmarkID) %></span><br />
Title: <span class="bookmark-title"><%= Html.Encode(Model.Title)
%></span><br />
Url: <a class="bookmark-url-link" href="<%= Html.Encode(Model.Url) %>">
<%= Html.Encode(Model.Url) %></a><br />
Username: <%=Html.ActionLink(Model.Username, "BookmarksByUserIndex",
"Bookmark",
new { username=Model.Username }, new { @class="bookmark-username-
link" }) %><br />
...
Figure 13 Editing a Specific Bookmark
msdnmagazine.com July 2009 57
 Figure 14 Writing a .NET Client to Consume the Bookmark Service using XLinq
class Program
{ Console.WriteLine("bookmark-title: {0}",
static void Main(string[] args)
{ Console.WriteLine("bookmark-shared: {0}",
// navigate to the root of the service
Console.WriteLine("Navigating to the root of the service...");
Uri uri = new Uri("http://localhost:63965/");
CookieContainer cookies = new CookieContainer();
var doc = XDocument.Load(uri.ToString());
doc.AddAnnotation(uri);
// navigate to public bookmarks
Console.WriteLine("Navigating to public bookmarks...");
var links = doc.Body().Ul("nav-links").Lis();
var bookmarksLink = links.Where(l => l.HasAnchor("public-
bookmarks-link")).First();
var bookmarksDoc = bookmarksLink.Anchor().Navigate();
bookmarksDoc.AddAnnotation(cookies);
// display list of bookmarks
Console.WriteLine("\nPublic bookmarks found in the system:");
var bookmarks = bookmarksDoc.Body().Ol("bookmark-list").Lis();
bookmarks.Each(bm => Console.WriteLine("{0}: {1}",
bm.Anchor().AnchorText, bm.Anchor().AnchorLink));
// navigate to the first bookmark in the list
Console.WriteLine("\nNavigating to the first bookmark in the
list...");
var bookmarkDoc = bookmarks.First().Anchor().Navigate();
var bookmarkDetails = bookmarkDoc.Body().Struct("bookmark");
// print the bookmark details out to the console window
Console.WriteLine("Bookmark details:");
Console.WriteLine("bookmark-id: {0}", bookmarkDetails["bookmark-
id"].Value);
Console.WriteLine("bookmark-url-link: {0}",
While you’re browsing around the service, select View Source
occasionally in your browser, and you’ll notice how simple the
resulting XHTML looks, which again makes it easy to program
against.
Figure 14 shows the code for a complete .NET client applica-
tion that consumes the bookmark service. It uses the set of XLinq
extension methods I described earlier to simplify the XHTML and
HTTP processing details. What’s interesting about this sample is that
it acts more like a human—it needs only the root URI to navigate to
everything else of interest exposed by the bookmark service.
The client starts by navigating to the root address, and then it
looks for the link to the public bookmarks. Next it navigates to the
public bookmark list and identifies a specific bookmark of inter-
est (in this case, the first one). Next it navigates to the bookmark
details and displays them to the console window. Then it retrieves
the login form and performs a login using a set of credentials. Once
logged in, the application retrieves the create bookmark form, fills
it out, and submits a new bookmark to the system.
There are a few key observations to make at this point. First, the
console application is capable of doing everything a human can do
through the Web browser. That’s the killer feature of this XHTML
design style. Second, consumers need only to be hard-coded against
the root URIs exposed by the service. All other URIs are discov-
erable at run time by navigating links found within the XHTML.
And finally, processing XHTML structures isn’t that much differ-
ent from anything else—it’s just data. Plus, this type of code only
60 msdn magazine
bookmarkDetails["bookmark-url-link"].Value);
bookmarkDetails["bookmark-title"].Value);
bookmarkDetails["bookmark-shared"].Value);
Console.WriteLine("bookmark-last-modified: {0}",
bookmarkDetails["bookmark-last-modified"].Value);
// retrieving login form
Console.WriteLine("\nRetrieving login form...");
Uri logonUri = new Uri("http://localhost:63965/Account/Logon");
var logonDoc = XDocument.Load(logonUri.ToString());
logonDoc.AddAnnotation(logonUri);
logonDoc.AddAnnotation(cookies);
// logging on as skonnard
Console.WriteLine("Logging in as 'skonnard'");
var logonForm = logonDoc.Body().Form("account-logon-form");
logonForm["username"] = "skonnard";
logonForm["password"] = "password";
logonForm.Submit();
Console.WriteLine("Login successful!");
// create a new bookmark as 'skonnard'
var createBookmarkDoc = bookmarksDoc.Body().Anchor(
"create-bookmark-form-link").Navigate();
createBookmarkDoc.AddAnnotation(cookies);
var createBookmarkForm = createBookmarkDoc.Body().Form("create-
bookmark-form");
createBookmarkForm["bookmark-title"] = "Test from console!";
createBookmarkForm["bookmark-url"] = "http://live.com/";
createBookmarkForm["bookmark-tags"] = "Microsoft, Search";
createBookmarkForm.Submit();
Console.WriteLine("\nBookmark created!");
}
}
gets easier as you move toward dynamic languages in future ver-
sions of .NET.
Ultimately, ASP.NET MVC provides an inherently RESTful
framework for implementing a web of XHTML-based resources
that can be consumed by both humans and applications simulta-
neously. You can download the entire sample application shown
in this article from the MSDN Magazine Web site.
For another complete example of an XHTML-based RESTful
service found in the real world, browse to the Microsoft/TechNet
Publishing System (MTPS) Content Services at labs.msdn.microsoft.com/
RESTAPI/. This service uses many of the practices I’ve outlined in
this article.
Acknowledgments
Thanks to both Tim Ewald and Craig Andera, whose creative
thinking in this area provided fuel for my article. Tim also provided
the XLinq extension methods found in the accompanying sample
application. „
AARON SKONNARD is a cofounder of Pluralsight, a Microsoft training provider
offering both instructor-led and on-demand developer courses. These days Aar-
on spends most of his time recording Pluralsight On-Demand! courses focused
on Cloud Computing, Windows Azure, WCF and REST. You can reach him at
http://pluralsight.com/aaron and http://twitter.com/skonnard.
RESTful XHTML
 Mother Nature understands the
importance of building in security.
Do you?

Did you know malicious attackers are intentionally seeking out

software vulnerabilities? Threats to application security have
Register for the
become more prevalent in an increasingly interconnected world.
CSSLP Education
You must devise ways to ensure your applications are built
securely in accordance with your policies and procedures. Take
Seminar or Exam.
the lead in building security into every aspect of the software
lifecycle by becoming an (ISC)2® Certified Secure Software
Start Here.
Lifecycle Professional (CSSLPCM). You’ll prove your knowledge on visit www.isc2.org/csslp
how security should be applied. No one understands the critical
nature of security like Mother Nature. We couldn’t ask for a
better teacher. Become a CSSLP today!
 SCALE OUT
Distributed Caching
on the Path
to Scalability
Iqbal Khan
If you’re developing an ASP.NET application, Web computing) has traditionally used Java, but as .NET gains market
services or a high-performance computing (HPC) application,
you’re likely to encounter major scalability issues as you try to
scale and put more load on your application. With an ASP.NET
application, bottlenecks occur in two data stores. The first is the
application data that resides in the database, and the other is ASP.
NET session state data that is typically stored in one of three modes
(InProc, StateServer, or SqlServer) provided by Microsoft. All three
have major scalability issues.
Web services typically do not use session state, but they do have
scalability bottlenecks when it comes to application data. Just like
ASP.NET applications, Web services can be hosted in IIS and
deployed in a Web farm for scalability.
HPC applications that are designed to perform massive par-
allel processing also have scalability problems because the data
store does not scale in the same manner. HPC (also called grid
This article discusses:
• Distributed caching
• Scalability
• Database synchronization
Technologies discussed:
ASP.NET, Web services, HPC applications
62 msdn magazine
share, it is becoming more popular for HPC applications as well.
HPC applications are deployed to hundreds and sometimes
thousands of computers for parallel processing, and they often
need to operate on large amounts of data and share intermediate
results with other computers. HPC applications use a database
or a shared file system as a data store, and both of these do not
scale very well.
Distributed Caching
Caching is a well-known concept in both the hardware and
software worlds. Traditionally, caching has been a stand-alone
mechanism, but that is not workable anymore in most environ-
ments because applications now run on multiple servers and in
multiple processes within each server.
In-memory distributed caching is a form of caching that allows
the cache to span multiple servers so that it can grow in size and in
transactional capacity. Distributed caching has become feasible now
for a number of reasons. First, memory has become very cheap, and
you can stuff computers with many gigabytes at throwaway prices.
Second, network cards have become very fast, with Gbit now stan-
dard everywhere and Gbit gaining traction. Finally, unlike a data-
base server, which usually requires a high-end machine, distributed
caching works well on lower cost machines (like those used for Web
servers), which allows you to add more machines easily.

Figure 1 Distributed Cache Shared by Various Apps in an Enterprise
Distributed caching is scalable because of the architecture it employs.
It distributes its work across multiple servers but still gives you a logical
view of a single cache. For application data, a distributed cache keeps a
copy of a subset of the data in the database. This is meant to be a tem-
porary store, which might mean hours, days or weeks. In a lot of situa-
tions, the data being used in an application does not need to be stored
permanently. In ASP.NET, for example, session data is temporary and
needed for maybe a few minutes to a few hours at most.
Similarly, in HPC, large portions of the processing requires
storing intermediate data in a data store, and this is also temporary
in nature. The final outcome of HPC might be stored in a database,
however. Figure 1 shows a typical configuration of a distributed
cache in an enterprise.
Must-Have Features in Distributed Cache
Traditionally, developers have considered caching only static
data, meaning data that never changes throughout the life of the
application. But that data is usually a very small subset—maybe
%—of the data that an application processes. Although you can
keep static data in the cache, the real value comes if you can cache
dynamic or transactional data—data that keeps changing every
few minutes. You still cache it because within that time span, you
might fetch it tens of times and save that many trips to the data-
base. If you multiply that by thousands of users who are trying to
perform operations simultaneously, you can imagine how many
fewer reads you have on the database.
But if you cache dynamic data, the cache has to have certain features
designed to avoid data integrity problems. A typical cache should have
features for expiring and evicting items, as well as other capabilities.
I’ll explore these features in the following sections.
Expirations
Expirations are at the top of the list. They let you specify how
long data should stay in the cache before the cache automatically
msdnmagazine.com
removes it. You can specify two types of expirations: absolute-time
expiration and sliding-time (or idle-time) expiration.
If the data in your cache also exists in a master data source,
you know that this data can be changed in the database by users
or applications that might not have access to the cache. When
that happens, the data in the cache becomes stale. If you’re able
to estimate how long this data can be safely kept in the cache,
you can specify absolute-time expiration—something like,
“Expire this item  minutes from now” or “Expire this item at
midnight tonight.”
One interesting variation to absolute expiration is whether your
cache can reload an updated copy of the cached item directly from
your data source. This is possible only if your cache provides a
read-through feature (see later sections) and allows you to regis-
ter a read-through handler that reloads cached items when abso-
lute expiration occurs. Except for a few commercial caches, most
caches do not support this feature.
You can use idle-time (sliding-time) expiration to expire an item
if it is not used for a given period of time. You can specify some-
thing like, “Expire this item if nobody reads or updates it for 
minutes.” This approach is useful when your application needs the
data temporarily, but once the application is finished using it, you
want the cache to automatically expire it. ASP.NET session state is
a good candidate for idle-time expiration.
Absolute-time expiration helps you avoid situations in which
the cache has a stale copy of the data or a copy that is older than
the master copy in the database. Idle-time expiration is meant to
clean up the cache after your application no longer needs certain
data. Instead of having your application keep track of necessary
cleanup, you let the cache take care of it.
Evictions
Most distributed caches are in-memory and do not persist the
cache to disk. This means that in most situations, memory is limited
and the cache size cannot grow beyond a certain limit, which could
be the total memory available or much less than that if you have
other applications running on the same machine.
Either way, a distributed cache should allow you to specify a
maximum cache size (ideally, in terms of memory size). When
the cache reaches this size, it should start removing cached
items to make room for new ones, a process usually referred to
as evictions.
Evictions are made based on various algorithms. The most popular
is least recently used (LRU), where those cached items that have not
been touched for the longest time are removed. Another algorithm
is least frequently used (LFU). Here, those items that have been
touched the least number of times are removed. There are a few
other variations, but these two are the most popular.
Caching Relational Data
Most data comes from a relational database, but even if it does
not, it is relational in nature, meaning that different pieces of data
are related to one another—for example, a customer object and
an order object.
July 2009 63
 Figure 2 Keeping Track of Relationships Among Cached Items
using System.Web.Caching;
...
public void CreateKeyDependency()
{
Cache["key1"] = "Value 1";
// Make key2 dependent on key1.
String[] dependencyKey = new String[1];
dependencyKey[0] = "key1";
CacheDependency dep1 = new CacheDependency(null, dependencyKey);
Cache.Insert("key2", "Value 2", dep2);
}
When you have these relationships, you need to handle them in
a cache. That means the cache should know about the relationship
between a customer and an order. If you update or remove a cus-
tomer from the cache, you might want the cache to also automati-
cally update or remove related order objects from the cache. This
helps maintain data integrity in many situations.
But again, if a cache cannot keep track of these relationships, you
have to do it, and that makes your application much more cumber-
some and complex. It’s a lot easier if you just tell the cache at the time
data is added that an order is associated with a customer, and the
cache then knows that if that customer is updated or removed, related
orders also have to be updated or removed from the cache.
ASP.NET Cache has a really cool feature called CacheDependency,
which allows you to keep track of relationships between differ-
ent cached items. Some commercial caches also have this feature.
Figure 2 shows an example of how ASP.NET Cache works.
This is a multilayer dependency, meaning that A can depend on
B and B can depend on C. So, if your application removes C, A and
B have to be removed from the cache as well.
Synchronizing a Cache with Other Environments
Expirations and cache dependency features are intended to help
you keep the cache fresh and correct. You also need to synchronize
your cache with data sources that you and your cache don’t have
access to so that changes in those data sources are reflected in your
cache to keep it fresh.
For example, let’s say your cache is written using the Microsoft
.NET Framework, but you have Java or C++ applications modifying
data in your master data source. You want these applications to notify
your cache when certain data changes in the master data sources so
that your cache can invalidate a corresponding cached item.
Ideally, your cache should support this capability. If it doesn’t,
this burden falls on your application. ASP.NET Cache provides
this feature through CacheDependency, as do some commercial
caching solutions. It allows you to specify that a certain cached
item depends on a file and that whenever this file is updated or re-
moved, the cache discovers this and invalidates the cached item.
Invalidating the item forces your application to fetch the latest copy
of this object the next time your application needs it and does not
find it in the cache.
64 msdn magazine
If you had , items in the cache, , of them might
have file dependencies, and for that you might have , files in
a special folder. Each file has a special name associated with that
cached item. When some other application—whether written in
.NET or not—changes the data in the master data source, that
application can communicate to the cache through an update of
the file time stamp.
Database Synchronization
The need for database synchronization arises because the
database is being shared across multiple applications, and not all
those applications have access to your cache. If your application
is the only application updating the database and it can also easily
update the cache, you probably don’t need the database synchro-
nization capability. But in a real-life environment, that’s not always
the case. Whenever a third party or any other application changes
the database data, you want the cache to reflect that change. The
cache reflects changes by reloading the data, or at least by not having
the older data in the cache.
If the cache has an old copy and the database a new copy, you
now have a data integrity problem because you don’t know which
copy is right. Of course, the database is always right, but you don’t
always go to the database. You get data from the cache because your
application trusts that the cache will always be correct or that the
cache will be correct enough for its needs.
Synchronizing with the database can mean invalidating the related
item in the cache so that the next time your application needs it,
it will fetch it from the database. One interesting variant to this
process is when the cache automatically reloads an updated copy
of the object when the data changes in the database. However, this
is possible only if your cache allows you to provide a read-through
handler (see the next section) and then uses it to reload the cached
item from the database. However, only some of the commercial
caches support this feature, and none of the free ones do.
ASP.NET Cache has a SqlCacheDependency feature (see Figure 3)
that allows you to synchronize the cache with a SQL Server /
Figure 3 Using SqlDependency to Synchronize with a Relational
Database
using System.Web.Caching;
using System.Data.SqlClient;
...
public void CreateSqlDependency(Customers cust, SqlConnection conn)
{
// Make cust dependent on a corresponding row in the
// Customers table in Northwind database
string sql = "SELECT CustomerID FROM Customers WHERE ";
sql += "CustomerID = @ID";
SqlCommand cmd = new SqlCommand(sql, conn);
cmd.Parameters.Add("@ID", System.Data.SqlDbType.VarChar);
cmd.Parameters["@ID"].Value = cust.CustomerID;
SqlCacheDependency dep = new SqlCacheDependency(cmd);
string key = "Customers:CustomerID:" + cust.CustomerID;
Cache.Insert(key, cust, dep);
}
Scale Out
 or Oracle g R or later version database—basically any database
that has the .NET CLR built into it. Some of the commercial caches
also provide this capability.
ASP.NET Cache SqlCacheDependency allows you to specify a
SQL string to match one or more rows in a table in the database.
If this row is ever updated, the DBMS fires a .NET event that your
cache catches. It then knows which cached item is related to this
row in the database and invalidates that cached item.
One capability that ASP.NET Cache does not provide but that
some commercial solutions do is polling-based database synchro-
nization. This capability is helpful in two situations. First, if your
DBMS does not have the .NET CLR built into it, you cannot benefit
from SqlCacheDependency. In that case, it would be nice if your
cache could poll your database on configurable intervals and detect
changes in certain rows in a table. If those rows have changed, your
cache invalidates their corresponding cached items.
The second situation is when data in your database is frequently
changing and .NET events are becoming too chatty. This occurs be-
cause a separate .NET event is fired for each SqlCacheDependency
change, and if you have thousands of rows that are updated frequently,
Figure 4 Example of a Read-Through Handler for SQL Server
using System.Web.Caching;
using System.Data.SqlClient;
using Company.MyDistributedCache;
...
public class SqlReadThruProvider : IReadhThruProvider
{ all those users would be going directly to the database, inundating
private SqlConnection _connection;
// Called upon startup to initialize connection
public void Start(IDictionary parameters)
{
_connection = new SqlConnection(parameters["connstring"]);
_connection.Open();
}
// Called at the end to close connection
public void Stop() { _connection.Close(); }
// Responsible for loading object from external data source
public object Load(string key, ref CacheDependency dep)
{ operations. Having a cache that serves as an enterprise-level data
string sql = "SELECT * FROM Customers WHERE ";
sql += "CustomerID = @ID";
SqlCommand cmd = new SqlCommand(sql, _connection);
cmd.Parameters.Add("@ID", System.Data.SqlDbType.VarChar);
// Let’s extract actual customerID from "key"
int keyFormatLen = "Customers:CustomerID:".Length;
string custId = key.Substring(keyFormatLen,
key.Length - keyFormatLen);
cmd.Parameters["@ID"].Value = custId;
// fetch the row in the table
SqlDataReader reader = cmd.ExecuteReader();
// copy data from "reader" to "cust" object
Customers cust = new Customers();
FillCustomers(reader, cust);
// specify a SqlCacheDependency for this object
dep = new SqlCacheDependency(cmd);
return cust;
} cache does it for you. This simplifies your application code because
}
66 msdn magazine
this could easily crowd your cache. In such cases, it is much more
efficient to rely on polling, where with one database query you can
fetch hundreds or thousands of rows that have changed and then
invalidate corresponding cached items. Of course, polling creates
a slight delay in synchronization (maybe – seconds), but this
is acceptable in many cases.
Read-Through
In a nutshell, read-through is a feature that allows your cache to
directly read data from your data source, whatever that may be. You
write a read-through handler and register it with your cache, and
then your cache calls this handler at appropriate times. Figure 4
shows an example.
Because a distributed cache usually lives outside your application,
it is shared across multiple instances of your application or even mul-
tiple applications. One important capability of a read-through handler
is that the data you cache is fetched by the cache directly from the
database. Hence, your applications don’t have to have database code.
They can just fetch data from the cache, and if the cache doesn’t have
it, the cache goes and takes it from the database.
You gain even more important benefits if you combine read-through
capabilities with expirations. Whenever an item in the cache expires,
the cache automatically reloads it by calling your read-through han-
dler. You save a lot of traffic to the database with this mechanism. The
cache uses only one thread, one database trip, to reload that data from
the database, whereas you might have thousands of users trying to
access that same data. If you did not have read-through capability,
the database with thousands of parallel requests.
Read-through allows you to establish an enterprise-level data
grid, meaning a data store that not only is highly scalable, but can
also refresh itself from master data sources. This provides your
applications with an alternate data source from which to read data
and relieves a lot of pressure on your databases.
As mentioned earlier, databases are always the bottleneck in
high-transaction environments, and they become bottlenecks due
mostly to excessive read operations, which also slow down write
grid above your database gives your applications a major perfor-
mance and scalability boost.
However, keep in mind that read-through is not a substitute for
performing some complex joined queries in the database. A typical
cache does not let you do these types of queries. A read-through
capability works well for individual object read operations but not
in operations involving complex joined queries, which you always
need to perform on the database.
Write Through, Write Behind
Write-through is just like read-through: you provide a handler,
and the cache calls the handler, which writes the data to the database
whenever you update the cache. One major benefit is that your ap-
plication doesn’t have to write directly to the database because the
the cache, rather than your application, has the data access code.
Scale Out
 Map, Chart, and DataGrid out-of-the-box ready
ComponentOne® SharePoint Web Parts bring you superior performance, styling,
animation, and interactivity with no coding required. Build rich data visualization
into your Microsoft Office SharePoint Server 2007 and Windows SharePoint
Services 3.0 sites using these feature-packed, easily configurable Web Parts.

Try them for Free at www.componentone.com/webparts

Doc-To-Help makes both end-user and reference documentation easy by allowing you to
publish multiple formats and versions from one project. Doc-To-Help is also the only tool
to incorporate features specifically for software developers such as Microsoft Sandcastle
integration, Help 2.0 output, an embeddable Dynamic Help pane, and more!

nual outpu ts
Great Help & printed ma
Easy-to-use interface
Get everything you need in one solution.

ComponentOne Sales 1.800.858.2739 or 1.412.681.4343

© 1987-2009 ComponentOne. All rights reserved. All product and brand names are trademarks and/or registered trademarks of their respective holders.
 Normally, your application issues an update to the cache (for
example, Add, Insert, or Remove). The cache updates itself first
and then issues an update call to the database through your write-
through handler. Your application waits until both the cache and
the database are updated.
What if you want to wait for the cache to be updated, but you
don’t want to wait for the database to be updated because that slows
down your application’s performance? That’s where write-behind
comes in, which uses the same write-through handler but updates
the cache synchronously and the database asynchronously. This
means that your application waits for the cache to be updated, but
you don’t wait for the database to be updated.
You know that the database update is queued up and that the
database is updated fairly quickly by the cache. This is another
way to improve your application performance. You have to write
to the database anyway, but why wait? If the cache has the data,
you don’t even suffer the consequences of other instances of
your application not finding the data in the database because
you just updated the cache, and the other instances of your
application will find the data in the cache and won’t need to go
to the database.
Cache Query
Normally, your application finds objects in the cache based on a
key, just like a hash table, as you’ve seen in the source code examples
above. You have the key, and the value is your object. But sometimes
you need to search for objects based on attributes other than the
key. Therefore, your cache needs to provide the capability for you
to search or query the cache.
There are a couple of ways you can do this. One is to search on
the attributes of the object. The other involves situations in which
you’ve assigned arbitrary tags to cached objects and want to search
based on the tags. Attribute-based searching is currently available
only in some commercial solutions through object query languages,
but tag-based searching is available in commercial caches and in
Microsoft Velocity.
Let’s say you’ve saved a customer object. You could say, “Give me
all the customers where the city is San Francisco,” when you want
only customer objects, even though your cache has employees,
customers, orders, order items, and more. When you issue a SQL-
like query such as the one shown in Figure 5, it finds the objects
that match your criteria.
Figure 5 Using a LINQ Query to Search Items in the Cache
using Company.MyDistributedCache;
...
public List<Customers> FindCustomersByCity(Cache cache, string city)
{
// Search cache with a LINQ query
List<Customers> custs = from cust in cache.Customers
where cust.City == city
select cust;
return custs;
}
68 msdn magazine
Tagging lets you attach multiple arbitrary tags to a specific ob-
ject, and the same tag can be associated with multiple objects. Tags
are usually string-based, and tagging also allows you to categorize
objects into groups and then find the objects later through these
tags or groups.
Event Propagation
You might not always need event propagation in your cache, but
it is an important feature that you should know about. It’s a good
feature to have if you have distributed applications, HPC applica-
tions, or multiple applications sharing data through a cache. What
event propagation does is ask the cache to fire events when certain
things happen in the cache. Your applications can capture these
events and take appropriate actions in response.
Say your application has fetched some object from the cache
and is displaying it to the user. You might be interested to know if
anybody updates or removes this object from the cache while it is
displayed. In this case, your application will be notified, and you
can update the user interface.
This is, of course, is a very simple example. In other cases, you
might have a distributed application where some instances of
your application are producing data and other instances need to
consume it. The producers can inform the consumers when data
is ready by firing an event through the cache that the consumers
receive. There are many examples of this type, where collabora-
tion or data sharing through the cache can be achieved through
event propagation.
Cache Performance and Scalability
When considering the caching features discussed in the previous
sections, you must not forget that the main reasons you’re think-
ing of using a distributed cache, which are to improve performance
and, more important, to improve the scalability of your applica-
tion. Also, because your cache runs in a production environment
as a server, it must also provide high availability.
Scalability is the fundamental problem a distributed cache
addresses. A scalable cache is one that can maintain performance
even when you increase the transaction load on it. So, if you have
an ASP.NET application in a Web farm and you grow your Web
farm from five Web servers to  or even  Web servers, you should
be able to grow the number of cache servers proportionately and
keep the same response time. This is something you cannot do
with a database.
A distributed cache avoids the scalability problems that a database
usually faces because it is much simpler in nature than a DBMS
and also because it uses different storage mechanisms (also known
as caching topologies) than a DBMS. These include replicated,
partitioned, and client cache topologies.
In most distributed cache situations, you have two or more
cache servers hosting the cache. I’ll use the term “cache cluster”
to indicate two or more cache servers joined together to form
one logical cache. A replicated cache copies the entire cache on
each cache server in the cache cluster. This means that a replicat-
ed cache provides high availability. If any one cache server goes
Scale Out
 down, you don’t lose any data in the cache because another copy
is immediately available to the application. It’s also an extremely
efficient topology and provides great scalability if your applica-
tion needs to do a lot of read-intensive operations. As you add
more cache servers, you add that much more read-transaction
capacity to your cache cluster. But a replicated cache is not the
ideal topology for write-intensive operations. If you are updat-
ing the cache as frequently as you are reading it, don’t use the
replicated topology.
A partitioned cache breaks up the cache into partitions and then
stores one partition on each cache server in the cluster. This topol-
ogy is the most scalable for transactional data caching (when writes
to the cache are as frequent as reads). As you add more cache serv-
ers to the cluster, you increase not only the transaction capacity
but also the storage capacity of the cache, since all those partitions
together form the entire cache.
Many distributed caches provide a variant of a partitioned cache
for high availability, where each partition is also replicated so that
one cache server contains a partition and a copy or a backup of an-
other server’s partition. This way, you don’t lose any data if any one
server goes down. Some caching solutions allow you to create more
than one copy of each partition for added reliability.
Another very powerful caching topology is client cache (also
called near cache), which is very useful if your cache resides in a
remote dedicated caching tier. The idea behind a client cache is
that each client keeps a working set of the cache close by (even
within the application’s process) on the client machine. However,
just as a distributed cache has to be synchronized with the data-
base through different means (as discussed earlier), a client cache
needs to be synchronized with the distributed cache. Some com-
mercial caching solutions provide this synchronization mecha-
nism, but most provide only a stand-alone client cache without
any synchronization.
In the same way that a distributed cache reduces traffi c to the
database, a client cache reduces traffic to the distributed cache. It
is not only faster than the distributed cache because it is closer to
the application (and can also be InProc), it also improves the scal-
ability of the distributed cache by reducing trips to the distributed
cache. Of course, a client cache is a good approach only when you
are performing many more reads than writes. If the number of reads
and writes are equal, don’t use a client cache. Writes will become
slower because you now have to update both the client cache and
the distributed cache.
High Availability
Because a distributed cache runs as a server in your production
environment, and in many cases serves as the only data store for
your application (for example, ASP.NET session state), the cache
must provide high availability. This means that your cache must
be very stable so that it never crashes and provides the ability to
make configuration changes without stopping the cache.
Most users of a distributed cache require the cache to run with-
out any interruptions for months at a time. Whenever they have to
stop the cache, it is usually during a scheduled down time. That is
70 msdn magazine
why high availability is so critical for a distributed cache. Here are
a few questions to keep in mind when evaluating whether a cach-
ing solution provides high availability.
• Can you bring one of the cache servers down without stopping
the entire cache?
• Can you add a new cache server without stopping the cache?
• Can you add new clients without stopping the cache?
In most caches, you use a specified maximum cache size so that
the cache doesn’t exceed the amount of data. The cache size is based
on how much memory you have available on that system. Can
you change that capacity? Let’s say you initially set the cache size
to be GB but now want to make it GB. Can you do that without
stopping the cache?
Those are the types of questions you want to consider. How many
of these configuration changes really require the cache to be restart-
ed? The fewer, the better. Other than the caching features, the first
criteria for having a cache that can run in a production environ-
ment is how much uptime the cache is going to give you.
Performance
Simply put, if accessing the cache is not faster than accessing
your database, there is no need to have it. Having said that, what
should you expect in terms of performance from a good distrib-
uted cache?
The first thing to remember is that a distributed cache is usu-
ally OutProc or remote, so access time will never be as fast as that
of a stand-alone InProc cache (for example, ASP.NET Cache). In
an InProc stand-alone cache, you can probably read , to
, items per second (KB object size). With an OutProc or a
remote cache, this number drops significantly. In terms of perfor-
mance, you should expect about , to , reads per second
(KB object size) as the throughput of an individual cache server
(from all clients hitting on it). You can achieve some of this InProc
performance by using a client cache (in InProc mode), but that is
only for read operations and not for write operations. You sacri-
fice some performance in order to gain scalability, but the slower
performance is still much faster than database access.
Gaining Popularity
A distributed cache as a concept and as a best practice is gain-
ing more popularity. Only a few years ago, very few people in the
.NET space knew about it, although the Java community has been
ahead of .NET in this area. With the explosive growth in applica-
tion transactions, databases are stressed beyond their limits, and
distributed caching is now accepted as a vital part of any scalable
application architecture. „
IQBAL KHAN is president and technology evangelist at Alachisoft (www.alachisoft.com).
Alachisoft provides NCache , an industry-leading .NET distributed cache for boost-
ing performance and scalability in enterprise applications. Iqbal has an MS in
computer science from Indiana University, Bloomington. You can reach him at
iqbal@alachisoft.com.
Scale Out
Get ready for…
the all-in-one .Net toolbox
One vendor. The Telerik quality. The Telerik support.

www.telerik.com

US Sales: +1.888.365.2779 • Germany Sales: +49.89.8780687.70 • Europe HQ: +359.2.80.99.850 • e-mail: sales@telerik.com

* Telerik WebUI Test Studio and WinUI Test Studio include Automation Design Canvas software, owned and developed by ArtOfTest, Inc.
 TEST RUN JAMES MCCAFFREY

Request-Response Testing with F#

The F# programming language has several parameterize the test harness later. My har-
characteristics that make it well-suited for soft- ness begins by echoing the target URL of
ware test automation. In this month’s column, localhost:/MiniCalc/Default.aspx. Notice
I show you how to use F# to perform HTTP that I am using the Visual Studio development
request-response testing for ASP.NET Web Web server rather than IIS, so I specify a port
applications. Specifically, I create a short test- number () instead of the IIS default port
harness program that simulates a user exercis- . In test case , my F# harness program-
ing an ASP.NET application. The F# harness matically posts information that corresponds
programmatically posts HTTP request infor- to a user typing  into control TextBox, typing
mation to the application on a Web server. It a  into TextBox, selecting RadioButton (to
then fetches the HTTP response stream and indicate an addition operation), and clicking
examines the HTML text for an expected value on Button (to calculate). Behind the scenes,
of some sort to determine a pass/fail result. In the harness captures the HTTP response from
addition to being a useful testing technique in the Web server and then searches the response
its own right, learning how to perform HTTP for an indication that . (the correct result
request-response testing with F# provides Figure 1 ASP.NET Web Application of  + ) is in the TextBox result control. The
you with an excellent way to learn about the Under Test harness tracks the number of test cases that
F# language. This column assumes you have pass and the number that fail (which is a sur-
basic familiarity with ASP.NET technology and intermediate .NET prisingly interesting operation in F#) and displays those results after
programming skills with C# or VB.NET, but does not assume you all test cases have been processed.
have any experience with the F# language. However, even if you In the sections of this column that follow, I briefly describe the
are new to ASP.NET and test automation in general, you should Web application under test so you’ll know exactly what is being
still be able to follow this month’s column without too much dif- tested. Next, I walk you through the details of creating lightweight
ficulty. To see where I’m headed, take a look at Figures 1 and 2. HTTP request-response automation using the F# language. I wrap
Figure 1 illustrates the example ASP.NET Web application under up by describing how you can modify the techniques I’ve presented
test that I use. The system under test is a simple but representative to meet your own needs. I also present a few opinions about why
Web application, named MiniCalc. you should take time to investigate F#. I think you’ll find the
I deliberately keep my ASP.NET Web application under test as information presented here interesting and a useful addition to
simple as possible so that I don’t obscure the key points in the test your testing toolset.
automation. Realistic Web applications are significantly more com-
plex than the dummy MiniCalc application shown in Figure 1, but The Application Under Test
the F# testing techniques I describe here easily generalize to com- Let’s take a look at the code for the MiniCalc ASP.NET Web
plex applications. The MiniCalc Web application accepts two inte- application, which is the target of my test automation. I created the
gers and an instruction to add or multiply. It then sends the values MiniCalc application using Visual Studio  to take advantage of
to a Web server where the result is computed. The server creates the built-in development Web server. After launching Visual Studio,
the HTML response and sends it back to the client browser where I clicked on File | New | Web Site. In order to avoid the ASP.NET
the result is displayed to four decimal places. Figure 2 shows an code-behind mechanism and keep all the code for my Web applica-
F# test harness in action. tion in a single file, I selected the Empty Web Site option. To avoid
My F# harness is named project.exe and does not accept any
command-line arguments. For simplicity, I have hard-coded Send your questions and comments for James to testrun@microsoft.com.
information including the URL of the Web application, test case Code download is available at code.msdn.microsoft.com/mag200907 Testing.
input, and test case expected results. I will explain how you can
72 msdn magazine
 To verify that my Web application under test was built correctly, I hit
the <F> key. I clicked OK on the resulting Debugging Not Enabled
dialog to instruct Visual Studio to modify the Web application’s
Web.config file. Visual Studio then started the development server
and assigned a random port number to the Web application—in this
case , as you can see in Figure 1. If I had wanted to specify a
port number, I could have selected the MiniCalc project in Solu-
tion Explorer, and then clicked on the View main menu item and
selected the Properties Window option. This would display a “Use
dynamic ports” option set to a default of True, and I could change
the value to False and enter a value in the “Port number” field.

Figure 3 MiniCalc Web Application Under Test Source

<%@ Page Language="C#" %>
<script language="C#" runat="server">
private void Button1_Click(object sender, System.EventArgs e)
{
Figure 2 Request-Response Testing with F# int alpha = int.Parse(TextBox1.Text.Trim());
int beta = int.Parse(TextBox2.Text.Trim());

if (RadioButton1.Checked) {
using IIS, I selected the File System option from the Location field TextBox3.Text = Sum(alpha, beta).ToString("F4");
drop-down control. I decided to use C# for the MiniCalc applica- }
else if (RadioButton2.Checked) {
tion, but the F# test harness I present in this column works with TextBox3.Text = Product(alpha, beta).ToString("F4");
ASP.NET applications written in VB.NET. Additionally, with slight }
else
modifications the harness can target non-.NET Web applications that TextBox3.Text = "Select method";
are written using technologies such as classic ASP, CGI, PHP, JSP, }
private static double Sum(int a, int b) {
Ruby, and so on. Because I intend to use the Visual Studio develop- double ans = a + b;
ment server, I specified a standard location in the file system, such return ans;
}
as C:\MyWebApps\MiniCalc, rather than an IIS-specific location, private static double Product(int a, int b) {
such as C:\Inetpub\wwwroot\MiniCalc. I clicked OK on the New double ans = a * b;
return ans;
Web Site dialog to generate the structure of my Web application. }
Next, I went to the Solution Explorer window, right-clicked on the </script>

MiniCalc project name, and selected Add New Item from the context <html>
menu. I then selected Web Form from the list of installed templates <head>
<style type=”text/css”>
and accepted the Default.aspx file name. I cleared the “Place code in fieldset { width: 16em }
separate file” option and then clicked the Add button. body { font-size: 10pt; font-family: Arial }
</style>
Next, I double-clicked on the Default.aspx file name in Solution <title>Default.aspx</title>
Explorer to edit the template-generated code. I deleted all the tem- </head>
<body bgColor=”#ffcc99”>
plate code and replaced it with the code shown in Figure 3. <h3>MiniCalc by ASP.NET</h3>
In order to keep my source code small in size and easy to <form method=”post” name=”theForm” id=”theForm”
runat=”server” action=”Default.aspx”>
understand, I am not using good coding practices in this Web <p><asp:Label id=”Label1” runat=”server”>
application. In particular, I do not do any error checking and I use Enter integer:&nbsp&nbsp</asp:Label>
<asp:TextBox id=”TextBox1” width=”100” runat=”server” /></p>
a somewhat haphazard design approach by combining server-side <p><asp:Label id=”Label2” runat=”server”>
controls (such as <asp:TextBox>) with plain HTML (such as <field- Enter another:&nbsp</asp:Label>
<asp:TextBox id=”TextBox2” width=”100” runat=”server” /></p>
set>). The most important parts of the code listing in Figure 3 for <p></p>
you to note are the IDs of my ASP.NET server-side controls. I use <fieldset>
<legend>Arithmentic Operation</legend>
default IDs Label (user prompt), TextBox and TextBox (input for <p><asp:RadioButton id=”RadioButton1” GroupName=”Operation”
two integers), RadioButton and RadioButton (choice of addition runat=”server”/>Addition</p>
<p><asp:RadioButton id=”RadioButton2” GroupName=”Operation”
or multiplication), Button (calculate), and TextBox (result). To runat=”server”/>Multiplication</p>
perform automated HTTP request-response testing for an ASP.NET <p></p>
</fieldset>
application, you must know the IDs of the application’s controls. In <p><asp:Button id=”Button1” runat=”server” text=” Calculate “
this situation, I have the source code available because I am creating onclick=”Button1_Click” /> </p>
<p><asp:TextBox id=”TextBox3” width=”120” runat=”server” /></p>
the application myself; but even if you are testing a Web applica- </form>
tion you didn’t write, you can always examine the application by </body>
</html>
using a Web browser’s View Source functionality.
msdnmagazine.com July 2009 73
 Notice that the action attribute of my <form> element is set to
Default.aspx. In other words, every time a user submits a request, the
same Default.aspx page code is executed. This gives my MiniCalc Web
application the feel of a single application rather than a sequence of
different Web pages. Because HTTP is a stateless protocol, ASP.NET
accomplishes the application effect by maintaining the Web appli-
cation’s state in a special hidden value type, called the ViewState. As
we’ll see shortly, dealing with an ASP.NET application’s ViewState is
the key to programmatically posting data to the application.
ASP.NET Request-Response Testing with F#
Now that we’ve seen the Web application under test, let’s go
over the F# test harness program that produced the screenshot
in Figure 2. F# is tentatively scheduled to ship with the next
version of Visual Studio. For this column, I decided to use the
September  Community Technical Preview (CTP) version of
F# and Visual Studio . By the time you read this column, you
may have other options for using F#. In any case, the CTP version
I used was extremely stable, and I installed it without any difficulty.
The F# installation process places everything you need to write F#
programs into Visual Studio.
I started by launching Visual Studio and then clicking File
| New | Project. On the New Project dialog, I selected the Visual
F# project type, then selected the F# Application template to
create a command-line application. I named my project, “Project.”
The project name will become the name of the resulting executable
(here, project.exe), so a more descriptive name, such as Request-
Response-Harness, might have been preferable. After specifying
a location for my F# project and clicking OK, I double-clicked on
file Program.fs in the Visual Studio Solution Explorer window to
open an editing window. The overall structure for my F# harness
is listed in Figure 4.
Figure 4 F# Test Harness Structure
#light
open System
open System.Text
open System.Net
open System.IO
open System.Web
printfn "\nBegin F# HTTP request-response test of MiniCalc Web App\n"
let url = "http://localhost:15900/MiniCalc/Default.aspx"
printfn "URL under test = %s \n" url
// define function to get ViewState & EventValidation
// set up test case data
try
// set numPass & numFail counters to 0
// iterate and process each test case
// display number pass & number fail
printfn "\nEnd F# test run"
Console.ReadLine() |> ignore
with
| :? System.OverflowException as e ->
printfn "Fatal overflow exception %s" e.Message
Console.ReadLine() |> ignore
| :? System.Exception as e ->
printfn "Fatal: %s" e.Message
Console.ReadLine() |> ignore
// end source
74 msdn magazine
The first line in my F# source code, #light, instructs the F# com-
piler to use lightweight syntax, where indentation and newlines
in part determine program structure. This is standard practice
for F# programs. I use the F# open keyword to bring the relevant
.NET namespaces into scope, similar to using keyword in C# or
the imports keyword in Visual Basic. Notice that because I am
using light syntax, I do not use an explicit statement terminator
such as the semicolon character used by C#, JavaScript, and other
C-related languages. I open System.Text in order to easily use the
Encoding class to convert text to bytes. The System.Net and System.
IO namespaces house the key classes needed to programmatically
post data to a Web application. The System.Web namespace is not
visible by default to an F# application, so I explicitly added that
namespace by right-clicking on the project name in Visual Studio
and then selecting the Add Reference option. I open System.Web
so that I can use the HttpUtility class to perform URL-encoding.
My next instruction is straightforward:
printfn "\nBegin F# HTTP request-response test of MiniCalc Web App\n"
The printfn() library function displays information to the
command shell as you’d expect. Strings in F# are delimited by
double-quotes and can contain embedded escape sequences such
as \n for a newline. One of the key characteristics of F# is that almost
everything revolves around functions, and most functions return
a value that must be explicitly dealt with. However, the printfn()
function does not return a value. Next I set my target URL:
let url = "http://localhost:15900/MiniCalc/Default.aspx"
I use the let keyword and the = operator to bind a string value to
an identifier named url. (Many members of the F# team prefer to
use the term symbol rather than identifier.) Notice the port num-
ber in the URL string. In this case, I do not specify the data type
for identifier url so the F# compiler will have to infer the type. I
could have explicitly typed identifier url as a string:
let url : string = " . . . "
Instead of hard-coding the URL into the F# source, I could fetch
it as a command-line argument using the built-in Sys.argv array:
let url = Sys.argv.[1]
Sys.argv.[] is the program name, .[] is the first argument, and
so on. Next I echo the target URL:
printfn "URL under test = %s \n" url
The printfn() function uses C-language style formatting, where %s
indicates a string. Other common specifiers include %d for integer,
%x for hexadecimal, %.f for floating point with two decimals, and
a generic %A for all types. F# supports exception handling using a
try-with construction. If an exception is thrown in the try block,
control will be transferred to the with block where the exception
will be handled. Notice that with light syntax I do not use curly
braces to define begin and end points for a code block. Instead, all
statements that are indented the same number of blank spaces (you
cannot use tab characters) are part of the same code block. The last
line in my try block is a call to ReadLine(), so that my harness will
pause execution and hold the command shell on the screen:
Console.ReadLine() |> ignore
ReadLine() returns a string, and in F#, the return value must be
accounted for or the compiler will generate an error. Here I use the
Test Run
 |> pipe operator to send the return value to the built-in ignore object.
As an alternative for discarding a return value in most situations,
you can use the special _ (underscore) identifier like this:
let _ = Console.ReadLine()
However, for subtle F# syntax reasons, this approach does not
work as the last statement of a code block. My exception handling
code uses an interesting F# construction:
| :? System.OverflowException as e ->
printfn "Fatal overflow exception %s" e.Message
| :? System.Exception as e ->
printfn "Fatal: %s" e.Message
You can interpret the first part of this code to mean, “If the
exception matches type System.OverflowException, then assign
the exception to an identifier named e, and then print a string
message that includes the exception Message text.” The | token is
the match operator. In other words, if an exception is thrown, my
program attempts to match the exception with two patterns. The
:? operator tests for types rather than values.
Harness Details
Now that I’ve explained the overall structure of my F# test harness,
let’s look at the details. If you refer to Figure 4, you’ll see that I define
a function that fetches ViewState and EventValidation information
from the MiniCalc application under test. In F#, you must define
functions in source code before you call them. As I described earlier,
because HTTP is a stateless protocol, ASP.NET uses a special ViewState
value to maintain state. A ViewState value is a Base-encoded string
that represents the state of the ASP.NET Web application after every
request-response round trip. An EventValidation value is somewhat
similar to a ViewState value, but is used for security purposes to
help prevent script-insertion attacks. As it turns out, if you want to
programmatically post to an ASP.NET Web application, you must
send the application’s current ViewState value and current Event-
Validation value. The code for the function that fetches ViewState
and EventValidation values is listed in Figure 5.
Notice that I use the let keyword and the = operator to define
an F# function. I name my function getVSandEV and specify a
single input parameter named url that has type string. My function
signature does not explicitly indicate the return type, but I could
have done so, as I’ll explain in a moment. My function begins by
instantiating a WebClient object:
let wc = new WebClient()
Figure 5 Function to Fetch ViewState and EventValidation
let getVSandEV (url : string) =
let wc = new WebClient()
let st = wc.OpenRead(url)
let sr = new StreamReader(st)
let res = sr.ReadToEnd()
sr.Close()
st.Close()
let startI = res.IndexOf("id=\"__VIEWSTATE\"", 0) + 24
let endI = res.IndexOf("\"", startI)
let viewState = res.Substring(startI, endI - startI)
let startI = res.IndexOf("id=\"__EVENTVALIDATION\"", 0) + 30
let endI = res.IndexOf("\"", startI)
let eventValidation = res.Substring(startI, endI - startI)
(viewState, eventValidation)
76 msdn magazine
Because I placed an open statement to the System.Net namespace
that houses the WebClient class, I do not need to fully qualify the
class name. Next, I send a priming request to the target URL:
let st = wc.OpenRead(url)
let sr = new StreamReader(st)
let res = sr.ReadToEnd()
I use the OpenRead() method, combined with a StreamReader object
and its ReadToEnd() method, to send a request to the target Web ap-
plication, grab the entire HTML source of the response as a string, and
bind that result to an identifier named res. In most cases, I suggest you
explicitly type F# identifiers, such as let res : string = sr.ReadToEnd(),
but in this situation, I let the F# compiler infer the type of identifier res.
At this point, I need to parse out the ViewState and EventValidation
values from the string value bound to the res identifier. The part of the
string value bound to res that has the ViewState value resembles:
<input type="hidden" name="__VIEWSTATE"
id="__VIEWSTATE" value="/wEPDwUK . . . Zmv==" />
First, I find the location of the beginning of the ViewState value
using the String.IndexOf() method:
let startI = res.IndexOf("id=\"__VIEWSTATE\"", 0) + 24
The  argument means begin searching res at index position ,
which is the beginning of the response string. Notice that because my
target string contains double-quote characters, I delimit the target
string by using an \” escape sequence. Once I find where my target
value begins, the actual ViewState value starts  characters from
that index. Note that “—VIEWSTATE” has two leading underscore
characters, not just one. This is a pretty crude way to parse for the
initial ViewState value and makes my code brittle. However, in this
situation, I am performing quick and easy test automation and I’m
willing to accept the possibility that my code may break. Now I find
the location within res where the ViewState value ends:
let endI = res.IndexOf("\"", startI)
I search for the first occurrence of any double-quote character
after the beginning of the ViewState value I just found (at startI)
and bind that location with identifier endI. Now that I know where
the ViewState value begins and ends within the response string res,
I can extract the value using the SubString method:
let viewState = res.Substring(startI, endI - startI)
The two arguments to the SubString() method are the index
within res to begin extracting from, and the number of characters
to extract (not the index to end extracting, which is a common
mistake). As always with indexing methods, you’ve got to be very
careful to avoid starting or ending one character too soon or too
late. The identifier viewState now holds the initial ViewState value
for the target ASP.NET Web application. Extracting the EventVali-
dation value follows the same pattern:
let startI = res.IndexOf("id=\"__EVENTVALIDATION\"", 0) + 30
let endI = res.IndexOf("\"", startI)
let eventValidation = res.Substring(startI, endI - startI)
Notice that I reuse my startI and endI identifiers and bind them
to new values. This is legal in F# when the code is inside a method
definition, as it is here, but not legal in top-level code outside of a
method. At this point, I have my two values bound to identifiers
ViewState and EventValidation. I use a neat F# feature to effectively
return both values simultaneously:
(viewState, eventValidation)
Test Run
 I do not use an explicit return keyword; the last line of an F#
function automatically represents the return value. Here I use
parentheses to construct an F# tuple, which you can think of as
a set of values. As I mentioned above, I could have defined my
getVSandEV() function in a way that explicitly indicates the
return value:
let getVSandEV (url : string) : (string * string) = . . .
The (string * string) notation means my function returns a tuple
of two strings. Now that I’ve defined my helper function, I set up
my test case data:
let testCases =
[| "001,TextBox1=5&TextBox2=3&Operation=RadioButton1" +
"&Button1=clicked,value=\"8.0000\",Add 5 and 3"
"002,TextBox1=5&TextBox2=3&Operation=RadioButton2" +
"&Button1=clicked,value=\"15.0000\",Multiply 5 and 3"
"003,TextBox1=0&TextBox2=0&Operation=RadioButton1" +
"&Button1=clicked,value=\"0.0000\",Add 0 and 0"
|]
Here I create an immutable F# array named testCases that con-
tains three strings. The [| . . . |] notation is used by F# to delimit
an array. Because my three strings are quite long, I break each
string into two parts and use the + string concatenation opera-
tor to stitch them back together. F# also accepts the ^ character
for string concatenation. The first part of the first string in array
testCases, , is a test case ID. After a comma delimiter, I have
TextBox=&TextBoxt= that, when posted to the MiniCalc Web
application, will simulate a user typing these values. The third name-
value pair (Operation=RadioButton) is a way to simulate a user
selecting a RadioButton control item—in this case, the RadioButton
that corresponds to addition. You might have incorrectly guessed
(as I originally did) at something like RadioButton=checked.
However, RadioButton is a value of the Operation control, not
a control itself. The fourth name-value pair (Button=clicked)
is somewhat misleading. I need to supply a value for Button to
simulate that it has been clicked by a user, but any value will work.
So, I could have used “Button=yadda” or even just “Button=” if I
had wanted to. But “Button=clicked” is more descriptive. The next
field (value=“.”) in my test case data is an expected value in
the form of a string that I’ll look for in the HTML response stream.
The final field (Add  and ) is a simple comment.
Using an F# array to store my test case data is perhaps the sim-
plest approach, but there are several alternatives. I could have
replaced the [| . . . |] delimiters with plain square brackets such as:
let testCases = [ “ . . .” ] to create an F# List. Lists are common
and thematic with older functional programming languages such
as LISP and Prolog, but in this situation, I’d gain no advantage
by using a List. Alternatively, I could have created an F# mutable
array like this:
let testCases = Array.create 3 ""
testCases.[0] <- "001,. . ."
testCases.[1] <- "002,. . ."
testCases.[2] <- "003,. . ."
The use of mutable arrays is quite rare in F# and, again, I’d
gain no advantage by using one here; I mention the possibility
mostly to show you mutable array syntax. If you refer back to
the overall test harness structure shown in Figure 3, you can see
that I am now ready to start processing each test case. I begin by
msdnmagazine.com
setting up counter identifiers to store the number of test cases
that pass and fail:
let numPass = ref 0
let numFail = ref 0
In most cases, I’d simply bind these identifiers to , for example,
“let numPass = ”. However, I need to initialize the counters out-
side a function and increment each counter inside the function (as
we’ll see shortly), but print the final values outside the function.
This causes a minor problem, because of scope visibility issues. In
In awkward situations like this,
one approach is to use the ref
keyword as I’ve done here.
awkward situations like this, one approach is to use the ref key-
word as I’ve done here. I’ll explain how to work with ref identifiers
shortly. Now comes the trickiest syntax part of my F# test harness.
I process each test case:
testCases |>
Seq.iter(fun (testCase : string) ->
// parse current test case
// get ViewState and EventValidation
// send HTTP request and get response
// check response for expected value
// print pass or fail
)
I use the |> pipe operator to send my testCases array into the Seq.iter()
method, which will process each test case item in the array. Seq.iter()
expects an argument that is a function that will be applied to every
item in the sequence. I could write a function explicitly, but a thematic
F# approach is to define an anonymous function on the fly using
the “fun” keyword. My anonymous function accepts a single-string
parameter named testCase, which will be bound to each item in turn
in the testCases array. Here, the parameter testCase must be type
string because each item in the array testCases is a string, so I could
have omitted the explicit typing for testCase. Inside my anonymous
function, I parse out the values in the current test case:
let delimits = [|',';'~'|];
let tokens = testCase.Split(delimits)
let caseID = tokens.[0]
let input = tokens.[1]
let expected = tokens.[2]
let comment = tokens.[3]
Notice I use the F# [| . . |] syntax with a semicolon delimiter to
specify an array of characters as an argument for the String.Split()
method. Next, I call the getVSandEV() function I defined earlier:
let (vs, ev) = getVSandEV url
Recall that getVSandEV() accepts a single-string argument
and returns a tuple of two strings. I use parentheses to capture
the tuple, deconstruct the tuple values, and bind them to identi-
fiers vs and ev. Notice that in F#, I do not need to use parenthe-
ses when calling a program-defined function. Next, I build up my
actual POST data:
let data = input +
"&__VIEWSTATE=" + HttpUtility.UrlEncode(vs) +
"&__EVENTVALIDATION=" + HttpUtility.UrlEncode(ev)
let buffer = Encoding.ASCII.GetBytes(data)
July 2009 77
 I take the value bound to identifier input and concatenate the
required ViewState and EventValidation values. Because ViewState
and EventValidation values are Base encoded, they may contain
characters that are not valid in an HTTP POST request (in par-
ticular, = padding characters), so I use the UrlEncode() method
in the System.Web namespace to convert any such troublesome
characters into an escape sequence such as %D. I use the Get-
Bytes() method to convert my string into an array of bytes. Now
I can create an HTTP request object:
let req = WebRequest.Create(url) :?> HttpWebRequest
req.Method <- "POST"
req.ContentType <- "application/x-www-form-urlencoded"
req.ContentLength <- int64 buffer.Length
I instantiate an HttpWebRequest object using a factory mecha-
nism of the WebRequest class. I must cast the return value of the
Create() method, so I use the downcast :?> operator, which you can
interpret to mean “and cast as type xxx”. Because the properties of
my .NET object are mutable, I use the <- operator to assign values of
“POST”, “application/x-www-form-urlencoded”, and buffer.Length
to the Method, ContentType, and ContentLength properties of the
request object. Notice that to cast the Length property of identifier
buffer as int, I use syntax similar to C-based languages rather
than using the :?> operator. In F#, you use C-style cast syntax with
.NET value types, such as int, and use :?> with reference types,
such as HttpWebRequest. With the request object created, I can
fire it off to the Web application under test:
let reqSt = req.GetRequestStream()
reqSt.Write(buffer, 0, buffer.Length)
reqSt.Flush()
reqSt.Close()
The Write() method does not actually write its byte array argu-
ment, so I explicitly call the Flush() method to do so. Now I can fetch
the HTTP response and bind it to an identifier named html:
let res = req.GetResponse() :?> HttpWebResponse
let resSt = res.GetResponseStream()
let sr = new StreamReader(resSt)
let html = sr.ReadToEnd()
In F#, when you call a .NET method that accepts only a single
argument, you can omit the parentheses in the call. However, .NET
methods with no arguments, those with two or more arguments,
and constructor calls all require parentheses. Therefore, the F# team
suggests always using parentheses when calling .NET methods.
Now I display my test case input:
printfn "============================"
printfn "Test case: %s" caseID
printfn "Comment : %s" comment
printfn "Input : %s" input
printfn "Expected : %s" expected
And then I examine the HTML response to look for the
expected string:
if html.IndexOf(expected) >= 0 then
printfn "Pass"
numPass := !numPass + 1
else
printfn " ** FAIL **"
numFail := !numFail + 1
I use the String.IndexOf() method, which returns - if its string
argument is not found, or the index location of the argument if the
argument is found. Notice that in F#, if . . then syntax uses an explicit
then keyword. Recall that I declared my two counter identifiers using
78 msdn magazine
the ref keyword. We’ve seen that F# uses = to bind an initial value
to an identifier, and the <- operator to update a mutable identifier.
This code shows that F# uses the := operator to change the value
referenced by an identifier. Notice, too, that because I am working
with ref objects, I use the ! operator to dereference and get the value
associated with the ref object. After each test case has been processed,
I pause for a key-press and then delay execution for  second:
let _ = Console.ReadLine()
System.Threading.Thread.Sleep(1000)
) // end anonymous function
Here I use the common F# idiom to discard the return value of
Console.ReadLine() by assigning the return to the special_identifier.
Instead, I could have piped the return to “ignore”, as I explained
earlier. Notice that because I did not open namespace System.Thread-
ing, I must fully qualify my call to the Thread.Sleep() method. After
all test case input in the array testCase has been processed by the
anonymous function in Seq.iter(), control is transferred to the end
of the F# harness and I can print summary results:
printfn "Number pass = %d" !numPass
printfn "Number fail = %d" !numFail
printfn "\nEnd F# test run"
Now my harness is ready to run. Once I make sure the Visual
Studio development Web server is running, I can execute my har-
ness from a command shell, as shown in Figure 2.
Wrap Up
The example F# harness I’ve presented here should give you a solid
base to create a test harness that meets your own particular testing situ-
ation. In general, the most difficult problem you’ll face is determining
what data to post to your Web application under test. One good way
to do this is to manually exercise your Web application and capture
HTTP request data with a sniffer tool to see what information is be-
ing sent to the Web server that is hosting the application. There are
many such tools available on the Internet as free downloads.
Let me address why you might want to investigate the F# lan-
guage. After all, learning any new programming language requires
a significant investment of time. Learning F# will require some
effort, especially if you are new to functional programming. Here
are four reasons I decided to learn F#. First, F# has gotten very good
informal technical reviews from several of my colleagues whose
opinions I respect. Second, it never hurts to add a new technology
to your toolset and resume. Third, I believe that learning a new pro-
gramming language helps you understand other languages better
and use them more effectively. Fourth, I’m finding the F# language
interesting and just plain enjoyable to learn.
Acknowledgement: My thanks to Tim Ng, a senior development
lead on the F# team, who provided much technical advice for this
article. „
DR. JAMES MCCAFFREY works for Volt Information Sciences, Inc., where he man-
ages technical training for software engineers working at Microsoft’s Redmond,
Washington campus. He has worked on several Microsoft products including
Internet Explorer and MSN Search. James is the author of “.NET Test Automa-
tion Recipes” (Apress, ). James can be reached at jmccaffrey@volt.com or
v-jammc@microsoft.com.
Test Run
JON FLANDERS
More on REST
In the last two columns, I’ve described the basics of REST and
talked about exposing and consuming Web feeds. In this column,
I’ll answer a number of questions that often come up when I make
presentations or conduct training sessions on using REST to build
service-based applications.
Which is better, REST or SOAP?
This is one of the most common questions I get about REST, and
it is probably the least fair. Both REST and SOAP are often termed
“Web services,” and one is often used in place of the other, but they
are totally different approaches. REST is an architectural style for
building client-server applications. SOAP is a protocol specifica-
tion for exchanging data between two endpoints.
Because REST relies on the
semantics of HTTP, requests for
data can be cached.
Comparing REST with the remote procedure call (RPC) style of
building client-server applications would be more accurate. RPC is
a style (rather than a protocol, which is what SOAP is) of building
client-server applications in which a proxy (generally generated from
metadata) is used in the client’s address space to communicate with
the server and the proxy’s interface mimics the server’s interface.
Although SOAP doesn’t require the RPC style, most modern SOAP
toolkits are geared toward (at least they default to) using RPC.
In contrast to RPC, REST lacks the metadata-generated proxy
(see the next question for more information), which means that
the client is less coupled to the service. Also, because REST relies
on the semantics of HTTP, requests for data (GET requests) can be
cached. RPC systems generally have no such infrastructure (and even
when performing RPC using SOAP over HTTP, SOAP responses
can’t be cached because SOAP uses the HTTP POST verb, which is
considered unsafe). SOAP intentionally eschews HTTP, specifically
to allow SOAP to work over other protocols, so it’s actually a little
disingenuous to call SOAP-based services Web services.
My perspective is that both REST and SOAP can be used to
implement similar functionality, but in general SOAP should be
SERVICE STATION
used when a particular feature of SOAP is needed, and the advan-
tages of REST make it generally the best option otherwise.
What about security? Isn’t SOAP
more secure than REST?
This question touches one of my pet peeves because the answer
is clearly no. It is just as easy to make a RESTful service secure as
it is to make a SOAP-based service secure. In the majority of cases
involving either REST or SOAP, the security system is the same:
some form of HTTP-based authentication plus Secure Sockets
Layer (SSL). Although technically the technology for secure con-
versations over HTTP is now called Transport Layer Security (TLS),
SSL is still the name most commonly used.
What is true is that a SOAP-based service, because of the extra
protocols specified in the various WS-* specifications, does support
end-to-end message security. This means that if you pass SOAP
messages from endpoint to endpoint to endpoint, over the same or
different protocols, the message is secure. If your application needs
this particular feature, SOAP plus WS-* is definitely the way to go.
REST probably wouldn’t be an option here because of its dependence
on HTTP, and inherently you’d be designing a multiprotocol applica-
tion. I believe that the fact that SOAP with WS-* enables end-to-end
message-level security is the source of the misconception that SOAP-
based services are more secure than RESTful services.
Another area in which the WS-* folks have spent a lot of time
and effort recently is federated security. The simple idea behind
federated identity is to create trust between two companies, where
authenticated users from one company can be trusted and considered
authenticated by another company without the second company
having to maintain the authentication information (username
and password, typically). The various WS-* specifications have
implementations from all the major vendors, and Microsoft is in-
tegrating the ideas into Active Directory through Active Directory
Federation Services (ADFS).
In the realm of federated security, the WS-* arena certainly has
more standards than the RESTful arena (and this will probably
always continue to be the case), but there are efforts to support
federated security in the world of REST. OpenID is one such effort.
The .NET Service Bus (part of Windows Azure) also contains a
Send your questions and comments to sstation@microsoft.com.
July 2009 79
 DevConnections ...
Providing the vision

One Place, One Time ...

BONUS PRODUCT GIVEAWAY

>> The first 400 paid attendees will be mailed SQL Server 2008 standard with one CAL

DEVCONNECTIONS ROCKS the technology industry as the LARGEST and

most EXCITING event focused on MICROSOFT TECHNOLOGY and YOUR needs.

Scott Guthrie Thomas Rizzo Steve Riley Quentin Clark Dave Mendlen
Microsoft Microsoft Microsoft Microsoft Microsoft
Corporate Vice Director, Senior Security General Manager Director of
President, .NET SharePoint Group Strategist of Database Developer
Developer Division Engine Group Marketing

Technology+Solutions=Impact
 Enter:
MSDN
intelligence into the online
discount code when
to keep you and your company registering online
competitive in today’s market! before August 1st to
receive a $200
discount!

DevConnections Fall ‘09

Make CONNECTIONS the CONFERENCE
you bring your whole team to this year!

NOVEMBER 9-12, 2009

LAS VEGAS, NEVADA
MANDALAY BAY RESORT & CASINO

I 125+ MICROSOFT AND

Exciting Announcements: INDUSTRY EXPERTS

I 200+ IN-DEPTH SESSIONS
Be among the first to get the BONUS:
I UNPARALLELED WORKSHOPS Book 3 nights
insiders scoop on the products
I EXCITING ANNOUNCEMENTS by August 1st at
and technology you rely on! Mandalay Bay
Hot Trends in Software and receive a
As a DevConnections attendee, you and $100 Mandalay
I CLOUD COMPUTING
Bay certificate!
your colleagues can attend all of the
I SILVERLIGHT (based on a 3-night
Connections shows, and cross between minimum stay)
I BONUS MOBILE TRACK
all of the sessions, at the same time for
I WINDOWS 7
the same price.
I ENERGYNET

* REGISTER BY AUGUST 1ST to receive the “special” room rate of $149 @ MANDALAY BAY

CHECK WEBSITE FOR DESCRIPTIONS OF SESSIONS AND WORKSHOPS

www.DevConnections.com • 800.438.6720 • 203.268.3204 • Register Today!

 federated identity service, which works just as well with HTTP (and
therefore REST) as it does with SOAP-based services.
What about transactions?
Here is another area in which SOAP and WS-* have explicit
support for an “advanced” feature and REST has none. WS-Atomic
Transactions supports distributed, two-phase commit transactional
semantics over SOAP-based services. REST has no support for
distributed transactions.
Generally speaking, if you want something like transactions in a
RESTful system, you create a new resource. (Creating a new resource
whenever you run into a problem with a RESTful system generally
solves most problems.) You can have a resource called Transaction.
When your client needs to do something transactional (such as
transferring money between two bank accounts), the client cre-
ates a Transaction resource that specifies all the correct resources
affected (in my example, the two bank accounts) by doing a POST
to the Transaction factory URI. The client can then perform updates
by sending a PUT to the transaction URI and close the transaction
by sending a DELETE to the URI.
This, of course, requires some amount of hand-coding and explicit
control over your system, whereas the WS-Atomic Transactions system
is more automatic because (in the case of Windows Communication
Foundation) it is tied to your runtime’s plumbing.
In terms of platforms, REST has
the advantage because all you
need to use REST is an HTTP stack
(either on the client or the server).
If your system absolutely needs atomic transactional semantics
across diverse systems, WS-Atomic Transactions is probably the
way to go. Using distributed transactions in this way may or may not
be smart because it increases the coupling between the two systems
and creates potential problems if you aren’t controlling the code on
both ends. But the most important thing is to use the right tool for
the right job (once you’ve figure out what the right job is).
In defense of REST, I think it is fair to say that given today’s
distributed, service-oriented architectures, coupling two endpoints
so tightly using a distributed transaction may not be the best design.
On the other hand, some situations call for this type of functionality,
and if you need it, use SOAP and WS-Atomic Transactions.
What about interoperability? Isn’t SOAP supposed
to be about interoperability? Isn’t SOAP more
interoperable than REST?
If you define interoperability as the technical ability to commu-
nicate between two divergent endpoints, I assert that REST wins
the interoperability battle hands down.
82 msdn magazine
Since one of the driving points behind creating the SOAP
specification was to create an interoperable way to communicate
between different platforms and different languages, many people
are surprised by this assertion. But a funny thing happened on the
way to widespread interoperability: the WS-* specifications (and
vendors’ implementations of said specifications) made SOAP services
less interoperable rather than more interoperable.
The problem in the SOAP and WS-* arena is the large number
of different standards (and versions of each of those standards) to
choose from. And when a particular vendor chooses to implement
a particular standard, that vendor often provides an implemen-
tation that is just slightly different from another vendor’s (or all
others). This leads to problems whenever you have to cross vendor
boundaries (languages and operating system).
Of course, even to use SOAP you need a SOAP toolkit on your
platform, which most (but not all) platforms have today. And then
you have to deal with myriad WS-* specifications and figure out
which to use (or not to use) and how that affects interoperability.
To be honest, it’s kind of a mess out there.
In terms of platforms, REST has the advantage because all you
need to use REST is an HTTP stack (either on the client or the
server). Since almost every platform and device has that today, I
would argue that REST has the widest interoperability. Given that
mobile devices, household devices, POS devices, DVD players, and
TVs all have Internet connectivity, there are more and more plat-
forms for which having a full SOAP toolkit is impossible or unlikely.
And even if you do have a SOAP toolkit for a particular platform,
the chance of it working with another platform’s implementation
is not %.
But what about metadata? So what if REST is so
interoperable—there’s no WSDL with REST, and
without WSDL, I can’t generate a client-side proxy
to call a service. REST is hard to use.
It’s true that in the world of REST, there is no direct support for
generating a client from server-side-generated metadata, as there
is in the world of SOAP with Web Service Description Language
(WSDL). A couple of efforts are being made to get such support
into REST, one being a parallel specification, known as WADL
(Web Application Description Language). The other is a push to use
WSDL . to describe RESTful endpoints. I often say that REST is
simple, but simple doesn’t always mean easy. SOAP is easy (because
of WSDL), but easy doesn’t always mean simple.
Yes, using WSDL makes generating a proxy for a SOAP-based
service easier than writing the code to call a RESTful service. But
once you generate that proxy, you still have to learn the API. Noth-
ing in the WSDL tells you which method to call first or second or
whether you need to call the methods in any particular order at all.
These are all things you need to figure out after you generate the
proxy and are prototyping the code to use the service.
Building a client against a RESTful service means you are learn-
ing the service and how it works as you build the client. Once
you have finished, you have a complete understanding of the
Service Station
service, its resources, and the interaction you can have with those
resources. To me, this is a big benefit. Since RESTful services follow
the constraints of REST (at least they are supposed to), there is a
convention that you can easily follow as you determine the different
parts of the service.
Also, out in the wilds of developer-land, most services are wrapped
in something often called a "service agent," which is another layer
of indirection to protect clients from changes in the service layer.
This may be needed in either REST or SOAP.
Another point is that metadata-generated proxies are part of
what SOAP was meant to get away from in the RPC era, namely
local-remote transparency. The concept of having an API on the
client that matches the API on the server was considered to be a bad
idea, but that’s exactly what happens in most SOAP-based services.
Having a metadata-generated proxy in REST also reduces the chances
of taking advantage of hyperlinking. Using hypertext as the engine
of application state (HATEOAS) is one of the constraints of REST,
and using it requires a more loosely coupled client API.
The last point I’ll make is that as support for REST becomes
more ubiquitous, building clients will get easier and easier. If
you look at the Windows Communication Foundation (WCF)
REST starter kit ( codeplex.com/aspnet/Wiki/View.aspx?title=WCF%20
REST), it includes facilities that head in this direction. The new
HttpClient API makes using HTTP much easier than using the
.NET WebRequest/WebResponse API. Also, there is a new Paste
as XML Serializable tool, which allows you to copy a piece of XML
(say from the documentation of a RESTful endpoint) and generate
a .NET type that can represent that XML instance in your appli-
cation. This is similar to what the WCF tools do automatically
for the whole service with WSDL. Over time, these tools will
become much more sophisticated, further simplifying the client
experience in WCF when using RESTful services.
What if I want to use a transport other than HTTP?
The common (somewhat sarcastic) answer from the REST
community here is, “Go ahead, there isn’t anything stopping you.”
Realistically, however, REST is currently tied to HTTP, if only
because most developers and teams of developers do not have the
time for the engineering effort necessary to get the semantics of
REST to work over, say, TCP/IP.
The common answer is technically correct, because nothing is
stopping you from implementing the concepts of REST over other
protocols, but until vendors add support for this, I find it a dubious
proposition for most.
After all that information, aren’t you telling me
that REST is good for Internet-facing applications,
and SOAP for enterprise applications?
If you’ve read the rest of this column, you can probably imagine
that I think this statement is generalized and false. Often I hear this
sentiment after discussing the lack of explicit distributed transac-
tion support in REST versus the explicit support in WS-Atomic
Transactions. My retort is generally something like "Well, ASP.NET
msdnmagazine.com
doesn’t have support for distributed transactions, but does that
mean ASP.NET isn’t useful for enterprises?"
My point is that not every technology solves every problem,
and there are plenty of technologies that don’t support the typical
features people think of when they think of enterprises but that are
incredibly helpful for enterprises nonetheless.
Having a metadata-generated
proxy in REST also reduces the
chances of taking advantage of
hyperlinking. Using hypertext as
the engine of application state is
one of the constraints of REST.
In fact, when I think of enterprise applications, I often think of
speed and scalability—scalability being one of the main differences
between REST and SOAP. SOAP services are much harder to scale
than RESTful services, which is, of course, one of the reasons that
REST is often chosen as the architecture for services that are exposed
via the Internet (like Facebook, MySpace, Twitter, and so on).
Inside enterprises, applications also often need to scale as well.
Using REST means that you can take advantage of HTTP caching
and other features, like Conditional GET, that aid in scaling services.
Many of these techniques can’t be used with SOAP because SOAP
uses POST only over HTTP.
Bottom Line
I hope that after you read this column, you’ll think that the
answer to “Which is better, REST or SOAP?” is “It depends.” Both
the REST architectural style and SOAP and the WS-* protocols
have advantages and disadvantages when it comes to building
services. Those of us in the RESTafarian camp (yes, I must give
full disclosure here: I am definitely in that camp) believe that for
most service situations, REST provides more benefits than SOAP
or WS-*. On the other hand, SOAP and WS-* have some features
that are easy (and possible) to implement using REST. When you
need those specific features, you definitely want to use runtimes
and toolkits that can provide those features. Although this col-
umn wasn’t specifically about WCF, one nice feature of adopting
WCF is that it supports both REST and SOAP/WS-*. Moving back
and forth between the two worlds becomes easier if you have one
programming and runtime model to learn. „
JON FLANDERS is an independent consultant, speaker, and trainer for Pluralsight.
He specializes in BizTalk Server, Windows Workflow Foundation, and Windows
Communication Foundation. You can contact Jon at masteringbiztalk.com/
blogs/jon.
July 2009 83
NEED TO HIRE DEVELOPERS?

WE HAVE OVER 6 MILLION OF THEM.

JOBS.CODEPROJECT.COM
Posting your job vacancies on jobs.codeproject.com
is the most cost effective way of reaching millions
of skilled developers, managers, and architects.
Try us today and get results.
Post your job descriptions now.
jobs.codeproject.com

New: product catalog, code-signing certificates!

K. SCOTT ALLEN
Guiding Principles for Your
ASP.NET MVC Applications
Although the release of Microsoft ASP.NET MVC
. is relatively recent, many of the patterns and
These principles
principles surrounding the framework have been
around for a long time. The Model View Controller
are not rules,
(MVC) pattern itself was passed down by Smalltalk
developers from the s, and is in use in a variety
but ideals and
of frameworks and across a wide range of languages
and diverse platforms. Thus, we can learn a lot about
values that help
how to make the best use of the framework just by
looking around our software ecosystem.
you build great
In this article, I want to lay out some principles you
should follow when working with the ASP.NET MVC
ASP.NET MVC
framework. These principles are not rules, but ideals
and values you should cherish and keep in the forefront
applications.
of your mind when building ASP.NET MVC applica-
tions that need to survive and evolve beyond a single release.
Simplicity Through Separation
When I was a young boy, I used to love jigsaw puzzles. It was
a marvelous feeling to build simple scenes, like the picture of an
apple, from a collection of complex and irregularly shaped puzzle
pieces. This love of complexity is a virus I fight on a daily basis as
a software developer.
As developers, we want to work in the opposite direction of the
jigsaw puzzle. Instead of making the simple things complex, we
should strive to make complex things simple. Many of the tech-
nologies around us are in place to help us move toward simplicity;
we just have to make effective use of the technologies.
Let’s take CSS and HTML as examples, because these are two
technologies that every Web developer should be familiar with. If
I want to draw a user’s attention to required questions they failed
to answer on my Web pages, then I might change the background
color of the failed questions to red. I could do this by specifying
the color red as a style on each failed question, or I could create
a CSS rule specifying the color red and point any failed question
elements to this style rule.
Although the CSS solution might require a little more work–
because I write both CSS and HTML instead of just HTML–in
the end it will prove itself a simpler solution. Using a CSS rule
removes duplicate style information from my application, and I
can easily change the color of all failed questions by modifying a
single style rule. The CSS approach also allows me to create a rule
EXTREME ASP.NET
whose name reveals its intended usage, e.g., failed-
Validation is a piece of code that gives me more in-
formation than reading #FF. These qualities
of the CSS approach make the application easier to
maintain and change, which is the simplicity we are
striving to achieve.
Using CSS in combination with HTML exhibits
another characteristic of simplicity, which is how CSS
and HTML can have separate and distinct respon-
sibilities. HTML becomes responsible for only the
structure of a Web page, and CSS becomes respon-
sible for the look of a Web page. This separation of
responsibilities, or “separation of concerns,” is an im-
mensely powerful weapon in the battle against soft-
ware complexity. Have you ever gone in to modify
an object that represents a Web page only to find it is responsible
for data access, data binding, business rule validation and coloring
the background of a failed input field red? Was it easy to modify
the object? Was it easy to focus on the one change request you had
to implement inside this complex puzzle of logic?
The MVC design pattern has proved itself successful over time in
part because the pattern forces a separation of responsibilities. This
allows us to focus on specific tasks, hide our implementation details
and make changes that don’t interfere with other components. In
MVC, for example, the view component is only responsible for pre-
senting data. When inside the view, we can focus on presentation
and not worry about where data originates. We can make changes
to the view without worrying about data access code.
With the goal of simplicity through separation in mind, let’s
look at specific guidance on each of the three components in the
model-view-controller pattern.
Trouble-Free Controllers
In an MVC pattern, controllers are in the middle of the action.
Controllers handle incoming requests, interact with the model and
select views for rendering. Because of their position, controllers
can be difficult to implement while maintaining a separation of
concerns. You have to remain diligent and not let your controllers
become the centerpieces of your application logic.
Send your questions and comments to xtrmasp@microsoft.com
July 2009 85
 As an example, I want to call out a contrast in two different ver-
sions of Oxite. Oxite is an open source content management sys-
tem and blog engine built with the ASP.NET MVC framework and
hosted on CodePlex at codeplex.com/oxite/. In an early version of Oxite
(circa December ), the controller action responsible for saving
a blog post was  lines of C# code. The action was responsible for
validating the post, managing the relationship between a post and
its tags, managing the relationship between a post and its parent,
deciding if a post is new or an edited version of an existing post
and saving the post to a repository. Contrast your mental image of
this code with the current version, as shown in Figure 1.
It is obvious that the Oxite team has spent some time refactor-
ing this controller action. All of the validation logic and relation-
ship management hides behind an IPostService object, leaving the
controller free to focus on its role as a mediator in the request. A
good rule of thumb for a controller action is that once an action
method exceeds  to  lines of code, you should consider refac-
toring to produce a simpler action method. You’ll often find that
the extra lines of code in the action represent business logic that
would lead a happier life inside your business objects.
Controllers and Security
While our primary focus is on simplicity, I’d be amiss if I didn’t
introduce some important security-related principles for con-
trollers. First, the controller must play a role in avoiding a Cross-
site Request Forgery (CSRF). Phil Haack, program manager of
the ASP.NET team, recently blogged on this topic at haacked.com/
archive/2009/04/02/anatomy-of-csrf-attack.aspx. He detailed how the con-
troller and view can work together to avoid an attack. To summarize
Phil’s post: Whenever you have actions that authenticated users can
invoke, then you should have the view render an antiforgery token
to the client, and have the controller action validate this token by
applying the ValidateAntiForgeryToken attribute. This solution is
simple to implement, but you have to remember to put these safe-
guards in place.
Second, controllers should make use of the AcceptVerbs attri-
bute to restrict certain actions to the operations of HTTP POST.
A controller action that modifies data, like ultimately deleting an
Order from the Orders table, should allow itself to execute only
Figure 1 Controller Action
[ActionName("ItemEdit"), AcceptVerbs(HttpVerbs.Post)]
public virtual object SaveEdit(PostAddress postAddress, Post postInput)
{ HTML Helpers
Post post = postService.GetPost(postAddress);
ValidationStateDictionary validationState;
postService.EditPost(post, postInput, out validationState);
if (!validationState.IsValid)
{
ModelState.AddModelErrors(validationState);
return Edit(postAddress);
}
return Redirect(Url.Post(postInput));
}
86 msdn magazine
during an HTTP POST operation and never during an HTTP
GET operation. With an HTTP GET operation, the parameters
required for the action live in the URL. This means that a mali-
cious user could send you an e-mail with an image, and point the
source of the image to a URL that can delete records. You don’t
need to push any buttons. You only have to view the image to de-
lete a record. Stephen Walther includes some more details on this
scenario in his blog post, “Don’t use Delete Links because they cre-
ate Security Holes” (stephenwalther.com/blog/archive/2009/01/21/asp.net-
mvc-tip-46-ndash-donrsquot-use-delete-links-because.aspx).
Plain Views
Views have a clear role when using the MVC design pattern on
the Web. They present the model to the user. However, what does
“present” mean in this context? Presentation could involve HTML,
JavaScript, CSS, JSON, XML, and a heavy dose of server-side
code. Views run the risk of becoming complicated with the many
modes of presentation. Your job is to keep the views as simple as
possible–not only because the view will be easier to maintain, but
also because it is the hardest component to test. One of the biggest
complexity risks in a view is to turn it into “tag soup.”
“Tag soup” is a programmer’s term for HTML that is difficult for
the programmer to read and maintain, and possibly even difficult
for the Web browser to parse. You look at the source code and it
looks like soup–the chef stirred all the ingredients together into
an illegible sea of broth.
Avoiding tag soup can be as easy as making sure the HTML in
a Web form view is both well formed and well formatted. Both of
these steps are easy to achieve in Microsoft Visual Studio, which
highlights malformed HTML and gives you the option to format
HTML (Ctrl K + Ctrl +D is the shortcut to format an entire docu-
ment). However, there are additional challenges in Web form views,
as demonstrated in the code below.
<% if ((bool)ViewData["isLoggedIn"])
{ %>
<img src="<%= ViewData["loggedInImage"] %>" />
<% }
else
{%>
<img src="<%= ViewData["anonymousImage"] %>"
onclick="login();" />
<% }%>
This code is an ugly amalgamation of HTML, C#, JavaScript and
string literals. There are, however, a few guidelines we can follow
to avoid such code.
HTML helpers are extension methods that you can use inside a
view to encapsulate the creation of HTML and hide some simple
presentation logic. In the above code, we have an IF condition that
complicates the view. We also have image tags that are complicated
by including server-side code inside the attributes. Rob Conery
of Microsoft lives by a rule that he explains in his post, “ASP.NET
MVC: Avoiding Tag Soup” (blog.wekeroad.com/blog/asp-net-mvc-avoiding-
tag-soup/). His rule is, “If there’s an IF, make a Helper.” He then goes
on to show the implementation of an HTML helper to build for a
pager that displays links to navigate a paged list of items.
Extreme ASP.NET
 HTML helpers can also help you avoid the ugly intermixing of
server-side code and HTML. Fortunately, the MVC framework
includes a number of helpers. You can find more of them in the
MVC Futures project (codeplex.com/aspnet/) and in the MVC Con-
trib project (MVCContrib.org). Make sure to download both to look
at the helpers available in these libraries. Some of them are spe-
cifically designed to work with strongly typed models, which is
our next topic.
Strong Typing
You can put views into one of two categories: those that use the
ViewData dictionary and those that use strong typing. Views that
use the ViewData dictionary derive from System.Web.Mvc.View-
Page. Our tag soup example uses this approach. Strongly typed
view pages derive from System.Web.Mvc.ViewPage<T>, where T
is a generic parameter to specify the type of the model. I recom-
mend you use strong typing.
Strong typing means your view knows exactly the type of model
you expect it to work with. You don’t have to guess at the magic string
required to pull a particular piece of information from the ViewData
$(function() {
$("#loginImage").click(login);
}
Partial Views
Another technique you can use to manage the complexity of
views is partial views. Partial views in the Web forms view engine
are user control files with a .ascx extension. Just like in ASP.NET
Web forms, we can use partial views to encapsulate HTML and
code that we might want to reuse across multiple views (like a log-
in display). We can also use partials to break down a complicated
view into smaller pieces.
We can strongly type partial views by deriving from System.Web.
Mvc.ViewUserControl<T>. The add new view wizard in an MVC
application allows you to select a checkbox to choose between a
view and a partial view, and also allows you to select the strongly
typed model (see Figure 2). There is also an HTML helper avail-
able (RenderPartial) in the framework to make the job of using a
partial view easy:
<% Html.RenderPartial("_LoginStatus"); %>
Views and Logic

dictionary. Instead, you can just use code like Model.Username
and have IntelliSense aid you in the quest for data. In addition,
by running the aspnet_compiler, you can catch any errors that
you might have made when accessing the model. When you add
a new view to an MVC project, the add view wizard makes it easy
to select a strongly typed model, so you shouldn’t have problems
in the setup. In general, you’ll find that removing magic string lit-
erals and relying on strongly typed views will help you maintain
your software in the long run.
To paraphrase Albert Einstein, views should be as simple as pos-
sible, but not simpler. Views that contain any business logic or data
access logic violate the spirit of the MVC design pattern and the
principle of least surprise. No one familiar with the MVC pattern
will expect to find business logic lurking inside a view.
Although the Web forms view engine allows you to create an
associated code-behind file for a view, doing so will reduce any
benefits you might have otherwise obtained by using MVC. Code-
behind can only encourage the practice of putting more logic into a

Unobtrusive JavaScript
We know that CSS and HTML can work together to separate the
structure of a view from the visual presentation of the view in the
browser. I strongly encourage you to use CSS as a tool to maintain
this separation. However, modern Web pages have three primary
concerns: structure, presentation and behavior. JavaScript imple-
ments this behavior. Including JavaScript in your view can be just
as disruptive as including excessive amounts of style information
and server-side code. Pages rich with JavaScript behavior demand
a separation of structure from behavior so you can focus on the
pieces independently.
Unobtrusive JavaScript is the practice of removing all signs of
JavaScript from a view and placing any JavaScript you need into
an external .js file. Unobtrusive JavaScript means you do not have
any JavaScript functions defined in the view, and you do not have
any on-click attributes, including JavaScript code in your HTML.
Libraries like jQuery and Microsoft’s ASP.NET AJAX libraries make
it easy to reach into a page and wire up your events from the out-
side. All you need to do is add a <link> tag in your view to include
the external .js file with your view behaviors.
As an example, the following jQuery code will run after the view
renders on the client to wire up the click event of an element with an
ID of “loginImage” to a JavaScript function by the name of “login.”
No on-click attribute required! Figure 2 Add View Wizard
msdnmagazine.com July 2009 87
 view and, even worse, can introduce the traditional ASP.NET page
life-cycle events to a view. Page life-cycle events are one feature of
ASP.NET that the MVC framework tries very hard to hide.
Views and Security
One word on security for views: Make sure you protect your
application from cross-site scripting attacks (XSS) by HTML
encoding output in a view. XSS attacks are enormously popular
these days because they are relatively easy to execute. Although
not all output technically needs encoding, I suggest you err on the
side of safety and encode everything by default. Fortunately, there
is already an HTML helper available for HTML encoding:
<%= Html.Encode(Model.Message) %>
In addition, ASP.NET will validate incoming requests by default.
This request validation feature will look for requests containing un-
encoded HTML input. If ASP.NET finds such a request, it will throw
an exception before the request reaches a controller. In some cases,
you may find you need to turn this feature off so you can accept
HTML from the user. You can turn it off on a controller action by
using the ValidateRequest attribute, but be careful with the input
that arrives. The people behind XSS attacks have become excep-
tionally clever at hiding malicious input inside of requests.
Big Models
At last we’ve reached a place where we aren’t building simple
pieces of software, right? Doesn’t the model represent our business
logic with rich behaviors and complex rules?
It depends.
Technically, the model that the controller hands over to a view
doesn’t need any behavior or rules, because the view shouldn’t be
using any of these rules or behaviors in the model, if they exist.
The view only wants to pick out data from the model to present
to the user. Thus, even though you can use your business objects
as the models for your views, many developers follow the guid-
ance of creating view-specific models. We also call these types of
models ViewModels.
ViewModels are simple data transfer objects–they contain
all state but no behavior of any significance. In other words,
you’ll implement lots of properties on your ViewModels but no
methods. ViewModels have the pleasant effect of giving a view
exactly the data that it needs to present–no more and no less.
While you optimize the design of your business objects for your
business logic, you optimize the design of your ViewModels for
your views.
Even when you do want to consume business objects from your
view, many times you will struggle to introduce functionality that
your business layer doesn’t require. For example, suppose you need to
88 msdn magazine
list the patients in a hospital and include some aggregate calculations
on their length of stay, such as minimums, maximums, averages and
standard deviations. If your business logic never makes use of this
information, you’ll find it only clutters your logic with complexity.
Remember, our goal is simplicity through separation.
ViewModels help you gain
simplicity through separation.
ViewModels are the ideal abstraction to separate and isolate the
model that your view requires from the model that your business
requires. ViewModels introduce some additional work into your
project, because you’ll need to define additional classes to repre-
sent the ViewModels and map information into the ViewModel
properties. However, this additional work can reap tremendous
benefits because you are free to change your business logic without
breaking the presentation layer, and vice versa. Also, you don’t nec-
essarily need a ViewModel class for each view. It’s quite common
to share a ViewModel class among related views.
Unit Tests
In this article, we’ve stressed simplicity. The MVC design pattern
can guide us toward simplicity, but we still need to follow some prin-
ciples. We also need to keep an eye out for places where complexity
is creeping into our software. A good technique to discover com-
plexity is to write unit tests. Unit tests not only help you maintain
the quality of your software, but can also help you spot problems
in a design (see Jeremy Miller’s article on designing for testability
at msdn.microsoft.com/en-us/magazine/dd263069.aspx).
Perhaps you’ve been reading this article as a longtime Web
forms programmer who never felt comfortable writing unit tests.
It’s possible you found unit tests too difficult to implement in the
ASP.NET Web forms environment. This is your chance to start!
The ASP.NET MVC team designed the framework with testabil-
ity in mind. Start simple and let your unit testing experience grow.
Eventually, you should find that unit tests are yet another weapon
in the battle against the ever-growing complexity of software. „
K. SCOTT ALLEN is a member of the Pluralsight technical staff and founder of
OdeToCode. You can reach Scott at scott@OdeToCode.com or read his blog at
odetocode.com/blogs/scott.
Extreme ASP.NET
 WICKED CODE
Taking Silverlight Deep Zoom
to the Next Level
After Silverlight Deep Zoom was introduced to the world at MIX
, the buzz surrounding it persisted for weeks. An outgrowth of
the Seadragon project at Microsoft Live Labs (livelabs.com/seadragon),
Deep Zoom is a Silverlight adaptation of a technology for presenting
vast amounts of pictorial data to users in a highly bandwidth-efficient
manner. Sister adaptations that target Windows Mobile and AJAX
are available and serve to increase the reach of the platform.
If you haven’t seen Deep Zoom before, drop what you’re doing
and visit the canonical Deep Zoom site at memorabilia.hardrock.com.
Use the mouse to pan around in the scene and the mouse wheel to
zoom in and out. Thanks to Deep Zoom, you don’t have to down-
load gigabytes (or terabytes) of imagery to browse the Hard Rock
Café’s vast memorabilia collection. Deep Zoom downloads only
the pixels it needs at the resolution it needs, and in Silverlight, the
complexity of Deep Zoom is masked behind a remarkable control
named MultiScaleImage. Once a Deep Zoom scene is composed
(typically with Deep Zoom Composer, which you can download
for free from go.microsoft.com/fwlink/?LinkId=148861), presenting the
scene in a browser requires little more than declaring a Multi-
ScaleImage control and pointing the control’s Source property to
Deep Zoom Composer’s output. Supporting interactive panning
and zooming requires a little mouse-handling code that interacts
with the control, but these days Deep Zoom Composer will even
provide that for you.
Despite the ease with which a basic Deep Zoom application can
be built, you’re missing out on the true richness of Deep Zoom
if you go no further than Deep Zoom Composer takes you. Did
you know, for example, that you can programmatically manipu-
late the images in a Deep Zoom scene, that you can create meta-
data and associate it with each image, or that Deep Zoom images
can come from a database or be composed on the fly? Some of
the truly remarkable Deep Zoom applications out there rely on a
little-known feature of Deep Zoom that adds a whole new dimen-
sion to the platform.
If you care to take Silverlight Deep Zoom to the next level, here
are three ways to do just that.
Fixing Composer’s Panning Logic
First things first: if you want to get more out of Deep Zoom,
the first thing you should know is not to trust the mouse-han-
dling code emitted by Deep Zoom Composer. The code that pans
around the scene in response to MouseMove events “loses” the
90 msdn magazine
JEFF PROSISE
mouse if you pan too quickly. Try it. Take any Deep Zoom app
created by Deep Zoom Composer and position the mouse cur-
sor over an identifiable point or pixel in the scene. Then move
the mouse quickly back and forth and up and down a few times.
Observe that when you stop and the scene springs back to the
cursor position, the cursor is no longer located at the point it was
when you started. The more and faster you move, the greater the
difference. It’s not a deal breaker, but try the same experiment on
the Hard Rock Memorabilia site and you’ll find that the scene
reliably snaps back to the original cursor position no matter how
hard you try to fool it.
Figure 1 shows how to modify Deep Zoom Composer’s code to
fix the problem. First, declare two new fields named lastViewpor-
tOrigin and lastMousePosition in the Page class in Page.xaml.cs.
(While you’re at it, delete the fields named dragOffset and current-
Position, because they’re not needed.) Then rewrite the MouseLeft-
ButtonDown and MouseMove handlers as shown. You’ll find that
Figure 1 Fixing Deep Zoom Composer’s Panning Code
Point lastViewportOrigin;
Point lastMousePosition;
...
this.MouseLeftButtonDown += delegate(object sender, MouseButtonEventArgs
e)
{
mouseButtonPressed = true;
mouseIsDragging = false;
lastViewportOrigin = msi.ViewportOrigin;
lastMousePosition = e.GetPosition(msi);
};
this.MouseMove += delegate(object sender, MouseEventArgs e)
{
if (mouseIsDragging)
{
Point pos = e.GetPosition(msi);
Point origin = lastViewportOrigin;
origin.X += (lastMousePosition.X - pos.X) /
msi.ActualWidth * msi.ViewportWidth;
origin.Y += (lastMousePosition.Y - pos.Y) /
msi.ActualWidth * msi.ViewportWidth;
msi.ViewportOrigin = lastViewportOrigin = origin;
lastMousePosition = pos;
}
};
Send your questions and comments for Jeff to wicked@microsoft.com.
Code download available at code.msdn.microsoft.com/mag200907DeepZoom.
the scene snaps back to precisely the original cursor position when
you stop moving the mouse, and if you’re as fastidious as I am about
these things, you’ll be able to sleep at night once more.
Accessing Sub-Images and Metadata
You may have noticed that when you export a project from
Deep Zoom Composer, you’re offered the choice of exporting as
a composition or as a collection The latter option comes with one
very desirable benefit: rather than exporting a Deep Zoom scene
containing all the images you added lumped together into one
monolithic image, it exports a scene containing individually ad-
dressable sub-images. The sub-images are exposed through the
MultiScaleImage control’s SubImages property, and because they
are individually addressable objects, the sub-images can be ma-
nipulated, animated, and fumigated (just kidding!) to add sparkle
and interactivity to Deep Zoom applications.
Each item in the SubImages collection is an instance of Multi-
ScaleSubImage, which derives from DependencyObject and includes
the properties AspectRatio, Opacity, ZIndex, ViewportOrigin, and
ViewportWidth. The latter two combine to determine a sub-image’s
size and position in a Deep Zoom scene. Be aware that when a
MultiScaleImage control first loads, its SubImages property is empty.
Your first opportunity to iterate over the sub-images is when the
control fires its ImageOpenSucceeded event.
One use for the SubImages property is to hit-test individual
images in order to display metadata—titles, descriptions, and so
forth—in response to clicks or mouseovers. Another use for it is
to programmatically rearrange the images in a Deep Zoom scene.
The DeepZoomTravelDemo application shown in Figure 2 dem-
onstrates how to do both. When you position the mouse over one
of the images in the scene, a partially transparent information panel
appears on the right containing an image title and description. And
when you click the Shuffle button in the upper left corner, the im-
ages rearrange themselves in random order.
Figure 2 DeepZoomTravelDemo
msdnmagazine.com
The nine images featured in DeepZoomTravelDemo are photos I
snapped on some of my overseas trips. I imported them into Deep
Zoom Composer, arranged them in a grid, and exported the scene
(making sure to select “Export as Collection”). Then I imported the
output from Deep Zoom Composer into a Silverlight project and
added zooming and panning logic similar to that in the preced-
ing section. To keep the download size manageable (MB versus
MB), I deleted the bottom two layers of the image pyramid
that Composer generated before I uploaded the app to the MSDN
Code Gallery. The version that you download works just fine, but
when you zoom, the images get grainy a lot quicker than they do
in the original version.
Displaying image metadata as DeepZoomTravelDemo does pres-
ents two challenges to the developer. First, where do you store the
metadata, and how do you associate it with images in the scene?
Second, how do you correlate the items in the MultiScaleImage
control’s SubImages collection with images in the scene since
the MultiScaleSubImage class provides no information relating
the two?
The first task—storing the metadata—is accomplished by enter-
ing a text string into the Tag box displayed in the lower right cor-
ner of Deep Zoom Composer when an image is selected. I used it
to store each image’s title and description, separated by plus signs.
Composer writes the tags to the Metadata.xml file created when
you export the project. Each image in the scene is represented by
an <Image> element in Metadata.xml, and each <Image> element
contains a sub-element named <Tag> that contains the correspond-
ing tag. Figure 3 shows the <Image> element written into Metadata.
xml for the image in the upper left corner of the scene. Composer’s
tag editing interface is somewhat clumsy since the Tag box is so
small, but you can always edit the Metadata.xml file manually as I
did to tag each image with a title and description.
It would be great if the MultiScaleSubImage class had a Tag
property that was automatically initialized with the content of the
<Tag> element; but it doesn’t, so you have to improvise. First, you
can write a bit of code that downloads Metadata.xml and parses
the tags from it. Second, you can use the <ZOrder> elements in
Metadata.xml to correlate <Image> elements with images in the
Figure 3 An <Image> Element in Metadata.xml
<Image>
<FileName>
C:\Users\Jeff\Documents\Expression\Deep Zoom Composer
Projects\DeepZoomTravelDemo\source images\great wall of china.jpg
</FileName>
<x>0</x>
<y>0</y>
<Width>0.316957210776545</Width>
<Height>0.313807531380753</Height>
<ZOrder>1</ZOrder>
<Tag>
Great Wall of China+The Great Wall of China near Badaling, about an
hour
north of Beijing. This portion of the Great Wall has been restored
and
offers outstanding views of the surrounding mountains.
</Tag>
</Image>
July 2009 91
 Deep Zoom scene. If the scene contains nine images (and the
MultiScaleImage control’s SubImages collection therefore contains
nine MultiScaleSubImage objects), SubImages[] corresponds to
the image whose <ZOrder> is , SubImages[] corresponds to the
image whose <ZOrder> is , and so on.
DeepZoomTravelDemo uses this correlation to store image titles
and descriptions. At startup, the Page constructor uses a WebCli-
ent object to initiate an asynchronous download of Metadata.xml
from the server’s ClientBin folder (see Figure 4). When the down-
load is complete, the WebClient_OpenReadCompleted method
parses the downloaded XML with an XmlReader and initializes
the field named _Metadata with an array of SubImageInfo objects
containing information about the images in the scene, including
titles and descriptions. The class is shown here:
public class SubImageInfo
{
public string Caption { get; set; }
public string Description { get; set; }
public int Index { get; set; }
} order since the final sub-image in the MultiScaleimage control’s
The <ZOrder> values read from Metadata.xml are used to or-
der the SubImageInfo objects in the _Metadata array, ensuring
that the order of the items in the _Metadata array is identical to
the order of the items in MultiScaleImage’s SubImages collection.
In other words, _Metadata[] contains the title and description
for SubImages[], _Metadata[] contains the title and descrip-
tion for SubImages[], and so on. Incidentally, I used XmlReader
rather than LINQ to XML to avoid increasing the size of the XAP
Figure 4 Downloading Metadata.xml and Correlating Metadata with Sub-Images
private SubImageInfo[] _Metadata;
...
public Page()
{ reader.Name == "Image ")
InitializeComponent();
// Register mousewheel event handler
HtmlPage.Window.AttachEvent("DOMMouseScroll ", OnMouseWheelTurned);
HtmlPage.Window.AttachEvent( "onmousewheel ", OnMouseWheelTurned);
HtmlPage.Document.AttachEvent( "onmousewheel ", OnMouseWheelTurned);
// Fetch Metadata.xml from the server
WebClient wc = new WebClient();
wc.OpenReadCompleted += new
OpenReadCompletedEventHandler(WebClient_OpenReadCompleted);
wc.OpenReadAsync(new Uri( "Metadata.xml ", UriKind.Relative));
} else
private void WebClient_OpenReadCompleted(object sender,
OpenReadCompletedEventArgs e)
{ reader.Name == "Image ")
if (e.Error != null)
{ }
MessageBox.Show( "Unable to load XML metadata ");
return;
} {
// Create a collection of SubImageInfo objects from Metadata.xml
List<SubImageInfo> images = new List<SubImageInfo>();
try
{
XmlReader reader = XmlReader.Create(e.Result);
SubImageInfo info = null;
92 msdn magazine
file by introducing an extra assembly required by LINQ to XML
(System.Xml.Linq.dll).
Now that _Metadata is initialized with SubImageInfo objects
containing titles and descriptions, the next step is to write the code
to display the titles and descriptions. That happens in Figure 5.
The MouseMove handler that pans the Deep Zoom scene if the left
mouse button is down behaves differently if the left mouse button
is up: it hit-tests the scene to determine whether the cursor is cur-
rently over one of the sub-images. Hit testing is performed by the
helper method named GetSubImageIndex, which returns - if the
cursor isn’t over a sub-image or a -based image index if it is. That
index identifies both a sub-image in MutliScaleImage.SubImages
and a SubImageInfo object in _Metadata. A few lines of code cop-
ies the title and description from the SubImageInfo object to a pair
of TextBlocks and one more line of code triggers an animation that
displays the information panel if it’s not already displayed. Note
that GetSubImageIndex checks the sub-images for hits in reverse
SubImages collection is highest in the Z-order, the next-to-last
sub-image is second highest in the Z-order, and so on.
In addition to supporting mouseovers, DeepZoomTravel-
Demo lets you rearrange the images in the scene. If you haven’t
already, try clicking the Shuffle button in the upper left corner of
the scene. (In fact, click it several times; the images will assume a
different order each time.) The rearranging is performed by the
Shuffle method in Figure 6, which creates an array containing all
while (reader.Read())
{
if (reader.NodeType == XmlNodeType.Element &&
info = new SubImageInfo();
else if (reader.NodeType == XmlNodeType.Element &&
reader.Name == "ZOrder ")
info.Index = reader.ReadElementContentAsInt();
else if (reader.NodeType == XmlNodeType.Element &&
reader.Name == "Tag ")
{
string[] substrings =
reader.ReadElementContentAsString().Split(‘+');
info.Caption = substrings[0];
if (substrings.Length > 1)
info.Description = substrings[1];
info.Description = String.Empty;
}
else if (reader.NodeType == XmlNodeType.EndElement &&
images.Add(info);
}
catch (XmlException)
MessageBox.Show( "Error parsing XML metadata ");
}
// Populate the _Metadata array with ordered data
_Metadata = new SubImageInfo[images.Count];
foreach (SubImageInfo image in images)
_Metadata[image.Index - 1] = image;
}
Wicked Code
IMAGINE.
EVERYTHING
EVERYTHHIN
NG DEVELOPERS
DEVE
ELOP
PERS NEED
NE
EED
IN ONE ONLINE RESOURCE.

Introducing TotalDevPro.com
SEARCH our extensive library of products and services.
FIND everything you need for your next purchasing decision.
RANK content and join our community.

IMAGINE.
TotalDevPro.com
SEARCH. FIND. RANK.
EVERYTHING MICROSOFT DEVELOPER.

www.TotalDevPro.com SEARCH. FIND. RANK. EVERYTHING MICROSOFT DEVELOPER.

 Figure 5 Hit-Testing the Sub-Images
private int _LastIndex = -1; }
...
private void MSI_MouseMove(object sender, MouseEventArgs e) private int GetSubImageIndex(Point point)
{ {
if (_Dragging) // Hit-test each sub-image in the MultiScaleImage control to
{ determine
// If the left mouse button is down, pan the Deep Zoom scene // whether "point " lies within a sub-image
... for (int i = MSI.SubImages.Count - 1; i >= 0; i--)
} {
else MultiScaleSubImage image = MSI.SubImages[i];
{ double width = MSI.ActualWidth /
// If the left mouse button isn't down, update the infobar (MSI.ViewportWidth * image.ViewportWidth);
if (_Metadata != null) double height = MSI.ActualWidth /
{ (MSI.ViewportWidth * image.ViewportWidth * image.
int index = GetSubImageIndex(e.GetPosition(MSI)); AspectRatio);

if (index != _LastIndex) Point pos = MSI.LogicalToElementPoint(new Point(

{ -image.ViewportOrigin.X / image.ViewportWidth,
_LastIndex = index; -image.ViewportOrigin.Y / image.ViewportWidth)
);
if (index != -1) Rect rect = new Rect(pos.X, pos.Y, width, height);
{
Caption.Text = _Metadata[index].Caption;
Description.Text = _Metadata[index].Description; if (rect.Contains(point))
FadeIn.Begin(); {
} // Return the image index
else return i;
{ }
FadeOut.Begin(); }
}
} // No corresponding sub-image
} return -1;
} }

the images’ ViewportOrigins, reorders the array using a random-

number generator, and then creates a Storyboard and a series of
PointAnimations to move the sub-images to the positions con-
Figure 6 Shuffling the Sub-Images tained in the reordered array. The key here is that the MultiScalei-
private void Shuffle() mage control’s SubImages property exposes the sub-images to your
{ code, and you can modify a sub-image’s ViewportOrigin property
// Create a randomly ordered list of sub-image viewport origins
List<Point> origins = new List<Point>(); to change its position in the scene.
foreach (MultiScaleSubImage image in MSI.SubImages)
As I researched this column, I found several blog entries that
origins.Add(image.ViewportOrigin); provided helpful information. One was Jaime Rodriquez’s “Working
Random rand = new Random();
with Collections in Deep Zoom” (go.microsoft.com/fwlink/?LinkId=148862).
int count = origins.Count; Another was “Deep Zoom Composer—Filtering by Tag Sample”
for (int i = 0; i < count; i++)
(blog.kirupa.com/?p=212), which was written by a member of the Ex-
{ pression Blend team and presents a technique for filtering Deep
Point origin = origins[i];
origins.RemoveAt(i);
Zoom images based on image tags. Implementing mouseovers,
origins.Insert(rand.Next(count), origin); rearranging the images in a scene, and filtering images based on
}
tag data are but a few of the features made possible by the ability
// Create a Storyboard and animations for shuffling to address the individual sub-images in a Deep Zoom scene and
Storyboard sb = new Storyboard();
associate metadata with them.
for (int i = 0; i < count; i++)
{
PointAnimation animation = new PointAnimation();
Dynamic Deep Zoom: Supplying
animation.Duration = TimeSpan.FromMilliseconds(250); Image Pixels at Run Time
animation.To = origins[i];
Storyboard.SetTarget(animation, MSI.SubImages[i]); Deep Zoom Composer’s export feature generates all the data
Storyboard.SetTargetProperty(animation, needed by a MultiScaleImage control. That data includes an XML
new PropertyPath( "ViewportOrigin "));
sb.Children.Add(animation); file (dzc_output.xml) that references other XML files, which in
} turn reference the individual images in the scene. Composer’s
// Run the animations output also includes hundreds (sometimes thousands) of image
sb.Begin(); tiles generated from those images. The tiles form an image pyra-
}
mid, with each level of the pyramid containing a tiled version of
94 msdn magazine Wicked Code
the original image, and each level representing a different reso-
lution. The level at the top of the pyramid, for example, might
contain a single tile with a x rendition of the image. The
next level down would contain four x tiles which, put to-
gether, form a x version of the image. The next level down
would contain sixteen x tiles representing different parts
of a ,x, image, and so on. Deep Zoom Composer gener-
ates as many levels as necessary to depict the original image in
its native resolution. As a user zooms and pans in a Deep Zoom
Scene, the MultiScaleImage control is constantly firing off HTTP
requests to the server to fetch image tiles at the proper resolution.
It also does some slick blending work to smooth the transition
from one level to another.
What you probably don’t realize about the MultiScaleImage con-
trol is that it doesn’t require Deep Zoom Composer. Composer is
really just a tool for quickly and easily creating Deep Zoom projects
that incorporate scenes built from static images. As an alternative
to providing MultiScaleImage with static content, you can generate
content at run time in response to requests from MultiScaleImage
and download that content to the client.
Why would you ever need to generate Deep Zoom content at
run time? Developers ask me how to do this all the time. “Is it pos-
sible to supply image data to Deep Zoom dynamically?” Th e rea-
son is that it enables a whole new genre of Deep Zoom applications
that fetch image tiles from databases and that generate image tiles
on the fly.
Want an example? Check out the Deep Earth project at
codeplex.com/deepearth and an example of Deep Earth at work at
deepearth.soulsolutions.com.au/. Deep Earth is referred to as a mapping
control powered by the combination of Microsoft’s Silverlight 
platform and the DeepZoom (MultiScaleImage) control. In other
words, it’s a control you can drop into a Silverlight application to
expose the vast amount of geographic data available from Microsoft
Virtual Earth through a Deep Zoom front end. You can start in
outer space and zoom all the way down to your front lawn. And the
zooming is amazingly smooth, thanks to the work done behind the
scenes by MultiScaleImage and the Deep Zoom runtime.
Deep Earth isn’t driven by a bunch of XML files and image tiles
output by Deep Zoom Composer; it supplies image tiles to the
MultiScaleImage control dynamically, and it fetches image tiles
from Virtual Earth. Users of Deep Earth refer to this as “dynamic
Deep Zoom.”
Figure 7 Two Views of the Mandelbrot Set
msdnmagazine.com
The application depicted in Figure 7 demonstrates the basics
of dynamic Deep Zoom. MandelbrotDemo provides a Deep
Zoom window into the Mandelbrot set—probably the most fa-
mous fractal in the world. The Mandelbrot set is infinitely com-
plex, which means that you can zoom in forever and the level of
You can start in outer space
and zoom all the way down to
your front lawn.
detail will never decrease. Mandelbrot viewers are common in
the software world, but few are as slick as the one that uses Deep
Zoom. Try it; run MandelbrotDemo and zoom in on some of the
swirling regions at the edge of the Mandelbrot set (at the bound-
ary between black and bright colors). You can’t zoom in forever
because even a dynamic Deep Zoom scene has a finite width and
height, but the scene’s dimensions can be very, very large (up to
 pixels per side).
The first step in implementing dynamic Deep Zoom is to de-
rive from Silverlight’s MultiScaleTileSource class, which is found
in the System.Windows.Media namespace of System.Windows.
dll, and override the GetTileLayers method. Each time the Multi-
ScaleImage control needs a tile, it calls GetTileLayers. Your job is
to create an image tile and return it to the MultiScaleImage con-
trol by adding it to the IList passed in GetTileLayers’ parameter
list. Other parameters input to GetTileLayers specify the zoom
level (literally, the level of the image pyramid from which tiles are
being requested) and the X and Y position within that level of the
pyramid of the tile that is being requested. Just as X, Y, and Z val-
ues are sufficient to identify a point in D coordinate space, an
Figure 8 MultiScaleTileSource Derivative
public class MandelbrotTileSource : MultiScaleTileSource
{
private int _width; // Tile width
private int _height; // Tile height
public MandelbrotTileSource(int imageWidth, int imageHeight,
int tileWidth, int tileHeight) :
base(imageWidth, imageHeight, tileWidth, tileHeight, 0)
{
_width = tileWidth;
_height = tileHeight;
}
protected override void GetTileLayers(int level, int posx, int posy,
IList<object> sources)
{
string source = string.Format(
"http://localhost:50216/MandelbrotImageGenerator.ashx? " +
"level={0}&x={1}&y={2}&width={3}&height={4} ",
level, posx, posy, _width, _height);
sources.Add(new Uri(source, UriKind.Absolute));
}
}
July 2009 95
 Figure 9 Registering a Deep Zoom Tile Source
public Page()
{ key statement is the one that creates a MandelbrotTileSource ob-
InitializeComponent();
// Point MultiScaleImage control to dynamic tile source
MSI.Source = new MandelbrotTileSource((int)Math.Pow(2, 30),
(int)Math.Pow(2, 30), 128, 128);
// Register mousewheel event handler
HtmlPage.Window.AttachEvent( "DOMMouseScroll ", OnMouseWheelTurned);
HtmlPage.Window.AttachEvent( "onmousewheel ", OnMouseWheelTurned);
HtmlPage.Document.AttachEvent( "onmousewheel ", OnMouseWheelTurned);
}
X value, a Y value, and a level, uniquely identify an image tile in a
Deep Zoom image pyramid.
Figure 8 shows the MultiScaleTileSource-derived class featured in
MandelbrotDemo. The GetTileLayers override does little more than
submit an HTTP request for the image tile to the server. The endpoint
for the request is an HTTP handler named MandelbrotImageGenera-
tor.ashx. Before we examine the handler, however, let’s see how Man-
delbrotTileSource is wired up to a MultiScaleImage control.
Figure 9 shows an excerpt from MandelbrotDemo’s Page.xaml.cs
file—specifically, the XAML code-behind class’s constructor. The
ject and assigns a reference to it to the MultiScaleImage control’s
Source property. For static Deep Zoom, you set Source to the
URI of dzc_output.xml. For dynamic Deep Zoom, you point it
to a MultiScaleTileSource object instead. Th e MandelbrotTile-
Source object created here specifies that the image being served
up measures  pixels on each side and is divided into x-
pixel tiles.
The work of generating the image tiles is performed by Mandel-
brotImageGenerator.ashx back on the server (see Figure 10). Af-
ter retrieving input parameters from the query string, it creates a
bitmap depicting the requested tile and writes the image bits into
the HTTP response. DrawMandelbrotTile does the pixel genera-
tion. When called, it converts the X-Y-level value identifying the
image tile that was requested into coordinates in the complex plane
(a mathematical plane in which real numbers are graphed along
the X axis and imaginary numbers—numbers that incorporate the
square root of -—are graphed along the Y axis). Then it iterates

Figure 10 HTTP Handler for Generating Deep Zoom Image Tiles

public class MandelbrotImageGenerator : IHttpHandler double i0 = -1.5 + (3.0 * posy / cy);
{
private const int _max = 128; // Maximum number of iterations // Compute increments for real and imaginary components
private const double _escape = 4; // Escape value squared double dr = (3.0 / cx) / (width - 1);
double di = (3.0 / cy) / (height - 1);
public void ProcessRequest(HttpContext context)
{ // Iterate by row and column checking each pixel for
// Grab input parameters // inclusion in the Mandelbrot set
int level = Int32.Parse(context.Request[ "level "]); for (int x = 0; x < width; x++)
int x = Int32.Parse(context.Request[ "x "]); {
int y = Int32.Parse(context.Request[ "y "]); double cr = r0 + (x * dr);
int width = Int32.Parse(context.Request[ "width "]);
int height = Int32.Parse(context.Request[ "height "]); for (int y = 0; y < height; y++)
{
// Generate the bitmap double ci = i0 + (y * di);
Bitmap bitmap = DrawMandelbrotTile(level, x, y, width, height); double zr = cr;
double zi = ci;
// Set the response's content type to image/jpeg int count = 0;
context.Response.ContentType = "image/jpeg ";
while (count < _max)
// Write the image to the HTTP response {
bitmap.Save(context.Response.OutputStream, ImageFormat.Jpeg); double zr2 = zr * zr;
double zi2 = zi * zi;
// Clean up and return
bitmap.Dispose (); if (zr2 + zi2 > _escape)
} {
tile.SetPixel(x, y,
public bool IsReusable ColorMapper.GetColor(count, _max));
{ break;
get { return true; } }
}
zi = ci + (2.0 * zr * zi);
private Bitmap DrawMandelbrotTile(int level, int posx, int posy, zr = cr + zr2 - zi2;
int width, int height) count++;
{ }
// Create a bitmap to represent the requested tile
Bitmap tile = new Bitmap(width, height); if (count == _max)
tile.SetPixel(x, y, Color.Black);
// Compute the number of tiles in each direction at this level }
int cx = Math.Max(1, (int)Math.Pow(2, level) / width); }
int cy = Math.Max(1, (int)Math.Pow(2, level) / height);
// Return the bitmap
// Compute starting values for real and imaginary components return tile;
// (from -2.0 - 1.5i to 1.0 + 1.5i) }
double r0 = -2.0 + (3.0 * posx / cx); }

96 msdn magazine Wicked Code

Making Dynamic Deep Zoom Even Better
I have been fascinated by fractals ever since I dis-
covered them some 20 years ago. I wrote my first Mandel-
brot viewer in the early 1990s, if memory serves me correctly.
My bookshelf of oldie-but-goodie computer books still con-
tains a pristine copy of a book titled Fractal Image Compression
by Barnsley and Hurd that I used in a research project on data
compression in the mid-90s. And one of my favorite books of all
time is Chaos by James Gleick (Penguin, 2008).
Building an interactive and visually compelling Mandelbrot view-
er for browsers is something I’ve wanted to do since the first day I
laid eyes on Silverlight. Dynamic Deep Zoom made it possible. The
downside, of course, is that the images are generated on the serv-
er and downloaded to the client, leading to unwanted latency and
through all the points in the complex plane that correspond to
pixels in the image tile, checking each point to determine whether
it belongs to the Mandelbrot set and assigning the corresponding
pixel a color representing its relationship to the Mandelbrot set
(more on this in a moment).
In theory, you could use
DeepZoomTools to build
composition tools of your own.
Sadly, there is virtually no documentation on Silverlight’s
MultiScaleTileSource class. Lest you think I’m a genius for fig-
uring all this out (anyone that knows me will attest that I am
not), let me give credit where credit is due. As I wrestled with the
meaning of the input parameters and how to map Deep Zoom
X-Y-level values to the complex plane, I found an excellent blog
post by Mike Ormond at go.microsoft.com/fwlink/?LinkId=148863. His
post provided key insights into dynamic Deep Zoom and also
referenced another blog post at warp.povusers.org/Mandelbrot/ that
describes an efficient approach to computing the Mandelbrot
set. My work was probably halved by work others had done
before me.
Figure 11 ColorMapper Class
public class ColorMapper
{ tation. Find out more about DeepZoomTools.dll at go.microsoft.com/
public static Color GetColor(int count, int max)
{
int h = max >> 1; // Divide max by 2
int q = max >> 2; // Divide max by 4
int r = (count * 255) / max;
int g = ((count % h) * 255) / h;
int b = ((count % q) * 255) / q;
return Color.FromArgb(r, g, b);
}
}
msdnmagazine.com
also increasing the load on the server.
Silverlight 2 doesn’t include an API for generating bit-
maps on the client, but you can generate them anyway us-
ing Joe Stegman’s Silverlight PNG encoder (from his blog at
go.microsoft.com/fwlink/?LinkId=148864). Minh Nguyen used
it to build Mandelbrot Explorer, which you can read all about at
his blog at
go.microsoft.com/fwlink/?LinkId=148865. Silverlight 3, which will be
in beta by the time you read this, has a bitmap API, but the problem
remains that Deep Zoom wants to pull images from the server. It is
unclear at the moment whether the next version of Deep Zoom will
have a client-side story, but if it does, you can bet that I’ll be revising
MandelbrotDemo for Silverlight 3 to work entirely on the client.
One final note on my implementation: virtually every ap-
plication that renders the Mandelbrot set uses a different
color scheme. I chose a scheme that assigns pixels represent-
ing coordinates that belong to the Mandelbrot set black, and
pixels representing coordinates outside the Mandelbrot set
RGB colors. The further a coordinate lies from the Mandel-
brot set, the “cooler” or bluer the color; the closer it lies to
the Mandelbrot set, the “hotter” the color. Distance from the
Mandelbrot set is determined by how rapidly the point escapes
to infinity. In the code here, this is the number of iterations
it takes DrawMandelbrotTile’s while loop to determine that
the point is not part of the Mandelbrot set. The fewer the it-
erations, the further the point lies from the set of points that
make up the Mandelbrot set. I factored the code that gener-
ates an RGB color value from the iteration count into a sep-
arate class named ColorMapper ( Figure 11 ). If you want to
experiment with different color schemes, simply modify the
GetColor method. You can see the results of the gray-scale
rendering by doing the following:
int val = (count * 255) / max;
return Color.FromArgb(val, val, val);
DeepZoomTools.dll
A final tidbit of information regarding Deep Zoom that you
might find useful involves an assembly named DeepZoomTools.
dll. Deep Zoom Composer uses this assembly to generate tiled im-
ages and metadata from the scenes that you build. In theory, you
could use it to build composition tools of your own. I say “in the-
ory” because there’s precious little out there in terms of documen-
fwlink/?LinkId=148866. And shoot me an e-mail if you come up with
some unique, creative uses for Deep Zoom but aren’t quite sure
how to make it do what you want it to do. „
JEFF PROSISE is a contributing editor to MSDN Magazine and the author of sev-
eral books, including Programming Microsoft .NET (Microsoft Press, ).
He’s also cofounder of Wintellect (www.wintellect.com), a software consulting
and education firm that specializes in Microsoft .NET. Have a comment on this
column? Contact Jeff at wicked@microsoft.com.
July 2009 97
 Providing the vision and
intelligence to keep you and
your company competitive
in today’s market!

Technology+Solutions=Impact

Enter:
MSDN
into the online
DevConnections Fall ‘09
discount code when
registering online NOVEMBER 9-12, 2009
before August 1st to
receive a $200 LAS VEGAS, NV • Mandalay Bay Resort & Casino
discount!

>> The first 400 paid attendees will be mailed SQL Server 2008 standard with one CAL

Exciting Announcements Be among the first to get the insiders scoop

on the products and technology you rely on!
As a DevConnections attendee,
you and your colleagues can
BONUS:
attend all of the Connections Book 3 nights
shows, and cross between all by August 1st at
of the sessions, at the same Mandalay Bay
and receive a
time for the same price. Scott Guthrie Dave Mendlen Thomas Rizzo
Microsoft Microsoft Microsoft $100 Mandalay
I 125+ MICROSOFT AND Bay certificate!
Corporate Vice Director of Director,
INDUSTRY EXPERTS President, .NET Developer SharePoint Group (based on a 3-night
minimum stay)
I 200+ IN-DEPTH SESSIONS Developer Division Marketing

* REGISTER BY AUGUST 1ST to receive the “special” room rate of $149 @ MANDALAY BAY

CHECK WEB SITE FOR DESCRIPTIONS OF SESSIONS AND WORKSHOPS

www.DevConnections.com • 800.438.6720 • 203.268.3204 • Register Today!

MyDevConnections
JUVAL LOWY FOUNDATIONS

Securing the .NET Service Bus

In my April  column, I presented the .NET Services Bus and
described how you can utilize relay bindings to connect your ap-
plication and customers across almost all network boundaries.
However, if just anyone were allowed to relay messages to your
service, or if any service could receive your client calls, the relay
service would be a dangerous proposition. You need to protect
the transfer of the message from the client to the service via the
relay service. In this column, I show you how to secure the .NET
Services Bus and also provide some helper classes and utilities to
automate many of the details.
The .NET Services Bus mandates that the service must always
authenticate itself to receive relayed messages. Clients, on the other
hand, may or may not authenticate themselves. Typically (and by
default), clients do authenticate, but the relayed service may decide
to waive the client’s .NET Services Bus authentication.
The .NET Services Bus offers three different authentication
mechanisms—CardSpace, password, or certificate—and it is up
to the solution administrator to associate these using the solution
page shown in Figure 1.
A single solution can support multiple authentication options, and
for each option the administrator can add multiple credentials. For
example, the administrator might configure three passwords, two
cards, and a single certificate. Presenting any one of these credentials
is enough to authenticate against the relay service. Also, the service
and the client can use different authentication methods. For example,
the service can use a password, and the client a certificate.
Using an endpoint behavior (as opposed to a service behavior)
provides two advantages. First, a service host can choose a dif-
ferent authentication mechanism for each endpoint. Second,
an endpoint behavior offers a unified programming model for
the client and the service because the client has only endpoint
behaviors.
CardSpace Authentication
CardSpace is the default credential type used by all relay bind-
ings. When the client or the host uses CardSpace authentication,
the user is prompted to provide a card on opening either the host
or the proxy. After the user provides the card, it is bundled in the
connection request message to the relay service. Obviously, such an
approach is best suited for interactive applications. These prompts,
however, will annoy the user if they occur every time the user opens
a new proxy or host. Fortunately, the credential is cached in the app
domain, and the user is not prompted again as long as he or she
accesses the same endpoint address.

Configuring Authentication
The enum TransportClientCredentialType, shown here, represents
the available credential options:
public enum TransportClientCredentialType
{
CardSpace,
UserNamePassword,
X509Certificate
Unauthenticated,
FederationViaCardSpace,
AutomaticRenewal
}
In TransportClientCredentialType, Client refers to a client of
the .NET Services Bus—that is, both the client and the relayed Figure 1 Configuring Solution Authentication Options
service.
The preferred authentication mechanism and the credentials Send your questions and comments to mmnet30@microsoft.com.
themselves are configured using an endpoint behavior called Code download available at code.msdn.microsoft.com/mag200907Foundations.
TransportClientEndpointBehavior, defined in Figure 2.
July 2009 99
 Figure 2 TransportClientEndpointBehavior
public class TransportClientEndpointBehavior : IEndpointBehavior
{ new TransportClientEndpointBehavior();
public TransportClientCredentials Credentials
{get;}
public TransportClientCredentialType CredentialType
{get;set;}
} MyContractClient proxy = new MyContractClient();
public class TransportClientCredentials
{
public X509CertificateCredential ClientCertificate
{get;}
public UserNamePasswordCredential UserName
{get;}
}
Password Authentication
Like CardSpace authentication, password authentication is
best suited for an interactive application, typically in conjunction
with a login dialog box. However, there is no need to prompt
the user to enter a user name because that is always the solution
name. After the user provides the password, you need to
programmatically provide the solution name and the password to the
TransportClientEndpointBehavior.
On the host side, you need to instantiate a new
TransportClientEndpointBehavior object and set the CredentialType
property to TransportClientCredentialType.UserNamePassword.
The credentials themselves are provided to the Credentials prop-
erty. You then add this behavior to every endpoint of the host that
uses the relay service, as shown in Figure 3.
You can encapsulate and automate the steps in Figure 3 by using
extension methods such as the SetServiceBusPassword methods
of my ServiceBusHelper static class, shown here:
public static class ServiceBusHelper
{
public static void SetServiceBusPassword(this ServiceHost host,
string password);
public static void SetServiceBusPassword(this ServiceHost host,
string solution,string password);
}
Using these extensions, Figure 3 is condensed to the
following:
ServiceHost host = new ServiceHost(typeof(MyService));
host.SetServiceBusPassword("MyPassword");
host.Open();
You can see an implementation of the SetServiceBusPassword
methods without error handling in the sample code that accom-
panies this article.
Figure 3 Providing the Host with the Solution Password
TransportClientEndpointBehavior behavior =
new TransportClientEndpointBehavior();
behavior.CredentialType = TransportClientCredentialType.UserNamePassword;
behavior.Credentials.UserName.UserName = "MySolution";
behavior.Credentials.UserName.Password = "MyPassword";
ServiceHost host = new ServiceHost(typeof(MyService));
foreach(ServiceEndpoint endpoint in host.Description.Endpoints)
{
endpoint.Behaviors.Add(behavior);
}
host.Open();
100 msdn magazine
Figure 4 Setting the Solution Password on the Proxy
TransportClientEndpointBehavior behavior =
behavior.CredentialType = TransportClientCredentialType.UserNamePassword;
behavior.CredentialType = TransportClientCredentialType.UserNamePassword;
behavior.Credentials.UserName.UserName = "MySolution";
behavior.Credentials.UserName.Password = "MyPassword";
proxy.Endpoint.Behaviors.Add(behavior);
proxy.MyMethod();
proxy.Close();
ServiceBusHelper defines the helper private method
SetBehavior, which accepts a collection of endpoints and assigns
a provided TransportClientEndpointBehavior object to all end-
points in the collection. The private SetServiceBusPassword helper
methods accept a collection of endpoints, the solution password,
and optionally the solution name. If the solution name is not
specified, SetServiceBusPassword extracts it from the address of
the first endpoint. SetServiceBusPassword then creates a Trans-
portClientEndpointBehavior, configures it to use the password,
and calls SetBehavior. The public SetServiceBusPassword meth-
ods simply call the private ones with the collection of endpoints
of the host.
The client needs to follow similar steps, except there is only one
endpoint to configure—the one the proxy is using, as shown in
Figure 4.
Again, you should encapsulate this repetitive code with extension
methods and offer similar support for working with class factories.
Using these extensions, Figure 4 is condensed to this code:
MyContractClient proxy = new MyContractClient();
proxy.SetServiceBusPassword("MyPassword");
proxy.MyMethod();
proxy.Close();
Figure 5 shows the implementation of two of the client-side
SetServiceBusPassword<T> extensions. Note the use of the
Figure 5 Implementing SetServiceBusPassword<T>
public static class ServiceBusHelper
{
public static void SetServiceBusPassword<T>(this ClientBase<T> proxy,
string password) where T : class
{
if(proxy.State == CommunicationState.Opened)
{
throw new InvalidOperationException("Proxy is already opened");
}
proxy.ChannelFactory.SetServiceBusPassword(password);
}
public static void SetServiceBusPassword<T>(this ChannelFactory<T> factory,
string password) where T : class
{
if(factory.State == CommunicationState.Opened)
{
throw new InvalidOperationException("Factory is already opened");
}
Collection<ServiceEndpoint> endpoints =
new Collection<ServiceEndpoint>();
endpoints.Add(factory.Endpoint);
SetServiceBusPassword(endpoints,password);
}
//More members
}
Foundations
SetServiceBusPassword helper methods by wrapping the single
endpoint the proxy has with a collection of endpoints.
Because TransportClientEndpointBehavior is just another end-
point behavior, you can also configure it in the config file. Storing
the password in a text config file, however, is highly inadvisable.
Certificate Authentication
Using a certificate to authenticate against the .NET Service Bus
is the best option for noninteractive applications, and you can set
the certificate both programmatically and in the config file.
The main hurdle in using certificates is that the certificate must
contain a private key, which entails an elaborate setup sequence by
the solution administrator. However, once the solution is configured
to use the certificate, the rest of the work is straightforward.
Both the client and the service host use identical configuration
entries, as shown in Figure 6.
To programmatically provide the certificate on the host side,
you need to follow steps similar to those shown earlier in Figure 3.
Besides setting the credentials type to TransportClientCredential-
Type.XCertificate, you need to use the SetCertificate method of
the ClientCertificate property on Credentials. Here again, you can
streamline it using host extension methods, as shown here:
public static class ServiceBusHelper
{
public static void SetServiceBusCertificate(this ServiceHost host);
public static void SetServiceBusCertificate(this ServiceHost host,
string subjectName);
public static void SetServiceBusCertificate(this ServiceHost host,
object findValue,StoreLocation location,
StoreName storeName,X509FindType findType);
//More members
} access by the client, both the service and the client must explicitly
For example:
ServiceHost host = new ServiceHost(typeof(MyService));
host.SetServiceBusCertificate("MyRelayCert");
host.Open();
SetServiceBusCertificate defaults the store to MyComputer
and the location to My, and it looks up the certificate by name.
SetServiceBusCertificate also extracts the solution name from
the host endpoints.
Figure 6 Solution Certificate in Config
<endpoint behaviorConfiguration = "RelayCert"
...
/>
...
<behaviors>
<endpointBehaviors>
<behavior name = "RelayCert">
<transportClientEndpointBehavior credentialType =
"X509Certificate">
<clientCredentials>
<clientCertificate
findValue = "MyRelayCert"
storeLocation = "LocalMachine"
storeName = "My"
x509FindType = "FindBySubjectName"
/>
</clientCredentials>
</transportClientEndpointBehavior>
</behavior>
</endpointBehaviors>
</behaviors>
msdnmagazine.com
The client can also programmatically provide the certificate to
use to the proxy by following steps similar to Figure 4, and you
can automate this by using these extension methods, which follow
the same default values discussed for the host:
public static class ServiceBusHelper
{
public static void SetServiceBusCertificate<T>(this ClientBase<T> proxy)
where T : class;
public static void SetServiceBusCertificate<T>(this ClientBase<T> proxy,
string subjectName) where T : class;
public static void SetServiceBusCertificate<T>(this ClientBase<T> proxy,
object findValue,StoreLocation location,StoreName
storeName,X509FindType findType) where T : class;
//Similar methods for a channel factory
}
Using the extensions on the client side yields this code:
MyContractClient proxy = new MyContractClient();
proxy.SetServiceBusCertificate("MyRelayCert");
proxy.MyMethod();
proxy.Close();
No Authentication
Although the service must always authenticate against the
service bus, you might decide to exempt the client and allow
it unauthenticated access to the relay service. In that case,
the client must set TransportClientEndpointBehavior to
TransportClientCredentialType.Unauthenticated. When the clients
are not authenticated by the relay service, it is now up to the relayed
service to authenticate the clients. The downside is that the service
is now less shielded than when the relay service authenticated cli-
ents. In addition, you must use message security to transfer the
client credentials (as discussed later). To enable unauthenticated
allow it by configuring the relay binding to not authenticate, using
the enum RelayClientAuthenticationType, shown here:
public enum RelayClientAuthenticationType
{
RelayAccessToken, //Default
None
}
You assign that enum via the Security property.
Transfer Security
The next crucial aspect of security is how to securely transfer the
message through the relay to the service. In addition to message
transfer security, another important design decision is which client
credentials (if any) the message should contain. Transfer security
is independent of how the client or the service authenticates itself
against the .NET Service Bus.
The .NET Services Bus offers four options for transfer security,
represented by the enum EndToEndSecurityMode:
public enum EndToEndSecurityMode
{
None,
Transport,
Message,
TransportWithMessageCredential //Mixed
}
The four options are None, Transport, Message, and Mixed.
None means just that—the message is not secured at all. Trans-
port uses SSL or HTTPS to secure the message transfer. Message
security encrypts the body of the message so that it can be sent over
July 2009 101
 GD97=5@
DF=79.
)-"-)

H\YZi``mgYUfW\UV`Y8f"8cVVÇg8YjY`cdYf@]VfUfm
8J8]bW`iXYg.

™ '&nZVghd[9g#9dWWÈh?djgcVa
™ &%nZVghd[I]ZEZga?djgcVa B9K
Hnh 6Yb^c
BV\Vo^cZ
™ &*nZVghd[Hnh6Yb^cBV\Vo^cZ Ã Wcad`YhY UfW\]jY Â
]bW`iX]b[ gcifWY
i]ZWZhi^cEZgaVcYA^cjmXdkZgV\Z
WcXY

™ &) nZVghd[8$8 JhZgh?djgcVa

™ )nZVghd[9g#9dWWÈhHdjgXZWdd`
™ 9dlcadVYVWaZVjY^dedYXVhihdc
ZkZgni]^c\[gdb#C:IYZkZadebZci
idWj^aY^c\G^X]>ciZgcZi6eea^XVi^dch

™ 6cYK>9:DH AZVgci]Z^chVcYdjih
d[L^cYdlhegd\gVbb^c\l^i]
HXdiiHl^\VgiÈhVlVgY"l^cc^c\
k^YZdhZg^Zh

»5@@CB5G=B;@98J8

CfXYf Bck kkk"XX^"Wca#WXfca

8jhidbZghl]d]VkZegZk^djhanejgX]VhZY9g#9dWWÈh9K9GZaZVhZ&!'!(VcY$dg)
VgZfjVa^[^ZYidejgX]VhZi]^h9K9ViVheZX^Vaje\gVYZeg^XZd['.#.*

H]^ee^c\VcY]VcYa^c\X]Vg\Zd[,#%%Veea^Zh[dgdgYZghYZa^kZgZYl^i]^ci]ZJ#H#:migVX]Vg\Zh[dgbjai^eaZXden
dgYZgh!gVe^Y YZa^kZgn!VcYYZa^kZgndjih^YZi]ZJ#H#l^aaVeean0ZmVXiX]Vg\Zhl^aaVeeZVgl]Zcdca^cZdgYZg^heaVXZY#
 Index to Advertisers
Access all of these companies from MSDN Magazine online ad index at: msdn.microsoft.com/msdnmag
Advertiser Phone URL Page Advertiser Phone URL Page
(ISC)2 Inc. 866-462-4777 www.isc2.org/csslp 61 Intersoft Solutions www.intersoftpt.com/WebUIStudio/Silverlight 31

(ISC)2 Inc. 866-462-4777 www.msdnmagresources.com 107 Lead Technologies Inc. 800-637-1840 www.leadtools.com/msdn 55

/n Software 800-225-4190 www.nsoftware.com 15 Microsoft www.buildabetterapp.com 46-47

Accusoft-Pegasus 800-875-7009 www.accusoft.com 39 Pearson Education 317-428-3000 www.informIT.com 20

Acresso Software Inc. www.msdnmagresources.com 107 Programmers Paradise 800-445-7899 www.programmersparadise.com 5

Alexsys Corporation 781-279-0170 www.alexcorp.com 89 SAP AG 888-333-6007 www.sap.com/crystalreports/dev 9

Aspose PTY LTD. www.aspose.com 65 Scaleout Software 503-643-3422 www.saleoutsoftware.com 25

AVIcode www.msdnmagresources.com 107 Seapine Software Inc. 888-683-6456 www.seapine.com 75

ceTe Software 800-631-5006 www.dynamicPDF.com 53 Software FX 561-999-8888 wwwsoftwarefx.com 32-33

CodeBetter www.CodeBetter.com 13 SpreadsheetGear 888-774-3273 www.spreadsheetgear.com 51

ComponentArt 416-622-2923 www.componentart.com 6-7 Steema Software 34-972-21-87-97 www.steema.com 23

ComponentOne 800-858-2739 www.componentone.com 36-37, 67 Syncfusion 888-9DOTNET www.syncfusion.com 2-3

ComponentSource 888-850-9911 www.componentsource.com 29 Tech Conferences 800-438-6720 www.DevConnections.com 80-81, 98

Construx Software 866-296-6300 www.msdnmagresources.com 107 Telerik Corporation 888-365-2779 www.telerik.com/salesdashboard 18-19

dtSearch 800-IT-FINDS www.dtsearch.com 4 Telerik Corporation 888-365-2779 www.telerik.com/reporting 58-59

Dr. Dobb’s CD Rom www.ddj.com/cdrom 102 Telerik Corporation 888-365-2779 www.telerik.com 71

Dundas 800-463-1492 www.dundas.com C4 The Code Project 877-504-5214 www.codeproject.com 84

Far Point Technologies 800-645-5913 www.fpoint.com C3 TotalDevPro.com www.TotalDevPro.com 93

GrapeCity Inc. 425-828-4400 www.datadynamics.com 69 Wintellect 877-968-5528 www.wintellect.com 43

Infragistics 800-231-8588 www.infragistics.com C2-1 Xceed Software www.xceed.com 26-27, 105

Intel Corporation www.intel.com 10

SALES REPRESENTATIVES
■ Michele Hurabiell Strategic Accounts Manager
(415) 378-3540 mhurabiell@techweb.com
■ Ed Day Regional Account Manager-West/South
USA & APAC
(785) 838-7547 eday@techweb.com
■ Brenner Fuller Strategic Account Manager-West/South
USA & APAC
(603) 746-3057 bfuller@techweb.com
■ Jonathan Hampson Regional Account Director-Northeast
USA & EMEA
(603) 924-8500 jhampson@techweb.com
■ Julie Thibault Strategic Account Manager-Northeast
USA & EMEA
(603) 924-8400 jthibault@techweb.com
The index on this page is provided as a service to our readers. The publisher does not assume any liability for errors or omissions.
 Figure 7 Binding and Transfer Security
Binding None Transport Message Mixed
TCP (Relayed) + + + +
TCP (Direct/Hybrid) + - + -
WS + + + +
One-Way + + + -
nonsecured transports. Mixed uses message security to contain the
client’s credentials but transfers the message over a secured trans-
port. Figure 7 shows the way the relay binding supports the vari-
ous transfer security modes and their default values. A bold plus
sign (+) marks defaults.
You configure transfer security in the binding. Although the
relay bindings use different default values, all the relay bindings
offer at least one constructor that takes EndToEndSecurityMode
as a construction parameter. You can also configure transfer se-
curity after construction by accessing the Security property and
its Mode property.
Transport Security
When it comes to transfer security, transport security is the sim-
plest to set up and configure. When using transport security, all cli-
ent calls are anonymous—the client messages do not contain any
client credentials. While transport security is the easiest to use, it
does not provide end-to-end security. It secures only the transfer
of the message to the relay service and from the relay service. The
journey inside the relay service is not secured.
This means that in theory, the relay service can eavesdrop on
the communication between the client and the service and even
tamper with the messages. However, I believe that in practice this
is impractical given the volume of traffic to the .NET Services Bus.
Simply put, this kind of subversion cannot be performed as an aside
and requires dedicated resources, planning, staff, and technology. In
addition, Microsoft has proven over the years that it has the highest
integrity and respect for its customers’ privacy, and it has many other
areas it could have abused if it were indeed malicious.
Message Security
Message security encrypts the body of the message using a ser-
vice-provided certificate. Because the message itself is protected
rather than the transport, the journey inside the relay is protect-
ed as well. The downside to message security is that it requires
additional setup steps.
While I think that in practice transport security is enough, it is
vital to assure customers and users of the presence of end-to-end
privacy and integrity and to guard against even theoretical compro-
mises. I therefore recommend always relying on message security
for all relayed communication, which will also provide additional
benefits, such as direct connection and the availability of security
call context to the service.
Unlike in transport security, in message security the message might
contain the client’s credentials. The primary use of client credentials
by the service is for local authorization of the call to establish some
104 msdn magazine
role-based security policy. Whenever the message contains creden-
tials, the service must also authenticate them (even if all it wants is
to authorize the client). Note that such authentication is on top of
the authentication the relay service has already performed. If the
relay service has already authenticated the client, authenticating the
call again by the service does not add much in the way of security,
yet it burdens the service with managing the client’s credentials.
If the relay service is not authenticating the client, the service will
be subjected to all the unwanted traffic of unauthenticated clients,
which could have severe IT operations implications.
For these reasons, I find that the best practice is for the relay ser-
vice to authenticate the client and to avoid having the service do it
again. You should also design your service so that it has no need for
the client’s credentials. Such a design is aligned with the chain-of-
trust design pattern that works well in a layered architecture. Th at
said, there are cases when the service needs the client credentials
for a local use other than authorization, such as personalization,
auditing, or proprietary integration with legacy systems.
TCP Relay Binding and Transfer Security
The TCP relay binding defaults to transport security, and no spe-
cial configuration steps are required. It simply uses SSL over port
. When using transport security, however, you can only use the
TCP relay binding connection mode of TcpRelayConnectionMode.
Relayed.
Because the call is anonymous, on the service side Windows
Communication Foundation (WCF) attaches a generic princi-
pal with a blank identity to the thread executing the call, and the
ServiceSecurityContext is null.
To protect the transfer of the message, you must configure the
service host with a certificate. The client will by default negotiate
the certificate (obtain its public key), so there is no need to explicitly
list the certificate in the client’s config file. However, the client still
needs to validate the negotiated certificate. As with regular WCF
and message security, the best practice is to validate the certificate
using peer-trust, which means installing the certificate beforehand
in the client’s Trusted People folder. Besides providing true end-
to-end transfer security over the relay, using message security also
enables the use of the direct and hybrid connection modes.
As discussed previously, the message might or might not con-
tain the client’s credentials. If you avoid sending the credentials
in the message, WCF will attach to the thread executing the call
a Windows principal with a blank identity, which does not make
much sense. When using message security without credentials,
you should also set the host PrincipalPermissionMode to None
to get the same principal as with transport security. To configure
the binding for message security with anonymous calls, use Mes-
sageCredentialType.None and assign that value to the ClientCre-
dentialType property of MessageSecurityOverRelayConnection,
available in the Message property of NetTcpRelaySecurity. Figure 8
shows code that demonstrates this.
Figure 9 shows the required host-side config file.
On the client side, you must include the service certificate name
in the address identity of the endpoint because that name does not
Foundations
Figure 8 Configuring a Binding for Message Security with
Anonymous Calls
public sealed class NetTcpRelaySecurity
{
public EndToEndSecurityMode Mode
{get;set;}
public MessageSecurityOverRelayConnection Message
{get;}
//More members
}
public sealed class MessageSecurityOverRelayConnection
{
public MessageCredentialType ClientCredentialType
{get;set;}
//More members
}

match the relay service domain. Figure 10 shows the required

config file.
If you want to include the client credentials in the message, the
service must also authenticate those credentials, using the same
setting as with regular TCP calls. In that case, the service princi-
pal and primary identity will both have an identity matching those
credentials. The credential can be a user name and password, a cer-
tificate, or an issued token. You must indicate to both the host and
the client in the binding which credential types you expect. For
example, for user name credentials, use the following:
<bindings>
<netTcpRelayBinding>
<binding name = "MessageSecurity">
<security mode = "Message">
<message clientCredentialType = "UserName"/>
</security>
</binding>
</netTcpRelayBinding>
</bindings>

Figure 9 Configuring the Host for Message Security

<service name = "..." behaviorConfiguration = "MessageSecurity">
<endpoint
...
binding = "netTcpRelayBinding"
bindingConfiguration = "MessageSecurity"
/>
</service>
...
<serviceBehaviors>
<behavior name = "MessageSecurity">
<serviceCredentials>
<serviceCertificate
findValue = "MyServiceCert"
storeLocation = "LocalMachine"
storeName = "My"
x509FindType = "FindBySubjectName"
/>
</serviceCredentials>
<serviceAuthorization principalPermissionMode ="None"/>
</behavior>
</serviceBehaviors>
<bindings>
<netTcpRelayBinding>
<binding name = "MessageSecurity">
<security mode = "Message">
<message clientCredentialType = "None"/>
</security>
</binding>
</netTcpRelayBinding>
</bindings>

msdnmagazine.com July 2009 105

 Figure 10 Configuring the Client for Message Security Figure 11 Configuring for Mixed Security
<client> <endpoint
<endpoint behaviorConfiguration = "ServiceCertificate" binding = "netTcpRelayBinding"
binding = "netTcpRelayBinding" bindingConfiguration = "MixedSecurity"
bindingConfiguration = "MessageSecurity" ...
<identity> />
<dns value = "MyServiceCert"/> ...
</identity> <bindings>
... <netTcpRelayBinding>
</endpoint> <binding name = "MixedSecurity">
</client> <security mode = "TransportWithMessageCredential"/>
<bindings> </binding>
<netTcpRelayBinding> </netTcpRelayBinding>
<binding name = "MessageSecurity"> </bindings>
<security mode = "Message">
<message clientCredentialType = "None"/>
</security>
</binding> Figure 11 shows how to configure either the service or the client
</netTcpRelayBinding>
</bindings> for mixed security.
<behaviors> After the messages are received by the service, the host must
<endpointBehaviors>
<behavior name = "ServiceCertificate"> authenticate the calls as with regular TCP. Once authenticated, the
<clientCredentials> service call will have a principal object matching the credentials
<serviceCertificate>
<authentication certificateValidationMode= "PeerTrust"/> provided and a security call context.
</serviceCertificate>
</clientCredentials>
</behavior> WS Relay Binding and Transfer Security
</endpointBehaviors> Combining the WS binding with transport security is as easy as
</behaviors>
changing the address schema from HTTP to HTTPS and setting
the binding to use transport security, as shown in Figure 12.
On the host side, if the credentials are user name and password, Note that the WS relay binding defaults to using message security
you must also configure, using behaviors, how to authenticate and for transfer security. Since message security requires additional
authorize the credentials. The default will be Windows credentials, configuration steps, the WS relay binding does not work as-is out
but the more common choice would be using some credentials of the box, and all calls will fail. However, configuring the WS relay
store such as the ASP.NET providers: binding to use message (or mixed) security is identical to config-
<service name = "..." behaviorConfiguration = "CustomCreds">
uring the TCP relay binding.
...
</service>
...
One-Way Relay Binding and Transfer Security
<serviceBehaviors> The one-way relay binding (and its subclasses) is the only bind-
<behavior name = "CustomCreds"> ing that defaults to having no transfer security at all. In addition,
<serviceCredentials>
<userNameAuthentication it does not support mixed transfer security. Configuring it to use
userNamePasswordValidationMode = "MembershipProvider" transport security is the same as with the TCP and WS relay bind-
/>
</serviceCredentials> ings. Configuring it to use message security is similar but with one
<serviceAuthorization principalPermissionMode = "UseAspNetRoles"/> important difference—the one-way relay binding cannot negoti-
</behavior>
</serviceBehaviors> ate the service certificate because there may not even be a service,
The client has to populate the proxy with the credentials. When and no direct interaction with the service takes place. When us-
using a username and password, the client code would be insert ing message security on the client, you must explicitly specify the
like this: service certificate, as shown in Figure 13.
MyContractClient proxy = new MyContractClient();
proxy.ClientCredentials.UserName.UserName = "MyUserName";
proxy.ClientCredentials.UserName.Password = "MyPassword"; Figure 12 WS Relay Binding with Transport Security
proxy.MyMethod(); <endpoint
address = "https://MySolution.servicebus.windows.net/..."
proxy.Close(); binding = "wsHttpRelayBinding"
The client has no way of knowing if the credentials it provides bindingConfiguration = "TransportSecurity"
...
are authenticated on the service side as Windows or custom />
credentials.
<bindings>
Mixed transfer security is the only way to avoid anonymous calls <wsHttpRelayBinding>
over transport security. Since transport security cannot pass cre- <binding name = "TransportSecurity">
<security mode = "Transport"/>
dentials, you pass the credentials using message security, hence the </binding>
term mixed. When using mixed transfer security over the TCP relay </wsHttpRelayBinding>
</bindings>
binding you are restricted to using only relayed connections.
106 msdn magazine Foundations
Figure 13 One-Way Relay Binding with Message Security Streamlining Transfer Security
<client> While transfer security offers a slew of details and intricate op-
<endpoint behaviorConfiguration = "ServiceCertificate" tions, you can and should streamline and automate most of these
...
</endpoint> security configuration decisions. To encapsulate it on the host side,
</client> use my ServiceBusHost class, defined as insert the following:
public class ServiceBusHost : ServiceHost
<behaviors>
{
<endpointBehaviors>
public ServiceBusHost(object singletonInstance,
<behavior name = "ServiceCertificate">
params Uri[] baseAddresses);
<clientCredentials>
public ServiceBusHost(Type serviceType,params Uri[] baseAddresses);
<serviceCertificate>
<scopedCertificates> public void ConfigureAnonymousMessageSecurity(string serviceCert);
<add targetUri = "sb://MySolution.servicebus..." public void ConfigureAnonymousMessageSecurity(string serviceCert,
findValue = "MyServiceCert" StoreLocation location,StoreName storeName);
storeLocation = "LocalMachine" public void ConfigureAnonymousMessageSecurity(StoreLocation location,
storeName = "My" StoreName storeName,X509FindType findType,object findValue);
x509FindType = "FindBySubjectName"
/> //More members
</scopedCertificates> }
</serviceCertificate>
</clientCredentials> When using ServiceBusHost, no other setting in config or
</behavior> in code is required. Per my recommendation, you can use the
</endpointBehaviors>
</behaviors> ConfigureAnonymousMessageSecurity method to enable anony-
mous calls over message security. All you need to provide it is the
certificate name to use:
ServiceBusHost host = new ServiceBusHost(typeof(MyService));
Another important distinction between the one-way relay bind- host.ConfigureAnonymousMessageSecurity("MyServiceCert");
ing and the other relay bindings is that if the call is anonymous, host.Open();
with either transport or message security, the call has a security ConfigureAnonymousMessageSecurity will default the certifi-
call context whose primary identity is cate location to the local machine and the certificate store to My,
service bus certificate CN=servicebus.windows.net. and it will look up the certificate by its common name. If you do

Resource Partners

N E W W H I T E PA P E R S

Get Windows Installer t ips from t he installat ion experts.

Learn how to:
AVIcode: The leading provider of r$WKNFWRITCFGHTKGPFN[/5+U
.NET application monitoring solutions r&GUKIPWRITCFGRCEMCIGU
r9QTMYKV JEWUVQOCEV KQPU
DOWNLOAD YOUR FREE Download t hem NOW
WHITEPAPER TODAY! www.acresso.com/whitepapers

$180 billion a year.

That's what the holes in
software development are costing us.

msdnmagazine.com Read more at July 2009 107

www.isc2.org/csslp-whitepapers
 not call ConfigureAnonymousMessageSecurity, ServiceBusHost {
public MyContractClient()
will default to using anonymous message security with the solution {}
name for the certificate name: public void MyMethod()
{
ServiceBusHost host = new ServiceBusHost(typeof(MyService));
Channel.MyMethod();
host.Open();
}
You can also use the overloaded versions that let you explicitly }
specify some or all of the certificate details. The sample code download includes the full implementation of
ServiceBusHost makes use of the ConfigureBinding method of ServiceBusClientBase<T>. ServiceBusClientBase<T> uses peer-
ServiceBusHelper. ConfigureBinding defaults to anonymous calls. If trust to validate the service certificate. The bulk of the work is
the calls are to have credentials, ConfigureBinding always uses user- done by passing the endpoint binding to ServiceBusHelper.Con-
name credentials. With the TCP relay binding, ConfigureBinding figureBinding.
uses the hybrid connection mode. ConfigureBinding also always The one remaining sore point is the one-way relay binding,
enables reliable messages. with its lack of certificate negotiation. To alleviate that, I wrote
ServiceBusHost also supports message security with credentials OneWayClientBase<T>:
via the ConfigureMessageSecurity methods: public abstract class OneWayClientBase<T> : ServiceBusClientBase<T>
public class ServiceBusHost : ServiceHost where T : class
{ {
public void ConfigureMessageSecurity(); //Same constructors as ServiceBusClientBase<T>
public void ConfigureMessageSecurity(string serviceCert);
public void ConfigureMessageSecurity(string serviceCert, public void SetServiceCertificate(string serviceCert);
string applicationName); public void SetServiceCertificate(string serviceCert,
public void ConfigureMessageSecurity(string serviceCert, StoreLocation location,
bool useProviders, StoreName storeName);
string applicationName); public void SetServiceCertificate(object findValue,
//More members StoreLocation location,StoreName storeName,X509FindType findType);
} }

ConfigureMessageSecurity defaults to using the ASP.NET OneWayClientBase<T> derives from ServiceBusClientBase<T>

membership providers, but it can be instructed to use Windows and adds the SetServiceCertificate methods. If you never call
accounts as well. The implementation of ConfigureMessageSecurity SetServiceCertificate, OneWayClientBase<T> simply looks up the
is similar to that of ConfigureAnonymousMessageSecurity. service certificate from config. SetServiceCertificate offers a simple
You can provide clients with an easy way of configuring message programmatic way of avoiding the config altogether. It even sets
security with my ServiceBusClientBase<T>, defined as the identity tag of the endpoint address. SetServiceCertificate uses
public abstract class ServiceBusClientBase<T> : ClientBase<T> the same defaults as ServiceBusHost, including using the solution
where T : class name for the certificate name if no certificate is provided. Here’s
{
public ServiceBusClientBase(); how you use OneWayClientBase<T> :
public ServiceBusClientBase(string endpointName); class MyContractClient : OneWayClientBase<IMyContract>,IMyContract
public ServiceBusClientBase(Binding binding, {
EndpointAddress remoteAddress); public MyContractClient()
public ServiceBusClientBase(string username,string password); {}
public void MyMethod()
public ServiceBusClientBase(string endpointName, {
string username,string password); Channel.MyMethod();
public ServiceBusClientBase(Binding binding,EndpointAddress address, }
string username,string password); }
MyContractClient proxy = new MyContractClient();
protected virtual void ConfigureForServiceBus();
proxy.SetServiceCertificate("MyServiceCert");
protected virtual void ConfigureForServiceBus(string username,
string password); proxy.MyMethod();
proxy.Close();
}
As you can see, using OneWayClientBase<T> is straightforward. „
ServiceBusClientBase<T> offers two sets of constructors.
The constructors that merely take the endpoint parameters all
default to using message security with anonymous calls. You
can also use the constructors that accept the username and
password credentials. If no endpoint address identity is provid-
ed, ServiceBusClientBase<T> defaults it to the solution name.
You use ServiceBusClientBase<T> like the WCF-provided
ClientBase<T>:
[ServiceContract]
interface IMyContract
{ JUVAL LOWY a software architect with IDesign providing WCF training and
[OperationContract]
void MyMethod();
architecture consulting. His recent book is Programming WCF Services nd
} Edition (O’Reilly, ). He is also the Microsoft Regional Director for the Silicon
class MyContractClient : ServiceBusClientBase<IMyContract>,IMyContract Valley. Contact Juval at www.idesign.net.
108 msdn magazine Foundations