MVC 3, WIF & Security

I have recently been working with ASP.NET MVC 3 and Windows Identity Foundation. Most of the pages in the application require that the user be logged in and everything was working fine with the [Authorize] attribute applied to the controllers and action methods.

Recently, we needed to add a couple of new pages that could be accessed without being logged in (anonymously). So we created a new Controller without applying the [Authorize] attribute but we weren't able to access any of the new pages without being forced to log in.

We thought that we might have needed to add a <location path="..."> exception in web.config for the new pages, but this has no effect in MVC applications; only traditional ASP.NET. After lots of attempts at fixes, we discovered that at some point in the past, the <authorization> node in web.config contained the following (single) line... <deny users="?">.

This had the effect that the entire web application was protected behind a login session. Once we changed it to <allow users="?">, then all of the [Authorize] attributes kicked in and did their job admirably.

It's almost always something simple yet it takes a few hours to find out.

'Demo' Visual Studio Instance

Recently, I have been giving more presentations and talks to people that don't involve PowerPoint for most of the presentation. It's been development level talks and demos that involve Visual Studio the majority of the time. A problem that I, and many others, have is that Visual Studio is currently configured to be productive for me; not everyone in the audience. I have ReSharper installed, toolbar buttons trimmed to only the essentials (things I haven't memorized the keyboard shortcuts to), tool/output windows moved around, font/colors changed, etc. All of these things make it hard for others to follow what I am doing.

One solution a lot of people have been using is to create a separate user account on their machine and give their demos from that. It works, but you have to keep switching user accounts. After a while, these gets tedious.

Another approach is to export your daily development settings into a Visual Studio settings file (ie daily.vssettings), make the changes to the settings you want for giving demos, and then export those settings into another settings file (demos.vssettings). You could then just import the settings for whatever 'mode' you will be working in. Again, a little tedious, but at least you didn't have to go so far as creating a new user account.

A nice alternative that sits somewhere in the middle is to use the Experimental Instance of  Visual Studio. The details can be found in this blog post:  http://codermike.com/vs2010-demo-instance

Just create a shortcut on your desktop ('Visual Studio 2010 Demo') that starts Visual Studio in a 'Experimental' instance and there you go! Much easier!  :)

Amazon Kindle & Mixed Wi-Fi Security

Recently, my Father-in-law bought a Kindle for my Mother-in-law. He brought it home, read the instructions, and tried to get it it set-up to use his wireless network at home. He logged into his wireless router and got the security key, but when he entered it on the Kindle and tried to connect it would fail. He tried several times, even manually configuring the connection, but nothing seemed to work.

Wanting to determine if he had a defective unit (unlikely), he took it to a local McDonalds and tried connecting to the free Wi-Fi provided by AT&T… Success!

At this point, he called me to help him figure out what he was doing wrong since it seemed to work everywhere but home. I walked him through a few things over the phone before logging into his computer remotely and looking at the settings on the wireless router myself. The settings on his fairly new Belkin router were configured to use WPA/WPA2 for security. I had him try to manually set the Kindle to use first WPA2 and then WPA without success.

At this point, I changed the security settings on the router to be just WPA2 (not WPA/WPA2) and then had him try connecting the Kindle again… Bingo!

Apparently, the Kindle doesn’t like wireless routers that are set to use mixed mode Wi-Fi security settings. Since the only other device that he has to connect to his wireless network is his laptop, we can safely use the latest/strongest setting of WPA2 without worrying about older devices not being able to connect.

Hope this helps someone else out there!

MonoDroid Licensing

I have been playing around with MonoDroid for the past few weeks, mostly keeping an eye on how the betas have been progressing. I am very intrigued by the fact that I can use my normal development tools and language (Visual Studio 2010 & C#), even re-use existing libraries, to create a application that runs on Android.

However, while monitoring the mailing lists someone posed the question of licensing costs for MonoDroid once it reaches 1.0. Being that Mono is an open source project, I had assumed that there wouldn’t be a licensing cost… wrong. According the to the MonoDroid FAQ, while licensing hasn’t been finalized yet it will most likely follow a similar structure to MonoTouch (iOS version of Mono) and cost about $400 USD for an individual user and $1,000 USD for enterprise users.

Sorry, but as an individual user $400 USD seems a little steep for any small applications to be built using it. Even if I get 400 people to use my app and I only charge $0.99, I still won’t break even unless the application is a huge success. Then again, since C# and Java are so similar and Eclipse and the Android SDK are free, I could write core logic for the application in C# as a Web Service and then just building the UI in Java with Eclipse. No $400 USD entrance fee needed.

Would have been nice though… a WPF, Silverlight/Windows Phone 7, MVC, and Android app… all from the (mostly) same code base. Alas.

Upcoming Silverlight Firestarter Events

Jim O’Neil, Northeast Developer Evangelist for Microsoft, recently blogged about the upcoming Silverlight Firestarter series. It just so happens that I have been investigating using Silverlight 4 for an upcoming project re-write and there just happens to be an event date here in Rochester! What Luck!

You can get the details at Jim’s blog (http://blogs.msdn.com/b/jimoneil/archive/2010/12/23/firestarter-silverlight-for-windows-7.aspx) and follow the link there to register for yourself!

Hope to see you there!

Securing Corporate data on your laptop?

There has been a lot of talk lately about traveling internationally and potentially having your laptop confiscated by the U.S. Department of Homeland Security without cause or suspicion (example). They can also share the contents of your laptop with any other agency they like, without consent, and without a guarantee that they won’t further distribute or retain that data.

I’ll focus here on the business implications of this and not tread into the murkier issues of personal privacy. Suffice it to say, if you’ve done something illegal, you reap what you sow (but there should at least be reasonable suspicion).

Almost all business users have corporate documents on their machine (sales presentations, financials, etc.) unless your using a Content Management System (CMS) like SharePoint. What would happen if your upcoming Quarterly Earnings Report was on your confiscated machine and it got leaked early?

An easy way to protect this data is with encryption. Nobody can look at the data without your consent because you would need to provide the password to decrypt the file. Problem is, they can still see the files and force you to decrypt them.

Enter TrueCrypt. With TrueCrypt, you can create an encrypted volume that is nothing more than a file on your machine that you can name whatever you want (“foo.dat” for instance). After creating the encrypted volume, you can mount it as a regular drive letter on your machine and any program can access it as usual. All encryption/decryption happens on the fly in memory, so the data is constantly protected and leaves no traces in temporary files anywhere.

If you are really paranoid, you can create a hidden partition within the encrypted volume. That way, even if you are forced to reveal your password to the main volume (where you stored some innocent/random files) they won’t be able to tell that there was an inner encrypted volume that had the real data on it.

Of course, if you have a laptop, you need to dismount any TrueCrypt volumes before suspending/hibernating or else anyone who forces you to unlock your computer will immediately have access to the encrypted volumes.

Safe Travels!

Moving a TFS Source Controlled Project

Recently, I needed to reorganize the folder that contained all of the projects under source control for a solution. The solution was started several years ago and the number of projects has steadily grown over the years and started polluting the root solution directory. I wanted to clean this up and move projects into sub-folders for their functional area, such as plug-ins, data/business, and common.

This seemed like a fairly trivial thing to do, but I quickly ran into problems. Most of these problems seemed to be related to the fact that the projects were under source control with TFS. After some trial an error, I came up with the following process:

• Load the solution that contains the projects that are moving.
• Remove the Source Control Bindings for any of the projects that are going to move. This can be accomplished by going to File > Source Control > Change Source Control. In the resulting window, select the projects that are going to move and click the “Unbind” button in the toolbar. This will update the solution file.
• Close the solution.
• Open the Source Control Explorer and navigate to the parent folder that contains the project to be moved.
• Right-click on the project folder and select “Move…”. In the resulting window, browse to the new location for the project.
• Navigate into the new project file location and checkout the “{projectName}.vspscc” file. If you don’t do this now, you will receive an error when you re-add the source control bindings later.
• Close Visual Studio.
• Using Windows Explorer, navigate to the root folder for the solution and delete the “{solutionName}.suo” file. This prevents Visual Studio from getting confused the next time you open the solution.
• Edit the “{solutionName}.sln” file and update the path to the new project file location. Just search for the project name and the update the portion of the line the points to the “*.*proj” file.
• Open the solution. At this point, any projects that reference the moved projects will be updated (checked out) to reflect the new location.
• Update the Source Control Bindings to rebind the projects that were removed at the beginning of the process (the unbound projects will be located at the bottom of the list) by selecting the project and clicking the “bind” button in the toolbar.
• At this point, the project will be highlighted with a red underline stating that there is an issue. This is because we haven’t checked our changes in yet so the server path doesn’t exist. This will be corrected soon.
• Rebuild your solution to make sure there are no side-effects. When I did this, I had to update a few references to shared DLL’s in the moved projects because the reference path was no longer valid.
• Commit your changes.

That’s it. Simple, right? ;)

There are some things you could do differently. For instance, instead of editing the solution file by hand, you could remove the project from the solution, perform the TFS move, then re-add the project to the solution. However, you will need to re-add the reference to the moved project in any projects that depended on it originally. For me, it was faster to just edit the solution file manually because this doesn’t remove project references and Visual Studio will update the dependant projects for me.

Happy Coding!