Greg Reinacker’s Weblog

Musings on just about everything.

Archive for June, 2002

WS-Security

June 29th, 2002 by gregr

Clemens Vasters announced the newtelligence Web Service Extensions for ASP.NET. From the announcement: “…experimental implementation for WS-Security’s Kerberos and Username Authentication”. [Peter Drayton's Radio Weblog]

Hey, this is very cool.  I’ve been toying with the idea of writing a WS-Security implementation, but it just hasn’t bubbled up the list of things to do…and it never made it to the “really fun” things to do list.  ;-)  Now maybe I won’t have to!


No more playing Tag

June 28th, 2002 by gregr

A Santa Monica elementary school principal recently banned tag, saying the game can only be played under the strict supervision of physical education teachers and not at all during the lunch hour recess. That’s due to: one, the risk of injury; and two, a “self-esteem issue,” because whoever is “it” could be considered a “victim.” [ESPN.com]

Whew!  Thank heavens.  After 100 years of obviously damaged children, they’ve finally found the culprit.  On a similar note, a few weeks ago an elementary school suspended a kid for making a “gun” with his fingers (you know, “cowboys and indians” style).  Close call there, too… I mean, it’s inevitable that after pointing your finger at someone on the playground, San Quentin is the next step.

Does anyone live in the real world anymore?  Hello?


More on X++

June 27th, 2002 by gregr

After my recent post on X++, I got a reply from Kimanzi Mati (the author of X++) with some interesting comments.  I have posted this reply in its entirety here, and I wanted to address a couple of the items here.

Right now, all the XML data is public to the non-XML process that uses the XML data.  This is a problem, I think, which needs to be addressed.  This is where x++ objects come in as they will encapsulate the data within XML itself.  The other thing is of course that the objects can be sent via HTTP to remote machines and used there; all the while preserving the access security of the data.

Well, I’m not sure it is a “problem” - it depends what you’re using the data for.  For example, in a document-based SOAP message, the payload is thought of as an XML document in and of itself, rather than as a representation of other data (such as in RPC encoded messages).  You’re also not necessarily preserving access security of the data, because as you say, all of the data is being transmitted to the remote process.  At best, the embedded x++ code is a recommendation of access; not a requirement.

Some would say that this is mish-mashing code and data together in a bad way.  I would say no: XML is the format.  All objects in all object oriented systems encapsulate data within them.  In addition, of course, they have methods to implement behaviour.

In terms of traditional OO thinking, you’re right - objects encapsulate data and behavior.  However, in modern transactional and message-driven systems, the data and behavior are becoming somewhat separated by necessity.

In a nutshell, my thought is this: why can there not be a full programming language based on XML?  There is no reason, which is of course one of the reasons why I set out to invent x++.

I totally agree, and never meant to imply that there could not be an XML-based programming language.  I’m just trying to explore the possible uses for such a language, and how they might fit into modern transactional and service-based architectures.

I do find the idea of shipping an object, encapsulating both state and behavior, described in XML, via SOAP, to be interesting…


Sun and WS-Security

June 27th, 2002 by gregr

Good news for WS_SECURITY. Sun switches gears on security. Microsoft, IBM and VeriSign submit a security specification for Web services to an industry standards body, a move that has won the backing of an unlikely supporter: Sun. [CNET News.com] [Sam Gentile's Radio Weblog]

This is great news.  I’m still skeptical about Sun’s commitment to playing with everyone else in the web services space, but this news is the most promising thing I’ve seen from them yet.


Web Services Authentication with .NET - Sample

June 26th, 2002 by gregr

A while ago I preached a bit about using transport-based authentication with web services, rather than custom header-based mechanisms.  Well, after a number of requests, I’ve posted a sample of using HTTP Basic authentication with web services, without using the built-in IIS support for Basic with Active Directory.  The sample is a .NET HTTP Module, which handles the authentication against a custom data store (an XML file in the sample, easy to change to a database or whatever you need).  It will also work in shared hosting environments where you can’t even think about ISAPI filters.

I have a working HTTP Digest sample about 80% complete; if there’s enough interest I’ll finish it up and post it.


Web Services Security - HTTP Basic Authentication without Active Directory

June 26th, 2002 by gregr

.NET HTTP Module - sample code

In my last mini-article on web services security, I talked a bit about using HTTP authentication mechanisms for web services.  I pointed out that it is not necessary to use Active Directory for this, and mentioned that the required code was not all that difficult.  I got a number of e-mails from people asking for examples; so in response, here is a fully working sample in 100% managed code demonstrating the use of HTTP Basic authentication, using a separate credential store (in this case, an XML file, although this would be easy to change to a database or LDAP store).

Note - an ISAPI filter is an equally effective way to implement this; however, many people have hosting arrangements set up such that they cannot install filters.  The code here will work in even a very restrictive shared hosting environment.

The implementation was designed with web services in mind, but it will work equally well with any .NET web application.  Also, the user credentials are stored in an XML file (users.xml by default).  In a real application, you will probably want to change this to access a database, or wherever else you store user information.

A link to download the code is at the end of this article.  Rather than walk through all of the code (it’s pretty self-explanatory, download it and take a look), I will walk through here how to set it up and get it running.

To set up:

1. Build BasicAuthMod.dll, and copy it to your web application’s bin directory on your server.

2. Make the following changes to your web.config file (in the <system.web> section):

  • Change authentication line to: <authentication mode="None" />.  We need to disable the built-in ASP.NET authentication.
  • Add an authorization section if you wish, such as

       <authorization>
           <deny users="?" />
       </authorization>

    If you use BasicAuthMod to authenticate, you can still leverage the built-in ASP.NET authorization capabilities.

  • Add the following lines to wire the BasicAuthMod.dll into the ASP.NET pipeline.

       <httpModules>
           <add name="BasicAuthenticationModule"
                type="Rassoc.Samples.BasicAuthenticationModule,BasicAuthMod" />
       </httpModules>

3. Make the following changes to your web.config file (in the <configuration> section), and edit appropriately:

<appSettings>
    <add key="Rassoc.Samples.BasicAuthenticationModule_Realm"
         value="RassocBasicSample" />
    <add key="Rassoc.Samples.BasicAuthenticationModule_UserFileVpath"
         value="~/users.xml" />
</appSettings>

4. Copy the sample users.xml file into your virtual directory.

The last thing you need to do is make sure all IIS authentication mechanisms (Basic, Integrated, and Digest) are turned off, and only anonymous is enabled.  You can do this within the IIS Manager, or typically hosting providers will provide a way to make sure that Basic is turned off for your hosted sites/virtual directories.
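How a module registered by the steps above can handle Basic authentication against the configured user file, as an added example (this is not the downloadable BasicAuthMod source). The class name `ExampleBasicAuthModule` is hypothetical, and the users.xml layout with a Base64 salt and PBKDF2 hash per user is an assumption; the two appSettings keys are the ones from step 3.

```csharp
// Added example; assumed users.xml: <users><user name="alice" salt="b64" hash="b64" /></users>
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Xml;

public class ExampleBasicAuthModule : IHttpModule { // hypothetical name
    const string Prefix = "Rassoc.Samples.BasicAuthenticationModule_"; // keys from step 3
    public void Init(HttpApplication app) {
        app.AuthenticateRequest += OnAuthenticate;
        app.EndRequest += OnEndRequest;
    }
    public void Dispose() { }
    void OnAuthenticate(object sender, EventArgs e) {
        HttpContext ctx = ((HttpApplication)sender).Context;
        string h = ctx.Request.Headers["Authorization"];
        if (h == null || !h.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
            return; // stay anonymous; <deny users="?" /> turns that into a 401
        string pair;
        try { pair = Encoding.UTF8.GetString(Convert.FromBase64String(h.Substring(6).Trim())); }
        catch (FormatException) { return; }
        int colon = pair.IndexOf(':'); // split at the first colon: passwords may contain ':'
        if (colon > 0 && Verify(ctx, pair.Substring(0, colon), pair.Substring(colon + 1)))
            ctx.User = new GenericPrincipal(
                new GenericIdentity(pair.Substring(0, colon), "Basic"), new string[0]);
    }
    static bool Verify(HttpContext ctx, string user, string password) {
        var doc = new XmlDocument();
        doc.Load(ctx.Server.MapPath(ConfigurationManager.AppSettings[Prefix + "UserFileVpath"]));
        foreach (XmlElement u in doc.SelectNodes("/users/user")) {
            if (u.GetAttribute("name") != user) continue;
            byte[] salt = Convert.FromBase64String(u.GetAttribute("salt"));
            byte[] want = Convert.FromBase64String(u.GetAttribute("hash"));
            byte[] got = new Rfc2898DeriveBytes(password, salt, 100000).GetBytes(32);
            int diff = want.Length ^ got.Length; // then compare every byte, no early exit
            for (int i = 0; i < want.Length && i < got.Length; i++) diff |= got[i] ^ want[i];
            return diff == 0;
        }
        return false;
    }
    void OnEndRequest(object sender, EventArgs e) {
        HttpResponse r = ((HttpApplication)sender).Context.Response;
        if (r.StatusCode == 401) // add the Basic challenge to any 401
            r.AppendHeader("WWW-Authenticate", "Basic realm=\"" +
                ConfigurationManager.AppSettings[Prefix + "Realm"] + "\"");
    }
}
```

Basic credentials are only Base64-encoded, so the application should be reachable over HTTPS only. Because users.xml lives inside the virtual directory, check that the server does not serve it as a static file.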

That’s all there is to it; just copy the code, and make some web.config changes.  If you have any questions, please feel free to contact me at gregr@rassoc.com.

Greg Reinacker

BasicAuthMod code

Sample web service

[related: Digest authentication sample]


X++

June 25th, 2002 by gregr

x++: The World’s First Full XML-Based Programming Language Released!. Top XML Jun 24 2002 5:37PM ET [Moreover - XML and metadata news]

It is…well…something I would never have suspected seeing.  [Justin Rudd's Radio Weblog]

I’ll second that!  This is interesting…although I’m not completely sure I understand the point.  I do disagree with the scenario he lays out, though:

“Everything is going fine and dandy when one day, the source company is forced through circumstances to change their [XML] data format.  [...]  In the x++ case, the entire x++ object with the data is shipped off and the destination company’s XML client code can access the methods of the object and get the data– without caring what the actual data format is lexically!”

In my experience, the lexical format isn’t always what causes problems in the interop case.  If the source vendor adds a new data field, the client vendor has to modify his code to take advantage of the new data in a meaningful way.  So even if operations are packaged with the code (as in x++), the client must still change to deal with data additions/deletions.  The obvious exception is if the data is purely reorganized, in which case the above scenario is valid; but I think this is not the most common case.

And one other thought…in transaction- and service-oriented architectures, we have taught ourselves to separate data from actions; separate nouns from verbs.  X++ thrives on the merging of code and data.  Interesting.


Palladium - The Big Secret

June 23rd, 2002 by gregr

The Big Secret. “An exclusive first look at Microsoft’s ambitious-and risky-plan to remake the personal computer to ensure security, privacy and intellectual property rights. Will you buy it?”
By Steven Levy, Newsweek [sellsbrothers.com: Windows Developer News]

It’s interesting to think about this in the context of a few of our states’ opinion that Microsoft is a monopoly.  From this article, it sounds like they are talking about new features in Windows (and source code as a basis for other implementations), and new functions in hardware to implement some of the necessary features.  It’s easy to believe that this is progress, and that things are moving in a good direction (who doesn’t want better security?).

I believe, however, that the only way this could happen is for a company like Microsoft (market-share speaking) to drive it.  If tomorrow the open source community suddenly had an idea like this, and they built an implementation for Linux, do you think Intel and AMD would step up to the plate and design new silicon?  Do you think Dell and Compaq would build new boxes?  I don’t think so - it’s all about market share.  And Microsoft is one of the few that can deliver the numbers necessary to make it profitable for the hardware vendors.

So…the question is, could innovation like this happen without large companies like Microsoft driving it?  Is it Microsoft’s near-monopolistic hold on the desktop that makes this possible?


.NET Certification

June 21st, 2002 by gregr

A Rant on the .NET Certification Guides. I thought Microsoft wanted more people to pass their MCSD .NET certification exams. Apparently not, when you look at their .NET certification guide books. [Sam Gentile's Radio Weblog]

I have mixed feelings about “certification guides” like the ones talked about in the article above.  I strongly feel that certification should reflect experience with a technology; not just that you studied very hard and passed a test.

Back when I was teaching a Microsoft MFC class, I met a guy who took the certification test something like 6 times and finally passed it.  He then went to a customer to teach the class, and they threw him out on the first day for an obvious lack of experience. 

Certification should mean something…and something more than “hey, I bought the book, and I remember every page.”


SOAP Faults with Headers

June 20th, 2002 by gregr

SOAP Faults with Headers

Thanks again Greg for spurring the old brain juices.  [Justin Rudd's Radio Weblog]

Glad I could help!
