Friday, December 31, 2004

p&p Data Access Application Block - Review

Almost every site portrays the salient benefits of this application block (AB), so I decided my review should point out the issues {my perception} and the enhancements needed. A year back I did a feature analysis of Ver 1.0 of the AB. After a year I decided to look at this AB again to see whether there are any major improvements or feature additions. For this I used both the Ver 2.0 release from Microsoft and the Ver 3.1 release from the GotDotNet (GDN) workspace. There were a few enhancements in the GDN version, but it is anyone's guess why Microsoft hasn't taken a cue from the GDN version.

Here is what I feel are some of the missing features:
Critical
Resource clean-up
        This one is very severe. There are many places where an object is created and not cleaned up properly. For example, a SqlConnection object is created and a command is executed, but the connection is not cleaned up when there is an exception. A SqlCommand object, once created, is not cleaned up anywhere. I still see a lot of open issues in the GDN bug tracker.
Command time-out
        Though it looks like a simple feature, this actually helps system scalability. Nobody wants to end up hunting for long-running queries and fixing scalability issues at the fag end of a project. Rather, the time-out should be configurable from the application, with a way to set a configurable max limit for each connection.
Logging execution information
        It is critical for any data access layer to log execution information such as the executing query, its parameters and any exception. This should be configurable per connection, both from the application and externally, and it should have multiple levels like TraceSwitch.
Support and Extensibility to any data store
        The Microsoft version is written very specifically for SQL Server and is designed with very little flexibility for extension to other data stores. The GDN version has taken the first step here by using an abstract ADOHelper.cs, but there is a long way to go.
Abstraction of ADO.Net implementation
        I would still like to see more abstraction from the workings of ADO.NET. Developers still need to work with connection and parameter objects in many situations. I would like to see helper methods for parameter creation that hide the ADO.NET implementation.
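
The clean-up, time-out ceiling and switch-controlled logging asked for above could look like this in a provider-neutral helper. This is an added example, not code from either version of the block; SafeDb, ClampTimeout, MaxTimeoutSeconds and the "DataAccess" switch name are hypothetical.

```csharp
using System;
using System.Data;
using System.Diagnostics;

// Added illustration, not Application Block code. SafeDb, MaxTimeoutSeconds and
// the "DataAccess" switch name are hypothetical.
public static class SafeDb
{
    // Ceiling applied to every command, whatever the caller asks for.
    public const int MaxTimeoutSeconds = 30;

    // The level comes from <system.diagnostics><switches> in the config file.
    private static readonly TraceSwitch Log =
        new TraceSwitch("DataAccess", "Data access execution logging");

    // In ADO.NET a CommandTimeout of 0 means "wait forever", so clamp to 1..max.
    public static int ClampTimeout(int requestedSeconds)
    {
        return Math.Max(1, Math.Min(requestedSeconds, MaxTimeoutSeconds));
    }

    // 'create' returns an unopened provider connection (SqlConnection, OleDbConnection, ...).
    public static int ExecuteNonQuery(Func<IDbConnection> create, string sql,
                                      int timeoutSeconds, params IDbDataParameter[] args)
    {
        // using disposes the command and closes the connection even if a call throws.
        using (IDbConnection conn = create())
        using (IDbCommand cmd = conn.CreateCommand())
        {
            cmd.CommandText = sql;
            cmd.CommandTimeout = ClampTimeout(timeoutSeconds);
            foreach (IDbDataParameter p in args)
                cmd.Parameters.Add(p);

            // Log the statement text and parameter count, not values, which may be sensitive.
            Trace.WriteLineIf(Log.TraceInfo,
                "Executing: " + sql + " [" + args.Length + " params, timeout " + cmd.CommandTimeout + "s]");
            try
            {
                conn.Open();
                return cmd.ExecuteNonQuery();
            }
            catch (Exception ex)
            {
                Trace.WriteLineIf(Log.TraceError, "Failed: " + sql + " : " + ex.Message);
                throw; // rethrow with the original stack trace intact
            }
        }
    }
}
```

Because the helper only touches the System.Data interfaces, the same call path works for any provider whose connection type the caller constructs in `create`.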

Non-Critical
Single store for connection string information

        I learnt this from a client I worked with: the concept of having a logical data source and maintaining its connection information in an external store {registry, xml config} is advantageous in many ways. First, an application will not be able to arbitrarily connect to any data store. You can enforce constraints for a logical data source, like a max command time-out; you will be happy to see that you are not allowing a command to run for hours against a real-time db. Without any code/config changes, we can point an application to the appropriate environment, like dev/qa/prod.
Design flexibility & extensibility
        The static nature of the design might suit some situations very well. But I often end up in situations where I need to store information specific to a connection, like a transaction object, so I feel an object would be more convenient for a data access block. But looking at all the other application blocks, it seems obvious that Microsoft wants to go all out on static design. Also, extension to other data stores is not easy with the existing design.
Application configuration file issues in COM+ environment
        The GDN version now uses app.config for storing provider information. Having an app.config for a server-activated serviced component assembly means managing the app.config is going to be complex. With the SOA wave all around us, this issue now needs more attention. COM+ 1.5 provides the option of an individual app.config for each server application package, which is better than a single app.config for all server-activated serviced components. But managing these app.config files is still going to be tough; it's no longer just an XCOPY.

        As for the existing feature of runtime discovery of stored procedure parameters, I would not recommend it unless there is a very strong reason to use it. The idea of a parameter cache looks good, but in practice I haven't had a chance to use this feature, and with the help of OpenXML its use looks remote to me.

        Everyone should agree that p&p application blocks are designed to be extensible, and hence all of the missing features mentioned can be included by customizing the block. But the question is how much customization you need. I neither offend nor defend the usage of this application block; it depends on the architectural requirement. More than anything, this component is an integral part of your enterprise architecture.

Monday, December 27, 2004

SE Asian Tsunami & Bonehead Indian Television Channels

http://news.google.com/news?q=asian%20tsunami&hl=en&lr=&safe=off&sa=N&tab=wn

Deepest condolences to all those who lost their lives & dear ones.

0100 GMT: The 8.9 magnitude quake occurs under the sea near Aceh in northern Indonesia, generating a wall of water that speeds across thousands of kilometres of sea
0130 GMT: Eyewitnesses on Phuket island's main beach experience a series of towering waves which hit the coast around this time
0430 GMT: Reports emerge that tidal waves have flooded southern and eastern areas of Sri Lanka, 1,600km (1,000 miles) from the epicentre
0540 GMT: Reports from the southern Indian city of Madras say tidal waves have claimed lives

My father lives in Madras, India, one of the cities affected by the tsunami. I learned from him that there was at least 1 to 1 1/2 hrs between the tremor and the tsunami effect. And the WORST part is that none of the TV channels had the foresight to let people know about the tsunami effect and warn them.

Yeah, I know the word "Tsunami" is new for the billions of people who live in India, but don't we have even a handful of knowledgeable people? Can't these big TV giants catch hold of them and get some insight into the after-effects of the quake?

My sole reason to blame TV is that the only mass communication we have there is TV & Radio. I came to know that the usual (and useless) movies & cine songs were being aired at that time. And I am a strong believer that it is impossible for the Indian govt wheel to be up and running in this short period of time.

All said and done, I pray for those souls who lost their lives. Sadly, my belief in the Lemuria continent and Kaveripoompattinam is stronger than ever.

Tuesday, December 21, 2004

Power of CSS attack.

When I came to know about the Cross Site Script (CSS) attack a long time back, I wondered how good an attack it could be, if the script runs in a client browser, and that too in the controlled execution environment provided by many modern browsers.

I found that someone can inject a script that refreshes the page at a short interval and can effectively bring down the web server with a lot of load from just a fraction of the legitimate users: a DoS. My initial (illiterate) assumption was that a hacker has to control a large no. of zombie clients to use this technique; that was totally busted by a simple CSS.

A lesson to all those who believe world is so NICE!!!

Monday, December 20, 2004

Quantum Cryptography -

EinsteinEncryption
"Cryptographic key communication can be guaranteed absolutely secure, even over completely unsecured lines."

Hits me like anything, but it looks like it's practically possible (though with some practical limitations that need to be overcome) with quantum physics.

I luv google caching

Personally, to me this doesn't mean the end of mathematical cryptography, as this looks like half of the security, just securing data communication. I am not aware of any usage of this principle for securing stored data. I believe this one should also have overhead, as we have in asymm crypto, but be more secure than that. Hopefully this could be useful for securing communication of symm keys. I am sure the first practical install will be a "secure proton tunnel" between Pentagon and WhiteHouse or Camp David.

"I think I can safely say that nobody understands quantum mechanics."
- Richard P. Feynman

Saturday, December 18, 2004

70-340 .net security

After long thought, I decided that 70-340: Implementing Security for Applications with Microsoft Visual C# .NET should be the next exam.

70-229 and 70-230 should be out soon with a new exam for new products Yukon and BizTalk 2004.

Before .net, I was one of the strong believers that Security and Microsoft don't go well together. With the amount of interest/effort MS is putting into security, this exam deserves credit.
Started reading the following books; I hope it helps.
MCAD/MCSD Self-Paced Training Kit: Implementing Security for Applications with Microsoft VISUAL BASIC.NET & VISUAL C#.NET
Writing Secure Code, Second Edition

Whatever, I should get MCSD.net certified before the certified count jumps to 5 digits.
http://www.microsoft.com/learning/mcp/certified.asp (As of now nudging close to 10K)

Friday, December 17, 2004

MSF,ORM,.. @#@#$@%$

070-300: Analyzing Requirements and Defining Microsoft .NET Solution Architectures

Boy, this one was tough. I believe I cleared it with some amount of luck; 3/4 case studies are web app scenarios, and it looked like I got some simple comprehension questions too. Anyhow, that takes me close to MCSD.net, just 1 more to go.

I have never used an MSF model in any project {though I should agree that it is better than what I do today, especially change management}. But it seems I always had a slight leaning towards XP practices, and some of MSF resembles XP. ORM was really another interesting topic to learn. I wonder why I didn't hear this jargon till date, maybe 'coz this one really works ;-)

I had only the MSF material and codeclinic links, and it looked like neither of them is good for the exam. Someone with good theoretical/practical experience in architecting solutions can clear the exam without any preparation.

Need to decide what should be next exam 70-229, 70-230 or 70-340?

Thursday, December 16, 2004

Digital Signature Simplified

I hit on this concept while working on customization of the Configuration Management Application Block. Initially it didn't strike me how well this could be leveraged in an application architecture. Later I realized how simply and effectively this technique can be used for tamper-proof content delivery. If used along with public/private key encryption, this can prove to be very effective in verifying the authenticity of content.

Enough of my blabber, how D-S works:

The content author uses a hash algorithm to get a hash of the message {AKA message digest}, then encrypts the hash using the private key. The "encrypted hash" is the D-S of the content. It is usually delivered along with the original message/content.

The content consumer uses the same hash algorithm to generate the hash and decrypts the signature using the public key. If the hashes match, voilà, the receiver can be sure of the sender's identity and that the message arrived intact.
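
The two sides of that exchange, as an added example that is not part of the original post. It uses the .NET RSA class (RSA.Create(2048) assumes .NET Framework 4.7.2 or later, or .NET Core); SignatureDemo, Sign, Verify and the sample content are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration; SignatureDemo and the sample content are constructed.
public static class SignatureDemo
{
    // Author: SignData hashes the content (SHA-256) and applies the private-key
    // operation to the padded digest. The result is the signature.
    public static byte[] Sign(RSA privateKey, byte[] content)
    {
        return privateKey.SignData(content, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
    }

    // Consumer: holds only the public key. VerifyData re-hashes the received
    // content and checks it against the digest recovered from the signature.
    public static bool Verify(RSAParameters publicKey, byte[] content, byte[] signature)
    {
        using (RSA rsa = RSA.Create())
        {
            rsa.ImportParameters(publicKey);
            return rsa.VerifyData(content, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        }
    }

    public static void Main()
    {
        byte[] content = Encoding.UTF8.GetBytes("<add key=\"mode\" value=\"prod\" />");
        using (RSA author = RSA.Create(2048))
        using (RSA stranger = RSA.Create(2048))
        {
            RSAParameters authorPublic = author.ExportParameters(false); // public part only
            byte[] signature = Sign(author, content);

            byte[] tampered = (byte[])content.Clone();
            tampered[tampered.Length - 5] ^= 0x01; // one bit changed in transit

            Console.WriteLine("intact content:   " + Verify(authorPublic, content, signature));
            Console.WriteLine("tampered content: " + Verify(authorPublic, tampered, signature));
            Console.WriteLine("wrong signer:     " + Verify(authorPublic, content, Sign(stranger, content)));
        }
    }
}
```

Only the first check succeeds: a single changed bit in the content, or a signature made with any other private key, fails verification against the author's public key.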

Looks like a solid and simple technique to me. If needed, we can also add the "salting" technique. I believe there is no perfect security; it's always 1 layer up, while making sure we aren't hit by performance.

To end with a conspiracy theory: I am one of those who strongly believe that some tactical project could be nudging closer to a technique for inverting the {so-called} trap door one-way function. It's a TWILIGHT ZONE.

Ignorance is NO bliss in the world of digital security!

Monday, December 13, 2004

OpenXML limitation - row based operation

I needed to insert a bulk of data into a table and designed it to use OpenXML; there is a biz reqt to compute (Max+1) for the vdrNum column.

CREATE TABLE OpenXMLTest2
(
vdrNum INT NOT NULL,
vdrType CHAR(1) NOT NULL,
vdrName CHAR(10)
)
GO
ALTER TABLE OpenXMLTest2
ADD CONSTRAINT PK_OpenXMLTest2 PRIMARY KEY CLUSTERED
(
vdrNum,
vdrType
) WITH FILLFACTOR = 90 ON [PRIMARY]
GO

DECLARE @hDoc INT

EXEC sp_xml_preparedocument @hDoc OUTPUT,
'<ROOT><OpenXMLTest2 vdrName="Vend1" /><OpenXMLTest2 vdrName="Vend2" /></ROOT>'


INSERT INTO OpenXMLTest2 (vdrNum,vdrType,vdrName)
SELECT
(SELECT ISNULL(MAX(vdrNum),0)+1 FROM OpenXMLTest2 WHERE vdrType = 'x' )
,'x',vdrName
FROM OPENXML (@hDoc, 'ROOT/OpenXMLTest2',1) WITH (vdrName CHAR(10))

Looks good, but I later found that this actually gives a primary key violation, as the vdrNum computed is always the same initial value, and hence OpenXML doesn't work the way I expected. The workaround for the above code is


DECLARE @hDoc INT, @Val int

SELECT @Val = ISNULL(MAX(vdrNum),0)+1
FROM OpenXMLTest2 WHERE vdrType = 'x'

EXEC sp_xml_preparedocument @hDoc OUTPUT,
'<ROOT><OpenXMLTest2 vdrName="Vend1" vdrNum="1" /><OpenXMLTest2 vdrName="Vend2" vdrNum="2" /></ROOT>'

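INSERT INTO OpenXMLTest2 (vdrNum,vdrType,vdrName)
-- vdrNum in the XML is a 1-based sequence; offset it by the precomputed @Val (= Max+1)
SELECT @Val + vdrNum - 1,'x',vdrName
FROM OPENXML (@hDoc, 'ROOT/OpenXMLTest2',1)
WITH (vdrName CHAR(10), vdrNum INT)

-- release the parsed document handle
EXEC sp_xml_removedocument @hDoc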

This reminds me of an interesting problem one of my coworkers had with OpenXML. He had to delete some rows whose primary key column values were available. The tricky part was that the table had a foreign key constraint that referred to itself (a kind of hierarchical organization structure). Though he had the XML created in the correct order so that it wouldn't cause any foreign key violation while deleting a row, it always threw a foreign key violation error. Later it was found that OpenXML didn't actually delete the rows in the order given in the XML, and most probably spawned multiple threads internal to SQL Server, and hence tried to delete a parent row while its child row was still not deleted. In the end the XML was dumped into a temp table, and looping over that deleted the rows in the correct order, as expected.


Friday, December 10, 2004

throw; vs throw e;

throw; is a better choice than throw e; {the stack trace is preserved with the former}

private void Test() {
    Test2();
}
private void Test2() {
    try {
        Test3();
    }
    catch (Exception e) {
        // some cleanup code
        throw;
        // throw e; // This will lose the stack trace.
    }
}
private void Test3() {
    // some logic
    throw new Exception("abcd");
}

Monday, December 06, 2004

MCAD.net !!!

070-320: Developing XML Web Services and Server Components with Microsoft Visual C# .NET and the Microsoft .NET Framework

Yup, now I am one of those MCAD.net. Strange, I don't feel anything special after this certification.
Good thing I had a chance to work on samples like
Remoting sink chain, http://www.codeproject.com/csharp/customsinks.asp
Soap extensions, http://www.gotdotnet.com/team/rhoward/EncryptionExtension.zip
Custom SOAP authentication, http://www.codeguru.com/Csharp/Csharp/cs_webservices/security/article.php/c5479/

Should I go for MCSD.net???

Sunday, December 05, 2004

RadioButton in ASP.NET DataGrid

This one is really tricky. Today I was developing an ASP.NET DataGrid and needed a radio button for each row in the DataGrid, so the user can select a single row. It seems we can't group the radio buttons even with the GroupName property :-( And all my googling was in vain, as it seems there is an awful lot of code out there to fix this.

I fixed the issue with the following cool and simple code (Thanks Njeri). In the aspx page I used the following code

<input type="radio" id="RadioButtonCountry" name="RadioButtonCountry" value="<%#((System.Data.DataRowView)Container.DataItem)["Country"] %>" >