Tuesday, May 30, 2006

The world's most misunderstood programming language

I really enjoyed reading this post by Douglas Crockford, 'The world's most misunderstood programming language'. I have always dismissed JavaScript as a kind of toy language that I've more suffered than enjoyed working with. I never realised it was so powerfull, probably for all the reasons that Mr Crockford enumerates in his article. I've been very interested in object oriented programming for a long time now, but I'd never heard of stuff like 'closures', 'lamda expressions' or 'functional programming' until recently. JavaScript it turns out is like 'Lisp in C syntax' with all those cool features. I guess this is all bourne out by the current interest in AJAX and more powerfull browser based apps.

Wednesday, May 24, 2006

Making raw web service calls with the HttpWebRequest class

Sometimes it's really nice to be able to make a raw call to a web service by manaully putting together your own SOAP envelope. The System.Net.HttpWebRequest class makes it really easy. There are a number of good reasons to do this. Maybe you want to call a web service without having to create a proxy class with wsdl.exe, or maybe you want to have more control over the creation of the SOAP envelope or you don't want to have to rely on the XmlSerializer. Maybe you want to create the xml by doing xslt transforms rather than serializing a .net type. First you need to create the envelope xml, this function takes a string of xml data as the content and inserts it into a soap envelope. Just open your web service in IE by typing the url into the Address bar to see what the structure of the soap:Body should be.
    static string _soapEnvelope =
@"<soap:Envelope
    xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
    xmlns:xsd='http://www.w3.org/2001/XMLSchema'
    xmlns:soap='http://schemas.xmlsoap.org/soap/envelope/'>
<soap:Body></soap:Body></soap:Envelope>";

    private static XmlDocument CreateSoapEnvelope(string content)
    {
        StringBuilder sb = new StringBuilder(_soapEnvelope);
        sb.Insert(sb.ToString().IndexOf("</soap:Body>"), content);

        // create an empty soap envelope
        XmlDocument soapEnvelopeXml = new XmlDocument();
        soapEnvelopeXml.LoadXml(sb.ToString());

        return soapEnvelopeXml;
    }
Next you create the HttpWebRequest object. The url is the url of the .aspx file and the action is your namespace plus the web method, e.g: 'mikehadlow.com/adder'.
    private static HttpWebRequest CreateWebRequest(string url, string action)
    {
        HttpWebRequest webRequest = (HttpWebRequest)WebRequest.Create(url);
        webRequest.Headers.Add("SOAPAction", action);
        webRequest.ContentType = "text/xml;charset=\"utf-8\"";
        webRequest.Accept = "text/xml";
        webRequest.Method = "POST";
        return webRequest;
    }
Insert the envelope into the web request.
    private static void InsertSoapEnvelopeIntoWebRequest(XmlDocument soapEnvelopeXml, HttpWebRequest webRequest)
    {
        using (Stream stream = webRequest.GetRequestStream())
        {
            soapEnvelopeXml.Save(stream);
        }
    }
Then you can call .GetResponse on the HttpWebRequest object to call the web service. You get the response back by getting the response stream with the GetResponseStream method of the webResponse object. Here's it all put together:
    static string _url = "http://mikehadlow.com/myService.asmx";
    static string _action = "http://mikehadlow.com/myWebMethod";
    static string _inputPath = @"C:\mike\Play\input.xml";
    static string _outputPath = @"C:\mike\Play\output.xml";

    static void Main(string[] args)
    {
        string content = File.ReadAllText(_inputPath);
        XmlDocument soapEnvelopeXml = CreateSoapEnvelope(content);
        HttpWebRequest webRequest = CreateWebRequest(_url, _action);
        InsertSoapEnvelopeIntoWebRequest(soapEnvelopeXml, webRequest);

        // begin async call to web request.
        IAsyncResult asyncResult = webRequest.BeginGetResponse(null, null);

        // suspend this thread until call is complete. You might want to
        // do something usefull here like update your UI.
        asyncResult.AsyncWaitHandle.WaitOne();

        // get the response from the completed web request.
        string soapResult;
        using (WebResponse webResponse = webRequest.EndGetResponse(asyncResult))
        using (StreamReader rd = new StreamReader(webResponse.GetResponseStream()))
        {
            soapResult = rd.ReadToEnd();
        }
        File.WriteAllText(_outputPath, FormatDocument(soapResult));
    }

Tuesday, May 23, 2006

Intellisense isn't always right

I've found myself becoming almost too reliant on intellisense in VS2005. I almost didn't do the obvious thing today, just because intellisense didn't understand it. I wanted to increment the last two digits of a reference string. It's looks something like: "UKDRNY500011106" and I needed to change it to: "UKDRNY500011107" so I wanted to write this
return policyRef.Substring(0, 12) + (int.Parse(policyRef.Substring(12, 2)) + 1).ToString("00");
If you try and type that line of code into VS, when you get to the '.' before ToString, intellisense doesn't suggest 'ToString' or anything. It doesn't recognise that the expression in brackets is an integer value. But if you type it anyway, it compiles and runs just fine. The silly thing is that I almost didn't write it because intellisense didn't suggest it.

Thursday, May 04, 2006

Where do role-based security checks go in my Application?

I recently had to help a team who had problems with their role based security implementation. They weren’t sure where to locate role based security checks in their application. Their current design wasn't working. They held users, roles, use cases and method names in a database. The method names described web service methods and they mapped onto particular use cases that applied to particular roles. Each user was assigned a role. This way they could do a lookup as each method was called and find out if the logged on user was allowed to run it. If they weren't, the web service threw an exception, which the application caught and used to alert the user that they were doing something illegal. Of course, it's better to enforce role-based rules at the UI. A button that the user isn't allowed to click should be invisible to them, or disabled, rather than allowing them to click it and get an error message. To that end, the other part of their security mechanism linked use-cases to control names, so that controls could be enabled or disabled depending on whether the user belonged to a role assigned to that control's use case. There were several problems with this model. The first and most obvious one was that there were two different mechanisms to do the same thing; the method access based checks and the control-based checks. Both enforced access rules to certain bits of functionality, but had two different implementations and two different schemas in their security database. There was ample opportunity for support people to configure conflicting rules for the UI and the web services. The second problem, and probably a more fundamental one was the assumption that use cases mapped exactly to web service method calls. For example, my method call, 'Save Customer', would map to a particular use case. But what if one use case said that only an admin person could change a customer's credit status, while another one said that a clerical user could change a customer's address. Does it make sense in our application design to split Save Customer into several use case based calls? Probably not. There was a real danger that the security design would have driven out a very awkward physical implementation. A further assumption was that they wouldn't have data related security requirements. For example, say that the accounts department could only update one type of customer, but another type could only be updated by the call center. The customer type is defined by a property of customer, but of course they both use the same Save Customer call. And imagine the customer types can be user defined, there's no way you can implement that with a static security model. I think the fundamental problem with the whole approach was not seeing role based security roles for what they are: business rules. Just like a customer's credit limit, whether a user of a particular role can edit a customer is a business rule. Like all business rules in our Domain Driven application design, the role based security checks should be implemented in our Business Entities (Business Objects, or whatever you call them). If the rules are expressed as properties of our domain entities, Customer.CanEdit, for example, you can both bind them to the UI, by binding the CanEdit property to the Save button's Enabled property, and apply them at lower levels of the application architecture. You could query Customer.CanEdit in your Data Access Layer before running the customer update, or query the same property in your web service. Putting rule based security checks in your domain objects also makes sense from the point of view of application design. Since they are business rules they sit nicely alongside the other rules that apply to a particular entity and can interact with them if need be. You can code rules that maybe intersect a user rule, a property of the entity and another entity. Best of all you can do it all in the same place.