They’re Drinking Our Beer Here

Well not exactly drinking our beer, but certainly making use of my beer-fridge.

 

The beer-fridge was surplus-to-requirements in our flat, and taking up space in the spare room.  Through my involvement with the Breadline Group I managed to find a needy family on the other side of the city that had never had a fridge!  So we took it over there and plugged it in for them.  The father of the house had a Persian name, so I rather doubt that he will be using it to store beer in..

Anyhow, it was a chance for me to check out how Singapore’s poor live, and I have to say that I am very impressed.  Singapore (or I guess more correctly I should say the People’s Action Party (PAP) ), is socialist in housing, though clearly not in a number of other arenas.  Ninety percent of Singaporeans live in an HDB.  HDB stands for Housing Development Board.  That would be around 3.6 million people.  The government owns all the land, builds all the buildings, and leases or rents them to the population for a reasonable, subsidised, amount.  I would happily live in an HDB, and if I was a citizen of Singapore then I would qualify for the subsidised rent.  Unfortunately I am not a citizen.

I have been in a few HDBs now.  They are spacious, they all have tiled floors, and they have these wide windows that you can slide all the way across so that the wind blows through and keeps things cool without the need for air-conditioning. 

According to history books, before PAP started it’s building programme in the ‘50s, the entire island was one huge Asian slum, without water reticulation, power, sewage, or street-lighting.  You can still find these places on the outskirts of Jakarta, Kuala Lumpur and Bangkok, but you won’t find anything like that in Singapore!

It was difficult to tell that I was in a poor part of town.  Everyone was smartly dressed, and the housing and amenities are the same everywhere in the country.  No litter. No graffiti.  No drugs.  No violence.  No crime.  A safe environment.  The only clues were a few more old people, a few more unemployed people wandering around, and a bit of street-hawker activity.  Apart from that everything was orderly and peaceful and smart.  So I was pretty impressed really.  If that’s as bad as it gets, then I would happily live there.

Even in the pleuty suburb of Albert Park, Melbourne, my local shop-keeper was out once a month painting the graffiti off his shop walls, and there were a couple of smash-and-grab raids for cigarettes every year.  In Remuera when I lived there (the top suburb in NZ), the local TAB was knocked over in an armed stick-up, and women in Mt. Eden said they wouldn't wander around by themselves.  Singapore is so safe that none of those things are much of a consideration here.  I still find it a bit odd to see a gaggle of schoolgirls in their uniforms wander through Clarke Quay after dark, past all the restaurants and bars.  But my guess is that there is absolutely no danger.  It is just such a safe city, and that is a fantastic thing!

.NET WebRequest.PreAuthenticate – not quite what it sounds like

I’ve run into the  problem a few times now: How to pre-authenticate .NET WebRequest calls doing an HTTP call to the server – essentially send authentication credentials on the very first request instead of waiting for a server challenge first? At first glance this sound like it should be easy: The .NET WebRequest object has a PreAuthenticate property which sounds like it should force authentication credentials to be sent on the first request. Looking at the MSDN example certainly looks like it does:

http://msdn.microsoft.com/en-us/library/system.net.webrequest.preauthenticate.aspx

Unfortunately the MSDN sample is wrong. As is the text of the Help topic which incorrectly leads you to believe that PreAuthenticate… wait for it - pre-authenticates. But it doesn’t allow you to set credentials that are sent on the first request.

What this property actually does is quite different. It doesn’t send credentials on the first request but rather caches the credentials ONCE you have already authenticated once. Http Authentication is based on a challenge response mechanism typically where the client sends a request and the server responds with a 401 header requesting authentication.

So the client sends a request like this:

GET /wconnect/admin/wc.wc?_maintain~ShowStatus HTTP/1.1
Host: rasnote
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 4.0.20506)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en,de;q=0.7,en-us;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive

and the server responds with:

HTTP/1.1 401 Unauthorized
Cache-Control: private
Content-Type: text/html; charset=utf-8
Server: Microsoft-IIS/7.5
WWW-Authenticate: basic realm=rasnote"
X-AspNet-Version: 2.0.50727
WWW-Authenticate: Negotiate
WWW-Authenticate: NTLM
WWW-Authenticate: Basic realm="rasnote"
X-Powered-By: ASP.NET
Date: Tue, 27 Oct 2009 00:58:20 GMT
Content-Length: 5163

plus the actual error message body.

The client then is responsible for re-sending the current request with the authentication token information provided (in this case Basic Auth):

GET /wconnect/admin/wc.wc?_maintain~ShowStatus HTTP/1.1
Host: rasnote
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 4.0.20506)
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en,de;q=0.7,en-us;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: TimeTrakker=2HJ1998WH06696; WebLogCommentUser=Rick Strahl|http://www.west-wind.com/|rstrahl@west-wind.com; WebStoreUser=b8bd0ed9
Authorization: Basic cgsf12aDpkc2ZhZG1zMA==

Once the authorization info is sent the server responds with the actual page result.

Now if you use WebRequest (or WebClient) the default behavior is to re-authenticate on every request that requires authorization. This means if you look in  Fiddler or some other HTTP client Proxy that captures requests you’ll see that each request re-authenticates: Here are two requests fired back to back:

and you can see the 401 challenge, the 200 response for both requests.

If you watch this same conversation between a browser and a server you’ll notice that the first 401 is also there but the subsequent 401 requests are not present.

WebRequest.PreAuthenticate

And this is precisely what the WebRequest.PreAuthenticate property does: It’s a caching mechanism that caches the connection credentials for a given domain in the active process and resends it on subsequent requests. It does not send credentials on the first request but it will cache credentials on subsequent requests after authentication has succeeded:

string url = "http://rasnote/wconnect/admin/wc.wc?_maintain~ShowStatus";
HttpWebRequest req = HttpWebRequest.Create(url) as HttpWebRequest;
req.PreAuthenticate = true;
req.Credentials = new NetworkCredential("rick", "secret", "rasnote");
req.AuthenticationLevel = System.Net.Security.AuthenticationLevel.MutualAuthRequested;
req.UserAgent = ": Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 4.0.20506)";
WebResponse resp = req.GetResponse();
resp.Close();

req = HttpWebRequest.Create(url) as HttpWebRequest;
req.PreAuthenticate = true;
req.Credentials = new NetworkCredential("rstrahl", "secret", "rasnote");
req.AuthenticationLevel = System.Net.Security.AuthenticationLevel.MutualAuthRequested;
req.UserAgent = ": Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 4.0.20506)";
resp = req.GetResponse();

which results in the desired sequence:

where only the first request doesn’t send credentials.

This is quite useful as it saves quite a few round trips to the server – bascially it saves one auth request request for every authenticated request you make. In most scenarios I think you’d want to send these credentials this way but one downside to this is that there’s no way to log out the client. Since the client always sends the credentials once authenticated only an explicit operation ON THE SERVER can undo the credentials by forcing another login explicitly (ie. re-challenging with a forced 401 request).

Forcing Basic Authentication Credentials on the first Request

On a few occasions I’ve needed to send credentials on a first request – mainly to some oddball third party Web Services (why you’d want to use Basic Auth on a Web Service is beyond me – don’t ask but it’s not uncommon in my experience). This is true of certain services that are using Basic Authentication (especially some Apache based Web Services) and REQUIRE that the authentication is sent right from the first request. No challenge first. Ugly but there it is.

Now the following works only with Basic Authentication because it’s pretty straight forward to create the Basic Authorization ‘token’ in code since it’s just an unencrypted encoding of the user name and password into base64. As you might guess this is totally unsecure and should only be used when using HTTPS/SSL connections (i’m not in this example so I can capture the Fiddler trace and my local machine doesn’t have a cert installed, but for production apps ALWAYS use SSL with basic auth).

The idea is that you simply add the required Authorization header to the request on your own along with the authorization string that encodes the username and password:

string url = "http://rasnote/wconnect/admin/wc.wc?_maintain~ShowStatus";
HttpWebRequest req = HttpWebRequest.Create(url) as HttpWebRequest;

string user = "rick";
string pwd = "secret";
string domain = "www.west-wind.com";

string auth = "Basic " + Convert.ToBase64String(System.Text.Encoding.Default.GetBytes(user + ":" + pwd));
req.PreAuthenticate = true;
req.AuthenticationLevel = System.Net.Security.AuthenticationLevel.MutualAuthRequested;
req.Headers.Add("Authorization", auth); 

req.UserAgent = ": Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 4.0.20506)";
WebResponse resp = req.GetResponse();
resp.Close();

This works and causes the request to immediately send auth information to the server. However, this only works with Basic Auth because you can actually create the authentication credentials easily on the client because it’s essentially clear text. The same doesn’t work for Windows or Digest authentication since you can’t easily create the authentication token on the client and send it to the server.

Another issue with this approach is that PreAuthenticate has no effect when you manually force the authentication. As far as Web Request is concerned it never sent the authentication information so it’s not actually caching the value any longer. If you run 3 requests in a row like this:

        string url = "http://rasnote/wconnect/admin/wc.wc?_maintain~ShowStatus";
        HttpWebRequest req = HttpWebRequest.Create(url) as HttpWebRequest;

        string user = "ricks";
        string pwd = "secret";
        string domain = "www.west-wind.com";

        string auth = "Basic " + Convert.ToBase64String(System.Text.Encoding.Default.GetBytes(user + ":" + pwd));
        req.PreAuthenticate = true;
        req.Headers.Add("Authorization", auth);
        req.UserAgent = ": Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 4.0.20506)";
        WebResponse resp = req.GetResponse();
        resp.Close();


        req = HttpWebRequest.Create(url) as HttpWebRequest;
        req.PreAuthenticate = true;
        req.Credentials = new NetworkCredential(user, pwd, domain);
        req.UserAgent = ": Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 4.0.20506)";
        resp = req.GetResponse();
        resp.Close();

        req = HttpWebRequest.Create(url) as HttpWebRequest;
        req.PreAuthenticate = true;
        req.Credentials = new NetworkCredential(user, pwd, domain);
        req.UserAgent = ": Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 4.0.20506)";
        resp = req.GetResponse();

you’ll find the trace looking like this:

where the first request (the one we explicitly add the header to) authenticates, the second challenges, and any subsequent ones then use the PreAuthenticate credential caching. In effect you’ll end up with one extra 401 request in this scenario, which is still better than 401 challenges on each request.

Getting Access to WebRequest in Classic .NET Web Service Clients

If you’re running a classic .NET Web Service client (non-WCF) one issue with the above is how do you get access to the WebRequest to actually add the custom headers to do the custom Authentication described above? One easy way is to implement a partial class that allows you add headers with something like this:

public partial class TaxService 
{                   
     protected NameValueCollection Headers = new NameValueCollection();      
     
     public void AddHttpHeader(string key, string value)
     {            
         this.Headers.Add(key,value);
     }
     public void ClearHttpHeaders()
     {
         this.Headers.Clear();
     }

     protected override WebRequest GetWebRequest(Uri uri)
     {
         HttpWebRequest request = (HttpWebRequest) base.GetWebRequest(uri);
         request.Headers.Add(this.Headers);
         return request;   
     }        

}

where TaxService is the name of the .NET generated proxy class. In code you can then call AddHttpHeader() anywhere to add additional headers which are sent as part of the GetWebRequest override. Nice and simple once you know where to hook it.

For WCF there’s a bit more work involved by creating a message extension as described here: http://weblogs.asp.net/avnerk/archive/2006/04/26/Adding-custom-headers-to-every-WCF-call-_2D00_-a-solution.aspx.

FWIW, I think that HTTP header manipulation should be readily available on any HTTP based Web Service client DIRECTLY without having to subclass or implement a special interface hook. But alas a little extra work is required in .NET to make this happen

Not a Common Problem, but when it happens…

This has been one of those issues that is really rare, but it’s bitten me on several occasions when dealing with oddball Web services – a couple of times in my own work interacting with various Web Services and a few times on customer projects that required interaction with credentials-first services. Since the servers determine the protocol, we don’t have a choice but to follow the protocol. Lovely following standards that implementers decide to ignore, isn’t it? :-}

Tell me about your services…

My team has been doing a little thinking recently about the “services” space.  Basically I have been trying to figure out how folks think about accessing data and business logic across tiers.  What are the types of development projects are services the core thing they are building and for what types of development projects are services simply pluming for getting the job done?

I’d love to have you folks chime into this conversation.   For starters, I have posted a very simple\quick survey.    Please take 30 secs and fill it out.

What statement best describes the type of work you typically do? (check all that apply)

1 - I write applications that happen to span across multiple tiers. My code runs on the web server and I also own the client.
2- I write servers that expose data that third-party developers will consume.
3- I write clients that consume data from third-party data sources.

Fill out the survey

Readify Silverlight Training Course – March 10-12 2010, Sydney
Next week I am running the Readify Silverlight training course in Sydney from March 10 to 12. The three day course takes you right through Silverlight from the basics right up to advanced topics. Head over to http://readify.net/training-and-events/professional-series/professional-silverlight-workshop/ for more information! Cheers, Jordan.

WPF and Text Blurriness, now with complete Clarity

Silverlight Testing Tools

Tim Heuer’s got a great blog post on Silverlight testing tools at http://timheuer.com/blog/archive/2009/02/26/silverlight-testing-frameworks.aspx.

He’s provides a quick overview of 3 different options:

• Microsoft Silverlight Unit Test Framework
• SilverUnit
• Selenium

Definitely worth checking out!

Thanks for checking out this post!

Cheers,

Murray Gordon ISV Architect Evangelist Microsoft Corporation  MurrayGordon.com US ISV Team Blog

Does MR have some catching up to do?
Browsing a couple of ad agency bloggers, and came across a couple of interesting pieces. This deck uploaded by Jason Oke demonstrates the issues with connections planning: Connections Planningness View more documents from Jason Oke. If agencies are moving towards a new understanding of what people do, and how they use media; and towards identifying people’s real problems. [...]

Knee Jerks
There was a fight on the roller hockey rink this morning. Anaheim bumped into Philadelphia at speed and Philly didn't like that so he elbowed Anaheim in the chest -- hard. Anaheim pushed back, shoving Philly into the goal where...

iPhone Love
A couple of months ago now I finally jumped in and bought an iPhone 3G S.  I love it!  I’m definitely a gadget-y kinda guy but this device is one of my favourite purchases ever. The iPhone. Photographed in a rare moment when we were separated. Some history. I’d had my Nokia 8210 since first year uni – [...]

Displaying Multimedia Content In A Floating Window Using FancyBox

While surfing the web you may have come across websites with images and other multimedia content that, when clicked, were displayed in a floating window that hovered above the web page. Perhaps it was a page that showed a series of thumbnail images of products for sale, where clicking on a thumbnail displayed the full sized image in a floating window, dimming out the web page behind it. Have you ever wondered how this was accomplished or whether you could add such functionality to your ASP.NET website?

In years past, adding such rich client-side functionality to a website required a solid understanding of JavaScript and the "eccentricities" of various web browsers. Today, thanks to powerful JavaScript libraries like jQuery, along with an active developer community creating plugins and tools that integrate with jQuery, it's possible to add snazzy client-side behaviors without being a JavaScript whiz.

This article shows how to display text, images, and other multimedia content in a floating window using FancyBox, a free client-side library. You'll learn how it works, see what steps to take to get started using it, and explore a number of FancyBox demos. There's also a demo available for download that shows using FancyBox to display both text and images in a floating window in an ASP.NET website. Read on to learn more!
Read More >

Review – London Assurance, National Theatre
As Phil arrived at the National Theatre for the preview of London Assurance on Monday night Andrew appeared to be intoning a new mantra. “Boo-see-co, boo-see-co, boo-see-co,” he muttered smugly, trying each permutation on for size to see which would sound most impressive. It transpired that Andrew had for once been swatting up: delving into the programme [...]

Flash and Standards: The Cold War of the Web
You’ve probably heard that Apple recently released the iPad. The absence of Flash Player on the device seems to have awakened the HTML5 vs. Flash debate. Apparently, it’s the final nail in the coffin for Flash. Either that, or the HTML5 community is overhyping its still nascent markup language update. The arguments run wide, strong, and legitimate on both sides. Yet both sides might also be wrong. Designer/developer Dan Mall is equally adept at web standards and Flash; what matters, he says, isn't technology, but people.

Accessing and Updating Data in ASP.NET: Filtering Data Using a CheckBoxList
With a little bit of effort it is possible to filter data based on the end user's selections in a CheckBoxList control. This article starts with a look at how to get SQL to filter data based on a user-supplied, comma-delimited list of values. Next, it shows how to programmatically construct a comma-delimited list that represents the selected CheckBoxList values and pass that list into the SQL query. Finally, we'll explore creating a custom parameter control to handle this logic declaratively.

Beta of VS Team Explorer with Cross Platform Support

Last November, I posted about our acquisition of the assets of Teamprise, a partner who provides access to Team Foundation Server from Eclipse and non-Windows platforms. 

 

The Teamprise products have been very popular with TFS customers who were developing applications across Microsoft and non-Microsoft platforms.  Often customers want to standardize on a single enterprise-wide solution for Application Lifecycle Management because of the cost savings and increased transparency this provides. The Teamprise technology is key in enabling cross platform TFS access.

 

Since welcoming the Teamprise technology and the development team into Microsoft, we’ve been hard at work introducing the essential features of TFS 2010 and working towards a high quality release. 

 

Today we are announcing a broadly available beta of Microsoft Visual Studio Team Explorer 2010.  This release includes the Team Foundation Server Plugin for Eclipse as well as the Team Foundation Server Cross Platform Command Line Client.  It works on Windows, Mac, Linux, and multiple flavors of UNIX, providing access to the same source control, work item tracking, build automation, and reporting features that Visual Studio customers have benefitted from.

 

Below, you can see a TFS user story work item in Eclipse.  The story’s implementation is described by a set of child tasks that are linked to that story.  It also shows the Pending Changes view with two source files checked out, the Team Explorer view with a set of work item queries organized into folders and the Eclipse import wizard connecting to TFS to import Java source into the Package Explorer. 

 

You can download the beta of Microsoft Visual Studio Team Explorer 2010 here, and as always you can provide feedback through the Microsoft Connect site.

Namaste!