Friday 16 October 2009

Using RPX with ASP.NET

RPX is a technology provided by a company called Janrain, allowing users to log into your web application using their existing Facebook, Twitter, Hotmail, Open ID or Google account (plus many more). The benefit to the user is that they don't have to divulge their details to yet another website and the benefits to developers are:
  1. You can achieve all this with only a small amount of development effort.
  2. You don't have to write mundane user management and authentication code for your application, allowing you to focus on your application's features and get to market quicker.
  3. People will be more likely to use to your application or website because they can log in with their existing credentials and don't have to register.
This article is intended for experienced ASP.NET developers and explains how to use RPX from ASP.NET without the need for a custom MembershipProvider.

Before getting started you will have to register for an RPX developer account, which only takes a few minutes. Once you've registered you will be given a secret API key for your application, which must be used in all communications with the RPX server. You should also take a look at the QuickStart Guide they provide before you continue reading.

Now that you have registered for RPX and read the QuickStart guide, you are ready to start cutting the code, so create a new ASP.NET project in Visual Studio and follow these steps:

Create a Login.aspx page in your ASP.NET project and add the following Hyperlink control:

<asp:HyperLink ID="lnkSignIn" runat="server" CssClass="rpxnow" onclick="return false;" Text="Sign In" />

Add this mark-up to the very end of your page, after the </html> tag:

<script src="https://rpxnow.com/openid/v2/widget" type="text/javascript"></script>

<script type="text/javascript">
RPXNOW.overlay = true;
RPXNOW.language_preference = 'en';
</script>

In the page load event of your Login.aspx page, add the following code, which sets the Navigation URL of the Hyperlink control you've just added to point to the RPX authentication service:

this.lnkSignIn.NavigateUrl = "https://[Your RPX Realm].rpxnow.com/openid/v2/signin?token_url=http://" + Request.Url.Authority + "/RpxResponse.aspx";

NOTE: The RPX Realm value is assigned by RPX to your application and can be found in your application's setting page, above the secret API key.

When the user clicks the Login hyperlink they will be taken to the authentication provider's website where they can log in securely. This also proves to the user that your website isn't phishing for their details and should make them feel more confident that their password won't be divulged.

The link you set in the code above tells the RPX service to redirect the user back to a page called RpxResponse.aspx, which is in the root folder of your website, so add a new ASP page to your project called RpxResponse.aspx and then add the following method in the code behind:

using System.Xml;
using System.Web.Security;

private void loginUser(XmlElement authInfo)
{
// Get the user's unique identifier (this will ALWAYS be returned regardless of the login provider
string userProvidersUniqueID = authInfo.GetElementsByTagName("identifier")[0].InnerText;

// See if the user's display name is provided (not supplied by some providers
XmlNodeList displayNameNodeList = authInfo.GetElementsByTagName("displayName");
string displayName = null;
if (displayNameNodeList != null && displayNameNodeList.Count > 0)
{
// Got a display name
displayName = displayNameNodeList[0].InnerText;
}
else
{
// No display name
}
// See if the user's email address is provided (not supplied by some providers)
XmlNodeList emailAddressNodeList = authInfo.GetElementsByTagName("email");

string emailAddress = null;

if (emailAddressNodeList != null && emailAddressNodeList.Count > 0)
{
// Got an email address
emailAddress = emailAddressNodeList[0].InnerText;
}
else
{
// No email address
}
// Set the authentication cookie and go back to the home page
FormsAuthentication.SetAuthCookie(userProvidersUniqueID, false);
Response.Redirect("~/Default.aspx");
}

Each authentication provider returns a different set of data about the user, for example, Facebook and Twitter do not return the user's email address, but every provider will supply their unique user ID in the identifier element returned in the RPX auth_info xml document passed back from the RPX authentication service.

The RPX web services uses HTTP POSTs to perform actions and send the results back in XML as a HttpWebResponse (there is also a JSON interface but I won't be covering that here). In order to hide the complexity of these operations you can download a wrapper class from the RPX website, which you should also add to your ASP.NET project.

Now add the following code to the page_load event of your RpxResponse.aspx page:

const string apiKey = "[Your secret API key goes here]";
const string paramToken = "token";

// Get the login token passed back from the RPX authentication service
string loginToken = Request.Form[paramToken];

// Create an RPX wrapper to get the user's data
Rpx rpx = new Rpx(apiKey, "https://[Your RPX Realm].rpxnow.com/");

// Get the user's details
XmlElement authInfo = rpx.AuthInfo(loginToken);

// Log the user in
this.loginUser(authInfo);

And that's all there is to it. You now have access to the user's ID from the Page.User.Identity.Name property until they log out.

Copyright © 2009 Software Nation

Tuesday 21 April 2009

Dynamic WHERE conditions in Sql Server queries

During development you will often come across the need to write several stored procedures that each return the same columns, but where the number of records returned varies depending on the arguments supplied to the WHERE clause.

For example, say you had a document management system and you wanted the ability to return all documents in a given folder, as well as the need to return an individual document. This would normally require two seperate stored procedures:

    sp_GetDocumentsInFolder @folderId int

and

    sp_GetDocument @docId int

Whilst effective, this approach means that if the query changes in one stored procedure, you will also have to update the corresponding stored procedure to ensure that they both continue to return the same columns. The difficulty of this change is directly proportional to the complexity of the underlying query.

Another approach is to have one stored procedure that generates a dynamic SQL statement as a string variable that is passed to the sp_execute system stored procedure. This approach is even more cumbersome because it involves concatenating strings and you lose all the performance benefits of a stored procedures this way too, because the query plan cannot be cached by the database engine; it potentially leaves you open to SQL injection attacks also.

Wouldn't it be better if you could write the query once and only include conditions in the WHERE clause if necessary? Well, you can do just that using the following technique:

   DECLARE @docId int, @folderId int

   SET @docId = null
   SET @folderId = 100

   SELECT  ID,
           Name,
           FolderID
   FROM    Documents
   WHERE   (@docId IS NULL OR ID = @docId)
   AND     (@folderId IS NULL OR FolderID = @folderId)


In the example above, two variables are defined: one to hold the ID of the required document and the other to hold the ID of the folder whose documents are required. The WHERE condition includes logic to omit a condition if the corresponding variable is set to NULL, and in this example, the document ID is ignored because it is set to NULL and only documents in folder ID 100 will be returned.

To return a single document instead, we simply set the @docID variable to the primary key ID of the required document and set the @folderId to NULL, as follows:

    SET @docId = 5
    SET @folderId = null

You could of course set the @folderId value as well to only return the document if it existed in the specified folder.

Likewise, if you set both variables to NULL, all documents would be returned regardless of their ID or Folder ID values.

This query can be used in a stored procedure as follows:

    sp_GetDocumentDetails @folderID int, @docId int

Passing a value to the first argument and NULL to the second argument will result in all documents in that folder being returned. Passing NULL to the first argument and a value to the second argument results in only a single document being returned (if a matching ID was found of course). And finally, passing NULL to both arguments will return all documents.

Using this approach, the query to return document details only ever needs to be maintained in one place and the results from the stored procedure varies depending on the values passed in to the arguments. You also get all of the speed and security benefits of using stored procedures.

Copyright © 2009 Software Nation

Tuesday 3 February 2009

Use LINQ to extract objects from a collection by type

Language INtegrated Query (LINQ) was introduced to the .NET Framework in version 3.5, which allows the developer to perform SQL-like queries against collections of objects in their code.

LINQ includes a method called OfType that allows you to return objects of a given type from a collection.  For example, say you wanted to disable all text boxes in your Windows Forms application.  The pre-LINQ way would require you to iterate through all of the items in the Form object's Controls collection, setting the Enabled property of each text box as you go.  Obviously, if your form contains lots of different controls this can be very inefficient, but now with LINQ you can do the following in C#:

using System.Linq;

// Use the LINQ OfType method to extract all text boxes from the form's Controls collection
IEnumerable<TextBox> textBoxes = this.Controls.OfType<TextBox>();
            
foreach (TextBox tb in textBoxes)
{
    // Disable this text box
    tb.Enabled = false;

Thursday 29 January 2009

Passing XML as arguments to a Sql Server stored procedure

Since the release of Sql Server 2005, Microsoft added a whole raft of features for storing, reading and manipulating XML data to their enterprise database platform.

If you are writing a stored procedure and want to pass a collection of data as an argument, one way to achieve this is to pass the data in as an XML string, whose contents can then be parsed into a rowset, like so:

DECLARE @xmlData XML

SET @xmlData = '<root><data id="1" text="Dave"/><data id="2" text="Neil"/><data id="3" text="Anthony"/></root>'

SELECT    ParamValues.myData.value('./@id','int') as ID, 
          ParamValues.myData.value('./@text','nvarchar(50)') as [Text] 
FROM     @xmlData.nodes('/root/data') as ParamValues(myData) 
ORDER BY [Text]

This results in the following output:

3 Anthony
1 Dave
2 Neil

The resultant rowset can be used as part of an IN clause or can be iterated through via a cursor or as part of an INSERT...SELECT statement, for example.

This approach can also be used in Sql Server 2008.

Tuesday 27 January 2009

The Importance of "Flow"

“Flow” is a term used in psychological circles to describe a human state of high concentration, which most people refer to as being “in the zone.” Whenever a person is engrossed by a task they become immersed in a state of flow and are oblivious to the passage of time, whilst experiencing a mild state of euphoria.

Effective creative workers enter a state of flow for several hours, during which time their productivity skyrockets, but flow requires silence to be achieved and cannot be switched on and off like a tap. The average person takes around 15 minutes to start flowing, whilst it only takes a matter of seconds to be distracted and thus removed from flow.

Software developers must enter a state of flow on a regular basis in order to write code that solves a specific problem. Roughly half of a developer’s working day involves solving problems on their own and as such they need to work in an environment that encourages and sustains flow. The remainder of their day is spent communicating with one of more people, either collaborating or attending meetings etc.

Consider that it takes 15 minutes for a developer to enter a state of flow.  If you were to interrupt a developer to ask a question and it takes five minutes for them to answer, it will take a further 15 minutes for them to regain that state of flow, resulting in a 20 minute loss of productivity. Clearly, if a developer is prevented from flowing several times during the day their work rate declines substantially. 

Such interruptions needn’t be direct communication with a developer and can result from ambient noise levels, such as people talking to each other at elevated volume, a fire alarm test, a shredder or photocopier, the sound from a colleague's PC or the constant ringing of an un-answered phone. A noisy environment is a sure fire way to disrupt flow, which is why the large open plan office is the scourge of creativity and why a lot of developers wear headphones. Listening to music uses a different part of the brain than that required to solve problems and can be used to filter out ambient noise.

A minority of creative professionals are oblivious to their surroundings and cannot easily be distracted once in a state of flow, but the majority need a quiet and calm environment in which to prosper.  Extreme concentration almost always requires complete silence. 

The cost of office space can be very high and companies try to make the best use of their available room by putting as many people as possible into the same office. Whilst this approach may seem fiscally sensible it actually has a negative impact on creative thinking and probably costs more in terms of lost productivity and delayed projects due to innumerable daily disturbances.

© 2009 Software Nation

Monday 26 January 2009

Overview of Software as a Service (SaaS)

Software as a Service is a software delivery model that could actually be called “Software as a Subscription” because it basically means paying for software on a recurring basis, as opposed to the traditional model of commodity software, when a customer pays once and has the software for life, or pays an additional fee to upgrade to a new version in the future.

Hosted software applications are typically accessed via a web browser over the Internet, but this needn’t be the case. A user could install a SaaS application on their PC in the traditional manner, but it will only operate as long as they have a valid subscription.

Benefits of SaaS

Customer Benefits

A customer may baulk at the idea of paying a subscription for software because it breaks away from “the norm” when procuring software; however the benefits are legion:

Low initial capital outlay = low risk

Normally when implementing a software application the customer must pay large fees upfront for software licences and pay specialist consultants pots of money to install and configure the software at their premises; they also have to provision suitable hardware on which to run the new software, which can add massively to the total cost.

With SaaS the potential customer can try the software free of charge before making a decision whether to buy. If the application runs in a web browser there is no additional software to install so they can be up and running in minutes. If they decide to buy, there may be a set up or administration fee in the hundreds or thousands of pounds, rather than the tens of thousands, after which they pay a set fee for the duration of their service agreement, either monthly, quarterly, bi-annually or annually, for example.

No special hardware requirements

With hosted SaaS applications the vendor takes responsibility for hosting the application and the storage of all data. As such the customer doesn’t have to pay for expensive hardware infrastructure to host the application themselves.

No more backups

Because a SaaS application vendor looks after the customer’s data they do not have to worry about scheduling regular backups, disaster recovery, business continuity or physical access to data by unauthorised people.

Regular updates and bug fixes

Normally a user can wait several months or years to receive bug fixes or feature enhancements to their installed software applications. With browser-based SaaS applications there is normally nothing special to install, so regular updates to fix any bugs, add new functionality and improve existing functionality are easy to deploy. Best of all, no effort is required by the customer when a new release is made; they simply log into the new release of the application in the exact same manner as before.

Access the application anywhere in the world

With installed software you can only access the application on PCs where it has been physically installed. With the hosted SaaS model a user can access their applications anywhere in the world with an Internet connection: from the office, from home, an Internet café on holiday or an Internet terminal in their hotel lobby when away on business, even from their seat on a plane that has in-flight Internet connectivity.

Vendor Benefits

As software vendors, there are many benefits to developing hosted SaaS applications. So much so that Microsoft and other big software companies are trying desperately to move from installed software to a SaaS model for these reasons:

No piracy concerns

With hosted software, application files are never released to the outside world so they can never be copied or used illegally. Therefore the vendor doesn't have to waste valuable resources developing and testing anti-piracy measures that can take a lot of time, whilst providing no benefit to the end user whatsoever.

No need to write installers

As surprising as it may seem, creating the simple setup.exe installer program used to install software on a PC is a project in itself and can take many months to develop and test, directly proportional the complexity of the application associated. With the hosted SaaS model the customer never has to install the software so the vendor never has to write an installer for it.

There is only ever one version – the current version

A big problem for software companies is providing support for historical versions of each of their applications. For example, Microsoft Support staff must provide assistance for Office 2007, 2003, 2000 and so on until an old version is retired. A lot of support time can be spent simply trying to determine what version of the application the user is running before actually finding a solution to their problem.

With the hosted SaaS model every user accesses the most recent release of the application, meaning support staff can concentrate on finding a solution to the problem, rather than discovering the application version involved.

Recurring revenue

For software companies the nirvana is the ability to generate recurring revenues from their applications in the form of regular automated subscription payments. Before the ubiquity of the Internet, such subscription models were not really feasible without the installation of specialised communications hardware on the client's premises. Now, with almost every PC in the civilised world having a high-speed Internet connection, accessing a server via the Internet, either to look at a website, download a file or access a hosted software application is easy.

With SaaS, the recurring revenue model allows the vendor to continually improve their software in accordance with their clients’ needs and to continually re-invest in their hosting facilities to increase performance. It also goes towards the research and development of new applications and in bolstering technical support capabilities for improved customer service.

Easy releases

When a new release of a hosted SaaS application is ready for launch it is very easy to deploy it for public consumption with minimal or no downtime whatsoever. The release process is completely invisible to the user and they get all of the benefits of the new release with no effort on their part whatsoever.

Multiple language support

A software vendor with an international customer base must create a separate version of their installed applications for each language they support. With the hosted SaaS approach this overhead is not required, and as such different languages can be supported by simply providing a dictionary of terms used by the application in the required language.

No manufacturing and distribution costs

Because hosted SaaS applications are accessed over the Internet there is no need to produce boxed software containing installation discs or costly printed manuals that must be shipped around the world and sold through traditional retail channels.

Disadvantages of SaaS

Of course, no technical paradigm is perfect, but with the hosted SaaS model the perceived disadvantages are few and far between:

Customer Disadvantages

Where is my data?

Potential users of SaaS applications will almost always ask “where is my data and is it safe?” Clients are used to installing software and keeping their sensitive data onsite under their jurisdiction. With the hosted SaaS model all customer data is stored on shared centralralised servers and naturally this can raise concerns about the security of data and whether it can be accessed by others or copied to disc and lost in the post, for example.

This fear is usually allayed once the customer is made aware of the security precautions undertaken at the hosting company’s premises where their data is physically located, which can put some military bunkers to shame. Oftentimes the security of a dedicated hosted environment
will be far greater than that of a locked server room in the customer’s building.

A customer's service level agreement (SLA) with a SaaS vendor should always include security guarantees and the customer must also have the ability to obtain a copy of their data should they terminate the agreement further down the line. The SLA should also include measures to prevent the vendor from ramping the price up too high at contract renewal time, once the application becomes a vital part of the customer's day-to-day operations.

Application availability concerns

With hosted SaaS software the vendor should endeavour to make their applications available 24x7x365; however no hosting environment is 100% downtime free. Every server needs regular software patching to keep it secure and all hardware is susceptible to failure; while the former is an unavoidable necessity, the latter can be mitigated by building hardware redundancy into the server infrastructure. This basically means “at least two of everything”: two power supplies; two internet connections; at least two hard drives etc, etc. This way, if one power supply fails the other will take over, or if one internet provider loses connectivity the other provider will continue service as normal, often with no perceptible impact on the user.

With traditional installed software, the client can schedule maintenance and downtime to suit their own schedule, but with hosted SaaS the vendor must ensure to notify all customers of planned downtime well in advance so that they can either object strongly or work around it.

Again, all of this will be covered in the service level agreement between the customer and the vendor.

Vendor Disadvantages

For a hosted SaaS vendor, the following disadvantages are far outweighed by the benefits:

Building software that is secure and scalable

All customers access their hosted applications on the same server(s) and their data will typically be stored alongside each others’ in the same database – an approach known as single instance, multi-tenancy, meaning a single installation (instance) of the software serves many users (tenants).

This approach presents a unique set of challenges when designing applications that scale to serve many hundreds or thousands of concurrent users efficiently, whilst enforcing a strong security
mandate. These challenges are not insurmountable but they do require a different mindset from creating standalone applications that are installed on a PC and have access to powerful dedicated resources, such as a local hard disk drive, a powerful graphics card and the latest multi-code processor – all for just one user. A SaaS application on the other hand must use a server’s precious (and expensive) finite hardware resources judiciously whilst handling many users at the same time.

Hardware and hosting costs

The investment in server hardware for a hosted SaaS vendor is substantial, especially when you factor in the need for redundancy, meaning a server must contain “at least two of everything”, as discussed earlier.

Furthermore, the cost of hosting the server infrastructure is considerable because vendors have to effectively rent floor space at the hosting company’s secure premises where their server hardware will sit. They then have to rent power usage and pay for the bandwidth consumed by their customers. Of course, if a SaaS vendor has the resources they can build and operate their own hosting environment, but it's not unusual for vendors to outsource this part of their business, leaving them to concentrate on building, selling and supporting their applications.

All of these costs are recouped by the licence fee income and vendors can even charge customers extra when they exceed the monthly bandwidth allowance in their SLA, but if they were to skimp on the infrastructure customers would soon go elsewhere when performance drops and availability is reduced because the servers are overburdened by traffic.

None of the above is cheap.

Recruitment

It is hard to find talented technical people who understand SaaS, such as developers, testers and systems engineers. Designing, building, testing and hosting SaaS applications is different from standalone software and requires a certain mindset and technical skills. There is a scarcity of such people in the marketplace at any given time, so recruiting is a never-ending task.

Providing customer support that is second to none

When a client is paying for software on a subscription basis they expect to receive an excellent level of service in correlation to their subscription fees. When they need to call for telephone support they expect to get through quickly, not sit on hold for hours and when they do speak to someone they expect them to be knowledgeable and expedient. As with hardware, this requires significant investment to recruit, train and retain remarkable support personnel.

Summary

SaaS is being embraced the world over by IT executives who are looking to reduce risk and overhead by allowing software vendors to host their applications and look after their data. Dramatic savings can be made in terms of salary and hardware costs when comparing a SaaS application subscription to the ongoing costs involved with in-house developed and hosted software.

Of course, not all software benefits from the SaaS model, but there are an increasing number of useful applications out there today for those of us that follow the edict of "buy rather than build".

Copyright © 2009 Software Nation