Adnan Masood's Weblog! عدنان مسعود

Document Literal vs. RPC Encoding is the big endian-little endian of connected systems. There has been a lot said about the differences (see reference section for details) however this post is about how elegant it looks in WCF. Traditionally we had two ways to represent them;

As a web method

[WebMethod] public int Add(int p1, int p2) { return p1+p2; }

[WebMethod] [SoapRpcMethod] public int Add(int p1, int p2) { return p1+p2; }

Or as a SoapDocumentMethod

SoapDocumentMethod( "http://www.dotnetsmith.com/DocumentLiteral", RequestNamespace="http://www.dotnetsmith.com", ResponseNamespace="http://www.dotnetsmith.com", Use=SoapBindingUse.Literal)] public string DocumentLiteral(Address1 address, bool useZipPlus4) {

[SoapDocumentMethod( "http://www.dotnetsmith.com/DocumentEncoded", RequestNamespace="http://www.dotnetsmith.com", ResponseNamespace="http://www.dotnetsmith.com", Use=SoapBindingUse.Encoded)] public string DocumentEncoded(Address address, bool useZipPlus4) {

With WCF's seperation of Data and Service Contracts, it has become much more cleaner and clear.

[ServiceContract] [DataContractFormat(Style=OperationFormatStyle.Document)] //Or Rpc public interface IOrderEntry {...}

[ServiceContract] [XmlSerializerFormat(Style=OperationFormatStyle.Document, Use=OperationFormatUse.Literal)] //Or Encoded public interface IOrderEntry {...}

and the one way attribute as an operation contract.

public interface IOrderEntry
{
[OperationContract(IsOneWay = true)]
void PlaceOrder(PurchaseOrder order);
}

Remember that RPC/encoded is not WS-I compliant!

Following is difference in the output from the two different

References

• RPC/Literal and Freedom of Choice (MSDN)
• Web Services Encoding and More (MSDN)
• Which style of WSDL should I use?
• Patterns and Strategies for Building Document-Based Web Services
• wsdl:binding "style", "use", and message format
• Understanding WSDL
• Doc/Literal/Bare
  

Yes, the secret they would never tell you, it's actually just good old DOS ... see the screenshot below.

MS-DOS resident in high memory area! Haven't seen this one since I last wrote in Dos4GW.

Joking aside, Powershell an excellent and must have tool. Now you can have man-* and loads of command lets. Write your .NET code or WMI management code in it, as good as any *ix shell I've used if not better.

Here is a good step by step introduction to powershell by Dr Tobias Weltner (Powershell MVP) Mastering PowerShell in your Lunch Break -

• Powershell Live 
• PowerScripting Podcast
  

Now this is my idea for summer fun! Too bad its far far away from sunny California else I'd be right there.

Machine Learning Summer School

August 20-31, 2007, Max Planck Campus, Tübingen, Germany

Machine Learning is a foundational discipline of the Information Sciences. It combines theory from areas as diverse as Statistics, Mathematics, Engineering, and Information Technology with many practical and relevant real life applications. The aim of the summer school is to cover the entire spectrum from theory to practice. It is mainly targeted at research students, academics, and IT professionals from all over the world.

The program will feature introductory courses at the beginning to provide basic working knowledge of Machine Learning. Building on this  introductory material, advanced topics will be covered progressively over the duration of the school. Subjects will be covered both in lectures (4-6 per topic) and in practical courses (where students will have the chance to implement methods for themselves); and are taught by world experts in their fields.

This school is suited to PhD and Masters students, as well as advanced undergraduates. Material is directed both at participants without previous knowledge in Machine Learning, and at those wishing to broaden their expertise in this area. The MLSS also provides an excellent opportunity for interaction with top researchers in a broad cross-section of machine learning disciplines.

Read More

Yesterday's ISSA (Information Systems Security Association) LA chapter's monthly member meeting was highlighted by Jeremiah Grossman's presentation on Hacking Intranet Websites from the Outside and Best Practice Security Measures . Stan Stahl of Citadel information security group and president of ISSA-LA chapter invited us to this lunch meeting which was very informative from development and architectural perspective. I along with a few work colleagues attended and immsensely enjoyed it.

Jeremiah is CTO of white hat security and a security enthusiast. In a brief conversation with him about CAPTCHA's effectiveness, he summarized it as "bad guys are winning". By using promiscuous websites as CAPTCHA validation engines, they have created a mechanical turk to avoid the bot detection; and of course the OCR's are getting better and better too. In response to another question about blocking IP's for suspicious activity, he mentioned that intelligence based on IP is not a bad solution but in presence of anonymity engines like Tor, its not quite deterministic and should be used with care. The CTO of White hat security mentioned Cross-site request forgery as one of the biggest up coming threats which is getting more and more press.

The presenter listed the following as his top 10 web 2.0 vulnerabilities list and provided samples during his demo about each of these. Here is an excerpt from his blog. Check out the fill list on his blog.

1. Web Browser Intranet Hacking / Port Scanning - (with JavaScript and with HTML-only and the improved model)
2. Internet Explorer 7 "mhtml:" Redirection Information Disclosure (PATCHED)
3. Anti-DNS Pinning and Circumventing Anti-Anti DNS pinning
4. Web Browser History Stealing - (with CSS, evil marketing, JS login-detection, and authenticated images)
   
5. Backdooring Media Files (QuickTime, Flash, PDF, Images, Word [2], and MP3's)
6. Forging HTTP request headers with Flash
7. Exponential XSS (Multi-site propogation)
8. Encoding Filter Bypass (UTF-7, Variable Width, US-ASCII)
   
9. Web Worms - (MySpace, Xanga)
   
10. Hacking RSS Feeds

Here is a link to his earlier talk this year. From a .NET developer's point of view, effective usage of framework features to avoid XSS was highly recommended. Most of these issues would be covered by following the OWASP top 10 list best practices however web developers should also be at least aware of exploits which are beyond their control and are more browser/platform dependent (item 3, 4, 5 and 6 on the list) so they will be able to respond with a contigency plan in case of any such compromises.

With Ajax talking directly to web services, the risk of attack is on the rise. Here are multiple videos about Ajax Hacking (and prevention using ASP.NET)

References:

ha.ckers.org web application security lab

This blog title is surely oxymoron-ish but hold your opinions before you read it completely!

If you are a .NET developer and have

1. Tried building Java Apps for interop/proof of concept/fun/prototyping and the weird class paths have repeatedly failed you.
2. Tried eclipse and netbeans and were scared of their bloat/complexity/usability!
3. Given up on the professor who would not buy into .NET and force you to do all the coursework in Java...

IntelliJ Idea is for you. No, the manufacturer didn't pay me anything to write this but you have to try it to believe. Its by the same company which brought us re-sharper.

The usability of the IDE is excellent and for some reason it seems to be geared towards Visual Studio users since the short cuts etc are similar. Smaller footprint (compared to other monstrosities) and easy to use.

and yes, I'll always be wondering where did tek-tools Kawa go?

This blog entry is based on a conversation with Michelle Bustamante at the SoCal Code Camp.  She has announced doing a 15 part series of web casts on WCF. All the links are on her blog WCF Webcast Series

Michelle has raised an important concern about web service software factory; Why Web Service software factory? For someone who is skeptical of tools and believes in the raw power of framework and associated IDE, this is a genuine point of unease. Why use a fancy new piece of software which creates some arbitrary code and projects while you can start from scratch in your favorite IDE and do it all by yourself? What is the architectural and development advantage of the prior approach?

Web Service Software factory is an integrated collection of tools, best practices, design patterns, sample source code and guidance. Following are the five key reasons I recommend usage of Web Service Software Factory in the enterprise development.

1. Service Orientation Comes Standard
2. Executable Architectural Guidance
3. Service Targeted Code Analysis
4. UI Consoles for Housekeeping Chores
5. Project Template – Avoid the blank page syndrome
   

 
1. Service Orientation Comes Standard

The templates generated by WSSF are built with SOA tenants in mind. The template comes with separate projects and folders dedicated to project entities such as business logic, resources, data access, service interfaces, data, fault and service contracts, service host and client for self hosting. This enforces the SOA design practices such as type separation, having contracts and interfaces, separate service policy from implementation, keeping boundaries explicit and schema enforcement. As a result, this becomes a better overall design resulting in better compatibility and interoperability when the service is published or modified at a later date.

Figure: Solution interactively creates the business logic and service interfaces.

Figure: The Project Structure after a solution is created.

 

2. Executable Architectural Guidance

In contemporary development, we developers heavily rely on intellisense. We like IDE’s to do little syntax corrections for us and  press F1 to see a new class’s syntax; Wouldn’t it be nice if one can see step by step instructions for basic things like “How to create a Message contract” or for relatively advance things such as “Decorate type as DataContract”. How about if you can “run a recipe” i.e. have a built-in macro which would do all the underlying work for you. Sounds interesting? WSSF provides both the documentation style and executable guidance for Web Service developers. See it for yourself.

 

Figure: The architecutral guidance in the IDE. Click on the picture to enlarge.

3. Service Targeted Code Analysis

I’m sure you use FxCop as part of your daily continuous integration process? No? ok, I didn’t hear that. Seriously, what is the better way to enforce enterprise level coding conventions, security rules et al. Web Services software factory comes with WCF Semantic code analyzer which uses the FxCop engine to perform the semantic rules check and provide necessary recommendations. Using service factory, you can easily create a code analysis rule that will inspect service contract code and check code compliance with WCF service model. See chapter 13 of hands on labs for further details.

 

Figure: Showing the code analysis engine. 

4. UI Consoles for Housekeeping Chores

This is your first WCF service and you want to expose it to the world. What is the first error you get when you run it?

Metadata publishing for this service is currently disabled

Now you have to copy and paste few behavior attribute lines to the web.config. No big deal but how about if you want to tweak with interop and communication? Would it be easy if all these are part of a management console? Service factory team heard you. These and many more attributes are now part of context menus for each and every project. You can right click on the project and see how you can do general maintenance tasks by few mouse clicks.

Figure: Context menu for exposing the service

 Figure: The dialog for exposing the meta-data extension and the service interop.

5. Project Template – Avoid the blank page syndrome

Being an architect you want your development team to follow an enterprise template for service orientation; They are free to innovate but within boundaries so no one starts writing their ADO.NET code inside the web service class file. Makes sense? Now apart from visual studio.NET enterprise templates, you can do it now with service factory templates to enforce the coding standards and provide a good starting point for your developers.

 

Figure: Context menu for exposing the project template.

Figure: Template Export Dialog

Like WCF itself, the service factory also greatly helps developer to stay focused on business logic programming, service versioning, service, data and message contracts, the core concepts instead of doing the repetitive tasks and plumbing work. I’m not sure how many would actually buy into it but for what it’s worth, treating WSSF even as an SOA learning tool would be quite effective.
 

Happy 4^th of July; now I’m going out to enjoy some fireworks.

As I was driving down to work this morning trying to catch up on .NET Rocks, I started listening to ASP.NET Scalability Panel Tech-Ed 2007 show. This is an excellent panel discussion; highly recommended to anyone who writes an ASP.NET web application. The panelists include Stephen Forte, Kent Alstad and Rob Howard who talked about caching, SQL Profiler, non reproducible timeouts, web server optimization and the business case for performance etc; you surely don’t want to miss it.

Also during the SoCal Code Camp I attended a talk by Richard Campbell on ASP.NET scalability (also dubbed as “Killing web servers for fun and profit”) and there was a equation he mentioned during the presentation which is also available as part of Stephen Forte’s PDC slides. The equation goes as

R ≈ (Payload / Bandwidth ) + AppTurns(RTT) + Cs + Cc

Where

AppTurns is the turn count required to generate a user response

Bandwidth is the minimal bandwidth (bits per second) across all the network links between the user and the application server.

Cc (Compute Client) is the total processing time (seconds) required by the client device.

Cs (Compute Server) is the total processing time (seconds) required by the server(s).

Payload is information content (bytes) that must be delivered to/from the user’s device.

R is the response time, which is the elapsed time (seconds) between a user action and the system response (client, network, server),

RTT is the round-trip-time (seconds) between the user and the application server.

Aside from figuring out the weakest link in your system using the above equation, you should definitely check out the following resources if interesting in making your website more “responsive” and effective. Feel free to drop me a line (adnanmasood at gmail dot com) if you have any interesting problems in this area and I’d love to assist.

References

• Web Page Analyzer
• Speed Test
• .NET Rocks Show - ASP.NET Scalability Panel
• Red gate ANTS tool
• Strangeloop Networks
• Scaleout Software
• Akamai: Web Application Acceleration and Performance
• Improving .NET Application Performance and Scalability (Patterns & Practices)

Assiduus usus uni rei deditus et ingenium et artem saepe vincit.
Constant practice devoted to one subject often outdoes both intelligence and skill.

So after grueling 18 months, I've just graduated with degree of Masters in Computer Science from Graduate School of Computer and Information Sciences, Nova Southestern University.

I've taken the following courses taught by these fine individuals; have learned a lot and can't thank them enough for their time and dedication.

CISC 0670 - Artificial Intelligence - Dr. James Cannady
CISC 0680 - Software Engineering - Frank Mitropoulos, Ph.D.
CISC 0647 - Advanced Computer Architecture- Dr. Jerry A. Smith
CISC 0685 - Human-Computer Interaction - Dr. Maxine S. Cohen
CISC 0630 - Compiler Design Theory- Dr. Amon Seagull
CISC 0660 - Database Management Systems Dr. Junping Sun - Compiler Design Theory
CISC 0615 - Design & Anal. of Algorithm - Dr. Jerry Smith -
CISC 0620 - Modeling And Simulation - Dr. Jeffrey D Kane
CISC 0640 - Operating Systems - Dr. Greg Simco
CISC 0681 - Computer Graphics - Dr. Michael Laszlo
CISC 0650 - Computer Networks - Dr. Wei Li
CISC 0610 - Programming Languages - Frank J. Mitropoulos, Ph.D.

Now I'm applying for doctoral studies in Dept. of Computer Science from University of Idaho as well as GSCIS Nova. I'll be starting PhD in Jan 2008 إن شاء الله

Many thanks for my family and friends for their support during this time. Thanks for my wife for the surpirse party, my parents for the call and my in-laws and Ken Nign for the gift card to the lovely place that is Borders where you can read books and drink coffee, my two favourite things to do.

And here is Zakariya with his glasses :)

Following are some of the interesting quotes from Dot Net Rock’s infamous Richard Campbell’s SQL Query optimization session at code camp; Excellent talk, informative and entertaining. And yes, he is officially the 5th person who laughed at the autobahn joke, that’s pre-explanation!

Heisenberg uncertainty principle of SQL profiler “If you have measured it, you just modified it”

“We have the best query processor in the business”
-Speaking  about the SQL server 2005 query plans

“uh oh” is as informative as many database errors we get.

“There is no reason why we can’t do it that way, I’m just lazier”
-Answering an attendee on alternate query plan.

“You are the guy who told me that numbers start at 0 not 1, and 1 is the second number, why are you arguing with me?”
-On speaking with the dba on indices

“Consulting is con-game and intelligence”

“Computers are merely amplifiers; they amplify intelligence or amplify stupidity.”

“Anything which is worth doing is worth doing excessively.”

“If you do your job flawlessly, no one sees you anymore.”
-On IT guys being unappreciated for system uptime.

"Triggers are voodoo"