Botsikas' Blog

Debugging a node.js app in windows (no eclipse)

2011-12-16T00:21:00.001+02:00

If you don’t want to install eclipse and google dev tools to debug your node.js app you may use node inspector which is a node.js app that resembles google chrome’s dev tools. You start your node app passing the –debug-brk (or –debug if you don’t care about the first lines of code) and then fire up node inspector and debug the app. I actually have node inspector running all the time and I simply refresh the webpage when I reload the application.

Happy debugging…

strcasecmp: identifier not found when porting from linux to windows

2011-12-15T23:51:00.001+02:00

Ever tried to port from linux to windows and got the :

error C3861: 'strcasecmp': identifier not found

The easiest workaround is to add a conditional define (visual studio add the –D _WIN32 or _WIN64 depending your OS) and define the following mappings:

#if defined(_WIN32) || defined(_WIN64)
#define snprintf _snprintf
#define vsnprintf _vsnprintf
#define strcasecmp _stricmp
#define strncasecmp _strnicmp
#endif

Another common missing identifier is the Uint which can be solved adding:

#define uint=unsigned int

Debugging native node modules loading failure on windows

2011-12-15T23:27:00.001+02:00

If you ever need to build a module that requires another library (e.g. openssl, ict, expat etc) you may receive an “Out of memory” error when you require the file. This is unfortunately a generic error on windows but you can fire up visual studio and debug node (attaching to a process) and you can can see there the exact system error number (sys_errno) by adding a breakpoint in deps\uv\src\win\error.c when uv translates the error code (uv_translate_sys_error).

In my case I was receiving the 126 error code which I looked up at http://msdn.microsoft.com/en-us/library/windows/desktop/ms681382(v=vs.85).aspx and then I figured that I hadn’t restarted the console after I added the referring dll file path in my enviroment PATH variable… I opened a new console, verified that the dll’s path is in my PATH variable and the module loaded just fine…

Hope this helps a bit when you try to debug weird loading errors.

Node.js modules cross platform compilation using gyp

2011-12-14T08:37:00.001+02:00

Update: I have made a pull request where you can find the updated tools discussed in this article, located here
Node.js has been using waf (node-waf) to configure and build modules up to version 0.4. From v0.6 and on, the team has moved on to gyp (Generate Your Projects) which seems to be a bit more promising when it comes to cross platform compilation. This post shows how to create a simply gyp file to build your own custom native node.js modules and provides some scripts to automate the project generation process.

A bit of history

Gyp is a google project that was created to support cross platform building of the opensource chromium project. The main target of this project is to “generate native Visual Studio, Xcode and SCons and/or make build files from a platform-independent input format”. The project is still on its very first steps and there is little documentation on how to use it. Moreover, up to this point, there are thousand of feature requests and the maintaining team seems to implement only those directly related to the chromium project, which makes it a bit hard to upstream any new feature unless you are persistent.
On the bright side, gyp works pretty well once you get a handle of it. If you read the gyp language specification and use the source as your guide (“may the source be with you”) you will be able to write your own gyp files for your personal cross platform projects in no time.

Node-waf vs gyp

Up to version 0.4 the node.js team offered node-waf (a waf 1.5.3 wrapper script) to configure and build modules for node.js. This was fine since in windows there was no native support and you had to use Cygwin to make your builds. From version 0.5 and on, there node supports native windows builds which brings visual studio in to play. The problem is that waf started supporting visual studio’s msbuild from version 1.6 and on and this was a major setback. In the meanwhile the node.js team decided to move on to gyp and abandoned the node-waf script. If you are tempted to create a node-waf wrapping waf 1.6, try to resist. A lot of things have changed in waf 1.6 and when I finished modifying the script, I still couldn’t generate proper windows builds (I would have to hardwire the linking arguments in order to link the object to node.lib just for windows). On the other hand, gyp supports custom arguments depending on the building platform which makes the gyp files easier to maintain.

Node Module’s gyp file

I have edited a simple gyp file (see the end of this post for source code) to compile the simple hello world native nodejs module I have used in my previous posts (here and here). This gyp files specifies a single target that uses the gyp variable module_name to set its name (using the <(variable_name) syntax). The target contains the basic and most common defines that are required for each node module and the include dirs that contain the node.h, v8.h and uv.h header files.
After that, I have added some conditional specification based on the compiling OS. For example, in windows, there is no uint type so I define it in the “defines” section. Moreover, I specify the node.lib file to which the final obj file will link to and I set the output directory using visual studio specific configuration options.
As for mac users, the linker should include the “-undefined dynamic_lookup” option which is set as a library because ldflags didn’t work as expected (at least for the version of gyp bundled with nodejs). Theoretically I should have specified:


'link_settings': {
            'ldflags': [
            ‘-undefined dynamic_lookup’,
        ],
},

but this didn’t work on my tests. Moreover, I didn’t go with xcode to provide the same building instructions for both linux and mac users.

The node-gyp scripts

In the provided gyp file (see the end of this post for source code) I am using the NODE_ROOT gyp variable which should point to the root of the nodejs source directory (as discussed in my previous posts). In order to pass that variable in gyp and in order to simplify the project generation process I have assembled two shell scripts (one for windows and one for linux and mac) in order to use the environment variable NODE_ROOT (using -DNODE_ROOT=%NODE_ROOT% for windows and -DNODE_ROOT=$NODE_ROOT for the rest of the OSs). Especially for windows, the module has to link to node.lib which is generated when you compile node. The “node-gyp.bat” script tries to locate that node.lib and sets the node_lib_folder gyp variable too.

Another feature of these scripts is that they try to locate a module.gyp file in case you haven’t specified an argument. I tried to resemble the use of node-waf that locates the wscript. This way, each module can have a module.gyp file in their root directory and the end users may run node-gyp to generate the Makefile or the Visual studio solution.
A final thing to note is that both scripts use the gyp that is bundled with node (in the tools\gyp folder). This version of gyp has an issue that requires you to specify the “--depth=.” option in order to work. This option is used as a bug fix and will be removed in future version of gyp (at least that’s what gyp says).

Source code and script

You may download and use the source code and the provided scripts from the following link:

Hope this helps!

Building a simple native nodejs module on windows from command line

2011-12-09T23:06:00.001+02:00

Setting up a visual studio project to just build a simple native hello world node module is an overkill and there is a simpler way to do that by using the visual studio command prompt directly. Here you may find the required commands you have to issue, plus a vcbuild.bat file that does the whole thing at once.

The basic idea is that if you fire up a visual studio command line (or execute the command call "%VS100COMNTOOLS%..\..\vc\vcvarsall.bat" on a regular command line) you get the cl compiler and the link linker tools and you may do the whole module compiling by issuing two commands. Note that VS100COMTOOLS environment variable is set automatically when you install visual studio 2010 (any edition, even the VC++ express one).

You will need the node source tree (see my previous post on how to do the building and what are the expected folders and files) in order to get access to the node.lib file where we shall link our obj file. To make it a bit generic, I have created an environment variable named “NODE_ROOT” to specify the path of node’s source dir.

Based on this NODE_ROOT and whether you built node on DEBUG or RELEASE, you may set a temporary environment variable named “nodelibpath” to either %NODE_ROOT%\Release or %NODE_ROOT%\Debug that will pinpoint the location of node.lib.

Having these variables, you may compile your module issuing:


@rem filename "don't strip comments" "no banner" "disable intrinsic functions" "no optimization" "calling conversion __cdecl" "no analysis" "the /I adds some folders in the include path" "no clr. This is deprecated and should be changed but I am working on a gyp file instead of this bat"
cl.exe helloworld.cpp /c /nologo /Oi- /Od /Gd /analyze- /I%NODE_ROOT%\src\ /I%NODE_ROOT%\deps\v8\include\ /I%NODE_ROOT%\deps\uv\include\ /clr:noAssembly

and then link it by issuing:


link helloworld.obj node.lib /OUT:"helloworld.dll" /NOLOGO /DLL /NOENTRY /MANIFEST:NO /TLBID:1 /DYNAMICBASE /NXCOMPAT /MACHINE:X86 /LIBPATH:%nodelibpath%

I have created a bat file that assumes that the NODE_ROOT is set (it actually checks to see if it is) and then compiles and links the HelloWorld.cpp module that I used in my earlier post.

You may download the cpp and the bat files from the following link:

Building native modules for nodeJs 0.6+ with visual studio

2011-12-09T21:33:00.001+02:00

Since version 0.6 node js supports windows native builds which allows the windows dev to use visual studio to build both nodejs and the modules. In order to make a simple node module in visual studio you will have to link the obj file with the node.lib file that is generated when you compile the nodejs on visual studio. Here is a detailed walkthrough on how to successfully build a native node module in visual studio 2010.

Building node (to get the node.lib file)

First and foremost you have to download the latest code from node’s git (or a stable one if you prefer) and run the vcbuild.bat file that is in the source. This bat will create a visual studio solution and build node using the msbuild tool chain. Watch out that by default this will build a Debug version of node and will fail (at least at the moment) to sign node.exe because it tries to locate node.exe in the Release folder. If you want to do it right (which is not required) you can either edit the vcbuild.bat file or run “vcbuild Release”. Either way, you will end up with a Release or a Debug folder which contains both node.exe and node.lib files. You will need that node.lib to link against it later on.

Writing the Helloworld.cpp

A lot of blog posts have been written on how to right a simple native Hello World node module so I will mention only the basics here.

Node uses the v8 engine to expose the native methods to javascript. This is why we have to include the v8.h file.
Modules usually inherit from the ObjectWrap class and this is why we need the fairly obvious node.h include file.
Each module has a constructor and a destructor where you can do your staff there but you must also specify an Init method to initialize the v8 bindings (expose the supported methods etc).
Moreover, you will have to create New method which will be called every time you create a new object in javascript.
Finally you must not forget to add the extern “C” declaration where you specify the init subroutine (which simply points to your modules init method) and call to NODE_MODULE where you specify the module name and the init method (which is written right above).

So here is the HelloWorld.cpp we will be compiling in the following sections:

Setting up the visual studio project

Start by creating an empty Visual C++ project.

Add the HelloWorld.cpp file you have downloaded from above (don’t expect me to believe that you wrote it) and add it in the Source Files virtual folder. You may optionally add the “node.h” file located in the node’s source directory under the folder src, in the header files to improve your development experience. The project structure should look like the following:

Open the project properties (right click properties on the project) and go to the Configuration Properties→General tab. There you may specify the output directory etc but you must make sure that you select a Dynamic Library (.dll) in the Configuration Type. You may also specify that the target extension is a .node file to avoid renaming the dll output to .node (nodejs requires modules to have a .node extension). My property page look like the following:

Move on to Configuration Properties→VC++ Directories tab. Here you will have to add the include directories for node.h, v8.h and uv.h files and the location of the node.lib in the library directories.

All files are located in the node source tree you have compiled earlier (from now on I will refer to that location as %NODE_ROOT%). In the “Include Directories” you must add the following:

%NODE_ROOT%\src\
%NODE_ROOT%\deps\v8\include\
%NODE_ROOT%\deps\uv\include\

In the “Library Directories” you must add either %NODE_ROOT%\Release\ or %NODE_ROOT%\Debug\ depending on the exact location of your node.lib file and whether you need the debug symbols that are exposed by node or not.

There is also an alternative to this step. You may specify the Include Directories in the Configuration Properties→C/C++→General tab under the “Additional Include Directories” field, illustrated bellow:

As for the Library Directories, you may specify the exact path of the node.lib in the Linker (as show on a later step).

Based on the reading I did on how to build a native module on nodejs, most of the tutorials mentioned that you should add the “BUILDING_NODE_EXTENSION 1” def into your modules. My personal experience says that this is not requires in node v0.6 but if you want, you may specify this def in the Configuration Properties→C/C++→Preprocessor tab as shown in the next picture:

The final step is to go to the Configuration Properties→Linker→Input tab where you need to specify the node.lib as an “Additional Dependency”. If you skipped the VC++ Directories setup mentioned above, you should specify the full path to the node.lib file, otherwise a simple node.lib is sufficient:

That’s all. You may now build the project and you should see the following output:

If you haven’t set the target extension to .node you will have to manually rename it from .dll to .node and you will be to load the module by posting the require(‘pathtomodule’) command

Watch out that in my HelloWorld.cpp I expose the Hello function as hello (note the small h) on purpose to demonstrate that it doesn't matter what’s the name of the method in you cpp file, but the name specified in the v8 engine. You may download a test.js file to test your newly created module here:

I hope that this article will give you a heads up on the native windows nodejs module building process! You may also check a simple bat script I have prepared to autocompile the node module.

Big blue button RSL Error 1 of 4 / Error #2032

2011-11-29T17:12:00.001+02:00

If you have this kind of problem you can read this article or simply:

cd /var/www/bigbluebutton/client/
sudo wget http://fpdownload.adobe.com/pub/swz/flex/4.5.0.20967/mx_4.5.0.20967.swz
sudo wget http://fpdownload.adobe.com/pub/swz/flex/4.5.0.20967/rpc_4.5.0.20967.swz
sudo wget http://fpdownload.adobe.com/pub/swz/tlf/2.0.0.232/textLayout_2.0.0.232.swz
sudo wget http://fpdownload.adobe.com/pub/swz/flex/4.5.0.20967/framework_4.5.0.20967.swz

This is a problem that may occur when the flash client tries to locate the RSL files (local intranet situations) and by downloading them in the bbb’s folder, the flash can safely failover to that location.

Create user and db in MySQL for various apps

2011-10-15T00:03:00.001+03:00

Working on a portal which requires the integration of various opensource applications, I had to install quite a few systems that require mysql databases. In order to keep a safe separation between these systems, one should create different users that will have access only to the specific database. This is a simple way to prevent losing all your databases in case of the mishap when an attack is successful on a system and sql commands pass directly to the database (sql injection etc). This is a how-to create the new user, the new database and set the requested permissions.

Open up a console (if you are not already on a terminal) and login to you mysql environment by posting the following command:


mysql -uROOT_USERNAME -p

where ROOT_USERNAME is a user that has create user and db permission (usually you will be using the ‘root’ user). This command will prompt you for the user password and after that you will get the mysql prompt:


mysql>

In this command prompt you will have to create a new user (with username ‘new_username’) that will be able to login using ‘new_user_password’ as password. Check out that this user is on the ‘localhost’ domain which is fine since it is a good practice to not allow connection directly to the database from outer sources. To create this user, you will have to post the following command:


create user ‘new_username’@'localhost' IDENTIFIED by 'new_user_password';

The next step is to create a new database named “new_database_name”:


create database new_database_name;

The final step is to set the required permissions in order to allow the user to operate on the database and create the schema. The most common set of permissions that is given to equivalent users (based on the drupal setup instructions) is the following:


GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER, LOCK TABLES, CREATE TEMPORARY TABLES ON new_database_name.* to 'new_username'@'localhost' identified by 'new_user_password';

In order to enable all the permissions you will also have to flush the privileges on the MySQL server by posting:


flush privileges;

After that you may exit the mysql prompt by posting the “quit” command. Don’t forget the ending semi columns on all the above mentioned commands because otherwise you will be getting a prompt to continue your command when you press enter.

That’s all folks. From this point on you may continue with your system installation providing the newly created credentials.

Reset mysql 5.1 root pass

2011-09-28T22:07:00.001+03:00

I had to install a couple of dbs on a mysql server which refused to recognize me as its root… I kept receiving the following not-so-friendly message:

ERROR 1045 (28000): Access denied for user 'root'@'localhost' (using password: YES)

As it turns out, something was messed up during the installation and mysql did not recognize the given root password (mistype perhaps?). Anyway, I had to reset the pass, and this is how I did it.

Stop the service:

sudo service mysql stop

Start on safe mode without permissions check:

sudo mysqld_safe --skip-grant-tables &

mysql -u root

Update the root user’s password in the corresponding table:

mysql> use mysql;
mysql> update user set password=PASSWORD("NEW-ROOT-PASSWORD") where User='root';
mysql> flush privileges;
mysql> quit

And then restart the mysql service...

Install bigbluebutton 0.8 (BBB) on Ubuntu 11.04

2011-09-28T16:03:00.000+03:00

I recently installed big blue button version 0.8 on Ubuntu 11.04 and I came up with some errors while installing. This post is the log of my actions that solved my problem.

I was getting the following error:
Unpacking bbb-client (from .../bbb-client_0.80ubuntu91_amd64.deb) ...
cp: cannot stat `/var/www/nginx-default/50x.html': No such file or directory
dpkg: error processing /var/cache/apt/archives/bbb-client_0.80ubuntu91_amd64.deb (--unpack):
subprocess new pre-installation script returned error exit status 1
Errors were encountered while processing:
/var/cache/apt/archives/bbb-client_0.80ubuntu91_amd64.deb
E: Sub-process /usr/bin/dpkg returned an error code (1)
The problem was that nginx didn’t create the web root folder in /var/www/ so I made a softlink by giving the following command: var/www$ sudo ln -s -d /usr/share/nginx/www/ nginx-default
Then I got the following error: Setting up bbb-record-core (0.80ubuntu87) ...
/etc/init.d/bbb-record-core: line 24: god: command not found
invoke-rc.d: initscript bbb-record-core, action "start" failed.
dpkg: error processing bbb-record-core (--configure):
subprocess installed post-installation script returned error exit status 127
Errors were encountered while processing:
bbb-record-core
E: Sub-process /usr/bin/dpkg returned an error code (1)
which seemed to be as easy as to link the ruby’s god exe in the local bin by posting the following command: sudo ln -s /var/lib/gems/1.8/bin/god /usr/local/bin
but unfortunately this gave me the following error: Setting up bbb-record-core (0.80ubuntu87) ...
Record and Playback monitoring started
sudo: bundle: command not found
dpkg: error processing bbb-record-core (--configure):
subprocess installed post-installation script returned error exit status 1
Errors were encountered while processing:
bbb-record-core
E: Sub-process /usr/bin/dpkg returned an error code (1)
which indicated that bbb also required the bundle gem. Fixed that also by posting the equivalent cmd: sudo ln -s /var/lib/gems/1.8/bin/bundle /usr/local/bin
And finally big blue button installed on my server… The last two links could be avoided if I had installed the RVM manager (or so it seems) but I didn’t have the time or the will to do so. If you want to get your hands into it, check out this blog post which seemed like a nice guide on installing ruby on ubuntu.

Word to CHM source code

2011-09-24T00:59:00.001+03:00

I have just finished updating an old buggy sourceforge project and decided to share code and binaries. More over, I have written a nice post on why I had to update the project and how to use it to convert word to mobi files for kindle but thanks to Windows Live Writer (which crashed :-( ) I lost it all!

Summary of previous (lost) post

Kindle (up to 3) doesn’t support word
I use calibre for file conversions (and ebook management)
word—> pdf—> mobi process is no good for technical reports with lots of images and diagrams (most of the pictures are displayed at random places)
word –> rft –>mobi is better but will not work on large files
word –>chm –>mobi pretty good results
The old project converted doc to html via office interops, cleared the html using HTMLTidy interop and saved a xhtml. The output was fed to Microsoft Help Compiler and voila the chm file.
The old project was buggy on a x64 platform (probably the dev had a x86 machine, used x86 interops, and forgot to change the compiler option from “AnyCPU” to x86)
The old project had an old HTMLTidy reference which I replace for the newer TidyManaged.

Source code:

Binaries:

Securing Asp.net applications by hidding response header

2011-06-10T09:44:00.025+03:00

Although it’s fairly obvious that a website is running asp.net (through session cookie and the viewstate) you may protect your server by removing a few response headers that advertise the iis and the asp.net version. The most common response headers you should remove are the following:

X-Powered-By:ASP.NET
X-AspNet-Version:*.*.*
Server:Microsoft-IIS/*.*

The X-Powered-By response header
This header is added by the iis and you may remove it via the “Http Response Headers” in the iis configuration tool as shown in the following images for iis 7+:

and for iis 6 you should check the following image:

The X-AspNet-Version response header

This is advertised by the .net framework. You may remove this by adding the following entry in your application’s web.config file:

httpRuntime is located at configuration\system.web
In the case of the MVC, you should also consider disabling the MvcResponseHeader setting the value of System.Web.Mvc.MvcHandler.DisableMvcResponseHeader to true in the gloabal.asax file when the application starts.

The Server response header

The hardest response header to remove is the Server one. Quoting the tip from serverfault.com:

For the Server header, on IIS6 you can use Microsoft's URLScan tool to remote that. For IIS7, there is a great article on using a custom module to modify the Server header.

URLScan tool is easy to install. Don’t forget to enable it by adding it in the ISAPI Filters (the dll is usually located at %windir%\system32\inetsrv\urlscan\urlscan.dll).

You should also make sure that you enable the RemoveServerHeader option in the UrlScan.ini file that is located next to the dll file by setting this options value to 1.

Silverlight 1.1 Alpha Refresh patch to run after expiration date

2011-02-27T20:13:00.003+02:00

Once upon a time I won a Silverlight coding competition by writing a simple game in Silverlight 1.1 Alpha Refresh. A few weeks ago a beta tester of my game requested to play with it, once more. Installing the redistributable (thanks god I keep an archive of these because I couldn’t find it on Microsoft’s site) I came up with a message box that said that this version has expired (the alpha version should expire on 1st nov 2007).

Thus, I tried the version 2.0 redistributable. To my disappointment, the Silverlight 2.0 that was released after the Silverlight 1.1 Alpha didn’t support the code I had written and I had to modify a couple of things to make it run under version 2.0.
In order to avoid editing the code I tried to “extend” the alpha expiration date. So I ended up installing a trial of IDA Pro 6 and checking the assembly of the “C:\Program Files\Microsoft Silverlight\npctrl.1.0.20816.0.dll” file. If you open up the file in a hex editor and go to the 00014EE5 address you will see the following hex values:

66 3D D8 07

66 3D is the CMP EAX operand. EAX contains the year (pushed there in the previous lines) and
D8 07 represents the hex number 7D8 which is 2008.

After that, there is the JBE (0F 86,Jump short if below or equal) operand that leads to the nasty message box.

Thus, there are two ways to achieve the desired “extension”. Either change D8 07 to 34 08 (which will lead to an expiration in the year 2101, when I will be long gone) or change the JBE to JG (0F 8F, Jump short if greater) which will allow the alpha version to run only if the year is greater than 2008.
Just in case you are too lazy to open the file in a hex editor, I have packed both the redistributable and the patched dll in a zip file which you can download from here:

Integrating WSS 3.0 Document Library into an existing asp.net application. Setting up the authentication.

2011-01-18T09:20:00.001+02:00

If you search around the net, you’ll most probably find a lot of articles discussing how to create windows sharepoint services (WSS) modules or even how to install WSS on top of existing web site. In my case, I have to create a document management system in an existing asp.net application. In order to do so, I will be using the office integration that is provided by the document library of WSS and will be writing custom forms to handle the rest of the gui.

My asp.net application uses a customasp.net membership provider in order to authenticate users. So, my first idea was to enable Form Based Authentication (FBA) on WSS and setup the custom membership provider to handle the requests. Well, although this worked concerning the security aspects of the integration, the user had to login once more in WSS whenever he was requesting something from sharepoint and moreover, the office integration of the document library didn’t work well. To be more precise, whenever the user requested a document from the sharepoint server, word fired up and tried to open the specified document. The problem is that word doesn’t have the browser’s authentication cookie, thus the resource is out of reach and sharepoint redirected to the login screen. Having searched the net, I found that there was an update for office 2007 that would make office FBA agnostic but my clients had older versions of office and I couldn’t find anything for them. Moreover, I have office 2010 which would load the authentication form and display it to me as the requested document.

So I had to solve two problems; single sign in for both my asp.net application and the sharepoint services, and make office integration work with any version of office. The first problem can be easily solved if you create an encrypted authentication cookie that is available to both the asp.net application and WSS. The second problem can be solved if you make that cookie persistent, thus making it available to the whole system and not just the browser that made the authentication request.

I have already posted another blog post on how to enable forms authentication sharing across asp.net applications which partially solves the first problem. In the case of WSS you’ll have to note a few things.

First and foremost, the default configuration in the WSS site (defined in the web.config that usually resides in C:\Inetpub\wwwroot\wss\VirtualDirectories\<PortNumber>\) sets both the validationKey and decryptionKey to something like the following:

<machineKey validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE" decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F" validation="SHA1" />

In that case you’ll have to copy this line and add it in your asp.net application’ web.config. That way, both applications will be able to verify the validity of the generated authentication cookie.

You’ll also have to set the timeout property of the configuration\system.web\authentication\forms node in the web.config to something high enough (30 or even more) in order to avoid any cookie expiration while working on an office document. If the cookie expires, the user will not be able to save his work and you’ll end up receiving technical support calls… Be advised that you’ll have to set the same timeout on all asp.net applications because otherwise the cookie is expected to expire in the shortest timeout specified among the asp.net applications.

Another thing we’ll have to take care of is the authentication process on sharepoint services. We shall not use the build in authentication form. Rather than that, we will be implementing a custom authentication HttpModule which will be redirecting any unauthenticated request to the asp.net application that we already have. In order to see how this is done, you may check my other blog post named “redirecting any unauthenticated requests to a login form located on another asp.net application”.

One final thing to do is to setup the same membership provider on both the asp.net website that will be authenticating the requests and the windows sharepoint services. As for the WSS, you should probably configure both the website and the management website (installed by default in port 2562) if you would like to manage the permission on the document library through the management site.

Hope this article helps a bit…

Redirecting any unauthenticated requests to a login form located on another asp.net application

2011-01-17T11:30:00.001+02:00

If you have configured forms authentication across multiple asp.net applications, you may want to force users to authenticate in a single signing form. To do so you may implement a simple HttpModule that will be handling the AuthenticateRequest and redirecting to the corresponding login form.

Custom configuration section

We shall create a configuration section in order to save the login form url. The configuration section in the web.config should look like the following:

<RedirectToLoginConfiguration> 
   <loginForm url="http://authenticationServer/login.aspx"/> 
</RedirectToLoginConfiguration>

To do so, we will write two classes; one inheriting from ConfigurationSection and another inheriting from ConfigurationElement. The code for those two classes is self-explaining (I hope):

/// <summary> 
/// This is the class that represents the web.config section for the RedirectToLogin module 
/// The following is a valid configuration section: 
/// <RedirectToLoginConfiguration> 
/// <loginForm url="http://authenticationServer/login.aspx"/> 
/// </RedirectToLoginConfiguration> 
/// Notes: The name of the section is declared inside the web.config under the configSections element. 
/// In the above example, I have named my section RedirectToLoginConfiguration. 
/// </summary> 
class RedirectToLoginConfigurationSection: ConfigurationSection 
{ 
  [ConfigurationProperty("loginForm", IsRequired = true)] 
  public LoginFormElement LoginForm { get { return (LoginFormElement)base["loginForm"]; } } 
}
/// <summary> 
/// This class will keep any configuration info needed by the RedirectToLogin module regarding the 
/// login form. 
/// </summary> 
class LoginFormElement: ConfigurationElement 
{ 
  [ConfigurationProperty("url",IsRequired=true)] 
  public string Url { get { return (string) base["url"]; } }
}

The IHttpModule

The module will implement the IHttpModule interface and will hook up on the HttpApplication’s AuthenticateRequest event.

Whenever the request is not authenticated (HttpContext.Current.Request.IsAuthenticated) we will be redirecting to the specified login form url adding the ReturnUrl querystring parameter in order to have the user redirected to the current path when he provides valid credentials.

You may download the commented source code for this module and its configuration classes from the following link:

Note that I have used the #if DEBUG declaration in order to provide logging when the dll is built in debug configuration. The logging mechanism is really simple and is not recommended (I could even characterize it as a very bad practice). If you want to implement robust logging, check out this ScottGu’s blogpost.

Setting up the asp.net applications

You must have at least an asp.net application with a login form that will be handling the authentication.

In the rest of the asp.net applications, in the web.config file you’ll have to setup the configuration section by adding the following line in the configuration\configSections section:

<section name="RedirectToLoginConfiguration" type="Abot.Security.RedirectToLoginConfigurationSection,Abot.Security, Version=1.0.0.0, Culture=neutral, PublicKeyToken=69e32cb50fe06fd0"/>

And then by adding the configured section under the configuration node:

<RedirectToLoginConfiguration>
    <loginForm url="http://authenticationServer/login.aspx"/> 
</RedirectToLoginConfiguration>

Finally, you should enable the Http module by adding the following line in the system.web\ httpModules section:

<add name="RedirectToLoginScreen" type="Abot.Security.RedirectToLogin,Abot.Security, Version=1.0.0.0, Culture=neutral, PublicKeyToken=69e32cb50fe06fd0"/>

Configuring forms authentication across asp.net applications

2011-01-17T11:03:00.001+02:00

In order to enable forms authentication across multiple asp.net application you will have to setup the forms authentication to specify the same name, protection and path among all the asp.net applications that will be collaborating.

The following is an example of the configuration\system.web\authentication node in the web.config of each asp.net application.

<authentication mode="Forms">

      <forms loginUrl="login.aspx"

        name=".ASPXFORMSAUTH" protection="All"

        path="/" timeout="30" />

</authentication>

Moreover, you will have to modify the MachineKey in the web.config (under the section configuration\system.web) of each application and remove the IsolateApps that is declared in the default machine.config.

If your applications are located on the same server or farm, then you may leave validationKey="AutoGenerate" and decryptionKey="AutoGenerate". Otherwise, you will have to specify a common validationKey and decryptionKey that will be shared among the asp.net applications. This way, each and every asp.net application will be able to validate the authentication cookie set during the authentication process.
One final thing to have in mind is that you’ll have to setup the same membership provider on all your asp.net applications in order to have access to the same users.


There is a very good article named “Configuring Forms Authentication Across Applications”  in msdn where you can see a full config example.

Asp.net HTTP module to force authenticate user via Basic WWW-Authenticate dialogue

2011-01-13T13:19:00.005+02:00

Playing around with the available authentication methods I came up with a simple Http module that forces the browser to display the build in credentials form and authenticates the user by simply adding a line in the web.config file.

This is actually a pretty simple class that inherits the IHttpModule interface and hooks up on the web application’s Authenticate request event in order to modify the response headers and reply with a 401 error code.
In order to dictate the browser in showing the build in login form, you’ll have to add the WWW-Authenticate header on the first unauthenticated call.

IE default "request for credentials" dialogue

When the user provides the requested credentials, the module parses the new request and tries to locate the “Authorization” header that should contain a value like the following:

Basic aGVsbG86bGw=

This string contains the username and the password in a username:password format that is provided in a Base64 encoding. To be more specific, aGVsbG86bGw= is the Base64 encoding of the UTF7 string “hello:ll” which means that the username is hello and the password is ll.

As you may understand there is a MAJOR security concern if you decide to adopt such an authentication mechanism. The attacker can sniff the credentials since they are provided in an almost clear text form. You should at least use an ssl to secure the connection between the client and the server.

The module continues with the user validation and then authenticates the user by creating a GenericPrincipal, which is assigned in the HttpContext.Current.User.
In order to activate the module you’ll have to declare it in the system.web/httpModules section of your web.config file by adding a line like the following (I have signed my dll and installed it in the GAC):

<add name="CustomAuthModule" type="Abot.Security.BasicAuthenticationModule, Abot.Security, Version=1.0.0.0, Culture=neutral, PublicKeyToken=69ab320f50ed06d0"/>

The commented source code of the above mentioned IHttpModule is available in the following link:

VCARD quoted-printable decoding and importing to outlook

2010-11-09T19:43:00.004+02:00

My father replaced an old LG KU380 and wanted to transfer his contacts to his new Ericson mobile phone. Unluckily for me, LG provided some software that was promising to synchronize the mobile phone with the outlook, but it wouldn’t stay connected with the phone for more than one minute. Thus, every 100 contacts it would stall and start over again. The next available option was to export the contacts in a vcf file from within the mobile phone and transfer the generated file via Bluetooth.

The file had the following format:

BEGIN:VCARD
VERSION:2.1
N;ENCODING=QUOTED-PRINTABLE;CHARSET=UTF-8:;=CE=91
TEL;HOME;CELL;CHARSET=UTF-8:123456789
REV:20141012T151100Z
END:VCARD
BEGIN:VCARD
VERSION:2.1
N;ENCODING=QUOTED-PRINTABLE;CHARSET=UTF-8:;=CE=91=CE=B1
TEL;HOME;CELL;CHARSET=UTF-8:6900000000
REV:20140313T085200Z
END:VCARD
...

which is an aggregation of multiple VCARDs (starting on BEGIN:VCARD up to END:VCARD) that contained the name of the contact (the lines that starts with N) and some telephones. The problem was that this file was encoded in QUOTED-PRINTABLE using UTF-8 character set and as you can see from the above sample, Greeks could not be decrypted (even from outlook and live mail). Moreover, LG didn’t support all Greek letters. The names were saved in a GSM 7-bit like format (where capital b is used instead of β etc).

Finally, I had to aggregate the phone numbers of each contact person into a single contact card (instead of having a different vcard for each and every number).

The resulted code (vb.net console application) is well commented and available in the following link:

Manual creation helpers

2010-10-10T20:56:00.002+03:00

Ever wanted to create a manual for you application? Well, instead of pressing the print screen button and then editing the captured screens you may use a few build-in tools of windows 7 to help you out. The first tool I would like to mention is the “Snipping Tool” (located in Accessories) which allows you to select the region you want to capture and then edit it. The second one is the amazing “Problem Steps Recorder” (psr.exe located in windows\system32 folder) which allows you to record the steps you do and writes a pretty nice tutorial for you. The only problem is that it takes full screen pictures, but you can always resize the screen resolution and hide the start menu bar.

Hope this will help save a few hours from the nasty manual making job!

Windows Indentity Foundation – Custom Security Token Service and the relying party configuration

2010-07-17T11:57:00.002+03:00

The last couple of days I’ve been coding with the Windows Identity Foundation (WIF) in order to create a WS Federation Security Token Service (STS) that provides the user authentication for multiple relying parties (RPs). I decided to write a small tutorial and a sample (full commented) project that describes the basic steps that are required in order to setup the authentication via passive federation.

First of all you should start by downloading the Windows Identity Foundation (aka WIF) from Microsoft. This download provides all the necessary dlls (including System.IdentityModel and Microsoft.IdentityModel) to build a WIF claim based application.

The second thing you have to do is download the Windows Identity Foundation SDK that integrates into visual studio and provides many helpful examples. This download provides the FedUtil.exe also known as Federation Utility that automatically configures the trust between an RP and an STS and also auto generates a custom STS based on your RP configuration file.

Having installed the two prerequisites, you may download the sample project I have created, from the following link, and look for the comments that start with “WIF Comment:” in order to locate the code that is WIF specific.

Project description

As I mentioned earlier I wanted to create a simple claim based web site application (see a couple of reasons on why you may need to create one on my previous post). In fact the downloaded solution contains two relying parties. One (RelyingParty) that was manually created from start to end (ok I admit that the design is created by vs) and another one (AutoconfiguredRelayingParty) that was configured almost entirely by the Federation Utility that comes with the WIF SDK. Let’s see the RelyingParty project first.

The RelyingParty (RP) web application

This is the default asp.net application that was created from the visual studio templates. I have stripped off the entire FormsAuthentication mechanism that comes with the original template (deleted the appropriate folder) and modified the web.config to enable the WS Federation Authentication.

One thing you should note is that we have completely disabled the asp.net’s build in authentication by setting the mode to None and on the other hand we have denied unauthenticated users by setting «deny users="?"». The next thing we did was to add the WS Federation httpmodules in the asp.net’s modules stack (under the httpModules for IIS6 and the webdev server visual studio runs and under system.webServer.Modules for IIS 7+). These modules will be handling the authentication requests of our application. In order to configure them we will have to introduce a new configuration section in our web.config file by adding the corresponding section declaration in the configSections region on the top of our configuration file. We added the microsoft.identityModel section which is heavily commented in the downloaded source code. The most important parts of this section are:

The applicationService\claimTypeRequired part where you specify the claims your application requests from the STS.
The passiveRedirectEnabled="true" set in the wsFederation section that enable the passive redirect to the STS whenever authentication is required

One more thing to note is that I have disabled all the certificate checks that are made by WIF in order to simplify the demo. Normally, the RP receives and installs in the computer it runs the STS’s certificate in order to verify each message it receives by checking the signature and STS installs the public key of RP in order to encrypt the authentication messages so as to ensure the trust between both parties. WIF supports a lot of certificate lookup mechanisms but it also requires valid certificates which are not easy to get your hands on. If on the other hand you want to play around with the certificates functionality, you may use the custom WIFCommonLibrary.Certificate.CustomX509CertificateValidator x509 certificate validator which reads the certificate from the embedded resources (thus you’ll not have to install your certificate in the machines certificate store). See the web.config comments on how to enable this functionality.

One final thing you should note in the web.config file is the requestValidationType="WIFCommonLibrary.Web.AllowWFClaimsRequestValidator" set in the httpRuntime. By overriding the request validation, we will be allowing the federation form requests that will be coming into our application. If you don’t do so, you will get a «A potentially dangerous Request.Form value was detected from the client (wresult="trust:RequestSecuri..."» error due to the default asp.net’s request validation that prevents suspicious requests.

On the Default page I have added the code to display the claims that are associated with the authenticated user. On the Site.Master page I have modified the logout functionality by tampering the asp:LoginStatus to redirect to the SignOut page and finally in the the SignOut page I have a simple call to Microsoft.IdentityModel.Web.FederatedAuthentication.WSFederationAuthenticationModule.SignOut which ensures that you log out the user. Note that you’ll have to redirect the user because the request is authenticated and the user will end up seeing the page. If you allow the user to see the page, on the next request, he will not pass the authentication stage and thus he will end up with the STS’s login screen (automatically driven there because we have enabled the passiveRedirectEnabled).

The SecurityTokenService (STS) web application

The STS consists of two web pages:

The default.aspx which will be creating the federating identity and
The login.aspx which will be authenticating the incoming users.

The STS is a simple web application (in a manner of speech). If you take a look in the web.config, perhaps you will be surprised to see that there is no identity configuration. It only contains a simple FormsAuthentication declaration. In order to keep the demo simple, I have decided to use asp.net’s default forms authentication in order to verify my users. This means that you can simply add your own membership provider and verify the users on any source you like. One more thing you have to note is that I don’t allow any unauthenticated user to see the default page (the one responsible for creating the federation token). This means that when the RP calls the STS for a security token, the request is automatically redirected to the STS’s login screen where the user has to present his credentials, and then he is redirected to the default page which redirects the user back to the RP passing the security token. This is depicted in the following sequence diagram:

The nice thing about WIF is that this is totally transparent to the end user. The regular end user will not even notice that he is redirected to another place (the STS).

The default page contains the code that handles the federation requests (signin and signout) and there are not many things you should modify in this page. The hard work of the STS is located in the folder SecurityTokenService where the customsecuritytokenservice is defined.

CustomSecurityTokenServiceConfiguration refers to the configuration of the STS and provides a single instance access of this configuration (thus you’ll not have to set the security token service’s configuration over and over again). Note that we initialize the STS’s certificate calling the CertificateUtil.GetCertificate() method which retrieves the certificate from the embedded resources. In the actual production STS you should retrieve the certificate from the computer’s certificate store!

CustomSecurityTokenService is the actual STS. It inherits Microsoft.IdentityModel.SecurityTokenService.SecurityTokenService, it handles the requests and provides the requested ClaimsIdentity based on the authenticated user’s properties. To keep this demo simple, I have hard coded the output claims, but you should probably add some database lookup mechanism in order to retrieve each user’s claims. The place to add this kind of mechanism is the overridden GetOutputClaimsIdentity method.

The last file you should probably see is \FederationMetadata\2007-06\FederationMetadata.xml which is a descriptive metadata file of the STS’s capabilities. It describes in the oasis standards what are the available claims, who is responsible for this STS, how can you access this STS and staff like that. In order to create these files please refer to the WIF Custom STS metadata file editor I have created in a previous post.

The AutoconfiguredRelayingParty (RP) web application

Having created the STS you may now have the Federation Utility (found in the WIF SDK) to automatically configure your RP. To demonstrate this functionality I have created another empty asp.net web application and used the tool to pair it with my new STS. To see how this is done, please refer to my older post found here.
The only thing you should note is that you’ll have to manually set the requestValidationType to allow the federation token form posts, as mentioned in the previous relying party (or you can see the web.config comments).

The WIFCommonLibrary library

This library contains some useful classes that I have gathered together in order to facilitate the development of custom STSs and RPs. They are only for developing and testing purposes and should never be used in the actual production applications. Both available classes are discussed in the previous sections of this article.

Hope this article and the source code will help you get started with the windows identity foundation!

How to associate a web application (RP) to an existing Security Token Service (STS) using Federation Utility (FedUtil.exe)

2010-06-09T15:46:00.006+03:00

Federation utility is a very nice little tool that can automatically configure your claim based web application (which is called Relying Party or RP in the Federation language) to trust an existing security token service (STS). It comes with WIF SDK available from Microsoft. This tool can also create a new STS based on your own claim based web application, but this is not on the scope of the current post.

In order to establish the trust you’ll have to do the following steps:

Right click on you project and select the “Add STS Reference…”. If you haven’t got the WIF SDK extensions installed on your computer, you may run the tool from C:\Program Files (x86)\Windows Identity Foundation SDK\v4.0\FedUtil.exe (removing the x86 on x32 operating systems).

Fill in your RP application info and click next.

On this stage you may face the following error (unless you have your website on a secure https layer):

Locate the STS’s Federation Metadata xml file (usually located on http://sts-address/FederationMetadata/2007-06/FederationMetadata.xml) and click next.

On this stage you may receive up to three warnings depending on your STS’s security settings.
The first one refers to the lack of digital sign on the federation metadata file.

The second one refers to the lack of an https endpoint on the service. If you want to avoid this message, then you should probably have an ssl installed in the hosting computer that serves the STS.

The third warning refers to the lack of valid certificate on the STS. If your server runs on a developing certificate, the tool will not be able to validate the certificate. That’s ok on dev environments but should not be the case in production level.

On the next screen you will be prompted to provide a certificate for your own claim based application. You may specify the certificate with which the STS will be encrypting the communication between the RP and the STS. The point of this certificate is to encrypt the messages in a way that only the requesting RP will be able to understand. If you leave this blank, then the messages will not be encrypted.

Clicking next you will see the available claims on the STS. Nothing to do here…

The final step is the overview.

Click finish and you are done.

Let us test the application. Clicking debug you will actually reach the STS, do the authentication and by the time you come back to your claim based application you receive an ugly message «A potentially dangerous Request.Form value was detected from the client (wresult=»

In order to fix this error you must modify the web.config and set an http runtime request validator that allows the federation messages to pass through. For example it would look like the following statement:

httpruntime requestvalidationtype="WIFCommonLibrary.Web.AllowWFClaimsRequestValidator"

(You may download the implementation of this custom Request Validator from this post)

That’s it, your RP is configured to trust the new STS. You may change the requested claims from your web.config file.

Happy federation!

Federation Metadata Editor on codeplex

2010-06-09T13:56:00.001+03:00

I have just opened a new project on codeplex to host the source code of the Federation Metadata Editor I mentioned on my previous post. Check it out at http://stsmetadataeditor.codeplex.com/

The need of claim based security model and identity federation

2010-06-08T18:47:00.000+03:00

The last couple of days I have been working on Windows Identity Foundation. In order to take advantage of this framework, you should start writing claim based application. Forget the old fashion role based and start demanding claims! Why to convert to claim based application you may wonder... There are many reasons why you should do that but the most appealing ones I can think of are the following:

Security granularity. You can demand specific claims from a user in order to do a specific action in your application. For example, imagine that you have a simple calendar application. You may demand a “read calendar” claim from the users in order to view the contents and request another “edit calendar entries” claim in order to edit the contents. By demanding claims, you don’t have to know the application’s roles a priory. You define the claims the user must have in order to access the specified code and when you finish, you may optionally associate the application roles to specific claims, thus enabling the role “managers” to have both the “read calendar” and “edit calendar entries” claims. You may specify as many claims as you like, thus enabling you to have total control on the access levels you may offer on your application.
No need to write the authentication mechanism and maintain user’s database. Although with the asp.net membership providers you may automatically create the users table in your database and not bother with the authentication mechanism, Federation provides you with the tools to trust others to authenticate users for you. You don’t even have to have a user’s table in your database. Someone else (an STS) will do the authentication for you and sent you the user’s security claims. This may not seem as a benefit in the beginning but if you see the bigger problem you will understand the importance of this feature. There are two benefits from authentication federation.
- It’s very common to have an intranet and have a couple of applications running inside it. These applications authenticate their users based on their own authentication mechanism, which means a lot of user tables on different databases. Having a single Security Token Service, you may have all your applications ask this STS for the user authentication which will centralize the users in one database, thus decreasing drastically your user administration efforts. In the best case scenario the intranet applications use windows authentication if there is an Active Directory (or another Kerberos authentication mechanism) in the domain. In this case, the Security Token Service comes as an intermediate security layer which abstracts the authentication mechanism by authenticating the users and providing the relying parties (your applications) an authenticated identity that has some claims. Thus your application doesn’t have to be tied up with an Active Directory and you may change the authentication method at any time (let’s say have smart card installed or issue certificates) without breaking your applications. The only thing you’ll have to do is reconfigure the STS to accept the new authentication method.
- The second benefit comes when you want to externalize an intranet application. In this case, you’ll be authenticating both your intranet users and some external users from another company (let’s name this other company Contoso). If you have a custom authentication, you’ll have to add the new users and send them their new credentials which mean that the users will have to remember a new set of credentials and you’ll have to keep track of the new users and remove them in case they leave Contoso. One think is for granted. The Contoso’s HR department will not call you if they fire a person and you’ll have to manually call and find the current employment status. If on the other hand you had simply trusted Contoso’s authentication mechanism and simply allow the specific users to access your externalized application, then all problems are solved. This is called identity federation (http://en.wikipedia.org/wiki/Federated_identity). Whenever a user from Contoso comes to your application, you ask the trusted Contoso’s STS to authenticate the user and have your STS to simply transform the claims to the ones that are recognized by your applications (if there claims mapping is needed).

Fill free to add as a comment any other reason you may think of...

Building openvpn 2.1.1 with enable-password-save on windows

2010-06-05T23:21:00.000+03:00

Lately I’ve been having some requests on how to build openvpn 2.1.1 with enable-password-save. The truth is that a few things have changed since my last post. In order to fill these requests I decided to write down a few things about the process. If you are intrested in downloading an allready compiled version or openvpn 2.1.1 with enable-password-save, check out this post.

Before you start, you should download the following source files from openvpn.net

2.1_rc22-prebuilt.tbz
openvpn-2.1.1.zip
openvpn_install_source-2.1beta7-gui-1.0.3.zip
openvpn-gui-1.0.3.zip

For the MinGW you should download

binutils-2.20-1-mingw32-bin.tar.gz
gcc-ada-3.4.5-20060117-3.tar.gz
gcc-core-3.4.5-20060117-3.tar.gz
gcc-g++-3.4.5-20060117-3.tar.gz
gcc-g77-3.4.5-20060117-3.tar.gz
gcc-java-3.4.5-20060117-3.tar.gz
gcc-objc-3.4.5-20060117-3.tar.gz
make-3.81-20090914-mingw32-bin.tar.gz
MinGW-5.1.6.exe
mingw.ini
mingwrt-3.17-mingw32-dev.tar.gz
mingwrt-3.17-mingw32-dll.tar.gz
w32api-3.14-mingw32-dev.tar.gz

and the following add-ons

autoconf2.5-2.64-1-mingw32-bin.tar.tar
automake-4-1-mingw32-bin.tar.tar
automake1.11-1.11-1-mingw32-bin.tar.tar
gettext-0.17-1-mingw32-bin.tar.tar
libcrypt-1.1_1-2-msys-1.0.11-dll-0.tar.tar
libgettextpo-0.17-1-mingw32-dll-0.tar.tar
libintl-0.17-1-mingw32-dll-8.tar.tar
m4-1.4.13-1-msys-1.0.11-bin.tar.tar
perl-5.6.1_2-1-msys-1.0.11-bin.tar.tar

The software I used during the development is the following:

MSYS-1.0.11.exe
nsis-2.46-setup.exe (NSIS by nullsoft)
npp.5.6.8.Installer.exe (Notepad++ a very nice light editor)
7z465.exe (7-zip for archive manipulation)

One final thing is that you should probably modify the install-win32\settings.in file and set the parameters there to reflect your files' location. For example, in order to use the prebuild driver you should uncomment the line that reads

;!define GENOUT_PREBUILT "../gen-prebuilt"

and add the required prebuild driver in that directory.

Hope that this update will help you build your own openvpn!

Asp.net 4.0 URL rewriting aka Routing

2010-06-05T22:51:00.001+03:00

Are you tired of having ugly urls in your website like product.aspx?product=1? Are you concerned about having a search engine optimized web site? Asp.net provides the mean to easily rewrite your urls via the System.Web.Routing namespace.

I have composed a simple asp.net website with lots of comments in it, that demonstrates this new (not so new actually because this mechanism exists since .net 3.5 sp1) mechanism.

Download the source from the link below:

The main benefits of this website are:

User friendly urls like /product/1/My_First_Item
Search engine optimization (no error in the SEO Toolkit)
Ease on url rewrite rules

Things you should see:
Global.asax.vb

During the startup of our application we define the routes. This means that whenever you change the routes, you should close the webdev server in order to reinitiate the application. In the Application_Start you will find the use of RouteTable.Routes.MapPageRoute and its overloads which provides an easy way to defines routes, while you will also find the use of the method RouteTable.Routes.Add which allows us to define our own RouteHandler.

Default.aspx(.vb)

This page demonstrates the simple use of the pages property RouteData which contains the routed data gathered by the url. Be sure to check out that we avoid rewriting the url for view1 in order to avoid any warning from the SEO toolkit (duplicate entry point of the same page, one with no arguments and /Home/1). In the aspx file you will also see the use of the new expression which gets the url by matching the used arguments to the routing rule.

ProductListing.aspx.vb

In this file you will see the use of RouteTable.Routes.GetVirtualPath which returns the link to the requested resource as it’s mapped via the defined rules.

Product.aspx.vb

In this file you’ll find two classes. The partial class of the corresponding page and ProductRoutingHandler which implements the IRouteHandler interface in order to provide a little bit more complex logic in the Routing. This handlers loads the data of the product (based on the url’s id) and returns the loaded web page or returns a ProductNotFound.aspx web page as the result of this request…

Since you are looking in that page, check out the new MetaDescription and MetaKeywords properties of the Page which allows us to easily manipulate those head meta tags (one of the best practices in SEO).

Hope this project gives you a kick start on routing!