Troy Goode: SquaredRoot

MVC Membership Starter Kit - 1.2

Troy Goode — Mon, 28 Apr 2008 17:22:04 -0400

This weekend I posted a new release of the MVC Membership Starter Kit. This release is an update to migrate the starter kit to the new interim release of the MVC framework. If you do not feel comfortable using the interim release, please continue using the 1.1 release and wait for Microsoft to release Preview 3; we will update the Starter Kit soon thereafter.

Changes in 1.2:

WindowsLive is now a supported authentication scenario (read Maarten's blog post on this).
Per Andrew Arnott's suggestion, the starter kit now uses the DotNetOpenId library rather than the code previously used (which was created by Mads Kristensen). This gives us a more robust and secure implementation that will develop and improve independently of this project.
All actions that previously expected a username in the route now expect the user's ProviderUserKey (a Guid) instead. This was done because users with OpenID urls as their username could not previously be accessed.
"Whitelist support" has been added to the OpenID implementation, allowing you to setup regular expressions that dictate which OpenID providers are allowed to be used when logging into your site. By default there is no whitelist, so all providers are allowed.
The starter kit now offers greater control over which authentication scenarios your site supports and which is the default. Out-of-the-box only FormsAuthentication is enabled and is obviously the default.

Massive BlogEngine.net Security Hole

Troy Goode — Sun, 13 Apr 2008 22:34:00 -0400

A massive security hole in BlogEngine.net was just revealed that allows anyone to see your passwords... Danny Douglass just added a post to his blog where he explains the issue and provides a patched BlogEngine.Core assembly to resolve the issue until the next release of BlogEngine is available.

I would advise anyone running BlogEngine.net to immediately go to Danny's blog and download & install the fix.

The faster we can get word out about this, the faster we can shut down this particular attack vector, so please try and get the word out to any BlogEngine.net users you are aware of and please kick Danny's post at DotNetKicks.

Thanks Danny!

MVC: New Membership Starter Kit Release

Troy Goode — Fri, 11 Apr 2008 12:19:21 -0400

The Starter Kit

If you haven't had a chance to read about the MVC Membership Starter Kit I've created, read this post first.

New Release

Since we first created the starter kit a week and a half ago, Maarten Balliauw and I have been hard at work fleshing out the implementation to provide as much functionality as possible. Last night we finished the last stretch of things we had identified for this release and have posted the code as a new release on CodePlex. Keep in mind you can also always download our latest builds from CodePlex as well without waiting for a new release.

New Features

OpenID

Mads Kristensen released a lightweight OpenID consumer earlier this year that I then proceeded to flesh out with a security patch. The reason I did so was so that I could include OpenID in this release of the Starter Kit.

Out of the box you can create a route to the OpenIDLogin action, which displays the following view:

Once the user has entered their OpenID url, the starter kit will take care of the rest for you, with one critical exception: you have to map the url to a user in your membership database. To do so, you simple override a virtual method and return a MembershipUser, like so:

   1: protected override MembershipUser AssociateOpenIDToMembershipUser( string identity, string name, string email )

   2: {

   3:     return Membership.GetUser(identity);

   4: }

View Plain | Copy To Clipboard

Note that the above implementation maps the OpenID url to a user's UserName, which may or may not be what you want for your application. Adjust accordingly.

Password Recovery Tools

Maarten did a great job providing users with a way to manage their passwords. While logged in they can change their password:

Or if they are having trouble logging in, they can submit their username...

...and then answer their password question (if the system is configured to require it)...

...and they will then receive their password via email (or a newly generated password -- depending on system configuration).

Client-Side Validation

All non-administrative forms now include basic client-side validation. The validations even change based upon your Membership settings.

For instance, by default the ASP.Net Membership provider requires passwords to contain at least 1 non-alphanumeric character. If a user entered a password of "password" they would see the following alert:

Components: Login & LoginStatus

Maarten created components that emulate the functionality of the old Login and LoginStatus controls. Now it is easy to have a Login box on every page.

Major Refactoring

Most of the controller and filter code has been broken out into a separate assembly.

Your FormsAuthentication and FormsAuthenticationAdministration controllers should now inherit from a base version of each. Maarten has created a boat load of virtual method hooks for each action (OnBeforeBlah, OnAfterBlah, OnErrorBlah) that provides you with easy extensibility points without needing to directly modify the starter kit base code.

Hopefully this refactoring will make it easy for you to upgrade to future versions of the starter kit's code as they become available.

The Future

Currently we've cleared our plate and have no more planned features to attend to. Does this mean that we are done? No. This is what you can expect to see us working on next:

Preview3 updates, whenever it becomes available.
Validations on the administrative side.
Bug fixes, of course. :-)
If you have suggestions for what you would like to see in the next release, please drop me a line and let me know!

You can download the new release from CodePlex.

OpenID Check_Authentication In C#

Troy Goode — Fri, 11 Apr 2008 00:01:03 -0400

Earlier this year Mads Krisensen (of BlogEngine.net fame) posted a lightweight implementation of OpenID using C#. In the comments on Mads' post, Andrew Arnott (a developer of the DotNetOpenId library) mentioned that the example Mads had posted could "be hacked with a single change of a word in the URL." This is what is technically referred to as a Very Bad Thing. Andrew and another poster named "neil" went on to elaborate that implementing OpenID's "check_authentication" algorithm would close this security hole. Unfortunately as of the writing of this article neither Mads nor any of the commentors have provided an implementation of check_authentication that works with the class Mads posted (bear in mind that Andrew only brought up this issue less than a week ago, so Mads may very well be working on it).

Fast forward to yesterday when I was researching my options for implementing OpenID for the next release of the ASP.Net MVC Membership Starter Kit. I liked Mads solution more than the other OpenID libraries that are current available because of its brevity and how easy it is to include it in a project without introducing an extra assembly dependency, so I decided to go ahead and add the check_authentication functionality. A quick read of that portion of the OpenID spec and a couple hours of coding/testing and I think I'm about finished.

Here is the method you need to add to Mads' class:

   1: private static bool CheckAuthentication( NameValueCollection query )

   2: {

3:

   4:     //### get data required for check_authentication

   5:     string mode = "check_authentication";

   6:     string handle = query["openid.assoc_handle"];

   7:     string signature = query["openid.sig"];

   8:     string signed = query["openid.signed"];

   9:     string extra = string.Empty;

10:

  11:     //### loop through fields required by "openid.signed" and retrieve that data

  12:     if( !string.IsNullOrEmpty(signed) )

  13:     {

  14:         string[] exemptions = { "mode", "assoc_handle", "sig", "signed" };

  15:         string[] fields = signed.Split(',');

  16:         foreach( string field in fields )

  17:         {

  18:             if( exemptions.Contains(field) ) continue;

  19:             extra += string.Format( "openid.{0}={1}&", field, HttpUtility.UrlEncode( query[ "openid." + field ] ) );

  20:         }

  21:         extra = "&" + extra.Substring( 0, extra.Length - 1 );

  22:     }

23:

  24:     //### combine all the data together to form the request

  25:     string post = string.Format( "openid.mode={0}&openid.assoc_handle={1}&openid.sig={2}&openid.signed={3}{4}",

  26:         mode,

  27:         HttpUtility.UrlEncode( handle ),

  28:         HttpUtility.UrlEncode( signature ),

  29:         HttpUtility.UrlEncode( signed ),

  30:         extra

  31:     );

32:

  33:     //### begin sending request

  34:     HttpWebRequest request = (HttpWebRequest)WebRequest.Create( query["openid.op_endpoint"] );

  35:     request.Method = "POST";

  36:     request.ContentType = "application/x-www-form-urlencoded";

  37:     request.ContentLength = post.Length;

38:

  39:     //### transmit POST data

  40:     using( StreamWriter sw = new StreamWriter(request.GetRequestStream()) )

  41:         sw.Write(post);

42:

  43:     //### get response

  44:     string html = "";

  45:     using( HttpWebResponse response = (HttpWebResponse)request.GetResponse() )

  46:         using( StreamReader sr = new StreamReader( response.GetResponseStream() ) )

  47:             html = sr.ReadToEnd();

48:

  49:     //### determine if check_authentication passed or not

  50:     if( string.IsNullOrEmpty(html) || !html.StartsWith( "is_valid:" ) || html.StartsWith( "is_valid:false" ) )

  51:         return false;

  52:     else if( html.StartsWith( "is_valid:true" ) )

  53:         return true;

  54:     else

  55:         throw new InvalidOperationException( "Unexpected return from OpenID check_authentication." );

56:

  57: }

View Plain | Copy To Clipboard

Now you need to make sure that method is called from somewhere. I chose to make the method private and just call it from inside the Authenticate method. Within the Authenticate method replace:

   1: // Make sure the incoming request's identity matches the one stored in session

   2: if( query["openid.claimed_id"] != data.Identity )

   3:     return data;

View Plain | Copy To Clipboard

... with...

   1: // Make sure the incoming request's identity matches the one stored in session

   2: if( query["openid.claimed_id"] != data.Identity )

   3:     return data;

   4: else if( !CheckAuthentication( query ) )

   5:     throw new UnauthorizedAccessException( "OpenID False Verification Detected" );

View Plain | Copy To Clipboard

And that's it!

If anyone with more experience than I in OpenID waters sees a problem with my implementation, let me know and I will try to get it fixed quickly.

NOTE: I am aware that Mads' implementation and the use of 'check_authentication' is considered an overly chatty use of OpenID. It seems to me that the extra complexity required to implement OpenID 2.0 protocol is just not worthwhile for most OpenID consumers. Feel free to let me know why this is a stupid position to take.

Rob Conery's PagedList Class (Updated)

Troy Goode — Tue, 08 Apr 2008 21:33:56 -0400

Robert Muehsig has posted a great user control for the MVC framework that adds pagination links to the bottom of a paged list. In it he used a slightly customized version of Rob Conery's PagedList class that Rob was kind enough to post way back when the first CTP was released. This reminded me that I should probably post the version I have customized, as I think it makes it a bit easier to use and maintain. I've included the code below.

   1: using System;

   2: using System.Linq;

3:

   4: namespace System.Collections.Generic

   5: {

6:

   7:     public interface IPagedList

   8:     {

   9:         int TotalPages { get; }

  10:         int TotalCount { get; }

  11:         int PageIndex { get; }

  12:         int PageSize { get; }

  13:         bool HasPreviousPage { get; }

  14:         bool HasNextPage { get; }

  15:         bool IsFirstPage { get; }

  16:         bool IsLastPage { get; }

  17:     }

18:

  19:     public class PagedList<T> : List<T>, IPagedList

  20:     {

21:

  22:         public PagedList( IEnumerable<T> source, int index, int pageSize )

  23:         {

24:

  25:             //### set source to blank list if source is null to prevent exceptions

  26:             if( source == null )

  27:                 source = new List<T>();

28:

  29:             //### set properties

  30:             this.TotalCount = source.Count();

  31:             this.PageSize = pageSize;

  32:             this.PageIndex = index;

  33:             if( this.TotalCount > 0 )

  34:                 this.TotalPages = (int)Math.Ceiling( (double)this.TotalCount / (double)this.PageSize );

  35:             else

  36:                 this.TotalPages = 0;

  37:             this.HasPreviousPage = ( this.PageIndex > 1 );

  38:             this.HasNextPage = ( this.PageIndex < this.TotalPages );

  39:             this.IsFirstPage = ( this.PageIndex == 1 );

  40:             this.IsLastPage = ( this.PageIndex == this.TotalPages );

41:

  42:             //### argument checking

  43:             if( index < 1 || index > this.TotalPages )

  44:                 throw new ArgumentOutOfRangeException( "PageIndex out of range." );

  45:             if( pageSize < 1 )

  46:                 throw new ArgumentOutOfRangeException( "PageSize cannot be less than 1." );

47:

  48:             //### add items to internal list

  49:             if( this.TotalCount > 0 )

  50:                 this.AddRange( source.Skip( ( index - 1 ) * pageSize ).Take( pageSize ).ToList() );

51:

  52:         }

53:

  54:         public int TotalPages { get; private set; }

  55:         public int TotalCount { get; private set; }

  56:         public int PageIndex { get; private set; }

  57:         public int PageSize { get; private set; }

  58:         public bool HasPreviousPage { get; private set; }

  59:         public bool HasNextPage { get; private set; }

  60:         public bool IsFirstPage { get; private set; }

  61:         public bool IsLastPage { get; private set; }

62:

  63:     }

64:

  65:     public static class Pagination

  66:     {

  67:         public static PagedList<T> ToPagedList<T>( this IEnumerable<T> source, int index, int pageSize )

  68:         {

  69:             return new PagedList<T>( source, index, pageSize );

  70:         }

  71:     }

72:

  73: }

View Plain | Copy To Clipboard

Changes from Rob's version:

Added a "TotalPages" property.
If you're going to loop through each of the pages to display page navigation, you'll obviously need this.
Changed "IsPreviousPage" to "HasPreviousPage".
It just sounds better.
Changed "IsNextPage" to "HasNextPage".
See above.
Added a "IsFirstPage" property.
The opposite way of using the above two properties. I prefer this way, but kept the original way for backwards compatibility (except the naming).
Added a "IsLastPage" property.
See above.
Changed the first constructor to accept IEnumerable<T> rather than IQueryable<T>.
I'm not exactly sure why Rob originally made it IQueryable. I'm aware that by passing an IQueryable (LINQ) object to this constructor you'll avoid retrieving the entire set (only taking the results needed), but since IQueryable inherits from IEnumerable everything should be hunky-dory. He probably had a reason and I'm going to wind up breaking all of my stuff, but IEnumerable is just so much handier. =)
Removed the second constructor.
The second constructor took List<T>, which is unnecessary after changing the first constructor to accept IEnumerable.
Cleaned up property declarations a bit.
Mainly to make the page a bit shorter, but also to prevent the multiple calculations that could happen in the original. Also the original allowed the changing of certain properties after an instance was created, which would put the instance into an inconsistent state.
Added argument checking and handled a few exception scenarios more gracefully.
Trying to make debugging a bit friendlier.
Removed the second extension method that didn't specify a pageSize.
I don't really think that baking in an extension method that sets pageSize to 10 is a good idea, I'd prefer pageSize to be explicitly set elsewhere by the calling code.
Moved the code to the "System.Collections.Generic" namespace.
I'm sure a lot of you are breaking out in a cold sweat to see me putting something into a System.* namespace, but I kind of feel like this is something that the .Net team just "forgot". =) Move it wherever makes you comfortable.

Please note that I took many of these ideas from the commentary below Rob's original post. I'm sure many of you are using something similar, but I thought it would be useful to get something posted online that is a bit more fleshed out than the original example.

Thanks for the great work Rob & Robert!

Review: Training With Stephen Walther

Troy Goode — Fri, 04 Apr 2008 15:06:17 -0400

I just finished a four day course on AJAX, LINQ, & MVC taught by Stephen Walther and wanted to let all of you know that if you are interested in training on any of these topics, I HIGHLY recommend Stephen.

You can learn more about the training options he offers by visiting his training website:
http://www.superexperttraining.com/

He also keeps a blog filled with incredibly information -- and long ;-) -- posts on various aspects of ASP.Net at:
http://weblogs.asp.net/StephenWalther/

Read on for more details about my experiences this week.

The Instructor

Stephen is a successful author, having literally "written the book" on ASP.Net (and even ASP Classic!). His book "ASP.NET 3.5 Unleashed" has received excellent reviews from Amazon and I look forward to reading it soon.

You can buy Stephen's book from Amazon here:

We all found Stephen to be very personable and he obviously has an excellent command on the language and tools available in the .Net ecosystem. Also, anyone that can put up with my constant interruptions and derails for four days in a windowless classroom is clearly a pro. =)

The Course

Danny Douglass originally contacted Stephen to request that he teach a class for seven of our developers at the organization we work for. Stephen was kind enough to then customize a course around the technologies we had requested, and that is how we ended up with a one day primer on LINQ & MVC followed by an in-depth training session on AJAX technologies and Microsoft's ASP.Net AJAX implementation specifically.

As anyone that reads my blog regularly knows, I am heavily invested in learning the MVC framework and was highly impressed by Stephens grasp on such a new technology. We may very well have been the first ASP.Net MVC class that anyone has taught anywhere and Stephen managed to teach it quickly and confidently. I was also impressed that he was teaching us things based upon the Preview 2 release of the MVC framework which has only been available publicly for 3 weeks rather than the older December CTP release.

As someone that considers himself a strong JavaScript developer (but weak at AJAX), I came into the class a little worried that the JavaScript explanation portions of the program would be more remedial than I wanted. I was wrong. Stephen led a thorough review over the advanced JavaScript features developers need to know to develop world-class AJAX libraries and did so while keeping the pace brisk and managing not to leave anyone in the room behind.

As I said above, I recommend Stephen's training courses to anyone organization interested in learning AJAX, JavaScript, MVC, LINQ, or ASP.Net in general. Thanks for the excellent class Stephen!

Disclaimer: I was not paid or compensated in any way for this endorsement.

MVC: Membership Starter Kit

Troy Goode — Wed, 02 Apr 2008 18:43:00 -0400

A newer version of the Membership Starter Kit is now available. Click here to see what has changed.

Introduction

One of my very first blog posts (and most definitely my most popular so far) revolved around how to integrate ASP.Net membership and forms authentication into the ASP.Net MVC framework which had just been released in it's December CTP flavor. It has remained popular to this day, but unfortunately the Preview 2 release of the MVC framework has caused much of the code I released in that article to no longer function correctly.

Even before the release of Preview 2, I had been planning to extend the samples I was providing to offer more useful features. I don't know about you, but nearly every website I ever create with ASP.Net requires some kind of security/membership system. My preference is to use the built-in system when possible (except for the horrible Profiles sub-system). This means creating login, logout, & registration functionality every time, as well as creating administrative screens for managing the users that enter your system.

WebForms provides some controls to help with the login and registration process, but user administration has always been delegated to either (a) the built-in tool that runs separately and doesn't work remotely or (b) rolling your own solution. The development of the MVC framework seems to me like a good time to resolve this scenario and provide the community with an array of pre-built tools to help boot-strap projects so that we can stop working on infrastructure and start working on the heart of the individual application.

With that in mind I have created a CodePlex project: the ASP.Net MVC Membership Starter Kit. It currently provides controllers and views for all of the common authentication and user administration needs, including:

Login/Logout
Registration
List of Registered Users
User Details / Administration
Role Management

A big thanks goes out to Rob Conery, as I borrowed his recent Authentication Filters and included those, along with my recently released Error Handling Filters.

Okay, enough wall o'text. Let's take a look at some screenshots:

Screenshot Tour

Here is the menu when you first log in:

The registration page:

The login page (note that the Administrator's credentials are displayed to make it easy to get started, you'll obviously want to change them and remove that note):

Having logged in, here is what the menu looks like now:

The current options upon clicking the Security tab:

Clicking "Manage Users" brings you to a list of all users currently registered:

Clicking on the user takes you to a form that allows you to view their details and edit a few aspects of their profile...

as well as view/change the roles they are in and help with password issues:

From the Security tab you can also go to a list of all the system's roles, from which you can add/delete roles as you need:

Clicking on a role from the roles list or the user profile allows you to view/modify the users in that role:

And finally, the Security tab offers a link to another registration form, geared toward Administrators:

NSFAQ (Not-So Frequently Asked Questions)

Q: Does this compete with MvcContrib?
A: No. MvcContrib is a great project that aims to features like alternate routing and view engines, and IoC integration. This project is simply a starter kit to help get membership-based applications off the ground a little quicker. There is no reason you could not use both projects together.

Q: What dependencies does using this starter kit saddle me with?
A: Ideally, none, other than the ASP.Net Membership API. Every measure will be taken to avoid using third party libraries, be it JavaScript or .Net. We will strive to separate the code and rely on default settings as much as possible to make it easy for you to customize your installation without anything in the starter kit getting in the way.

Q: Who is responsible for this?
A: Currently, only me, but I'd like that to change! I'm keenly interested in finding a few other developers that would like to contribute to enhancing the starter kit. Please contact me if you'd like to help!

What's Next?

There are a few features missing that I would like to include in the very short term. Primarily these are features for end-users, like Change Password and Forgot My Password (both of which are currently available on the administration side). Beyond that, visual cleanup of the forms (and separation of the style sheets) as well as a bit of AJAX-ification of the forms would be nice. If you use the starter kit and have suggestions or criticisms, please post to the Discussions forum or Issue Tracker!

You can download the latest release from the CodePlex project. I hope you all find it useful!