J.D. Meier's Blog : My Projects

My Projects on MSDN

J.D. Meier — Tue, 10 Feb 2009 22:51:14 GMT

This post is a simple way to browse the bulk of my patterns & practices work on MSDN and CodePlex. After I walk customers through things, the next question is usually, "OK, so where do we find this?" This is the link I'll be sharing.

Guides

Performance

Books / Guides

Methods

Guidelines

Checklists

Practices at a Glance

Performance Practices at a Glance

How Tos

Security

Guides

Methods

Threats and Countermeasures

Cheat Sheets

Guidelines

Checklists

Practices at a Glance

Questions and Answers

Explained

Application Scenarios

ASP.NET Security How Tos

WCF Security How Tos

Visual Studio Team System

Guides

Team Development with Visual Studio Team Foundation Server

Guidelines

Practices at a Glance

Questions and Answers

Source Control Practices at a Glance

How Tos

My Related Posts

patterns & practices Complete Catalog

New Release: patterns & practices App Arch Guide 2.0 Beta 1

J.D. Meier — Tue, 28 Oct 2008 01:24:23 GMT

Today we released our patterns & practices App Arch Guide 2.0 Beta 1. This is our guide to help solution architects and developers make the most of the Microsoft platform. It's a distillation of many lessons learned. It’s principle-based and pattern-oriented to provide a durable, evolvable backdrop for application architecture. It's a collaborative effort among product team members, field, industry experts, MVPs, and customers. Keep in mind it’s Beta so there’s still moving parts and we’re processing quite a bit of feedback across the guide. Now’s the time to bang on it.

5 Parts

Part I, “Fundamentals”
Part II, “Design”
Part III, “Layers”
Part IV, “Quality Attributes”
Part V, “Archetypes – Design and Patterns”

Chapters

Chapter 1 - Fundamentals of Application Architecture
Chapter 2 - .NET Platform Overview
Chapter 3 - Application Archetypes
Chapter 4 - Deployment Patterns
Chapter 5 - Arch Styles
Chapter 6 - Quality Attributes
Chapter 7 - Layers and Tiers
Chapter 8 - Designing Your Architecture
Chapter 9 - Architecture and Design Guidelines
Chapter 10 - Designing Services
Chapter 11 - Communication Guidelines
Chapter 12 - Presentation Layer Guidelines
Chapter 13 - Business Layer Guidelines
Chapter 14 - Data Access Layer Guidelines
Chapter 15 - Service Layer Guidelines
Chapter 16 - Performance Engineering
Chapter 17 - Security Engineering
Chapter 18 - Mobile Application
Chapter 19 - Office Business Application (OBA)
Chapter 20 - Rich Client Application
Chapter 21 - Rich Internet Application (RIA)
Chapter 22 - Service Archetype
Chapter 23 - SharePoint LOB Application
Chapter 24 - Web Application

Key Scenarios
The guide helps you address the following scenarios:

Choose the right architecture for your application.
Choose the right technologies
Make more effective choices for key engineering decisions.
Map appropriate strategies and patterns.
Map relevant patterns & practices solution assets.

Key Features

Canonical app frame - describes at a meta-level, the tiers and layers that an architect should consider. Each tier/layer is described in terms of its focus, function, capabilities, common design patterns and technologies.
App Types. Canonical application archetypes to illustrate common application types. Each archetype is described in terms of the target scenarios, technologies, patterns and infrastructure it contains. Each archetype will be mapped to the canonical app frame. They are illustrative of common app types and not comprehensive or definitive.
Arch Frame - a common set of categories for hot spots for key engineering decisions.
Quality Attributes - a set of qualities/abilities that shape your application architecture: performance, security, scalability, manageability, deployment, communication, etc.
Principles, patterns and practices - Using the frames as backdrops, the guide overlays relevant principles, patterns, and practices.
Technologies and capabilities - a description/overview of the Microsoft custom app dev platform and the main technologies and capabilities within it.

Conceptual Framework
At a high level, the guide is based on the following conceptual framework for application architecture:

Reference Application Architecture
We used the following reference application architecture as a backdrop for explaining how to design effective layers and components:

Key Links

Application Architecture Guide 2.0 – The Book (CodePlex)
Application Architecture Guide 2.0 – Knowledge Base (CodePlex)

Core Dev Team

J.D. Meier , Alex Homer, David Hill, Jason Taylor, Prashant Bansode , Lonnie Wall, Rob Boucher, Akshay Bogawat

Contributors / Reviewers

Test team: Rohit Sharma, Praveen Rangarajan
Edit team: Dennis Rea.
External Contributors/Reviewers. Adwait Ullal; Andy Eunson; Christian Weyer; David Guimbellot; David Weller; Derek Greer; Eduardo Jezierski; Evan Hoff; Gajapathi Kannan; Jeremy D. Miller; Kent Corley; Mark Baker; Paul Ballard; Norman Headlam; Ryan Plant; Sam Gentile; Udi Dahan
Microsoft Contributors / Reviewers. Ade Miller; Anoop Gupta; Bob Brumfield; Brad Abrams; Brian Cawelti; Bhushan Nene; Burley Kawasaki; Carl Perry; Chris Keyser; Chris Tavares; Clint Edmonson; David Hill; Denny Dayton; Diego Dagum; Dmitri Martynov; Dmitri Ossipov; Don Smith; Dragos Manolescu; Elisa Flasko; Eric Fleck; Erwin van der Valk; Faisal Mohamood; Francis Cheung; Gary Lewis; Glenn Block; Gregory Leake; Ilia Fortunov; J.R. Arredondo; John deVadoss; Joseph Hofstader; Koby Avital; Loke Uei Tan; Mehran Nikoo; Michael Puleio; Mike Walker; Mubarak Elamin; Nick Malik; Nobuyuki Akama; Ofer Ashkenazi; Pablo Castro; Pat Helland; Phil Haack; Reed Robison; Rob Tiffany; Ryno Rijnsburger; Scott Hanselman; Serena Yeoh; Srinath Vasireddy; Tom Hollander; Wojtek Kozaczynski

My Related Posts

patterns & practices App Arch Guide 2.0 Project

App Arch Guide 2.0 Overview Slides

Abstract for Application Architecture Guide 2.0

Layers and Components

Key Software Trends

Cheat Sheet: patterns & practices Catalog at a Glance Posted to CodePlex

Cheat Sheet: patterns & practices Pattern Catalog Posted to CodePlex

WCF Security Guide is Now Available in HTML

J.D. Meier — Thu, 19 Jun 2008 05:07:00 GMT

Our guide, patterns & practices Improving Web Services Security:Scenarios and Implementation Guidance for WCF is now available in HTML.

New Release: patterns & practices WCF Security Guide (BETA)

J.D. Meier — Wed, 04 Jun 2008 23:01:12 GMT

Today we released our WCF Security guide, patterns & practices Improving Web Services Security: Scenarios and Implementation Guidance for WCF. This is our Microsoft playbook for Windows Communication Foundation (WCF - "Indigo".) It shows you how to build secure Web services using WCF. It's a compendium of proven practices, product team recommendations and insights from the field.

Download the guide

Download the Guide

Contents at a Glance

Part I, "Security Fundamentals for Web Services"
Part II, "Fundamentals of WCF Security"
Part III, "Intranet Application Scenarios"
Part IV, "Internet Application Scenarios"

Chapters

Ch 01 - Security Fundamentals for Web Services
Ch 02 - Threats and Countermeasures for Web Services
Ch 03 - Security Design Guidelines for Web Services
Ch 04 - WCF Security Fundamentals
Ch 05 - Authentication, Authorization and Identities in WCF
Ch 06 - Impersonation and Delegation in WCF
Ch 07 - Message and Transport Security in WCF
Ch 08 - WCF Bindings Fundamentals
Ch 09 - Intranet – Web to Remote WCF Using Transport Security (Original Caller, TCP)
Ch 10 - Intranet – Web to Remote WCF Using Transport Security (Trusted Subsystem,HTTP)
Ch 11 - Intranet – Web to Remote WCF Using Transport Security (Trusted Subsystem TCP)
Ch 12 - Intranet – Windows Forms to Remote WCF Using Transport Security (Original Caller, TCP)
Ch 13 - Internet – WCF and ASMX Client to Remote WCF Using Transport Security (Trusted Subsystem, HTTP)
Ch 14 - Internet – Web to Remote WCF Using Transport Security (Trusted Subsystem, TCP)
Ch 15 - Internet – Windows Forms Client to Remote WCF Using Message Security (Original Caller, HTTP)

Reference

WCF Security Checklist
WCF Security Guidelines
WCF Security Practices at a Glance
WCF Questions and Answers (Q&A)
How Tos
WCF Security Resources

Contributors and Reviewers

External: Andy Eunson; Anil John; Anu Rajendra; Brandon Bohling; Chaitanya Bijwe; Daniel Root; David P. Romig, Sr.; Dennis Rea; Kevin Lam; Michele Bustamante; Parameswaran Vaideeswaran; Rockford Lotka; Rudolph Araujo; Santosh Bejugam
Microsoft: Alik Levin; Brandon Blazer; Brent Schmaltz; Curt Smith; David Bradley; Dmitri Ossipov; Don Smith; Jan Alexander; Jason Hogg; Jason Pang; John Steer; Marc Goodner; Mark Fussell; Martin Gudgin; Martin Petersen-Frey; Mike de Libero; Mohammad Al-Sabt; Nobuyuki Akama; Ralph Squillace; Richard Lewis; Rick Saling; Rohit Sharma; Scott Mason; Sidd Shenoy; Sidney Higa; Stuart Kwan; Suwat Chitphakdibodin; T.R. Vishwanath; Todd Kutzke; Todd West; Vijay Gajjala; Vittorio Bertocci; Wenlong Dong; Yann Christensen; Yavor Georgiev

patterns & practices WCF Security Practices at a Glance Now Available

J.D. Meier — Fri, 09 May 2008 23:53:27 GMT

For this week's release in our patterns & practices WCF Security Guidance project, we released our first version of our WCF Security Practices at a Glance. Practices At a Glance gives you a bird's-eye view of how to perform common tasks. They are scannable and outcome-driven so that you can quickly browse the problem/solution pairs. Rather than a laundry list of granular tasks, we organize them by our Web Services Security frame (still evolving.)

Categories
Here's how we grouped our WCF Security Practices at a Glance so far:

Auditing and Logging
Authentication
Authorization
Configuration Management
Deployment Considerations
Exception Management
Hosting
Impersonation/Delegation
Input Validation
Message Security
Proxy Considerations
Sensitive Data
Transport Security

Here's a snapshot of the problems solved from our Practices At a Glance, but you can see our answers explained at our WCF Security Guidance project site.

Auditing and Logging

How to audit authentication events
How to audit authorization events
How to enable WCF message logging
How to enable WCF tracing
How to use Health Monitoring in WCF
How to view log information
How to view trace information
How to log traces to a WMI provider
How to turn off audit failure suppression

Authentication

How to authenticate users against the SQL Membership Provider
How to authenticate users against Active Directory
How to authenticate users against Active Directory without windows authentication
How to authenticate users with certificates
How to map certificates with windows accounts
How to authenticate users against a custom user store
How to authenticate users with Kerberos direct to support non-WCF clients with windows authentication

Authorization

How to authorize imperatively
How to authorize declaratively
How to authorize users against Windows groups
How to authorize users against Windows groups using the AspNetWindowsTokenRoleProvider
How to authorize users against the SQL Role Provider
How to authorize users against the ASP.Net Role Provider
How to assign the current principal with IAuthorizationPolicy to allow authorization using custom authentication

Configuration Management

How to encrypt sensitive data in your configuration files
How to run your service under a specific identity
How to create a service account for your WCF service
How to stop clients from referencing your service
How to protect against message replay attacks

Deployment Considerations

How to configure certificates to enable SSL in IIS
How to map Windows accounts with certificates
How to create a Service Principle Name (SPN)
How to configure WCF for NATs and Firewalls
How to create an X.509 certificate

Exception Management

How to shield exception information with fault contracts
How to create an error handler to log details of faults for auditing purposes
How to handle unhandled exceptions in downstream services
How to throw an exception with complex types or data contracts with a fault exception
How to handle unknown faults in a service
How to implement a data contract to propagate exception details for debugging purposes
How to implement fault contracts in call back functions

Hosting

How to host WCF in IIS
How to host WCF in a Windows service
How to self-host WCF
How to configure a least-privilege account to host your service

Impersonation/Delegation

How to choose between trusted subsystem and impersonation/delegation
How to impersonate the original caller when using Windows authentication
How to impersonate programmatically in WCF
How to impersonate declaratively in WCF
How to delegate the original caller to call backend services when using Windows authentication
How to impersonate the original caller without Windows authentication
How to impersonate the original caller using S4U Kerberos extensions.
How to delegate the original caller using S4U Kerberos extensions.
How to impersonate and delegate using LogonUser Windows API
How to flow the original caller from an ASP.NET client to WCF
How to control access to a remote resource based on the original callers identity.

Input Validation

How to protect your service from malicious messages
How to protect your service from malicious input
How to protect your service from denial of service attacks
How to validate parameters with parameter inspectors
How to validate parameters with message inspectors using schemas
How to validate data contracts with message inspectors using schemas
How to validate message contracts with message inspectors using schemas
How to use regular expressions validate format, range and length in schemas
How to validate inbound messages on a service
How to validate outbound messages on a service
How to validate outbound messages on the client
How to validate inbound messages on the client
How to validate input parameters
How to validate output parameters

Message Security

How to use message security
How to partially encrypt a message
How to use out-of-band credentials with message security

Proxy Considerations

How to avoid proxy spoofing
How to expose service metadata for your clients
How to create a proxy to a service hosted in IIS that requires certificate authentication and transport security

Sensitive Data

How to encrypt sensitive data in configuration files
How to protect sensitive data in memory
How to protect sensitive data on the network

Transport Security

How to use transport security
How to use secure conversations in WCF

X.509 Certificates

How to create a temporary X.509 certificate for transport security
How to create a temporary X.509 certificate for message security
How to create a temporary X.509 certificate for certificate authentication

My Related Posts

6 New patterns & practices WCF Security How Tos

J.D. Meier — Thu, 01 May 2008 23:12:44 GMT

We have 6 new How Tos for this week's release of our patterns & practices WCF Security Guidance Project.

WCF Security How Tos

My Related Posts

patterns & practices WCF Security Questions and Answers Now Available

J.D. Meier — Fri, 25 Apr 2008 05:13:59 GMT

What are your key security-related questions with WCF? More importantly, what are the answers? For this week's release of our WCF Security Guidance Project, we posted our WCF Security Q&A (Questions and Answers) to CodePlex.

To create the questions and answers set, we first gathered and organized recurring questions from our field, support, customers and forums. We then worked through to create precise answers. What you get is a browsable collection of questions and answers, organized by our security frame. The security frame maps to actionable categories of your application.

Here's a snapshot of the questions from our Q&A, but you can see our answers explained at our WCF Security Guidance project site.

Design Considerations

How do I decide on an authentication strategy?
How do I decide on an authorization strategy?
When should I use message security vs. transport security?
How do I use my existing Active Directory infrastructure?
What bindings should I use over the Internet?
What bindings should I use over the Intranet?
When should I use resource-based authorization vs. roles-based authorization?
When should I impersonate the original caller?
When should I flow the original caller’s identity to back-end resources?
How do I migrate to WCF from an ASMX web service?
How do I migrate to WCF from a COM application?
How do I migrate to WCF from a DCOM application?
How do I migrate to WCF from a WSE application?

Auditing and Logging

What WCF Service security events should be logged?
How do I enable logging and auditing in WCF?
How do I enable auditing in WCF?
How do I stop my service if there has been an auditing failure?
How do I log important business events in WCF?
How do I implement log throttling in WCF?
How do I use Health Monitoring Feature with WCF?
How do I protect my log files?
How to I pass user identity information in a message for auditing purpose?

Authentication

How do I decide on an authentication strategy in WCF?
When should I use brokered authentication?
When should I use the SQL Server Membership provider?
How do I authenticate against Active Directory?
How do I authenticate against a SQL store?
How do I authenticate against a custom store?
How do I protect passwords in my user store?
How do I use certificate authentication with X.509 certificates?
What is the most common authentication scenario for intranet applications?
What is the most common authentication scenario for internet applications?
How do I support authentication for multiple client types?
What is federated security?
How do I send credentials in the message when I am using transport security?
How do I avoid cleartext passwords?

Authorization

How do I decide on an authorization strategy in WCF?
What’s the difference between resource-based, roles-based and claims-based authorization?
How do I use Windows groups for role authorization in WCF?
How do I use the SQL Role provider for ASPNET role authorization in WCF?
How do I use the Windows Token role provider for ASPNET role authorization in WCF?
How do I use the Authorization Store role provider for ASPNET role authorization in WCF?
What’s the difference between declarative and imperative roles authorization?
How do I restrict access to WCF operations to specific Windows users?
How do I associate roles with a certificate?
What is a service principle name (SPN)?
How do I create a service principle name (SPN)?

Bindings

What is a binding?
What bindings are available?
Which bindings are best suited for the Internet?
Which bindings are best suited for the Intranet?
How do I choose an appropriate binding?
Configuration Management
How do I encrypt sensitive data in WCF configuration file?
How do I run a WCF Service with a particular identity?
How do I create a service account for running my WCF Service?
When should I use a configuration file versus the WCF object model?
What is a metadata exchange (MEX) binding?
How do I keep clients from referencing my service?

Exception Management

How do I implement a global exception handler?
What is a fault contract?
How do I define a fault contract?
How do I avoid sending exception details to the client?

Hosting

How do I configure a least privileged account to host my service?
When should I host my service in IIS?
When should I host my service in a Windows service?
When should I self-host my service?
Impersonation/Delegation
What are my impersonation options?
What is the difference between impersonation and delegation?
How do I impersonate the original caller for an operation call?
How do I temporarily impersonate the original caller in an operation call?
How do I impersonate a specific (fixed) identity?
What is constrained delegation?
What is protocol transition?
How do I flow original caller from ASP.NET client to WCF Service?
What is the difference between declarative and programmatic impersonation?
What is the trusted subsystem model?
When should I flow the original caller to back-end code?
How do I control access to a remote resource based on the original caller’s identity?

Input/Data Validation

How do I implement input and data validation in WCF?
What is schema validation?
What is parameter validation?
Should I validate before or after message serialization?
How do I protect my service from denial of service attacks?
How do I protect my service from malicious input attacks?
How do I protect my service from malformed messages?
Message Protection
When should I use message security?
When should I use transport security?
How do I protect my message when there are intermediaries routing my message?
How do I protect my message when there are multiple protocols used during message
transit?
How do I implement partial message encryption?

Proxy Considerations

When should I use a channel factory?
When do I need to expose a metadata exchange endpoint for my service?
How do I avoid proxy spoofing?

Sensitive Data

How do I protect sensitive data in configuration files?
How do I protect sensitive data in memory?
How do I protect my metadata?
How do I protect sensitive data from being read on the wire?
How do I protect sensitive data from being tampered with on the wire?
How do I authenticate a message was sent by the expected sender?
How do I encrypt data within my message?

X.509 Certificates

How do I create X.509 certificates?
Do I need to create a certificate signed by the root CA certificate?
How do I use X.509 certificate revocation?
How do I authenticate users with X.509 certificates, and then perform role-based access control using an Active Directory domain?

Deployment Considerations

What are the additional considerations for using WCF in a webfarm?
How do I configure WCF for NATs and Firewalls?
How do I configure Active Directory groups and accounts for role-based authorization checks?
How do I create an X.509 certificate?
When should I use a Service Principle Name (SPN)?
How do I configure a least privileged account for my service?

My Related Posts

patterns & practices WCF 3.5 Security Guidelines Now Available

J.D. Meier — Thu, 17 Apr 2008 18:38:33 GMT

For this week's release in our patterns & practices WCF Security Guidance project, we released our first version of our WCF 3.5 Security Guidelines. Each guideline is a nugget of what to do, why, and how. The goal of the guideline format is to take a lot of information, compress it down, and turn insight into action.

The downside is that it's tough to create prescriptive guidelines that are generic enough to be reusable, but specific enough to be helpful. The upside is that customers find the guidelines help them cut through a lot of information and take action. We contextualize the guidelines as much as we can, but ultimately you're in the best position to do the pattern matching to find which guidelines are relevant for your scenarios, and how you need to tailor them.

Here's a snapshot of the guidelines, but you can see our security guidelines explained at our WCF Security Guidance project site.

Categories
Our WCF Security guidelines are organized using the following buckets:

Auditing and Logging
Authentication
Authorization
Binding
Configuration Management
Exception Management
Hosting
Impersonation and Delegation
Input/Data Validation
Proxy Considerations
Deployment considerations

Auditing and Logging

Use WCF auditing to audit your service
If non-repudiation is important, consider setting SuppressAuditFailure property to false
Use message logging to log operations on your service
Instrument for user management events
Instrument for significant business operations
Protect log files from unauthorized access
Do not log sensitive information

Authentication

Know your authentication options
Use Windows Authentication when you can
If you support non-WCF clients using windows authentication and message security, consider using the Kerberos direct option
If your users are in AD, but you can’t use windows authentication, consider using username authentication
If your clients have certificates, consider using client certificate authentication
If you need to streamline certificate distribution to your clients for message encryption, consider using the negotiate credentials option
If your users are in a custom store, consider using username authentication with a custom validator
If your users are in a SQL membership store, use the SQL Membership Provider
If your partner applications need to be authenticated when calling WCF services, use client certificate authentication.
If you are using username authentication, use SQL Server Membership Provider instead of custom authentication
If you need to support intermediaries and a variety of transports between client and service, use message security to protect credentials
If you are using username authentication, validate user login information
Do not store passwords directly in the user store
Enforce strong passwords
Protect access to your credential store
If you are using Windows Forms to connect to WCF, do not cache credentials

Authorization

If you use ASP.NET roles, use the ASP.NET Role Provider
If you use windows groups for authorization, use ASP.NET Role Provider with AspNetWindowsTokenRoleProvider
If you store role information in SQL, consider using the SQL Server Role Provider for roles authorization
If you store role information in Windows Groups, consider using the WCF PrincipalPermissionAttribute class for roles authorization
If you need to authorize access to WCF operations, use declarative authorization
If you need to perform fine-grained authorization based on business logic, use imperative authorization

Binding

If you need to support clients over the internet, consider using wsHttpBinding.
If you need to expose your WCF service to legacy clients as an ASMX web service, use basicHttpBinding
If you need to support remote WCF clients within an intranet, consider using netTcpBinding.
If you need to support local WCF clients, consider using netNamedPipeBinding.
If you need to support disconnected queued calls, use netMsmqBinding.
If you need to support bidirectional communication between WCF Client and WCF service, use wsDualHttpBinding.

Configuration Management

Use Replay detection to protect against message replay attacks
If you host your service in a Windows service, expose a metadata exchange (mex) binding
If you don’t want to expose your WSDL, turn off HttpGetEnabled and metadata exchange (mex)
Manage bindings and endpoints in config not code
Associate names with the service configuration when you create service behavior, endpoint behavior, and binding configuration
Encrypt configuration sections that contain sensitive data

Exception Management

Use structured exception handling
Do not divulge exception details to clients in production
Use a fault contract to return error information to clients
Use a global exception handler to catch unhandled exceptions

Hosting

If you are hosting your service in a Windows Service, use a least privileged custom domain account
If you are hosting your service in IIS, use a least privileged service account
Use IIS to host your service unless you need to use a transport that IIS does not support

Impersonation and Delegation

Know the impersonation options
If you have to flow the original caller, use constrained delegation
Consider LogonUser when you need to impersonate but you don’t have trusted delegation
Consider S4U when you need a Windows token and you don’t have the original caller’s credentials
Use programmatic impersonation to impersonate based on business logic
When impersonating programmatically be sure to revert to original context
Only impersonate on operations that require it
Use OperationBehavior to impersonate declaratively

Input/Data Validation

If you need to validate parameters, use parameter inspectors
If your service has operations that accept message or data contracts, use schemas to validate your messages
If you need to do schema validation, use message inspectors
Validate operation parameters for length, range, format and type
Validate parameter input on the server
Validate service responses on the client
Do not rely on client-side validation
Avoid user-supplied file name and path input
Do not echo untrusted input

Proxy Considerations

Publish your metadata over HTTPS to protect your clients from proxy spoofing
If you turn off mutual authentication, be aware of service spoofing

Deployment considerations

Do not use temporary certificates in production
If you are using a custom domain account in the identity pool for your WCF application, create an SPN for Kerberos to authenticate the client.
If you are using a custom service account and need to use trusted for delegation, create an SPN
If you are hosting your service in a Windows Service, using a custom domain identity, and ASP.NET needs to use constrained trusted for delegation when calling the service, create an SPN
Use IIS to host your service unless you need to use a transport that IIS does not support
Use a least privileged account to run your WCF service
Protect sensitive data in your configuration files

My Related Posts

patterns & practices WCF Security Guidance: Updated Application Scenarios

J.D. Meier — Fri, 11 Apr 2008 06:32:00 GMT

For this week's release in our patterns & practices WCF Security Guidance project, we added new sections to our WCF Security Application Scenarios. We added sections for analysis, code and configuration examples. The analysis section explains the rationale behind some of the decisions.

The idea behind the application scenarios is to show you a before and after look of end-to-end solutions. Rather than a single solution, we give you a set of solutions to pick from. The main parameters that vary in each solution include: Intranet vs. Internet, ASP.NET client vs. Windows Forms clients, TCP vs. HTTP, impersonation/delegation vs. trusted subsystem, and AD (domain credentials) vs. a custom user store.

WCF Security Application Scenarios
Intranet

Internet

Note that if there's enough interest and time, we'll add a scenario that shows accessing an existing custom user store (i.e. you aren't using Membership.)

My Related Posts

patterns and practices WCF Security Guidance Now Available

J.D. Meier — Thu, 27 Mar 2008 19:04:00 GMT

Our patterns & practices WCF Security Guidance Project is in progress on CodePlex. This is our first release of prescriptive guidance modules for WCF Security.

How Tos
Our How Tos give you step by step instructions for performing key tasks:

Videos
Our videos step you visually through key guidance:

About WCF
Windows Communication Foundation (WCF) is a service-oriented platform for building and consuming secure, reliable, and transacted services. It unifies the programming models for ASMX, Enterprise services and .NET Remoting. It supports multiple protocols including named pipes, TCP, HTTP, and MSMQ. WCF promotes loose coupling, supports interoperability, and encapsulates the latest web service standards. With WCF, you get flexibility in choosing protocol, message encoding formats, and hosting. For more information, see the MSDN WCF Developer Center.

About the Project
WCF provides a lot of options and flexibility. The goal of our patterns & practices WCF Security Guidance Project is to find the key combinations of security practices for WCF that work for customers and share them more broadly. At a high-level, you can think of the project in terms of these main buckets:

Application Scenarios - These are whiteboard solutions for common end-to-end application scenarios.
How Tos - These are step-by-step instructions for performing key end-to-end tasks.
Building Codes - These are our sets of rules and practices. This includes Guidelines, Checklists, and Practices at a Glance.
Reference - This includes Explained, Cheat Sheets, and Q&A guidance.

The plan is to incrementally share our guidance modules on CodePlex as we go, then build a guide, then port the guidance to MSDN once it's baked.

Guidance Share Sweep

J.D. Meier — Wed, 02 Jan 2008 18:48:06 GMT

One of the most important things I did while I was on vacation was sweeping Guidance Share. Guidance Share is where I consolidate my body of software engineering guidance and test user experiences. I redesigned the home page for simpler browsing and findability. It was more pain than pleasure for me, but if it helps the broader community, that's my payback.

Here's a highlight of Guidance Share:

Browsable nuggets for software performance and security
Durable, evolvable frames for security and performance (think of these as maps)
How Tos, Guidelines, Checklists and more

Guidance Share gives me a unique vantage point that I haven't been able to get any other way. The act of building it and evolving it helps me make gain new insights. It also forces me to find ways to be extremely efficient. I then try to carry these lessons over to MSDN and to help shape patterns & practices information models. I don't own the MSDN experience, but I can give input. Guidance Share helps me solidify my recommendations with living proof. It's also let's me quickly experiment with new user experiences.

My biggest lesson learned is how difficult it is to integrate information and make it useful, even when you own it. It's one thing to have a snapshot of information that's useful for a given point in time; it's another to create a stable backdrop with a firm foundation that can evolve over time. The key is factoring volatile from stable information, and enabling them to play well together.

Note that Guidance Share is under construction and there are some obviously empty areas, but it's a work in progress. It's a living knowledge base for software engineering that I periodically sweep to share the best that I've learned.

Enjoy!

Now on Amazon: Performance Testing Guidance for Web Applications

J.D. Meier — Sat, 01 Dec 2007 03:15:07 GMT

Our patterns & practices Performance Testing Guidance for Web Applications book is now available on Amazon.

Now on Amazon: Team Development with Visual Studio Team Foundation Server

J.D. Meier — Sat, 01 Dec 2007 03:10:54 GMT

Our patterns & practices Team Development with Visual Studio Team Foundation Server book is now available on Amazon.

Now on MSDN: patterns & practices Performance Testing Guidance for Web Applications

J.D. Meier — Sat, 27 Oct 2007 09:59:00 GMT

You can now find our patterns & practices Performance Testing Guidance for Web Applications on MSDN in HTML. It's the same guidance we hosted on CodePlex. CodePlex was our channel for agile release of the guidance. Once we baked the guidance, we ported it to MSDN.

Contents at a Glance
Here's the

Chapters

Download
You can download the patterns & practices Performance Testing Guidance for Web Applications from CodePlex.

Guidance Explorer Scenario
If you want to tailor the guidance for your scenario, you can download Guidance Explorer from CodePlex. Using Guidance Explorer, you can create custom views by dragging and dropping the relevant guidance and then tailoring it as you see fit. You can then save your view or an item to Word or HTML

Now on MSDN: patterns & practices Team Development with Visual Studio Team Foundation Server Guide

J.D. Meier — Sat, 27 Oct 2007 01:22:00 GMT

You can now find our patterns & practices Team Development with Visual Studio Team Foundation Server guide on MSDN in HTML. It's the same guidance we hosted on CodePlex. CodePlex was our channel for agile release. Once we baked the guidance, we ported to MSDN. For some customers, MSDN is a trusted source, so being on MSDN is important. Additionally, MSDN provides some additional hooks and channels.

Contents At a Glance
Here's the guide at a glance

Chapters

Guidelines

Practices at a Glance

Questions and Answers

Questions and Answers: Source Control

How Tos

Download
You can download the Team Development with Visual Studio Team Foundation Server Guide from CodePlex.