-
While being here in Redmond with customers at our Lead Enterprise Architect Conference I realized that I still owe students from a lecture I gave last week the presentation and demo-downloads. Therefore I am catching up with this now;)
During the lecture I introduced ASP.NET foundational concepts such as the architecture of the runtime (Modules, Handlers...), Server Controls and the Web Forms programming model as well as ASP.NET AJAX and the latest release of the AJAX control toolkit.
You can download the presentation and the source code for this little sample application from the link below. For successfully testing the application you need the following bits installed on your machine:
That’s essentially it. After you have these running you need to execute the included database script (Database.sql creates the tables only; Database_withData.sql creates the tables with some sample data) and modify the connection strings in the web.config file to point to your SQL Server instance and database. If you have SQL Server Express Edition installed you can leave all settings in your web.config as they are, because SQL Server Express Edition by default installs with the “(local)\SQLEXPRESS” instance name.
Click here to download the source code and presentation!
Have much fun! If you have any questions, feel free to get in touch with me through this blog!
Mario
-
The .NET Client Profile is a very interesting extension made available with the release of .NET Framework 3.5. If you’re interested in more details, follow this link to the official documentation!
As a subset of the full .NET Framework package containing client-side functionality only, it should make the deployment of the .NET Framework for client-only applications in corporate networks easier (30 MB are easier to deploy, maintain and patch than the full Framework with a footprint of more than 100 MB).
So far customers had not really challenged me with reasons for using the .NET Client Profile – but now it has been the case three times in a row that the deployment of the full framework was a problem for client-only applications.
Of course one of the first questions customers are asking is: “Which assemblies are included in the client profile and are therefore available for client developers?”
The answer: you can find a list of client-profile assemblies for each version, .NET 2.0, .NET 3.0 and .NET 3.5, in files called “Client.xml” in the following directories on your system:
%windir%\Microsoft.NET\Framework\v2.0.50727\SubsetList\Client.xml
%programfiles%\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\Client.xml
%programfiles%\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\Client.xml
Furthermore you can tell Visual Studio 2008 to check your project references at compile time by enabling the “Client-only Framework subset” option in the project properties dialog. In that case Visual Studio raises a compiler warning for each referenced assembly that is not available in the client profile, as you can see below:

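The same check Visual Studio performs can be scripted over the Client.xml subset lists, for example to scan many project files at once. The following is an added example and not code from the blog post: it assumes the subset list uses `FileList`/`File` elements with an `AssemblyName` attribute (verify that against the Client.xml files on your own machine), and both the abbreviated Client.xml and the .csproj fragment below are constructed sample data.

```python
"""Report project references that a .NET Client Profile subset list does not ship.

Added example, not code from the blog post. Assumed: Client.xml lists assemblies
as <FileList><File AssemblyName="..."/></FileList>. The sample data is constructed.
"""
import xml.etree.ElementTree as ET

MSBUILD_NS = "http://schemas.microsoft.com/developer/msbuild/2003"

# Constructed, abbreviated subset list in the assumed Client.xml layout.
SAMPLE_CLIENT_XML = """<FileList Name=".NET Framework 3.5 Client Profile" RuntimeVersion="2.0.50727">
  <File AssemblyName="mscorlib" Version="2.0.0.0" />
  <File AssemblyName="System" Version="2.0.0.0" />
  <File AssemblyName="System.Core" Version="3.5.0.0" />
  <File AssemblyName="System.Data" Version="2.0.0.0" />
  <File AssemblyName="System.Xml" Version="2.0.0.0" />
  <File AssemblyName="System.Windows.Forms" Version="2.0.0.0" />
  <File AssemblyName="PresentationCore" Version="3.0.0.0" />
  <File AssemblyName="PresentationFramework" Version="3.0.0.0" />
  <File AssemblyName="WindowsBase" Version="3.0.0.0" />
</FileList>
"""

# Constructed .csproj fragment: a "client" project that quietly pulls in ASP.NET assemblies.
SAMPLE_CSPROJ = """<Project ToolsVersion="3.5" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <Reference Include="System" />
    <Reference Include="System.Core">
      <RequiredTargetFramework>3.5</RequiredTargetFramework>
    </Reference>
    <Reference Include="System.Web" />
    <Reference Include="System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <Reference Include="PresentationFramework" />
  </ItemGroup>
</Project>
"""


def load_client_profile(client_xml: str) -> set:
    """Return the simple assembly names listed in a Client.xml subset list."""
    root = ET.fromstring(client_xml)
    return {f.get("AssemblyName") for f in root.iter("File") if f.get("AssemblyName")}


def project_references(csproj_xml: str) -> list:
    """Return the simple names of all <Reference Include="..."/> items of a project.

    A strong-name reference ("Name, Version=..., Culture=..., PublicKeyToken=...")
    is cut at the first comma so only the assembly name remains.
    """
    root = ET.fromstring(csproj_xml)
    names = []
    for ref in root.iter("{%s}Reference" % MSBUILD_NS):
        include = ref.get("Include", "")
        if include:
            names.append(include.split(",")[0].strip())
    return names


def missing_from_client_profile(client_xml: str, csproj_xml: str) -> list:
    """Assemblies the project references that the client profile does not contain."""
    profile = load_client_profile(client_xml)
    return sorted(name for name in project_references(csproj_xml) if name not in profile)


if __name__ == "__main__":
    for name in missing_from_client_profile(SAMPLE_CLIENT_XML, SAMPLE_CSPROJ):
        print("not in client profile:", name)
```

Run against the real files, the script would read each Client.xml path listed above and every .csproj in a solution; an empty result means the project can ship on the client profile alone.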
To get more details on how to deploy .NET client applications using the client profile, take a closer look at this MSDN documentation for the .NET Client Profile!
Hope that’s something useful…
-
Hint: technical presentations about this project are available for download in the link list at the end of this post!!
This year the Austrian medical association together with the medical associations of the different federal states in Austria as well as one of our Gold-certified partners, Anecon Software Design und Beratung GmbH., completed a project we (Microsoft Austria) started together on the country-wide management of data for medical practitioners and their ordinations.
The management of this data is prescribed by Austrian law and is used for several scenarios such as sponsorships of medical practitioners, promotions, payments, traceability or even for support in lawsuits, and is therefore mission-critical!
Attached to this blog entry you will find two presentations with technical information on how we architected the solution. While the first presentation (Part1.pdf) shows some of the most important requirements within the environment, usage scenarios of technologies as well as some really cool screenshots of parts of the application, the second presentation (Part2.pdf) is based on an architectural specification I’ve written for the project on where and how to apply which technologies of the .NET Framework 3.x in the application architecture.
Understanding the political and technical environment
Austria’s health care environment is one of the most complex political environments in Europe – and the most complex political environment in the country itself. The environment is organized in a federal way, that means each federal state of Austria (we have 9 of them) is treated as an autonomous unit.
Therefore each federal state has its own state-medical association with its own responsibilities and duties. Many of these responsibilities and duties are self-managed by these medical associations for a federal state, but on the other hand many of them are prescribed by a country-wide medical association which is the Austrian medical association.
Having these autonomous associations leads to the fact that each association manages both a common set of information on medical practitioners, which is prescribed by the Austrian medical association, and its own additional set of information it wants and needs to manage for the federal state it is acting in. That means the application discussed in this blog post and in the attached presentations needs to be deployed in each federal association with its own data storage, its own service instances and client applications, while on the other hand the associations need to synchronize the common set of data among each other to be able to manage and process data on medical practitioners who have ordinations in multiple federal states.
Finally that means we are talking about federated data and federated services from a technical point of view, with medical associations in the states within Austria as well as one overall organization, the Austrian medical association. Technologies such as workflows for synchronization, using SQL Server Service Broker for data-synchronization transactions with “transformation” rules in between, are at the core of the application architecture.
The role of the medical association, Anecon and Microsoft in the project
Requirements as well as the underlying data model have been defined by a working group set up by the Austrian medical association that consisted of several representatives of the different medical associations from the federal states. Our partner, Anecon, was responsible for the design, implementation and test of the overall solution based on the latest Microsoft technologies. We from Microsoft acted as a trusted advisor for the Austrian medical association: Robert John, our business development manager, ensured getting the right support from the Area and Microsoft Corp., while I helped creating the overall architecture for the system together with Anecon and the representatives of the medical association.
Download the presentation
Requirements, usage-scenarios of technologies and screen-shots from Anecon
Core technical architecture recommendations from Microsoft / Mario Szpuszta
Involved technologies, links and further resources
.NET Framework 3.5 (incl. Service Pack 1)
Windows Presentation Foundation
Windows Workflow Foundation
Windows Communication Foundation
SQL Server 2005 and SQL Server 2008 (for newer deployments)
SQL Server Service Broker
Microsoft Patterns & Practices Home
Microsoft Patterns & Practices Application Architecture Blueprint
-
Yesterday Max and I had the last delivery of our .NET Web Developers Road Show. Again we applied our new concept of building a complete application in a whole day. This time we built the event management application using...
- a data access layer with the ADO.NET Entity Framework
- an ADO.NET Data Service for making the data available filtered through some simple business rules.
- ASP.NET for the web front facing application that allows users to search and register for events incl. ASP.NET AJAX.
- Silverlight for two separate use cases:
- a little Events-Photos RIA integrated into the ASP.NET web site
- and a full Silverlight application for viewing event statistics and timelines.
Again it was a great pleasure travelling with Max through our country and delivering these sessions together. You can download the complete solution from Codeplex at
http://webdevroadshow.codeplex.com/
including the source code and the presentation material. Interesting that the presentation is much larger than the source code, although we spent most of the time during the events in Visual Studio typing code:)
Have much fun trying the application and analyzing the source code... but also note that this is a demo application only, where we of course made some compromises and simplifications in the architecture.
Mario
-
I am delighted to publish a whitepaper of one of the most interesting engagements I’ve been part of so far – together with Frequentis AG.
Together with the architects from Frequentis, Ulrich Hüttinger and Stefan Domnanovits, we’ve been writing this whitepaper I am publishing now with this blog-entry. In this paper you can read about some of the most important (not all!!) architectural approaches and design decisions Frequentis made for building always responsive clients and services in the mission critical area of ship-vessel traffic management.
Frequentis is building the newest applications in this area with .NET Framework 3.5 SP1, primarily Windows Presentation Foundation (WPF) and Windows Communication Foundation (WCF).
Topics we’ll cover in this paper are:
- Understanding the environment of the tracking and tracing solution and its technical requirements.
- Discussing some decisions Frequentis had to make on their message bus infrastructure based on these requirements.
- Implementing a reliable message bus infrastructure for smaller harbours/ports and large harbours/ports with WCF at the same time.
- Putting job-, queue- and command-patterns together for always responsive applications on clients and in services.
- Combining patterns such as the presentation model pattern on the front-end in WPF and understanding the communication-flow between the presentation model and the business logic that uses queues, commands and jobs on the backend.
I hope you find this paper interesting and the information in it useful!
Mario
-
Yesterday we had the last delivery of our BigDays road show for 2009. It was again a pleasure for me to be part of this largest road show through Austria.
This year I delivered two sessions, one on Windows Communication Foundation and one on ASP.NET web development (the second one together with Alex Duggleby from Security Research). The presentations are available for download under the following two links:
Both sessions were part of an idea Max and I had on developing a complete scenario demo application through all sessions of the track.
Btw. Max delivered great sessions in all developer tracks around the conference - for details take a look at his blog entry;)
The Rent-A-Worker Demo Application
The demo-scenario application was the Rent-A-Worker demo application. We published the whole application as an open-source project on codeplex:
Click here to get to the Rent-A-Worker project!
It is supposed to be used for finding workers and machines and renting them for your own building projects. The application was architecturally built with the following layers in mind. Each session in the track was dedicated to a single layer of the application:

Which technologies did we use for implementing Rent-A-Worker?
This year's BigDays were - based on the feedback from customers last year - focused towards released technologies and not any future technologies. Therefore we built our demo scenario with .NET Framework 3.5 Service Pack 1 in all layers (released in 2008). Below you find the technologies incl. links to downloads for the pre-requisites you need to run, test and extend the Rent-A-Worker demo application:
Visual Studio 2008 Professional Edition or higher
Visual Studio 2008 Service Pack 1
.NET Framework 3.5 and .NET Framework 3.5 Service Pack 1
SQL Server 2008 Express Edition or higher
Microsoft ASP.NET AJAX Control Toolkit
Microsoft ASP.NET MVC (we did not present it, but we included parts)
Microsoft Silverlight Tools and Silverlight SDK
Microsoft Composite WPF Application Guidance
Feedback, Questions?
If you have any feedback on the track, on Rent-A-Worker or on the content itself, feel free to get in touch with Max and me through our blogs. We would be more than happy about feedback on the whole track, our sessions, demos, contents, about what we should keep doing and what we should stop doing etc.
Cheers
Mario
-
By "accident" I've found two older articles on some extensions and tools for Internet Information Services 7.0 and web developers in general that help improve the security of web applications.
I was so amused and excited about these modules that I thought I had to write a short entry this morning:) Also it demonstrates, in my opinion, that the new modularized architecture of IIS 7.0 really rocks. That is underpinned by the fact that you find new modules and new functionality published at regular intervals, either by the community through http://iis.net or by Microsoft itself.
The articles I've found aren't new, but I really love this kind of functionality - take a look at the following independent articles:
I think these tools are really useful helpers and they can provide an additional security gatekeeper in your security architecture - you should definitely take a look at them;)
Mario
-
In October I published a posting on Identity Interoperability based on a PoC I created for TechEd Europe Developers 2008 and our local DevCamp 2008 conference. The prototype was based on Codename "Zermatt" on the Microsoft side and on NetBeans 6.5 Beta 2 as well as Metro 1.3 / WSIT Beta at that point in time... As I had to demonstrate the prototype within a customer engagement I updated the stuff to Microsoft Geneva Framework Beta 1, Netbeans 6.5 RTM and Metro 1.3 / WSIT RTW. Well, there have been some changes which essentially were driving me crazy... therefore I thought I'll give you an update and show how you can make identity interoperability a reality between those platforms with
- an active STS based on Geneva Framework Beta 1
- a .NET-based client using WCF of .NET Framework 3.5 SP1
- a Java-based relying party implemented with Netbeans 6.5 RTM and Metro 1.3 RTW
Again I will discuss all the necessary details to get my samples running on your machine...
Sample Downloads for this posting
First of all, download the samples for this posting which I've updated from Zermatt to Geneva Framework Beta 1 and from Netbeans Beta to Netbeans 6.5 release and Metro 1.3 / WSIT RTW here:
Pre-Requisites
Before you can begin with the action make sure you download and extract the following packages to your local machine. I use the directory "D:\IdentityInterop2008" as a base directory... when you see this in one of the screenshots, map it to your local base directory!
Code Changes from Zermatt to Geneva Beta 1
I had to update my code as there are some not very well documented changes from Zermatt to Geneva Framework Beta 1;) There are two cool blog postings by Yossi Dahan summarizing the breaking changes:
http://www.sabratech.co.uk/blogs/yossidahan/2008/11/from-to-framework.html
http://www.sabratech.co.uk/blogs/yossidahan/2008/11/from-to-framework-part-ii.html
The download of this post also contains the updates of my demos from TechEd Europe 2008 developers...
Installing the Pre-Requisites on Java
As the installation process on the .NET side is pretty straightforward (install Visual Studio and its SP1, which includes .NET, then install Geneva Framework and you're done;)), I just outline what you have to do on the Java side to make things work...
- Install Netbeans and install all Netbeans updates. Very important: install Glassfish v2 with Netbeans as well.
- Install the Java Cryptography Extension (JCE) policy files. For this purpose extract the JCE download and copy the files to the following directories:
C:\Program Files\Java\jre1.5.0_15\lib\security
and C:\Program Files\Java\jdk1.5.0_15\jre\lib\security
- Make sure that the Glassfish v2 server is configured within your Netbeans 6.5 IDE as outlined in my previous post on this topic.
- TRICKY if you've been working with Netbeans beta or RC: compared to the beta or RC versions of Netbeans, the option for selecting .NET 3.5 / Metro compatibility, and therefore enforcing the correct WS-* standard versions for the messaging, is simply not available anymore... no update install, nothing worked. The reason is very simple: Netbeans pre-releases were shipping with Metro while the RTM of Netbeans 6.5 does not ship with Metro 1.3 anymore...
As you can see, the interoperability option is disabled because Metro is not installed on my Glassfish instance. Therefore we need to install Metro. Unfortunately the documentation on how to "install" Metro is pretty confusing. It tells you to execute an Ant script that installs Metro, as you can see in the following screenshot:

That means in a command prompt where I have all the Java environment variables set I execute the following statement:
<antdir>\ant <workdir>\metro\metro-on-glassfish.xml install
After you've executed this command (while neither Netbeans nor Glassfish is running) and restarted Netbeans, the .NET compatibility option should be available as follows:
Make the .NET-side running on your machine
Now that we have everything installed on the machine we can start getting things running. For the Microsoft side the first step is installing the certificates in the local machine's certificate store. For this purpose follow these steps:
- Start the Microsoft Management Console (Run -> mmc.exe)
- Select "File -> Add/Remove Snap In..."
- In the dialog that fires up select "Certificates" in the left list.
- Select "Computer" and then "Local Computer" in the options for opening the local machine's certificate store.
- Import the certificates "localhost.pfx" and "sts.pfx" into the machine's "My" store by right-clicking "Personal" and selecting "All Tasks -> Import". The password for the PFX files in my pre-requisites folder is password.
- After you've imported the certificates into the My-Store, your certificate store should look as follows:
- Import both certificates into the "Trusted People"-store as well so that the certificate validation can succeed!
- Now start Visual Studio 2008 as administrator (so that WCF can register all listeners while debugging) and open the solution <working-directory>\Simple STS For Active Clients\SimpleSTSForActiveClients-VS2008.sln
- For verifying if the Microsoft-side is working, start the projects SimpleActiveSTS-VS2008, ClaimsAwareWebService-VS2008 and NET.TestClient for debugging (or without debugging).
- In the Client enter "net" and press enter. Your screen with the running applications should look as follows:
Make the Java-side running on your machine
After you've setup the Java-configuration as outlined before, the only things left are (a) opening and configuring my web service project and (b) configuring the certificates of your Glassfish domain. For this purpose follow these steps to make things running:
- For a default Netbeans 6.5 installation, the first step is taking a look at where your Glassfish personal domain is going to be executed. For this purpose open Netbeans, switch to the "Servers" tab in your solution explorer / project explorer and view the properties of Glassfish:
- In the dialog that appears you see where your personal domain is going to be executed. This is important because this directory contains the *.jks files, which are the certificate storage in the Java solution:

As you can see in the preceding dialog, my example domain is running in the "D:\Data\.personalDomain" directory. There you will find two files, the cacerts.jks file (trusted certificates) and the keystore.jks file (server certificates).
- Now that you know these stores, you need to import the STS' certificate into the cacerts.jks store. For this purpose you import the STS certificate from the file I provide as "pre-requisites\sts.cer", as follows from a Java command prompt:
keytool -import -alias sts -file sts.cer -keystore d:\data\.personalDomain\personalDomain\config\cacerts.jks
- Next you need to export the Glassfish domain certificate from the keystore.jks file as follows:
keytool -export -alias s1as -file s1as.cer -keystore "d:\Data\.personalDomain\personalDomain\config\keystore.jks"
- Finally the certificate exported in step 4 needs to be imported into the Windows certificate store, again into the Trusted People and the My store of the local machine. The following screenshot shows the imported certificate highlighted in the Windows certificate store - note that the certificate is generated during the domain-creation / installation process and will have your machine name in its subject.
![Console1 - [Console Root\Certificates (Local Computer)\Trusted People\Certificates]](http://blogs.msdn.com/blogfiles/mszcool/WindowsLiveWriter/IdentityInteroperability.5Releaseworking_A315/Console1%20-%20%5BConsole%20RootCertificates%20(Local%20Computer)Trusted%20PeopleCertificates%5D_thumb.png)
The "vaiom" certificate is the "s1as.cer" file I previously exported from the keystore.jks Glassfish store. Note that I have imported it into both the "Personal" and the "Trusted People" store!
- Therefore the next step is modifying a line of code in my STS implementation to match the Glassfish certificate name for encrypting the SAML token. The following screenshot outlines the place where you need to do that.
As the previous image shows, the string constant javaGlassfishCertificateName needs to have the full machine name in the first part of the common name (highlighted in the image). Note that if your machine is joined to a domain you need to enter the full domain name of the machine, as this is the way Glassfish generates the name for these certificates.
- Now update the URL for your NET.TestClient project by opening the configuration file "app.config" in the project and modifying the URL of the Java web service to match your machine name and the ports used by Glassfish:
- Now start the STS and the NET.TestClient from within Visual Studio (best without debugging by highlighting each of the projects and pressing CTRL-F5).
- Next it's time to start the Netbeans IDE and open the project "<workingdir>\JavaNewService" that I am delivering in the downloads.
- Verify the configuration by right-clicking the TestClaimsBased node in the Web Services node within Netbeans. The configuration should look as follows:
- Now right-click the JavaNewService node in the project explorer of Netbeans and select "Deploy". This should compile the project, start the Glassfish server and deploy the project. The output window of Glassfish should then show the URL where the project is running, as follows:
- Now switch to the running NET.TestClient instance, enter "Java" and press enter (cross your fingers now;))
- If your client's output looks as follows then you're fine, everything worked very well:
- Switch to your Netbeans IDE and open the Glassfish output window. It should have all the claims extracted from the SAML token in its output, as follows:
Now you're done, everything is fine and the identity-interop experiment was successful... hope you enjoyed it and hope that this helps you in the future in your projects...
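The step that bit me above, the STS constant for the Glassfish certificate name having to carry the machine's full DNS name, is easy to check before the first cross-platform call. The following is an added example and not part of the downloads for this post: it assumes that the STS constant (javaGlassfishCertificateName in the screenshot) holds the full subject distinguished name of the Glassfish "s1as" certificate, and the subject DN and host name below are constructed sample values.

```python
"""Verify that the name configured in the STS matches the Glassfish certificate subject.

Added example, not part of the blog post's download. Assumption: the STS constant
holds the complete subject DN of the Glassfish "s1as" certificate. Sample DNs below
are constructed (the blog post only shows the short name "vaiom").
"""
import socket

# Constructed: subject of an s1as certificate on a domain-joined machine.
GLASSFISH_SUBJECT = "CN=vaiom.corp.example.com,OU=GlassFish,O=Sun Microsystems,L=Santa Clara,ST=California,C=US"
# Constructed: the typical mistake on a domain-joined box, only the short machine name.
WRONG_STS_CONSTANT = "CN=vaiom,OU=GlassFish,O=Sun Microsystems,L=Santa Clara,ST=California,C=US"


def parse_dn(dn: str) -> list:
    """Split an RFC 4514 style DN into (TYPE, value) pairs.

    Backslash escapes are honoured, so a "\\," inside an O= value does not start a
    new component. Attribute types are upper-cased; values keep their case.
    """
    pairs, key, buf, escaped, in_key = [], "", [], False, True
    for ch in dn:
        if escaped:                      # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif in_key and ch == "=":       # end of attribute type
            key, buf, in_key = "".join(buf).strip().upper(), [], False
        elif not in_key and ch == ",":   # end of attribute value
            pairs.append((key, "".join(buf).strip()))
            buf, in_key = [], True
        else:
            buf.append(ch)
    if key or buf:
        pairs.append((key, "".join(buf).strip()))
    return pairs


def common_name(dn: str) -> str:
    """Return the first CN component of a DN, or "" if there is none."""
    for attr_type, value in parse_dn(dn):
        if attr_type == "CN":
            return value
    return ""


def _normalized(dn: str) -> list:
    return [(t, v.lower()) for t, v in parse_dn(dn)]


def check_glassfish_cert_name(configured_dn: str, actual_subject_dn: str, machine_fqdn=None) -> list:
    """Return a list of problems; an empty list means the STS constant matches the cert."""
    if machine_fqdn is None:
        machine_fqdn = socket.getfqdn()  # what Glassfish puts into the CN on a domain-joined machine
    problems = []
    cert_cn = common_name(actual_subject_dn)
    conf_cn = common_name(configured_dn)
    if cert_cn.lower() != machine_fqdn.lower():
        problems.append("certificate CN '%s' is not this machine's name '%s'; the s1as certificate "
                        "may stem from another domain or installation" % (cert_cn, machine_fqdn))
    if conf_cn.lower() != cert_cn.lower():
        hint = ""
        if cert_cn.lower().startswith(conf_cn.lower() + "."):
            hint = " (domain-joined machines need the full DNS name)"
        problems.append("configured CN '%s' does not match certificate CN '%s'%s" % (conf_cn, cert_cn, hint))
    elif _normalized(configured_dn) != _normalized(actual_subject_dn):
        problems.append("CN matches but other subject components differ; a lookup by "
                        "distinguished name would not find the certificate")
    return problems


if __name__ == "__main__":
    for problem in check_glassfish_cert_name(WRONG_STS_CONSTANT, GLASSFISH_SUBJECT, "vaiom.corp.example.com"):
        print("problem:", problem)
```

In a real setup you would paste the subject printed by `keytool -list -v` for the s1as alias as the second argument and leave `machine_fqdn` unset so the script compares against the machine it runs on.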
Have a nice weekend
Mario
-
Check out here - nothing to add, just that it is a cool blog posting from my architect peer in Spain;)
http://blogs.msdn.com/cesardelatorre/archive/2009/01/11/windows-7-natively-booting-from-a-vhd-virtual-pc-image-file.aspx
-
First of all I wish all the readers of my blog a happy new year 2009, good luck and especially good health (I think that's much more important than success;))...
As a stressful week (several customer briefings - one with a longer trip at the beginning of the week, a presentation at university on agile development and presentations on identity) is ahead of me, I started thinking a little bit about all these different things. I really realized during the Christmas days that I need to focus a little more on a few topics and stay with others in a broader (architectural-only;)) sense... And finally my thoughts on the core topics I would like to stick with this year are the following, as I strongly believe these are things that will move the market within the next couple of years more or less dramatically - and together with my peers, partners and friends I would like to be a part of these big changes within and without Microsoft (that doesn't finally matter:))
- Identity meta System, identity federation, claims-based security
I strongly believe in the holistic overall story behind the concepts of the identity metasystem as outlined by Kim Cameron (http://identityblog.com). Although my experience is that getting this topic to the market is pretty hard to do, as most people stick with classic, old, inflexible role/user-based security systems (which are a subset of the metasystem's concepts), for me that furthermore is a strong indicator that this is going to change the IT industry within the next years more or less dramatically... Also there are some local Austrian initiatives going on that I would like to support and be part of which definitely fit into the same area - Portal-Interconnection (Portalverbund), Citizen-Card etc. A perfect dream would be bringing those together... Technology-wise for me that means a focus on WCF, Cardspace and Geneva on the Microsoft side and Eclipse Higgins, Sun Metro, Novell DigitalMe and some others on other platforms (whereas as a Microsoftie my stronger focus will remain on the MS part;)).
- Modeling-strategies, Software Factories and DSLs
This is another topic of interest for me... During the presentation at the university in December I again saw that DSLs and factories are a powerful, very powerful instrument. I also believe that the strategy Microsoft is now following in this area, by supporting DSLs and factories AND UML as a general-purpose modeling toolset, enables a great combination of tools and paradigms for architects. Finally, technology-wise that means a focus on DSL toolkits, Microsoft Blueprints and Oslo as soon as it gets more concrete;) In this area I will stick to the theoretical and practical side within the Microsoft world (as long as I am working for MS I will have to;)) and to the theoretical level in the non-Microsoft world.
- Architectural Patterns and Paradigms and Strategic Thoughts in a Services World
Well, as a solutions architect I will have to stick with this world in a broad fashion, right? More exactly I will try to combine these efforts here with the previous ones in connection with S+S, SOA and Composite Apps in general. This will involve some technology focus on Azure, Composite WPF, Composite Web, WCF and a little BizTalk (but not too much), but in general I will stick at the level of patterns, approaches, practices in this area.
- Driving the Microsoft Innovation Center Interoperability Initiative in Austria
The last thing with which I will try to help the market is something I will set up very early this calendar year in Vienna... I have designed a complete concept for an initiative to help the Austrian market deal with interoperability challenges between Microsoft technologies and other platforms. This is kind of organizational work, as by far I do not know everything from a technical side in this area - so content-wise I WILL need help to get this running... more details will follow;) My concept for the program nevertheless includes a council as a steering committee for the program, training and lab initiatives, university initiatives and good old, well-known one-day events... Anyway - what's definitely true is that neither I nor Microsoft can deliver these workshops alone, because "interoperability" is always a matter of building bridges... anyway... that's coming soon, and you can keep an eye on my blog and our team blog for news on this initiative... and of course for feedback on anything I / we propose / do etc., so that we can adapt the initiative to the needs of our market...
For me that's a clear focus on some technologies more related to my core topics... I would be more than happy to get in touch with people with similar or the same interests locally and internationally. So it would be great reaching out to me either through channels such as xing or facebook or directly through the blog for the sake of sharing experience, feedback and recommendations on all these initiatives... at least locally I will give my best to incorporate everything possible;)
Cheers
Mario
-
Last week I did a presentation at the technical university of Vienna on Microsoft's strategies for modeling and Software Factories. It was a great pleasure and fun for me to deliver this presentation as we had really interesting discussions afterwards with students on these topics.
Below you can find the assets I produced for this presentation as downloads:
PowerPoint Presentation Download (as PDF)
Simple WCF Service Factory Demo
Simple Test DSL created with the VS 2008 SDK
Although I haven't been blogging a lot about this topic yet, I strongly believe in this strategy. Especially since I attended the Strategic Architect Forum, where Jack Greenfield clarified some recent developments publicly announced at PDC 2008 last October. The key questions Jack answered are, for me:
- UML and Microsoft - Why did Microsoft change its perception of UML and include UML diagrams with Visual Studio 2010 now, while they were claiming it isn't a core strategy?
Well, simple and pragmatic: my understanding is that we think you can boost your productivity for most software products with factories and DSLs for about 60-80% of the development. For the many more "specialized" developments that weren't part of your product-variation planning for some reasons (e.g. ROI) you still need to have structured processes and ways for covering these parts. This is exactly where UML and other general-purpose modeling approaches can definitely help. And I think that, besides the fact that customers want us to support UML, that is the major reason for doing so.
- How does the future of the DSL Toolkit look, as Microsoft announced OSLO at PDC in October?
I think the easiest way to answer these questions is taking a look at Jack Greenfield's and Stuart Kent's blogs. Click one of the following links below:
So the answer seems to be pretty simple according to these blog postings: the much richer successor of GAX/GAT will be Microsoft Blueprints. For DSL Tools and Blueprints the product team wants to have a plan in place for a smooth migration. But as I personally think that OSLO will take some more time to complete, I think we have some "time buffer" here. In the meantime I think DSL Tools are a pretty good way to move on;) Currently I am thinking about creating a DSL for Composite WPF, which might be a funny thing... depends on how much time I have left in my vacation next week:))
Having that said I wish all of you a merry Christmas and a happy New Year;)
Mario
-
Immediately after my previous post the next one is following;) Last week on Friday, December 12th, we had a great event together with David Chappell in our new conference center right above our M.I.C. in Vienna.
At this cloud computing day, David gave a great insight on the Cloud Computing market in general and, of course, especially on Microsoft's offerings around the Windows Azure Services platform. David did a great job in talking about the different flavors of platforms that are available on the market from a variety of vendors (especially Microsoft, Amazon, Google and Salesforce.com). Also David was great in explaining the core business and architectural concepts of our own cloud offerings around Azure.
In the second part of the conference day I had the pleasure to once again step up and do a deep-dive coding session (although I shouldn't as an architect... but I still love getting my hands dirty if the topic and the prototype is cool and interesting;)). You can download the demo I presented by clicking the link below. I'd recommend to further read this posting to get an understanding of what I did;)
So I decided to implement a complete scenario to demonstrate some of the core concepts of the Azure Services Platform (not touching other parts of the platform such as .NET Services, SQL Services or Live Services;)). With the scenario I tried to show the following concepts:
- Web Roles and Worker Roles and how to use them.
- Queue-based storage and how to leverage queues for asynchronous communication between web and worker roles.
- Finally the blob storage as a means for storing binary data, similar to file systems in on-premise operating systems.
The scenario I decided to implement was a simple shop-application as you can see in the following graphics. The web-role was supposed to be the front-facing part of the shop while the worker-role was intended to process orders submitted through the shop in an asynchronous way. As a simple but nice example for order-processing I decided to use the Office Open XML APIs to generate a Microsoft Office Word 2007-based order-document that gets stored in the blob-storage and made accessible through the web role afterwards.
During the 90 min. demo I started building a simple ASP.NET application with nothing special in it. I used the ASP.NET Session object for storing my shopping basket, just for the sake of having a simple start-up for the demo session without any new concepts. We then even deployed the solution on the Azure online platform to demonstrate the admin UI the current CTP is offering. We did that at the beginning as currently the deployment and configuration update takes some time on the CTP (about 20 min. ... but unfortunately I then forgot to show the running application).
Hint about a question I got during the presentation on ASP.NET Session State: of course the ASP.NET session state isn't persistent and therefore not available across multiple instances of a web role. For this purpose you would need to write your own session-state provider that leverages the Azure Table Store or Blob Store for getting persistent storage for sessions. There is actually an example of how to do this for the session provider and even for other ASP.NET providers such as the Membership or Roles API!!! So that's the way of dealing with persistent sessions in Azure:) Hope that answered the question now:)
In the next step we created the Check-Out page that XML-serialized the contents of my Session-based shopping basket (which was a simple list of Product items) and put it into an Azure Queue Storage to make this stuff available for worker role instances that asynchronously processed the order (generated documents with the Office Open XML APIs).
One question here was about scaling up worker roles because I used "waiting loops" that were waiting for incoming messages on the queue with thread sleeps of 10 sec. Of course that wasn't a very scalable approach, I tried to keep it simple. For scaling Worker Roles you have several, but in my opinion very well-known, approaches. Let me give you just a few of them: spawning threads whenever a new message is received or creating and running multiple instances of worker roles are ways of scaling out at this layer.
Then this brought up a second question: what about locking messages that are accessed from the queue if multiple Worker Role instances (or threads) are running? And well, the answer is simpler than I thought (I didn't know that at the presentation). Actually the queue has mechanisms to avoid "parallel" access to the same message by multiple worker role instances. When you issue a GET operation onto the queue, it (a) makes sure that the sender of the first GET request that arrives for a message exclusively gets access to the message (we do not need to deal with that) and (b) you can add an HTTP header to your request where you specify for how long a message on the queue will be invisible to other requests for retrieving the message. The default value here is 30 sec. and the max. value is 2 hours in the current CTP. If you just want to access the messages without making them invisible you can use a PEEK instead of a GET request to the queue.
Afterwards the last question was whether there is a way for a worker role to be notified if a new message is available at the queue instead of querying the queue continuously as we did in our example! Well, not really without using the .NET Service Bus and WCF here (I haven't found anything on this)... but the reason is pretty obvious for me, as well. Every storage concept of the Azure Services Platform is accessed through REST-style APIs. That means whenever you want to get something from the storage you need to execute an HTTP request against the URL of your storage and that's it. For example, putting a message to a queue is an HTTP POST request with the XML payload in the body to the queue's URL. Retrieving a message from the queue and blocking it for a specified period of time is an HTTP GET request to the queue (the default time is 30 sec. as outlined before) and retrieving a message without blocking it is an HTTP request with a custom verb (PEEK). So it always needs to be pull-based access instead of being notified. Of course with a combination of worker roles and WCF services in the Service Bus you can "mimic" the behavior of being notified. I know this might be a weakness, but don't forget that we are (a) in a very early stage of the Azure platform and that (b) there are some more sophisticated aspects available that allow you to implement more complex communication patterns, such as the .NET Service Bus, which we didn't use at all in our demo.
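The GET/PEEK behaviour from the two answers above, as an added example that is not part of the original post or the demo download: an in-memory model of one queue with the visibility timeout (30 sec. default, 2 hours max.) and a worker's pull loop, run for two worker instances competing for the same order message. The order payloads, the fake clock and the delete step (which the post does not cover, but which keeps a processed message from reappearing) are assumptions of this example.

```python
"""Model of the queue GET/PEEK semantics described in the post. Constructed
example, not the Azure storage client library or the demo's own code."""
import itertools
from dataclasses import dataclass
from typing import Callable, List, Optional

DEFAULT_VISIBILITY = 30        # seconds; the default named in the post
MAX_VISIBILITY = 2 * 60 * 60   # two hours; the CTP maximum named in the post


@dataclass
class Message:
    message_id: int
    body: str
    invisible_until: float = 0.0   # clock value at which the message reappears


class QueueModel:
    """In-memory queue; `now` is a fake clock, advanced with advance()."""

    def __init__(self) -> None:
        self.now = 0.0
        self._ids = itertools.count(1)
        self._messages: List[Message] = []

    def advance(self, seconds: float) -> None:
        self.now += seconds

    def put(self, body: str) -> int:
        # REST: HTTP POST with the payload in the body
        msg = Message(next(self._ids), body)
        self._messages.append(msg)
        return msg.message_id

    def peek(self) -> Optional[Message]:
        # REST: PEEK verb; first visible message, hidden from nobody
        for msg in self._messages:
            if msg.invisible_until <= self.now:
                return msg
        return None

    def get(self, visibility_timeout: int = DEFAULT_VISIBILITY) -> Optional[Message]:
        # REST: HTTP GET; the first GET to arrive wins, and the message stays
        # hidden from every other GET or PEEK for visibility_timeout seconds
        if not 0 < visibility_timeout <= MAX_VISIBILITY:
            raise ValueError("visibility timeout must be between 1 s and 2 h")
        msg = self.peek()
        if msg is not None:
            msg.invisible_until = self.now + visibility_timeout
        return msg

    def delete(self, message_id: int) -> None:
        # Not covered in the post: a processed message has to be removed, or
        # it reappears when the timeout expires and gets processed twice
        self._messages = [m for m in self._messages if m.message_id != message_id]


def poll_once(queue: QueueModel, handler: Callable[[str], None],
              visibility_timeout: int = DEFAULT_VISIBILITY) -> Optional[int]:
    """One pass of a worker role's pull loop: GET, process, DELETE."""
    msg = queue.get(visibility_timeout)
    if msg is None:
        return None                 # nothing there; a real loop sleeps and retries
    handler(msg.body)
    queue.delete(msg.message_id)    # only after processing succeeded
    return msg.message_id


def two_workers_compete(visibility_timeout: int = DEFAULT_VISIBILITY) -> dict:
    """Trace of two worker instances hitting the same queue (constructed data)."""
    queue = QueueModel()
    queue.put("<Order><ProductId>42</ProductId></Order>")
    first = queue.get(visibility_timeout)        # worker 1 arrives first and wins
    second = queue.get(visibility_timeout)       # worker 2: message is hidden
    hidden_peek = queue.peek()                   # PEEK does not see it either
    queue.advance(visibility_timeout + 1)        # worker 1 never deleted it...
    reappeared = queue.get(visibility_timeout)   # ...so it is visible again
    queue.delete(reappeared.message_id)
    handled: List[str] = []
    queue.put("<Order><ProductId>7</ProductId></Order>")
    done = poll_once(queue, handled.append, visibility_timeout)
    return {
        "first_get": first.message_id,
        "second_get": second,
        "peek_while_hidden": hidden_peek,
        "get_after_timeout": reappeared.message_id,
        "poll_once_processed": done,
        "left_after_poll": queue.peek(),
        "handled_bodies": handled,
    }
```

The trace shows why a worker that crashes mid-processing is harmless (the message comes back after the timeout) and why the timeout must be longer than the document generation takes.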
In the next step we implemented the logic of the worker role that generated the document. We then finally stored the document in the Azure blob-storage which is a kind of a replacement of a file-system as we know it from on-premise operating systems. From this storage we accessed the documents in the last ASPX-page we created back in our worker role...
Well, and after that I was pretty tired because it was a long, hard and risky demo with these CTP bits... but I am happy that everything worked out and I hope that you liked the presentation and the contents of this posting, where I tried to also answer some of the questions I got during the demo walk-through. For me it was great fun doing this in any case - it was a great day with David before lunch and it was so cool walking through this demo which I prepared until about 1 a.m. the evening before... cool stuff and I really believe in this kind of cloud computing for many scenarios...
If you want to start working with these things, just try to request your access tokens (will take some time) through the following resources:
Azure Services Invitations on the Microsoft Connect platform (connect.microsoft.com) as mentioned during my session...
http://lx.azure.microsoft.com/ which is the official entry point for the Windows Azure Services Platform management console.
https://www.microsoft.com/azure/default.mspx which is Microsoft's official entry-point to the Azure services platform and information on the Azure services platform.
If you have any further questions, feel free to comment on this blog post or contact me through this blog here;) I'd be happy about any feedback from you:)
Cheers
Mario
-
A little late but nevertheless I managed to publish my demos from this year's TechEd Europe 2008 in Barcelona from my session on the identity meta system applied to real world projects in Austria.
As mentioned, the experience I summarized in the session comes from a project we've been driving in Austria in the electronic health care sector as outlined in issue 16 of the architecture journal in my article.
You can download the demo applications from my session at TechEd by clicking the link below:
Also here you can download the presentation material of my session by clicking below:
Essentially in my presentation I really focused on discussing four things where in my opinion the concepts from the identity meta system vision really helped us implementing our stuff:
- Clear separation of concerns
Separation of where authentication happens from where authorization happens enables you to switch authentication modes without affecting your back-end services. If authentication happens at all your services, you need to touch all the clients and services for doing so. If you separate authentication out into a Security Token Service you just need to touch your clients and the STS while the services at the back end can remain untouched. In the attached demos you need to work with the NET.SecondTestClient, the mszcool-ActiveSTS and the ClaimsAwareWebService-VS2008 projects to test out what I've shown in my session.
- Simplification through Claims
Claims-based security helped us implement the two-factor authentication that was a requirement according to the strong data protection law. More on that later in this post.
- Building bridges between domains and/or platforms
On the one hand, trust chains between Security Token Services helped us separate out responsibilities and ownerships that were assigned for political reasons, while still retaining an easy way to change these responsibilities and ownerships by just merging or splitting STSes if the political interests changed. On the other hand, transformation of tokens from rather proprietary tokens to standardized tokens is another thing where the separation of concerns between authentication (STS) and authorization (relying party service) really can help. In the attached demo you need to work with the JavaWebHostNew Netbeans 6.5 project as well as the NET.TestClient and the SimpleActiveSTS-VS2008 projects to try the things I've shown in my session at TechEd.
Coming back to the second point I outlined above. If you're working with the NET.ThirdClient, the mszcool-activeSTS and the ClaimsSuperTokenService you can try out a simple implementation of our approach for making sure that things are only published into some e-health system if the patient explicitly agrees at least two times. The model from a business point of view was the following:
- For getting read access, a patient needs to explicitly authenticate with his e-card when visiting a doctor for a medical treatment at the reception. For the time of the treatment the doctor gets read-only access to documents published in a variety of e-health services. For this purpose, the e-card STS issues a standard token with standard claims based on the e-card authentication. E-health services do not allow updating any content with this standard token because the STS does not add what we called the super-token-claim.
- For updating content in e-health services the patient needs to explicitly authenticate for each update-process in addition to the previously mentioned, first authentication step. During this authentication the client application sends the previously issued token as a means of authentication to the STS which leads the STS to add a super-token-claim to the issued token. Therefore e-health services detect the presence of the super-token-claim and allow writing / updating content to their storage.
The following graphics outline what's going on there. Take the first graphic as an example. Here the previously defined process is executed as needed. The client authenticates for reading and gets a token for reading without the super-token-claim. Later during the medical treatment the doctor wants to publish something and therefore the patient authenticates a second time. That second authentication includes the previously issued SAML token, which leads the STS to include the super-token-claim in the newly issued token. With this newly issued token the client software of the doctor can issue an update on the back-end e-health service of the current context.
If one of the authentication steps, either the first or the second one, is missing, the STS won't issue a token with a super-token-claim. And therefore the e-health services should and can simply deny access to any updating operation - based on a simple query whether a claim has been added to the token issued by the STS or not. The following graphic demonstrates what happens if the client tries to update content in an e-health service without the first authentication step, so that you can better understand our selected approach and idea:
The neat thing is that the e-health services really just need to query the issued SAML-token from the STS for the super-token-claim. If it's there let updates happen, if not then not;) As simple as that. In classic scenarios they would need to manage sessions, state and all that stuff what is much more complicated.
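The two-step model above, as an added example that is not the Zermatt-based STS or the e-health services from the demo download: an STS that only adds the super-token claim when the second authentication presents the token from the first one, and a relying party whose update check is nothing but "is the claim in a validly signed token". A signed JSON payload with an HMAC stands in for the signed SAML token, and the claim name, key and patient id are constructed for this example.

```python
"""Model of the super-token-claim pattern described in the post. Constructed
example, not the Zermatt-based STS or e-health services from the demo download.
A signed JSON payload stands in for the signed SAML token."""
import hashlib
import hmac
import json
from typing import Optional

SUPER_TOKEN_CLAIM = "super-token"   # claim name is an assumption of this example
PATIENT_CLAIM = "patient-id"


def _sign(key: bytes, payload: str) -> str:
    # HMAC stands in for the STS's XML signature over the SAML token
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()


def verify_token(sts_key: bytes, token: str) -> Optional[dict]:
    """Relying party / STS: check the signature; return the claims or None."""
    payload, sep, sig = token.rpartition(".")
    if not sep or not hmac.compare_digest(sig, _sign(sts_key, payload)):
        return None
    return json.loads(payload)


def issue_token(sts_key: bytes, patient_id: str, ecard_ok: bool,
                previous_token: Optional[str] = None) -> Optional[str]:
    """STS: issue a token after e-card authentication.

    Standard claims only, unless the patient authenticated a second time and
    the client presented the token from the first authentication: then the
    super-token claim is added.
    """
    if not ecard_ok:
        return None                          # no e-card authentication, no token
    claims = {PATIENT_CLAIM: patient_id}
    if previous_token is not None:
        prior = verify_token(sts_key, previous_token)
        # the first token must be ours and must belong to the same patient
        if prior is not None and prior.get(PATIENT_CLAIM) == patient_id:
            claims[SUPER_TOKEN_CLAIM] = "true"
    payload = json.dumps(claims, sort_keys=True)
    return payload + "." + _sign(sts_key, payload)


def may_read(sts_key: bytes, token: str) -> bool:
    """e-health service: any validly signed token allows reading."""
    return verify_token(sts_key, token) is not None


def may_update(sts_key: bytes, token: str) -> bool:
    """e-health service: updates need only the presence of the super-token claim."""
    claims = verify_token(sts_key, token)
    return claims is not None and SUPER_TOKEN_CLAIM in claims


def walkthrough(sts_key: bytes = b"constructed-sts-key") -> dict:
    """The two graphics from the post, plus a tampered token, as one trace."""
    # first graphic: read token at the reception, then a second authentication
    read_token = issue_token(sts_key, "p-0815", ecard_ok=True)
    update_token = issue_token(sts_key, "p-0815", ecard_ok=True,
                               previous_token=read_token)
    # second graphic: update attempt without the first authentication step
    second_only = issue_token(sts_key, "p-0815", ecard_ok=True)
    # claim pasted into the read token without the STS signing it
    forged = (json.dumps({PATIENT_CLAIM: "p-0815", SUPER_TOKEN_CLAIM: "true"},
                         sort_keys=True) + "." + read_token.rpartition(".")[2])
    return {
        "read_with_read_token": may_read(sts_key, read_token),
        "update_with_read_token": may_update(sts_key, read_token),
        "update_after_second_auth": may_update(sts_key, update_token),
        "update_without_first_step": may_update(sts_key, second_only),
        "update_with_forged_claim": may_update(sts_key, forged),
        "token_without_ecard": issue_token(sts_key, "p-0815", ecard_ok=False),
    }
```

The forged case is the reason the relying party must verify the STS signature before looking at claims; the claim check itself stays as trivial as the post describes.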
In my opinion this really shows, how claims-based security (as a part of the concepts from the identity meta system vision) really simplifies complex processes in the security world by separating the responsibility of authentication from authorization and by making authorization as simple as querying standardized tokens for claims.
If you're interested in my approach for building bridges between platforms through the separation of concerns with STS'es and relying parties, just take a look at my previous posting which I created for TechEd 2008 and the local DevCamp conference here...
Any questions - feel free asking me through comments or the contact link here of the blogging-engine;)
Cheers
Mario
-
I am very proud that we were able to secure David Chappell for our half-day conference about cloud computing!
On December 12th, right before Christmas, David will join us in Vienna, Austria. He will talk about his view on cloud computing in general and about several cloud computing platforms including those from Microsoft, Amazon, Google & Co.
More specifically, he will unveil many of the details about the architecture and the possibilities of the Windows Azure platform we recently announced at PDC in L.A. last week. In the second part one of my colleagues and I will unveil some more technical details of Azure by developing two simple sample applications based on the Azure platform, so that you will be able to understand what developing for Azure will mean and how much of your code you can re-use between the on-premise and cloud world.
If you are interested in our Cloud Computing day, you should check out more details about the event here and register ASAP on our event registration home-page.
I would be happy to meet you for this conference in Vienna;)
Mario
-
(Click here to download my Security-Interop-Sample)
(Click here for downloading the presentation)
While I am here at PDC studying the most exciting new stuff from Microsoft around Software+Services and much more interesting platform-enhancements (Dublin, Velocity, Geneva etc.) I promised about more than a week ago at the DevCamp 2008 conference in Vienna that I will publish some details about a demo on security I've shown in my session about applying concepts from the Identity Meta System Vision in the real world for heterogeneous environments.
The session itself was all about taking the separation of concerns in terms of authentication and authorization that is proposed by federated identity patterns. Furthermore it was about learning, how this SoC can help you solving real world problems when it comes down to implementing security in your solutions.
Click here for downloading the presentation. I'd strongly recommend you do this before moving on in this post!
In the last demo I've shown a Security Token Service (STS) written with Microsoft Codename "Zermatt" that authenticates requests coming from a .NET-based client application through Windows Authentication and transforms the (proprietary;)) Windows token into a standards-based SAML token. Why that? Well, non-Windows-based platforms won't be able to deal with a proprietary Windows token for authorizing requests - especially if they're not running on Windows. But they will be able to work with SAML as it is just signed XML with information about an authenticated user, proven by an identity provider (the security token service). The following picture shows the scenario I've implemented:

In this post I give you a step-by-step guide how-to setup the samples which you find for download under the following link:
Click here to download my Security-Interop-Sample
In the following sections I summarized the pre-requisites and steps you need to complete for making the sample above work!
Installation Pre-Requisites
- Microsoft-Part of the Sample
- Java-Part of the Sample
Steps to make the Microsoft / .NET Side running:
- Install the certificates using Zermatt Samples Utilities
The necessary batch files for doing so are located in the Zermatt directory (typically “C:\Program Files\Microsoft Code Name Zermatt\Samples\Utilities”) – execute the SamplesPreReqSetup.bat in a Visual Studio Command Prompt as Administrator.
- Run Visual Studio 2008 as Administrator and open the SimpleSTSForActiveClients-VS2008.sln Visual Studio 2008 solution located in the “<your working folder>\DevCamp\Simple STS For Active Clients” directory. This is a modified and extended version of the standard Simple Active STS sample included with Microsoft Code Name “Zermatt”.
- Right-click the solution and configure the startup-projects so that the STS, the .NET-based test service and the test-client start-up as shown in the following screen-shot:

- Try the solution by pressing CTRL-F5 in Visual Studio to run everything without debugging. It is important that you follow these steps in the running applications:
- In the “ClaimsAwareWebService-VS2008” project enter “1” to take the included simple active STS as the security token service.
- In the client application type in “net” to call the .NET-based service and verify whether the STS and the .NET-based service as well as the client are working properly on your machine!

Make the Java-Side working
Now, after the .NET-based solution is running, we can move forward by getting the Java version of our claims-based web service running. For that purpose follow the subsequent steps:
- First of all run Netbeans Developer studio as administrator and make sure that all application server references are registered with your IDE. With the Netbeans 6.5 beta I’ve installed, just Glassfish v3 was included in the server list. So you need to add Glassfish v2 (which is the one I’ve tested the service with) to your services list. For that purpose follow the next sub-steps but note that by default Netbeans should create a personal domain during the installation of the IDE:
- In the left panel switch to the services tab and open the “Servers” tree-view element.
- Right-click the “Servers”-node and select “Add Server”
- Select “Glassfish V2” from the list and leave the name below as it is.

- Create a personal domain for the application server that will install some configuration files in your local user profile. These files also will include the certificate store for your development instance of the app-server.

- Select a folder for the development domain where you would like to install the configuration files to as shown in the following screen (note that there it will be “D:\Data\.testDevDomain” which is what I will refer to later on, as well)

- Then you will have to select an administrator user name and a password and afterwards you will need to specify the ports on which the server is running. Make sure that nothing else runs on these ports and note the ports as you will need them later on.
- Then open the Java-project I’ve included in the samples-download. This project is located in the “<your working folder>\DevCamp\JavaWebHostNew” directory. Just let Netbeans point to that directory in the open-project dialog and it will detect that this is a Netbeans-project, automatically.
- You probably will need to update a few references to point to dom4j and Jaxen as I use these libraries for some XML processing in the test application. Netbeans will warn you if you need to update the references. If so, switch to the “Projects” tab in the panel on the left, navigate to your project “JavaWebHostNew” and within there to the “Libraries” node. Right-click the “Libraries” node and select “Add Jar / Folder” from the context menu. Add the “dom4j-1.6.1.jar” and the “jaxen-1.1.1.jar” files as libraries this way to your project. I’ve included them in the download in the “<your working folder>\DevCamp\Pre-Requisites\Java” directory. Also remove all broken references from the project by right-clicking the project and going to the properties:

- After all libraries and references are set up correctly, you should be able to compile the solution using Netbeans successfully. Next we can start configuring the application server appropriately to get this stuff running.
- Next we need to install the Java cryptography policy extensions (JCE) with Java to be able to work with our certificates. For this purpose copy all files from the “<your working folder>\DevCamp\Pre-Requisites\Java\jce” directory to the “C:\Program Files\Java\jdk1.5.0_15\jre\lib\security” directory and overwrite all files.
- Now we need to install certificates for the two sides of the application – first the Java-service needs to be able to trust the STS and therefore it needs to have the STS’s public key in its trusted certificates store and second the .NET client and the STS need to have a way to trust the Java service and therefore we need to export the public key from the Java service’s certificate and import it into the Windows certificate store.
- To ensure, that the Java-service is able to trust and validate tokens issued by the STS, execute the following steps on your machine.
- Export the STS certificate from the Windows certificate store as DER-encoded file. Only export the public key. Store the file to a directory of your choice. The certificates are installed in the personal store of the local computer by the previously executed Microsoft Code Name Zermatt Samples Batch-file utilities when setting up the .NET based solution, before. You can get to the machine’s certificate store by starting a management console (mmc.exe) and selecting “File – Add / Remove Snap-In” and then select “Certificates” from the list, click the “Add >” button and then click okay. Make sure that you select “Computer Account” and “Local Computer” when adding the snap-in. You’ll find the certificate as shown in the following screen-shot:

- Import the STS-public key certificate in the trusted certificates store of your Glassfish personal domain by executing the following command (typically the password you have to enter is changeit by default):
keytool -import -alias sts -file sts.cer -keystore "d:\Data\.testDevDomain\config\cacerts.jks"

- Next we need to ensure that the STS and the client can trust the Java service. For this purpose we need to export the Java service’s certificate and import it in the Windows certificate store. To do so, follow these steps:
- Execute the following command to export the default service certificate from glassfish with its public key. This certificate is typically called s1as.

- Now import the certificate in the personal store of the local computer of the Windows Certificate store. Also import the certificate into the trusted people store so that the validation of the certificate can succeed.

- Before we test the web service solution we need to make sure that the correct WS-Policy configuration is set for the Java Web Service. For this purpose open the “Web Services”-node in your Netbeans-project and double-click the “JavaTestService” Web Service in the project. In the designer then click the “Advanced…” button to open the web service configuration dialog and make sure that it looks as shown in the following two screen-shots:

- Finally you can un-deploy and deploy the new service to Glassfish as shown in the following screen-shot.

- It’s important that you note the URL on which your web service is listening depending on the ports you configured for your Glassfish application server instance and development-domain. Typically this should appear in the output-window within the Netbeans-IDE for Glassfish as shown in the following screen-shot:

Final steps and then running the application
After you have configured Glassfish, configured the Java Web Service and deployed it, successfully, you can try the interoperability solution between Java and .NET. For this purpose you need to update the .NET test-client’s configuration to point to your running Java web service and then run the application. The URL to the Java-service is configured in the client’s App.config (NET.TestClient in my sample solution) as shown in the following screen-shot:

Just one last step before running it – you need to update the STS so that it encrypts the SAML-token with the certificate of your Glassfish Java Web service. As these certificates are re-generated for each machine you need to update my code in the sample to make it work. Update the certificate-name in the project “SimpleActiveSTS-VS2008” of my solution in the file “MySecurityTokenService.cs” and change the common name of the certificate to yours (you should only need to replace the machine-name part of the common name which is “vaiom” in my sample and should be “yourmachinename” in your environment):

After you have updated this one you can try to run the solution and instead of calling the .NET-based service you can call the Java-service by entering “java” instead of “net” when the client asks you which web service it should call. The following screen-shot shows the resulting application in action.

In the console windows you can see the .NET-based applications running: the claims-aware web service which is not called in this scenario, the security token service which issues a SAML token based on the Windows identity the client authenticates with, and the client itself that calls the Java service this time. In the background you can see the Netbeans IDE with the Glassfish output window, where the Java application clearly outputs the contents of the SAML token it gets passed from the STS. That SAML token just contains claims extracted from the Windows token the client authenticated with against the STS. And that way we managed to make security interoperability happen by transforming a proprietary Windows token into a standardized SAML token through an STS and giving Java access to the contents of the Windows token. Of course the Java application could run on a Linux box as well and still you would be able to use Windows and AD as the primary identity management system for managing users, groups etc. and include Java services (or other services) running on any OS in your security infrastructure, as they don’t need to know about any details of the security infrastructure. The only thing they need to know is the Security Token Service, which proves the fact that the user has been authenticated successfully by passing a signed SAML token through the client to the Java service. In my opinion that shows one of the things that unveil the real power of a federated identity infrastructure based on the WS-* standards...
If you have any feedback or questions, feel free getting in touch with me through my blog;) ... of course I'd be happy about any feedback:)
Cheers
Mario