I wrote the blog post below about 6 months back and just realised that I never actually got around to posting it. I the spirit of 'better late than never' here it is ...
.NET Framework 3.5 - Client Application Services
In .NET Framework 3.5, ASP.NET provides built in Web Application Services that provide access to features such as forms authentication, roles, and profile properties. These services provide building blocks to enable super-common scenarios and as a result can provide significant productivity wins and time-savings for developers.
The Client Application Services feature enables the Client developers to seamlessly leverage these Web Application Services from within their Client Applications. The feature also supports Occasionally Connect scenarios, enabling connected client applications to continue working even on loss of connectivity.
Consider the following scenario facilitated by this feature …
An enterprise leverages .NET 3.5 and exposes Authentication, Roles and Profile Application Services from their existing web servers. The enterprise has a mixture of Ajax, Silverlight and Rich Client applications, all of which are used by a typical employee on daily basis. The employee can now use one set of credentials to logon to all these applications and any preferences/settings modified at one location are reflects for all applications. When the employee is away from the corporate network, say on a flight, she can still continues to use her Client Application by logging on in the offline mode using the same credentials. Also, say an employee gets promoted to be a manager, all the enterprise needs to do is add her to the manager role on the server and now managerial data is available to her across all her web and client applications.
The heavy lifting involved in enabling the scenario above today lies in the underlying plumbing code; With Client Application Services in .NET 3.5 this plumbing is now taken care of by the framework itself, significantly boosting developer productivity.
Let’s walk through a scenario and see how easy it is to now add Web Settings support to your application -
Part 1: Create the web site –
1. In Orcas Beta2, Create a new ASP.NET Web Application
2. Set the authentication mode to Windows Authentication
<authentication mode="windows"/>
3. Fill in the profile section of the web.config.
<profile enabled="true">
<properties>
<add name="Text" type="string" readOnly="false" defaultValue="DefaultText" serializeAs="String" allowAnonymous="false"/>
<add name="Color" type="string" readOnly="false" defaultValue="white" serializeAs="String" allowAnonymous="false" />
</properties>
</profile>
4. Enable this property to be accessed via web services by adding this section to Web Config
<system.web.extensions>
<scripting>
<webServices>
<profileService enabled="true" readAccessProperties="Text, Color" writeAccessProperties="Text, Color"/>
Part 2: Create the Client Application –
1. Right click on the solution and add a new project (works the same for WPF or WinForms)
2. Right click on the new client project and select properties
3. In the Services tab, enable application services, select windows auth and fill in the services url for the Web Settings Service. For now it is the development server URL, in production this would be your ASP.NET web site.
4. In the settings tab, click on “Load Web Settings” ... this will pull down all the metadata for the profile properties defined on the server for the Windows User you are currently working as. ( If you were using Forms Authentication in your Application you would be prompted by the designer to enter you Forms Credentials before being able to download the settings meta data)
We are now ready to go! We can have strongly typed, async read-write access to your Web settings. These settings will stay in sync no matter where you change them (WinForms/WPF/Asp.Net/AJAX/Silverlight Application), they are reflected everywhere!
Examples:
Windows Forms code –
private void Form1_Load(object sender, EventArgs e)
{
BackColor = Color.FromName(Properties.Settings.Default.Color);
}
private void button1_Click(object sender, EventArgs e)
{
Properties.Settings.Default.Color = this.textBox1.Text;
BackColor = Color.FromName(Properties.Settings.Default.Color);
Properties.Settings.Default.Save();
}
ASP.NET Server side code –
function loadColor()
{
Sys.Services.ProfileService.load(["Color"], loadCompleteCallback, loadSaveFailed, "");
}
function btnSaveColor()
{
Sys.Services.ProfileService.properties["Color"] = document.form1.theColor.value;
Sys.Services.ProfileService.save(null, saveCompleteCallback, loadSaveFailed, "");
}
Source Code:
The attached sample code contains the above Client scenario enabled with additional Forms Authentication (Login/Logout), Roles and Offline support.
It also contains a Web Site with using the same Authentication and Profile service.
Additional Resources:
Web Application Services Overview …
http://msdn2.microsoft.com/en-us/library/bb547119(VS.90).aspx#Examples
Client Application Services Overview …
http://msdn2.microsoft.com/en-us/library/bb384339(VS.90).aspx
Client Application Services end to end walkthrough …
http://blogs.msdn.com/winformsue/archive/2007/05/20/client-application-services-in-windows-forms-end-to-end-walkthrough-available.aspx
Later today, I present @ VS Live the following talk ...
Building Rich Internet Application using Microsoft Silverlight 2.0
In this session, we will build a Video Search Web Site using Silverlight 2.0. The session will demo – how to use Visual Studio to create a Sliverlight applications, how to create UI using XAML markup and code, how to retrieve data from a web service, how to manipulate data with XML and LINQ, how to persist user settings using local storage, how to interact with browser using HTML DOM, how to use the SL OpenFile dialog etc …
Attached are the Source code/Presentaion/DemoScript for the talk .
Guthrie’s Silverlight Tips, Tricks, Tutorials and Links Page are available here.
The MIX sessions I referred to are available online here.
In particular, the talk above was modeled after Joe Stegman and Mike Harsh's MIX 08 session of the same name, the code for which is availabe here.
The UX Skin that I demoed was created by Corrina and she has bloged about it here.
The page demoing the Silverlight 2 Beta 1 controls is available here
Enjoy !!!
I am presenting at the Avanade Tech Summit in Seattle today on "Building a Rich Internet Application using Silverlight 2.0". Slides for the presentaion are attached to this post ...
The App I plan to build on stage is the same one Joe Stegman and Mike Harsh built during their MIX 08 session of the same name, and the code for which is availabe here.
Am presenting the following talk at DevConnections today -
VMS311: Smart Clients: What's New in Visual Studio "Orcas"?
Saurabh Pant
Visual Studio "Orcas" is about making the rapid application development experience even easier. In this overview we will introduce new features that allow Smart Clients to go where they never have before: including Occasionally Connected Systems, SQL Server Compact Edition, Client App Services, N-Tier Data, ClickOnce Deployment enhancements, as well as out-of-the-box ways to future proof your existing applications: including Windows Forms / WPF Integration, and Vista enhancements. Add to that the designer productivity enhancements and see an exciting new wave of smart client development.
If you were at the session the side deck is attached to this post as promised.
As always feedback/thoughts are welcome. Feel free to contact me through this blog is you would like additional information on any of the technologies discussed.
[Update]
My introductory post to Client Application Services is available here http://blogs.msdn.com/saurabh/archive/2008/05/16/net-framework-3-5-client-application-services.aspx
[Original Post]
Continuing further along in with our "Live from Redmond" series I shall be presenting the following talk on Nov 27th ...
Have attached the slide deck from the talk. The actual presentation can be viewed online at any time through the registration link below.
Live From Redmond: Client Application Services in Orcas
27th Nov 2006 [Click here to register]
Client Application Services are a new set of features in Orcas that enable application to authenticate users, get roles for the user and persisting user settings on a server. These Client Application Services work in conjugation with the Web Application Services for Authentication, Roles and Profiles also new in Orcas. Additionally these Client Application Services support Occasionally Connected Applications by supporting offline Authenticatoin, Roles and Profiles, where they work against a local cache instead of an online server.
This webcast will provide an introduction Client Application Services as well as examples of how to use the services in you own applications.
[Update 11/27]
The talk is now available online here [Click here for zipped download]
[Update 11/07]
Attaching the Slide Deck from the presentation to the post.
[Original Post]
Continuing with our highly popular "Live from Redmond" series I shall be presenting the following ClickOnce talk on Nov 7th ...
Live From Redmond: Configuring ClickOnce to best work for your deployment scenario
7th Nov 2006 [Click here to register]
The “ClickOnce” feature in .Net 2.0 brings the ease of web deployment and update to Smart Client Applications in an enterprise.
Are you an enterprise developing Line Of Business applications inhouse and want to know how best to deploy them internally using ClickOnce?
Are you a vendor and want to know how best to package your applications using ClickOnce so that they can be deployed by multiple enterprises?
Is the cross browser support important to your application and you want to know what ClickOnce offers in this space?
This webcast will discuss recommendations from the ClickOnce team on how ot best leverage ClickOnce for common deployment scenarios like above.
It will discuss the options available with the current release of ClickOnce and how these scenarios are even better enabled in Orcas.
An Overview of Windows Forms in Microsoft Visual Studio 2005
For all the folks that logged into my MSDN talk today morning here is the slide deck from the talk. The talk being demo intensive the deck might not be super helpful but it does have the resources slide which will direct you to where you can get the samples I displayed during the talk.
I'll also update this post as soon as we have the talk posted online ...
As part of the Live From Redmond Series of talks I shall be presenting a talk on Aug 23rd -
"An Overview of Windows Forms in Microsoft Visual Studio 2005".
Windows Forms application development takes a giant step forward in Visual Studio 2005. This session provides an overview of the new Windows Forms feature set, as well as explores the RAD development environment. See how ClickOnce deployment technology brings the ease of Web deployment to Windows Forms applications. See demonstrations of how Windows Forms and Visual Studio 2005 make it easy to build professional looking applications. Walk through improvements to the Windows Forms designers, including demonstrations of snap lines and smart tags. This session also give a quick high level demonstration of how easy it is to build Office applications that use Windows Forms components.
For client developers here is a list of all upcoming webcasts (see left pane of the Windows Forms website here for the more detailed list):
|
Date |
Title |
Speaker |
Registration URL |
|
16-Aug |
Smart Client: Offline Data Synchronization and Caching for Smart Clients |
Steve Lasker |
Click here |
|
23-Aug |
Windows Forms: An Overview of Windows Forms in Microsoft Visual Studio 2005 |
Saurabh Pant |
Click here |
|
30-Aug |
Visual Studio: Developing Local and Mobile Data Solutions with SQL Server Everywhere |
Steve Lasker |
Click here |
|
13-Sep |
(WinFX) Windows Forms: How to Leverage Windows Forms and Windows Presentation Foundation in a Single Hybrid Application |
Scott Morrison |
Click here |
|
20-Sep |
Windows Forms: Solutions to the Most Common Windows Forms Development Challenges |
Scott Morrison |
Click here |
[Update]
Have attached the TechEd Slide Deck. The resources section for the deck will alos direct you to the sample code that I demoed during the presentation.
[Original Post]
Am in Boston this week for TechEd ... and just got done with my talk titled "Windows Forms in Visual Studio 2005: An Overview".
I had planned to post the slide deck, demos, resources from the talk posted on my blog but have been having connectivity issues getting to WindowsForms.net server that hosts by blog files. Will have them uploaded by end of week at the latest ...
Also I will be at the Technical Learning Centre - Dev Discussion Area on Wednesday 12:00-3:00 and Friday 9:00-4:00. If you happen to be at TechEd and have WindowsForms/ClickOnce questions feel free to stop by.
Jay Allen of the Windows Forms User Education team has some good coverage of ClickOnce issues on their team blog. Definately worth checking out ...
http://blogs.msdn.com/winformsue/archive/category/11821.aspx
Firstly sorry for the delay in this messaging from ClickOnce. Judging by the passionate opinions I have heard around the community on this issue, this is a blog we should have posted a while back.
[Hanselman's Blog - http://www.hanselman.com/blog/PermaLink.aspx?guid=7ce42ccd-e531-4d43-a93f-73483c0afd3d]
[Sven Groot's Blog - http://channel9.msdn.com/ShowPost.aspx?PostID=138273]
[Lady bug - http://lab.msdn.microsoft.com/productfeedback/viewfeedback.aspx?feedbackid=5b309bf8-370d-4571-8ce2-aaebb525488b ]
Geting to business; In the V2.0 release of the Framework, ClickOnce does not have support for FireFox.
- I do discuss later in this post how application publishers can use the ClickOnce shortcut files to allow FireFox users to install Clickonce applications.
ClickOnce does work on machines where FireFox is the default browser, if the user clicks on the deployment manifest in IE.
- There is an issues users hit here if their application carries a bootstrapper package, again a workaround is mentioned later in the post.
And yes we are actively looking into remedying this in the next release of the Framework.
What happens when I click on a ClickOnce deployment in FireFox?
ClickOnce provides an implemention of the IE mime handler interface for the mime type application/x-ms-application which is associated with .application files on servers hosting ClickOnce application. Hence when a user clicks on a .application in IE our mime handler is invoked which downlods the .application file and fires up the ClickOnce install.
When a user clicks on a .application in FireFox the FireFox equivalent of the Open/Save dialog comes up. Once the .application file is downloaded to the local macine (to the FireFox cache on Open and to a user specified location on Save) it is run form there firing up ClickOnce. ClickOnce now parses the locally downloaded .application and tries to download the actual application manifest it refers to. If the .application contains a relative path to the application manifest ClickOnce will try to find it relative to the .application in the FireFox temp folder and fail. If it is a full Url to the application manifest ClickOnce fails anyway, this time due to a security check we have that does not allow the .application and the corresponding application bits to be in different security zones.
There have been Plugins written by the FireFox community
[e.g. http://www.softwarepunk.com/cohelper/] where they parse the application after it has been downloaded and read the deploymentProvider Url from it. They then use the undocumented Apis for invoking ClickOnce with the URL as a parameter [rundll32 dfshim.dll,ShOpenVerbApplication URL ]. I have never tried the approach above, but would believe it works.
From the ClickOnce teams perspective we would advise users against parsing the ClickOnce manifest and relying on its format for we could inadvertently break you in future manifest updates. Also since the <deploymentProvider> tag is only needed in Shell Visible installed ClickOnce applications this solution does not work for Online ClickOnce Apps.
For out next release we are looking into what we can do to provide a simple public way for the FireFox community to build plugins for ClickOnce support. Stay tuned ...
How do ClickOnce Shortcuts help me get ClickOnce support on FireFox?
Anytime a shell visible installed ClickOnce App is downloaded to a machine, we create a ClickOnce shortcut (.AppRef-MS) for the application under Progrmas->Publisher->Product.AppRef-MS.
The contents of this shortcut file look something like this -http://Foo/Bar/Dummy.Application#Dummy.app, Culture=neutral, PublicKeyToken=XXXXXXXXXXXX, processorArchitecture=msil
As you can see it contains the Url to the .application and the identity of the deployment manifest modulo version.
These ClickOnce shortcuts are designed so that they can be emailed to people and when ckicked on, on a machine which does not have the corrsponding application already installed they cause the application to be installed and launched.
Now asuming you have an ClickOnce application (Shell Visible Installed App - Not an Online App) you want to publish to your clients who use FireFox, all you need to do is generate the shortcut file and publish it on your server (If you have both IE and FireFox users you could have a seperate link saying "FireFox users click here" so that IE users still get the default behavior). Once the user click on an .appref-MS in FireFox the Open/Save dialog comes up. Once the .appref-MS has been downloaded to the local machine and run it will invoke ClickOnce, which in turn will download the .application from the URL specified in the shortcut and install the App.
This solution works with out any FireFox changes. Remember though that .appref-MS files can only be generated for Shell Visible Installed ClickOnce Apps.
What about client machines where FireFox is the default browser but the user clicks on the .application in IE?
This scenario just works.
There is one caveat though. If your Application carries a bootstrapper along with it to install prerequisites before the actual ClickOnce install, then your scenario might be broken. The bootstrapper after it has installed the prerequisites starts the actual ClickOnce install by launching the .application URL in the default browser (in this case FireFox) even if the user had originally clicked on an IE session to launch the bootstrapper.
There however is a easy workaround for this [http://channel9.msdn.com/ShowPost.aspx?PostID=138879] which I have recommended to users earlier with good success.
Again in closing let me reitterate, we are actively working on having a better XBrowser story for our next release.
Comments are welcome as usual.
The Decision -
With the .Net Framework V2.0 release of ClickOnce, any ClickOnce App deployed from the internet zone can prompt the user for permission elevation.
For the earlier Beta2 release of ClickOnce, prompting had been explicitly disabled for internet applications that were not Authenticode signed. We consciously reversed this decision for the final release.
This decision of Microsoft has been questioned by a few in the ClickOnce/Security community. Though they do not agree with our decision, most of these blogs do try to be balanced and put forth both sides of the argument. However reading through a few community posts generated by these blogs, I did get a sense that there was a perception that this was a change pushed into the release by Microsoft at the last minute due to pressure from a few large customers.
I plan to articulate out here more clearly our thinking behind this change and hopefully debunk this perception.
The Thinking Behind It -
Non authenticode signed Internet ClickOnce applications were prevented from elevating in Beta2 with the primary goal to get user feedback on this decision so we could make a more informed decision for the final release.
The Beta2 feedback helped us realize that it was important to have a consisitent IE security model for Managed and UnManaged exes, diverging in the model was confusing and muddled our security messaging.
We also got a strong push to enable this scenario from hobbyist/non commercial/community/open source App developers who wanted to deploy their applications using ClickOnce but could not afford (both in terms of time and money) to get an Authenticode certificate.
Let's consider the scenario below ...
Jen is a .Net entusiast and a golf fanatic. She writes a .Net Golf Handicap calculator that unfortuantely needs Intranet (Not Internet) zone permissions to run. Jen wants to share this App on her homepage with her golfing friends and would also like them to get updates as she adds new functionality to her program; ClickOnce is the ideal choice of deployment technology for her.
If ClickOnce forced Jen to have an Authenticode certificate before she could share her App she would soon be looking at other deployment options. She could decide to just write the App in native code and share the exe. The native exe (even a Managed exe for that matter) would now be downloaded and run with Fulltrust on local machine, not a big security win.
Today instead Jen can use ClickOnce to downloaded her App and run in the Intranet sandbox. She also gets to keep her app current with ClickOnce and potentially push down required updates for issues she wants patched immediately.
If we flipped the scenario around to where Jen was the author of a malicious Addware App and wanted to prompt the user from the internet zone she can very easily do it today. ClickOnce has not opened up a new security hole here. We just extent the current IE security model. There are no default scenarios where you can cause a user prompt to come up using ClickOnce where you couldn't for unmanaged Exes.
Also there have been comparisions of ClickOnce with ActiveX in the past and the fact that unsigned ActiveX controls from the internet zone are now blocked by IE has been used as an argument for pushing for similar behavior in Clickonce. ClickOnce and ActiveX are naturally two totally independent technologies, but if parallels have to be drawn we see ourselves closer to exes than ActiveX, and hence as discussed above have tried to maintain the same security expereince that currently exists for exes.
Configuring Prompting -
The current ClickOnce prompting model is highly configurable.
Enterprises can also specifically disable prompting for particular zones or they can use the trusted publisher list to whitelist their ClickOnce applications to run without prompting and disable all prompting.
[MSDN - http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwinforms/html/clickoncetrustpub.asp]
While upgrading from v1.0 to v2.0 of an ClickOnce application, files/assemblies that have remained unchanged (have the same hash) across the update are not redownloaded from the server. Instead they are just copied over locally in the Clickonce store from the v1.0 to v2.0 app folder. This is totally transparent to the user except for the Dowload Progress Bar moving much quicker due to the local copy.
Keep in mind file patching is only across two versions of the same application i.e. the Deployment Manifest of the two applications has to have the same identity, modulo version.
Also the patching is at file level not the binary level, hence if only a few bits in a dll have changed Clickonce will still download the entire dll.
File Patching also works for assemblies downloaded using the DownloadFileGroup() APIs.
File Patching does NOT work currently for Data files (writeableType="applicationData").
Know Issue -
Our FilePatching model for assemblies (even strong assemblies) is based entirely on file hash.
Projects when rebuilt in VS often cause the same assemblies (exacly same source) to have different hashes. Hence if you are rebuilding your entire v2.0 solution its possible that assemblies that have not changed in terms of functionality will still have a different hash and hence be redownloaded by ClickOnce instaed of being copied locally.
The ClickOnce team now has a team blog at http://blogs.msdn.com/clickonce
Keep checking it out for tips and tricks, announcamants and other information on the ClickOnce technology and team.
Had Sunday brunch with a friend of mine, Arpan, a Product Manager with the SharePoint team.
The discussion turned to Presentation tips and techniques, resulting in this blog -
http://blogs.msdn.com/arpans/archive/2005/12/04/499944.aspx
