Search Results

Search found 1685 results on 68 pages for 'andrew farrell'.

Page 60/68 | < Previous Page | 56 57 58 59 60 61 62 63 64 65 66 67  | Next Page >

  • What's the format of Real World Performance Day?

    - by william.hardie
    A question that has cropped a lot of late is "what's the format of Real World Performance Day?" Not an unreasonable question you might think. Sure enough, a quick check of the Independent Oracle User Group's website tells us a bit about the Real World Performance Day event, but no formal agenda? This was one of the questions I posed to Tom Kyte (one of the main presenters) in our recent podcast. Tom tells us that this isn't your traditional event where one speaker follows another with loads of slides. In fact, the Real World Performance Day features Tom and fellow Oracle performance experts - Andrew Holdsworth and Graham Wood - continuously on stage throughout the day. All three will be discussing database performance challenges and solutions from development, architectural design and management perspectives. There's going to be multi-terabyte demos on show, less of the traditional slides, and more interactive debate and discussion going on. Tune-in and hear what else Tom has to say about this fairly unique event!

    Read the article

  • Oracle Application Express Webcast -Wednesday

    - by Alex Blyth
    Hi AllHere are the details for Wednesday's (26th May 2010) webcast on "Oracle Application Express - one of our best kept secrets" beginning at 1.30pm (Sydney, Australia Time). Speaking this week - Andrew Clarke:Webcast is at http://strtc.oracle.com (IE6, 7 & 8 supported only)Conference ID for the webcast is 6690675Conference Key: apexEnrollment is required. Please click here to enroll.Please use your real name in the name field (just makes it easier for us to help you out if we can't answer your questions on the call)Audio details:NZ Toll Free - 0800 888 157 orAU Toll Free - 1800420354 (or +61 2 8064 0613)Meeting ID: 7914841Meeting Passcode: 26052010Talk to you all WednesdayAlex

    Read the article

  • [News] Repenser les IDE avec l'interface Code Bubbles

    Andrew Bragdon, ?tudiant surdou? d'une universit? am?ricaine, a repens? les interfaces graphiques des IDE pour remplacer les fen?tres par des bulles communicantes. Une id?e farfelue ? Pas du tout, la d?mo (ou plut?t la vid?o) est bluffante : "A bubble is a fully editable and interactive view of a fragment such as a method or collection of member variables. Bubbles, in contrast to windows, have minimal border decoration, avoid clipping their contents by using automatic code reflow and elision, and do not overlap but instead push each other out of the way". A d?couvrir absolument, c'est un concept d'avenir...

    Read the article

  • NGN/NLUUG conferentie vj2012: Operating Systems

    - by nospam(at)example.com (Joerg Moellenkamp)
    On April 11th, 2012 the Spring 2012 conference with the topic overarching topic "Operating Systems" takes place in Nieuwegein near Utrecht. Besides talks about Linux, Windows and AIX, there will be a track about Solaris. I will be the first speaker in the Solaris track and giving an overview about Solaris 11 and how features interact. Later on renowned experts like Detlef Drewanz ("Lifecycle Management with Oracle Solaris 11"), Andrew Gabriel ("Solaris 11 Networking - Crossbow Project"), Darren Moffat ("ZFS: Data integrity and Security") and Casper Dik ("Solaris 11 Zones and Immutable Zones") will take over. Finally Patrick Ale of UPC Broadband talks about his experiences with Solaris 11. When you want more information about this conference or register for it, you will find the webpage of the event at the NLUUG site.

    Read the article

  • VBUG Spring Conference, 28th and 29th March in Reading

    - by Eric Nelson
    I presented at VBUG last year and can confirm that they put on a really good event. This year I stood aside for my “replacement” Steve Plank to work his magic. Worth checking out… VBUG SPRING CONFERENCE 28/29 March 2011 Wokefield Park, Mortimer, Reading RG7 3AH Day One (Mon 28 March): Developing SharePoint 2010 with Visual Studio 2010 - Dave McMahon Cache Out with Windows Server AppFabric – Phil Pursglove Extending your Corporate Network in to the Windows Azure Data Centre with Windows Azure Connect – Steve Plank Silverlight Development on Windows Phone 7 - Andy Wigley Day Two (Tues 29 March): Self Service BI for your users, but what does that mean for you? - Andrew Fryer Design Patterns – Compare and Contrast – Gary Short Projecting your corporate identity to the cloud – Steve Plank May the Silverlight 4 be with you – Richard Costall The Step up to ALM – an Introduction to Visual Studio 2010 TFS for the Visual Sourcesafe User - Richard Fennell For more information go to http://cms.vbug.net (It isn’t free but it is high quality)

    Read the article

  • Google I/O 2012 - Developing for a Global Audience: Tools for Localization and Internationalization

    Google I/O 2012 - Developing for a Global Audience: Tools for Localization and Internationalization C. Andrew Warren, Manish Bhargava As internet and mobile penetration continue to rise, developers face a unique and challenging opportunity: billions of new users speaking dozens of distinct languages. English has often been considered a lingua franca for apps and websites, but fewer than half of the current online population now speaks it - success in the global web will require a more nimble approach. This tech talk will explore some of the tips, tricks, and tools that can make internationalization (i18n) and localization (L10n) simpler for web and mobile app developers (with a focus on Chrome, Android, and App Engine apps). For all I/O 2012 sessions, go to developers.google.com From: GoogleDevelopers Views: 9 0 ratings Time: 50:24 More in Science & Technology

    Read the article

  • How to disable DisplayInfo for Intel i810 when there is no xorg.conf

    - by user86954
    I'm testing Ubuntu 12.04 on an office desktop. This machine has an integrated Intel i810. This very machine used to run Ubuntu (or kubuntu) quite well, until the natty narwhal release, when the xserver started freezing. This seems to be caused by an issue with a call to the video bios, which can be circumvented by disabling the option DisplayInfo. I tried creating an xorg.conf by using Xorg -configure, but it produced an error after trying to make a file. I did have a file, and I put it in /etc/X11 with DisplayInfo false (maybe it wants "disabled"?), but it wouldn't boot at all until I removed that xorg.conf. There is no 10-monitor.conf file either. All I want to do is set the appropriate option so that my intel display doesn't freeze. Is there any other way I can disable the DisplayInfo? Andrew

    Read the article

  • GRUB is not Booting Correctly

    - by msknapp
    I have a PC with three hard disks. Windows 7 is installed on the first, Ubuntu 14.04 is installed on the third. After I re-booted, it went straight to Windows 7. So I tried explicitly telling my PC to boot using the third hard disk, but that just takes me to the grub rescue prompt. I followed Scott Severence's instructions here to try and recover. Essentially, I updated grub, reinstalled grub, and then updated it again. After re-booting, absolutely nothing had changed. So instead I tried using the boot-repair tool. In the past it had failed for me, saying that I had programs running and it could not unmount drives, when I was running nothing. I never figured out how to solve that problem, but it went away when I bought another hard drive and used that for my Ubuntu installation, I don't know why. In any case, I ran the boot-repair tool and this time it said it was successful. First time for everything right? I re-booted, only to be taken straight to the grub rescue prompt. So I changed my BIOS settings to use the third hard disk for boot start up. That is the same hard drive where I have Ubuntu and grub installed, and the same one that the grub-repair tool told me to use. It still took me straight to the grub rescue prompt. So I went from not being able to boot Ubuntu, to not being able to boot either OS installed on my system. Thanks boot-repair! Boot repair gave me this URL for future troubleshooting: http://paste.ubuntu.com/8131669 When I try to boot from the third hard disk, this is my console: Loading Operating System ... error: attempt to read or write outside of disk 'hd0'. Entering rescue mode... grub rescue> grub rescue> set cmdpath=(hd0) prefix=(hd0,gpt2)/boot/grub root=hd0,gpt2 grub rescue> ls (hd0) (hd0,gpt3) (hd0,gpt2) (hd0,gpt1) (hd1) (hd2) (hd2,gpt2) (hd2,gpt1) (hd3) Those values look correct to me. I have also experimented with changing some of those values, but 'insmod normal' always throws the same error. Somebody please tell me how to fix this. I have tried everything, reinstalling grub, and running boot-repair. =========================== Update: I think the problem might be that the ubuntu installer did not partition my hard disk correctly. I booted from live USB and then launched gparted and looked at how it partitioned things. This is what gparted says: Partition, File System, Size, Used, Unused, Flags /dev/sda1 (!), unknown, 1.00 MiB, ---, ---, bios_grub /dev/sda2, ext4, 2.71 TiB, 47.30 GiB, 2.67 TiB, /dev/sda3, linux-swap, 16.00 GiB, 0.00 B, 16.00 GiB, So that first line looks problematic. It is supposed to be the /boot partition. However, it was given only 1 MiB? I am assuming that MiB is actually supposed to mean megabyte, no idea why that 'i' is there. It also says the file system is unknown. I read the answer by andrew here, and he says he had to do a custom install, explicitly configuring the boot partition. So I think that maybe Ubuntu's installer has a bug in it, where it does not set up the boot partition correctly if you are not installing on the first hard disk in your computer. I am going to try reinstalling with a custom partition scheme. I read elsewhere (askubuntu won't let me post another link) that I don't even need a /boot partition any more. So instead of following Andrew's instructions ver batim, I'm first going to try having just two partitions: one for /, and another for my 16GB swap space. Both as primary partitions. The first will be formatted as ext4. If that doesn't work, I may try again using /boot. ======================== So I did my custom install with no /boot partition, and it did not work. When I rebooted, I had an error message saying that some address did not exist. So for the hundredth time, I booted from the live USB, and ran boot-repair. Now I get this message GPT detected. Please create a BIOS-Boot partition (>1MB, unformatted filesystem, bios_grub flag). This can be performed via tools such as Gparted. Then try again. I feel like I'm running in circles and nobody will help me.

    Read the article

  • Being hire-able [closed]

    - by RealityDysfunction
    Hello fellow developers, I am in my last year of Undergrad (Applied Math). I have discovered my passion for programming after taking a programming course (required by program), it was a basic Java course but I loved it! So I picked up an Apress C# Pro by Andrew Troelsen book. My degree is not in CompSci and I have under a year left to graduation. How do I prove myself as a programmer? What would you recommend I do in order to become hire-able?

    Read the article

  • Any ideas on a WCF Interceptor for a REST WebGet request to change the Url/Querystring parameters

    - by REA_ANDREW
    Does any one know of a way I can intercept a REST Get request inside WCF, so for example I could change the value of any of the querystring parameters. So I need to have some code run, prior to WCF Evaluating the UriTemplate of the WebGet attribute and be able to edit it, before returning the value which it will use to continue processing the request. Any help would be greatly appreciated Andrew

    Read the article

  • How to handle JSON response using SBJSON iPhone?

    - by Jay Mehta
    I am receiving the below response from my web service? Can any one has idea how to handle it using SBJSON? { "match_details" : { "score" : 86-1 "over" : 1.1 "runrate" : 73.71 "team_name" : England "short_name" : ENG "extra_run" : 50 } "players" : { "key_0" : { "is_out" : 2 "runs" : 4 "balls" : 2 "four" : 1 "six" : 0 "batsman_name" : Ajmal Shahzad * "wicket_info" : not out } "key_1" : { "is_out" : 1 "runs" : 12 "balls" : 6 "four" : 2 "six" : 0 "batsman_name" : Andrew Strauss "wicket_info" : c. Kevin b.Kevin } "key_2" : { "is_out" : 2 "runs" : 20 "balls" : 7 "four" : 4 "six" : 0 "batsman_name" : Chris Tremlett * "wicket_info" : not out } } "fow" : { "0" : 40-1 } } I have done something like this:

    Read the article

  • Is there any way to sync the scrollbars in a JavaFX 1.2 ListView?

    - by Xystus7777
    I have multiple listviews sidebyside. I have a way to make sure the "selectedIndex" is the same on all of them, but is there a way to make it so the scrollbar's are ALWAYS synchronized? It seems that the scrollbars WILL be synced as long as the user uses the ARROW KEYS when navigating down the listview, however, if the user HOLDS DOWN the key, OR USES THE MOUSE WHEEL, they will not be synchronized at all. Thanks in advance! Andrew Davis NASA - Kennedy Space Center

    Read the article

  • m4 - executing a shell command

    - by ajwood
    Hi, I'm new to m4 and am trying to set up a macro which allows the user to specify the location of a library at configure-time ./configure --with-mylib=/path/to/lib.so. In the m4 macro using AC_ARG_WITH, I'll check that the given file actually exists, and then store the path to said lib. MYLIB_PATH=esyscmd([dirname $withval]). This produces the error: dirname: missing operand The shell doesn't seem to know about $withval. How do I get it through to execute this command? Thanks, Andrew

    Read the article

  • MS Stack web host with HIPAA expertice?

    - by AndrewCr
    I'm a consultant, helping a provider of small medical practice management software move to the web. We're looking for a host that has experience with HIPAA-compliance, and supports the MS Web stack (IIS / .net / SQL Server) Can anyone here provide a recommendation of such a hosting company? Thanks, Andrew

    Read the article

  • Python combinations no repeat by constraint

    - by user2758113
    I have a tuple of tuples (Name, val 1, val 2, Class) tuple = (("Jackson",10,12,"A"), ("Ryan",10,20,"A"), ("Michael",10,12,"B"), ("Andrew",10,20,"B"), ("McKensie",10,12,"C"), ("Alex",10,20,"D")) I need to return all combinations using itertools combinations that do not repeat classes. How can I return combinations that dont repeat classes. For example, the first returned statement would be: tuple0, tuple2, tuple4, tuple5 and so on.

    Read the article

  • Disable Spring URL resource loading in context file

    - by drewzilla
    I have the need to specify a URL in a Spring context file but don't want Spring to turn it into a resource, i.e. I want the URL to be passed as a String to the bean that I'm creating in the context file rather than it being converted into a Resource object. How can I avoid Spring creating a Resource? Thanks, Andrew

    Read the article

  • Has anyone had trouble with Intellisense in Visual Studio when using UltraVNC?

    - by mullala
    Hi, a colleague and I are trying pair programming for the first time. We both remote into a development machine; I'm using RemoteDesktop and my colleague is using UltraVNC. This works great except that he can't see the Intellisense dropdown in Visual Studio 2008. According to online posts, this may be something to do with DirectDraw, but I don't see much by way of a workaround. Has anyone else experienced this? Thanks, Andrew

    Read the article

  • asp.net c# online documentation generator

    - by morcovar
    We are developing a very complex eCommerce portal using asp.net c# and the client asked us to make the documentation very similar (look & feel) with ebay api documentation http://developer.ebay.com/DevZone/shopping/docs/CallRef/GetSingleItem.html Do you have any idea what kind of tool they are using and if not do you know anything that can be configured to produce a similar result ? Thank you in advance ! Andrew

    Read the article

  • Spring.Net how does WebApplicationContext.GetObject handle concurrent requests?

    - by Alfamale
    Apologies if I have missed something obvious here but having gone through the documentation, forums and googled for a number of hours, I just can't find a definitive answer to the following questions: How does the WebApplicationContext.GetObject() method handle concurrent requests? Are the requests serialized or executed in parallel? Is there any performance data available to demonstrate how it behaves under load? Thanks in advance for your help, Andrew

    Read the article

  • Standards Corner: Preventing Pervasive Monitoring

    - by independentid
     Phil Hunt is an active member of multiple industry standards groups and committees and has spearheaded discussions, creation and ratifications of industry standards including the Kantara Identity Governance Framework, among others. Being an active voice in the industry standards development world, we have invited him to share his discussions, thoughts, news & updates, and discuss use cases, implementation success stories (and even failures) around industry standards on this monthly column. Author: Phil Hunt On Wednesday night, I watched NBC’s interview of Edward Snowden. The past year has been tumultuous one in the IT security industry. There has been some amazing revelations about the activities of governments around the world; and, we have had several instances of major security bugs in key security libraries: Apple's ‘gotofail’ bug  the OpenSSL Heartbleed bug, not to mention Java’s zero day bug, and others. Snowden’s information showed the IT industry has been underestimating the need for security, and highlighted a general trend of lax use of TLS and poorly implemented security on the Internet. This did not go unnoticed in the standards community and in particular the IETF. Last November, the IETF (Internet Engineering Task Force) met in Vancouver Canada, where the issue of “Internet Hardening” was discussed in a plenary session. Presentations were given by Bruce Schneier, Brian Carpenter,  and Stephen Farrell describing the problem, the work done so far, and potential IETF activities to address the problem pervasive monitoring. At the end of the presentation, the IETF called for consensus on the issue. If you know engineers, you know that it takes a while for a large group to arrive at a consensus and this group numbered approximately 3000. When asked if the IETF should respond to pervasive surveillance attacks? There was an overwhelming response for ‘Yes'. When it came to 'No', the room echoed in silence. This was just the first of several consensus questions that were each overwhelmingly in favour of response. This is the equivalent of a unanimous opinion for the IETF. Since the meeting, the IETF has followed through with the recent publication of a new “best practices” document on Pervasive Monitoring (RFC 7258). This document is extremely sensitive in its approach and separates the politics of monitoring from the technical ones. Pervasive Monitoring (PM) is widespread (and often covert) surveillance through intrusive gathering of protocol artefacts, including application content, or protocol metadata such as headers. Active or passive wiretaps and traffic analysis, (e.g., correlation, timing or measuring packet sizes), or subverting the cryptographic keys used to secure protocols can also be used as part of pervasive monitoring. PM is distinguished by being indiscriminate and very large scale, rather than by introducing new types of technical compromise. The IETF community's technical assessment is that PM is an attack on the privacy of Internet users and organisations. The IETF community has expressed strong agreement that PM is an attack that needs to be mitigated where possible, via the design of protocols that make PM significantly more expensive or infeasible. Pervasive monitoring was discussed at the technical plenary of the November 2013 IETF meeting [IETF88Plenary] and then through extensive exchanges on IETF mailing lists. This document records the IETF community's consensus and establishes the technical nature of PM. The draft goes on to further qualify what it means by “attack”, clarifying that  The term is used here to refer to behavior that subverts the intent of communicating parties without the agreement of those parties. An attack may change the content of the communication, record the content or external characteristics of the communication, or through correlation with other communication events, reveal information the parties did not intend to be revealed. It may also have other effects that similarly subvert the intent of a communicator.  The past year has shown that Internet specification authors need to put more emphasis into information security and integrity. The year also showed that specifications are not good enough. The implementations of security and protocol specifications have to be of high quality and superior testing. I’m proud to say Oracle has been a strong proponent of this, having already established its own secure coding practices. 

    Read the article

  • AutoMapper MappingFunction from Source Type of NameValueCollection

    - by REA_ANDREW
    I have had a situation arise today where I need to construct a complex type from a source of a NameValueCollection.  A little while back I submitted a patch for the Agatha Project to include REST (JSON and XML) support for the service contract.  I realized today that as useful as it is, it did not actually support true REST conformance, as REST should support GET so that you can use JSONP from JavaScript directly meaning you can query cross domain services.  My original implementation for POX and JSON used the POST method and this immediately rules out JSONP as from reading, JSONP only works with GET Requests. This then raised another issue.  The current operation contract of Agatha and one of its main benefits is that you can supply an array of Request objects in a single request, limiting the about of server requests you need to make.  Now, at the present time I am thinking that this will not be the case for the REST imlementation but will yield the benefits of the fact that : The same Request objects can be used for SOAP and RST (POX, JSON) The construct of the JavaScript functions will be simpler and more readable It will enable the use of JSONP for cross domain REST Services The current contract for the Agatha WcfRequestProcessor is at time of writing the following: [ServiceContract] public interface IWcfRequestProcessor { [OperationContract(Name = "ProcessRequests")] [ServiceKnownType("GetKnownTypes", typeof(KnownTypeProvider))] [TransactionFlow(TransactionFlowOption.Allowed)] Response[] Process(params Request[] requests); [OperationContract(Name = "ProcessOneWayRequests", IsOneWay = true)] [ServiceKnownType("GetKnownTypes", typeof(KnownTypeProvider))] void ProcessOneWayRequests(params OneWayRequest[] requests); }   My current proposed solution, and at the very early stages of my concept is as follows: [ServiceContract] public interface IWcfRestJsonRequestProcessor { [OperationContract(Name="process")] [ServiceKnownType("GetKnownTypes", typeof(KnownTypeProvider))] [TransactionFlow(TransactionFlowOption.Allowed)] [WebGet(UriTemplate = "process/{name}/{*parameters}", BodyStyle = WebMessageBodyStyle.WrappedResponse, ResponseFormat = WebMessageFormat.Json)] Response[] Process(string name, NameValueCollection parameters); [OperationContract(Name="processoneway",IsOneWay = true)] [ServiceKnownType("GetKnownTypes", typeof(KnownTypeProvider))] [WebGet(UriTemplate = "process-one-way/{name}/{*parameters}", BodyStyle = WebMessageBodyStyle.WrappedResponse, ResponseFormat = WebMessageFormat.Json)] void ProcessOneWayRequests(string name, NameValueCollection parameters); }   Now this part I have not yet implemented, it is the preliminart step which I have developed which will allow me to take the name of the Request Type and the NameValueCollection and construct the complex type which is that of the Request which I can then supply to a nested instance of the original IWcfRequestProcessor  and work as it should normally.  To give an example of some of the urls which you I envisage with this method are: http://www.url.com/service.svc/json/process/getweather/?location=london http://www.url.com/service.svc/json/process/getproductsbycategory/?categoryid=1 http://www.url.om/service.svc/json/process/sayhello/?name=andy Another reason why my direction has gone to a single request for the REST implementation is because of restrictions which are imposed by browsers on the length of the url.  From what I have read this is on average 2000 characters.  I think that this is a very acceptable usage limit in the context of using 1 request, but I do not think this is acceptable for accommodating multiple requests chained together.  I would love to be corrected on that one, I really would but unfortunately from what I have read I have come to the conclusion that this is not the case. The mapping function So, as I say this is just the first pass I have made at this, and I am not overly happy with the try catch for detecting types without default constructors.  I know there is a better way but for the minute, it escapes me.  I would also like to know the correct way for adding mapping functions and not using the anonymous way that I have used.  To achieve this I have used recursion which I am sure is what other mapping function use. As you do have to go as deep as the complex type is. public static object RecurseType(NameValueCollection collection, Type type, string prefix) { try { var returnObject = Activator.CreateInstance(type); foreach (var property in type.GetProperties()) { foreach (var key in collection.AllKeys) { if (String.IsNullOrEmpty(prefix) || key.Length > prefix.Length) { var propertyNameToMatch = String.IsNullOrEmpty(prefix) ? key : key.Substring(property.Name.IndexOf(prefix) + prefix.Length + 1); if (property.Name == propertyNameToMatch) { property.SetValue(returnObject, Convert.ChangeType(collection.Get(key), property.PropertyType), null); } else if(property.GetValue(returnObject,null) == null) { property.SetValue(returnObject, RecurseType(collection, property.PropertyType, String.Concat(prefix, property.PropertyType.Name)), null); } } } } return returnObject; } catch (MissingMethodException) { //Quite a blunt way of dealing with Types without default constructor return null; } }   Another thing is performance, I have not measured this in anyway, it is as I say the first pass, so I hope this can be the start of a more perfected implementation.  I tested this out with a complex type of three levels, there is no intended logical meaning to the properties, they are simply for the purposes of example.  You could call this a spiking session, as from here on in, now I know what I am building I would take a more TDD approach.  OK, purists, why did I not do this from the start, well I didn’t, this was a brain dump and now I know what I am building I can. The console test and how I used with AutoMapper is as follows: static void Main(string[] args) { var collection = new NameValueCollection(); collection.Add("Name", "Andrew Rea"); collection.Add("Number", "1"); collection.Add("AddressLine1", "123 Street"); collection.Add("AddressNumber", "2"); collection.Add("AddressPostCodeCountry", "United Kingdom"); collection.Add("AddressPostCodeNumber", "3"); AutoMapper.Mapper.CreateMap<NameValueCollection, Person>() .ConvertUsing(x => { return(Person) RecurseType(x, typeof(Person), null); }); var person = AutoMapper.Mapper.Map<NameValueCollection, Person>(collection); Console.WriteLine(person.Name); Console.WriteLine(person.Number); Console.WriteLine(person.Address.Line1); Console.WriteLine(person.Address.Number); Console.WriteLine(person.Address.PostCode.Country); Console.WriteLine(person.Address.PostCode.Number); Console.ReadLine(); }   Notice the convention that I am using and that this method requires you do use.  Each property is prefixed with the constructed name of its parents combined.  This is the convention used by AutoMapper and it makes sense. I can also think of other uses for this including using with ASP.NET MVC ModelBinders for creating a complex type from the QueryString which is itself is a NameValueCollection. Hope this is of some help to people and I would welcome any code reviews you could give me. References: Agatha : http://code.google.com/p/agatha-rrsl/ AutoMapper : http://automapper.codeplex.com/   Cheers for now, Andrew   P.S. I will have the proposed solution for a more complete REST implementation for AGATHA very soon. 

    Read the article

  • Securing an ASP.NET MVC 2 Application

    - by rajbk
    This post attempts to look at some of the methods that can be used to secure an ASP.NET MVC 2 Application called Northwind Traders Human Resources.  The sample code for the project is attached at the bottom of this post. We are going to use a slightly modified Northwind database. The screen capture from SQL server management studio shows the change. I added a new column called Salary, inserted some random salaries for the employees and then turned off AllowNulls.   The reporting relationship for Northwind Employees is shown below.   The requirements for our application are as follows: Employees can see their LastName, FirstName, Title, Address and Salary Employees are allowed to edit only their Address information Employees can see the LastName, FirstName, Title, Address and Salary of their immediate reports Employees cannot see records of non immediate reports.  Employees are allowed to edit only the Salary and Title information of their immediate reports. Employees are not allowed to edit the Address of an immediate report Employees should be authenticated into the system. Employees by default get the “Employee” role. If a user has direct reports, they will also get assigned a “Manager” role. We use a very basic empId/pwd scheme of EmployeeID (1-9) and password test$1. You should never do this in an actual application. The application should protect from Cross Site Request Forgery (CSRF). For example, Michael could trick Steven, who is already logged on to the HR website, to load a page which contains a malicious request. where without Steven’s knowledge, a form on the site posts information back to the Northwind HR website using Steven’s credentials. Michael could use this technique to give himself a raise :-) UI Notes The layout of our app looks like so: When Nancy (EmpID 1) signs on, she sees the default page with her details and is allowed to edit her address. If Nancy attempts to view the record of employee Andrew who has an employeeID of 2 (Employees/Edit/2), she will get a “Not Authorized” error page. When Andrew (EmpID 2) signs on, he can edit the address field of his record and change the title and salary of employees that directly report to him. Implementation Notes All controllers inherit from a BaseController. The BaseController currently only has error handling code. When a user signs on, we check to see if they are in a Manager role. We then create a FormsAuthenticationTicket, encrypt it (including the roles that the employee belongs to) and add it to a cookie. private void SetAuthenticationCookie(int employeeID, List<string> roles) { HttpCookiesSection cookieSection = (HttpCookiesSection) ConfigurationManager.GetSection("system.web/httpCookies"); AuthenticationSection authenticationSection = (AuthenticationSection) ConfigurationManager.GetSection("system.web/authentication"); FormsAuthenticationTicket authTicket = new FormsAuthenticationTicket( 1, employeeID.ToString(), DateTime.Now, DateTime.Now.AddMinutes(authenticationSection.Forms.Timeout.TotalMinutes), false, string.Join("|", roles.ToArray())); String encryptedTicket = FormsAuthentication.Encrypt(authTicket); HttpCookie authCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encryptedTicket); if (cookieSection.RequireSSL || authenticationSection.Forms.RequireSSL) { authCookie.Secure = true; } HttpContext.Current.Response.Cookies.Add(authCookie); } We read this cookie back in Global.asax and set the Context.User to be a new GenericPrincipal with the roles we assigned earlier. protected void Application_AuthenticateRequest(Object sender, EventArgs e){ if (Context.User != null) { string cookieName = FormsAuthentication.FormsCookieName; HttpCookie authCookie = Context.Request.Cookies[cookieName]; if (authCookie == null) return; FormsAuthenticationTicket authTicket = FormsAuthentication.Decrypt(authCookie.Value); string[] roles = authTicket.UserData.Split(new char[] { '|' }); FormsIdentity fi = (FormsIdentity)(Context.User.Identity); Context.User = new System.Security.Principal.GenericPrincipal(fi, roles); }} We ensure that a user has permissions to view a record by creating a custom attribute AuthorizeToViewID that inherits from ActionFilterAttribute. public class AuthorizeToViewIDAttribute : ActionFilterAttribute{ IEmployeeRepository employeeRepository = new EmployeeRepository(); public override void OnActionExecuting(ActionExecutingContext filterContext) { if (filterContext.ActionParameters.ContainsKey("id") && filterContext.ActionParameters["id"] != null) { if (employeeRepository.IsAuthorizedToView((int)filterContext.ActionParameters["id"])) { return; } } throw new UnauthorizedAccessException("The record does not exist or you do not have permission to access it"); }} We add the AuthorizeToView attribute to any Action method that requires authorization. [HttpPost][Authorize(Order = 1)]//To prevent CSRF[ValidateAntiForgeryToken(Salt = Globals.EditSalt, Order = 2)]//See AuthorizeToViewIDAttribute class[AuthorizeToViewID(Order = 3)] [ActionName("Edit")]public ActionResult Update(int id){ var employeeToEdit = employeeRepository.GetEmployee(id); if (employeeToEdit != null) { //Employees can edit only their address //A manager can edit the title and salary of their subordinate string[] whiteList = (employeeToEdit.IsSubordinate) ? new string[] { "Title", "Salary" } : new string[] { "Address" }; if (TryUpdateModel(employeeToEdit, whiteList)) { employeeRepository.Save(employeeToEdit); return RedirectToAction("Details", new { id = id }); } else { ModelState.AddModelError("", "Please correct the following errors."); } } return View(employeeToEdit);} The Authorize attribute is added to ensure that only authorized users can execute that Action. We use the TryUpdateModel with a white list to ensure that (a) an employee is able to edit only their Address and (b) that a manager is able to edit only the Title and Salary of a subordinate. This works in conjunction with the AuthorizeToViewIDAttribute. The ValidateAntiForgeryToken attribute is added (with a salt) to avoid CSRF. The Order on the attributes specify the order in which the attributes are executed. The Edit View uses the AntiForgeryToken helper to render the hidden token: ......<% using (Html.BeginForm()) {%><%=Html.AntiForgeryToken(NorthwindHR.Models.Globals.EditSalt)%><%= Html.ValidationSummary(true, "Please correct the errors and try again.") %><div class="editor-label"> <%= Html.LabelFor(model => model.LastName) %></div><div class="editor-field">...... The application uses View specific models for ease of model binding. public class EmployeeViewModel{ public int EmployeeID; [Required] [DisplayName("Last Name")] public string LastName { get; set; } [Required] [DisplayName("First Name")] public string FirstName { get; set; } [Required] [DisplayName("Title")] public string Title { get; set; } [Required] [DisplayName("Address")] public string Address { get; set; } [Required] [DisplayName("Salary")] [Range(500, double.MaxValue)] public decimal Salary { get; set; } public bool IsSubordinate { get; set; }} To help with displaying readonly/editable fields, we use a helper method. //Simple extension method to display a TextboxFor or DisplayFor based on the isEditable variablepublic static MvcHtmlString TextBoxOrLabelFor<TModel, TProperty>(this HtmlHelper<TModel> htmlHelper, Expression<Func<TModel, TProperty>> expression, bool isEditable){ if (isEditable) { return htmlHelper.TextBoxFor(expression); } else { return htmlHelper.DisplayFor(expression); }} The helper method is used in the view like so: <%=Html.TextBoxOrLabelFor(model => model.Title, Model.IsSubordinate)%> As mentioned in this post, there is a much easier way to update properties on an object. Download Demo Project VS 2008, ASP.NET MVC 2 RTM Remember to change the connectionString to point to your Northwind DB NorthwindHR.zip Feedback and bugs are always welcome :-)

    Read the article

< Previous Page | 56 57 58 59 60 61 62 63 64 65 66 67  | Next Page >