For the past few weeks I've been experimenting with a number of new and not-so-new technologies that seem to combine very well. The technologies include:
-
ASP.NET MVC: This is a new framework from Scott Guthrie's team at Microsoft that provides a real model-view-controller implementation for ASP.NET. The framework includes a robust URL routing engine that is flexible enough to do real RESTful routing, and can generate URLs from the routes (allowing you to change your routing later without breaking your app). You don't need to use MVC to use the routing engine either.
-
IIS 7.0: The new version of IIS is lean and modular, and supports integration with ASP.NET applications. This allows individual apps to plug into the processing pipeline and completely take over processing from IIS. For me, this allows custom authentication plus clean RESTful URLs with no file extensions.
-
ADO.NET Entity Framework: This is the new ORM tool from Microsoft. It can reverse-engineer your database and generate a data model with mapping between the physical database, logical data model and entity objects. I and a colleague of mine have written a handful of serious ORM frameworks, and although so far I've really only kicked EF's tires, it seems to do everything I need. A key feature for me is that it supports querying using
LINQ to SQL (among other methods).
-
DI: Dependency Injection is a technique for decoupling the components of an application to enable future extensibility and better testing. I haven't started implementing this yet in this app, but I plan to very soon. A couple of frameworks I'm looking at are
Unity and
NInject.
-
REST: Not so much a technology as a mindset, REST has intrigued me ever since I read
RESTful Web Services a few months ago. Microsoft tools haven't supported it well at all - until now. I thought this was a good time to explore an alternative (OK, "non-Microsoft") way to design and build web applications.
-
Ajax: I've used Ajax in web apps for several years now, but only for specific, narrowly-defined purposes. I wanted to build an app that leveraged it to the hilt, and an app based on RESTful design seemed to present the best opportunity to do so.
-
Dojo: This is a client-side Javascript framework that provides a cornucopia of capabilities including Ajax support, widgets, fancy UI effects, event wiring, etc. etc. In many cases it can eliminate the need for server-side controls.
-
CSS: OK, this is not new, and I've used CSS for years; but I wanted to create an app that leverages CSS for
all style information, and avoids cluttering the document with it. In particular, I wanted to avoid using tables for layout, except for tabular data.
For my guinea pig, I chose to reimplement the web application that supports my audio product for Second Life, SlipStream. The new version will be completely web-driven, eliminating almost all notecard configuration within the device in-world. The system must do the following:
-
Allow management of customers, plus their devices, playlists, managers, etc. from both a browser-based web UI and scripts in Second Life (SL);
-
Allow indirect but real-time searching of the
Shoutcast directory;
-
Provide configuration and stream information to device scripts in SL;
-
Track the current state of devices in SL, based on the calls they make to the application.
The requirement to support both SL script clients and web browsers causes some issues. First, the scripting language in Second Life, LSL, is pretty limited when it comes to making HTTP calls, despite being compiled to and run on Mono (this feature is currently in an almost-production stage). You can't, for example, set custom request headers or check the response headers, and there's no facility for parsing JSON or XML data returned by the call. Plus, the size of data that can be sent and received is severely restricted, to 255 bytes per call last time I checked. And HTTP requests are throttled to 100 per 100 seconds per object in SL.
I'm dealing with most of this by carefully designing the resources I expose and the representation formats I use when talking to a script client in SL. But another wrinkle is authentication - SL scripts will need to authenticate on every call by passing the appropriate query string parameters. Browser clients, however, are asked to log in only when they try to access a restricted resource, and they will get an authentication token they can send back on subsequent requests. The authentication scheme is pretty much completely custom as a result. It consists of an HTTPModule that checks for the necessary credentials, and establishes a custom security principal and identity for the current request.
Authorization is done pretty much the normal way. The app only has three classes of users: anonymous users, authenticated normal users, and administrators. For simple, "static" authorization, the controller action methods use a PrincipalPermission attribute to check membership in a role. However, this type of checking is rarely enough. Typically I would provide another layer of mapping for static authorization: instead of Users <-> Roles, I would have Users <-> Groups <-> Permissions. This can be done using the .NET administrative tools, but most people aren't aware of that and don't use them. Anyway, for this app, the simple role-based authorization suffices for static authorization.
But many apps also have what I call "dynamic" authorization - that is, authorization that is dependent on current application state, typically the resource that the user is trying to access. An example of this would be a system where user Fred can only access documents he created, but not other people's documents. In this case, a simple role check won't cut it - you need to find out who authored the document being requested, and then see if that matches the current user. Anyway, this application has some scenarios like that, and so I have some helper code built into my controllers to do this type of checking.
Just for grins, I also want to support conditional HTTP GET on the resources and actions where it's appropriate (which as it turns out, aren't that many, but hey). So, I wrote some code in a base class for my views that tacks on the appropriate response headers based on the timestamp of the current resource from my database, and examines incoming headers to see if it can optimize the response body away.
The default routes provided in the MVC templates from Microsoft are not (IMHO) completely RESTful - they include the action in the URL: for example /{controller}/{action}. I felt that the action should be expressed by the HTTP method used to make the request, so I reworked the routes accordingly: /{controller}/{id}/{format}, for example.
The application is completely stateless; that is, it does not use session state at all. This allows it to keep working through a restart - the user's authentication token will be accepted on the next request after a restart, and the user never knows the difference. The user cannot fake an authentication token because it's encrypted on the server using the server's private key;
On the client side, the app uses CSS for all styling except tabular data, including form layout. All the forms submit via Ajax, eliminating postbacks and allowing things like password fields to retain their values when you submit. I'm using Dojo for the Ajax calls and for a few other things here and there... I'll be looking at expanding to use it for all my form widgets, but whether I stick to that approach will depend on whether the resulting code is XHTML- and CSS-compliant.
So far, I have the basics of the application working: authentication, authorization, fetching data, supplying forms, handling form submissions, etc. I need to do some more styling and finish building out the rest of the features, but it's starting to come together. When I get the app done, then it will be time to build out the device scripts in LSL, package the product and start selling!
Subscribe