During the talk “Beefing Up Security in ASP.NET – Part 2” at the Dot Net Bangalore 4th meet up (Aug 08 2015), someone asked how to encrypt web.config programmatically. Here’s an extract from a snippet I have used in the past. The code below should help you with the libraries you need to call; it is not complete, and some parts of the code have been removed. Copy & Paste may not work.
Someone also asked if there is a way to specifically encrypt a particular attribute alone. I am afraid that is not possible out of the box. You could look at one of my RSACryptoServiceProvider implementation here to get started
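The sketch below is an added example, not the snippet from the talk: it encrypts one whole section of web.config with the framework's protected configuration API, which works at section granularity (the reason a single attribute cannot be encrypted out of the box). The class name `WebConfigProtector` and the choice of the RSA provider are assumptions.

```csharp
using System;
using System.Configuration;
using System.Web.Configuration;

// Hypothetical helper class (name chosen for this example).
public static class WebConfigProtector
{
    // Built-in provider from machine.config. The RSA key container can be exported
    // to other servers in a web farm; "DataProtectionConfigurationProvider" (DPAPI)
    // is the machine-bound alternative.
    private const string Provider = "RsaProtectedConfigurationProvider";

    // appPath: virtual path of the application, e.g. "~" when run inside the app.
    // sectionName: e.g. "connectionStrings" or "appSettings".
    public static bool Protect(string appPath, string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null)
            throw new ArgumentException("No such section: " + sectionName);

        // Nothing to do if it is already encrypted or locked by a parent config file.
        if (section.SectionInformation.IsProtected || section.ElementInformation.IsLocked)
            return false;

        section.SectionInformation.ProtectSection(Provider);
        section.SectionInformation.ForceSave = true;
        // The calling identity needs write access to web.config and
        // read access to the provider's key container.
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }

    public static bool Unprotect(string appPath, string sectionName)
    {
        Configuration config = WebConfigurationManager.OpenWebConfiguration(appPath);
        ConfigurationSection section = config.GetSection(sectionName);
        if (section == null || !section.SectionInformation.IsProtected)
            return false;

        section.SectionInformation.UnprotectSection();
        section.SectionInformation.ForceSave = true;
        config.Save(ConfigurationSaveMode.Modified);
        return true;
    }
}
```

Application code keeps reading the section through `ConfigurationManager` as before; the framework decrypts it transparently at read time.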
This article was originally published for www.prowareness.com and could be located at http://www.prowareness.com/blog/let-your-iis-worker-process-crash-with-stackoverflowexception/
Months back I posted a screenshot at https://renouncedthoughts.wordpress.com/2013/12/05/system-stackoverflowexception-in-mscorlib-dll/, finally got time to write it down.
There was a Login page that did some sort of authorization check beyond authenticating the user, and displayed an Access Denied page for those who weren’t lucky enough. This was all done by ASP.NET MVC with the ASPX view engine. So there are things like Views, Partial Views, RenderPartial, and so on. The application was also heavily AJAX-enabled, so partial views really seemed to fit in at many places that did not want to include master page content in the response text. There was a view file called AccessDenied.aspx that barked at unauthorized users. Things were working fine, and one day something broke: IIS was crashing without any meaningful error message. I lied, actually it did give a meaningful error message that was like – An unhandled exception of type ‘System.StackOverflowException’ occurred in mscorlib.dll. And the Call Stack showed some recursive function call. That is all there was to it.
Let’s look at a POC sample application below. Download the source from GitHub – https://github.com/gmaran23/ASPXViewEngineCrash, and hit F5.
When you click the AccessDeniedForCrash page, the below is what you see. An unhandled exception of type ‘System.StackOverflowException’ occurred in mscorlib.dll. If you look at the Call Stack window, you will see the same methods calling each other over and over.
Let’s look at what happens when a view is requested, as in how the view engine probes the known locations to find the view definition. Click ViewDoesNotExist, and you would see an error page, that actually tells you the file locations that ASPX view engine probed to find a matching view. Pay attention to the search order where a .aspx file is searched first, and then the .ascx file.
Now, if you go back to the StackOverflowExceptionInASPXViewEngine solution, there are two files called AccessDeniedForCrash.ascx and AccessDeniedForCrash.aspx under ~/Views/Home.
The following code inside AccessDeniedForCrash.aspx calls the partial view AccessDeniedForCrash.ascx.
A typical programming practice right? You define sub routines, and you keep calling them as and when required. Reusability! You have created a partial view here (AccessDeniedForCrash.ascx), and kept calling the partial view inside the main view (AccessDeniedForCrash.aspx). But it was the ASPX view engine’s probing method that caused the recursive method call. The view engine reached AccessDeniedForCrash.aspx, as it came through the HomeController’s action method AccessDeniedForCrash. It tried to find a partial view AccessDeniedForCrash.ascx, but always ended up with AccessDeniedForCrash.aspx because of the file search order; you know the rest of the story about recursion without an exit condition.
So, is this a programming error? or the framework error? or the ‘programmer did not understand the framework well’ error?
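One way to rule out this recursion application-wide, as an added example that is not part of the original post or the POC repository: register a WebForm view engine whose partial-view lookup only considers `.ascx` files, so a partial named like its parent view can never resolve back to the `.aspx` page. The class names `AscxOnlyPartialViewEngine` and `ViewEngineConfig` are hypothetical.

```csharp
using System.Web.Mvc;

// Hypothetical engine: full views are still probed as usual (.aspx first),
// but RenderPartial / Partial only ever find .ascx user controls.
public class AscxOnlyPartialViewEngine : WebFormViewEngine
{
    public AscxOnlyPartialViewEngine()
    {
        // The stock WebFormViewEngine reuses its view locations for partials,
        // with "{0}.aspx" ahead of "{0}.ascx" in each folder. Narrow that here.
        PartialViewLocationFormats = new[]
        {
            "~/Views/{1}/{0}.ascx",
            "~/Views/Shared/{0}.ascx"
        };
    }
}

public static class ViewEngineConfig
{
    // Call once from Application_Start in Global.asax.cs.
    public static void Register()
    {
        ViewEngineCollection engines = ViewEngines.Engines;

        // Replace only the stock WebForm engine; leave any other engines in place.
        for (int i = engines.Count - 1; i >= 0; i--)
        {
            if (engines[i] is WebFormViewEngine)
                engines.RemoveAt(i);
        }
        engines.Add(new AscxOnlyPartialViewEngine());
    }
}

// Per-call alternative inside the .aspx view: name the file explicitly so no
// probing takes place, e.g.
//   Html.RenderPartial("~/Views/Home/AccessDeniedForCrash.ascx")
```

A StackOverflowException cannot be caught in managed code and takes the whole worker process down, so preventing the self-reference is the only reliable defence.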
A slightly different version of this article was originally published for www.prowareness.com and could be located at http://www.prowareness.com/blog/access-control-through-asp-net-mvc-custom-action-filters/
With the HttpModule being the gatekeeper of ASP.Net, one level down are the Action Filters for ASP.Net MVC. While managing large scale applications, it would not always seem very rational to create new Controllers for every functionality. You may also want to restrict access to specific controllers or specific action methods, and if you worked it through you would end up with a code snippet like below. An if else condition everywhere you wanted access control.
This is obviously redundant and does not reflect the code reusability principle. So you may choose to create a custom HttpModule for access control during the initial ASP.Net request pipeline, or if that is not a possible solution in your case (or like the one above in ASP.Net MVC), then you must be looking at building a custom action filter. Once you have that in place, you could decorate your required action methods with your access control custom filter, or the entire controller, or register it as a global action filter (post ASP.Net MVC 3) so that the action filter would get invoked on every controller in the application.
Below is the code snippet showing the bare minimum implementation of a custom action filter for access control. In case the current request does not come from an Administrator, then it redirects him to an AccessDenied action method in the CompanyController.
The if else statements in the first snippet would take a more elegant and neat form.
Thus you would have a simple, elegant, and powerful access control mechanism via a custom action filter. If you like this kind of cleanliness in non MVC projects, please take a look at PostSharp as well.
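The filter described above, written out as an added example (not the code from the original article). It assumes the administrator check maps to a role named "Administrator"; the attribute name `AdministratorOnlyAttribute` and the `Payroll` action are hypothetical.

```csharp
using System;
using System.Web.Mvc;
using System.Web.Routing;

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public class AdministratorOnlyAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var user = filterContext.HttpContext.User;
        bool isAdmin = user != null
                       && user.Identity.IsAuthenticated
                       && user.IsInRole("Administrator"); // assumed role name
        if (isAdmin)
            return; // let the action run

        // When registered globally the filter also runs for AccessDenied itself;
        // skip it there, otherwise the redirect would loop forever.
        ActionDescriptor target = filterContext.ActionDescriptor;
        if (target.ActionName == "AccessDenied"
            && target.ControllerDescriptor.ControllerName == "Company")
            return;

        // Setting Result short-circuits the pipeline: the action never executes.
        filterContext.Result = new RedirectToRouteResult(
            new RouteValueDictionary
            {
                { "controller", "Company" },
                { "action", "AccessDenied" }
            });
    }
}

public class CompanyController : Controller
{
    [AdministratorOnly]                       // per-action; also valid on the class
    public ActionResult Payroll() { return View(); }

    public ActionResult AccessDenied() { return View(); }
}

public static class FilterConfig
{
    // Global registration (ASP.NET MVC 3 and later), called from Application_Start.
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new AdministratorOnlyAttribute());
    }
}
```

Authorization filters such as `AuthorizeAttribute` run earlier in the MVC pipeline than action filters, so any other action filter ordered ahead of this one will still execute for a non-administrator request.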
Update – 30 June 2014: The original reason for this exception is posted here – https://renouncedthoughts.wordpress.com/2014/06/30/let-your-iis-worker-process-crash-with-stackoverflowexception/
This is just a picture down there. The last time I got this exception, it was a missing exit condition on a recursive loop in a Java program that a friend of mine was writing. I have got one from the C# compiler, while I tried to build a Console project a couple of years ago. Restarting Visual Studio fixed that one. Never really had a chance to take a screenshot, because I think these are things that you don’t encounter often unless you explicitly tried for a demonstration. So here it is, archived.
This article was originally published for www.prowareness.com and could be located at http://www.prowareness.com/blog/writing-helper-like-inline-helper-method-for-aspx-view-engine/
When I started my MVC course with ASP.NET MVC 3, I got introduced to the @helper syntax with the Razor view engine. In case you didn’t know what an @helper syntax is, you may read more about it here. It is common that during training sessions, certain features of a technology may not appeal to you until you really use it, or until you have someone who puts that in perspective for you. So, I was dealing with an MVC application with ASPX view engine and I had a situation where I thought if I had Razor view engine, I could use the @helper syntax, and here’s what I ended up with.
The @helper syntax within Razor enables you to easily create re-usable helper methods that can encapsulate output functionality within your view templates. They enable better code reuse, and can also facilitate more readable code. – Source
In this post, I will show how you can write a Razor style @helper method for the ASPX view engine. Some people like to call it the Inline helper method. If you look at the end result of the helper method in the Razor view engine and the ASPX view engine, it is not aesthetically similar or lucid, but it solves the purpose – you get re-usability within the view. There are alternative ways of achieving the same thing using an Html helper or a server method within the view, but I ended with this approach.
In the ASPX view engine, if you declare and initialize a variable, it would show up in IntelliSense. In the same way, if you try declaring an Action delegate, it would show up in IntelliSense.
And that’s the trick. Declare an Action delegate, initialize with an anonymous delegate. You are done.
Note that when you initialize the Action delegate, you could either use the explicit delegate keyword or just a lambda.
Download: Sample projects including the source code for @helper sample in Razor view engine, and the Action delegate way of doing it in the ASPX view engine is downloadable at the SkyDrive location – http://sdrv.ms/15ykUXD
This article was originally published for www.prowareness.com and could be located at http://www.prowareness.com/blog/di-unity-mvc3-and-object-reference-not-set-to-an-instance-of-an-object/
When you use Unity.Mvc3 or Unity.Mvc4 for DI, odds are you might not even run in to the below exception/stack trace.
But you’d never know what kind of system you are dealing with. By name, these dlls – Unity.Mvc3, and Unity.Mvc4 – imply that they need to be used with MVC applications; which means, there are many things related to a web page or web request that this dll might possibly expect, for instance, the web context, the authorization context, routing context and so on.
We were dealing with a system where we tried using Unity.Mvc3 for dependency injection, and a few parts of the existing functionality started failing with the below stack trace.
This exception occurred because we invoke a background worker from the UI (to run a long running Task), and when the background worker finishes, it would call in RenderViewToString, and update the UI. During the second part a System.NullReferenceException was thrown. With the given stack trace it was evident that this was happening due to the Unity.Mvc3 at Unity.Mvc3.UnityDependencyResolver.get_ChildContainer().
Searching the internet yielded no results. We went and looked at the Unity.Mvc3 source code at and found that the property named ChildContainer was expecting a HttpContext and our BackgroundWorker didn’t have that for obvious reasons. Hence the Object reference not set to an instance of an object.
Credit to Brijesh, who had it spot on when he saw the word HttpContext. We ended up removing Unity.Mvc3 completely and used the infamous custom dependency resolver implementing the System.Web.Mvc.IDependencyResolver interface.
There is also an answer at stackoverflow that is along similar lines – http://stackoverflow.com/questions/22491437/how-can-i-enter-quotes-to-white-list-on-htmlencode/22536280#22536280
What returns an encoded output by default, try it out yourself with the sample code below.
Code: Paste it in any .cshtml file.
Questions to ponder –