<![CDATA[Pablo Cibraro (Cibrax)]]>2014-10-20T15:32:01-03:00http://cibrax.me/Octopress<![CDATA[do not version urls]]>2014-10-20T15:21:00-03:00http://cibrax.me/blog/2014/10/20/do-not-version-urlsVersioning the Web API URL is probably one of most common choice among developers. Well-known APIs such as Twitter, Github or Facebook use this approach, but it does not mean it’s the best way to do things. It presents some of the issues discussed below.
A new version number represents a new set of resources. If you have to create a new version to introduce a breaking change in one resource, that change expands to all the resources.
For example. You have two resources /orders and /customers. You need to introduce a new version to accommodate an schema change in orders. That implies adding a new version number in the URL for v1/orders and v1/customers. Although customers is still the same resource, it’s now referenced as a new resource v1/customers.
It’s hard to introduce backward compatibility changes. You might want to introduce improvements or changes that new clients can use without affecting existing ones. You can create a new version number for this, but it will represent some unnecessary overhead. Existing clients won’t be affected by the change so creating a new version does not seem to be right. Also, you will not want to keep the same version number as you will want clients to know which specific version they are targeting.
It does not go along with the idea of introducing incremental changes. A new version number usually represents a major release. If you want to make those changes public as they become available, you need a new version number. However, you won’t want to create v1, v1.1, v1.2 for the overhead discussed in #2.
A better approach for versioning.
Use an http header to specify version. If no http header is specified in the request message, stick to the latest version.
The “accepts-version” header represents the version the client can understand. If some changes were introduced in the resource representation that won’t affect the client, the service might be able to return it. Let’s say that you now have a new version 1.3 for /orders, which only contains backward compatibility changes. The server can return a header to inform that.
12
/orders
version: 1.3
The client will know a new version exists, which is also compatible with 1.0 so it can optionally upgrade to it. This approach also works for fine for dynamic languages or schema-less types like json.
For embedded URLs or browser support, the http header can be replaced by an optional query string parameter ?accepts-version or ?v to make it shorter.
]]><![CDATA[SelfHost Utilities]]>2014-07-23T09:49:00-03:00http://cibrax.me/blog/2014/07/23/selfhost-utilitiesSelf Hosting a Http server is a very common scenario these days with the push that Microsoft and the rest of the community are giving to Owin. One of the challenges you often find in this scenario is the ability to use HTTPS, and I can say by experience that it’s not something trivial. You have to run several commands, and usually generate a self signed certificate for SSL.
As part of the project where I was working on, we had to automate many of these steps in the installation process so we came up with a set of utilities classes that call the underline Win32 APIS for generate the certificate and also do the required registrations for the namespace and port. The process for doing this with these classes is pretty straigforward as it is shown below,
12345678910111213
varcert=X509Util.CreateSelfSignedCertificate(Environment.MachineName);//Register a namespace reservation for everyone in localhost in port 9010HttpServerApi.ModifyNamespaceReservation(newUri("https://localhost:9010"),"everyone",HttpServerApiConfigurationAction.AddOrUpdate);//Register the SSL certificate for any address (0.0.0.0) in the port 9010.HttpServerApi.ModifySslCertificateToAddressBinding("0.0.0.0",9010,cert.GetCertHash(),System.Security.Cryptography.X509Certificates.StoreName.My,HttpServerApiConfigurationAction.AddOrUpdate);
]]><![CDATA[AppFabric OutputCaching]]>2014-05-23T14:36:00-03:00http://cibrax.me/blog/2014/05/23/appfabric-outputcachingASP.NET Web API does not provide any output caching capabilities out of the box other than the ones you would traditionally find in the ASP.NET caching module.
Fortunately, Filip wrote a very nice library that you can use to decorate your Web API controller methods with an [OutputCaching] attribute, which is similar to the one you can find in ASP.NET MVC.
This library provides a way to configure different persistence storages for the cached data, which uses memory by default. As part of this post, I will show how you can implement your own persistence provider for AppFabric in order to support distributed caching on web applications running on premises.
The first thing is to install AppFabric Caching. Wade Wegner wrote a very useful post describing all the required steps here.
Once AppFabric Cache is installed, you need to start the cluster and configure a new cache that will be used by our extension. Open up the Cache PowerShell console (Caching Administration Windows PowerShell in programs). Run the following command in the PowerShell console:
Start-CacheCluster
Create a new cache for our extension. Run the following command in the PowerShell console:
New-Cache OutputCache
At that point, we are ready to jump into the implementation of the extension. Before writing any code, we will use the AppFabric Caching client library, which is available as a Nuget package. You can find it in the repository under the name of “ServerAppFabric.Client”.
The library written by Filip provides an extension point for the persistence providers called IApiOutputCache, so we will have to implement that interface.
This implementation is pretty straightforward and uses the AppFabric client library for getting or storing data in the cache. All the data is stored as part of a region, which groups all the entries together to facilitate management. The name of the cache is passed as part of the constructor, so it will be provided at the moment of instantiating and configuring this extension.
The following code shows how the extension is configured,
]]><![CDATA[Making ajax calls with Hawk authentication to ASP.NET Web API]]>2014-01-31T14:14:00-03:00http://cibrax.me/blog/2014/01/31/making-ajax-calls-with-hawk-authentication-to-asp-dot-net-web-apiHawk is an authentication protocol initially written by Eran Hammer in javascript for being used in Node.js. Later on, Eran also added support for browsers through a browser.js library, which is also part of the hawk github project.
As part of this post, I will show how you can use that browser.js library to make Ajax calls to a ASP.NET Web API that authenticates the calls with Hawk.
The first thing is to define the Web API to call from javascript. For the sake of simplicity, we will use a very simple “Hello World” controller that returns the name of the authenticated user.
As second step, we will configure the Hawk filter globally to authenticate the calls. This filter is part of the HawkNet integration project with Web API.
Once we have the Web API configured, we will write the javascript to make the call, which will use browser.js to generate the hawk header on the client.
12345678910111213141516171819202122232425262728
<script src="~/Scripts/browser.js"></script><script>$(function(){varurl='http://localhost:28290/api/HelloWorld';varcredentials={id:'dh37fgj492je',// Required by Hawk.client.headerkey:'werxhqb98rpaxn39848xrunpaw3489ruxnpa98w4rxn',algorithm:'sha256',user:'Steve'};$("#helloworld").click(function(){varheader=hawk.client.header(url,'GET',{credentials:credentials});$.ajax({dataType:"json",headers:{authorization:header.field},url:url,success:function(error,response,body){$("#response").html(body.responseText);}});});});</script>
As you can see, the part that matters in the sample above is how you generate the hawk header by calling the “header” method in the client object provided by the browser.js library. That method receives the url, the http method and the credentials. The result of that call is the hawk authentication header, which is attached to the authorization header in the ajax call.
]]><![CDATA[Coordinating async work in Node.js]]>2014-01-13T10:39:00-03:00http://cibrax.me/blog/2014/01/13/coordinating-async-work-in-node-dot-jsWhen you first move to Node.js, you need to get used to write asynchronous single thread code that does not block. For some scenarios, writing such kind of code is not trivial, specially when you have to coordinate the execution of multiple async calls in parallel and return a result after all these tasks have been completed. One thing you don’t want to do in that scenario is block the main thread to wait for all the calls, which is how you normally do in other platforms. Let’s discuss a very trivial example that coordinates two calls for getting information from two different sources, which is subsequently returned as a response message in express.
The code above calls two functions to retrieve a name and a phone from different places asynchronously. The results of the calls are temporarily stored as members of the “data” variable. The ugly part is how the “returnResponse” variable is also used to notify that each function has done its part and a response can be returned. This contains duplicated code, it’s error prone and it can easily get more complicated as the number of async calls increase.
As interesting fact, there isn’t any built-in or native functionality to handle an scenario like this in Node.js. That’s where an module like “async” comes in place. “Async” is a swiss knife for async work in Node.js. It provides a ton of functions for coordinating asynchronous tasks such as the ones shown in next examples.
One of the functions you will find useful for an scenario like this is parallel. The parallel function receives an array of async functions to call, and invokes a final callback when all the functions have completed their part.
Every function in the Array passed to the parallel function receives a callback argument, which must be called after the work is completed. That callback receives two arguments, an error if something went wrong and a result. All the collected results and errors are later passed to the final callback.
Another useful function is “each”, which is similar to “parallel”, but it iterates over an array and invokes a function representing the async work for every element in that array.
In the code above, the function is executed three times with the values “1”, “2” and “3”. A callback is also executed when the work is completed. The final callback is executed after all the functions invoked the callback.
This is a good way to coordinate async work in node.js, but you also have promises, which is not widely adopted yet in the platform as a way to represent async tasks. It’s implemented by a lot of modules out there, but it’s not something standard yet. A promise is an object that represents an asynchronous task. Among other things, this object represents a way to manipulate the task, determine when it is completed or to chain other tasks for example. The following example illustrates how a promise looks like in the Moongose module (example included in the Moongose docs),
123456789101112131415
promise=Meetups.find({tags:'javascript'}).select('_id').exec();promise.then(function(meetups){varids=meetups.map(function(m){returnm._id;});returnPeople.find({meetups:{$in:ids}).exec();}).then(function(people){if(people.length<10000){thrownewError('Too few people!!!');}else{thrownewError('Still need more people!!!');}}).then(null,function(err){assert.ok(errinstanceofError);});
Meetups is a Moongose object for executing queries against a MongoDB collection. “exec” is a method in the returned promise to start the call, and “then” is another method to chain other promises when the execution is completed. In this example, another promise to find people is executed after all the meetups have been found.
]]><![CDATA[OAuth Bridge for ADFS with ThinkTecture Authorization Server]]>2013-12-27T10:23:00-03:00http://cibrax.me/blog/2013/12/27/oauth-bridge-for-adfs-with-thinkteckture-authorization-serverADFS 2.0 only supports SAML 2.0 and WS-Federation for supporting single sign on web applications and services. However, some new development platforms such as iOS only support OAuth 2.0, which makes the use of ADFS a bit tricky. ADFS for Windows Server 2012 R2 already provides some limited support for JSON Web Tokens (JWT) with the OAuth 2.0 the code flow (As it is described in this excellent post by Vittorio).
For some other scenarios in which your applications or services rely on JWTs for doing authentication/authorization, the Thinktecture Authorization Server represents a very nice alternative, which integrates really well with ADFS. The Authorization Server can act as a brige or broker between client apps that use OAuth 2.0 to get a JWT, and ADFS, which is used for authenticating the users.
The configuration of the Authorization Server is very simple. Once you get Authorization Server deployed in IIS, it uses Entity Framework code first to automatically generate the backend database for you on the first use. After that, you only need to change the configuration files to trust ADFS as it is shown bellow,
[Authorization Server Folder]\Configuration\identityModel.config
urn:authorizationserver is the Relying Party identifier I used for configuring Authorization Server in ADFS. In ADFS, you only to configure a new relying party with a WS-Federation endpoint, and set the URL of the Authorization Server. Make also sure the Relying Party identifier matches the one you configured in Authorization Server.
The following code shows how to get a JWT from Authorization Server using the Resource Owner Flow (The user is authenticated by Authorization Server in ADFS)
privatestaticstringGetToken(){ServicePointManager.ServerCertificateValidationCallback=(o,cert,chain,ssl)=>true;HttpClientclient=newHttpClient();HttpRequestMessagerequest=newHttpRequestMessage(HttpMethod.Post,"https://[your auth server]/[App namespace in Authorization Server]/oauth/token");request.Headers.Add("Authorization","Basic "+Convert.ToBase64String(System.Text.ASCIIEncoding.ASCII.GetBytes(string.Format("{0}:{1}","[client id]","[client secret]"))));request.Content=newFormUrlEncodedContent(newDictionary<string,string>{{"grant_type","password"},{"username","[account]"},//Windows account name without domain{"password","[password]"},{"scope","All"}});HttpResponseMessageresponse=client.SendAsync(request).Result;response.EnsureSuccessStatusCode();JObjectjson=JObject.Parse(response.Content.ReadAsStringAsync().Result);stringaccessToken=json["access_token"].ToString();stringrefreshToken=json["refresh_token"].ToString();returnaccessToken;}
]]><![CDATA[Automatic Client Cert Detection in ADFS 2.0]]>2013-11-22T12:29:00-03:00http://cibrax.me/blog/2013/11/22/automatic-client-cert-detection-in-adfs-2-dot-0ADFS 2.0 supports multiple authentication methods through authentication handlers that are mutually exclusive. If one of the handlers runs, the others don’t. There is no way to implement a fallback logic if one the handlers fail to run or the user was not able to provide the expected credentials, so supporting dual authentication such as username/password and client certificates is sometimes problematic. The following list shows the handlers included out of the box with ADFS 2.0,
Those handlers are for Forms Authentication (Username/Password in an html form), Integrated Windows Authentication, Client Cert Authentication, and finally Http Basic Auth Authentication. The order in this list determines the priority by default unless the priority has been changed in the execution context. The order in the execution context can be changed in multiple ways. For example, when you are doing WS-Federation, the relying party can pass an additional “WAuth” query string parameter with the expected authentication type such as “urn:oasis:names:tc:SAML:1.0:am:password” for Forms Authentication or “urn:ietf:rfc:2246” for Client Cert authentication, which overrides the priority in the list set on the configuration. The same thing can be done for SAML 2.0 by changing the authentication context in the SAML Request message or changing the URL.
However, as I said before, in one of the handlers run, you will not have a chance to run any of the other handlers unless you implement some workaround. For example, you might want to add a checkbox in the html form for Forms authentication to allow the user to authenticate with a client certificate. When the checkbox is clicked, you do an http redirect to ADFS but changing the URL this time to use this new authentication method. If the RP is using WS-Federation, that means a new redirect that includes the WAuth query string variable with the value “urn:ietf:rfc:2246”, or a redirect to “auth/sslclient/” in the case of SAML 2.0.
If you want to avoid this manual step and detect the client certificate automatically, more work is involved, and it is what we are going to discuss next.
Enable Forms Authentication as default in the configuration file. The “Forms” handler must be on top of the list.
Create a new virtual directory in the ADFS IIS, and configure that virtual directory to require HTTPS and Accept Client Certs.
Configure an ASP.NET Generic handler in that virtual directory to check if the certificate is present or not
This code checks if the client certificate is present and invokes a javascript callback with “true” or “false” based on that condition. This code does not check the authenticity of the cert or anything else, and it is only for determining if the certificate is present. The rest of the validations will be done by ADFS.
Configure this handler in the web.config of that virtual directory.
This code is very simple. It simply does a redirect when the cert is present (the callback was called with a “true” value). The redirect in this sample is only valid for SAML 2.0
Modify the FormsSign.aspx page to include the following code at the end of the Page_Load event,
This code injects our CertCallBack.js script in the page and it also includes the script located in the virtual directory configured to accept client certs (/CertDetection/Script invokes the ASP.NET Handler basically)
That should be all. If the browser detects a client certificate when the script in the CertDetection virtual directory is resolved, the callback will be executed with a true value, making the form to do a redirect to authenticate the client with a Client Certificate instead. Otherwise, the client will see the Form to enter the username and password. We are adding a new virtual directory for not interferring with the existing authentication methods in the ADFS virtual directory.
The code for the handler and the javascript callback is included in the attached zip file
]]><![CDATA[Injecting dynamic content in Windows Azure packages]]>2013-11-21T10:52:00-03:00http://cibrax.me/blog/2013/11/21/injecting-dynamic-content-in-windows-azure-packageThe Windows Azure Tools 1.7 introduced a new feature for adding content to the Windows Azure projects called “Role Content Folders”. In some scenarios, you might want to add custom content such as static pages, documentation, configuration files or external binaries for example. This is useful for example if you want to deploy a solution not written in .NET such as java implementation, and you don’t want to mix that with the .NET code in the Role project. The following image shows how the content folders are added in the Azure project.
That content is included in the generated Azure package, and it is deployed in the AppRoot folder when the package is finally published in VM in the cloud.
One of the problem with this feature is that you might want to include content with an structure that changes often or content with thousands of folders/files, which requires some tedious manual work in Visual Studio to keep that content updated in the project.
Good news is that you can use a MSBuild task to inject that custom content automatically when the package is being generated. You have to include a custom Target “BeforeRoleAddContent” right after the declaration of the “Microsoft.WindowsAzure.targets” as it is shown bellow,
The example above injects several content folders in two different roles, “SolrMasterHostWorkerRole” and “SolrSlaveHostWorkerRole”. The “Include” attribute specifies the source folder, and the Destination folder within the AppRoot is specified in the Destination element.
]]><![CDATA[Full-Text Searches in SQL Azure with Solr]]>2013-11-01T15:41:00-03:00http://cibrax.me/blog/2013/11/01/full-text-searches-in-sql-azure-with-solrSolr is a robust search platform created by the open source community on top of Apache Lucene. It’s completelly written in java, and uses the Lucene java implementation at is core for full-text indexing and search. In addition, it exposes an http web interface for doing the full text searches and perform management tasks.
On other hand, we have SQL Azure, which currently does not support full text searches, so these two services complement very well each other.
As Solr is mainly a java implementation, you only have a few alternatives to run in on Windows Azure. You can deploy it as a worker role together with the java runtime machine, or you can deploy it in a VM. As any solution in the cloud, the state persisted in the worker role or VM goes away when the VMs are replaced or they go down. As Solr persists the indexes in disk, you need to make sure it is stored in a permament storage like Azure Drive or the storage service. If you decide to use a worker role, this requires some additional work to make Solr to store the indexes in Azure drive for example, which is a VHD stored in the storage service that can be mounted by the VM as a local disk. Good news is that MS Open Tech has already done this for us. They have a created a template that deployes Solr with a fail-over configuration(master-slave) in two worker roles, one role for the master node, and another role for the slave node. The slave node replicates from the master node, so in case you lost one of them, you still have the other node available. . In addition, it configures a web role with an MVC application that acts as a admin dashboard for doing basic management stuff. This solution is hosted in Github as part of this project Windows-Azure-Solr. The Github site also provides instructions to get the solution deployed in Windows Azure.
The template that you download from GitHub imports data into Solr by crawling some URLs. That’s part of the data-config.xml file that you can find in the configuration folder of the master and slave nodes (SolrMasterWorkerRole\SolrFiles\data-config.xml and SolrSlaveWorkerRole\SolrFiles\data-config.xml). Solr supports the idea of data importers, which can be used to import data from different sources such as existing web sites, files in disk or even a database.
In this case, we will modify that data-config.xml file to use a data importer that pulls data from an existing SQL Azure instance. The following example shows how this data importer configuration looks like,
12345678910111213141516171819202122
<dataConfig><dataSourcetype="JdbcDataSource"name="ds1"driver="com.microsoft.sqlserver.jdbc.SQLServerDriver"url="jdbc:sqlserver://[your server];database=[your database];user=[your user];password=[your user];encrypt=true;hostNameInCertificate=*.database.windows.net;loginTimeout=30;"readOnly="true"/><documentname="articles"><entityname="article"dataSource="ds1"pk="id"query ="SELECT id, title, description, tags, author, lastupdated from Articles"deltaQuery="select id FROM Articles WHERE LastUpdated > '${dataimporter.last_index_time}'"deltaImportQuery="SELECT id, title, description, tags, author, lastupdated from Articles where id = '${dataimporter.delta.id}'"><fieldcolumn="id"name="id"/><fieldcolumn="title"name="title"/><fieldcolumn="description"name="description"/><fieldcolumn="tags"name="tags"/><fieldcolumn="author"name="author"/><fieldcolumn="lastupdated"name="lastupdated"/></entity></document></dataConfig>
First of all, we have defined a dataSource element that points to our SQL Azure instance. This is a Jdbc data source that uses the SQL Server driver and sets the connection string in the url attribute.
Secondly, we have defined a document, which specifies one or more entities that are mapped from the SQL Azure database with a select statement. The fields section maps the different fields in the document to the fields returned by the select statements. This document is what Solr stores in the index using Lucene. As you can see, three queries have been defined. The first one with the “query” attribute is used by the data importer when a full import of the complete database is done into Solr. The other two queries are used for supporting a delta or partial import scenario. These two are optional and useful only in scenarios where you have frecuent updates and a lot of data to import, which will make the full import considerably slow.
Since this data importer uses the SQL Server driver for the Jdbc data source, you will have to download that package from the Microsoft website and copying it in the folder where Solr looks for the external libraries (SolrMasterWorkerRole\Solr\dist and SolrSlaveWorkerRole\Solr\dist).
We have defined so far the mapping of a document against one or more tables in the database, but Solr still requires the definition of those fields, which are part of the schema. The schema definition can be found in the schema.xml file (SolrMasterWorkerRole\SolrFiles\v44\schema.xml and SolrSlaveWorkerRole\SolrFiles\v44\schema.xml). The following example shows how the schema is modified to include the fields used by the data importer.
This is enough to get Solr configured to pull data from SQL Azure, so we are in conditions to deploy Solr into an Windows Azure subscription also using the tool provided by MS Open Tech. If you have installed all the pre-requisites and followed the instructions in the wiki page of the Github website, the following command should be enough to perform that deployment.
If you are lucky enough to get the command to work in the first instance, it will open a new browser instance when the deployment is complete, and it will also redirect you to the MVC dashboard running in the web role.
You are in conditions now to execute a few commands to import the data into Solr. You will see the location and port where the Solr master and slave nodes are running as part of the home page in the dashboard. For doing a full import into the master role, you have to copy that location and port, and append “/dataimport?command=full-import”. For example, “http://mysamplesolr.cloudapp.net:21000/solr/dataimport?command=full-import”. That will start a full import that runs asynchronously, so you can use this other command to check the status of the import “/dataimport?command=status”. For doing a partial import, you only change the command to this one “/dataimport?command=delta-import”. Once the import is complete, you can do a search to verify that everything looks ok. That can be done with the following command “/select?q=[query]”. For example, “http://mysamplesolr.cloudapp.net:21000/solr/select?q=azure”
So you have Solr indexing all your data now, but what happens with the security ?. This thing is open to the world. Anyone can do anything with your Solr instances as everything is public. There are some ways to secure Solr pages by changing some settings in the web server, which is Jetty by default. However, the Solr documentation recommends to put Solr behind a reverse proxy that filters the requests. There are several reverse proxy implementations for Solr in Github, but I will use a different approach for Windows Azure here. Given that the MS Open Tech template includes a web role for the MVC dashboard, and two worker roles for running the Solr master and slave instances, we can make the Solr instances available in internal endpoints only and use the MVC application as a facade or reverse proxy to forward all the requests to these instances. The only public and visible face will be the MVC application in the web role. All the requests for Solr must go through this MVC application first, which can filter any request that looks malicious or any request that can damage the existing indexes. A simple way to do this is to allow only get operations and filter the rest. This is the approach I’ve been taken and implemented as part of a fork created from the MS OpenTech project in Github. This fork is available here.
]]><![CDATA[Unit Testing Improvements in ASP.NET Web API]]>2013-09-27T12:46:00-03:00http://cibrax.me/blog/2013/09/27/unit-testing-improvements-in-asp-dot-net-web-apiA time ago I discussed some serious issues in ASP.NET Web API for testing controllers that were using the Request or UrlHelper instances because those required a valid HttpConfiguration instance. You could initialize the HttpConfiguration instace, but that required a lot of work and some ugly code as part of your tests.
The following method in a controller works to describe the problem,
The Request propery is being used to generate a content negotiated response, and the Url property to infer the new location for the resource. If you use ASP.NET Web API as it is today, you will have to write a lot of custom code to initialize the configuration instance as it is shown below.
However, we can left all this in the past with the new ASP.NET Web API vNext release. The introduction of the IHttpActionResult interface (Equivalent to ActionResult in ASP.NET MVC) has simplified a lot the unit testing story for controllers. A controller method can return now an implementation of IHttpActionResult, which internally uses the Request or the UrlHelper for link generation, so the unit test only cares about the returned IHttpActionResult instance.
The following code shows the same controller method using an instance of IHttpActionResult.
CreatedAtRouteNegotiatedContentResult is an implementation also included in the framework for handling this scenario. A new resource is created and the location is set in the response message.
The UrlHelper class has also been modified to make most of its methods virtual, so they can be mocked or overriden as part of an unit test. You can use this in case you still need to rely on the Url instance in the controller. For example, if you have a controller method like this one.
]]><![CDATA[Using the Katana Authentication handlers with NancyFx]]>2013-07-29T00:00:00-03:00http://cibrax.me/blog/2013/07/29/using-the-katana-authentication-handlers-with-nancyfxOnce you write an OWIN Middleware service, it can be reused everywhere
as long as OWIN is supported. In my last
post,
I discussed how you could write an Authentication Handler in Katana for
Hawk (HMAC Authentication). Good news is NancyFx can be run as an OWIN
handler, so you can use many of existing middleware services, including
the ones that are ship with Katana.
Running NancyFx as a OWIN handler is pretty straightforward, and
discussed in detail as part of the NancyFx documentation
here.
After run the steps described there and you have the application
working, only a few more steps are required to register the additional
middleware services.
The example bellow shows how the Startup class is modified to include
Hawk authentication.
This code registers the Hawk Authentication Handler on top of the OWIN
pipeline, so it will try to authenticate the calls before the request
messages are passed over to NancyFx.
The authentication handlers in Katana set the user principal in the OWIN
environment using the key “server.User”. The following code shows how
you can get that principal in a NancyFx module,
Thanks to OWIN, you don’t know any details of how these cross cutting
concerns can be implemented in every possible web application framework.
]]><![CDATA[Writing an AuthenticationHandler for Katana]]>2013-07-26T00:00:00-03:00http://cibrax.me/blog/2013/07/26/writing-an-authenticationhandler-for-katanaAs I discussed in my previous
post,
Katana is pretty much organized in middleware services. One of those
middleware services is authentication, which provides some built-in
implementations for existing OAuth providers such as Facebook, Twitter,
Google or Microsoft, and also an implementation for Forms authentication
with cookies. All those implementations are currently distributed as
Nuget packages under the name of Microsoft.Owin.Security.*, where the
last part identifies the name of the implementation (e.g.
Microsoft.Owin.Security.Twitter).
Microsoft.Owin.Security is also the core project where you can find the
base classes for writing a new authentication handler, and the ones that
all the these implementations use.
At first glance, the core class that you will use to create a new
authentication handler is
Microsoft.Owin.Security.Infrastructure.AuthenticationHandler<T>, where
T is class that derives from AuthenticationOptions and contains all the
properties for initializing the handler.
AuthenticationHandler<T> derives from
Microsoft.Owin.Security.Infrastructure.AuthenticationHandler, which
provides the following definition.
This class basically provides access to the current request/response
OWIN messages, and also a few methods that can be overridden as part of
the implementation.
ApplyResponseChallenge: This method can be overridden to send a
authentication challenge when a middleware service in the upper
layer denies the execution (e.g 401 status code). For example, this
can be useful for basic authentication.
ApplyResponseCore: This method by default calls
ApplyResponseChallenge and ApplyResponseGrant. It can be changed to
make some additional processing of the Response message.
ApplyResponseGrant: This method is only useful for authentication
methods that needs to implement sign-in/sign-out concerns such as
OAuth or Forms authentication. You won’t be using this for some
authentication options such as basic or hmac authentication.
AuthenticateCore: This is the more important method, and the one
where all the main implementation of the authentication handler
lives. The AuthenticationTicket will contain the identity of the
authenticated user or null if the user couldn’t be authenticated.
The AuthenticationOptions base class only contains the following
structure,
AuthenticationMode. It’s an enumeration with two possible values
Active/Passive. It basically identifies the http flow for the
authentication implementation. Some authentication methods like
Basic or HMac are Active, so it can be used directly against the
current request without requiring additional http redirections. Some
other methods like OAuth or Forms are not, so those have to
identified as Passive. This setting will affect the authentication
middleware behaves, so you have to set the correct value for it.
AuthenticatinType. It represents the authentication scheme. For
example, Basic.
AuthenticationDescription. It can be used to provide more
information about the authentication method.
Only these two classes are used so far to create a new authentication
handler. However, you will also need a another class that acts as a
factory, and it is used to inject the handler into the OWIN pipeline.
That class is
Microsoft.Owin.Security.Infrastructure.AuthenticationMiddleware.
This class basically receives the Options that must be passed to the
AuthenticationHandler, and also contains a method CreateHandler where
the handler is actually created.
I will use the rest of this post to describe the implementation of a
handler for doing HMac authentication using Hawk.
The first step in the implementation is to create a custom
AuthenticationOptions class.
The Credentials property is a callback that the authentication handler
implementation will use to resolve the user/key to verify the HMAC
received in the authorization header. In a Basic Authentication
implementation, you could potentially have a callback or a reference to
a repository to verify the username and password received in the
authorization header. I am also passing “Hawk” as part of the
constructor to set the authentication scheme associated to the handler.
The next step is to implement the AuthenticationHandler.
publicclassHawkAuthenticationHandler:AuthenticationHandler<HawkAuthenticationOptions>{privatereadonlyILoggerlogger;publicHawkAuthenticationHandler(ILoggerlogger){this.logger=logger;}protectedoverrideTask<AuthenticationTicket>AuthenticateCore(){AuthenticationHeaderValueauthorization=null;if(Request.GetHeader("authorization")!=null){authorization=AuthenticationHeaderValue.Parse(Request.GetHeader("authorization"));}if(authorization!=null&&!string.Equals(authorization.Scheme,HawkAuthenticationOptions.Scheme)){this.logger.WriteInformation(string.Format("Authorization skipped. Schema found {0}",authorization.Scheme));returnTask.FromResult(EmptyTicket());}if(authorization==null||string.IsNullOrWhiteSpace(authorization.Scheme)){this.logger.WriteWarning("Authorization header not found");returnTask.FromResult(EmptyTicket());}else{if(string.IsNullOrWhiteSpace(authorization.Parameter)){this.logger.WriteWarning("Invalid header format");returnTask.FromResult(EmptyTicket());}if(string.IsNullOrWhiteSpace(Request.Host)){this.logger.WriteWarning("Missing Host header");returnTask.FromResult(EmptyTicket());}try{varprincipal=Hawk.Authenticate(authorization.Parameter,Request.Host,Request.Method,Request.Uri,this.Options.Credentials);varidentity=(ClaimsIdentity)((ClaimsPrincipal)principal).Identity;varticket=newAuthenticationTicket(identity,(AuthenticationExtra)null);returnTask.FromResult(ticket);}catch(SecurityExceptionex){this.logger.WriteWarning(ex.Message);returnTask.FromResult(EmptyTicket());}}}protectedoverrideTaskApplyResponseChallenge(){if(Response.StatusCode!=401){returnTask.FromResult<object>(null);}varts=Hawk.ConvertToUnixTimestamp(DateTime.Now).ToString();varchallenge=string.Format("ts=\"{0}\" ntp=\"{1}\"",ts,"pool.ntp.org");Response.AddHeader("WWW-Authenticate",HawkAuthenticationOptions.Scheme+" "+challenge);returnTask.FromResult<object>(null);}privatestaticAuthenticationTicketEmptyTicket(){returnnewAuthenticationTicket(null,(AuthenticationExtra)null);}}
The implementation is Active, so only overrides the AuthenticationCore
and ApplyResponseChallenge methods. The AuthenticationCore
implementation tries to locate a Authorization Header with a format that
follows the Hawk specification to authenticate the call. If an
Authorization header is not found or it can not be parsed, an
AuthenticationTicket instance with an empty identity is returned.
Otherwise, the identity is set in the ticket and returned as part of the
task. This implementation also uses the logging facilities provided by
Katana.
The last step is to implement the AuthenticationMiddleware class.
This implementation only overrides the CreateHandler method to return a
new HawkAuthenticationHandler instance. As that instance relies on the
Katana logger, the logger instance is first created from the IAppBuilder
instance injected in the constructor.
Once you have the AuthenticationMiddleware implementation completed, you
will want to inject it in the OWIN pipeline to use it in an existing
application. An extension method can be provided to make this task
easier for the developer.
The following example shows how this extension is used to register the
HawkAuthenticationMiddleware service in an application that uses Web API
with OWIN
All the code provided as part of this example for Hawk can be found in
the HawkNet github project.
]]><![CDATA[Getting started with Owin and Katana]]>2013-07-22T00:00:00-03:00http://cibrax.me/blog/2013/07/22/getting-started-with-owin-and-katanaIntroduction
The .NET ecosystem offers today a lot of alternatives for developing web
applications. You can either use any of the frameworks supported by
Microsoft with ASP.NET such as Forms, MVC or Web API, or any other open
source alternative like FubuMVC, ServiceStack, NancyFx or OpenRasta to
name a few. From an architecture standpoint, all these frameworks have
three main layers in common (in spite of the difference with the
implementation details), hosting, middleware, and application.
The hosting layer is responsible for managing the underline process,
where the http connections are established and managed, and also to
materialize those connections into request/response objects that are
sent to the upper layers. For example, the hosting layer could be
ASP.NET running in IIS, or it could also be a console application that
uses the http listener directly.
The middleware layer provides common infrastructure services, which runs
at low level in the http stack, such as security, caching, or any other
concern that can be handled at this level.
The application layer is where the applications or services are
implemented using the features available in the framework.
However, the distinction between the middleware and application layers
is not always clear, which causes that many of the middleware services
end up being implemented in the application layer. For example, you
could implement middleware services for security in ASP.NET MVC using
filters, which rely on features specific to the application level in
that framework. This make almost impossible to reuse all these services
across all the available frameworks, so you will find different
implementations of the same services for the different frameworks. To
give an example, basic authentication is something that could be
implemented as middleware service and reused, but today is implemented
differently in each framework.
Someone would suggest that a ASP.NET Http Module could be a good option
for implementing a middleware service, but that’s not necessarily true
as it would only work when the hosting layer uses ASP.NET.
This exact problem is what OWIN
specification tries to address by
providing a common abstraction for any http-aware service or application
with minimal dependencies on existing frameworks or implementations. At
very core level, OWIN defines a handler, which is represented as an
application delegate,
The idea is to represent the three layers discussed above as a set of
handlers using the “chain of responsibility” pattern. The environment
argument is a dictionary that the different handlers use to exchange
values, and the next handler in the chain is represented with the task
argument. Having said that, the first handler in the chain would be
responsible for the hosting layer, and it should populate the
environment with keys that describe the received http request message,
such as scheme, port, request path, headers, etc. All those common
headers are discussed as part of the specification.
Katana is a Microsoft implementation of the OWIN specification, which
includes handlers for the hosting and middleware layers. It’s an open
source project, which can be found in this
location. All
the investment that Microsoft has done so far for ASP.NET in the
different application frameworks (i.e. MVC or Web API), it’s now being
refactored as OWIN handlers that can be reused across different
application frameworks. For example, cookie authentication or even OAuth
are being implemented as middleware services that can be reused not only
by ASP.NET web apps but also for other application frameworks in the
open source world.
The application layer is also implemented as another OWIN handler, which
is responsible for setting up all the infrastructure required to handle
the request/response at the application level. You will find application
handlers for ASP.NET MVC, ASP.NET Web API, SignalR, or NancyFx to give
an example.
Gettting Started with OWIN and Katana
The easiest way to get started with OWIN is to use the assembly
distributed as nuget package. You will find a single nuget package for
this called “OWIN”. This assembly only contains an interface
IAppBuilder, which can be used to configure all the handlers that you
want to use in your web application. This is a very low level interface
that you won’t have to implement yourself if you use Katana.
In addition to the “OWIN” assembly, you will find two additional nuget
packages
Owin.Extensions: Provides a set of very useful extensions methods
for the IAppBuilder interface that you can use to configure the
handlers.
Owin.Types: Provides a set of wrappers to represent the environment
dictionary as a typed object representing the request and response
messages.
You can implement your first OWIN handler using these three packages
(You will not able to run it without the hosting handlers provided by
Katana).
123456789101112131415161718192021222324252627
publicclassMyMiddleware{Func<IDictionary<string,object>,Task>next;publicMyMiddleware(Func<IDictionary<string,object>,Task>next){this.next=next;}publicTaskInvoke(IDictionary<string,object>env){varheaders=(IDictionary<string,string[]>)env["owin.RequestHeaders"];varurl=string.Format("{0}://{1}{2}{3}",(string)env["owin.RequestScheme"],headers["host"].First(),(string)env["owin.RequestPathBase"],(string)env["owin.RequestPath"]);if((string)env["owin.RequestQueryString"]!="")url+="?"+(string)env["owin.RequestQueryString"];Console.WriteLine("The received URL is {0}",url);returnthis.next(env);}}
This is a low level handler that sends the request url to the console.
As you can see, it relies on some existing properties in the
environment, which should have been set by Katana in the hosting layer.
The handler also receives the next handler to call in the chain as part
of the constructor.
The entry point in any Katana application must be a class that receives
the IAppBuilder interface as argument to configure all the handlers, as
it is shown below,
UseType is one the extension methods provided by “Owin.Extensions” to
configure a new handler in the pipeline. You can also other extension
methods to define a handler on the fly using delegates as this one,
There is one more nuget package that you will find useful to create OWIN
handlers, which is “Microsoft.Owin”. This is a package provided as part
of Katana (It’s still a pre-release), which extends the Owin Request and
Response classes with more properties and methods, and also helper
methods to deal with these classes.
Hosting an application with Katana
Katana provides three options to host a web application.
1. OwinHost.exe. It’s a command tool that you can use to run the
application. You can use multiple command arguments to specify the
assembly with the entry point for configuring the IAppBuilder or other
configuration settings such as the port number or tracing. This is tool
is available as part of the nuget package “OwinHost”.
2. .NET application. There is a WebApp class that you can use to
self-host a web application in any regular .NET application such as
console app or a windows service. This class is available as part of the
“Microsoft.Owin.Hosting” assembly.
12345
using(WebApp.Start<Startup>(newStartOptions{Port=5000})){Console.WriteLine("Press Enter to quit.");Console.ReadKey();}
You need to pass the startup entry as argument to the static method
“Start”.
3. ASP.NET. You need to reference the nuget package
“Microsoft.Owin.Hosting.SystemWeb” (Pre-Release) from your web
application project, and include the Startup class in that project as
well.
]]><![CDATA[Pushing ETW events through SignalR]]>2013-06-03T00:00:00-03:00http://cibrax.me/blog/2013/06/03/pushing-etw-events-through-signalrETW or Event Tracing for Windows is a very efficient pub/sub built-in
mechanism that runs in Kernel Mode for doing event tracing. That implies
there is just a little overhead in using this feature compared to other
traditional tracing solutions that are I/O bound and drop the traces in
different storages like files or databases for example. As it is a
built-in mechanism in Windows, many of the operating systems services
and components make good use of it. You can not only troubleshoot your
application but also many of the OS components involved in the execution
of that application.
In ETW, you have applications publishing events in queues (or providers)
and other applications consuming events from those queues in real-time
through ETW sessions. When an event is published in a provider, it goes
nowhere unless there is session collecting events on that queue. (The
events are not persisted).
The adoption of ETW in .NET application was pretty low as it was very
hard to configure and use. However, things might change now that .NET
4.5 supports a new EventSource class for publishing events easily in any
.NET application. Another way to publish events in the past was to use
.NET diagnostics infrastructure with the trace listener for ETW,
“EventProviderTraceListener”.
About this last one, it can be easily configured and associated to a
trace source as it is shown bellow,
The trace listener is associated to a GUID through the initializeData
attribute. That identifier is used by ETW and associated to the
provider, so it’s the one you will use to collect the events in a
session.
Once the listener is configured, you can start publishing events in that
provider through a the trace source.
Listening for those events in a ETW session is a different story. The
standard procedure is to use a set of tools for starting an ETW session
and dump the events into a binary file with a proprietary format (these
are “etl” files), that can be imported in the event log viewer or an
specific tool for this kind of file. You also have a tool for converting
“etl” files to more user readable formats like xml or cvs. However, you
can also use the ETW unmanaged API to start a new session and subscribe
to the events as it was done with the EventTraceWatcher
implementation in
this sample.
You use the EventTraceWatcher to subscribe to events generated by an ETW
provider, which are received as part of an event. What’s really
interesting about this code is that it runs out of process. You could be
collecting the events in a completely different application in the same
host and doing whatever you want with those events like persisting them
in a database for example. The performance of the application generating
the events would not be affected at all.
Now, imagine that you have a service running in one of your servers,
which can be used to start a new ETW session and publish those events
via SignalR. In that way, you can connect with a browser to the SignalR
hub created by that service and get the events realtime, which
represents an interesting way to see what’s going on your server at a
given time.
You can do an slight change to the code using the EventTraceWatcher to
publish the events to a SignalR hub as it is shown bellow,
classProgram{staticvoidMain(string[]args){stringurl="http://localhost:8080";using(WebApplication.Start<Startup>(url)){Console.WriteLine("Server running on {0}",url);varhubConnection=newHubConnection("http://localhost:8080/");varserverHub=hubConnection.CreateHubProxy("EventsHub");hubConnection.Start().Wait();varproviderId=newGuid("13D5F7EF-9404-47ea-AF13-85484F09F2A7");using(EventTraceWatcherwatcher=newEventTraceWatcher("MySession",providerId)){watcher.EventArrived+=delegate(objectsender,EventArrivedEventArgse){if(e.Error!=null){Console.Error.WriteLine(e.Error);Environment.Exit(-1);}// Dump properties (key/value)foreach(varpine.Properties){serverHub.Invoke("PushEvent","\t"+p.Key+" -- "+p.Value).Wait();}};// Start listeningwatcher.Start();Console.WriteLine("Listening...Press <Enter> to exit");Console.ReadLine();}Console.ReadLine();}}}classStartup{publicvoidConfiguration(IAppBuilderapp){// Turn cross domain on varconfig=newHubConfiguration{EnableCrossDomain=true};// This will map out to http://localhost:8080/signalr by defaultapp.MapHubs(config);}}publicclassEventsHub:Hub{publicvoidPushEvent(stringmessage){Console.WriteLine("Event: "+message);Clients.All.PushEvent(message);}}
This uses SignalR hosted in a console application with OWIN, so it could
be literally moved to a windows service as well. Every time an event is
captured from the ETW session, it is published in the SignalR hub.
On the other side, you can also use SignalR to subscribe to the same hub
and receive the generated messages at real time.
123456789101112131415161718
<script type="text/javascript">$(function(){varmessages=$('#messages');varconnection=$.hubConnection('http://localhost:8080');connection.start().done(function(){console.log("Connected, transport = "+connection.transport.name);}).fail(function(){console.log('Could not connect');});varproxy=connection.createHubProxy('EventsHub');proxy.on('PushEvent',function(message){messages.append(message+"<br>");});});</script>
]]><![CDATA[IP Throttling in ASP.NET Web API]]>2013-05-22T00:00:00-03:00http://cibrax.me/blog/2013/05/22/ip-throttling-in-asp-net-web-apiSome Web APIs use the client IP address to enforce Service Level
Agreements such as limit the number of calls in a period of time. The
client IP address can be used as a replacement for an authentication key
sometimes when a previous registration of client applications is not
required.
This is relatively simple to implement in a message handler,
publicclassIPThrottlingMessageHandler:DelegatingHandler{IIPRepositoryrepository;intmaxRequestsHour;publicIPThrottlingMessageHandler(IIPRepositoryrepository,intmaxRequestsHour=150):base(){this.repository=repository;this.maxRequestsHour=maxRequestsHour;}publicIPThrottlingMessageHandler(HttpMessageHandlerinner,IIPRepositoryrepository,intmaxRequestsHour=150):base(inner){this.repository=repository;this.maxRequestsHour=maxRequestsHour;}protectedoverrideSystem.Threading.Tasks.Task<HttpResponseMessage>SendAsync(HttpRequestMessagerequest,System.Threading.CancellationTokencancellationToken){varip=GetClientIp(request);if(ip==null){returnToResponse(request,HttpStatusCode.Forbidden,"The client ip couldn't be found");}if(this.repository.Increment(DateTime.Now.Hour,ip)>this.maxRequestsHour){returnToResponse(request,HttpStatusCode.Forbidden,"Quota exceeded");}returnbase.SendAsync(request,cancellationToken);}privatestringGetClientIp(HttpRequestMessagerequest){if(request.Properties.ContainsKey("MS_HttpContext")){return((HttpContextWrapper)request.Properties["MS_HttpContext"]).Request.UserHostAddress;}elseif(request.Properties.ContainsKey(RemoteEndpointMessageProperty.Name)){RemoteEndpointMessagePropertyprop;prop=(RemoteEndpointMessageProperty)request.Properties[RemoteEndpointMessageProperty.Name];returnprop.Address;}else{returnnull;}}privatestaticTask<HttpResponseMessage>ToResponse(HttpRequestMessagerequest,HttpStatusCodecode,stringmessage){vartsc=newTaskCompletionSource<HttpResponseMessage>();varresponse=request.CreateResponse(code);response.ReasonPhrase=message;response.Content=newStringContent(message);tsc.SetResult(response);returntsc.Task;}}
This handler uses a repository to store the number of calls with a given
IP in one hour. If the number of requests per hour exceeds the quota, an
error response is returned to the client.
]]><![CDATA[Authentication in Web APIs. Keys, OAuth or HMAC]]>2013-05-21T00:00:00-03:00http://cibrax.me/blog/2013/05/21/authentication-in-web-apis-keys-oauth-or-hmacMost of the Web APIs available out there in the web nowadays use some
kind of authentication for identifying client applications. Although
they implement authentication in different ways, they can be typically
categorized in three main groups, services that use Keys, OAuth or HMAC.
Keys is the first scenario and probably the simplest one. Every client
application is identified with a simple and fixed application key. This
authentication mechanism is perhaps a bit weak, but the data that the
service has to offer is not sensitive at all. The data is available for
everyone with a key, and it’s pretty much used for public services such
as Google maps or a search for public pictures in Instagram for example.
The only purpose of the key is to identify clients and apply different
SLA (service level agreements) such as api quotas, availability, etc.
HMAC is typically used for consuming sensitive data that is only
consumed by his owner and not shared with anyone else. This kind of
authentication is typically used in multitenant applications, where a
tenant is the owner of the data. This model fits real well with cloud
computing where a vendor such as AWS or Windows Azure use a key for
identifying the tenant and provide the right services and private data.
No matter which client application is used to consume the services and
data, the main purpose of the key is to identify the tenant. Hawk is new
specification born in this area to standardize how HMAC
authentication.
OAuth is last one and probably the most complicated one. It was born
with the idea of delegating authorization in the web 2.0. The service
who owns the data can use OAuth to share that data with other services
or applications without compromising the owner credentials.
The analogy given by Eran Hammer Lahav in this post “Explaining
OAuth”
is very close to what the specification tries to address,
“Many luxury cars today come with a valet key. It is a special key you
give the parking attendant and unlike your regular key, will not allow
the car to drive more than a mile or two. Some valet keys will not open
the trunk, while others will block access to your onboard cell phone
address book. Regardless of what restrictions the valet key imposes, the
idea is very clever. You give someone limited access to your car with a
special key, while using another key to unlock everything else.”
This kind of authentication makes a lot of sense in social media
services like Twitter, Facebook, Windows Live or Google to name a few,
where the service owns some private data like contacts or pictures that
can shared with other applications without putting the user credentials
into risk.
OAuth assigns a key to every different client application allowed to
consume the data, so the access can easily be revoked by disabling the
key associated that client application.
]]><![CDATA[Giving temporary access to your ASP.NET Web API with Hawk]]>2013-03-08T00:00:00-03:00http://cibrax.me/blog/2013/03/08/giving-temporary-access-to-your-asp-net-web-api-with-hawkOne of the features supported by Hawk, an HTTP authentication protocol
based on HMAC, is to provide read-only access to a Web API for a short
period time. That’s performed through a token called “bewit” that a Web
API can provide to a client. That token is only valid for Http GET calls
and it can be used for a limited period of time.
I already implemented this feature in my Hawk port for
.NET. A bewit token can be
generated as it is shown below,
In that way, you can share a link to your Web API with a limited access
for a period of time to someone without having to share any security
credentials.
On the service side is as simple as configuring the HawkMessageHandler
as part of the Web API configuration,
The handler will automatically detect a bewit token in the query string,
and it will performed all the required validations.
]]><![CDATA[ASP.NET Web API Logging and Troubleshooting]]>2013-03-01T00:00:00-03:00http://cibrax.me/blog/2013/03/01/asp-net-web-api-logging-and-troubleshootingASP.NET ships with two built-in mechanisms for doing logging and
troubleshooting. Chasing errors without knowing these two mechanisms
might be a daunting task, specially if they happen in the runtime
pipeline much before a message gets to a handler or a controller.
The first mechanism is the error policy. You can configure the error
policy preferences as part of the configuration object
(HttpConfiguration) in the IncludeErrorDetailPolicy property. This is
just an enum that instructs Web API about how to deal with exceptions.
The possible values for this enum are,
Default: It’s uses the customErrors configuration settings if you
are using ASP.NET as host or LocalOnly for self-host.
LocalOnly: Only includes error details for local requests
Always: Always includes error details
Never: Never includes error details
When an exception happens, Web API will check the value on this setting
for including details about the exception in the response message or
not. For example, if Always is enabled, Web API will serialize the
exception details as part of the message that you get as response.
The second mechanism is Tracing. Tracing is a service that you can
inject as part of the configuration object as well. The default
implementation does do anything.
MyTracer is a custom implementation of the ITraceWriter service, which
Web API uses for tracing purposes. This is a general tracing mechanism,
so Web API will call it for logging everything and not just errors.
If any of these two work for you, you can still use an Error Filter.
Tugberk has written a blog post about how to integrate ELMAH with an
Error Filter in Web API
here.
]]><![CDATA[Message Handlers per Route in ASP.NET Web API]]>2013-02-25T00:00:00-03:00http://cibrax.me/blog/2013/02/25/message-handlers-per-route-in-asp-net-web-apiMessage Handlers are one of the core components for message processing
in Web API. They use an asynchronous model for processing messages, so
they receive a request message and returns a Task with the corresponding
response.
In most cases, a message handler does something and delegates some other
work to the rest of the handlers configured in the pipeline. For
example, a handler for security checks the Auth Http header, and
delegates the call the handlers configured out of the box by Web API,
which eventually will call a controller method. The framework also
provides a base class to make delegation implicit, DelegatingHandler,
which receives the next handler to call as part of the constructor.
The following example shows a message handler implementation for basic
authentication,
A good thing about Message Handler is that you can configure them
globally or per route. In this case, if you want to enable basic
authentication for some routes only, it’s a matter of configuring this
handler in the routes you want to have protected.
As you can see, the Inner Handler is a built-in handler provided by Web
API, HttpControllerDispatcher, which does all the magic for processing
the request and pass it over to the controller action. You can also
inject any other dependency as part of the constructor. One thing to
consider is that message handlers are singleton if you configure them
this way, so make sure to inject the dependencies in the right way for
avoiding memory leaks (If you have to use a repository for example, you
might want to inject a factory or pass a delegate for resolving the
dependencies from a DI container).
]]><![CDATA[Multitenant domain routing with AWS Route 53]]>2013-02-12T00:00:00-03:00http://cibrax.me/blog/2013/02/12/multitenant-domain-routing-with-aws-route-53A common requirement in SaaS applications is the ability to route
requests to different tenants based on a URL routing strategy.
In most cases, a domain prefix is good enough to identify tenants (e.g.
mytenant.xxxxx.com). That approach typically relies on CName records for
mapping the prefixes or tenants and the domain name to an URL where the
application is actually hosted. Many cloud providers support the idea of
mapping custom domains to their web hosted services, so this approach
with CName works just fine.
An evident problem is that you would require a different CName record
per prefix or tenant. If you have to create those records manually, this
approach simply does not scale as the number of tenants increase.
An alternative is to use a wildcard CName, and route all the requests
that match that wildcard to the hosted application in the cloud. For
example, *.xxxxxx.com to your web application url.
Many DNS servers don’t support wildcards in CName such as the ones
offered by free for GoDaddy or NameCheap. However, AWS Route 53 supports
wildcards and also an API to manage almost everything in the DNS tables.
Configuring AWS Route 53 is relatively easy. Assuming that you already
have a AWS account, you need to create first a hosted zone, which
represents the association of a domain name with a set of name servers
provided by Route 53. Once you specified the domain name (e.g
cibrax.me), and the hosted zone is created. Route53 will show you a list
of name servers you need to use. If you already own a domain in other
place like GoDaddy or NameCheap, you need to go there and update the
list of name servers associated to that domain.
Afterwards, you need to create a resource record set, which is basically
the CName record containing the wildcard or prefix you want to use.
Here, you can specify the CNAme record and the mapped URL. For example,
*.cibrax.me goes to www.xxxxxxxx.com.
That’s all from the point of view of DNS configuration. The rest is part
of the implementation of your web application.
