December 2005 - Posts

Slightly OT: Hooking this blog up to Technorati

If anyone using DotNetJunkies (or the same version of Community Server) is trying to "claim" their blog in Technorati, I don't recommend the automatic method. Every time I have tried the automatic method to link this blog to my Technorati profile it has sat endlessly and patiently at the "Please wait while we check your site for Technorati goodness" stage. I am now trying the "Skip this step" step.

Technorati Profile

Wish me luck!

Two Interesting Finds, and Merry Christmas

First, I hope this festive season is great for fellow bloggers, readers, and everyone else. Merry Christmas!

Next, I came across two sites that I'm keeping an eye on and thought I'd mention here: Red Gate bloggers (makers of the excellent SQL Compare), and a site called TracksLife that offers a free service to track anything as "lists" - TracksLife will send you reminders to update your lists on a schedule of your choosing, as well as making your lists (shopping lists, budget, diet, etc.) available via RSS if you choose. And of interest to me, the site uses AJAX technologies too.

Wanting a Folder Size Column in Windows Explorer's "Detail" View?

I've used Windows Explorer day in, day out for many long years, and one thing that has bugged me all that time is the blank space in the "Size" column next to a folder in details view. One workaround is to view the Properties dialog of the folder which will show the total space used, including all files and sub-directories. Another is the excellent (but now no longer free, apparently) TreeSize program.

But now I don't need either.

Thanks to fellow DNJ Scott Munro, I now have a "Folder Size" column in Windows Explorer, courtesy of the Folder Size for Windows SourceForge project. That means I can now see...

...cool, hey?

S5 - Browser Slideshow

Jason Salas posts about S5 (Simple Standards-based Slide Show System), an XHTML, CSS and JavaScript browser-based slideshow. The demo is very impressive - after looking at it stupidly for a few seconds, I realised that clicking in the white area or pressing the space bar starts the slideshow. Hovering over the bottom-right corner reveals navigation controls, and viewing the source shows that authoring can be done on a simple XHTML page by surrounding each slide in a div with the "slide" class - the navigation controls are created dynamically in the JavaScript. Very cool.


web.config, Windows Authentication, and getting the logged-in user's identity

I've been developing an ASP.NET 2.0 web site on my machine (and I love the in-built web server) which accesses an SQL Server 2000 database through an SQL account, but which also passes the current user's Windows login for row-level access. This works fine in development when the web.config file is set up like:

<authentication mode="Windows"/>

In this situation in development, my Windows login is returned when using code like System.Security.Principal.WindowsIdentity.GetCurrent(), which is what I want.

But, when I tested the deployment of the site on Windows Server 2003, the current user always returned NT AUTHORITY! So, after checking all the possible settings in IIS (and comparing settings to sites I *know* get the current user), I discovered the following on a page of PAG documentation on MSDN:

Impersonation Options

You can use Windows authentication with ASP.NET in a number of ways:

  • Windows authentication without impersonation. This is the default setting. ASP.NET performs operations and accesses resources by using your application's process identity, which by default is the Network Service account on Windows Server 2003.
  • Windows authentication with impersonation. With this approach, you impersonate the authenticated user and use that identity to perform operations and access resources.
  • Windows authentication with fixed-identity impersonation. With this approach, you impersonate a fixed Windows account to access resources using a specific identity. On Windows Server 2003, you should avoid this impersonation approach; instead, use a custom application pool with a custom service identity.

The second option was exactly what I wanted, and can be accomplished by simply adding the following line to web.config (I added it after the "authentication" section):

<identity impersonate="true" />

Problem solved! I hope this might help anyone else in the future...and I know I'm probably going to need to refer back too.
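To make the difference between the two settings visible, here is an added example (not code from the original post) in the form of an ASP.NET Web Forms code-behind that reports both the user IIS authenticated and the Windows token the worker thread is actually running under. The page name Identities.aspx and the Literal control called Output are assumptions for the example; the web.config lines in the comment are the two from the post.

```csharp
// Added example, not from the original post: shows why WindowsIdentity.GetCurrent()
// returned the process account until <identity impersonate="true" /> was added.
// Assumed: a page named Identities.aspx with a Literal control called Output.
// Assumed web.config (system.web section), as in the post:
//   <authentication mode="Windows" />
//   <identity impersonate="true" />
// IIS must also have Anonymous access disabled and Integrated Windows
// authentication enabled for the site, or User.Identity.Name comes back empty.
using System;
using System.Security.Principal;
using System.Web.UI;

public partial class Identities : Page
{
    // True when the thread token matches the authenticated user, i.e. the
    // request is running under impersonation rather than the process identity.
    public static bool IsImpersonating(string authenticatedUser, string threadUser)
    {
        return string.Equals(authenticatedUser, threadUser, StringComparison.OrdinalIgnoreCase);
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        // The user IIS authenticated. Populated whenever authentication
        // mode="Windows" is in effect, with or without impersonation.
        string authenticatedUser = User.Identity.Name;

        // The Windows token the worker thread is running under. Without
        // <identity impersonate="true" /> this is the application's process
        // identity (Network Service on Windows Server 2003), which is why the
        // post kept seeing an NT AUTHORITY account instead of the logged-in user.
        // With impersonation it becomes the same account as User.Identity.Name.
        string threadUser = WindowsIdentity.GetCurrent().Name;

        // Each value is HTML-encoded individually so the <br /> separators stay
        // markup while the account names are rendered as text.
        Output.Text = string.Format(
            "Authenticated user: {0}<br />Thread identity: {1}<br />Impersonating: {2}",
            Server.HtmlEncode(authenticatedUser),
            Server.HtmlEncode(threadUser),
            IsImpersonating(authenticatedUser, threadUser));
    }
}
```

One design note that follows from the output: if the only thing the site does with the Windows login is pass the name to SQL Server as data for row-level filtering (the connection itself uses an SQL account), then User.Identity.Name already gives that name under Windows authentication alone, and impersonation is only needed when the resource access itself (file shares, integrated SQL logins) must happen as the caller.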

Regular Expression to Prevent Users Entering Malicious (HTML) Form Data

Cross-site scripting (XSS) is a problem that ASP.NET helps you deal with by not allowing any "malicious" (I'm interpreting this as HTML tags, whether it's <0BJECT> or <i>) input in the Request object, by default. This behaviour can be switched off by setting the "ValidateRequest" Page directive to "false" and you can do your own validation à la Peter van Ooijen's "Protecting an ASP.NET page against malicious input with ValidateRequest (A potentially dangerous Request.Form value was detected)" post.

In my case I left the default setting on - I'm not good enough to catch all possible vectors of attack - but used a RegularExpressionValidator validation control, with a regular expression of "^[^<>]+$" (without the quotes) to detect if there are any angle brackets in the field. For later-version browsers, the validation controls are rendered as client-side JavaScript which could possibly be bypassed, but that doesn't worry me because ASP.NET also handles the problem server-side and if malicious text did make it to the server, a System.Web.HttpRequestValidationException exception is raised which I handle through my error page.

The validation control merely forewarns the user and in my mind is enough to prevent accidental or curious users from entering HTML tags in free-text data entry fields.

Note: I figured out the regex using http://www.regular-expressions.info/reference.html - the regex matches strings from start to end (the first ^ character and closing dollar sign) where there are no occurrences of the characters in the square brackets. Initially I thought that the angle bracket characters would need to be escaped, but they don't.
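The following is an added example, not code from the original post, that exercises the post's "^[^<>]+$" expression as a console program so its behaviour can be checked outside of ASP.NET. The class and method names are assumptions for the example, and the sample inputs are constructed. The second method mirrors the documented behaviour of RegularExpressionValidator: an empty or whitespace-only value is treated as valid (a RequiredFieldValidator is needed to reject it), and otherwise the expression must match the whole value.

```csharp
// Added example, not from the original post: runs the post's validator regex
// against constructed inputs to show exactly what it accepts and rejects.
using System;
using System.Text.RegularExpressions;

public static class AngleBracketCheck
{
    // Same expression as the post's RegularExpressionValidator: whole string,
    // no '<' or '>' anywhere, at least one character (the '+').
    private static readonly Regex NoAngleBrackets =
        new Regex("^[^<>]+$", RegexOptions.Compiled);

    // The raw regex test.
    public static bool Passes(string value)
    {
        return value != null && NoAngleBrackets.IsMatch(value);
    }

    // What RegularExpressionValidator does with the same expression:
    // blank input is not validated at all, otherwise the match must cover
    // the entire (untrimmed) value.
    public static bool ValidatorWouldAccept(string value)
    {
        if (value == null || value.Trim().Length == 0)
        {
            return true;
        }
        Match m = NoAngleBrackets.Match(value);
        return m.Success && m.Index == 0 && m.Length == value.Length;
    }

    public static void Main()
    {
        // Constructed sample inputs for the example.
        string[] samples =
        {
            "Plain text, with punctuation & symbols.",
            "3 < 5 is true",          // legitimate text, still rejected
            "<i>italic</i>",          // markup, rejected
            "",                       // blank: regex fails, validator skips
            "   ",                    // whitespace only: same as blank
        };

        foreach (string s in samples)
        {
            Console.WriteLine("{0,-44} regex:{1,-5} validator:{2}",
                "\"" + s + "\"", Passes(s), ValidatorWouldAccept(s));
        }
    }
}
```

Two things the output makes concrete: the expression rejects any angle bracket, including ordinary comparisons like "3 < 5", so it is a usability trade-off rather than an HTML parser; and the validator lets blank fields through, so a RequiredFieldValidator is needed alongside it if the field is mandatory. Validators also re-run on the server during postback, but only the handler's own check of Page.IsValid stops a request whose client-side script was bypassed from being acted on; the request validation the post relies on is a separate, default-on layer.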

Upgrade From Visual Studio 2005 Trial Version

One very cool feature of Visual Studio 2005 is the ability to install a Trial version, and then upgrade to the full version by buying a product key or boxed copy. Doing this means that the trial version does not need to be removed (wiping out all the carefully-crafted settings for the IDE) to install the full version. This option can be found under the "Add or Remove Programs", "Change/Remove" screen:

Microsoft Visual Studio 2005 Setup - Maintenance Page

This is helpful to me because I have a web site currently on Beta 2, and I want to upgrade to the RTM before going much further. Now I can do this with a 90-day Trial, while waiting for the full Pro version I've ordered to arrive.

The MSDN link describing this setting can be found at http://msdn2.microsoft.com/en-us/library/ms246600.aspx.