Monday, May 14, 2012
Sunday, May 13, 2012
Anonymous Types
Anonymous types provide a convenient way to encapsulate a set of
read-only properties into a single object without having to explicitly
define a type first. The type name is generated by the compiler and is
not available at the source code level. The type of each property is
inferred by the compiler.
You create anonymous types by using the new operator together with an object initializer. For more information about object initializers, see Object and Collection Initializers (C# Programming Guide).
The following example shows an anonymous type that is initialized with two properties named Amount and Message.
Anonymous types typically are used in the select clause of a query expression to return a subset of the properties from each object in the source sequence.
'
nonymous types contain one or more public read-only properties. No other kinds of class members, such as methods or events, are valid. The expression that is used to initialize a property cannot be null, an anonymous function, or a pointer type.
The most common scenario is to initialize an anonymous type with properties from another type. In the following example, assume that a class exists that is named Product. Class Product includes Color and Price properties, together with other properties that you are not interested in. Variable products is a collection of Product objects. The anonymous type declaration starts with the new keyword. The declaration initializes a new type that uses only two properties from Product. This causes a smaller amount of data to be returned in the query.
If you do not specify member names in the anonymous type, the compiler gives the anonymous type members the same name as the property being used to initialize them. You must provide a name for a property that is being initialized with an expression, as shown in the previous example. In the following example, the names of the properties of the anonymous type are Color and Price.
Typically, when you use an anonymous type to initialize a
variable, you declare the variable as an implicitly typed local variable
by using var.
The type name cannot be specified in the variable declaration because
only the compiler has access to the underlying name of the anonymous
type. For more information about var, see Implicitly Typed Local Variables (C# Programming Guide).
You can create an array of anonymously typed elements by combining an implicitly typed local variable and an implicitly typed array, as shown in the following example.
Anonymous types as the name suggests, help us to create an object
without declaring its data type. Since name of the data type is not
specified that the type is referred to as an anonymous type.
We have lot of resources around us on this concept, but I still see some confusion and arguments on this concept that made me to write this blog post. I will try to explain it in simple words so that a novice can understand the basics of the concept.
VB.NET
C#.NET
The above code snippet is an anonymous declaration in VB. We can notice that the as key word is not required to declare it.
Visual Studio Editor is user-friendly to give us the IntelliSense as below. Once you declared the type then you can access all the properties.
When the above code reaches the complier these are the steps that are done internally.
You create anonymous types by using the new operator together with an object initializer. For more information about object initializers, see Object and Collection Initializers (C# Programming Guide).
The following example shows an anonymous type that is initialized with two properties named Amount and Message.
var v = new { Amount = 108, Message = "Hello" }; // Rest the mouse pointer over v.Amount and v.Message in the following // statement to verify that their inferred types are int and string. Console.WriteLine(v.Amount + v.Message);
'
nonymous types contain one or more public read-only properties. No other kinds of class members, such as methods or events, are valid. The expression that is used to initialize a property cannot be null, an anonymous function, or a pointer type.
The most common scenario is to initialize an anonymous type with properties from another type. In the following example, assume that a class exists that is named Product. Class Product includes Color and Price properties, together with other properties that you are not interested in. Variable products is a collection of Product objects. The anonymous type declaration starts with the new keyword. The declaration initializes a new type that uses only two properties from Product. This causes a smaller amount of data to be returned in the query.
If you do not specify member names in the anonymous type, the compiler gives the anonymous type members the same name as the property being used to initialize them. You must provide a name for a property that is being initialized with an expression, as shown in the previous example. In the following example, the names of the properties of the anonymous type are Color and Price.
You can create an array of anonymously typed elements by combining an implicitly typed local variable and an implicitly typed array, as shown in the following example.
var anonArray = new[] { new { name = "apple", diam = 4 }, new { name = "grape", diam = 1 }};
compiler generates an internal sealed class that models the anonymous
type. The anonymous type is immutable; all the properties are read only.
you cannot declare methods that take anonymous types as parameters, nor can you return them from methods
if anonymous types are so limited, why use them at all? In my opinion,
there are two related reasons. First, the compiler writes code faster
than I do. The compiler creates a page full of code for each new
anonymous type. That’s code I don’t have to write, test, and debug
myself. It’s a great time saver. Second, anonymous types are great for
local values that support algorithms, but aren’t part of the overall
object model for a system. Because the types are anonymous, they don’t
clutter the picture of the system as a whole. You don’t browse the code
for an anonymous type. Anonymous types do not show up in Class View.
Anonymous types don’t require external documentation. They just quickly
provide a small bit of functionality.
We have lot of resources around us on this concept, but I still see some confusion and arguments on this concept that made me to write this blog post. I will try to explain it in simple words so that a novice can understand the basics of the concept.
VB.NET
1.Emp = New With {2. .EmplD = 123, 3. .FName = "Hima", 4. .LName = “Vejella” , 5. .Country = "India"6. }1.var Emp = new { 2. FirstName = "Hima", 3. LastName = "Vejella", 4. DOJ = DateTime.Now, 5. EMPCode = 150 6. };Visual Studio Editor is user-friendly to give us the IntelliSense as below. Once you declared the type then you can access all the properties.
When the above code reaches the complier these are the steps that are done internally.
- Compiler automatically generates anonymous class.
- It anonymously instantiate an object that contains the properties in anonymous type
- The instantiated object is assigned to the anonymous type variable "Emp"
Extension-methods
http://weblogs.asp.net/scottgu/archive/2007/03/13/new-orcas-language-feature-extension-methods.aspx
Extension Methods enable a variety of useful scenarios, and help make possible the really powerful LINQ query framework that is being introduced with .NET as part of the "Orcas" release.
To add this specific Extension Method implementation to string instances within my code, I simply use a standard "using" statement to import the namespace containing the extension method implementation:
The VB and C# compilers also naturally give you compile-time checking of all Extension Method usage - meaning you'll get a compile-time error if you mis-type or mis-use one.
[Credit: Thanks to David Hayden for first coming up with the IsValidEmailAddress scenario I used above in a prior blog post of his from last year.]
For example, consider a scenario where I want an easy, descriptive, way to check whether an object is already included within a collection or array of objects. I could define a simple .In(collection) extension method that I want to add to all objects within .NET to enable this. I could implement this "In()" extension method within C# like so:
Note above how I've declared the first parameter to the extension method to be "this object o". This indicates that this extension method should applied to all types that derive from the base System.Object base type - which means I can now use it on every object in .NET.
The "In" method implementation above allows me to check to see whether a specific object is included within an IEnumerable sequence passed as an argument to the method. Because all .NET collections and arrays implement the IEnumerable interface, I now have a useful and descriptive method for checking whether any .NET object belongs to any .NET collection or array.
I could use then use this "In()" extension method to see whether a particular string is within an array of strings:
I could use it to check to see whether a particular ASP.NET control is within a container control collection:
I could even use it with scalar datatypes like integers:
Note above how you can even use extension methods on base datatype values (like the integer value 42). Because the CLR supports automatic boxing/unboxing of value-classes, extensions methods can be applied on numeric and other scalar datatypes directly.
As you can probably begin to see from the samples above, extension methods enable some really rich and descriptive extensibility scenarios. When applied against common base classes and interfaces across .NET, they enable some really nice domain specific framework and composition scenarios.
A few of the advantages of using the extension method extensibility model for this query support include:
1) It enables a common query programming model and syntax that can be used across all types of data (databases, XML files, in-memory objects, web-services, etc).
2) It is composable and allows developers to easily add new methods/operators into the query syntax. For example: we could use our custom "In()" method together with the standard "Where()" method defined by LINQ as part of a single query. Our custom In() method will look just as natural as the "standard" methods supplied under the System.Linq namespace.
3) It is extensible and allows any type of data provider to be used with it. For example: an existing ORM engine like NHibernate or LLBLGen could implement the LINQ standard query operators to enable LINQ queries against their existing ORM implementation and mapping engines. This will enable developers to learn a common way to query data, and then apply the same skills against a wide variety of rich data store implementations.
I'll be walking through LINQ much more over the next few weeks, but wanted to leave you with a few samples that show how to use a few of the built-in LINQ query extension methods with different types of data:
I could then use the new object Initializer and collection Initializer features to create and populate a collection of "people" like so:
I could then use the standard "Where()" extension method provided by System.Linq to retrieve a sequence of those "Person" objects within this collection whose FirstName starts with the letter "S" like so:
The new p => syntax above is an example of a "Lambda expression", which is a more concise evolution of C# 2.0's anonymous method support, and enables us to easily express a query filter with an argument (in this case we are indicating that we only want to return a sequence of those Person objects where the firstname property starts with the letter "S"). The above query will then return 2 objects as part of the sequence (for Scott and Susanne).
I could also write code that takes advantage of the new "Average" and "Max" extension methods provided by System.Linq to determine the average age of the people in my collection, as well as the age of the oldest person like so:
Let's assume we have an XML file on disk that contains the data below:
I could obviously use the existing System.Xml APIs today to either load this XML file into a DOM and access it, or use a low-level XmlReader API to manually parse it myself. Alternatively, with "Orcas" I can now use the System.Xml.Linq implementation that supports the standard LINQ extension methods (aka "XLINQ") to more elegantly parse and process the XML.
The below code-sample shows how to use LINQ to retrieve all of the <person> XML Elements that have a <person> sub-node whose inner value starts with the letter "S":
Note that it uses the exact same Where() extension method as with the in-memory object sample. Right now it is returning a sequence of "XElement" elements, which is an un-typed XML node element. I could alternatively re-write the query to "shape" the data that is returned instead by using LINQ's Select() extension method and provide a Lambda expression that uses the new object initializer syntax to populate the same "Person" class that we used with our first in-memory collection example:
The above code does all the work necessary to open, parse and filter the XML in the "test.xml" file, and return back a strongly-typed sequence of Person objects. No mapping or persistence file is necessary to map the values - instead I am expressing the shaping from XML->objects directly within the LINQ query above.
I could also use the same Average() and Max() LINQ extension methods as before to calculate the average age of <person> elements within the XML file, as well as the maximum age like so:
I do not have to manually parse the XML file. Not only will XLINQ handle that for me, but it will parse the file using a low-level XMLReader and not have to create a DOM in order to evaluate the LINQ expression. This means that it is lightening fast and doesn't allocate much memory.
I could use the new LINQ to SQL WYSIWYG ORM designer within Visual Studio to quickly create a "Person" class that maps to the database:
I can then use the same LINQ Where() extension method I used previously with objects and XML to retrieve a sequence of strongly-typed "Person" objects from the database whose first name starts with the letter "S":
Note how the query syntax is the same as with objects and XML.
I could then use the same LINQ Average() and Max() extension methods as before to retrieve the average and maximum age values from the database like so:
You don't need to write any SQL code yourself to have the above code snippets work. The LINQ to SQL object relational mapper provided with "Orcas" will handle retrieving, tracking and updating objects that map to your database schema and/or SPROCs. You can simply use any LINQ extension method to filter and shape the results, and LINQ to SQL will execute the SQL code necessary to retrieve the data (note: the Average and Max extension methods above obviously don't return all the rows from the table - they instead use TSQL aggregate functions to compute the values in the database and just return a scalar result).
Please watch this video I did in January to see how LINQ to SQL dramatically improves data productivity in "Orcas". In the video you can also see the new LINQ to SQL WYSIWYG ORM designer in action, as well as see full intellisense provided in the code-editor when writing LINQ code against the data model.
Extension methods enable you to "add" methods to existing types without creating a new derived type, recompiling, or otherwise modifying the original type. Extension methods are a special kind of static method, but they are called as if they were instance methods on the extended type.
What are Extension Methods?
Extension methods allow developers to add new methods to the public contract of an existing CLR type, without having to sub-class it or recompile the original type. Extension Methods help blend the flexibility of "duck typing" support popular within dynamic languages today with the performance and compile-time validation of strongly-typed languages.Extension Methods enable a variety of useful scenarios, and help make possible the really powerful LINQ query framework that is being introduced with .NET as part of the "Orcas" release.
Simple Extension Method Example:
Ever wanted to check to see whether a string variable is a valid email address? Today you'd probably implement this by calling a separate class (probably with a static method) to check to see whether the string is valid. For example, something like:
string email = Request.QueryString["email"];
if ( EmailValidator.IsValid(email) ) {
}
Using
the new "extension method" language feature in C# and VB, I can instead
add a useful "IsValidEmailAddress()" method onto the string class
itself, which returns whether the string instance is a valid string or
not. I can then re-write my code to be cleaner and more descriptive
like so:if ( EmailValidator.IsValid(email) ) {
}
string email = Request.QueryString["email"];
if ( email.IsValidEmailAddress() ) {
}
How
did we add this new IsValidEmailAddress() method to the existing string
type? We did it by defining a static class with a static method
containing our "IsValidEmailAddress" extension method like below:if ( email.IsValidEmailAddress() ) {
}
public static class ScottGuExtensions
{
public static bool IsValidEmailAddress(this string s)
{
Regex regex = new Regex(@"^[\w-\.]+@([\w-]+\.)+[\w-]{2,4}$");
return regex.IsMatch(s);
}
}
Note
how the static method above has a "this" keyword before the first
parameter argument of type string. This tells the compiler that this
particular Extension Method should be added to objects of type
"string". Within the IsValidEmailAddress() method implementation I can
then access all of the public properties/methods/events of the actual
string instance that the method is being called on, and return
true/false depending on whether it is a valid email or not.{
public static bool IsValidEmailAddress(this string s)
{
Regex regex = new Regex(@"^[\w-\.]+@([\w-]+\.)+[\w-]{2,4}$");
return regex.IsMatch(s);
}
}
To add this specific Extension Method implementation to string instances within my code, I simply use a standard "using" statement to import the namespace containing the extension method implementation:
using ScottGuExtensions;
The compiler will then correctly resolve the IsValidEmailAddress() method on any string. C# and VB in the public "Orcas" March CTP
now provide full intellisense support for extension methods within the
Visual Studio code-editor. So when I hit the "." keyword on a string
variable, my extension methods will now show up in the intellisense
drop-downlist: The VB and C# compilers also naturally give you compile-time checking of all Extension Method usage - meaning you'll get a compile-time error if you mis-type or mis-use one.
[Credit: Thanks to David Hayden for first coming up with the IsValidEmailAddress scenario I used above in a prior blog post of his from last year.]
Extension Methods Scenarios Continued...
Leveraging the new extension method feature to add methods to individual types opens up a number of useful extensibility scenarios for developers. What makes Extension Methods really powerful, though, is their ability to be applied not just to individual types - but also to any parent base class or interface within the .NET Framework. This enables developers to build a variety of rich, composable, framework extensions that can be used across the .NET Framework.For example, consider a scenario where I want an easy, descriptive, way to check whether an object is already included within a collection or array of objects. I could define a simple .In(collection) extension method that I want to add to all objects within .NET to enable this. I could implement this "In()" extension method within C# like so:
Note above how I've declared the first parameter to the extension method to be "this object o". This indicates that this extension method should applied to all types that derive from the base System.Object base type - which means I can now use it on every object in .NET.
The "In" method implementation above allows me to check to see whether a specific object is included within an IEnumerable sequence passed as an argument to the method. Because all .NET collections and arrays implement the IEnumerable interface, I now have a useful and descriptive method for checking whether any .NET object belongs to any .NET collection or array.
I could use then use this "In()" extension method to see whether a particular string is within an array of strings:
I could use it to check to see whether a particular ASP.NET control is within a container control collection:
I could even use it with scalar datatypes like integers:
Note above how you can even use extension methods on base datatype values (like the integer value 42). Because the CLR supports automatic boxing/unboxing of value-classes, extensions methods can be applied on numeric and other scalar datatypes directly.
As you can probably begin to see from the samples above, extension methods enable some really rich and descriptive extensibility scenarios. When applied against common base classes and interfaces across .NET, they enable some really nice domain specific framework and composition scenarios.
Built-in System.Linq Extension Methods
One of the built-in extension method libraries that we are shipping within .NET in the "Orcas" timeframe are a set of very powerful query extension method implementations that enable developers to easily query data. These extension method implementations live under the new "System.Linq" namespace, and define standard query operator extension methods that can be used by any .NET developer to easily query XML, Relational Databases, .NET objects that implement IEnumerable, and/or any other type of data structure.A few of the advantages of using the extension method extensibility model for this query support include:
1) It enables a common query programming model and syntax that can be used across all types of data (databases, XML files, in-memory objects, web-services, etc).
2) It is composable and allows developers to easily add new methods/operators into the query syntax. For example: we could use our custom "In()" method together with the standard "Where()" method defined by LINQ as part of a single query. Our custom In() method will look just as natural as the "standard" methods supplied under the System.Linq namespace.
3) It is extensible and allows any type of data provider to be used with it. For example: an existing ORM engine like NHibernate or LLBLGen could implement the LINQ standard query operators to enable LINQ queries against their existing ORM implementation and mapping engines. This will enable developers to learn a common way to query data, and then apply the same skills against a wide variety of rich data store implementations.
I'll be walking through LINQ much more over the next few weeks, but wanted to leave you with a few samples that show how to use a few of the built-in LINQ query extension methods with different types of data:
Scenario 1: Using LINQ Extension Methods Against In-Memory .NET Objects
Assume we have defined a class to represent a "Person" like so: I could then use the new object Initializer and collection Initializer features to create and populate a collection of "people" like so:
I could then use the standard "Where()" extension method provided by System.Linq to retrieve a sequence of those "Person" objects within this collection whose FirstName starts with the letter "S" like so:
The new p => syntax above is an example of a "Lambda expression", which is a more concise evolution of C# 2.0's anonymous method support, and enables us to easily express a query filter with an argument (in this case we are indicating that we only want to return a sequence of those Person objects where the firstname property starts with the letter "S"). The above query will then return 2 objects as part of the sequence (for Scott and Susanne).
I could also write code that takes advantage of the new "Average" and "Max" extension methods provided by System.Linq to determine the average age of the people in my collection, as well as the age of the oldest person like so:
Scenario 2: Using LINQ Extension Methods Against an XML File
It is probably rare that you manually create a collection of hard-coded data in-memory. More likely you'll retrieve the data either from an XML file, a database, or a web-service.Let's assume we have an XML file on disk that contains the data below:
I could obviously use the existing System.Xml APIs today to either load this XML file into a DOM and access it, or use a low-level XmlReader API to manually parse it myself. Alternatively, with "Orcas" I can now use the System.Xml.Linq implementation that supports the standard LINQ extension methods (aka "XLINQ") to more elegantly parse and process the XML.
The below code-sample shows how to use LINQ to retrieve all of the <person> XML Elements that have a <person> sub-node whose inner value starts with the letter "S":
Note that it uses the exact same Where() extension method as with the in-memory object sample. Right now it is returning a sequence of "XElement" elements, which is an un-typed XML node element. I could alternatively re-write the query to "shape" the data that is returned instead by using LINQ's Select() extension method and provide a Lambda expression that uses the new object initializer syntax to populate the same "Person" class that we used with our first in-memory collection example:
The above code does all the work necessary to open, parse and filter the XML in the "test.xml" file, and return back a strongly-typed sequence of Person objects. No mapping or persistence file is necessary to map the values - instead I am expressing the shaping from XML->objects directly within the LINQ query above.
I could also use the same Average() and Max() LINQ extension methods as before to calculate the average age of <person> elements within the XML file, as well as the maximum age like so:
I do not have to manually parse the XML file. Not only will XLINQ handle that for me, but it will parse the file using a low-level XMLReader and not have to create a DOM in order to evaluate the LINQ expression. This means that it is lightening fast and doesn't allocate much memory.
Scenario 3: Using LINQ Extension Methods Against a Database
Let's assume we have a SQL database that contains a table called "People" that has the following database schema: I could use the new LINQ to SQL WYSIWYG ORM designer within Visual Studio to quickly create a "Person" class that maps to the database:
I can then use the same LINQ Where() extension method I used previously with objects and XML to retrieve a sequence of strongly-typed "Person" objects from the database whose first name starts with the letter "S":
Note how the query syntax is the same as with objects and XML.
I could then use the same LINQ Average() and Max() extension methods as before to retrieve the average and maximum age values from the database like so:
You don't need to write any SQL code yourself to have the above code snippets work. The LINQ to SQL object relational mapper provided with "Orcas" will handle retrieving, tracking and updating objects that map to your database schema and/or SPROCs. You can simply use any LINQ extension method to filter and shape the results, and LINQ to SQL will execute the SQL code necessary to retrieve the data (note: the Average and Max extension methods above obviously don't return all the rows from the table - they instead use TSQL aggregate functions to compute the values in the database and just return a scalar result).
Please watch this video I did in January to see how LINQ to SQL dramatically improves data productivity in "Orcas". In the video you can also see the new LINQ to SQL WYSIWYG ORM designer in action, as well as see full intellisense provided in the code-editor when writing LINQ code against the data model.
Extension methods enable you to "add" methods to existing types without creating a new derived type, recompiling, or otherwise modifying the original type. Extension methods are a special kind of static method, but they are called as if they were instance methods on the extended type.
Extension methods are defined as static methods but are called by using
instance method syntax. Their first parameter specifies which type the
method operates on, and the parameter is preceded by the this modifier. Extension methods are only in scope when you explicitly import the namespace into your source code with a using directive.
You can use extension methods to extend a class or interface, but not to
override them. An extension method with the same name and signature as
an interface or class method will never be called. At compile time,
extension methods always have lower priority than instance methods
defined in the type itself. In other words, if a type has a method named
Process(int i), and you have an extension
method with the same signature, the compiler will always bind to the
instance method. When the compiler encounters a method invocation, it
first looks for a match in the type's instance methods. If no match is
found, it will search for any extension methods that are defined for the
type, and bind to the first extension method that it finds. The
following example demonstrates how the compiler determines which
extension method or instance method to bind to.
automatic-properties-object-initializers-and-collection-initializers
http://weblogs.asp.net/scottgu/archive/2007/03/08/new-c-orcas-language-features-automatic-properties-object-initializers-and-collection-initializers.aspx
http://community.bartdesmet.net/blogs/bart/archive/2007/03/03/c-3-0-automatic-properties-explained.aspx
which will be translated automatically in something like this:
The clue is on line 7 where I've declared an automatic property.
Basically this frees me from the burden of declaring a private variable
and a get and set accessor to it by means of a property. Although you
can just use the "prop" code snippet in Visual Studio, this is much
cleaner in case you don't need the private fields at all. Imagine some
entity mapping class that consists of 20 properties, do you want to see
all of the private variable, getter and setter noise around your class? I
don't think so.
Please notice that the use of automatic properties is not equal to just defining a public field - you still keep the get_PropertyName and set_PropertyName methods behind the scenes as well as all the metadata that goes with a property, as illustrated below:
This means your code can be upgraded at any time to define getters/setters together with an explicitly defined member variable when you need to do so, without having to recompile external consumers of your code (i.e. the "contract" remains untouched). Behind the scenes what happens is the injection of a private member variable, prefixed with <>k__AutomaticallyGeneratedPropertyField#, like this:
The CompilerGeneratedAttribute
attribute is useful for tools to find out about these auto-generated
things. Next, the compiler emits a getter and setter for you:
All the stuff in here is pretty much the same as a manually defined
property, except for the presence of the CompilerGeneratedAttribute
attribute. Finally, there's the metadata for the property:
Notice that automatic properties should have both a getter and a setter declared. Read-only or write-only properties are not permitted.
http://community.bartdesmet.net/blogs/bart/archive/2007/03/03/c-3-0-automatic-properties-explained.aspx
automatic properties. Basically it allows you to write stuff like this:
public string Bar { get; set; }
private string foo; public string Bar { get { return foo; } set { foo = value; }}
1 using System; 2 3 namespace ConsoleApplication1 4 { 5 class Program 6 { 7 public string Name { get; set; } 8 9 static void Main(string[] args)10 {11 var p = new Program();12 p.Name = "Bart";13 }14 }15 }
Please notice that the use of automatic properties is not equal to just defining a public field - you still keep the get_PropertyName and set_PropertyName methods behind the scenes as well as all the metadata that goes with a property, as illustrated below:
This means your code can be upgraded at any time to define getters/setters together with an explicitly defined member variable when you need to do so, without having to recompile external consumers of your code (i.e. the "contract" remains untouched). Behind the scenes what happens is the injection of a private member variable, prefixed with <>k__AutomaticallyGeneratedPropertyField#, like this:
.field private string '<>k__AutomaticallyGeneratedPropertyField0' .custom instance void [mscorlib]System.Runtime.CompilerServices.CompilerGeneratedAttribute::.ctor() = ( 01 00 00 00 )
.method public hidebysig specialname instance string get_Name() cil managed { .custom instance void [mscorlib]System.Runtime.CompilerServices.CompilerGeneratedAttribute::.ctor() = ( 01 00 00 00 ) // Code size 11 (0xb) .maxstack 1 .locals init (string V_0) IL_0000: ldarg.0 IL_0001: ldfld string ConsoleApplication1.Program::'<>k__AutomaticallyGeneratedPropertyField0' IL_0006: stloc.0 IL_0007: br.s IL_0009 IL_0009: ldloc.0 IL_000a: ret } // end of method Program::get_Name .method public hidebysig specialname instance void set_Name(string 'value') cil managed { .custom instance void [mscorlib]System.Runtime.CompilerServices.CompilerGeneratedAttribute::.ctor() = ( 01 00 00 00 ) // Code size 8 (0x8) .maxstack 8 IL_0000: ldarg.0 IL_0001: ldarg.1 IL_0002: stfld string ConsoleApplication1.Program::'<>k__AutomaticallyGeneratedPropertyField0' IL_0007: ret } // end of method Program::set_Name
.property instance string Name() { .get instance string ConsoleApplication1.Program::get_Name() .set instance void ConsoleApplication1.Program::set_Name(string) } // end of property Program::Name
Thursday, May 10, 2012
ASP.NET authentication and authorization
http://www.codeproject.com/Articles/98950/ASP-NET-authentication-and-authorization
This article will discuss how to implement ASP.NET authentication and authorization. This article initially starts with authentication and authorization concepts and later explains the three important ways of doing authentication and authorization i.e. windows, forms and passport. As the article moves ahead it explains basic, digest and integrated authentication in depth. This article also dives in depth on how forms authentication can be used to implement custom authentication and single-sign on authentication. One of the important concepts this article touch bases is ticket generation in cookies and how ASP.NET membership and role can help us to increase productivity.
Authentication and Authorization
Before proceeding ahead we need to understand four important
vocabularies which you will see in this article again and again: -
authentication, authorization, principal and identity. Let’s first start
with authentication and authorization. If you search in www.google.com
for the dictionary meaning of authentication and authorization, you will
land up with something below:-Authentication: - prove genuineness
Authorization: - process of granting approval or permission on resources.
The same dictionary meaning applies to ASP.NET as well. In ASP.NET authentication means to identify the user or in other words its nothing but to validate that he exists in your database and he is the proper user.
Authorization means does he have access to a particular resource on the IIS website. A resource can be an ASP.NET web page, media files (MP4, GIF, JPEG etc), compressed file (ZIP, RAR) etc.
So the first process which happens is authentication and then authorization. Below is a simple graphical representation of authentication and authorization. So when the user enters ‘userid’ and ‘password’ he is first authenticated and identified by the user name.
Now when the user starts accessing resources like pages, ASPDOTNETauthentication, videos etc, he is checked whether he has the necessary access for the resources. The process of identifying the rights for resources is termed as ‘Authorization’.
To put it in simple words to identify “he is shiv” is authentication and to identify that “Shiv is admin” is authorization.
Detecting authentication and authorization: - The principal and identity objects
At any moment of time if you want to know who the user is and what
kind of authentication type he using you can use the identity object. If
you want to know what kind of roles it’s associated with then we need
to use the principal object. In other words to get authentication
details we need to the identity object and to know about authorization
details of that identity we need the principal object.
For instance below is a simple sample code which shows how to use identity and principal object to display name and check roles.
Response.Write(User.Identity.Name +"<br>"); Response.Write(User.Identity.AuthenticationType + "<br>"); Response.Write(User.Identity.IsAuthenticated + "<br>"); Response.Write(User.IsInRole("Administrators") + "<br>");
Now if you run this code in IIS under anonymous mode it will display no details as shown below.
If you run the above code in IIS using some authentication mode like one shown below “Basic authentication” it will show all the details as shown below.
Types of authentication and authorization in ASP.NET
There are three ways of doing authentication and authorization in ASP.NET:-• Windows authentication: - In this methodology ASP.NET web pages will use local windows users and groups to authenticate and authorize resources.
• Forms Authentication: - This is a cookie based authentication where username and password are stored on client machines as cookie files or they are sent through URL for every request. Form-based authentication presents the user with an HTML-based Web page that prompts the user for credentials.
• Passport authentication :- Passport authentication is based on the passport website provided
by the Microsoft .So when user logins with credentials it will be reached to the passport website ( i.e. hotmail,devhood,windows live etc) where authentication will happen. If Authentication is successful it will return a token to your website.
• Anonymous access: - If you do not want any kind of authentication then you will go for Anonymous access.
GenericPrincipal and GenericIdentity objects represent users who have been authenticated using Forms authentication or other custom authentication mechanisms. With these objects, the role list is obtained in a custom manner, typically from a database.
FormsIdentity and PassportIdentity objects represent users who have been authenticated with Forms and Passport authentication respectively.
Windows Authentication
When you configure your ASP.NET application as windows authentication
it will use local windows user and groups to do authentication and
authorization for your ASP.NET pages. Below is a simple snap shot which
shows my windows users and roles on my computer.
5 steps to enable authentication and authorization using Windows
We will do a small sample to get a grasp of how authentication and
authorization works with windows. We will create 2 users one
‘Administrator’ and other a simple user with name ‘Shiv’. We will create
two simple ASPX pages ‘User.aspx’ page and ‘Admin.aspx’ page.
‘Administrator’ user will have access to both ‘Admin.aspx’ and
‘User.aspx’ page , while user ‘Shiv’ will only have access to
‘User.aspx’ page.
Step 1:- Creation of web site.
The next step is to create a simple web site with 3 pages (User.aspx, Admin.aspx and Home.aspx) as shown below.
Step 2:- Create user in the windows directory
The next step is we go to the windows directory and create two users. You can see in my computer we have ‘Administrator’ and ‘Shiv’.
Step 3:- Setup the ‘web.config’ file
In ‘web.config’ file set the authentication mode to ‘Windows’ as shown in the below code snippets.
<authentication mode="Windows"/>
We also need to ensure that all users are denied except authorized users. The below code snippet inside the authorization tag that all users are denied. ‘?’ indicates any
unknown user. <authorization> <deny users="?"/> </authorization>
Step 4:- Setup authorization
We also need to specify the authorization part. We need to insert the below snippet in the ‘web.config’ file stating that only ‘Administrator’ users will have access to
‘Admin.aspx’ pages. <location path="Admin.aspx"> <system.web> <authorization> <allow roles="questpon-srize2\Administrator"/> <deny users="*"/> </authorization> </system.web> </location>
Step 5:-Configure IIS settings
The next step is to compile the project and upload the same on an IIS virtual directory. On the IIS virtual directory we need to ensure to remove anonymous access and check the integrated windows authentication as shown in the below figure.
Now if you run the web application you will be popped with a userid and password box as shown below.
Once you enter credentials you should be able to see home.aspx as shown below.
In case you are not an administrator (i.e in this case its ‘shiv’) and you navigate to ‘Admin.aspx’ it will throw an error as shown in the below figure.
In case you want to read who the user is and with what authorization rights has he logged in you can use ‘WindowsPrincipal’ and ‘WindowsIdentity’. These two objects represent users who have been authenticated with Windows authentication. You can also get the roles these users have.
Different methods of collecting username and password
In the above step by step article you must have noticed the below
options on IIS (Integrated, digest and basic). These three checkboxes
decide how the windows username and password credentials are passed from
the client desktop to the IIS.There are three different way of passing the windows username and password to IIS:-
• Basic
• Digest
• Windows
In the coming session we will understand in depth what these 3 options are.
Basic Authentication
When basic authentication is selected the ‘userid’ and ‘password’ are
passed by using Base64 encoded format . i.e. why the name is basic
authentication. ‘Base64’ is a encoding and not encryption. So it’s very
easy to crack. You can read more about ‘Base64’ encoding at
http://en.wikipedia.org/wiki/Base64 . Its a very weak form of
protection.
Below is a small demonstration how easy it is to crack a basic authentication. You can see in the below figure we have checked ‘Basicauthentication’ check and we ran the fiddler tool to see the data.
We then copied the ‘Authorization:Basic’ data and ran the below program. LOL, we can see our windows userid and password.
Below is the code snippet of how to decode ‘Base64’ encoding.
public static string DecodeFrom64(string encodedData) { byte[] encodedDataAsBytes = System.Convert.FromBase64String(encodedData); string returnValue = System.Text.Encoding.ASCII.GetString(encodedDataAsBytes); return returnValue;}
Base64 is an encoding mechanism and not encryption
Basic authentication in other words ‘Base64’ encoding is used to
transmit binary data and convert them to text so that they can run over
the network. Some protocols may interpret your binary data as control
characters. For instance the FTP protocol for certain combination of
binary characters can interpret the same as FTP line endings. At the end of the days it’s not an encryption algorithm it’s an encoding mechanism. That’s why in our previous section we demonstrated how easy it was to decode basic authentication.
Digest Authentication
The problem associated with basic authentication is solved by using
digest authentication. We saw in our previous section how easy it was to
crack basic authentication. Digest authentication transfers data over
wire as MD5 hash or message digest. This hash or digest is difficult to
dechiper.In other words digest authentication replaces the lame basic authentication.
Said and done there one of the big problems of digest authentication is it’s not supported on some browsers.
Integrated Authentication
Integrated Windows authentication (formerly called NTLM, and also
known as Windows NT Challenge/Response authentication) uses either
Kerberos v5 authentication or NTLM authentication, depending upon the
client and server configuration.(The above paragraph is ripped from http://msdn.microsoft.com/en-us/library/ff647076.aspx ).
Let’s try to understand what NTLM and Kerberos authentication is all about and then we will try to understand other aspects of integrated authentication.
NTLM is a challenge response authentication protocol. Below is how the sequence of events happens:-
• Client sends the username and password to the server.
• Server sends a challenge.
• Client responds to the challenge with 24 byte result.
• Servers checks if the response is properly computed by contacting the domain controller.
• If everything is proper it grants the request.
Kerberos is a multi-hounded (3 heads) who guards the gates of hades. In the same way Kerberos security has 3 participants authenticating service, service server and ticket granting server. Let’s try to understand step by step how these 3 entities participate to ensure security.
Courtesy: - http://24-timepass.com/postimg/three-headed-dog.jpg
Kerberos uses symmetric key for authentication and authorization. Below is how the things work for Kerberos:-
• In step 1 client sends the username and password to AS (Authenticating service).
• AS authenticates the user and ensures that he is an authenticated user.
• AS then asks the TGT (Ticket granting service) to create a ticket for the user.
• This ticket will be used to verify if the user is authenticated or not. In other words in further client interaction no password will be sent during interaction.
Order of Precedence
One of the things which you must have noticed is that integrated,
digest and basic authentication are check boxes. In other words we can
check all the three at one moment of time. If you check all the 3
options at one moment of time depending on browser security support one
of the above methods will take precedence.
Let’s understand how the security precedence works as per browser security.
• Browser makes a request; it sends the first request as Anonymous. In other words it does not send any credentials.
• If the server does not accept Anonymous IIS responds with an "Access Denied" error message and sends a list of the authentication types that are supported by the browser.
• If Windows NT Challenge/Response is the only one supported method then the browser must support this method to communicate with the server. Otherwise, it cannot negotiate with the server and the user receives an "Access Denied" error message.
• If Basic is the only supported method, then a dialog box appears in the browser to get the credentials, and then passes these credentials to the server. It attempts to send these credentials up to three times. If these all fail, the browser is not connected to the server.
• If both Basic and Windows NT Challenge/Response are supported, the browser determines which method is used. If the browser supports Windows NT Challenge/Response, it uses this method and does not fall back to Basic. If Windows NT Challenge/Response is not supported, the browser uses Basic.
You can read more about precedence from http://support.microsoft.com/kb/264921.
In order words the precedence is:-
1. Windows NT challenge ( Integrated security)
2. Digest
3. Basic
Comparison of Basic, digest and windows authentication
| Browse support | Authentication mechanism | |
| Basic | Almost all browsers | Weak uses Base64. |
| Digest | IE 5 and later version | Strong MD5 |
| Integrated windows | ||
• Kerberos
|
IE5 and above | Ticket encryption using AD , TGT and KDC |
• Challenge / response
|
IE5 and above | Send a challenge |
Forms Authentication
Forms authentication is a cookie/URL based authentication where
username and password are stored on client machines as cookie files or
they are sent encrypted on the URL for every request if cookies are not
supported.Below are the various steps which happen in forms authentication:-
• Step 1:- User enters “userid” and “password” through a custom login screen developed for authentication and authorization.
• Step 2:- A check is made to ensure that the user is valid. The user can be validated from ‘web.config’ files, SQL Server, customer database, windows active directory and various other kinds of data sources.
• Step 3:- If the user is valid then a cookie text file is generated on the client end. This cookie test file signifies that the user has been authenticated. Hence forth when the client computer browses other resources of your ASP.NET site the validation is not conducted again. The cookie file indicates that the user has logged in.
Forms authentication using ‘web.config’ as a data store
So let’s understand step by step how to configure forms
authentication. As said in the previous sections you can store user in
‘web.config’ files. Definitely it’s not the best way to store user in
“web.config” files but it will really help us to understand forms
authentication. Once we understand the same we can then move ahead to
better improvised versions of forms authentication.Step 1:- The first thing we need to do is make an entry in to the web.config file with authentication mode as forms as shown below. We need to also provide the following things :-
• LoginUrl :- This property helps us to provide the start page of authentication and authorization.
• defaultUrl :- Once the user is validated he will be redirected to this value , currently its “Home.aspx”.
• Cookieless :- As said previously forms authentication uses cookies. There are four ways by which you can change this behavior :-
oAutoDetect: - Depending on your browser configuration it can either use cookies or pass the authentication information encrypted via browser URL.
o UseCookies: - You would like the forms authentication mechanism to create cookie when the authentication is successful.
o UseURI :- You would like to pass data encrypted via the browser URL query string.
o UseDeviceProfile :- This is the default value. When you set this value the forms authentication mechanism will do look up at
“C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG\Browsers” to see if the browser support cookies and then decides whether it should use cookies or should not. In other words it does not check on actual runtime if the browser has cookies enabled.
• Credentials: - In the credentials tag we have also some users with name and password. As said previously we will first use forms authentication with username’s stored in web.config files.
<authentication mode="Forms"> <forms loginUrl="Login.aspx" timeout="30" defaultUrl="Home.aspx" cookieless="AutoDetect"> <credentials passwordFormat="Clear"> <user name="Shiv" password="pass@123"/> <user name="Raju" password="pass@123"/> </credentials> </forms> </authentication>
Different customization values for ‘cookieless’ property.
If you set the cookieless as ‘UseDeviceProfile” it will use the browser data from the below file. You can see how Ericsson browser does not support cookies. So if any one connects with ericsson browser and the value is ‘UseDeviceProfile” , forms authentication will pass data through query strings.
Step 2:- Once you have set the “forms” tag values , it’s time to ensure that anonymous users are not able to browse your site. You can set the same by using the authorization tag as shown in the below code snippet.
<authorization> <deny users="?"/> </authorization>
Step 3:- We also need to define which user have access to which page. In this project we have created two pages “Admin.aspx” and “User.aspx”. “Admin.aspx” is accessible to only user “Shiv” while “Admin.aspx” and “User.aspx” is accessible to both the users.
Below web.config settings show how we can set the user to pages.
<location path="Admin.aspx"> <system.web> <authorization> <allow users="Shiv"/> <deny users="*"/> </authorization> </system.web> </location> <location path="User.aspx"> <system.web> <authorization> <allow users="Shiv"/> <allow users="Raju"/> <deny users="*"/> </authorization> </system.web> </location>
Step 4 :- We now create our custom page which will accept userid and password.
In the button click we provide the below code. The “FormsAuthentication.Authenticate” looks in the web.config the username and passwords. The “FormsAuthentication.RedirectFromLoginPage” creates cookies at the browser end.
If you run your application , enter proper credentials , you should be able to see a cookie txt file created as shown in the below figure.
If you disable cookies using the browser settings, credentials will be passed via query string as shown in the below figure.
Forms Authentication using SQL server as a data store
In order to do custom authentication you need to need to just replace
“FormsAuthentication.Authenticate” statement with your validation. For
instance in the below code we have used ‘clsUser’ class to do
authentication but we have yet used the cookie creation mechanism
provided by ‘FormAuthentication’ system.clsUser objUser = new clsUser(); if (objUser.IsValid(txtUser.Text,txtPass.Text)) { FormsAuthentication.RedirectFromLoginPage(txtUser.Text, true); }
Forms authentication using ASP.NET Membership and role
We have used forms authentication mechanism to generate cookie which
has minimized lot of our development effort. Many other tasks we are
still performing like:-• Creation of user and roles tables.
• Code level implementation for maintaining those tables.
• User interface for userid and password.
We are sure you must have done the above task for every project again and again. Good news!!! All the above things are now made simple with introduction of membership and roles. To implement ASP.NET membership and roles we need to do the following steps :-
• Run aspnet_regsql.exe from ‘C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727’ folder. Enter SQL Server credentials and run the exe. This will install all the necessary stored procedures and tables as shown in figure ‘Object created by aspnet_regsql.exe’
• Specify the connection string in the ‘web.config’ file where your ASP.NET roles tables and stored procedures are created.
<connectionStrings> <remove name="LocalSqlServer1"/> <add name="LocalSqlServer1" connectionString="Data Source=localhost;Initial Catalog=test;Integrated Security=True"/> </connectionStrings>
• Specify the ASP.NET membership provider and connect the same with the connection string provided in the previous step.
<membership> <providers> <remove name="AspNetSqlMembershipProvider"/> <add name="AspNetSqlMembershipProvider" type="System.Web.Security.SqlMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" connectionStringName="LocalSqlServer1" enablePasswordRetrieval="false" enablePasswordReset="true" applicationName="/" minRequiredPasswordLength="7"/> </providers> </membership>
• We also need to specify the role provider and connect the same with the connection string provided in the previous session.
<roleManager enabled="true"> <providers> <clear/> <add name="AspNetSqlRoleProvider" connectionStringName="LocalSqlServer1" applicationName="/" type="System.Web.Security.SqlRoleProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/> </providers> </roleManager>
Now you can use the “Membership” class to create users and roles as shown in the below 2 figures.
You can get a feel how easy it is to use develop authentication and authorization by using forms authentication
and ASP.NET membership and roles.
The dual combination
Authentication and authorization in any application needs 2 things:-• Mechanism by which you can generate a cookie: - Provided by Forms authentication.
• Custom tables in SQL Server to store user and roles: - Provided by ASP.NET provider and roles.
In other words by using the combination of ticket generation via forms authentication and ASP.NET provider and roles we can come up with a neat and quick solution to implement authentication and authorization in ASP.NET applications.
Forms Authentication using Single Sign on
Many time we would like to implement single sign on across multiple
sites. This can be done using forms authentication. You can implement
forms authentication in both the websites with same machine key. Once
the validation is done in one website a cookie text file will be
created. When that user goes to the other website the same cookie file
will used to ensure that the user is proper or not.Please note you need to have same machine key in both the web.config files of your web application.
<machineKey validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E340 0267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE" decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F" validation="SHA1" />
You can see a very detail article on Single sign at http://msdn.microsoft.com/en-us/library/ms972971.aspx . You can also download the code from http://download.microsoft.com/download/B/7/8/B78D1CED-2275-4AEE-B0BE-0DEA1A2A9581/MSDNEnterpriseSecurity.msi
The above discusses how a internal intranet and internet application login through one single sign-on facility.
The above diagram is taken from http://msdn.microsoft.com/en-us/library/ms972971.aspx
Passport Authentication
Passport authentication is based on the passport website provided by
the Microsoft .So when user logins with credentials it will be reached
to the passport website ( i.e. hotmail,devhood,windows live etc) where
authentication will happen. If Authentication is successful it will
return a token to your website.I am leaving this section for now, will update in more details soon
Subscribe to:
Comments (Atom)