Wednesday - the last day of DevConnections. Although, I’ve been here since Saturday evening, I wish the conference was lasting a day or two longer. I haven’t had the chance to meet all the peoplethat I wanted to meet and can’t get enough of taking in the great content. I WANT MORE. Maybe I’m used to the Microsoft conferences (TechEd and PDC) were it’s a full-on week of in-your-face technical sessions with some sort event every night. Just a few recommendations to the DevConnections crew for the next event:

• Hand-on Labs - it would’ve been nice to have some hands-on labs for Visual Studio 2005 and SQL 2005.
  
• Wireless network access - who doesn’t have wireless access at a technical conference???
  
• More networking events - too many people not enough time to meet them.

I’m sure I’ll think of more later, but with that said, on to today’s notes:

WSE2 Security (for Dummies?) - Julia Lerman

Julia did a great job of explaining a years worth of her research in a very short amount of time. Not an easy subject to cover in 75 minutes.

[Update: Julia added some additional information to her blog.]

• Protection
  
  
  
  • Authentication - who are you? (credentials)
    
  • Authorization - what are you allowed to do? (user roles)
    
  • Confidentiality - who can read this message? (encryption)
    
  • Integrity - has message been tampered with? (digital signature)
  
  
• Keys
  
  
  
  • Symmetric Key - shared secret
    
  • Assymetric Key - key pair
    
    
    
    • private/public
      
    • digital signature is package of public/private keys
  
  
• X.509 Certificates
  
  
  
  • WSE X.509 Certificate Tool
  
  
• WS-Security
  
  
  
  • Not limited to HTTP
    
  • Selective encryption is possible (encrypt only part of the message)
    
  • Sender/Receiver are the only ones who can interpret the message
    
  • SOAP header carries security
  
  
• WSE2
  
  
  
  • an API, Microsoft.Web.WSE2
    
  • enable WSE through the project properties
    
    
    
    • adds config section to .config file and adds reference to WSE2 DLL library
  
  
• Key Elements
  
  
  
  • Security.Tokens (for Authentication)
    
    
    
    • Can have multiple tokens for different purposes in same call
      
    • UserName token manager, assign roles via principle
      
    • X509SecurityToken, KerberosSecurityToken, SecurityToken (for custom security)
    
    
  • Security.Elements
    
    
    
    • MessageSignatureObject, EncryptedDataObject
    
    
  • SOAPContext
    
    
    
    • Object for encapsulating the SOAP Header object
      
    • RequestSOAPContext, ResponseSOAPContext
  
  
• WSE 2.0 Trace tool - http://www.mtaulty.com
  
• Sign message
  
  
  
  • RequestSOAPContext.Security.Elements.Add(new MessageSignature(myToken))
  
  
• Verify Message
  
  
  
  • Check for existence of SecurityToken (specific type)
    
  • Check for existence of MessageSignature
    
  • WSE does the rest!

SQL Server 2000 Optimizing Stored Procedure Performance - Kimberly Tripp

Obviously a very popular topic, standing room only for this one! Kimberly has a very dynamic personality and is a charismatic presenter. I would love to share a cocktail or two with Kimberly sometime and talk tech. It was hard to pay attention and keep detailed notes on this one, sorry.

• Pick your top 10 stored procedures that need a performance overhaul and study their execution patterns and resulting query plans
  
• master.dbo.syscacheobjects where cacheobjtype = ‘executable plan’
  
• options for recompilation
  
  
  
  • CREATE…WITH RECOMPILE
    
    
    
    • when proc returns varying results
      
    • when plan isn’t consistent
    
    
  • EXECUTE…WITH RECOMPILE
    
    
    
    • for testing and to determine if CREATE WITH RECOMPILE is necessary
    
    
  • sp_recompile
    
    
    
    • forces all plans for that object to be invalidated (does not force views)
  
  
• Show Server Trace - helps find costly queries
  
• Use QUOTENAME in dynamic string execution - helps prevent SQL injection attacks
  
• Modular code execution helps formulate better query plans for different type of param queries
  
  
  
  • example used was a wild card search
    
  • if (param contains a wild card), call spSearchWithWildCard
    
  • else, call spSearchWithNoWildCard
    
  • helps formulate different query plans and better results
  
  
• Watch out for procs that contain AND searches with indexes involved
  
• ALTER PROC loses its dependencies from sysdepends - be aware of it
  
• Best practice session settings
  
  
  
  • SET NOCOUNT ON
    
  • DON’T use SET QUOTED_IDENTIFIER_OFF
    
    
    
    • could effect indexes on views and computed columns
      
    • see books on line: “Session Settings that Effect Results”
  
  
• In profiler, use SQLProfilerTSQL_sps template
  
  
  
  • replace StmtCompleted with StmtStarting
    
  • add duration, Read Writes, exec plan
    
  • Always use filters for DBName
    
  • exclude system ids

Some references to where you’ll find more from Kimberly, http://www.tsqlsolutions.com, http://www.sqlmag.com, http://www.sqlskills.com, http://www.scalabilityexperts.com

Healing sick ASP.NET Applications - Don Kiely

I’ve been working on ASP.NET applications for a LONG time so I was interested to see what Don had to say. Don talked about making your applications safer and some solutions to common pitfalls. I learned that ASP.NET applications have trust levels. Did you know that? I didn’t.

• ASP.NET Trust Levels
  
  
  
  • controlled in machine.config under
    
    
    &;lt;system.web>
    - Full trust out of box - EVIL DEFAULT
    
    
    
  • security.config defines for policy level
    
  • example is to have different FileIOPermission defined for different directories for different permission types
  
  
• Approaches to partial trust
  
  
  
  • problem is how to grant privileges that the trust level doesn’t have
    
  • solution 1 - customize CAS policy
    
    
    
    • easy, no code changes required
      
    • but, requires admin rights
    
    
  • solution 2 - sandbox server side code
    
    
    
    • don’t put code inline
      
    • only option for missing AllowPartiallyTrustedCallers
      
      
  
  
• 4 categories of ASP.NET problems
  
  
  
  • config errors, html parsing, compilation, run-time problems
    
  • conditions can change as code runs (ie. .ASPX pages get recompiled)
  
  
• 5 levels of handling errors
  
  
  
  • procedure-level
    
  • page-level
    
  • application-level
    
  • default asp.net error handling (don’t want unless you hate your users) (also a potential security risk)
    
  • IIS custom error pages (typicall HTTP 500)
  
  
• (quote of the conference) “exceptions are exceptional events that are exceptional to your code”
  
• Lesson here: catch exceptions that your routine has the potential to raise (catch the specific exception, not System.Exception)
  
• If you want to catch a generic exception for logging purposes, use only ‘throw’ to re-throw the exception up the call stack, not ‘throw ex’
  
• always have a global default exception handler
  
• Book: Debugging Applications for Microsoft .NET and Microsoft Windows Applications by John Robbins
  
• When sites behave badly
  
  
  
  • Clear the VSWebCache directory
    
  • Clear the Temporary ASP.NET Files directory (in Framework directory)
    
    
  
  
• Common Errors
  
  
  
  • “Failed to start monitoring Directory Changes”
    
    
    
    • process identity requires read, execute, list permissions on the web site root directory, the content directory and the application root directory (in order to monitor config changes)
    
    
  • “SQL Server does not exist or access denied”
    
    
    
    • error in connection string (invalid connection string, invalid username/password, server truly doesn’t exist)
      
    • some other common causes, you’re running indexing server (Don had a solution but I didn’t catch it)
      
    • with MSDE as a database, you need to add the ASPNET account as valid database user to MSDE
    
    
  • APPLICATION_ERROR event firing more than once
    
    
    
    • add context.ClearError to end of procedure
      
    • don’t raise an exception inside APPLICATION_ERROR procedure
      
    • set AutoEventWireUp=False where you specify your own Handles definitions
      
      
  
  
• Resources
  
  
  
  • Production Debugging for .NET Framework Applications by the Microsoft Patterns and Practices Group
    
    
    
    • a little outdated by still valuable
    
    
  • Error Handling and Debugging forum on ASP.NET Forums