Oct 30

This is Joe Walker’s presentation from The Ajax Experience last week. It is about web application security issues and possible solutions.

Sep 28

Microsoft recently released the RC0 build of Windows Server 2008 and IIS 7.0. Scott Guthrie posted about the new features of IIS7; view his post here.

Some of the new features include:

- IIS 7.0 Extensibility

One of the major changes we made to IIS 7.0 was to make the system radically more extensible than previous versions of the web-server. This extensibility applies both to the core HTTP processing engine, as well as to the configuration system, health monitoring system, and admin tool architecture. You can now write managed .NET classes to cleanly extend all of these sub-systems.

This is great from a customer perspective (since you can now replace and extend anything in the system). It also enables us to easily ship web-server extensions and additions in a very agile way on the web. Starting this week you are going to begin to see a number of really cool, fully-supported, free features start to be delivered this way.

- IIS 7.0 FTP Publishing Service

We are delivering a new modern FTP service implementation that runs on IIS 7.0. This FTP service offers a much improved administration and configuration experience (it uses the same web.config model as IIS7 and ASP.NET, and integrates into the IIS7 admin tool). It now supports FTP over SSL, as well as UTF8 and IPv6.

The FTP server enables you to host both FTP and web content from the same web-site on IIS7 (just add an FTP binding to your existing web-site to enable it). It now provides support for virtual host names, which means you can host multiple FTP sites on the same IP address. It also has built-in user-isolation support, which makes it perfect for shared hosting scenarios.

The FTP server’s authentication system is now pluggable - which means you can add your own username/password store to manage logins. Best of all, you can use the existing ASP.NET Membership Provider model to plug in your own credential system for logins and user management.

- IIS 7.0 Media Pack Bit-Rate Throttling Module

One of the challenges when hosting large videos and audio files on the Internet is that bandwidth costs can be expensive. What is worse is that you often end up having to pay for users to download videos that aren’t fully watched. Specifically, web-servers are by default designed to download content files as fast as possible. So if a user visits your site and starts watching a 50MB video on it, the web-server will by default try and transmit the 50MB file as quickly as possible to them. If the user closes the browser half-way through watching the video, you will end up having to pay for the remaining 25MB of content they had finished downloading - but which they never actually watched.

The IIS 7.0 Media Pack Bit-Rate throttler provides a much more cost-effective way to host video and audio on standard web-servers. When a browser (using a plug-in like Silverlight, Flash, Windows Media Player, iTunes, etc) requests a media file, IIS7 will automatically detect the encoding bit-rate of the file and determine how many bytes per second the player needs to receive to play it continuously.

IIS7 will then “burst” enough of the content (by default 20 seconds of the video/audio file) to ensure that the client player can start playing the video, and won’t ever run into a buffering delay. IIS7 then automatically slows down the file transmission to equal the encoded bit-rate (so if the video is encoded at 400kbs, IIS7 will burst 20 seconds of this, and then slow the remaining transmission to 400kbs of content). If the user closes the browser on the video while it is playing, IIS7 will automatically detect the connection was dropped and avoid sending any more of the content (saving you the remaining bandwidth costs). This module works today with Silverlight, Flash and Windows Media Player - no code changes are required in the players to enable it.

- IIS 7.0 Remote Manager Administration Tool

IIS 7.0 ships with a significantly improved administration tool experience. The admin tool is entirely written in managed code (using Windows Forms), and supports remotely administering a web-server over HTTP based web-services (allowing you to use the admin tool to manage servers remotely in a hosted environment through proxy servers). The administration tool supports configuring both standard IIS settings, as well as ASP.NET ones (for example: you can use the tool to remotely manage ASP.NET membership/roles).

- FastCGI Support for IIS 5.1 and IIS 6.0

IIS 7.0 ships with built-in support for FastCGI - which is a high performance alternative to using CGI for web-server extensibility. Many popular web frameworks (in particular PHP) use this to integrate with web-servers. In addition to having FastCGI support built-in to IIS 7.0, this week we also shipped a FastCGI ISAPI extension that works on existing IIS 5.1 and IIS 6.0 web servers.

Jul 06

This is the latest list published by Scott, in which he presents recent articles and posts relating to ASP.NET, ASP.NET AJAX, Visual Studio, Silverlight and IIS7. Check it out here; at the bottom is a link to the original:

ASP.NET

  • ASP.NET RSSToolkit 2.0 Released: One of the cool projects for ASP.NET 2.0 that was released last year was this free RSS Toolkit - which makes consuming and exposing RSS feeds in ASP.NET super easy (you can even databind any ASP.NET control against them). The team working on the CodePlex project has recently released V2 of the RSSToolkit. You can learn all about it and download it here.

  • Building a Custom Database Driven Site Map Provider: Scott Mitchell has written a great article on how to implement your own site map provider for ASP.NET that is populated from a database (instead of statically from an XML file). You can learn more about the ASP.NET 2.0 SiteMap system from this older blog post of mine here.

  • .NET DateTime and Number Format String Cheat Sheet: If you are like me, you might have trouble remembering all of the standard format strings you can pass to the String.Format() method and/or the Eval() databinding method in ASP.NET to generate the appropriate string output from a DateTime or Numeric datatype. This PDF cheatsheet is a useful one to download and save to quickly look these format strings up. John has some other really useful .NET PDF cheatsheets he has also created that you might like to download here.

  • Profile Support for ASP.NET Web Application Projects: VS 2005 Web Application Projects can’t directly access the strongly-typed ASP.NET “Profile” object that web site projects support. This VS add-in supports the ability to generate a strongly typed profile class to accomplish this. You can read this great series of posts to learn more about how to use the ASP.NET 2.0 Profile system. I have it on my list of tips/tricks posts to-do to cover using this VS add-on as well.

  • ASP.NET Photo Handler: Bertrand has posted a cool photo album HttpHandler for ASP.NET that allows you to easily drop images into a web directory and automatically generate a nice photo album of them (complete with EXIF information, stack sorting icons, etc). Might be very useful for people enjoying holidays this summer. Download the code here.

  • BlogEngine.NET: This is a new open source blog engine for ASP.NET that Mads Kristensen has helped start up, and which I’ve heard a lot of good things about. You can read about its features here, and download it here.


ASP.NET AJAX

  • ScriptDoc 1.0 Available: Bertrand Le Roy has published a cool ScriptDoc utility that extracts documentation from JavaScript files and packages it into XML that can be consumed by documentation building tools. A very useful tool as you start to build up your own JavaScript libraries.


Visual Studio

  • GhostDoc 2.1.1 Released: GhostDoc is a free add-in for Visual Studio 2005 (and now 2008) that automatically generates default XML documentation comments for code you write in C# or VB. It can automatically re-use existing documentation inherited from base classes or implemented interfaces, or generate initial documentation by deducing comments from the name and type of the member signature. You can learn more about it and download it for free here.


Silverlight

  • Silverlight Tutorials: Michael Schwarz has a great blog where he writes regularly about Silverlight. This tutorials link points to a bunch of great Silverlight content.


IIS 7

  • IIS 7.0 is now running all of Microsoft.com: One of the things we push at Microsoft is to “dogfood” our products on our high volume sites when they enter the beta cycle. As of a few weeks ago, all of the web servers running www.microsoft.com are now running on IIS7 and Windows 2008 Server Beta3. These servers host 500+ virtual roots and 350 ASP.NET applications, and handle 300,000 concurrent connections. IIS7 is going to be an awesome release.

  • IIS 7.0 on Server Core: Bill Staples blogs about some of the new IIS7 enhancements that appear with the June CTP of Windows 2008 Server. One of the big features that is now supported is the ability to install IIS7 on “server core” - which is a low footprint installation of Windows 2008 Server that lays down just the minimal footprint needed to boot (meaning no GUI shell). This lowers the resources required on servers, and even more importantly means that servers don’t need to be updated if a patch is released for a component not installed on the server (which lowers the downtime of servers). ASP.NET and the .NET Framework aren’t supported yet in server core configurations - but will be in the future.

read original

May 14

This is a nice article showing the new features of IIS7 in comparison with Apache. The author shows us recent trends in web server usage. Actually, IIS is growing slowly but steadily! Let’s see what IIS7 has to offer:

IIS5 came out with Windows 2000, right as I joined Microsoft, and ended up being a disastrous release for the IIS team. I remember sitting through meeting after meeting with customers who were hit by Code Red and Nimda, who were justifiably infuriated by the impact the vulnerabilities had made on their business. IIS wasn’t very popular inside the company at the time either, as these were the first broad-scale internet worm attacks against any Microsoft product, and it took time for others to realize: it can happen to you.

The IIS team learned some very hard lessons about security vs. features in 2001 and 2002. We pored over our code, we hired independent contractors to come pore over our code, fuzz it, hack it, and try to break it. The result is quite possibly the most secure and reliable Web server ever with IIS6 - released with Windows 2003 Server. Don’t take my word, search http://secunia.com for IIS security issues yourself, and compare it to any other Web server product.

And with 2007 came IIS7 in Windows Vista, and later this year, with Windows Server “Longhorn”. IIS7 is more like a “v1” release, than a “v7”. I can honestly say it is the biggest release of IIS ever. It has more fundamental improvements and new capabilities than any previous release of IIS, and hasn’t lost sight of the basics: security, reliability, performance. I think it will change the Web server market. If you’re already an IIS customer, there is a lot to look forward to with IIS7. And if you haven’t checked out IIS for a while, or you are still worried about security or reliability, it is time to give IIS a second look.

Bad reasons to avoid IIS

If you’re saying to yourself: IIS isn’t as secure as Apache, or isn’t as reliable, or isn’t as fast, you should think twice.

Security. If you’re worried about IIS security vs. Apache, your concerns are outdated. Check out http://secunia.com and compare IIS5 and IIS6’s track record for the last 4-5 years and compare it to Apache. Having been on the IIS team during Code Red and Nimda I can tell you it was a very painful experience and one I don’t ever hope to re-live, nor do I wish it on my worst enemy. The IIS team learned hard lessons in 2001, and the results speak for themselves. Is IIS perfect? Nope, it is still built by fallible humans and we make mistakes just like every other engineering team.

Reliability and Performance. IIS6 included a new process model which can reliably host Web applications, and monitors them for health and responsiveness. It can proactively recycle applications when they are unhealthy. IIS7 takes this process model to the next level by automatically isolating each new site when it is created in its own Application Pool, and dynamically assigning a unique SID (identity) to the AppPool so it is isolated from all other sites on the box from a runtime identity perspective - without any additional management required. It also isolates the configuration for the AppPool, so it is impossible to read configuration from other sites on the server. This provides the ultimate Web server architecture for Windows - a high performance multi-threaded server that provides secure isolation of Web sites by default and is also agile enough to respond to poor health conditions and gracefully recycle applications.

If you’re worried about IIS performance and reliability when running PHP vs. running on Apache, your concerns are definitely valid. Up until recently there were only two ways to run PHP: the slow way (CGI), and the unreliable way (ISAPI). :) This is primarily a result of the lack of thread-safety in some PHP extensions - they were originally written for the pre-fork Linux/Apache environment which is not multi-threaded. Running them on IIS with the PHP ISAPI causes them to crash, and take out the IIS process serving your application.

Fortunately, the Microsoft / Zend partnership has brought about fixes to these issues with many performance and compatibility fixes by Zend, and a FastCGI feature for IIS which enables fast, reliable PHP hosting. FastCGI is available now in Tech Preview form, and has also been included in Windows Server “Longhorn” Beta 3. It will be included in Vista SP1 and Longhorn Server at RTM.

Reasons you should check out IIS7 if you use Apache today

There are so many new capabilities in IIS7, it would turn this already long post, into a short novel to list them all. If you want lots of specifics, go read through the IIS7 site. Here are a few reasons you Apache users might be interested in looking at IIS7:

Text file configuration

Apache has httpd.conf - a simple text file for configuration - which makes it very easy to edit Apache configuration using text/code editors or write PERL or other scripts to automate configuration changes. Since the configuration file is just a text file, it also makes it easy to copy configuration from one server to another. Unfortunately, Apache does require that you ‘restart’ Apache in order for the configuration changes to take effect. Many IIS customers dread IIS’ configuration store - the ‘metabase’ - and for good reason. It has been an opaque configuration store like the registry since it was introduced in IIS4, and while there are many tools and APIs to use to configure IIS with, nothing beats being able to open up your configuration in the text editor of your choice and directly change configuration settings. With IIS7, all IIS configuration is now stored in a simple XML file called applicationHost.config, which is placed by default in the \windows\system32\inetsrv\config directory. Changing configuration is as simple as opening the file, adding or changing a configuration setting, and saving the file. Want to share configuration across a set of servers? Simply copy the applicationHost.config file onto a file share and redirect IIS configuration to look there for its settings. And whether your configuration is stored locally on the hard drive, or on a file server, changes take effect immediately, without requiring any restarts. All IIS configuration settings are self-described in a schema file that can be accessed by going to \windows\system32\inetsrv\config\schema. Adding new configuration to IIS is as simple as dropping a new schema file in this directory, registering it, and it automatically becomes available through IIS’ cmd-line tool and programmatic APIs.

Distributed Configuration (by default)

Apache supports distributed configuration with a feature called .htaccess. It is a powerful feature that enables configuration for a Web site to be overridden using a simple text file in the content directory. Unfortunately, due to the way it is designed in Apache, using it incurs a huge performance hit. In fact, the apache.org site recommends you avoid using it whenever possible.

IIS7 supports distributed configuration in web.config files, and has some important advantages over .htaccess. Web.config is the file that ASP.NET uses today to store configuration, so developers now have a single file, format and API to use to target Web site / app configuration. Imagine storing your PHP, Apache and Web Application settings in one file. This distributed configuration support is very powerful, and allows for every per-URL configuration IIS property to be set in distributed configuration. IIS7 caches web.config data, which avoids the per-request performance hit Apache suffers from. The IIS implementation for distributed config is so good we’ve made it the default for a bunch of IIS configuration that we know developers typically want to set along with their Web sites. For example, if you use any IIS7 tool to override the default document for a site or application, that setting will be stored in the web.config file for that directory by default. Of course, you can override the default and store everything in IIS’ global configuration file if you want, and you can decide on a section-by-section basis which settings you want distributed, and which you want to keep centralized. There is much more granularity in IIS’ configuration locking support over Apache, enabling you to even lock at the attribute level if desired.

Extensibility (C/C++/C#/VB.NET/and 30+ other languages…)

As I noted above, Apache has had a very modular architecture with powerful extensibility for many years. Apache’s architecture has allowed many people to take it and add / modify / extend the Web server to do many custom things. The resulting community modules for Apache have been impressive to watch. IIS’ ISAPI extensibility hasn’t been a complete slouch: some of the world’s biggest application frameworks have successfully run on ISAPI, including ASP, ASP.NET, ColdFusion, ActiveState PERL, etc. Unfortunately, the number of successful ISAPI developers does seem to be smaller than the successful Apache mod developers, and the product team itself elected to rarely use ISAPI to build actual IIS features.

This all changes with IIS7. With IIS7, IIS introduces a new native extensibility interface, CHttpModule, on top of which we ported all of the IIS features as a discrete, pluggable binary. The IIS core Web server itself is a very thin event pipeline, and each of the IIS features can now be added and removed independently. The extensibility point, CHttpModule, is much more powerful than ISAPI, and provides a fully asynchronous super-set support for extensions and filters. Don’t like how IIS does XYZ feature, rip it out and replace it with your own: you have all the APIs the IIS team has.

Even more impressive, IIS7 introduces managed extensibility of the core Web server via the existing System.Web IHttpModule and IHttpHandler interfaces, enabling any .NET framework developer to extend IIS at the core and build a new, custom or replacement feature. I showed this off in a recent blog post on how to build a SQL Logging module that can add to or replace the built-in W3C logging using .NET in less than 50 lines of code.

Advanced Diagnostics and Troubleshooting support

Whether you’re running IIS or Apache, troubleshooting problems can be a real bear. Applications running in a high-performance, multi-threaded, console environment are very tough to debug, especially when in production use. IIS7 innovates in several key ways to make the support for these situations far better than what you see with any other Web server.

First, IIS supports a feature called ‘failed request tracing’, which is really very cool. Simply give IIS a set of error conditions to watch out for, based on response code or timeout value, and IIS will trap this condition and log a detailed trace log of everything that happened during the request lifetime that led up to the error. Seeing requests timeout on a periodic basis, but not sure why? Simply tell IIS to look out for requests that take longer than n seconds to complete, and IIS will show you every step in the request lifetime, including the duration to complete each step. And you’ll see the last event to have fired before the timeout occurred. Are you seeing the dreaded “Server 500 Error - Internal Server Error”? Tell IIS to trap this error and then browse through each step along the request to see where things went south. I know of nothing like this with Apache.

IIS also supports real-time request monitoring and runtime data. Want to know which requests are in flight on the server, how long they have been running, which modules they are in, etc? IIS can tell you from the cmd-line, administration tool, or even programmatically via .NET and WMI APIs. It is very easy to now look inside IIS and see what’s going on inside your Server.

Rich Administration APIs and Tools

This is an area where IIS has traditionally shined, and IIS7 takes the lead even further. IIS7’s new administration tool is very simple and easy to use, but extremely powerful. It is now feature-focused: simply click on a Web server, site or application and see every feature available to manage. On the right hand pane there is a set of simple administration tasks for each scope that makes it easy to create new sites and applications, modify logging settings, or see advanced settings. The administration tool remotes over HTTP, making it possible to manage the server locally or over the internet. And the tool fully supports the distributed configuration model, making it possible to add ‘delegated’ administrators for Web sites and applications and allowing them to use Web.config or the same Administration tool to configure their Web site. The administration tool is also completely modular, and built on top of a new extensibility framework, making it easy to add new features into the tool.

In addition to a rich administration tool, IIS also ships AppCmd.exe, a swiss-army knife for cmd-line administration. With it, you can set any IIS setting, view real-time request and runtime information, and much more.

IIS7 also includes several programmatic interfaces which can be used to manage the server. Sure, you can use PERL to hack away at the new text-based config file if you want, or you can use rich, object-oriented APIs in any .NET or script language if you prefer. Microsoft.Web.Administration is a powerful new .NET api for programmatically managing the Server. IIS7 also includes a new WMI provider for scripting management using VBscript or JScript.

Summary

IIS7 is a major overhaul of the Web server. It builds on the rock-solid security and reliability of IIS6, and promises some very powerful new extensibility and management capabilities that meet and exceed what Apache can do today. It’s already in Vista, so you can use it on the desktop today, and with Beta 3 it is available for free for production use through the GoLive program.

view original
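As an added example that is not part of the quoted article, here is how two of the points above look in IIS7’s XML configuration: section-level and attribute-level locking of what a delegated site owner may change in web.config, and a failed request tracing rule that captures 500 responses and requests slower than 30 seconds. The site name, file names, log directory and the status/timeout values are constructed for the example; everything else uses the IIS7 configuration schema described in the article.

```xml
<!-- applicationHost.config (server-wide, %windir%\system32\inetsrv\config).
     Only the parts relevant to delegation and tracing are shown. The site
     name "Default Web Site" and the file names are constructed for this
     example; bindings and other site elements are omitted. -->
<configuration>
  <configSections>
    <sectionGroup name="system.webServer">
      <!-- overrideModeDefault decides whether a section may be set in a
           web.config at all. Keep handlers/modules centralized: a delegated
           site owner must not be able to install server-side code. -->
      <section name="defaultDocument" overrideModeDefault="Allow" />
      <section name="directoryBrowse" overrideModeDefault="Allow" />
      <section name="handlers" overrideModeDefault="Deny" />
      <section name="modules" overrideModeDefault="Deny" />
      <sectionGroup name="tracing">
        <section name="traceFailedRequests" overrideModeDefault="Allow" />
      </sectionGroup>
    </sectionGroup>
  </configSections>

  <system.applicationHost>
    <sites>
      <site name="Default Web Site" id="1">
        <!-- Turning failed request tracing on for a site is a server-level
             decision; the rules themselves can live in the site's web.config. -->
        <traceFailedRequestsLogging enabled="true"
            directory="%SystemDrive%\inetpub\logs\FailedReqLogFiles"
            maxLogFiles="50" />
      </site>
    </sites>
  </system.applicationHost>

  <!-- Attribute-level locking: the site may still configure directoryBrowse,
       but the 'enabled' attribute is fixed at the server level. -->
  <location path="Default Web Site" overrideMode="Allow">
    <system.webServer>
      <directoryBrowse enabled="false" lockAttributes="enabled" />
      <defaultDocument enabled="true">
        <files>
          <add value="index.htm" />
        </files>
      </defaultDocument>
    </system.webServer>
  </location>
</configuration>

<!-- web.config in the site's content directory, editable by the delegated
     administrator. The defaultDocument override is honoured. Uncommenting the
     directoryBrowse line would make IIS reject every request to the site with
     a configuration error (HTTP 500.19), because 'enabled' is locked above. -->
<configuration>
  <system.webServer>
    <defaultDocument>
      <files>
        <clear />
        <add value="home.php" />
      </files>
    </defaultDocument>
    <!-- <directoryBrowse enabled="true" /> -->

    <tracing>
      <traceFailedRequests>
        <!-- Trace every URL that ends in a 500 or takes longer than 30 s;
             the resulting XML trace lists each pipeline step with its
             duration, as the article describes. -->
        <add path="*">
          <traceAreas>
            <add provider="WWW Server"
                 areas="Authentication,Security,Filter,StaticFile,Module,RequestNotifications"
                 verbosity="Verbose" />
          </traceAreas>
          <failureDefinitions statusCodes="500" timeTaken="00:00:30" />
        </add>
      </traceFailedRequests>
    </tracing>
  </system.webServer>
</configuration>
```

Keeping `handlers` and `modules` at `overrideModeDefault="Deny"` is the setting that matters most in a shared-hosting layout: together with the per-AppPool identity the article mentions, it means a site owner who can edit web.config still cannot load new code into the server process.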

Apr 03

A great article was just published on ScottGu’s Blog. It shows some basic advantages of the new IIS 7 over previous releases, which include:

- You can now use ASP.NET Forms Authentication, Membership/Roles, and any other feature for all requests to the server (for example: .htm, .php, and .jsp files)

- You can now easily re-write the URL of any web request and/or modify the request in interesting ways

- You can replace or extend any existing IIS feature using VB or C# (for example: you could remove the built-in directory listing module and plug-in your own).

view original
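The managed extensibility described in the list above, and in the Sep 28 and May 14 posts further up the page, as an added example that is neither Scott’s nor the IIS team’s code: a C# IHttpModule that audits every request passing through the IIS7 integrated pipeline, static .htm and PHP requests included, and records who made it and how long it took. The namespace, class name, log destination and the web.config registration shown in the trailing comment are assumptions for this example.

```csharp
// Added example, not from the original post. Assumes IIS7 in integrated
// pipeline mode, where ASP.NET modules run for every request to the site.
using System;
using System.Diagnostics;
using System.Web;

namespace Example.Modules   // hypothetical namespace
{
    public class RequestAuditModule : IHttpModule
    {
        // Key under which the per-request Stopwatch is kept in HttpContext.Items.
        private const string StopwatchKey = "RequestAuditModule.Stopwatch";

        public void Init(HttpApplication app)
        {
            app.BeginRequest += OnBeginRequest;
            app.EndRequest += OnEndRequest;
        }

        private static void OnBeginRequest(object sender, EventArgs e)
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            ctx.Items[StopwatchKey] = Stopwatch.StartNew();
        }

        private static void OnEndRequest(object sender, EventArgs e)
        {
            HttpContext ctx = ((HttpApplication)sender).Context;
            Stopwatch sw = ctx.Items[StopwatchKey] as Stopwatch;
            long elapsedMs = (sw == null) ? -1 : sw.ElapsedMilliseconds;

            // The identity is populated even for non-ASP.NET content, because
            // the managed authentication modules ran earlier in the pipeline.
            string user = (ctx.User != null && ctx.User.Identity.IsAuthenticated)
                ? ctx.User.Identity.Name
                : "-";

            // One line per request: method, URL, status, duration, user, client IP.
            // Trace output goes to whatever TraceListener the site configures.
            Trace.WriteLine(string.Format("{0} {1} -> {2} ({3} ms) user={4} ip={5}",
                ctx.Request.HttpMethod,
                ctx.Request.RawUrl,
                ctx.Response.StatusCode,
                elapsedMs,
                user,
                ctx.Request.UserHostAddress));
        }

        public void Dispose() { }
    }
}

/* Registration in the site's web.config (assumed for this example):

   <system.webServer>
     <modules>
       <add name="RequestAudit" type="Example.Modules.RequestAuditModule" />
     </modules>
   </system.webServer>

   Leaving out preCondition="managedHandler" is what makes the module run
   for .htm, .php and other non-ASP.NET requests, not only for .aspx. */
```

The same pattern, with `AuthenticateRequest` or `AuthorizeRequest` in place of `BeginRequest`, is how the Forms Authentication and Membership/Roles features in the first bullet end up protecting non-ASP.NET content: the managed modules are simply part of the IIS7 pipeline rather than of an ASP.NET-only ISAPI extension.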

Mar 02

Look at this great post from Joe:
“The IIS team delivered an amazing product with IIS 6 but they sure haven’t rested in their laurels since then.

They’ve been doing all sorts of great work, not the least of which is IIS 7.

So I thought I’d share this list of IIS Resources that I keep my eye on.”

view original