Adding Security To The 5 Minute ASP.NET MVC CRUD App | Fri 25 Mar 2011 | Blog

Adding Security To The 5 Minute ASP.NET MVC CRUD AppFri 25 Mar 2011

Yesterday I showed how I could build a CRUD app in ASP.NET MVC 3 in about 2m 30s.

As was pointed out it came without any security, whereas Domino apps come with it by default.

Well, here's another stab at the same ASP.NET app. This time I include not only user authentication (forcing users to login before creating a new contact record) but also some basic validation of required fields. All still inside 5 minutes:

Again, let me re-iterate the point that this whole exercise is merely intended as a bit of fun. At no point have I said "ASP.NET is better than Domino". No single platform could ever be singled out as the "best".

I do all this to try and educate and show you another side to things. There seems to be an assumption that anything that is easy with Domino has to be complicated in anything and everything else. That's simply not the case.

While I appreciate how simple things are in Domino (and miss aspects of that) what I like about other platforms are the lack of restrictions. With ASP.NET I can pretty much make my apps do whatever I and, most importantly, my customers want them to.

Comments

- Miguel A Calvo
- Fri 25 Mar 2011 05:34 AM
It's a draw now. :-)
Let's wait for next round.

Reply
1. - Jake Howlett
  - Fri 25 Mar 2011 05:38 AM
  I want to see Domino (classic and/or xpages) do server-side field-level validation as easily as I did in the above demo.
  Have things changed in the last seven years since I wrote about how hard it is to do server-side validation in Domino, without creating "temporary" documents in the DB:
  http://www.codestore.net/store.nsf/unid/EPSD-5ZZG8M
  Would XPages still need the use of a SaveOptions field I wonder?
  Rule #1: JavaScript not allowed.
  
  Reply
  
  Show the rest of this thread
  1. - Miguel A Calvo
    - Fri 25 Mar 2011 05:56 AM
    In XPages, server side validation is just a click away. You select that in the INPUTTEXT Control, and the validation takes place in the server. You've got several default Validators, even RegExp and Custom validators to validate as you prefer.
    But, XPages is based in Dojo JS Framework, so, under the hood there's javascript client-side involved always. You don't need to write JS but XPages is sending it to the browser
    src="/domjs/dojo-1.5.0/ibm/xsp/widget/layout/xspClientDojo.js"
    
    Reply
    1. - Jake Howlett
      - Fri 25 Mar 2011 06:49 AM
      Interesting. I didn't know that Xpages could do that.
      Just wondering -- if an XPage is bound to a form then can I hack around this validation and do a "/contact?OpenForm" (classic) URL and bypass the new Xpage server-side validation by submitting the backend form directly?
      
      Reply
      1. Horatiu Agarbiceanu
        
        Fri 25 Mar 2011 07:08 AM
        
        I guess, yes you can... as long as you don't bind the Form to the xPage.
        
        Reply
        
        Henning Heinz
        
        Fri 25 Mar 2011 09:22 AM
        
        Forms you bind to an XPage don't need to be accessible from the web. You can hide them. You also have an option on traditional forms to open an XPage instead of the form.
        
        Reply
      2. Stephen Hood
        
        Fri 25 Mar 2011 08:12 AM
        
        Hope this answers your question.
        http://www.bleedyellow.com/blogs/m... ..rity_use_of_the_display_xpage_instead_option?lang=en_us
        
        Reply
      3. Miguel A Calvo
        
        Fri 25 Mar 2011 08:13 AM
        
        Yes, if the Form is not hidden for browsers, in Properties/Design, you could open it by using "/contact?OpenForm" if you guess its name.
        If you bind the Form to the XPage, then if you try to open a document created with that Form, it will always show with the XPage in the browser, no matter the URL you use to open it.
        
        Reply
      4. David Leedy
        
        Fri 25 Mar 2011 08:13 AM
        
        Jake,
        In XPages world, just don't make the form acessable to the web browser. There's no need for it to be. Also the actual form will NEVER be seen in a URL so no one would know the form name - not that this is REAL security, I'm just mentioning this as information.
        Again - just don't make the form or views really accessable to the web. There's no need for it.
        
        Reply
      5. Baiju Thomas
        
        Fri 25 Mar 2011 08:50 AM
        
        Jake,
        You are thoroughly underestimating the power of xPages. Server side validation is just the click of a checkbox (and it can get as complex as you want).No way to hack around it since all your validation logic is running in the server and nothing is exposed in the client.
        In my honest opinion, the whole comparison excersice is pointless unless you compare it with xPages. What you are doing now is comparing the latest .Net technology with domino development techniques of 90's.
        
        Reply
        
        Jake Howlett
        
        Fri 25 Mar 2011 10:07 AM
        
        But Domino classic is all I know and it's not quite a forgotten legacy just yet.
        I still support websites I built with classic and (in fact) just this month I created a *new* Domino website for a (new) customer using Domino classic (they're on version 8 servers with no intention of going to 8.5, as a SharePoint migration is on the cards).
        Domino classic can't be written of as being "of the 90's" as it was the *only* way until just a couple of years ago.
        But you're right. It's is all pretty pointless. Don't forget the "just for fun clause" this all comes with.
        
        Reply
        
        Baiju Thomas
        
        Fri 25 Mar 2011 12:44 PM
        
        I understand the fun part of this excersice.. The only point I wanted to make is, Domino development with xPages is no way the same as classic domino development. You need to forget all the classic hacks you've been doing.. I've done it for 10 years(and was very comfortable doing it) and working with xPages for last 1 year. Believe me, it is a killer technology. I don't want to do classic domino development ever again in my life. IBM has some of the brightest minds in the market. And without learning the technology you will never understand the power of it. I have gone through that difficult period myself. But once you are through with it, you will be as excited as you are with all the new .Net stuff you learn.
        How can we compare .Net development with Domino when we cannot even compare classic domino development with xPages development.
        From a technology point of view, xPages can compete with any other leading platform in the market. But wheather you can get more business with it, I don't know.. It depends on a lot of things.. not necessarily based on a technologycal weakness of the platform..
        
        Reply
- Mark Teichmann
- Fri 25 Mar 2011 05:40 AM
I recorded a demo app using SAP River Application System (closed beta at the moment) but unfortunately the upload to Screenr fails because of proxy issues... River is based on Cogheads technology (example screenshot: http://tctechcrunch.files.wordpress.com/form_editing_2.jpg) and allows you to create applications using some mouse clicks and DnD. Quite interesting technology...
Using JBoss Seam you can also generate a complete CRUD application from existing database entities in minutes. It even implements relationships between different tables etc.

Reply
1. - Jake Howlett
  - Fri 25 Mar 2011 05:42 AM
  Looks like it's built with Flex?
  Note that the demo I'm doing with MVC scaffolding is started from the point where there's no database and it creates it for us. Using an existing database would be cheating ;-)
  
  Reply
  
  Show the rest of this thread
  1. - Mark Teichmann
    - Fri 25 Mar 2011 06:00 AM
    yes, River uses Flex (or AIR or some kind of Flash). But you can also use a REST API.
    Regarding Seam: It makes use of Hibernate for database access and you can also generate the database from your code. I think nowadays you can do all this stuff also using Microsoft or other technologies but I always like the idea of open standards.
    The SEAM application can run on many different application servers using different databases (Hibernate supports all known databases) all with the same code (ok, you have to tweak some config files). While this is also possible using M$ technology you can develop all this SEAM stuff using only free software.
    But ASP.NET is also very nice indeed. It is always good to have a choice.
    
    Reply
    1. - Henning Heinz
      - Fri 25 Mar 2011 07:08 AM
      If you like Hibernate (which I can fully understand) it also is available for .Net (NHibernate).
      
      Reply
- Mark Hughes
- Fri 25 Mar 2011 07:30 AM
Dude, required fields on XPages is a check box!!!

Reply
- David Leedy
- Fri 25 Mar 2011 08:34 AM
Jake,
In XPages, Server Side Validation is really PREFERRED in my opinion. Sure it's a round trip to the server, but it's just SO DARN EASY you just don't want to write the CSJS.
In the simple edit box controls and such, there are built in properties for required and length for instance. So in the case of Required, you turn it on - fill in a field with the message you want to return to the user and you're done.
There are many custom validators behind the scenes as well if you need to get a little more advanced. And quite honestly I've not really played with the advanced stuff yet.
I'm a little surprised that I've not done a short NotesIn9 on basic validation yet. I did cover it a little bit in my "Introduction to XPages" Show. This is 73 minutes, but it looks like I demo it a bit around the 49 minute mark.
Here's link to there video on my site and also YouTube:
http://notesin9.com/index.php/2010/09/26/notesin9-extended-edition-intro-to-xpages/
http://www.youtube.com/watch?v=p6dvFZRNfZc&hd=1
Hope that helps!

Reply
1. - Robert Shaver
  - Mon 4 Apr 2011 03:39 PM
  The best case is to do both. Validate in the client for the convenience of the user then validate on the server for the security of the application.
  
  Reply
- Erik Brooks
- Fri 25 Mar 2011 10:15 AM
Technically with XPages you don't even need a form. OR a view in many cases. They just make it a bit quicker to setup the XPage in an example like this one.

Reply
- Jyotiprakash Mohanty
- Fri 25 Mar 2011 10:03 PM
Jake,
If you are doing these for fun then why not Xpages for fun.
Who knows someone lands here searching Xpages and opens the door for new Business.

Reply
- Michael Bourak
- Mon 28 Mar 2011 03:42 AM
I'm a little disapointed because you compare code generation (your asp.net sample) with "raw" development. It's as if you put 4 fields on a form, ran an agent that builds a view and an xpages based on those fields...it'll basically take 30sec.
Anyway :
- what scaffolding does is to "hide" the complexity necessary to build such a simple stuff. Complexity should not be hidden, it should be avoided when possible.
- The scenario is far too simplistic to conclude anything other than= "we can built very fast a very simple app"...wow ;-)

Reply
1. - Michael Bourak
  - Mon 28 Mar 2011 09:05 AM
  The post above relates to your "5 min" post, not this one. sorry
  
  Reply
- Luke
- Tue 29 Mar 2011 04:25 AM
Just by using scaffolding, you get a working CRUD website with Ruby on Rails in 2 minutes. Actually, you have to get the db configured properly (whichever you decide to use, just like with ASP.net), and then you go with (I use terminal on OS X, but you could go with a cmd prompt)
rails testcrud
cd testcrud
ruby script/generate scaffold contact firstname:string lastname:string email:string phone:string
rake db:migrate
ruby script/server
and you have a working web site with CRUD functionalities.
It will take you less than a minute actually... And the power and customability of Ruby on Rails is for sure astonishing.
So far, let's add another platform , *not tied to a single vendor* , to the scenario of RAD.
Cheers

Reply
1. - Michael
  - Tue 29 Mar 2011 06:52 AM
  Welcome back in command line mode ;)
  
  Reply
  
  Show the rest of this thread
  1. - Luke
    - Tue 29 Mar 2011 07:03 AM
    Yep. The only thing you're going to need with RoR is a Text editor.
    But I believe it's the same with almost every kind of programming environment, aside from complex IDE like Visual Studio, XCode, Eclipse and the rest.
    What you lose we all know. What you gain is total detachment from OS , platform and vendor. And who really knows what is M$ goin' to do in the future to their products, let's say, to push the market in Sharepoint direction? Or IBM for the next Websphere version? We all know where Lotus was goin' to be headed with RNext. We all saw where M$ was headed with Silverlight 1.0. Only to be neglected with the next releases of their products.
    So far , so good. I still use XCode and TextMate when I'm not workin' on my PC.
    
    Reply
    1. - Michael
      - Tue 29 Mar 2011 07:25 AM
      And who knows if RoR becomes obsolete in 3 years... (look at Struts...from Hype to HasBeen in 5 years)
      Of course, RoR is open source so you could maintain it...good luck ;-)
      
      Reply
      1. Luke
        
        Tue 29 Mar 2011 07:28 AM
        
        Good point Michael.
        At the moment, very big names are adopting RoR. Just to give you a quick hindsight: http://www.workingwithrails.com/high-profile-organisations
        But then, this could be said for every platform. Even Sharepoint, after the huge curve of adoption, when companies realize what a mess of a product it is, they will embrace new techs. Who will know how much time will it take?
        
        Reply
        
        Michael
        
        Tue 29 Mar 2011 07:43 AM
        
        And in those situations, when you deal with a decent vendor (like IBM), they tend to provide a smoother path to evolve...while, in opensource world, you often deal with RnR ...meaning rip and replace in this case ;)
        5 years ago, every one was doing Struts too...now it's a hard time finding valuable people to maintain those apps due to it's "has been" factor.
        Anyway, I agree with you on the fact that RoR is a great peace of software. Just trying to say the world is not black or white.
        
        Reply
- Jerry Carter
- Tue 29 Mar 2011 12:58 PM
As said earlier via P2P carrier pigeon, I've enjoyed this discussion as it has finally moved so many people off the side-lines and into the fray to spout off with much useful information answering really useful basic questions about x-pages in defense of cod and country.
It is somewhat of a sad commentary that this honest bit of fun has rankled so many. Have ye so little faith in thy skills? Meanwhile, some have apparently had the bur so firmly lodged under their saddle that they have aspired to spray the crowd with so much blood of a now well and truly beaten dead horse (http://planetlotus.org/8626f8 leaves me wondering if "parody" is latin for "You've really got my back up, but damn if I'm going to come off as anything but clever").

Reply
1. - David Goodchild
  - Tue 29 Mar 2011 01:30 PM
  I have to agree Jerry. I've enjoyed the discussion as I'm Domino and .net, but know nothing of RoR, and I've been learning from it. I'm also in the same boat as Jake where there has been very little XPages work (in the UK market, certainly on my radar), some trad Notes/Domino but alot more scope for M$ work, so the chance and opportunity to keep current with Xpages (even though I did the learning curve a while ago) is not apparent. I'm disappointed that what is a (serious or geeky - not sure which!) bit of fun and also a chance to learn others views/skills/insights has even been labelled FUD, but has certainly put some on the defensive/attack (again not sure which).
  Anyway, have enjoyed everyone's input and certainly the different ways to do an admittedly basic requirement.
  
  Reply