book

Pro ASP.NET MVC 2 Framework

Name: Pro ASP.NET MVC 2 Framework
Author: Steven Sanderson
ISBN: 9781430228868

by Steven Sanderson

July 2010

Intermediate to advanced

776 pages

20h 25m

English

Apress

Read now

Unlock full access

Copyright
About the Author
About the Technical Reviewer
Acknowledgments
Introduction
You Don't Need to Know ASP.NET MVC 1 AlreadyWhich Technologies Are Used in This BookCode SamplesErrataContacting the Author
I. Introducing ASP.NET MVC 2
1. What's the Big Idea?
1.1. A Brief History of Web Development1.1.1. Traditional ASP.NET Web Forms1.1.2. What's Wrong with ASP.NET Web Forms?1.2. Web Development Today1.2.1. Web Standards and REST1.2.2. Agile and Test-Driven Development1.2.3. Ruby on Rails1.3. Key Benefits of ASP.NET MVC1.3.1. MVC Architecture1.3.2. Extensibility1.3.3. Tight Control over HTML and HTTP1.3.4. Testability1.3.5. Powerful Routing System1.3.6. Built on the Best Parts of the ASP.NET Platform1.3.7. Modern API1.3.8. ASP.NET MVC Is Open Source1.4. Who Should Use ASP.NET MVC?1.4.1. Comparisons with ASP.NET Web Forms1.4.1.1. Migrating from Web Forms to MVC1.4.2. Comparisons with Ruby on Rails1.4.3. Comparisons with MonoRail1.5. What's New in ASP.NET MVC 21.6. Summary
2. Your First ASP.NET MVC Application
2.1. Preparing Your Workstation2.2. Creating a New ASP.NET MVC Project2.2.1. Adding the First Controller2.2.2. How Does It Know to Invoke HomeController?2.3. Rendering Web Pages2.3.1. Creating and Rendering a View2.3.2. Adding Dynamic Output2.4. A Starter Application2.4.1. The Story2.4.2. Designing a Data Model2.4.2.1. Adding a Model Class2.4.3. Linking Between Actions2.4.3.1. Introducing Strongly Typed Views2.4.4. Building a Form2.4.4.1. Dude, Where's My Data?2.4.5. Handling Form Submissions2.4.5.1. Introducing Model Binding2.4.5.2. Rendering Arbitrary Views and Passing a Model Object to Them2.4.6. Adding Validation2.4.6.1. Model Binding Tells Input Controls to Redisplay User-Entered Values2.4.6.2. Highlighting Invalid Fields2.4.7. Finishing Off2.5. Summary
3. Prerequisites
3.1. Understanding MVC Architecture3.1.1. The Smart UI (Anti-Pattern)3.1.2. Separating Out the Domain Model3.1.2.1. Model-View Architecture3.1.3. Three-Tier Architecture3.1.4. MVC Architecture3.1.4.1. Implementation in ASP.NET MVC3.1.4.2. History and Benefits3.1.5. Variations on MVC3.1.5.1. Where's the Data Access Code?3.1.5.2. Putting Domain Logic Directly into Controllers3.1.5.3. Model-View-Presenter3.1.5.4. Model-View-View Model3.2. Domain Modeling3.2.1. An Example Domain Model3.2.2. Ubiquitous Language3.2.3. Aggregates and Simplification3.2.3.1. Is It Worth Defining Aggregates?3.2.4. Keeping Data Access Code in Repositories3.2.5. Using LINQ to SQL3.2.5.1. Implementing the Auctions Domain Model3.2.5.2. Implementing the Auction Repositories3.3. Building Loosely Coupled Components3.3.1. Taking a Balanced Approach3.3.2. Using Dependency Injection3.3.2.1. An MVC-Specific Example3.3.3. Using a DI Container3.3.3.1. Meet Ninject3.4. Getting Started with Automated Testing3.4.1. Understanding Unit Testing3.4.1.1. How DI Supports Unit Testing3.4.1.2. TDD and the Red-Green-Refactor Workflow3.4.1.3. To Unit Test or Not to Unit Test3.4.2. Understanding Integration Testing3.4.2.1. BDD and the Given-When-Then Model3.4.2.2. Why This Book Demonstrates Unit Testing Rather Than Integration Testing3.5. C# 3 Language Features3.5.1. The Design Goal: Language-Integrated Query3.5.2. Extension Methods3.5.3. Lambda Methods3.5.4. Generic Type Inference3.5.5. Automatic Properties3.5.6. Object and Collection Initializers3.5.7. Type Inference3.5.8. Anonymous Types3.5.8.1. Putting It All Together3.5.8.2. Deferred Execution3.5.9. Using LINQ to Objects3.5.10. Lambda Expressions3.5.11. IQueryable<T> and LINQ to SQL3.5.11.1. LINQ to Everything3.6. Summary
4. SportsStore: A Real Application
4.1. Getting Started4.1.1. Creating Your Solutions and Projects4.2. Starting Your Domain Model4.2.1. Creating an Abstract Repository4.2.2. Making a Fake Repository4.3. Displaying a List of Products4.3.1. Adding the First Controller4.3.2. Setting Up the Default Route4.3.3. Adding the First View4.4. Connecting to a Database4.4.1. Defining the Database Schema4.4.2. Setting Up LINQ to SQL4.4.3. Creating a Real Repository4.5. Setting Up DI4.5.1. Creating a Custom Controller Factory4.5.2. Using Your DI Container4.6. Creating Unit Tests4.7. Configuring a Custom URL Schema4.7.1. Assigning a Default Parameter Value4.7.2. Displaying Page Links4.7.2.1. Making the HTML Helper Method Visible to All View Pages4.7.2.2. Supplying a Page Number to the View4.7.3. Improving the URLs4.8. Styling It Up4.8.1. Defining Page Layout in the Master Page4.8.2. Adding CSS Rules4.8.3. Creating a Partial View4.9. Summary

5. SportsStore: Navigation and Shopping Cart
5.1. Adding Navigation Controls5.1.1. Filtering the Product List5.1.1.1. Implementing the Category Filter5.1.2. Defining a URL Schema for Categories5.1.3. Building a Category Navigation Menu5.1.3.1. Creating the Navigation Controller5.1.3.2. Selecting and Rendering a List of Category Links5.1.3.2.1. Rendering a Partial View Directly from the Menu Action5.1.3.3. Highlighting the Current Category5.2. Building the Shopping Cart5.2.1. Defining the Cart Entity5.2.2. Adding "Add to Cart" Buttons5.2.2.1. Multiple <form> Tags5.2.3. Giving Each Visitor a Separate Shopping Cart5.2.3.1. ASP.NET MVC Offers a Tidier Way of Working with Session Storage5.2.3.2. Creating a Custom Model Binder5.2.4. Creating CartController5.2.4.1. Implementing AddToCart and RemoveFromCart5.2.5. Displaying the Cart5.2.6. Removing Items from the Cart5.2.7. Displaying a Cart Summary in the Title Bar5.3. Submitting Orders5.3.1. Enhancing the Domain Model5.3.2. Adding the "Check Out Now" Button5.3.3. Prompting the Customer for Shipping Details5.3.4. Defining an Order Submitter DI Component5.3.5. Completing CartController5.3.5.1. Adding a Fake Order Submitter5.3.5.2. Displaying Validation Errors5.3.5.3. Displaying a "Thanks for Your Order" Screen5.3.6. Implementing EmailOrderSubmitter5.4. Summary
6. SportsStore: Administration and Final Enhancements
6.1. Adding Catalog Management6.1.1. Creating AdminController: A Place for the CRUD Features6.1.2. Rendering a Grid of Products in the Repository6.1.2.1. Implementing the List View6.1.3. Building a Product Editor6.1.3.1. Creating a Product Editor UI6.1.3.2. Handling Edit Submissions6.1.3.2.1. Displaying a Confirmation Message6.1.3.3. Adding Validation6.1.3.4. Enabling Client-Side Validation6.1.4. Creating New Products6.1.5. Deleting Products6.2. Securing the Administration Features6.2.1. Setting Up Forms Authentication6.2.2. Using a Filter to Enforce Authentication6.2.3. Displaying a Login Prompt6.3. Image Uploads6.3.1. Preparing the Domain Model and Database6.3.2. Accepting File Uploads6.3.2.1. A Little-Known Fact About HTML Forms6.3.2.2. Saving the Uploaded Image to the Database6.3.2.3. Handling Form Posts That Don't Include an Image6.3.2.3.1. An Alternative: Serializing Data into Hidden Form Fields6.3.3. Displaying Product Images6.4. Summary
II. ASP.NET MVC in Detail
7. Overview of ASP.NET MVC Projects
7.1. Developing MVC Applications in Visual Studio7.1.1. Naming Conventions7.1.2. The Initial Application Skeleton7.1.3. Debugging MVC Applications and Unit Tests7.1.3.1. Launching the Visual Studio Debugger7.1.3.2. Attaching the Debugger to IIS7.1.3.3. Attaching the Debugger to a Test Runner (e.g., NUnit GUI)7.1.3.4. Remote Debugging7.1.4. Using the Debugger7.1.5. Stepping into the .NET Framework Source Code7.1.6. Stepping into the ASP.NET MVC Framework Source Code7.2. The Request Processing Pipeline7.2.1. Stage 1: IIS7.2.2. Stage 2: Core Routing7.2.2.1. Routing Configurations7.2.3. Stage 3: Controllers and Actions7.2.3.1. Finding and Invoking Controllers7.2.3.2. What Controllers Must Do7.2.3.3. What Controllers Normally Do7.2.4. Stage 4: Action Results and Views7.2.4.1. Rendering a View7.3. Summary
8. URLs and Routing
8.1. Putting the Programmer Back in Control8.1.1. About Routing and Its .NET Assemblies8.2. Setting Up Routes8.2.1. Understanding the Routing Mechanism8.2.1.1. The Main Characters: RouteBase, Route, and RouteCollection8.2.1.2. How Routing Fits into the Request Processing Pipeline8.2.1.3. The Order of Your Route Entries Is Important8.2.2. Adding a Route Entry8.2.2.1. URL Patterns Match the Path Portion of a URL8.2.2.2. Meet RouteValueDictionary8.2.2.3. Take a Shortcut with MapRoute()8.2.3. Using Parameters8.2.3.1. Receiving Parameter Values in Action Methods8.2.4. Using Defaults8.2.4.1. Creating Optional Parameters with No Default Value8.2.5. Using Constraints8.2.5.1. Matching Against Regular Expressions8.2.5.2. Matching HTTP Methods8.2.5.3. Matching Custom Constraints8.2.6. Prioritizing Controllers by Namespace8.2.7. Accepting a Variable-Length List of Parameters8.2.8. Matching Files on the Server's Hard Disk8.2.8.1. Using the RouteExistingFiles Flag8.2.9. Using IgnoreRoute to Bypass the Routing System8.3. Generating Outgoing URLs8.3.1. Generating Hyperlinks with Html.ActionLink()8.3.1.1. Passing Extra Parameters8.3.1.2. How Parameter Defaults Are Handled8.3.1.3. Generating Fully Qualified Absolute URLs8.3.2. Generating Links and URLs from Pure Routing Data8.3.3. Performing Redirections to Generated URLs8.3.4. Understanding the Outbound URL-Matching Algorithm8.3.5. Generating Hyperlinks with Html.ActionLink<T> and Lambda Expressions8.3.6. Working with Named Routes8.3.6.1. Why You Might Not Want to Use Named Routes8.4. Working with Areas8.4.1. Setting Up Areas8.4.2. Routing and URL Generation with Areas8.4.2.1. Linking to an Action in the Same Area8.4.2.2. Linking to an Action in a Different Area8.4.2.3. Linking to an Action in the Root Area8.4.2.4. Areas and Explicitly Named Routes8.4.3. Areas and the Ambiguous Controller Problem8.4.4. Areas Summary8.5. Unit Testing Your Routes8.5.1. Testing Inbound URL Routing8.5.1.1. Using Test Doubles8.5.1.2. Using a Mocking Framework (Moq)8.5.2. Testing Outbound URL Generation8.5.2.1. Unit Testing Area Routes8.6. Further Customization8.6.1. Implementing a Custom RouteBase Entry8.6.2. Implementing a Custom Route Handler8.7. URL Schema Best Practices8.7.1. Make Your URLs Clean and Human-Friendly8.7.2. Follow HTTP Conventions8.7.2.1. GET and POST: Pick the Right One8.7.2.2. On Query Strings8.7.2.3. Use the Correct Type of HTTP Redirection8.7.3. SEO8.8. Summary
9. Controllers and Actions
9.1. An Overview9.1.1. Comparisons with ASP.NET Web Forms9.1.2. All Controllers Implement IController9.1.3. The Controller Base Class9.2. Receiving Input9.2.1. Getting Data from Context Objects9.2.2. Using Action Method Parameters9.2.2.1. Parameters Objects Are Instantiated Using Value Providers and Model Binders9.2.2.2. Optional and Compulsory Parameters9.2.2.3. Specifying Default Parameter Values9.2.2.4. Parameters You Can't Bind To9.2.3. Invoking Model Binding Manually in an Action Method9.3. Producing Output9.3.1. Understanding the ActionResult Concept9.3.2. Returning HTML by Rendering a View9.3.2.1. Rendering a View by Path9.3.2.2. Passing a ViewData Dictionary and a Model Object9.3.2.2.1. Treating ViewData As a Loosely Typed Dictionary9.3.2.2.2. Sending a Strongly Typed Object in ViewData.Model9.3.2.2.3. Combining Both Approaches9.3.2.2.4. Passing a Dynamic Object As ViewData.Model9.3.3. Performing Redirections9.3.3.1. Redirecting to a Different Action Method9.3.3.2. Redirecting to a Different URL9.3.3.3. Using TempData to Preserve Data Across a Redirection9.3.3.3.1. Where TempData Stores Its Data9.3.3.3.2. Controlling the Lifetime of TempData Items9.3.4. Returning Textual Data9.3.4.1. Generating an RSS Feed9.3.5. Returning JSON Data9.3.6. Returning JavaScript Commands9.3.7. Returning Files and Binary Data9.3.7.1. Sending a File Directly from Disk9.3.7.2. Sending the Contents of a Byte Array9.3.7.3. Sending the Contents of a Stream9.3.8. Creating a Custom Action Result Type9.3.8.1. Example: Watermarking an Image (and the Concept of Unit Testability Seams)9.4. Unit Testing Controllers and Actions9.4.1. How to Arrange, Act, and Assert9.4.2. Testing a Choice of View and ViewData9.4.2.1. Testing ViewData Values9.4.3. Testing Redirections9.4.4. More Comments About Unit Testing9.4.5. Mocking Context Objects9.4.6. Reducing the Pain of Mocking9.4.6.1. Method 1: Make a Reusable Helper That Sets Up a Standard Mock Context9.4.6.2. Method 2: Access Dependencies Through Virtual Properties9.4.6.3. Method 3: Receive Dependencies Using Model Binding9.4.6.4. Method 4: Turn Your Dependencies into DI Components9.4.6.5. Method 5: Factor Out Complexity and Don't Unit Test Controllers9.5. Summary
10. Controller Extensibility
10.1. Using Filters to Attach Reusable Behaviors10.1.1. Introducing the Four Basic Types of Filter10.1.2. Applying Filters to Controllers and Action Methods10.1.3. Creating Action Filters and Result Filters10.1.3.1. Controlling the Order of Execution10.1.3.2. Filters on Actions Can Override Filters on Controllers10.1.3.3. Using the Controller Itself As a Filter10.1.4. Creating and Using Authorization Filters10.1.4.1. How Authorization Filters Interact with Output Caching10.1.4.2. Creating a Custom Authorization Filter10.1.5. Creating and Using Exception Filters10.1.5.1. Using HandleErrorAttribute10.1.5.2. Creating a Custom Exception Filter10.1.6. Bubbling Exceptions Through Action and Result Filters10.1.7. The [OutputCache] Action Filter10.1.8. The [RequireHttps] Filter10.1.9. Other Built-In Filter Types10.2. Controllers As Part of the Request Processing Pipeline10.2.1. Working with DefaultControllerFactory10.2.1.1. Prioritizing Namespaces Globally Using DefaultNamespaces10.2.1.2. Prioritizing Namespaces on Individual Route Entries10.2.1.3. Limiting a Route Entry to Match Controllers in a Specific Set of Namespaces10.2.2. Creating a Custom Controller Factory10.2.2.1. Registering a Custom Controller Factory10.2.3. Customizing How Action Methods Are Selected and Invoked10.2.3.1. The Real Definition of an Action10.2.3.2. Using [ActionName] to Specify a Custom Action Name10.2.3.3. Method Selection: Controlling Whether a C# Method Should Agree to Handle a Request10.2.3.3.1. Creating a Custom Action Method Selector Attribute10.2.3.3.2. Using the [NonAction] Attribute10.2.3.4. How the Whole Method Selection Process Fits Together10.2.3.5. Handling Unknown Actions10.2.4. Overriding HTTP Methods to Support REST Web Services10.2.4.1. Submitting a Plain HTML Form with an Overridden HTTP Method10.2.4.2. How HTTP Method Overriding Works10.3. Boosting Server Capacity with Asynchronous Controllers10.3.1. Introducing Asynchronous Requests10.3.2. Using Asynchronous Controllers10.3.2.1. Turning a Synchronous Action into an Asynchronous Action10.3.2.2. Passing Parameters to the Completion Method10.3.2.3. Controlling and Handling Timeouts10.3.2.4. Using Finish() to Abort All Remaining Asynchronous Operations10.3.2.5. Using Sync() to Transition Back to the Original HTTP Context10.3.3. Adding Asynchronous Methods to Domain Classes10.3.4. Choosing When to Use Asynchronous Controllers10.3.4.1. Measuring the Effects of Asynchronous Controllers10.3.4.2. Ensuring Your Server Is Configured to Benefit from Asynchronous Requests10.4. Summary
11. Views
11.1. How Views Fit into ASP.NET MVC11.1.1. The Web Forms View Engine11.1.2. View Engines Are Replaceable11.2. Web Forms View Engine Basics11.2.1. Adding Content to a View11.2.2. Five Ways to Add Dynamic Content to a View11.3. Using Inline Code11.3.1. Why Inline Code Is a Good Thing in MVC Views11.4. Understanding How MVC Views Actually Work11.4.1. Understanding How ASPX Pages Are Compiled11.4.1.1. The Code-Behind Model11.4.2. How Automatic HTML Encoding Works11.4.2.1. How ASP.NET 4 Automatically Skips Encoding When Rendering HTML Helpers11.4.2.2. Introducing the <%: ... %> Syntax11.4.2.3. Working with MvcHtmlString11.4.2.4. Using Custom Encoding Logic (Applies to .NET 4 Only)11.4.3. Understanding ViewData11.4.4. Extracting ViewData Items Using ViewData.Eval11.5. Using HTML Helper Methods11.5.1. The Framework's Built-In Helper Methods11.5.1.1. Rendering Input Controls11.5.1.1.1. Using Strongly Typed Input Controls11.5.1.1.2. How Input Controls Get Their Values11.5.1.1.3. Adding Arbitrary Tag Attributes11.5.1.1.4. A Note About HTML Encoding11.5.1.2. Rendering Links and URLs11.5.1.3. Performing HTML and HTML Attribute Encoding11.5.1.4. Rendering Drop-Down and Multiselect Lists11.5.1.5. Bonus Helper Methods in Microsoft.Web.Mvc.dll11.5.1.6. Other HTML Helpers11.5.1.7. Rendering Form Tags11.5.1.7.1. Forms That Post Back to the Same URL11.5.1.7.2. Using Html.BeginForm<T>11.5.2. Creating Your Own HTML Helper Methods11.6. Using Partial Views11.6.1. Creating and Rendering a Partial View11.6.1.1. Rendering a Partial Directly to the Response Stream11.6.1.2. Passing ViewData to a Partial View11.6.1.3. Passing an Explicit Model Object to a Partial View11.6.1.3.1. Rendering a Partial View for Each Item in a Collection11.6.2. Rendering a Partial View Using Server Tags11.6.2.1. Passing ViewData to the Control11.6.2.2. Passing an Explicit Model Object to the Control11.7. Summary
12. Models and Data Entry
12.1. How It All Fits Together12.2. Templated View Helpers12.2.1. Displaying and Editing Models Using Templated View Helpers12.2.1.1. Using Model Metadata to Influence Templated View Helpers12.2.1.2. Rendering Editors for Individual Properties12.2.1.3. Rendering Labels for Individual Properties12.2.1.4. The Built-in Editor Templates12.2.1.4.1. Scaffolding Is Not Recursive12.2.1.5. Displaying Models Using Templated View Helpers12.2.2. Using Partial Views to Define Custom Templates12.2.2.1. Creating a Custom Editor Template12.2.2.2. Respecting Formatting Metadata and Inheriting from ViewTemplateUserControl<T>12.2.2.3. Passing Additional View Data to Custom Templates12.2.2.4. Working with HTML Field Prefixes and the TemplateInfo Context12.3. Model Metadata12.3.1. Working with Data Annotations12.3.2. Creating a Custom Metadata Provider12.3.2.1. The Full Set of Metadata Options12.3.3. Consuming Model Metadata in Custom HTML Helpers12.3.4. Using [MetadataType] to Define Metadata on a Buddy Class12.4. Model Binding12.4.1. Model-Binding to Action Method Parameters12.4.2. Model-Binding to Custom Types12.4.2.1. Specifying a Custom Prefix12.4.2.2. Omitting a Prefix12.4.2.3. Choosing a Subset of Properties to Bind12.4.3. Invoking Model Binding Directly12.4.3.1. Dealing with Model Binding Errors12.4.4. Model-Binding to Arrays, Collections, and Dictionaries12.4.4.1. Model-Binding Collections of Custom Types12.4.4.2. Using Nonsequential Indexes12.4.4.3. Model-Binding to a Dictionary12.4.5. Creating a Custom Value Provider12.4.6. Creating a Custom Model Binder12.4.6.1. Configuring Which Model Binders Are Used12.4.7. Using Model Binding to Receive File Uploads12.5. Validation12.5.1. Registering and Displaying Validation Errors12.5.1.1. Using the Built-In Validation HTML Helpers12.5.1.1.1. Controlling Where Validation Messages Appear12.5.1.2. Distinguishing Property-Level Errors from Model-Level Errors12.5.1.3. How the Framework Retains State After a Validation Failure12.5.2. Performing Validation As Part of Model Binding12.5.3. Specifying Validation Rules12.5.3.1. Using Data Annotations Validation Attributes12.5.3.1.1. Creating a Custom Data Annotations Validation Attribute12.5.3.2. Using the IDataErrorInfo Interface12.5.3.3. Creating a Custom Validation Provider12.5.4. Invoking Validation Manually12.5.5. Using Client-Side Validation12.5.5.1. Using Client-Side Validation with a Validation Summary12.5.5.2. Dynamically Highlighting Valid and Invalid Fields12.5.5.3. Allowing Specific Buttons to Bypass Validation12.5.5.4. How Client-Side Validation Works12.5.5.5. Implementing Custom Client-Side Validation Logic12.5.5.5.1. Reusing the Built-In Client-Side Validation Logic12.5.6. Putting Your Model Layer in Charge of Validation12.5.6.1.12.5.6.1.1. What About Client-Side Validation?12.6. Summary
13. User Interface Techniques
13.1. Wizards and Multistep Forms13.1.1. Defining the Model13.1.2. Navigation Through Multiple Steps13.1.3. Collecting and Preserving Data13.1.4. Completing the Wizard13.1.5. Validation13.2. Implementing a CAPTCHA13.2.1. Creating an Html.Captcha() Helper13.2.1.1. Rendering a Dynamic Image13.2.1.2. Distorting the Text13.2.2. Verifying the Form Submission13.3. Using Child Actions to Create Reusable Widgets with Application Logic13.3.1. How the Html.RenderAction Helper Invokes Child Actions13.3.2. When It's Appropriate to Use Child Actions13.3.3. Creating a Widget Based on a Child Action13.3.4. Capturing a Child Action's Output As a String13.3.5. Detecting Whether You're Inside a Child Request13.3.6. Restricting an Action to Handle Child Requests Only13.4. Sharing Page Layouts Using Master Pages13.4.1. Using Widgets in MVC View Master Pages13.4.1.1. Method 1: Have Your Controller Put a Control-Specific Data Item into ViewData13.4.1.2. Method 2: Use an Action Filter to Put a Control-Specific Data Item into ViewData13.4.1.3. Method 3: Use Child Actions13.5. Implementing a Custom View Engine13.5.1. A View Engine That Renders XML Using XSLT13.5.1.1. Step 1: Implement IViewEngine, or Derive a Class from VirtualPathProviderViewEngine13.5.1.2. Step 2: Implement IView13.5.1.3. Step 3: Use It13.5.1.4. Step 4: Register Your View Engine with the Framework13.6. Using Alternative View Engines13.6.1. Using the NVelocity View Engine13.6.2. Using the Brail View Engine13.6.3. Using the NHaml View Engine13.6.4. Using the Spark View Engine13.7. Summary
14. Ajax and Client Scripting
14.1. Why You Should Use a JavaScript Toolkit14.2. ASP.NET MVC's Ajax Helpers14.2.1. Fetching Page Content Asynchronously Using Ajax.ActionLink14.2.1.1. Passing Options to Ajax.ActionLink14.2.1.2. Running JavaScript Functions Before or After Asynchronous Requests14.2.1.3. Detecting Ajax Requests14.2.2. Submitting Forms Asynchronously Using Ajax.BeginForm14.2.3. Invoking JavaScript Commands from an Action Method14.2.4. Reviewing ASP.NET MVC's Ajax Helpers14.3. Using jQuery with ASP.NET MVC14.3.1. Referencing jQuery14.3.1.1. Referencing jQuery on a Content Delivery Network14.3.2. Basic jQuery Theory14.3.2.1. Waiting for the DOM14.3.2.2. Event Handling14.3.2.3. Global Helpers14.3.2.4. Unobtrusive JavaScript14.3.3. Adding Client-Side Interactivity to an MVC View14.3.3.1. Improvement 1: Zebra-Striping14.3.3.2. Improvement 2: Confirm Before Deletion14.3.3.3. Improvement 3: Hiding and Showing Sections of the Page14.3.4. Ajax-Enabling Links and Forms14.3.4.1. Unobtrusive JavaScript and Hijaxing14.3.4.2. Hijaxing Links14.3.4.2.1. Performing Partial Page Updates14.3.4.2.2. Using live to Retain Behaviors After Partial Page Updates14.3.4.3. Hijaxing Forms14.3.5. Client/Server Data Transfer with JSON14.3.5.1. A Note About JsonResult and GET Requests14.3.6. Performing Cross-Domain JSON Requests Using JSONP14.3.7. Fetching XML Data Using jQuery14.3.8. Animations and Other Graphical Effects14.3.9. jQuery UI's Prebuilt UI Widgets14.3.9.1. Example: A Sortable List14.3.10. Summarizing jQuery14.4. Summary
III. Delivering Successful ASP.NET MVC 2 Projects
15. Security and Vulnerability
15.1. All Input Can Be Forged15.1.1. Forging HTTP Requests15.2. Cross-Site Scripting and HTML Injection15.2.1. Example XSS Vulnerability15.2.1.1. Attack15.2.1.2. Defense15.2.2. ASP.NET's Request Validation Feature15.2.2.1. Request Validation: Good or Bad?15.2.2.2. Disabling Request Validation15.2.2.3. Customizing Request Validation Logic15.2.3. Filtering HTML Using the HTML Agility Pack15.2.4. JavaScript String Encoding and XSS15.3. Session Hijacking15.3.1. Defense via Client IP Address Checks15.3.2. Defense by Setting the HttpOnly Flag on Cookies15.4. Cross-Site Request Forgery15.4.1. Attack15.4.2. Defense15.4.3. Preventing CSRF Using the Anti-Forgery Helpers15.5. SQL Injection15.5.1. Attack15.5.2. Defense by Encoding Inputs15.5.3. Defense Using Parameterized Queries15.5.4. Defense Using Object-Relational Mapping15.6. Using the MVC Framework Securely15.6.1. Don't Expose Action Methods Accidentally15.6.2. Don't Allow Model Binding to Change Sensitive Properties15.7. Summary
16. Deployment
16.1. Server Requirements16.1.1. Requirements for Shared Hosting16.2. Building Your Application for Production Use16.2.1. Controlling Dynamic Page Compilation16.2.2. Detecting Compiler Errors in Views Before Deployment16.2.2.1. Detecting Compiler Errors in Views Only When Building in Release Mode16.3. IIS Basics16.3.1. Understanding Web Sites and Virtual Directories16.3.2. Binding Web Sites to Hostnames, IP Addresses, and Ports16.4. Deploying Your Application16.4.1. Manually Copying Application Files to the Server16.4.1.1. Where Should I Put My Application?16.4.2. Bin-Deploying ASP.NET MVC 216.4.3. Deploying to IIS 6 on Windows Server 200316.4.3.1. Adding and Configuring a New MVC Web Site in IIS Manager16.4.3.2. How IIS 6 Processes Requests16.4.3.3. Making Extensionless URLs Work on IIS 616.4.3.3.1. Extensionless URLs on IIS 6 with .NET 3.516.4.3.3.2. Extensionless URLs on IIS 6 with .NET 416.4.3.3.3. Troubleshooting IIS 6 Errors16.4.4. Deploying to IIS 7.x on Windows Server 2008/2008 R216.4.4.1. Installing IIS 7.x on Windows Server 2008/2008 R216.4.4.2. Adding and Configuring a New MVC Web Site in IIS 7.x16.4.4.3. How IIS 7.x Processes Requests in Classic Pipeline Mode16.4.4.4. How IIS 7.x Processes Requests in Integrated Pipeline Mode16.4.4.4.1. How Integrated Mode Makes Extensionless URLs Easy16.4.4.4.2. Why Extensionless URLs Work on IIS 7.x Integrated Pipeline Mode with .NET 3.516.4.4.4.3. Why Extensionless URLs Work in IIS 7.x Integrated Pipeline Mode with .NET 416.4.4.5. Further IIS 7.x Deployment Considerations16.4.4.6. Troubleshooting IIS 7.x Errors16.4.5. Deploying to IIS 7.5 on Windows Server 2008 R2 Core16.5. Automating Deployments with WebDeploy and Visual Studio 201016.5.1. Transforming Configuration Files16.5.2. Automating Online Deployments with One-Click Publishing16.5.3. Automating Offline Deployments with Packaging16.6. Summary
17. ASP.NET Platform Features
17.1. Windows Authentication17.1.1. Preventing or Limiting Anonymous Access17.2. Forms Authentication17.2.1. Setting Up Forms Authentication17.2.1.1. Handling Login Attempts17.2.2. Using Cookieless Forms Authentication17.3. Membership, Roles, and Profiles17.3.1. Setting Up a Membership Provider17.3.1.1. Setting Up SqlMembershipProvider17.3.1.1.1. Using a SQL Server Express User Instance Database17.3.1.1.2. Preparing Your Own Database for Membership, Roles, and Profiles17.3.1.2. Managing Members Using the Web Administration Tool17.3.1.3. Managing Members Using IIS 7.x's .NET Users Configuration Tool17.3.2. Using a Membership Provider with Forms Authentication17.3.3. Creating a Custom Membership Provider17.3.4. Setting Up and Using Roles17.3.4.1. Using the Built-In SqlRoleProvider17.3.4.2. Securing Controllers and Actions by Role17.3.4.3. Creating a Custom Roles Provider17.3.5. Setting Up and Using Profiles17.3.5.1. Using the Built-In SqlProfileProvider17.3.5.2. Configuring, Reading, and Writing Profile Data17.3.5.3. Creating a Custom Profile Provider17.4. URL-Based Authorization17.5. Configuration17.5.1. Configuring Connection Strings17.5.2. Configuring Arbitrary Key/Value Pairs17.5.3. Defining Configuration Sections to Configure Arbitrary Data Structures17.6. Data Caching17.6.1. Reading and Writing Cache Data17.6.2. Using Advanced Cache Features17.7. Site Maps17.7.1. Setting Up and Using Site Maps17.7.2. Creating a Custom Navigation Control with the Site Maps API17.7.3. Generating Site Map URLs from Routing Data17.7.3.1. Using Security Trimming17.8. Internationalization17.8.1. Setting Up Localization17.8.2. Tips for Working with Resource Files17.8.3. Using Placeholders in Resource Strings17.8.4. Internationalizing Validation17.8.4.1. Globalizing Validation Rules17.8.4.1.1. Using Ajax.GlobalizationScript()17.8.5. Localizing Data Annotations Validation Messages17.8.5.1. Localizing the Client-Side Number Validation Message17.9. Performance17.9.1. HTTP Compression17.9.2. Tracing and Monitoring17.9.3. Monitoring Page Generation Times17.9.4. Monitoring LINQ to SQL Database Queries17.10. Summary
18. Upgrading and Combining ASP.NET Technologies
18.1. Using ASP.NET MVC in a Web Forms Application18.1.1. Upgrading an ASP.NET Web Forms Application to Support MVC18.1.1.1. Changing the Project Type18.1.1.2. Adding Assembly References18.1.1.3. Enabling and Configuring Routing18.1.1.4. Adding Controllers and Views18.1.2. Interactions Between Web Forms Pages and MVC Controllers18.1.2.1. Linking and Redirecting from Web Forms Pages to MVC Actions18.1.2.2. Transferring Data Between MVC and Web Forms18.2. Using Web Forms Technologies in an MVC Application18.2.1. Using Web Forms Controls in MVC Views18.2.2. Using Web Forms Pages in an MVC Web Application18.2.3. Adding Routing Support for Web Forms Pages18.2.3.1. Web Forms Routing on .NET 418.2.3.2. Web Forms Routing on .NET 3.518.2.3.3. A Note About URL-Based Authorization18.3. Upgrading from ASP.NET MVC 118.3.1. Using Visual Studio 2010's Built-In Upgrade Wizard18.3.1.1. Upgrading to .NET 418.3.2. Other Ways to Upgrade18.3.3. A Post-Upgrade Checklist18.3.3.1. Avoiding Anti-Forgery Token Problems Next Time You Deploy18.3.3.1.1. Detecting and Fixing the Problem Automatically18.4. Summary

Content preview from Pro ASP.NET MVC 2 Framework

Chapter 15. Security and Vulnerability

You can't go far as a web developer without a solid awareness of web security issues understood at the level of HTTP requests and responses. All web applications are potentially vulnerable to a familiar set of attacks—such as cross-site scripting (XSS), cross-site request forgery (CSRF), and SQL injection—but you can mitigate each of these attack vectors if you understand them clearly.

The good news for ASP.NET MVC developers is that ASP.NET MVC doesn't on its own introduce significant new risks. It takes an easily understood bare-bones approach to handling HTTP requests and generating HTML responses, so there's little uncertainty for you to fear.

To begin this chapter, I'll recap how easy it is for end users ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781430228868Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Pro ASP.NET MVC 2 Framework

by Steven Sanderson

Chapter 15. Security and Vulnerability

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.