book

Programming ASP.NET MVC 4

by Jess Chadwick, Todd Snyder, Hrusikesh Panda

September 2012

Intermediate to advanced

488 pages

13h 28m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Programming ASP.NET MVC 4
SPECIAL OFFER: Upgrade this ebook with O’Reilly
Preface
AudienceAssumptions This Book MakesConventions Used in This BookUsing Code ExamplesSafari® Books OnlineHow to Contact Us
I. Up and Running
1. Fundamentals of ASP.NET MVC
Microsoft’s Web Development PlatformsActive Server Pages (ASP)ASP.NET Web FormsASP.NET MVCThe Model-View-Controller ArchitectureThe ModelThe ViewThe ControllerWhat’s New in ASP.NET MVC 4?Introduction to EBuyInstalling ASP.NET MVCCreating an ASP.NET MVC ApplicationProject TemplatesConvention over ConfigurationRunning the ApplicationRoutingConfiguring RoutesControllersController ActionsAction ResultsAction ParametersModel binding basicsModel binding complex objectsAction FiltersViewsLocating ViewsHello, Razor!Differentiating Code and MarkupCode nuggetsCode blocksLayoutsPartial ViewsDisplaying DataCleaner access to ViewData values via ViewBagView modelsStrongly typed viewsHTML and URL HelpersModelsPutting It All TogetherThe RouteThe ControllerController templatesThe ViewAuthenticationThe AccountControllerSummary
2. ASP.NET MVC for Web Forms Developers
It’s All Just ASP.NETTools, Languages, and APIsHTTP Handlers and ModulesManaging StateDeployment and RuntimeMore Differences than SimilaritiesSeparation of Application Logic and View LogicURLs and RoutingState ManagementRendering HTMLHTML helpers versus server controlsPartial views versus user controlsLayouts versus master pagesAuthoring ASP.NET MVC Views Using Web Forms SyntaxA Word of CautionSummary
3. Working with Data
Building a FormHandling Form PostsSaving Data to a DatabaseEntity Framework Code First: Convention over ConfigurationCreating a Data Access Layer with Entity Framework Code FirstValidating DataSpecifying Business Rules with Data AnnotationsRequired fieldsValid rangesCustom error messagesDisplaying Validation ErrorsSummary
4. Client-Side Development
Working with JavaScriptSelectorsResponding to EventsDOM ManipulationAJAXClient-Side ValidationSummary
II. Going to the Next Level
5. Web Application Architecture
The Model-View-Controller PatternSeparation of ConcernsMVC and Web FrameworksArchitecting a Web ApplicationLogical DesignASP.NET MVC Web Application Logical DesignLogical Design Best PracticesPhysical DesignProject Namespace and Assembly NamesDeployment OptionsPhysical Design Best PracticesPerformance and scalabilityBandwidth and latencyDesign PrinciplesSOLIDThe Single Responsibility PrincipleThe Open/Closed PrincipleThe Liskov Substitution PrincipleThe Interface Segregation PrincipleThe Dependency Inversion PrincipleInversion of ControlUnderstanding dependenciesService locationDependency injectionPicking an IoC containerUsing Inversion of Control to extend ASP.NET MVCDon’t Repeat YourselfSummary

6. Enhancing Your Site with AJAX
Partial RenderingRendering Partial ViewsRendering a “normal” viewRendering a partial viewManaging complexity with partial viewsJavaScript RenderingRendering JSON DataAvoiding JSON hijacking with JsonRequestBehaviorRequesting JSON DataClient-Side TemplatesReusing Logic Across AJAX and Non-AJAX RequestsResponding to AJAX RequestsResponding to JSON RequestsApplying the Same Logic Across Multiple Controller ActionsSending Data to the ServerPosting Complex JSON ObjectsModel Binder SelectionReplacing the default (fallback) binderAdorning models with custom attributesRegistering a global binderSending and Receiving JSON Data EffectivelyCross-Domain AJAXJSONPMaking a JSONP requestAdding JSONP support to ASP.NET MVC controller actionsEnabling Cross-Origin Resource SharingSummary
7. The ASP.NET Web API
Building a Data ServiceRegistering Web API RoutesLeaning on Convention over ConfigurationOverriding ConventionsHooking Up the APIPaging and Querying DataException HandlingMedia FormattersSummary
8. Advanced Data
Data Access PatternsPlain Old CLR ObjectsUsing the Repository PatternObject Relational MappersEntity Framework OverviewChoosing a Data Access ApproachDatabase ConcurrencyBuilding a Data Access LayerUsing Entity Framework Code FirstCode First data annotationsOverriding conventionsThe EBuy Business Domain ModelWorking with a Data ContextSorting, Filtering, and Paging DataSummary
9. Security
Building Secure Web ApplicationsDefense in DepthNever Trust InputEnforce the Principle of Least PrivilegeAssume External Systems Are InsecureReduce Surface AreaDisable Unnecessary FeaturesSecuring an ApplicationSecuring an Intranet ApplicationSetting up Windows AuthenticationConfiguring IIS ExpressConfiguring IIS 7Using the AuthorizeAttributeForms AuthenticationAccountControllerAuthenticating usersRegistering new usersChanging passwordsInteracting via AJAXUser authorizationGuarding Against AttacksSQL InjectionCross-Site ScriptingCross-Site Request ForgeryUsing ASP.NET MVC to avoid Cross-Site Request ForgerySummary
10. Mobile Web Development
ASP.NET MVC 4 Mobile FeaturesMaking Your Application Mobile FriendlyCreating the Auctions Mobile ViewGetting Started with jQuery MobileEnhancing the View with jQuery MobileImproving the auctions list with jQuery Mobile’s “listview”Making the auctions list searchable with jQuery Mobile’s “data-filter”Switching between desktop and mobile viewsAvoiding Desktop Views in the Mobile SiteImproving Mobile ExperienceAdaptive RenderingThe Viewport TagMobile Feature DetectionCSS Media QueriesBrowser-Specific ViewsCreating a New Mobile Application from ScratchThe jQuery Mobile Paradigm ShiftThe ASP.NET MVC 4 Mobile TemplateUsing the ASP.NET MVC 4 Mobile Application TemplateSummary
III. Going Above and Beyond
11. Parallel, Asynchronous, and Real-Time Data Operations
Asynchronous ControllersCreating an Asynchronous ControllerChoosing When to Use Asynchronous ControllersReal-Time Asynchronous CommunicationComparing Application ModelsHTTP PollingBrowser supportDownsidesHTTP Long PollingBrowser supportDownsidesServer-Sent EventsBrowser supportDownsidesWebSocketsBrowser supportDownsidesEmpowering Real-Time CommunicationPersistent connectionsHubsConfiguring and TuningManaging SignalR connectionsConfiguring the environmentSummary
12. Caching
Types of CachingServer-Side CachingClient-Side CachingServer-Side Caching TechniquesRequest-Scoped CachingUser-Scoped CachingSession lifetimeStoring session dataApplication-Scoped CachingThe ASP.NET CacheExpirationCache dependenciesScavengingThe Output CacheConfiguring the cache locationVarying the output cache based on request parametersOutput cache profilesDonut CachingDonut Hole CachingDistributed CachingDistributed caching solutionsInstalling VelocityAdministering your memory cluster from PowerShellUsing the cacheClient-Side Caching TechniquesUnderstanding the Browser CacheApp CacheDefine the manifestReference the manifestServe the manifest correctlyLocal StorageSummary
13. Client-Side Optimization Techniques
Anatomy of a PageAnatomy of an HttpRequestBest PracticesMake Fewer HTTP RequestsUse a Content Delivery NetworkAdd an Expires or a Cache-Control HeaderSet up client caching in IISSet up client caching through ASP.NET MVCCache bustingGZip ComponentsPut Stylesheets at the TopPut Scripts at the BottomDefer script executionLazy loading scriptsMake Scripts and Styles ExternalReduce DNS LookupsMinify JavaScript and CSSAvoid RedirectsRemove Duplicate ScriptsConfigure ETagsMeasuring Client-Side PerformancePutting ASP.NET MVC to WorkBundling and MinificationDefining bundlesEnabling bundlesCache bustingSummary
14. Advanced Routing
WayfindingURLs and SEOBuilding RoutesDefault and Optional Route ParametersRouting Order and PriorityRouting to Existing FilesIgnoring RoutesCatch-All RoutesRoute ConstraintsPeering into Routes Using GlimpseAttribute-Based RoutingExtending RoutingThe Routing PipelineSummary
15. Reusable UI Components
What ASP.NET MVC Offers out of the BoxPartial ViewsHtmlHelper Extensions or Custom HtmlHelpersDisplay and Editor TemplatesHtml.RenderAction()Taking It a Step FurtherThe Razor Single File GeneratorInstalling the Razor Single File GeneratorCreating Reusable ASP.NET MVC ViewsIncluding Precompiled views in an ASP.NET MVC web applicationCreating Reusable ASP.NET MVC HelpersUnit Testing Razor ViewsSummary
IV. Quality Control
16. Logging
Error Handling in ASP.NET MVCEnabling Custom ErrorsHandling Errors in Controller ActionsDefining Global Error HandlersCustomizing the error pageLogging and TracingLogging ErrorsSimple try/catch handlerOverriding Controller.OnException()Custom error filtersASP.NET Health MonitoringSummary
17. Automated Testing
The Semantics of TestingManual TestingHumans are error proneComputers are more efficientManual testing takes timeAutomated TestingLevels of Automated TestingUnit TestsAtomicRepeatableIsolated/IndependentFastIntegration TestsAcceptance TestsUser acceptance testingWhat Is an Automated Test Project?Creating a Visual Studio Test ProjectCreating and Executing a Unit TestTesting an ASP.NET MVC ApplicationTesting the ModelFocus on the positiveProtect against the negativeTest-Driven DevelopmentWriting Clean Automated TestsDuplicate codeNamingTesting ControllersTesting data access logicRefactoring to Unit TestsMocking DependenciesManually creating mock objectsUsing a mock frameworkTesting ViewsTesting application logic in the browserCode CoverageThe Myth of 100% Code CoverageDeveloping Testable CodeSummary
18. Build Automation
Creating Build ScriptsVisual Studio Projects Are Build Scripts!Adding a Simple Build TaskExecuting the BuildBuilding in Visual StudioBuilding from the command lineThe Possibilities Are Endless!Automating the BuildTypes of Automated BuildsCreating the Automated BuildContinuous IntegrationDiscovering IssuesThe Principles of Continuous IntegrationMaintain a single source repositoryAutomate the buildMake your build self-testingHave everyone commit to the mainline frequentlyEvery commit should build the mainline on an integration machineKeep the build fastTest in a clone of the production environmentMake it easy for anyone to get the latest executableEveryone can see what’s happeningAutomate deploymentSummary
V. Going Live
19. Deployment
What Needs to Be DeployedCore Website Files“bin-deploying” ASP.NET MVC librariesStatic ContentWhat Not to DeployDatabases and Other External DependenciesWhat the EBuy Application RequiresDeploying to Internet Information ServerPrerequisitesDeploying the ASP.NET MVC Framework assembliesCreating and Configuring an IIS WebsitePublishing from Within Visual StudioCopying files with MSBuildExecuting database scripts with MSBuildDeploying to Windows AzureCreating a Windows Azure AccountCreating a New Windows Azure WebsitePublishing a Windows Azure Website via Source ControlSummary
VI. Appendixes
A. ASP.NET MVC and Web Forms Integration
Choosing Between ASP.NET MVC and ASP.NET Web FormsTransitioning a Web Forms Site to ASP.NET MVCAdding ASP.NET MVC to an Existing Web Forms ApplicationCopying Web Forms Functionality to an ASP.NET MVC ApplicationIntegrating Web Forms and ASP.NET MVC FunctionalityUser ManagementCache ManagementMany, Many More!Summary
B. Leveraging NuGet as a Platform
Installing the NuGet Command-Line ToolCreating NuGet PackagesThe NuSpec FileUsing the NuGet command-line toolUsing the NuGet Package ExplorerGenerating the NuGet Package from a NuSpec FileSpecifying token valuesSetting the versionThe Anatomy of a NuGet PackageContentAssembliesToolsTypes of NuGet PackagesAssembly PackagesTool PackagesMeta PackagesSharing Your NuGet PackagesPublishing to the Public NuGet.org Package RepositoryUsing the NuGet.org package upload wizardUsing the NuGet command-line toolHost Your Own Package RepositoryUsing a filesystem repositoryHosting a NuGet Server repositoryTips, Tricks, and PitfallsPitfall: NuGet Does Not Solve “DLL Hell”Tip: Use Install-Package -Version to Install a Specific Package VersionTip: Use Semantic VersioningTip: Mark “Beta” Packages with Prerelease Version MarkersPitfall: Avoid Specifying “Strict” Version Dependencies in Your NuSpec FilesTip: Use Custom Repositories to Control Package VersionsTip: Configure Your Continuous Integration Builds to Generate NuGet PackagesSummary
C. Best Practices
Use the NuGet Package Manager to Manage DependenciesDepend on AbstractionsAvoid the New KeywordAvoid Referring to HttpContext Directly (Use HttpContextBase)Avoid “Magic Strings”Prefer Models over ViewDataDo Not Write HTML in “Backend” CodeDo Not Perform Business Logic in ViewsConsolidate Commonly Used View Snippets with Helper MethodsPrefer Presentation Models over Direct Usage of Business ObjectsEncapsulate if Statements with HTML Helpers in ViewsPrefer Explicit View NamesPrefer Parameter Objects over Long Lists of ParametersEncapsulate Shared/Common Functionality, Logic, and Data with Action Filters or Child Actions (Html.RenderAction)Prefer Grouping Actions into Controllers Based on How They Relate to Business ConceptsAvoid Grouping Actions into Controllers Based on Technical RelationPrefer Placing Action Filters at the Highest Appropriate LevelPrefer Multiple Views (and/or Partial Views) over Complex If-Then-Else Logic That Shows and Hides SectionsPrefer the Post-Redirect-Get Pattern When Posting Form DataPrefer Startup Tasks over Logic Placed in Application_Start (Global.asax)Prefer Authorize Attribute over Imperative Security ChecksPrefer Using the Route Attribute over More Generic Global RoutesConsider Using an Antiforgery Token to Avoid CSRF AttacksConsider Using the AcceptVerbs Attribute to Restrict How Actions May Be CalledConsider Output CachingConsider Removing Unused View EnginesConsider Custom ActionResults for Unique ScenariosConsider Asynchronous Controllers for Controller Tasks That Can Happen in Parallel
D. Cross-Reference: Targeted Topics, Features, and Scenarios
Index
About the Authors
Colophon
SPECIAL OFFER: Upgrade this ebook with O’Reilly
Copyright

Content preview from Programming ASP.NET MVC 4

Chapter 9. Security

This chapter discusses the details of how to build secure ASP.NET MVC web applications, including guidance on how to secure web applications; the differences that need to be taken into account when securing Internet, intranet, or extranet applications; as well as how to take advantage of functionality built right into the .NET Framework that can help prevent the common security issues that most web applications face.

Building Secure Web Applications

Benjamin Franklin once said that “an ounce of prevention is worth a pound of cure.” This statement conveys the philosophy that you should embrace when it comes to securing your web applications: the world is a dangerous place and web applications often represent attractive targets for would-be attackers, so you’re going to want to be prepared.

Unfortunately, there are no silver bullets when it comes to web application security. It isn’t as simple as including a library or making a method call. Security is something that needs to be baked into an application right from the start and not an afterthought that is tacked on at the last minute.

There are, however, a few security principles that we will explain over the next few sections that can have a great impact on creating more secure ASP.NET MVC web applications. If you keep these principles in mind as you design and implement your web applications, you have a much greater chance of avoiding some of the more common and serious security mistakes.

Defense in Depth

Just because ...

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 9781449321932Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design