Herding Code 175: Dominick Baier on Securing ASP.NET Web APIs and HTTP Services

At NDC, Jon, K Scott and Rob Conery talked to Dominick Baier about HTTP API security: CORS, token based authentication and more.

Download: Herding Code 175: Dominick Baier on Securing ASP.NET Web APIs and HTTP Services

Show Notes:

  • Overview of CORS and Token Based Authentication
    • (00:17) K Scott asks Dominick about the subject of his talk at NDC. Dominick runs through the upcoming changes in Web API authentication, including an overview of CORS and token based authentication.
    • (03:49) Dominick explains the ability to support a separate token server in Web API and announces Authentication Server, his new open source project which provides
    • (05:13) Rob describes how he’s seen people breaking their sites and services across multiple domains and subdomains. He explains a problem he’s currently running into with older releases of Internet Explorer. Dominick explains more about how CORS works and talks about options for working with older browsers – either sticking with JSONP or putting services in the same domain.
  • OAuth
    • (08:15) Jon asks how security token service relates to more well-known terms like OpenID and OAuth. Dominick explains some of the history and challenges OAuth has encountered. As a result, the OAuth spec is really just a collection of patterns rather than a strict specification.
    • (11:19) Jon asks Dominick how he implemented the OAuth spec in his Authentication Server implementation. Dominick gives examples of how the spec is very open – for instance, there are 69 occurrences of the word MAY in the spec. He says he’s been advocating for a minimum profile.
    • (12:56) K Scott asks what sort of authentication should be used with Dominick’s security token server, since OAuth isn’t an authentication mechanism. Dominick explains the interaction with security tokens.
  • Token based security and JWT
    • (14:49) Jon comments on the difference in security implications between a compromised token vs. a compromised account password. Dominick says that a token binds five things together: the client, a human, an application, permissions and time. He mentions that with token based authentication you can outsource the security mechanism – passwords, certificates, etc. – and talks about the newly released JSON Web Token (JWT) handler.
    • (15:50) K Scott asks for some specifics about the JWT handler.
    • (16:27) K Scott asks for more information about Dominick’s talk.
  • Roles vs. Claims
    • (17:14) Jon asks about the difference between roles and claims. Dominick explains that a role is just a very simple claim: are you in a role or not? Claims move from a simple boolean to more of a name / value pair
    • (18:31) Jon asks what the average developer needs to know about Windows Identity Foundation.
  • Photography and wrap-up
    • (19:02) K Scott asks Dominick about the photos section on his site and comments on how they’re just about all black and white. Dominick
    • (20:52) K Scott asks Dominick what he’s got coming up. Dominick says he’s been heads down on the Authentication Server release.

Show Links:

Herding Code 174: Paul Stack on automating Windows configuration management with Puppet and PowerShell

At NDC, K Scott and and Jon talked to Paul Stack about automating server configuration management with Puppet and PowerShell.

Download: Herding Code 174: Paul Stack on automating Windows configuration managment with Puppet and PowerShell

Show Notes:

  • Intro
    • (00:32) Paul gave a talk on Windows infrastructure management with Puppet and PowerShell. Puppet is a configuration management tool. It allows you to define a configuration management level, and Puppet will bring it to that level and keep it there.
    • (01:05) K Scott asks Paul how this relates to his continuous deployment emphasis. Paul explains how this has been part of the maturity model they’ve been using at his employer, Open Table.
    • (01:50) Paul explains how they started using Puppet in their pre-production environment of 19 VMs. Their production environment is four times that large.
  • Some more questions about Puppet
    • (03:00) Jon asks how Vagrant and Chef fit in. Paul explains how Puppet, Chef and CFEngine relate.
    • (04:07) K Scott asks if it’s worthwhile to look at Puppet in a small environment with 2-3 servers. Paul says there’s an investment, so you really start seeing the rewards as things start getting more complex.
    • (05:01) K Scott asks how you define a state.
    • (06:30) K Scott asks about the client running on the target servers.
    • (06:51) Jon asks how the verification works.
    • (07:32) Jon asks if it’s possible to use Puppet in cloud environments.
    • (07:56) K Scot asks if you can use Puppet to configure developer workstations. Paul talks about GitHub’s Boxen system. Jon talks about his experiences looking at Boxen before settling on sprout-wrap.
    • (09:21) Paul mentions that Open Table just open sourced their Puppet IIS implementations.
  • How Puppet relates to PowerShell and Chocolatey
    • (09:36) Jon asks what the PowerShell tie-in is, since Puppet is all Ruby based. Paul talks about the PowerShell scripts they exec from Puppet and how they use them to do things like turn Windows features on and off.
    • (11:01) K Scott asks if you could use Chocolatey with Puppet, and Paul says they’re using Chocolatey via PowerShell. Jon says that sounds useful since Chocolatey can now integrate with the Web Platform Installer, and Paul says they’re doing just that to install .NET 4 on their servers.
  • More questions about Puppet
    • (11:47) Paul talks about how traditional infrastructure management runs on documentation, and how they can replace all of that using Puppet.
    • (12:58) K Scott asks if this is also useful for deployments. Paul says a deployment is just a different configuration state, so Puppet can handle that just fine.
    • (14:09) Jon asks if Puppet can handle database state.
    • (14:50) Jon asks how you handle licenses with Puppets.
    • (15:20) Jon asks how Puppet relates to Windows configuration management options. Paul says that at Open Table they’ve moved to using multiple platforms, so they need infrastructure management options that can work across all of those environments.
    • (16:30) K Scott asks what is was about Puppet that caused him to lose some hair. Paul says it’s scary to be able to write a module that makes changes to 90 servers.
  • And some more Puppet stuff
    • (17:30) Jon asks if it’s possible to do automated testing with Puppet configuration and modules.
    • (18:27) K Scott asks if there’s any kind of rollback plan for Puppet.
    • (18:40) K Scott tries to ask Paul about what he does in his free time, but Paul says in his free time he writes code and changes the subject back to Puppet.
    • (19:21) Paul says he’s going to be speaking at Puppet Conf, so he’ll be speaking at a Linux administrator’s conference.
    • (20:00) K Scott asks if there’s political fallout from systems administrators who are concerned he’s trying to replace their jobs. Paul says he’s trying to free them up from repetitive tasks in their jobs so they can get more done.
    • (20:56) K Scott asks Paul about upcoming conferences he’s going to be speaking at.

Show Links:

Herding Code 173: Laurent Bugnion on sharing code with MVVM Light in Windows 8 and Windows Phone

At NDC, Jon, K Scott and and Rob Conery talked to Laurent Bugnion about XAML development, sharing code between Windows 8 and Windows Phone, and modern design.

Download / Listen: Herding Code 173: Laurent Bugnion on sharing code with MVVM Light in Windows 8 and Windows Phone

Show Notes:

  • XAML vs. HTML for Windows Store development
    • (00:40) Rob asks Laurent how often customers ask for HTML/JS based Windows Store application rather than XAML based. Laurent lists a few of the cases where people ask for HTML based work, but says the cases are very rare. Generally they’re much more productive with XAML and C#.
    • (02:49) Rob asks Laurent if he thinks this will change over time. Laurent says IDE support may affect things a little, but generally he thinks web developers don’t do desktop development because they don’t want to do desktop development – they went into web development because they wanted to develop for the web.
    • (04:09) Jon asks if Laurent sees things changing over time in XAML based development. Laurent says he sees some big changes in performance – you can get good performance out of the native controls with full designer support now. In terms of Windows 8, he’s hoping for more controls to cover some Windows 8 UI elements so they don’t require custom controls. In terms of design, he sees some cases where people are breaking some of the general Windows Store design guidelines in cases where they aren’t as user friendly. Jon says he’s seen one example of this – adding a print app bar button to applications where printing is a regular activity, even though technically the print is supposed to be accessed via the share charm. Laurent says he also sees this in search-heavy apps.
  • Cross-platform code sharing and Portable Class Libraries
    • (07:46) Jon asks about Laurent’s talk on sharing code between platforms – does it work? Laurent says he’s focusing on portable class libraries – writing logic that works on Windows Phone and Windows Store, then building a UI on top of those libraries. That’s working well for him and he’s using it in production. It’s still XAML and C#, so you can also share code, too.
    • (09:26) K Scott asks about MVVM Light – is that working with Portable Class Libraries? Laurent says someone at Microsoft use a PCL port of MVVM Light as a test case, and it’s working very well. They still maintain platform specific versions of MVVM Light for people who only work on a specific platform.
    • (10:38) K Scott asks for a quick summary of what MVVM Light does.
    • (12:45) K Scott asks about some of the challenges in converting MVVM Light to a PCL. Laurent talks about some UI and platform differences.
  • Metro and modern design
    • (14:21) Rob asks how you make different design decisions around “Metro” design or other alternatives. Laurent discusses the design process.
    • (16:29) Rob asks about some of the design considerations, and how you’d decide on platforms. Laurent says a default XAML application uses themes which will fit in with the host platform and operating systems, but might look at bit boring, which is why you work with a designer.
    • (18:25) Jon says the Windows Store design principles don’t prescribe a boring look, referencing the “alive with color” thing and Kelly Sommers’ post about how Metro Doesn’t Have To Be Boring. Laurent says he doesn’t like the “flat design” term, preferring modern – and modern came from Bauhaus in the 1920’s, Swiss design in the 1950’s, etc. He says it’s important to go the design principles, then use your skill as a designer to apply that. There are enough apps on the Windows Phone store that getting noticed takes a good design.
  • Hobbies
    • (22:09) Rob asks Laurent what he does for hobbies. Laurent lists some things that keep him busy, then talks about his fish pond. Rob tells probably the worst newt joke of all time.

Show Links:

Herding Code 172: Nik Molnar on Running an Open Source Project

At NDC, Jon and K Scott talked to Nik Molnar about what he’s learned about running an open source project from his experiences with Glimpse.

Download: Herding Code 172: Nik Molnar on Running an Open Source Project

Show Notes:

  • Running an open source project
    • (00:35) Nik says he’s writing the guide he wishes he’d had a few years ago.
    • (01:06) K Scott asks him for one big thing he’s learned. Nik talks about the importance of public communication.
    • (01:36) Jon mentions the difference between open source code and open source projects, and Nik mentions some of the different documented governance models for open source projects, citing OSS Watch and YUI. This helps
    • (03:15) K Scott asks if Glimpse presents unique challenges because there’s a plugin ecosystem. Nik says they used to just see code contributors and plugin authors, but now he sees contributors with a much broader perspective, citing Peter Hahndorf’s documentation contributions.
    • (4:54) Jon asks Nik how he defines success for an open source project. Nik says it depends on the project founder’s goals. He says project popularity isn’t important to him personally, it’s helping users.
    • (5:50) K Scott asks Nik about his slide that says Avoid Bikeshedding. Nik explains Parkinson’s law of triviality and how it affects open source.
    • (08:58) Jon asks Nik if he thinks roadmaps are important. Nik says this an important part of the public communication he mentioned earlier. Jon says he’s found that involving people in decisions that will affect them early really important for any kind of project, open source or not. Nik explains how this is handled in the meritocratic model.
  • Cooking’s like programming
    • (11:12) K Scott asks Nik about the latest big dish he’s prepared.
    • (12:45) Nik talks about the parallels between programming and cooking – both have rules that must be followed, but a lot of room for creativity.
    • (13:35) Jon talks about a professional chef textbook he got from the library (Nik tells him it’s from the Culinary Institute of America). Jon says he saw some parallels between things like food sanitation and source control – you need to start with fundamentals, but then you can apply them in creative ways. Nik describes some further parallels: cooking math and resourcing, the kitchen brigade system and project management.
    • (15:12) Nik talks about the ALT.NET of cooking and the focus on basic, classic skills.
  • What’s next
    • (16:08) K Scott asks Nik about what’s next for him. Nik talks about their latest release and the Heads Up Display. He talks about how simplified web publishing has led to a big increase in documentation contributions. K Scott raves about the UI design.
    • (18:45) Jon asks what’s new with semantic versioning since they last talked.
    • (19:18) Jon asks what’s next for Glimpse. Nik says it’ll be decided by the community, but he’s expecting they’ll want Web API support.

Show Links:

Herding Code 171: Magnus Martensson talks Continuous Delivery on Windows Azure and the Global Windows Azure Bootcamp

At NDC, Jon and K Scott talked to Magnus Martensson about continuous delivery on the Windows Azure platform and the Global Windows Azure Bootcamp he helped run.

Download / Listen:

Herding Code 171: Magnus Martensson talks Continuous Deliverery on Windows Azure and the Global Windows Azure Bootcamp [audio:http://herdingcode.com/wp-content/uploads/HerdingCode-0171-NDC-Magnus-Martensson-on-Azure.mp3]

Show Notes:

  • Continuous Delivery on Windows Azure
    • (00:20) Jon asks Magnus about what he’ll be speaking about at NDC.
    • (00:45) Jon asks about the difference between continuous integration and continuous delivery. Magnus says continuous integration just runs tests and builds, but it doesn’t go anywhere; continuous delivery actually deploys the code to an environment – staging, possibly production.
    • (02:06) K Scott asks about Azure support for continuous delivery. Magnus says you can do it with cloud services, but there’s a delay; with Windows Azure Web Sites the deployment is extremely fast and easy.
    • (03:00) K Scott asks about the steps of setting up continuous delivery for a web application for deployment including non-git source control. Magnus talks about the setup, new offerings for dev / test scenarios, and asks why anyone wouldn’t integrate this into their development process.
    • (05:02) Jon asks what recent Azure changes were announced. Magnus discusses both pricing and policy changes for MDSN subscriptions.
    • (05:47) Jon asks what some of Magnus’ demos include. Magnus talks about using your own TFS service, other git repos, etc. He talks about a his secret demo – the non-Microsoft demo that uses TeamCity, NUnit, and GitHub.
    • (07:45) K Scott mentions all the new Azure SDK language support.
  • Migrating to the cloud and surprise business transformations
    • (07:54) Jon asks how this relates to Magnus’ work. Magnus works at Active Solution, which employs both of Sweden’s Azure MVP’s. Cloud development is really a hot field in Sweden right now.
    • (08:45) Jon asks about some common challenges. Magnus says the biggest thing is learning the platforms – there are a lot of architectural and strategic things they haven’t even considered.
    • (10:23) K Scott asks if businesses think they can’t move to the cloud because they have custom processes or protocols.
    • (10:59) Jon asks if they often do hybrid solutions. Magnus says that multitenant solutions are common, and the process allows companies to transform themselves from product to service companies.
  • Global Windows Azure Bootcamp
    • 12:21 Jon asks about the Global Windows Azure Bootcamp that Magnus helped organize. Magnus tells the story of how they started talking to a few MVPs and things spiraled out of control. In the end they had all timezones, 92 locations, over 5000 attendees. They had some big turnout in some unexpected locations: Nepal, Brazil, Africa.
    • 14:08 Jon asks what happened at the event. Magnus talks about the content in the Windows Azure Training Kit and a shared demo with nearly 5000 coordinated worker roles in a giant render farm passed the rendering power of some Pixar films.
    • (16:13) Jon asks about the relationship with Microsoft for the event. It was community run, but Microsoft helped out with things like attendee giveaways.
    • (16:52) Jon asks if they’ll do this again. Magnus says yes and talks about some of the scaling challenges. He calls out the sponsors, who gave away $18 million in license giveaways. It scales because each location is independent, so each location just needs to run one event. 
    • (18:36) Jon says this reminds him of Corey Haines’ Global Day of Code Retreat.
    • (18:52) Jon asks what Magnus is up to next. Magnus says he’s moving and calls out the upcoming CloudBurst conference – in Sweden and live streamed.

Show Links: