Friday, May 22, 2009

Will Visual Studio 2010 put Expression Blend out of business?

Not according to Jesse Liberty.

You will want Blend 3 for its terrific designer and animation capabilities and VS for its development capabilities. Microsoft is trying to make these tools the best for their target audience, rather than one tool that does everything merely adequately.

The other point Jesse makes: Because it is a few months old at this point, the Blend 3 beta won't work with .NET 4 projects yet. If you want to work on projects in VS 2010 and Blend 3, create them as .NET 3.5 projects.

Good news and bad news for Silverlight 3 development

According to this post by Tim Heuer, the good news is that you can install the Silverlight 2 and 3 SDKs with Visual Studio 2010 Beta 1. You will get multi-targeted Silverlight development (i.e., either Silverlight 2 or 3) and an editable design surface.

Do not install the Silverlight 2 or 3 Tools packages, it won't work on VS 2010. And the Silverlight Navigation App template is not included with the SDK, only with the tools package.

You also need to install the Silverlight 3 Beta Developer runtime.

The bad news: .NET RIA Services will not install on VS 2010 Beta 1.

Monday, May 18, 2009

Visual Studio 2010 (.NET 4.0) Beta 1 released

The first Beta release of VS 2010 is available starting today for MSDN subscribers.

There is a great write-up on Jason Zander's blog -


  • New templates and tools can be downloaded from VS Gallery within Visual Studio.
  • Support for TDD
  • dynamic keyword for Office programmability
  • many VB language improvements (I won't go into them 'cuz I'm a C# guy)
  • many improvements to C++ support (again, not my bag)
  • F# included with VS 2010
  • improvements to the WPF editor
  • Silverlight editor now built-in
  • HTML snippets for ASP.NET coding
  • JavaScript IntelliSense improvements
  • JQuery included
  • Team Arch does standard UML now. I'm not big into UML, but I find Sequence Diagrams pretty useful.
  • Architectural Explorer lets you browse through your Namespaces and view the structure of your app; then generate Sequence Diagrams automatically. Looks cool.
  • Test Plan management improvements ("Camano", now called Microsoft Test and Lab Manager, will be available as a scaled-down VS edition)
  • TFS improvements: branch management, visualizations, drag-drop merging.

Wow. I am looking forward to a test-drive.

.NET RIA Services minor bug fix release - May 2009 Preview

See the announcement on Brad Abrams blog -

Brad states that the Go Live for .NET RIA Services will be right around the time that Silverlight 3 releases.

Thursday, May 7, 2009

Authorization Strategies for the Business Layer

It's tempting to design a Business Layer that accepts User identity information and attempts to authenticate and authorize the user. However, security is a cross-cutting concern, and as such, should not be intertwined with your business logic.

kick it on

The strategies presented here will extract the authorization component from the business logic and embed it as a separate concern within the Business Layer. I'm going to ignore the authentication function, and focus on determining what authority an authenticated user has to call functions in the Business Layer.

Two-step Business Layer Factory

using(IFactory factory = AuthenticatedFactory.New(user, pw))
IOrderProcessing processing = factory.CreateOrderProcessing();
return processing;
// or
// container.RegisterInstance<IOrderProcessing>(processing);
catch (AuthenticationError e) { }
catch (AuthorizationError e) { }
// clean up

The authentication is done in the AuthenticationFactory. If the AuthenticationFactory has dependencies on a data layer or LDAP provider, you can trade in the static New method approach for a dependency injection approach:

public class AuthenticatedFactory 
public AuthenticatedFactory(IDataLayer dataLayer)
DataLayer = dataLayer;
// more code

Get your factory this way:

using (IFactory factory = container.Resolve<AuthenticatedFactory>())
factory.User = user;
factory.Password = pw;
// get the business layer

Fine-grained Authorization using Sub-classes

One strategy for the Business Layer is to have coarse-grained authorization to the BusinessLayer. The user is either allowed to access that particular Business Layer, or an AuthorizationError is thrown. To make the access more fine-grained, the IOrderProcessing class that is returned can be tailored to the privileges that the authenticated user has. In either case, the factory method CreateOrderProcessing with determine the access level for the user.

For example suppose the IOrderProcessing interface offers three methods: LookupOrder(), EnterOrder() and ApproveOrder(). There are three levels of access: managers can access all three, clerks can access the first two, and salespeople can only access LookupOrder(). This can be accommodated by four classes and the factory determines which to return to the application.

public class NoAccessOrderProcessing : IOrderProcessing
public virtual Order LookupOrder() { throw new AuthenticationError(); }
public virtual void EnterOrder(Order o) { throw new AuthenticationError(); }
public virtual void ApproveOrder(Order o) { throw new AuthenticationError(); }

public class SalespersonOrderProcessing : NoAccessOrderProcess
public override Order LookupOrder() { /* code here */ }

public class ClerkOrderProcessing : SalespersonOrderProcessing
public override void EnterOrder(Order o) { /* code here */ }

public class ManagerOrderProcessing : ClerkOrderProcessing
public override void ApproveOrder(Order o) { /* code here */ }

This approach has the advantage of removing the authorization logic from the business logic, but it embeds the authorization logic in your class hierarchy. The designer of the business logic will need to be aware of the authorization model at design-time. However, if you know that the functions permitted to each role are going to be static, this approach has merit.

Single business class with Static-bound delegates

An alternate approach uses indirection through delegates. This strategy will move the logic entirely out of the class hierarchy and into the Factory class. The public methods on the business layer will call delegates that are, by default, set to the methods that perform the actual business logic. The Factory can disable certain methods by setting the delegates to null prior to handing the business layer object to the application.

public delegate Order LookupHandlerType();
public delegate void ProcessOrderType(Order o);

public class OrderProcessing : IOrderProcessing
public LookupHandlerType LookupHandler;
public ProcessOrderType EnterHandler;
public ProcessOrderType ApproveHandler;

public OrderProcessing(IDataLayer dataLayer) {
DataLayer = dataLayer;

LookupHandler = _LookupOrder;
EnterHandler = _EnterOrder;
ApproveHandler = _ApproveOrder;


private IDataLayer DataLayer { get; set; }

public Order LookupOrder() {
if (LookupHandler == null)
throw new AuthorizationError();
return LookupHandler();

public void EnterOrder(Order o) {
if (EnterHandler == null)
throw new AuthorizationError();

public void ApproveOrder(Order o) {
if (ApproveHandler == null)
throw new AuthorizationError();

// business logic in these methods
private Order _LookupOrder() { return new Order(); }
private void _EnterOrder(Order o) { }
private void _ApproveOrder(Order o) { }


public class Factory
public IOrderProcessing CreateOrderProcessing()
// set these based on role user is in.
bool manager = false;
bool clerk = true;
bool salesperson = true;

//var processing = container.Resolve<IOrderProcessing>() as OrderProcessing;
OrderProcessing processing = new OrderProcessing(new MyDataLayer());

if (!manager) processing.ApproveHandler = null;
if (!clerk) processing.EnterHandler = null;
if (!salesperson) processing.LookupHandler = null;
return processing;

Dynamic-binding Authorization

As a further refinement, rather than statically binding to the Handler delegate properties, we could have the names of the Handlers stored in a database or file and use Reflection to set them to null if the role disallows access.

    public class DynamicFactory
public IOrderProcessing CreateOrderProcessing()

//var processing = container.Resolve<IOrderProcessing>() as OrderProcessing;
OrderProcessing processing = new OrderProcessing(new MyDataLayer());

//get user role, list of prohibited methods from authorization database
var prohibitedHandlers = new List<string>()
// { "ApproveHandler", "EnterHandler" };
//disable access
foreach (string handler in prohibitedHandlers)
var field = processing.GetType().GetField(handler);
field.SetValue(processing, null);
return processing;

I've presented some strategies for authorizing access to your business layer objects. It's important to keep authorization code separated from your business logic, since it is a cross-cutting concern and since security models will likely change over time, it makes sense to encapsulate the access in a Factory type object that can evolve over time. The key is that the business logic object that is handed to the application is already configured for the privileges that the user has and the authorization checking does not need to be embedded in the business logic.

kick it on

Monday, May 4, 2009

Windows 7 news

  • If you have installed the Windows 7 Beta, starting July 1, your computer will shut down every two hours, and it will expire on August 1, 2009.
  • Windows 7 Release Candidate is now available for MSDN subscription download.
  • Windows 7 Release Candidate will be available for public download tomorrow May 5.
  • Windows 7 Release Candidate will expire June 1, 2010. Bi-hourly shutdowns will start March 1, 2010.
  • In both cases (Beta and RC), there will be no upgrade path to a retail, licensed version. You will need to wipe and re-install.
  • Windows 7 includes IE 8, Windows Media Player 12 and .NET 3.5 SP1.

WPF Model-View-ViewModel Toolkit

The WPF team at Microsoft has released a toolkit (version 0.1) that addresses developing UIs with the M-V-VM pattern.

It's definitely a first-pass (e.g. no VB.NET support), but they are looking for feedback on this effort. There is also a bit of confusion as to how this compares to the Silverlight development pattern in RIA Services. See this StackOverflow discussion.

The toolkit includes:

  • A Visual Studio 2008 template (Visual C# Express 2008 also supported)
  • Documentation
    • General introduction to M-V-VM
    • Walkthrough using the VS template
  • A complete WPF application demonstrating the M-V-VM pattern

Here's a post about ViewModel and how it enhances the UI's testability.

Check it out here: WPF Model-View-ViewModel Toolkit

kick it on