Tài liệu ASP.NET 1.1 Insider Solutions- P10 docx

”) End Sub 445 446 11 Working with XML Data FIGURE 11.1 Alternatives to XPathNavigator Accessing book and author nodes by using the XPathNavigator API Sorting XML Data The XmlDocument and DataSet classes could also be used to search and filter the XML document shown in Listing 11.7 However, because no editing operations were performed, the XPathDocument and XPathNavigator combination provides a more efficient solution In the past, applications that required XML data to be sorted have typically relied on XSLT and the xsl:sort element due to XPath’s lack of native support for sorting data Although using XSLT to sort can get the job done, writing stylesheets and templates is often overkill and doesn’t work for all types of data sorts In fact, the XSLT 1.0 specification only supports text and numeric sorts “out of the box.” Fortunately, the reliance on XSLT to sort XML data is minimized in the NET Framework due to native XML sorting capabilities found in the XPathExpression and DataView classes In addition to being able to perform textual and numeric sorts, you can use the XPathExpression class to perform custom sorts, using objects that implement the IComparer interface You can also use the DataView class to sort data loaded into a DataTable instance The following sections demonstrate how to sort XML data by using the XPathNavigator and XPathExpression classes and provide details on how to leverage the IComparer interface They also demonstrate how to sort XML data by using XSD schemas, along with DataTable and DataView instances Sorting with the XPathExpression Class You can sort XML nodes by first compiling an XPath statement into an XPathExpression object This is accomplished by calling the XPathNavigator class’s Compile() method Then you can add a text or numeric sort to the XPathExpression object by calling its AddSort() method AddSort() has two overloads: Searching, Filtering, and Sorting XML Data Overloads Public MustOverride Sub AddSort( _ ByVal expr As Object, _ ByVal comparer As IComparer _ ) Overloads Public MustOverride Sub AddSort( _ ByVal expr As Object, _ ByVal order As XmlSortOrder, _ ByVal caseOrder As XmlCaseOrder, _ ByVal lang As String, _ ByVal dataType As XmlDataType _ ) The first of these overloads allows a custom object implementing IComparer to be used to perform sorts This is useful when more advanced sorts need to take place The second overload accepts a sort key, the sort order (ascending or descending), a value indicating how to sort uppercase and lowercase text, a language value, and the type of sort to perform (text or numeric) Listing 11.9 shows how to use the Compile() and AddSort() methods to sort the news headlines shown in Listing 11.1 The code sorts the headlines based on the title element, in ascending order LISTING 11.9 Sorting XML Data by Using the XPathNavigator and XPathExpression Classes Dim sorted As New StringBuilder ‘XPath statement Dim xpath As String = “/moreovernews/article/headline_text” ‘Create XPathDocument class so we can get a navigator Dim doc As New XPathDocument(Server.MapPath(“Listing1.xml”)) Dim nav As XPathNavigator = doc.CreateNavigator() ‘Compile xpath expression Dim exp As XPathExpression = nav.Compile(xpath) ‘Add a sort based upon the headline_text child text node exp.AddSort(“text()”, XmlSortOrder.Ascending, XmlCaseOrder.None, _ “”, XmlDataType.Text) ‘select nodes so we can see the sort Dim it As XPathNodeIterator = nav.Select(exp) While it.MoveNext() ‘Grab headline_text value Dim headline As String = it.Current.Value ‘Move to article it.Current.MoveToParent() ‘Move to url it.Current.MoveToFirstChild() 447 Simplifying Configuration by Using XML LISTING 11.27 The ConfigFileReader Class Public Class ConfigFileReader Public Shared Function GetConnectionString(ByVal server _ As String) As String Dim config As ServerConfig = GetConfig() ‘Check if Web server matches with dev server name or not Array.Sort(config.SqlServer.Dev.Servers) If Array.BinarySearch(config.SqlServer.Dev.Servers, _ server) > -1 Then Return config.SqlServer.Dev.ConnString End If ‘Check if Web server matches with prod server name or not Array.Sort(config.SqlServer.Prod.Servers) If Array.BinarySearch(config.SqlServer.Prod.Servers, _ server) > -1 Then Return config.SqlServer.Prod.ConnString End If ‘Default is Nothing Return Nothing End Function Public Shared Function GetConfig() As ServerConfig Dim context As HttpContext = HttpContext.Current ‘Check if config is already loaded into cache If context.Cache.Get(“ServerConfig”) Is Nothing Then Dim reader As XmlTextReader = Nothing Try Dim configPath As String = _ context.Server.MapPath(_ ConfigurationSettings.AppSettings(“ServerConfig”)) reader = New XmlTextReader(configPath) ‘Deserialize XML configuration data Dim s As New XmlSerializer(GetType(ServerConfig)) Dim config As ServerConfig = CType(s.Deserialize(reader), _ ServerConfig) ‘Create file dependency for cache Dim cd As New CacheDependency(New String() {configPath}) context.Cache.Insert(“ServerConfig”, config, cd) Return config Catch Throw New ApplicationException(“Unable to find config file.”) Finally 473 474 11 Working with XML Data LISTING 11.27 Continued If Not (reader Is Nothing) Then reader.Close() End If End Try Else Return CType(context.Cache.Get(“ServerConfig”), ServerConfig) End If End Function End Class When you use the ConfigFileReader class, you can quickly and easily access configuration data by using object-oriented code rather than XPath statements: Dim config As ServerConfig = ConfigFileReader.GetConfig() Dim connStr As String = _ ConfigFileReader.GetConnectionString(Request.UserHostName) Me.lblOutput.Text = connStr + “” Me.lblOutput.Text += “SMTP Server: “ + config.SmtpServer.Name + “” Me.lblOutput.Text += “Proxy Server: “ + config.ProxyServer.Name XML serialization really shines when structural or naming changes are made to the XML configuration document Although you must run the xsd.exe utility against an updated version of the document’s XSD schema, any code that contains invalid object references to old configuration classes or properties will be instantly identified by the compiler This makes it easier to ensure that changes made in the code mirror configuration file changes Summary This chapter focuses on several ways that you can use XML data in ASP.NET applications XML’s support for marking up data in a platform-neutral manner makes it an excellent choice for sending data between distributed systems and applications XML is also useful for more basic duties, such as storing configuration settings The chapter discusses the pros and cons of the different XML APIs in the NET Framework Knowing when and where different APIs should be used is important to ensuring that an ASP.NET application is scalable and efficient This is especially true as the size of XML documents increases This chapter also discusses techniques for combining functionality offered by the XmlTextReader and XmlTextWriter classes Using these classes provides a fast and efficient way to parse and generate XML documents You can also use the XmlTextWriter class to format XML data Summary Additional topics discussed include the role of XmlResolver in accessing XML resource URIs You can use XmlResolver instances to access secured XML resources, and they also play an important role in helping to determine whether specific functions such as document() are available to be used securely with XSLT stylesheets This chapter also provides information about searching and filtering XML data As this chapter shows, you can use the XPath language or ADO.NET-specific classes such as DataView to perform similar tasks The remaining sections of this chapter discuss how to create a reusable XML validation component, shape the structure of XML data emitted from the DataSet class, and work with custom XML configuration files by using XPath and XML serialization 475 PART IV Hosting and Security 12 Side-by-Side Execution in ASP.NET 13 Taking Advantage of Forms Authentication 14 Customizing Security 12 Side-by-Side Execution in ASP.NET One of the major advantages envisioned for the NET Framework when it was under development was the ability to run multiple versions concurrently on the same machine and allow applications to execute under whichever version is appropriate In other words, in terms of ASP.NET, different Web applications, Web services, and Web sites can be running concurrently under different versions of the NET Framework without interfering with each other This also means that components and other resources that are tied to one version of the NET Framework can continue to be used with the appropriate applications, and installing updated versions will not interfere with existing ones These components and other resources run side-by-side as separate processes and not share any resources, assemblies, or other NET Framework class files In Windows Server 2003 the new version of Internet Information Services (IIS)—version 6.0—provides a different core-processing model for Web applications and Web services Although this isn’t the topic of this chapter, it means that Windows Server 2003 IN THIS CHAPTER How Version 1.1 of the NET Framework Is Distributed 480 How Installing a New Version of the NET Framework Affects Existing Applications 481 How ASP.NET Selects the Runtime Version 488 How to Specify the ASP.NET Version for Individual Applications 489 ASP.NET and IIS 6.0 on Windows Server 2003 492 Summary 497 480 12 Side-by-Side Execution in ASP.NET can provide better performance, better process separation, and more robust management of errors and deadlocks Windows Server 2003 achieves these advantages through the use of a new kernel-level module called http.sys, which redirects incoming requests to the appropriate one of multiple separate instances of the Web service It also handles output caching directly, providing another useful (and considerable) performance boost Version 1.1 of the NET Framework fully supports side-by-side execution, allowing you to run both version 1.0 and version 1.1 of the NET Framework on the same machine You can also run the current beta version of the NET Framework, code-named “Whidbey” and the forthcoming final version 2.0 alongside both version 1.0 and 1.1 installations You can configure applications to run under any of the installed NET Framework versions However, by default, all applications will run under the most recent version (the highest version number) of the NET Framework You have to configure applications and other resources (such as Web services) to force them to run under a specific version This chapter looks at the following: n How version 1.1 of the NET Framework is distributed n How installing a new version of the NET Framework affects existing applications n How ASP.NET selects the NET Framework version to use at runtime n How to specify the version that each application will run under n Web service extensions and application pools in IIS 6.0 How Version 1.1 of the NET Framework Is Distributed ASP.NET 1.1 is installed by default on Windows Server 2003, which does not provide version 1.0 You can also install version 1.1 in three other ways: n By installing Visual Studio NET 2003 Version 1.0 of the NET Framework is a prerequisite for this n By installing the version 1.1 redistributable file named Dotnetfx.exe, which you can download from the Microsoft Web site, at http://msdn.microsoft.com/netframework/ technologyinfo/howtoget/default.aspx Alternatively, you can install it from the Windows Update site, using the link on your Start menu n By installing an application that itself contains the NET Framework redistributable file To check whether version 1.1 of the NET Framework is already installed, you can select Start, Control Panel, Add/Remove Programs and then look for the entry “Microsoft NET Framework [language] 1.1.” How Installing a New Version of the NET Framework Affects Existing Applications How Installing a New Version of the NET Framework Affects Existing Applications If you install a version of the NET Framework that is compatible with and more recent than those already installed, the setup program will automatically update IIS so that all applications run under the new version When you create new applications, they will also run under the new version of the NET Framework by default—as long the new version is compatible Compatible, in this case, is defined as having the same major version number (for example, versions 1.0 and 1.1 are compatible) However, the final release of version 2.0 will not be compatible with versions 1.0 and 1.1 What happens when you remove a version of ASP.NET that is currently installed depends on the version you are removing and the other versions (if any) present on the server If you remove (that is, uninstall) the latest version, all the applications that use this version are automatically converted to run under the next most recent compatible version that is installed For example, if you remove version 1.1 and have version 1.0 installed, all applications will revert to running under version 1.0 However, if you uninstall one of the versions that is not the most recent, the applications that run under it will be converted to run under the most recent compatible version If there are no other compatible versions installed, ASP.NET pages will be served as simple text files Therefore, it’s important to ensure that existing applications are correctly mapped to the new version to prevent users from being able to view the source code of your ASP.NET pages and configuration files Configuration Settings in machine.config One important point to note is that installing another version of the NET Framework will install the default version of machine.config and the other policy and security files If you have modified these files for the existing version and want the same configuration and policies to apply to the new version, you must copy the settings to the newly installed files The ASP.NET State Service and SQL Server State Service If you configure the ASP.NET State Service or SQL Server State Service to handle session state (rather than the default in-process state storage mechanism), all state for all ASP.NET applications is managed by a single instance of the service This approach is often used in Web farms or multiple server installations, and you may use a separate dedicated server just for this purpose When you run applications under different versions of the NET Framework, all state is held in the same single instance of the ASP.NET State Service or SQL Server State Service—the one installed with the most recent version of the NET Framework If you uninstall a version of the NET Framework, the previous most recent version is used instead 481 482 12 Side-by-Side Execution in ASP.NET The ASP.NET Process Account ASP.NET pages and resources are executed under the context of an account named ASPNET by default Unless you specify otherwise, all access for all pages and resources, regardless of the version of the NET Framework they are running under, will use this single account It will be, by default, the account installed by the most recent version of the NET Framework If you uninstall a version of the NET Framework, the previous most recent version is used instead Windows Performance Counters Each version of the NET Framework installs its own pair of performance counters, named ASP.NET [version] and ASP.NET Apps [version] The name of each of these counters contains the version number, which allows you to view the data for each version of the NET Framework separately However, the most recent version of the NET Framework also installs counters that aggregate performance for ASP.NET over all versions of the NET Framework that are installed These two counters are named ASP.NET and ASP.NET Applications (see Figure 12.1) FIGURE 12.1 The ASP NET performance counters, when multiple versions of ASP NET are installed Running Version 1.0 Applications on Version 1.1 of the NET Framework In general, any application that is running on version 1.0 of the NET Framework will run without modification on version 1.1 There are, however, five changes to the NET Framework in version 1.1 that might affect your applications: n Automatic input validation n The SelectedValue property for ASP.NET list controls n The ODBC provider for NET n Changes to forms authentication n The Microsoft Mobile Internet Toolkit controls How Installing a New Version of the NET Framework Affects Existing Applications Automatic Input Validation A major addition to ASP.NET in version 1.1 of the NET Framework is the implementation of a new feature that helps to reduce the risk of attacks that use cross-site scripting or SQL injection techniques being successful By default, all input to a page within the Request collections (QueryString, Form, and Cookies) is checked against a hard-coded list of undocumented, but potentially dangerous, data strings If your existing version 1.0 pages depend on accepting this kind of data, they may fail to work correctly under version 1.1 However, you should always validate input to protect your pages against this type of attack, even in version 1.1, where there is some built-in protection The example in Listing 12.1 demonstrates the automatic validation feature It provides a text box into which a value can be entered and a button to submit the form LISTING 12.1 An Example That Demonstrates Automatic Input Validation Sub ShowInput(Source As Object, E As EventArgs) lblResult.Text = txtTest.Text End Sub When a potentially dangerous value, such as , is submitted, an exception is raised and the standard ASP.NET error page is displayed (see Figure 12.2) Of course, in an application, you’ll probably want to trap this error and display a more suitable message or just ignore the input You can experiment with this feature by turning off input validation Automatic input validation is controlled by an addition to the Page directive in ASP.NET, a new addition to the web.config and machine.config files, and a new property of the HttpRequest class (which implements the Request object in ASP.NET), named ValidateInput 483 484 12 Side-by-Side Execution in ASP.NET FIGURE 12.2 The resulting error page when potentially dangerous input is detected The ValidateRequest Page and web.config Directive In version 1.1 of ASP.NET, adding an attribute to the Page directive allows you to turn off automatic input validation (the default, if this value is omitted, is “true”, and input validation is carried out): You can also control input validation by adding an attribute to the element of the web.config file or changing the existing attribute in the machine.config file This is the default machine.config file for version 1.1: If the input is invalid, an HttpRequestValidationException error is raised The HttpRequest.ValidateInput Method If you disable automatic input validation in the web.config file or the machine.config file, you can still validate the input to a specific page by using the new ValidateInput method of the HttpRequest class: Request.ValidateInput() Again, if the input is invalid, an HttpRequestValidationException error is raised How Installing a New Version of the NET Framework Affects Existing Applications The SelectedValue Property for ASP.NET List Controls The ASP.NET list controls expose several properties that you can use to extract the selected value(s) from them For a DropDownList, CheckBoxList, RadioButtonList, or ListBox control, you can access the SelectedIndex property after a postback to get the index of the ListItem instance (within the List collection of the control) that was selected If the list allows more than one item to be selected, this property returns the index of the first item selected in the list You can also access the SelectedItem property to get a reference to the first item selected in the control, and then you can query the Text or Value property of that ListItem object to get the currently selected text or value of the control In version 1.1 of ASP.NET, the DropDownList, CheckBoxList, RadioButtonList, and ListBox controls gain a new property, named SelectedValue Following a postback, this property is automatically set to the value of the Value property for the first selected ListItem object in the list For example, the following code populates one of each of the four list controls that expose this property, and the button at the bottom of the page causes a postback during which the SelectedValue property of each control is extracted and displayed: lblResult.Text = “DropDownList.SelectedValue = ’” _ & MyDropDown.SelectedValue & “‘” lblResult.Text &= “ListBox.SelectedValue = ’” _ & MyListBox.SelectedValue & “‘” lblResult.Text &= “CheckBoxList.SelectedValue = ’” _ & MyCheckBoxList.SelectedValue & “‘” lblResult.Text &= “RadioButtonList.SelectedValue = ’” _ & MyRadioButtonList.SelectedValue & “‘” Figure 12.3 shows the result of running this code You can see that only the first selection in the CheckBoxList control is returned by the SelectedValue property When you have a list control that allows multiple selection—in other words, a CheckBoxList control or a ListBox control with the SelectionMode=”Multiple” attribute—you still have to iterate through the Items collection, checking the Selected property of each ListItem object You can also use the SelectedValue property to select an item in these four list controls, by assigning the required String value to the property In the sample page, the following code is executed when the Set to ‘Sun’ button is clicked: MyDropDown.SelectedValue = “Sun” MyListBox.SelectedValue = “Sun” MyCheckBoxList.SelectedValue = “Sun” MyRadioButtonList.SelectedValue = “Sun” This sets the current selection to the entry for “Sun” in all the controls If the value you specify is not in the list, an exception is raised 485 486 12 Side-by-Side Execution in ASP.NET FIGURE 12.3 The SelectedValue property for the ASP NET version 1.1 list controls System.Data Namespace Changes In version 1.1 of the NET Framework, there have been several changes in the classes from the System.Data namespace and its subsidiary namespaces These are the classes that implement ADO.NET The changes fall into several categories: n Two new data-related namespaces that have been added to the NET Framework System.Data.Odbc implements the ODBC data provider (which was originally available in beta form for use with version 1.0) System.Data.OracleClient implements the NET Framework data provider for Oracle An important point to note is that the namespace name for the ODBC data provider has changed between version 1.0 and version 1.1 of the NET Framework The namespace for the (beta) version 1.0 is Microsoft.Data.Odbc, whereas for version 1.1 it is System.Data.Odbc This means that you must change any Import directives that specify the namespace when you move your pages or components to version 1.1 n The new property HasRows, which is added to the DataReader classes, returns True if there are one or more rows in the result set to which the DataReader instance is attached, following a call to the Execute method of the Command object that provides the result set If the SQL statement or stored procedure executed by the Command object does not return any rows, the HasRows property returns False n A new method named EnlistDistributedTransaction for the Connection classes, which allows Connection instances to manually enlist into the current transaction if auto-enlist is disabled n Fixes for bugs or security issues in the existing classes Some of these may affect your existing code For example, see www.daveandal.net/alshed/datasetkludges/default.asp for details How Installing a New Version of the NET Framework Affects Existing Applications on some of the changes to the workings of the DataSet class For details of other changes between versions 1.0 and 1.1, see the GotDotNet pages, at www.gotdotnet.com/team/ changeinfo/default.aspx Changes to Forms Authentication When forms authentication is used, an encrypted cookie is stored on the client machine and sent with each request for a secured page This encryption uses the value of the element within the section of the machine.config file or the web.config file The element also specifies the value used for encrypting and validating the viewstate in a page that contains a server-side element In version 1.1 of the NET Framework, by default, the validationKey and encryptionKey attribute values within the element contain a new modifier, named IsolateApps: When this is present, the auto-generated keys include details of the ASP.NET application, so different applications running on the same machine will each generate different keys for securing their cookies or viewstate This improves security and application isolation, especially where a server is hosting multiple sites or applications In version 1.0 of the NET Framework, where this modifier is not supported, the same key is used for all applications on the server This new behavior will cause a problem if you rely on shared authentication cookies, perhaps where you have a nested application (that is, an application within a subfolder of another application, with the path of the cookie set to / in the local web.config file) or if you are passing the viewstate from a page to a different application through a customized form post To retain the version 1.0 behavior when running under version 1.1 of the NET Framework, you can the following: n Remove the IsolateApps modifiers from machine.config or (better) use a local web.config file that does not contain the IsolateApps modifiers n Change the validationKey and decryptionKey attribute values to specify an explicit key rather than auto-generating it If you are using a Web farm or another shared server setup, you will be using a specific key that is the same on all the servers anyway There are also two new properties for the FormsAuthentication class—RequireSSL and SlidingExpiration When the RequireSSL property is True, all requests must be made under the secure HTTPS protocol rather than the more usual HTTP The SlidingExpiration property specifies whether the timeout for forms authentication (as specified in the machine.config or web.config file) is absolute, or starts again on each request In other words, when the SlidingExpiration property is True, the timer effectively restarts on each request When it is False, authentication expires after the prescribed period, regardless of how many requests the user has made 487 ... 6.0 How Version 1.1 of the NET Framework Is Distributed ASP.NET 1.1 is installed by default on Windows Server 2003, which does not provide version 1.0 You can also install version 1.1 in three other... Version 488 How to Specify the ASP.NET Version for Individual Applications 489 ASP.NET and IIS 6.0 on Windows Server 2003 492 Summary 497 480 12 Side-by-Side Execution in ASP.NET can provide better... example, versions 1.0 and 1.1 are compatible) However, the final release of version 2.0 will not be compatible with versions 1.0 and 1.1 What happens when you remove a version of ASP.NET that is currently