Showing posts from April, 2012

Custom WCF Authentication Using Message Contract

When you create a WCF Service or Web Service, you may want to implement subscription based access to this service. This allows you to have many customers consuming the service, with each customer having their own account and credentials to access.

When creating ASP.NET Web Services, implementing subscription based access can be done by using the SOAP header to add credentials particular to the customer consuming the web service. In a WCF service, this is done using the Message Contract.
For this post, I have created a test WCF service application which is used to return account data for a customer. The interface has one operations contract called GetAccountsData which returns a message contract called accounts info. As the accounts info message contract has sensitive information, I am also specifying the EncryptAndSign attribution on the properties on the message contract. 
The Interface:
[ServiceContract]     public interface IAccountsService     {         [OperationContract]         Acco…

UAC Administrator Access on a Windows Server 2008 Development Server

Windows Server 2008 R2 has UAC build-in and turned on by default. With a server hosting your applications that is exposed to the outside world, you definitely want to keep this feature turned on!

On an internal development server however, you may wish to disable UAC for the administrator users group as with it turned on you will find barriers when testing that can slow things down - one example is changing a value in an exe.config file in the programs directory as you won't be able to save the config file back to the same location without running the editing program in Administrator mode.

To disable UAC for the administrators group, follow these simple steps:

1. On your server, go to "Administrative Tools" > "Local Security Policy"
2. Expand the "Local Policies" > "Security Options" node and find the "User Account Control: Run all administrators in Admin Approval Mode" policy in the main window.

3. Open the policy and select the &…

SQL Server: Insert, Update and Delete Data in a Single Execution by Using MERGE

With the release of SQL Server 2008, insert, update, or delete operations can be performed in a single statement using MERGE. Prior to SQL Server 2008, each insert, update or delete had to be run separately. The MERGE statement allows you to join a data source with a target table or view, and then perform multiple actions against the target based on the results of that join. 

The following example is taken from TechNet, and the original example can be found at This example uses MERGE to insert, update, or delete rows in a target table based on differences with the source data.


Consider a small company with five departments, each with a department manager. The company decides to re-organise its departments. To implement the re-organisation results in the target table dbo.Departments, the MERGE statement must implement the following changes:

Some existing departments will not change.Some existing d…

MVC3 Custom 500 Error Handling Inside the MVC Pipeline

In any well designed application, 500 errors are handled. I have seen too many applications that simply throw an exception when an error occurs - at best this gives a bad user experience, but at worst it could expose security information a potential attacker could use to exploit a hole in your application and/or system.
In many applications, particularly enterprise applications, an end user experiencing an error needs to be coupled with a logging process or a notification to a support team depending on the severity of the error. In ASP.NET Web Forms, this can be achieved by using the Application_Error event in global.asax to send a notification or log an event. The user can then be redirected to an error page either by setting the appropriate  CustomErrors properties in web.config or using a redirect in the Application_Error method.
Web.Config Redirect:
    <customErrors mode="Off" defaultRedirect="~/errors/500.aspx">       <error statusCode="500"…