SKILLWISE-ADVANCED WEB APP DEVELOPMENT
HTTP PIPELINE
Life of an ASP.NET Request
• ASP.NET is layered on top of IIS 5 and IIS 6
  – IIS receives a request for an ASP.NET page
  – aspnet_isapi.dll is registered for the ASP.NET extensions
  – The ISAPI extension passes the request to the worker process: aspnet_wp.exe on IIS 5, or ASP.NET hosted inside w3wp.exe on IIS 6
  – ASP.NET classes take over the request
  – When processing is complete, the response is returned to IIS and ultimately back to the client
• ASP.NET is integrated into IIS 7
  – IIS receives a request for an ASP.NET page (.aspx)
  – The request is dispatched by IIS to PageHandlerFactory (the handler associated with .aspx)
  – An IIS 7 application pool can still run in classic mode, which keeps the IIS 6 ISAPI path above
HttpPipeline Architecture (IIS 5)
HttpPipeline architecture (IIS 6)
HttpPipeline architecture (IIS 7)
Inside the Pipeline
• Once inside the worker process, a request goes through a series of steps
  – It is first routed to the AppDomain associated with that application
  – A number of classes within the AppDomain interact to service the request
    • HttpRuntime
    • HttpWorkerRequest
    • HttpApplication
    • HttpContext
    • Modules
    • Handlers
    • ...
Classes in the HTTP Pipeline of ASP.NET
HttpContext
• ASP.NET request information is stored in HttpContext
  – A unique instance is created for each request
  – Stores all request-specific data
  – Stores links to all relevant classes (Application, Session, ...)
  – Passed as a parameter to many methods (ProcessRequest)
HttpContext Properties
Using HttpContext.Current
Applications
• The first point of extensibility in the pipeline is the application
  – The application class acts as the initial entry point for a request
  – Serves as a repository of globally available resources
    • application state
    • cache
    • session state
  – Gives access to many important events that occur during the lifetime of the application
  – Always an instance or derivative of HttpApplication
  – Accessible through the HttpContext and Page classes
HttpApplication class
Customizing the Application Class
• You create a custom application by writing a global.asax file
  – Placed at the root of the application's virtual directory
  – Parsed and compiled into an assembly on first access
  – Creates a new class deriving from HttpApplication
  – Used in place of the default application class
Sample global.asax file
HttpApplication events
Additional events available through global.asax
Custom Handlers
• Each .aspx file is compiled into a Page class, which is a handler
  – Handlers must implement IHttpHandler
  – Alternate extensions can be mapped to a custom class that implements IHttpHandler (httpHandlers section of web.config for IIS 6 and classic mode; system.webServer/handlers for IIS 7 integrated mode)
  – For a handler to be invoked on IIS 6 and earlier, the extension must first be mapped to the ASP.NET ISAPI DLL (aspnet_isapi.dll) in the IIS script map
  – An extension that is not mapped never reaches ASP.NET: IIS serves the file itself as static content, which discloses its source
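The handler below is an added example, not code from the deck: a custom IHttpHandler that serves downloads from one folder and refuses anything that canonicalises outside it, the classic path-traversal mistake in handlers that take a file name from the request. The DownloadHandler name, the App_Data/downloads folder, the "file" query parameter, the *.dl extension and the registration lines in the comment are all assumptions.

```csharp
using System;
using System.IO;
using System.Web;

// Added example: handler name, folder, query parameter and extension are assumptions.
public class DownloadHandler : IHttpHandler
{
    // A single instance may serve many requests only because it keeps no
    // per-request state in fields.
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // App_Data is never served directly by ASP.NET, so only this handler exposes it.
        string root = context.Server.MapPath("~/App_Data/downloads");
        string requested = context.Request.QueryString["file"];

        // VULNERABLE pattern this replaces: Path.Combine(root, requested) used as-is.
        // requested = "..\\..\\web.config" walks out of the folder, and an absolute
        // path such as "C:\\Windows\\win.ini" makes Path.Combine discard 'root' entirely.
        string full = ResolveInside(root, requested);
        if (full == null)
        {
            context.Response.StatusCode = 404;   // same answer for missing and forbidden
            return;
        }

        context.Response.ContentType = "application/octet-stream";
        // File name taken from the resolved disk path, not from the request.
        context.Response.AppendHeader("Content-Disposition",
            "attachment; filename=\"" + Path.GetFileName(full) + "\"");
        context.Response.AppendHeader("X-Content-Type-Options", "nosniff");
        context.Response.TransmitFile(full);
    }

    // Canonicalise the candidate and check containment; null for anything
    // that does not resolve to an existing file strictly below 'root'.
    public static string ResolveInside(string root, string requested)
    {
        if (string.IsNullOrEmpty(requested)) return null;

        string rootFull = Path.GetFullPath(root)
            .TrimEnd(Path.DirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string candidate = Path.GetFullPath(Path.Combine(rootFull, requested));

        if (!candidate.StartsWith(rootFull, StringComparison.OrdinalIgnoreCase)) return null;
        return File.Exists(candidate) ? candidate : null;
    }
}

/* Registration (assumed names):
   IIS 7 integrated mode, web.config <system.webServer><handlers>:
     <add name="Download" path="*.dl" verb="GET" type="DownloadHandler" preCondition="integratedMode" />
   IIS 6 / classic mode, web.config <system.web><httpHandlers>:
     <add verb="GET" path="*.dl" type="DownloadHandler" />
   plus, on IIS 6 and earlier, an IIS script map for .dl -> aspnet_isapi.dll.
   Without that script map IIS never calls ASP.NET and serves *.dl files as static content. */
```

The containment test is done on the result of Path.GetFullPath, not on the raw string, so ".." segments, mixed separators and absolute paths are all normalised before the comparison; the trailing separator on rootFull stops "downloads-private" from passing as a prefix of "downloads".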
Custom Modules
• HttpModules can intercept any application-level event
  – Exist at the application level (not per request)
  – Similar to ISAPI filters
  – Implement the IHttpModule interface
  – The Init method is called on application start-up, which is where the module hooks the application-level events
  – System-provided modules include SessionStateModule, UrlAuthorizationModule, and so on
System Provided Modules
Modules vs. global.asax
• Modules and custom applications can perform many of the same functions
  – It is not always obvious which to use
  – Use global.asax for application-specific functionality
  – Use modules for 'pluggable' pieces of functionality that may be used in multiple applications
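The module below is an added example for the global.asax and HttpModule slides above, not code from the deck: a pluggable IHttpModule that subscribes to application-level events in Init, adds defensive headers to every response and removes the Server banner, with the global.asax equivalent noted in the comment. The SecurityHeadersModule and Skillwise.Pipeline names and the web.config registration lines are assumptions; the header names are standard.

```csharp
using System;
using System.Web;

namespace Skillwise.Pipeline
{
    // Added example: module and namespace names are assumptions.
    public class SecurityHeadersModule : IHttpModule
    {
        // Called once per HttpApplication instance at application start-up,
        // not once per request: subscribe to the application-level events here.
        public void Init(HttpApplication app)
        {
            app.BeginRequest += OnBeginRequest;
            app.PreSendRequestHeaders += OnPreSendRequestHeaders;
        }

        public void Dispose() { }

        private static void OnBeginRequest(object sender, EventArgs e)
        {
            HttpResponse response = ((HttpApplication)sender).Context.Response;
            // Set before any handler runs so every handler inherits them.
            // A handler that calls Response.ClearHeaders() must add them again.
            response.AppendHeader("X-Content-Type-Options", "nosniff");
            response.AppendHeader("X-Frame-Options", "DENY");
        }

        private static void OnPreSendRequestHeaders(object sender, EventArgs e)
        {
            HttpResponse response = ((HttpApplication)sender).Context.Response;
            // Response.Headers is only usable in IIS 7 integrated mode; in classic
            // or IIS 6 mode it throws PlatformNotSupportedException, so guard it.
            if (HttpRuntime.UsingIntegratedPipeline)
            {
                response.Headers.Remove("Server");
            }
            // On .NET 4.5.2 and later prefer Response.AddOnSendingHeaders(...) to
            // this event, which is not supported for async requests in integrated mode.
        }
    }
}

/* Registration (assumed names):
   IIS 7 integrated mode, web.config <system.webServer><modules>:
     <add name="SecurityHeaders" type="Skillwise.Pipeline.SecurityHeadersModule" />
   IIS 6 / classic mode, web.config <system.web><httpModules>:
     <add name="SecurityHeaders" type="Skillwise.Pipeline.SecurityHeadersModule" />
   The application-specific alternative is a method in global.asax named after
   the event, e.g. void Application_BeginRequest(object sender, EventArgs e),
   which ASP.NET wires up automatically. */
```

Removing Server only covers the banner ASP.NET controls; the other version leaks have their own switches: <httpRuntime enableVersionHeader="false" /> for X-AspNet-Version, MvcHandler.DisableMvcResponseHeader = true in Application_Start for X-AspNetMvc-Version, and <httpProtocol><customHeaders><remove name="X-Powered-By" /> under system.webServer for the IIS header.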
BUILDING APPLICATIONS WITH ASP.NET MVC 4
ASP.NET MVC Design Goals
• Embrace the web
• Run on ASP.NET
• Extensible
• Testable
Controllers
Routes & Controllers
  routes.MapRoute(
      "Default",                                              // Route name
      "{controller}/{action}/{id}",                           // URL with parameters
      new { controller = "Home", action = "Index", id = "" }  // Parameter defaults
  );
• The MVC 4 project templates default id to UrlParameter.Optional instead of "", so the segment is omitted from generated URLs
Controller Execution
• IController
  – Execute method invoked by MvcHandler
  – Writes to the response stream
• ControllerBase
  – Introduces ViewData and ControllerContext
• Controller
  – Default base class in MVC
  – Introduces actions
  – Includes helper methods for rendering content
Actions
• Actions are the ultimate request destination
  – Public controller methods
  – Non-static
  – No return value restrictions
  – Every public instance method on a controller is reachable by URL unless it is marked [NonAction]; keep helper methods private or protected
Action Parameters
• Actions can take a variety of parameters
  – Primitive parameters (int, bool, string)
  – Complex parameters
• The Model Binder looks for parameter values
  – In route data
  – In form data
  – In the query string
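The binder fills every settable property of a complex parameter that it can match from route data, form fields or the query string, which makes "over-posting" possible whenever the bound type carries a field the user must not control. The code below is an added example, not code from the deck, showing the vulnerable action beside the two usual fixes; UserProfile, IProfileRepository, EditProfileInput and the action names are assumptions, and the controller assumes the application's DependencyResolver supplies the repository.

```csharp
using System.Web.Mvc;

// Added example: entity, repository, view model and controller names are assumptions.
public class UserProfile
{
    public int Id { get; set; }
    public string DisplayName { get; set; }
    public string Email { get; set; }
    public bool IsAdmin { get; set; }      // privileged: must never come from the browser
}

public interface IProfileRepository
{
    UserProfile Find(int id);
    void Save(UserProfile profile);
}

// View model for FIX 2: only the fields a user may edit exist on it.
public class EditProfileInput
{
    public int Id { get; set; }
    public string DisplayName { get; set; }
    public string Email { get; set; }
}

public class ProfileController : Controller
{
    private readonly IProfileRepository _repo;

    // Resolved through DependencyResolver (assumption).
    public ProfileController(IProfileRepository repo) { _repo = repo; }

    // VULNERABLE: adding a hidden <input name="IsAdmin" value="true"> to the
    // edit form, or ?IsAdmin=true on the URL, is enough; the binder sets it
    // because nothing in this signature excludes it.
    [HttpPost]
    public ActionResult EditVulnerable(UserProfile profile)
    {
        _repo.Save(profile);                   // persists IsAdmin exactly as submitted
        return RedirectToAction("Index");
    }

    // FIX 1: whitelist the bindable properties on the parameter. Anything not
    // listed (IsAdmin) stays at its default even if the request carries it.
    [HttpPost]
    public ActionResult EditBindFix(
        [Bind(Include = "Id,DisplayName,Email")] UserProfile profile)
    {
        UserProfile stored = _repo.Find(profile.Id);
        stored.DisplayName = profile.DisplayName;  // copy only what was allowed in
        stored.Email = profile.Email;
        _repo.Save(stored);
        return RedirectToAction("Index");
    }

    // FIX 2 (preferred): bind to a view model, so the privileged property does
    // not exist for the binder to set at all, and copy fields explicitly.
    [HttpPost]
    public ActionResult EditViewModelFix(EditProfileInput input)
    {
        if (!ModelState.IsValid) return View(input);

        // Binding does not authorise: check that the caller owns input.Id before
        // loading it, otherwise a changed Id edits someone else's profile.
        UserProfile stored = _repo.Find(input.Id);
        stored.DisplayName = input.DisplayName;
        stored.Email = input.Email;
        _repo.Save(stored);
        return RedirectToAction("Index");
    }
}
```

The same whitelist is available when binding by hand: TryUpdateModel(model, includeProperties) takes the allowed property names as an argument. Exclude lists ([Bind(Exclude = "IsAdmin")]) work until someone adds the next privileged property to the entity, which is why the view-model form is the one to standardise on.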
Results
• Actions typically return an ActionResult
Action Selectors
• ActionName
• AcceptVerbs, or the HttpPost / HttpGet shortcuts
Action Filters
Custom Action Filters • Derive from ActionFilterAttribute base class
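A custom filter as an added example, not code from the deck: an attribute derived from ActionFilterAttribute that marks a response non-cacheable, so pages showing account data are not replayed from a browser or proxy cache after logout or on a shared machine. The NoStoreAttribute name, the StatementController and the FilterConfig-style registration are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Added example: the attribute and controller names are assumptions.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public class NoStoreAttribute : ActionFilterAttribute
{
    // Filter order: OnActionExecuting -> action -> OnActionExecuted ->
    // OnResultExecuting -> result renders -> OnResultExecuted.
    // Headers must be in place before the result starts writing output,
    // so OnResultExecuting is the latest safe point.
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        HttpCachePolicyBase cache = filterContext.HttpContext.Response.Cache;
        cache.SetCacheability(HttpCacheability.NoCache);  // Cache-Control: no-cache + Pragma: no-cache
        cache.SetNoStore();                                // adds no-store
        cache.SetExpires(DateTime.UtcNow.AddYears(-1));    // Expires in the past for HTTP/1.0 caches
        base.OnResultExecuting(filterContext);
    }
}

// Per-action use. AuthorizeAttribute is itself a filter, so the two compose.
[Authorize]
public class StatementController : Controller
{
    [NoStore]
    public ActionResult Index()
    {
        return View();
    }
}

// Global use, from App_Start/FilterConfig.cs in an MVC 4 project.
public static class FilterConfigExample
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new HandleErrorAttribute());
        filters.Add(new NoStoreAttribute());   // applied to every action
    }
}
```

Applying it globally is the safer default: static assets are not served through MVC actions, so the cost is only on dynamic pages, and no authenticated page can be forgotten.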
Views
Razor Templates Template + Data = Generated Output
Layout with Razor • Use inherited methods to specify content areas – RenderBody – RenderSection
HTML Helpers
• Html is a property of the view page base class (ViewPage for ASPX views, WebViewPage for Razor views)
  – Create inputs
  – Create links
  – Create forms
Custom Helpers
• Write extension methods for the HtmlHelper class
  – Return a string, or an object whose ToString method produces the markup; Razor HTML-encodes either when it renders the result
  – Return MvcHtmlString (IHtmlString) for markup that must be emitted as-is; the helper must then encode any user data itself
  – TagBuilder manages closing tags and attributes; SetInnerText encodes its argument, InnerHtml does not
  – Add the namespace in web.config
• The place for complicated view logic
Partials
• Partial views render portions of a page
  – Reuse pieces of a view
  – Html helpers: Partial and Action
• Razor partial views are still .cshtml files
Html.Action vs. Html.Partial
• Partial
  – Use partials to reuse markup
• Action
  – Think "sub-request"
  – Let the controller build the sub-model and select the partial view
  @Html.Partial("movieDetail", Model.Movie)
  @Html.Action("show", "weather", new { postalCode = "21740" })
• Html.RenderPartial and Html.RenderAction write straight to the response instead of returning a string, so they are called from a code block:
  @{ Html.RenderPartial("movieDetail", Model.Movie); }
  @{ Html.RenderAction("show", "weather", new { postalCode = "21740" }); }
• A child action invoked through Html.Action is still a public action, reachable by its own URL unless it is marked [ChildActionOnly]
Security
• Encoding
  – Helps avoid XSS attacks
  – Not encoding user input makes you particularly vulnerable
  – Razor's @ syntax HTML-encodes by default; Html.Raw and helpers that return MvcHtmlString bypass that encoding
  – HTML encoding covers the HTML body only; attribute, URL and JavaScript contexts need their own encoders
• Html.AntiForgeryToken
  – Helps avoid CSRF attacks
  – Requires a ValidateAntiForgeryToken attribute on the controller action; an action without the attribute is not protected
  – Valid only for POST operations (the token travels in the form body and must match a cookie)
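Added example for both points on this slide, not code from the deck: the encoders ASP.NET provides for each output context, applied to a constructed attacker payload, the Razor lines that correspond to them, and a controller that enforces the anti-forgery token on a form POST and on an AJAX POST. CommentInput, CommentsController, the action names, the X-RequestVerificationToken header name and the payload itself are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

// Added example: type, controller, action and header names are assumptions.
public class CommentInput
{
    public string Text { get; set; }
    public string Url { get; set; }
}

public static class OutputEncoding
{
    // Constructed attacker input for a "comment" field (sample data).
    public const string Payload = "<script>alert(document.cookie)</script>";

    // HTML body context: what Razor's @ applies automatically.
    // '<' and '>' become &lt; and &gt;, so the browser renders text, not a script tag.
    public static string ForHtmlBody(string untrusted)
    {
        return HttpUtility.HtmlEncode(untrusted);
    }

    // Attribute value context: the quote that would close the attribute is encoded.
    public static string ForAttribute(string untrusted)
    {
        return HttpUtility.HtmlAttributeEncode(untrusted);
    }

    // JavaScript string literal inside <script>: HTML entities mean nothing here,
    // so '<' is escaped as \u003c instead and "</script>" cannot close the block.
    public static string ForJavaScript(string untrusted)
    {
        return HttpUtility.JavaScriptStringEncode(untrusted);
    }

    // URL query component.
    public static string ForQueryString(string untrusted)
    {
        return HttpUtility.UrlEncode(untrusted);
    }

    // Encoding cannot help when the value itself is the attack: a "javascript:"
    // URL placed in href keeps its meaning through every encoder above.
    // Validate the scheme instead (absolute http/https links only here).
    public static bool IsSafeLinkTarget(string url)
    {
        Uri parsed;
        if (!Uri.TryCreate(url, UriKind.Absolute, out parsed)) return false;
        return parsed.Scheme == Uri.UriSchemeHttp || parsed.Scheme == Uri.UriSchemeHttps;
    }
}

/* Views/Comments/Show.cshtml (Razor), the same contexts in a view:
   <p>@Model.Text</p>                          @ HTML-encodes: safe
   <p>@Html.Raw(Model.Text)</p>                NOT encoded: trusted, sanitised markup only
   <a href="@Model.Url">link</a>               encoded, but "javascript:" still runs: validate first
   <script>var t = '@Html.Raw(HttpUtility.JavaScriptStringEncode(Model.Text))';</script>
   @using (Html.BeginForm("Post", "Comments")) {
       @Html.AntiForgeryToken()                hidden __RequestVerificationToken + matching cookie
       @Html.TextAreaFor(m => m.Text)
       <input type="submit" value="Post" />
   } */
public class CommentsController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]   // rejects the POST unless the form token and cookie match
    public ActionResult Post(CommentInput input)
    {
        if (!ModelState.IsValid) return View(input);
        // Store input.Text verbatim; encode at output time for the context it lands in.
        return RedirectToAction("Show");
    }

    // AJAX callers have no form field to post, so they send the token in a
    // header and the action validates it with the same library the attribute uses.
    [HttpPost]
    public ActionResult PostJson(CommentInput input)
    {
        HttpCookie cookie = Request.Cookies[AntiForgeryConfig.CookieName];
        string cookieToken = cookie != null ? cookie.Value : null;
        string formToken = Request.Headers["X-RequestVerificationToken"];
        AntiForgery.Validate(cookieToken, formToken);   // throws HttpAntiForgeryException on mismatch
        return Json(new { ok = true });
    }
}
```

Two points worth keeping in mind: the token check only exists where the attribute (or the explicit Validate call) is, so a single unprotected POST action is a CSRF hole regardless of the rest; and the JavaScript line in the view wraps the JavaScript encoder in Html.Raw on purpose, because letting @ HTML-encode the already JavaScript-encoded string would corrupt it inside a script block.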
ADO.NET Entity Framework
• Access a relational database with strongly-typed LINQ queries
LINQ • Comprehension Query Syntax • Extension Method Syntax
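Added example, not code from the deck: one lookup written in comprehension syntax, in extension-method syntax, and twice as raw SQL through Entity Framework, with the injectable form beside the parameterized one. Movie, MovieDb and the Movies table are assumptions.

```csharp
using System.Collections.Generic;
using System.Data.Entity;
using System.Linq;

// Added example: Movie, MovieDb and the Movies table are assumptions.
public class Movie
{
    public int Id { get; set; }
    public string Title { get; set; }
    public decimal Price { get; set; }
}

public class MovieDb : DbContext
{
    public DbSet<Movie> Movies { get; set; }
}

public static class MovieQueries
{
    // Comprehension (query) syntax. EF translates the expression tree to SQL
    // and sends 'title' as a parameter; it is never spliced into the SQL text.
    public static IQueryable<Movie> ByTitleQuerySyntax(MovieDb db, string title)
    {
        return from m in db.Movies
               where m.Title == title
               orderby m.Title
               select m;
    }

    // Extension-method syntax: the same expression tree, the same SQL.
    public static IQueryable<Movie> ByTitleMethodSyntax(MovieDb db, string title)
    {
        return db.Movies.Where(m => m.Title == title).OrderBy(m => m.Title);
    }

    // VULNERABLE: raw SQL assembled by concatenation. A title of
    //   ' OR 1=1 --
    // turns the clause into  Title = '' OR 1=1 --'  and returns every row;
    // other payloads read other tables or run stacked statements.
    public static IEnumerable<Movie> ByTitleRawVulnerable(MovieDb db, string title)
    {
        return db.Database.SqlQuery<Movie>(
            "SELECT Id, Title, Price FROM Movies WHERE Title = '" + title + "'").ToList();
    }

    // Raw SQL done safely: the SQL text is constant and the value travels as
    // the parameter @p0, so a quote in the payload is only data.
    public static IEnumerable<Movie> ByTitleRawSafe(MovieDb db, string title)
    {
        return db.Database.SqlQuery<Movie>(
            "SELECT Id, Title, Price FROM Movies WHERE Title = @p0", title).ToList();
    }
}
```

The LINQ forms are safe by construction because the provider, not the developer, builds the SQL; the raw forms are where code review should look, and the test is simple: if the SQL string is built from anything that came from a request, it is the vulnerable shape.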
SECURITY & ASP.NET MVC
Authentication
Forms Authentication
1. User tries to access a "members only" page.
2. ASP.NET redirects the user to the login page ("~/Account/Login"), passing the original URL as ReturnUrl.
3. User submits username and password.
4. ASP.NET sets the authentication cookie and redirects back to the "members only" page.
Forms Authentication
• AccountController / Views
• WebMatrix WebSecurity
• SimpleMembershipProvider
• SQL storage
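The four-step flow above as an added example, not code from the deck: an AccountController that logs in through WebSecurity (the SimpleMembershipProvider entry point), follows ReturnUrl only when it is local, and the web.config settings that keep the step-4 cookie from leaking. LoginModel, the view names and the config values are assumptions.

```csharp
using System.Web.Mvc;
using WebMatrix.WebData;

// Added example: LoginModel and the controller layout are assumptions.
public class LoginModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
    public bool RememberMe { get; set; }
}

[Authorize]   // everything here needs a logged-in user unless opted out below
public class AccountController : Controller
{
    // Step 2: ASP.NET lands here with ?ReturnUrl=<original page>.
    [AllowAnonymous]
    public ActionResult Login(string returnUrl)
    {
        ViewBag.ReturnUrl = returnUrl;
        return View();
    }

    // Step 3: credentials arrive by POST. The login form is state-changing,
    // so it gets the anti-forgery check too (login CSRF).
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginModel model, string returnUrl)
    {
        if (ModelState.IsValid &&
            WebSecurity.Login(model.UserName, model.Password, persistCookie: model.RememberMe))
        {
            // Step 4: WebSecurity.Login has issued the forms authentication cookie.
            return RedirectToLocal(returnUrl);
        }

        // One message for unknown user and wrong password: no username enumeration.
        ModelState.AddModelError("", "The user name or password provided is incorrect.");
        return View(model);
    }

    // Logout is a POST as well, so a third-party page cannot log the user out
    // with an <img> tag.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult LogOff()
    {
        WebSecurity.Logout();
        return RedirectToAction("Index", "Home");
    }

    // ReturnUrl comes from the request. Following it unchecked turns the login
    // page into an open redirect: a crafted link logs the victim in and then
    // sends them to an attacker's site. Url.IsLocalUrl rejects absolute and
    // protocol-relative targets.
    private ActionResult RedirectToLocal(string returnUrl)
    {
        if (Url.IsLocalUrl(returnUrl)) return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }
}

/* web.config (assumed values): the cookie from step 4 must only travel over
   TLS and must be invisible to script, or the XSS consequences on the next
   slide (cookie theft, account hijacking) apply to it.
   <system.web>
     <authentication mode="Forms">
       <forms loginUrl="~/Account/Login" timeout="30" slidingExpiration="true"
              requireSSL="true" cookieless="UseCookies" />
     </authentication>
     <httpCookies httpOnlyCookies="true" requireSSL="true" />
   </system.web> */
```

WebSecurity.Login returns false for both a bad password and an unknown user, which is what makes the single error message possible without extra work; the lockout behaviour (WebSecurity.IsAccountLockedOut) is a separate check a production controller would add before calling Login.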
Threat: Cross-Site Scripting
• Cookie theft
• Download malware
• XSS
• Account hijacking
• Modify user settings
• Modify content