Friday, October 28, 2005

A very good question-and-answer session related to Architecture

We would appreciate any guidance you may have to offer on the following

  • From experience are there any particular areas that need attention up-front that might be overlooked?
Long discussion; will need a separate session for this.

  • Security – what measures have you taken to ensure that the application is secure?
Application security is not a short-term task. Like other software development activities, it should be practised throughout the SDLC.
In our mode of development, application security is a continuous process. Our process includes…
  • Application threat modelling: at the beginning of the project we did application threat modelling. During this process we identified and quantified the application threats and established a security document. We encourage our developers to go through the checklist on a periodic basis.

  • Establishment of secure development standards and team training

  • Verification of code security during peer reviews

  • What authentication method is used?
We are using our own custom authentication mechanism. We have developed a generic portal application in which we can host our ASPX files. This portal provides mechanisms for application-level user authentication and per-resource authorisation. The portal provides a role-based security mechanism: an administrator can define different application roles and the functions (web forms) associated with each role, along with rights (can read, can edit etc.). Users can then be associated with one or many application roles.
All passwords are stored in the database after they are properly hashed with a salt.
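The two mechanisms the answer describes, salted password storage and a role-to-web-form rights check, as an added C# example. This is not the inBanking portal's code: it targets .NET Framework 2.0 or later (Rfc2898DeriveBytes, i.e. PBKDF2, is used in place of a plain salted hash), and every class, member and web form name in it is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example; all names are assumptions, not the portal's own types.
[Flags]
public enum Rights { None = 0, CanRead = 1, CanEdit = 2 }

public static class PasswordStore
{
    const int SaltSize = 16;      // 128-bit random salt, a fresh one per password
    const int HashSize = 32;      // 256-bit derived key
    const int Iterations = 10000; // raise over time as hardware gets faster

    // Produces "iterations:salt:hash" (base64), which is what the database stores;
    // the plaintext password is never written anywhere.
    public static string Hash(string password)
    {
        byte[] salt = new byte[SaltSize];
        new RNGCryptoServiceProvider().GetBytes(salt);
        byte[] hash = Derive(password, salt, Iterations);
        return Iterations + ":" + Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(hash);
    }

    public static bool Verify(string password, string stored)
    {
        string[] parts = (stored ?? "").Split(':');
        if (parts.Length != 3) return false;
        int iterations;
        if (!int.TryParse(parts[0], out iterations) || iterations < 1) return false;
        byte[] salt = Convert.FromBase64String(parts[1]);
        byte[] expected = Convert.FromBase64String(parts[2]);
        return FixedTimeEquals(expected, Derive(password, salt, iterations));
    }

    static byte[] Derive(string password, byte[] salt, int iterations)
    {
        return new Rfc2898DeriveBytes(password, salt, iterations).GetBytes(HashSize);
    }

    // Compares every byte regardless of where the first difference is.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// A role maps each web form to the rights granted on it; a user holds one or more roles.
public class Role
{
    readonly Dictionary<string, Rights> formRights =
        new Dictionary<string, Rights>(StringComparer.OrdinalIgnoreCase);

    public void Grant(string webForm, Rights rights) { formRights[webForm] = rights; }

    public bool Allows(string webForm, Rights required)
    {
        Rights granted;
        return formRights.TryGetValue(webForm, out granted) && (granted & required) == required;
    }
}

public class PortalUser
{
    public readonly string UserName;
    public readonly string StoredPassword; // value produced by PasswordStore.Hash
    public readonly List<Role> Roles = new List<Role>();

    public PortalUser(string userName, string storedPassword)
    {
        UserName = userName;
        StoredPassword = storedPassword;
    }

    public bool Authenticate(string password) { return PasswordStore.Verify(password, StoredPassword); }

    // Deny by default: access needs some role that grants every requested right on that form.
    public bool IsAuthorised(string webForm, Rights required)
    {
        foreach (Role role in Roles) if (role.Allows(webForm, required)) return true;
        return false;
    }
}

public static class PortalDemo
{
    public static void Main()
    {
        Role fxTrader = new Role();
        fxTrader.Grant("FxDeal.aspx", Rights.CanRead | Rights.CanEdit);
        fxTrader.Grant("FxRates.aspx", Rights.CanRead);

        PortalUser alice = new PortalUser("alice", PasswordStore.Hash("correct horse battery staple"));
        alice.Roles.Add(fxTrader);

        Console.WriteLine(alice.Authenticate("correct horse battery staple"));
        Console.WriteLine(alice.Authenticate("wrong password"));
        Console.WriteLine(alice.IsAuthorised("FxDeal.aspx", Rights.CanEdit));
        Console.WriteLine(alice.IsAuthorised("FxRates.aspx", Rights.CanEdit));
        Console.WriteLine(alice.IsAuthorised("Admin.aspx", Rights.CanRead));
    }
}
```

The iteration count is stored beside the salt so it can be raised for new passwords without invalidating old ones, and the rights check starts from "no access" and only grants when a role explicitly covers the form and right.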

  • How do you handle security - re: different levels of access to areas of the system?
Explained above.

  • Is a single user id used to access the main database?
Yes, during the development phase. For the testing phase we have proposed to create different users at the database level with different sets of rights, based upon the high-level user role (for example, an FX trader should have the right to access FX-related tables).
In the beginning we decided to create DB users for every user in our application. But this dramatically reduces the possibility of connection pooling, so we dropped this idea. The other way round is to create DB users per role (there can be many users attached to a role): authenticate a user using a DB user with minimum rights and then switch to the DB user who has enough rights to access data according to the user's rights.
There can be many possibilities. Please search Microsoft Patterns and Practices.

  • If a single user is used, does it have restricted database access?
Explained above.

  • How is auditing handled?
None yet. We are currently evaluating procedures for it.

  • Portal Layout and Site navigation – what methods do you use to control site-layout?
We are just using CSS based application design.
I would highly recommend using master pages and the themes/skins features provided by ASP .NET 2.0. I wish we had had this feature in ASP .NET 1.1.

  • Scalability – the application should scale to 500 users. What Load testing do you do and what tools do you use?
We are practising standard routines to make the application scalable. Currently we haven’t done any load testing. The option we have debated is to involve third-party services that have the infrastructure and experience in this domain.

  • Testing of components / web application
Internal procedures are being followed: in the case of QA, developing test cases, test case execution, and the bug reporting and rectification cycle; in the case of developers, we conduct peer reviews and unit testing.
We are not currently deploying any test-driven development approaches.

  • How do you achieve database independence? We have a large number (~ 100) of Oracle PL/SQL stored procedures which would have to be rewritten in Transact SQL.
We have developed our own database access layer, making use of the design of ADO .NET. At the database level, we strongly discourage placing business logic. We only create stored procedures for querying and DML operations using standard SQL. There are scenarios where we needed to put business logic in stored procedures, but this is very rare.
You will be using ADO .NET 2.0, which provides a built-in mechanism to achieve database independence: it creates the different objects (connections etc.) through the provider factory pattern. It has some other exciting features which can be used to make an application more scalable, such as asynchronous reads and promotable transactions.

  • How do you achieve Multilanguage, multi locale, multicurrency support?
Currently our application is not multilingual or multi-locale. It is, however, multi-currency. These features have been thought through initially and require a separate discussion thread.

  • How do you control paging?
Currently we are not, but when we need it in future, we will do it at the stored procedure level instead of at the presentation tier. We decided this while considering scalability issues.

  • Is anyone at Lahore using Visual Studio 2005 or planning to use it in the future?
At Lahore office, nobody is using it officially. At personal level, some team members of inBanking including myself have been using Visual Studio 2005 since its CTP releases. About future plans, I can’t answer this. You have to ask higher management/architects who are responsible for such decisions.

  • With Visual Studio 2005 Microsoft offers either the Team Suite or Visual Source Safe 2005 which of these will you be using and why?
Not a question for me, but if I am ever asked, I will vote for Team System. I have advocated this above.

  • Do you run the application under IIS 5.0 or IIS 6.0?
We are developing and testing our application using IIS 5.0.

  • Does the application only run under Internet Explorer or is it Browser independent?
We have recently run a cycle to make our application available in the latest versions of four major browsers (MS IE, Firefox, Opera and Netscape).
We have also established a document explaining the areas to focus on to make a web application (such as ours) browser independent. This document is currently under construction.

  • What were the main difficulties that you had to overcome in the development of the inBanking and ePOS products?
There were many issues and I think it requires a separate discussion thread.

  • Are there any pitfalls that you can forewarn us of?
This should be covered in a separate thread.

  • We do not have much information on the ePOS product; can you let us know what it entails?

  • We have copies of the TRAPEZE design document (2004) and TRAPEZE functional specification for the inBanking product. Are there more recent versions of these documents? Is the user manual for the product available.
No major revisions have been conducted as yet.

  • How do you handle errors within the application?
We have developed our own exception handling and logging framework.
I would recommend that you visit the Patterns and Practices section and check out the Exception Handling and Logging application blocks. I recommend using these application blocks; we are evaluating switching to them as well.

  • GUI Design/Layout - have you used CSS? How difficult has this been? Should we consider using the new master template system within .NET 2005?
I strongly recommend that you use master pages and skins/themes.

  • What tool is used to create layout? e.g. Dreamweaver, GoLive etc…
We use Dreamweaver MX.

  • What points should be borne in mind re: Scalability / Multiple users?
There can be many issues and I think it requires a separate discussion thread. We have not documented any practices.
I personally think that such practices should be documented and made available at the organisation level.

Here I would like to throw some light on what we are keeping in mind to achieve scalability…

  • Open connection only when it is needed

  • Open connection as late as you can

  • Close it as early as possible

  • Identify data which is rarely modified in database and establish data caching policy

  • In ASP .NET 2.0 you can even cache at web controls level

  • Do not place heavy objects in View State

  • Wherever possible, use typed datasets

  • Recommended deployment strategies

  • Establishment of session server

  • Establishment of web forms


  • How have you performed stress testing?
We are not currently performing any application stress testing.

  • When bolting onto an existing system that contains business rules logic, and new rules are required (e.g. governing user access in the web system), have these been separated from the main business rules?
I can’t make out what you are trying to ask.

  • Does ePOS use the business rules of the underlying system or is it standalone?

  • Is security testing of the application done using automated tools or using 3rd party?
No automated tools are currently being used other than FxCop. FxCop is provided as a built-in feature of Visual Studio 2005. It not only provides a mechanism to check the application code for known security issues but also checks the application for scalability issues, naming conventions etc.

  • Was the design of the GUI in-house or passed to 3rd party? Was a static prototype created initially for look and feel?
It is an in-house production and there is no third-party involvement.


  • How have you handled the control of web interface navigation

  • Turn off browser buttons?

  • Stop right clicking?

  • Expire pages to force a refresh?
Turning off browser buttons: can be done if you start your application in full-screen, no-buttons mode.
Stop right clicking: can be done quite easily using JavaScript snippets freely available on the internet.
Expiring pages: it is a very complex issue. Pages are cached at different levels in their life cycle, and these levels may involve IIS itself, the ISP, a proxy and then the browser. If we set the page expiry date in the past, the page is not cached at most of the levels. This is the only measure we are currently taking. For more information, please google this topic. I would love to hear feedback from you as well.
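The server-side half of the page-expiry measure described above, as an added C# example that is not code from the original post: besides the Expires header in the past, it sends the Cache-Control directives that tell the browser, any proxy and the IIS/ASP.NET output cache not to keep a copy of a page that carries account data. It assumes a System.Web reference; the class and method names are my own.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Added example; class and method names are assumptions.
public static class NoCachePolicy
{
    // Expires in the past plus explicit no-cache/no-store directives, so neither the
    // browser, an intermediate proxy nor the server-side output cache keeps a copy.
    public static void Apply(HttpResponse response)
    {
        HttpCachePolicy cache = response.Cache;
        cache.SetCacheability(HttpCacheability.NoCache);        // Cache-Control: no-cache, Pragma: no-cache
        cache.SetNoStore();                                      // Cache-Control: no-store
        cache.SetRevalidation(HttpCacheRevalidation.AllCaches);  // Cache-Control: must-revalidate
        cache.SetExpires(DateTime.Now.AddYears(-1));             // Expires header in the past
        cache.SetNoServerCaching();                              // no copy in the IIS/ASP.NET output cache
    }
}

// Base class for pages that show account data: every page deriving from it gets the policy.
public class NoCachePage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);
        NoCachePolicy.Apply(Response);
    }
}
```

Putting the call in a base page rather than in each Page_Load means a new form cannot be added to the portal without the headers, which is the failure mode that matters here.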

  • How are your ASP.NET projects organised? What file structure is used in the web app / project / source control?
Application level: All resource files are placed in logical grouping (using folders)
Project: Logical grouping
Source Control: Same as file structure but following the rules asserted by our QE department.

  • Are documents produced via the browser? If so how (e.g. PDF / HTML)?
None yet

  • Are Reports produced via the browser, if so how?
None yet

  • Does any data persist from session to session that is not stored in the main database (e.g. incomplete records)? If so how is this handled?
None

  • Is client-side validation (i.e. JavaScript) used or avoided?
I do not advocate the idea of avoiding client-side validation. In our application we have used client-side validation extensively. But since security rule number one is not to trust any input coming in, we also validate it on the server. In ASP .NET we can validate all the inputs by simply calling this.Page.IsValid.
I would highly recommend the use of regular expressions to validate all the input fields. You should establish a separate infrastructure tier which not only provides regular expressions to validate integers, doubles etc. but also complex inputs where business rules are to be followed (such as standard runs like 3m and 6m, and money shortcuts like 10m for 10 million).
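A small validation tier of the kind the answer recommends, as an added C# example that is not the inBanking code: anchored regular expressions for integers and doubles, the standard runs and money shortcuts the answer mentions (3m, 6m, 10m for 10 million), and the CustomValidator hook through which the result reaches this.Page.IsValid on the server. The k and b suffixes, the y (year) run unit and every name are assumptions.

```csharp
using System;
using System.Globalization;
using System.Text.RegularExpressions;
using System.Web.UI;
using System.Web.UI.WebControls;

// Added example; names, the k/b suffixes and the 'y' run unit are assumptions.
public static class InputRules
{
    // Every pattern is anchored with ^ and $ and uses [0-9] rather than \d, so that
    // trailing text or non-ASCII digits never slip through as a "valid" number.
    static readonly Regex IntegerRx = new Regex(@"^[+-]?[0-9]{1,18}$", RegexOptions.Compiled);
    static readonly Regex DoubleRx  = new Regex(@"^[+-]?[0-9]{1,18}(\.[0-9]{1,6})?$", RegexOptions.Compiled);
    static readonly Regex RunRx     = new Regex(@"^(?<n>[1-9][0-9]{0,2})(?<unit>[my])$",
                                                RegexOptions.Compiled | RegexOptions.IgnoreCase);
    static readonly Regex MoneyRx   = new Regex(@"^(?<n>[0-9]{1,12}(\.[0-9]{1,2})?)(?<suffix>[kmb])?$",
                                                RegexOptions.Compiled | RegexOptions.IgnoreCase);

    public static bool IsInteger(string s) { return s != null && IntegerRx.IsMatch(s.Trim()); }
    public static bool IsDouble(string s)  { return s != null && DoubleRx.IsMatch(s.Trim()); }

    // Standard runs: "3m" -> 3, "6m" -> 6, "2y" -> 24 (months); anything else is rejected.
    public static bool TryParseRunMonths(string s, out int months)
    {
        months = 0;
        if (s == null) return false;
        Match m = RunRx.Match(s.Trim());
        if (!m.Success) return false;
        int n = int.Parse(m.Groups["n"].Value, CultureInfo.InvariantCulture);
        months = m.Groups["unit"].Value.ToLowerInvariant() == "y" ? n * 12 : n;
        return true;
    }

    // Money shortcuts: "10m" -> 10000000, "250k" -> 250000, "1.5b" -> 1500000000;
    // a plain number passes through unchanged. decimal avoids floating-point rounding.
    public static bool TryParseMoney(string s, out decimal amount)
    {
        amount = 0m;
        if (s == null) return false;
        Match m = MoneyRx.Match(s.Trim());
        if (!m.Success) return false;
        decimal n = decimal.Parse(m.Groups["n"].Value, CultureInfo.InvariantCulture);
        switch (m.Groups["suffix"].Value.ToLowerInvariant())
        {
            case "k": n *= 1000m; break;
            case "m": n *= 1000000m; break;
            case "b": n *= 1000000000m; break;
        }
        amount = n;
        return true;
    }
}

// Server-side hook: wire these to CustomValidator ServerValidate events. The client-side
// check can be bypassed, so the page consults this.Page.IsValid before using any value.
public class TradeTicketPage : Page
{
    protected void NotionalValidator_ServerValidate(object source, ServerValidateEventArgs args)
    {
        decimal notional;
        args.IsValid = InputRules.TryParseMoney(args.Value, out notional);
    }

    protected void RunValidator_ServerValidate(object source, ServerValidateEventArgs args)
    {
        int months;
        args.IsValid = InputRules.TryParseRunMonths(args.Value, out months);
    }
}
```

Keeping the parsers in one static class means the same rule produces both the stored value and the pass/fail decision, so a value that passes validation is, by construction, the one the business logic goes on to use.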


Other pointers of interest:
  • Consider ATLAS (an alias of AJAX, for asynchronous XML calls) for updating the application UI without a page refresh

.NET Data Access Architecture Guide

http://msdn.microsoft.com/vbasic/using/arch/default.aspx?pull=/library/en-us/dnbda/html/daag.asp

Architecture and Design

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/e2k3/e2k3/ita_TheITAVisualStudioNETProject.asp

Enterprise Application Architecture Perspectives

Information in the enterprise architecture can be viewed from many perspectives and it can satisfy many needs. But four general perspectives are important and are commonly used. These are the business, application, information, and technology perspectives.

The business perspective
The business perspective describes how a business works. It includes broad business strategies along with plans for moving the organization from its current state to an envisaged future state. It will typically include the following:

  • The enterprise's high-level objectives and goals.
  • The business processes carried out by the entire enterprise, or a significant portion of the enterprise.
  • The business functions performed.
  • Major organizational structures.
  • The relationships between these elements.

The application perspective

The application perspective defines the enterprise's application portfolio and is application-centered. This view will typically include:

  • Descriptions of automated services that support the business processes.
  • Descriptions of the interaction and interdependencies (interfaces) of the organization's application systems.
  • Plans for developing new applications and revising old applications based on the enterprise's objectives, goals, and evolving technology platforms.

The information perspective

The information perspective describes what the organization needs to know to run its business processes and operations. It includes:

  • Standard data models.
  • Data management policies.
  • Descriptions of the patterns of information production and consumption in the organization.

The technology perspective

The technology perspective lays out the hardware and software supporting the organization. It includes, but is not limited to:

  • Desktop and server hardware.
  • Operating systems.
  • Network connectivity components.
  • Printers.
  • Modems.

For detailed Information

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnea/html/eaarchover.asp

Things to do before starting to develop a project

Coding standards
Commenting standards
Threat modeling
Exception handling/logging
Authorization, authentication and auditing
Concurrency avoidance policy
Feasibility of existing components
External interface requirements
Knowledge sharing platform
Interface establishment code
Deployment strategies
Component definition (library infrastructure)
Code structure
Caching policy
Recursive code patterns
Assumptions related to hardware, software etc.
GUI controls
Scaling strategy
Technology selection
Secondary technologies (Ajax etc.)
GUI expectations
Reporting
Architecture tiers etc.
Data container for transporting data between tiers
Database independence
Front-end independence
Development language

Tuesday, October 25, 2005

How to roll back transaction completely

If a run-time statement error (such as a constraint violation) occurs in a batch, the default behavior in SQL Server is to roll back only the statement that generated the error. You can change this behavior using the SET xact_abort statement. After SET xact_abort ON is executed, any run-time statement error causes an automatic rollback of the current transaction. Compile errors, such as syntax errors, are not affected by SET

web application performance tips(asp.net)

I am a student of computer science. At this time I am trying to write down some tips for web application performance boosts. For this I have collected some data from Microsoft articles, the Wrox Professional ASP.NET Performance book etc., and from my personal experience. I would highly appreciate your comments, corrections and additions.
Tips
1- Review your database code to see if you have request paths that go to the database more than once. Each of those round trips decreases the number of requests per second your application can serve. By returning multiple result sets in a single database request, you can cut the total time spent communicating with the database. You'll be making your system more scalable too, as you'll cut down on the work the database server does managing requests.

2- The ASP.NET DataGrid exposes a wonderful capability: data paging support. When paging is enabled in the DataGrid, a fixed number of records is shown at a time. Additionally, a paging UI is shown at the bottom of the DataGrid for navigating through the records. The paging UI allows you to navigate backwards and forwards through the displayed data, showing a fixed number of records at a time. One thing I want to mention in this respect is that, in this case, your DataGrid is bound to the whole result set. What if the client needs only 10% of the data in this result set? So in this case I would recommend a slightly different approach, which can be done with the help of a stored procedure: return only the records that are actually needed, together with the record count, correctly calculated, so that the paging can be displayed correctly on the client side.

3- In the ideal application deployment scenario, where your data layer works separately on a data server, effective connection pooling can increase your performance.

4- Effective caching can greatly increase your application's performance, but if it is not done intelligently it can be harmful to your application (out-of-memory exceptions etc.). There are several rules for caching data. First, if data can be used more than once, it's a good candidate for caching. Second, if data is general rather than specific to a given request or user, it's a great candidate for the cache. If the data is user- or request-specific but long lived, it can still be cached, but may not be used as frequently. Third, an often overlooked rule is that you can cache too much and create an out-of-memory error; therefore caching should be bounded. There are several great features of the Cache that you need to know. The first is that the Cache implements a least-recently-used algorithm, allowing ASP.NET to force a Cache purge, automatically removing unused items from the Cache, if memory is running low. Second, the Cache supports expiration dependencies that can force invalidation: time, key and file. Time is often used, but with ASP.NET 2.0 a new and more powerful invalidation type is being introduced: database cache invalidation, the automatic removal of entries from the cache when data in the database changes.

5- A per-request cache is also a very good option in some cases: small improvements to frequently traversed code paths can lead to big overall performance gains. This can be done in ASP.NET using HttpContext.Items.

6- You can achieve performance gains by using worker threads for heavy processing.

7- If you have an ASP.NET page that generates output, whether HTML, XML, images or any other data, and you run this code on each request and it generates the same output, you have a great candidate for page output caching, enabled by simply adding this line to the top of your page. At this point I do agree that page output caching does not make your application more efficient, but it can reduce the burden on the servers.

8- There are a number of drawbacks to the use of view state, however. First of all, it increases the total payload of the page, both when served and when posted back. There is also additional overhead incurred when serializing or deserializing view state data that is posted back to the server. Lastly, view state increases the memory allocations on the server. Several server controls, the most well known of which is the DataGrid, tend to make excessive use of view state, even in cases where it is not needed. The ViewState property is enabled by default, but if you don't need it, you can turn it off at the control or page level. Within a control, you simply set the EnableViewState property to false, or you can set it globally within the page using this setting: If you are not doing postbacks in a page or are always regenerating the controls on each request, you should disable view state at the page level.
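The connection and caching practices from the scalability list earlier on this page (open a connection only when needed and as late as you can, close it as early as possible, cache rarely modified data) and tips 3 to 5 above, as one added C# example. This is not the inBanking data access layer: it assumes SQL Server through System.Data.SqlClient, a System.Web reference for HttpRuntime.Cache and HttpContext.Items, two hypothetical tables (CurrencyPair, and UserRole joined to Role), and a connection string placeholder that a real application reads from configuration.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using System.Web;
using System.Web.Caching;

// Added example; table names, keys and the connection string are assumptions.
public static class ReferenceData
{
    const string ConnectionString = "<PLACEHOLDER: read from configuration, never hard-code>";
    const string PairsKey = "ReferenceData.CurrencyPairs";
    static readonly object PairsLock = new object();

    // Tip 4 / "cache rarely modified data": currency pairs change rarely, so one copy is
    // shared by all requests with a bounded lifetime. Normal priority lets ASP.NET evict it
    // under memory pressure, so a miss must always be able to reload from the database.
    public static List<string> CurrencyPairs()
    {
        List<string> pairs = HttpRuntime.Cache[PairsKey] as List<string>;
        if (pairs != null) return pairs;
        lock (PairsLock) // one loader per miss, not one per concurrent request
        {
            pairs = HttpRuntime.Cache[PairsKey] as List<string>;
            if (pairs == null)
            {
                pairs = LoadCurrencyPairs();
                HttpRuntime.Cache.Insert(PairsKey, pairs, null,
                    DateTime.Now.AddMinutes(30), Cache.NoSlidingExpiration,
                    CacheItemPriority.Normal, null);
            }
        }
        return pairs;
    }

    // Tip 5 / per-request cache: several controls on one page may each ask for the
    // current user's roles. HttpContext.Items lives exactly as long as the request, so
    // user-specific data is safe here, whereas in the application cache it would leak
    // one user's roles to another request.
    public static List<string> RolesForRequest(string userName)
    {
        HttpContext ctx = HttpContext.Current;
        string key = "Roles:" + userName;
        List<string> roles = ctx == null ? null : ctx.Items[key] as List<string>;
        if (roles == null)
        {
            roles = LoadRoles(userName);
            if (ctx != null) ctx.Items[key] = roles;
        }
        return roles;
    }

    // "Open as late as you can, close as early as possible": the connection is opened
    // just before ExecuteReader and goes back to the pool when the using block ends.
    static List<string> LoadCurrencyPairs()
    {
        List<string> result = new List<string>();
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand("SELECT Code FROM CurrencyPair ORDER BY Code", conn))
        {
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read()) result.Add(reader.GetString(0));
            }
        }
        return result;
    }

    static List<string> LoadRoles(string userName)
    {
        List<string> result = new List<string>();
        using (SqlConnection conn = new SqlConnection(ConnectionString))
        using (SqlCommand cmd = new SqlCommand(
            "SELECT r.RoleName FROM UserRole ur JOIN Role r ON r.RoleId = ur.RoleId WHERE ur.UserName = @user",
            conn))
        {
            // A typed parameter, never string concatenation: the user name can only ever be data.
            cmd.Parameters.Add("@user", SqlDbType.NVarChar, 64).Value = userName;
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read()) result.Add(reader.GetString(0));
            }
        }
        return result;
    }
}
```

The two caches differ in scope on purpose: application-wide data goes in HttpRuntime.Cache with an absolute expiry so it is bounded, while anything keyed to the user stays in HttpContext.Items and dies with the request.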

Business Rules Framework

Business Rules Composer:
This application enables you to define vocabularies and build and test rules. The rule-building experience is as simple as dragging and dropping facts and setting properties. You can also publish and deploy policies from here.
Rules Engine Deployment Wizard:
Vocabularies and policies are stored in a SQL Server rule store database. To help you move a vocabulary or policy to another computer, this wizard provides import/export functionality. You can also deploy or undeploy a policy.
Rules Engine:
This is the runtime engine that processes your policies. The engine evaluates rules, based on their facts, and decides which actions need to be executed. It also supports complexities like forward chaining. Forward chaining refers to the situation where your rule actions modify the facts used in your policy; as the underlying facts change, the engine determines when it needs to re-evaluate your rule conditions.

configuration of iis with asp.net and other related issues

aspnet_regiis.exe -i

http://support.microsoft.com/default.aspx?scid=kb;en-us;306005

http://support.microsoft.com/default.aspx?scid=kb;en-us;318465

Understanding the .NET Framework - The .NET Architecture

http://www.aspfree.com/c/a/.NET/Understanding-the-.NET-Framework/1/

Specifying the tab order in ASP.NET controls

In the body tag, write this to set the focus on the first control:
onload="javascript:document.Form1.TextBox1.focus();"
Every control has a property, TabIndex. Start numbering the tab index of the controls from 1. For the controls that you do not intend to include in the tab order, assign a tab index of -1.
Note: if 0 (zero) is assigned to the controls, then the tab order is the order in which the controls were added to the form.

Wednesday, October 05, 2005

Implementation of Factory pattern, Smart Client and Reflection.

All these tricks can be achieved through reflection, an amazing thing that I thought a lot about in my early programming days. In the end I got all these functionalities through reflection. A smart client is a Windows-based application that dynamically refers to some assemblies which reside somewhere else, with the help of IIS.


using System;
using System.Reflection;
using System.Windows.Forms;

// SmartClient and Splash are forms in the client project
SmartClient objSmartClient = new SmartClient();
// Display the splash screen while the assembly is fetched
Splash splash = new Splash();
splash.Show();
Application.DoEvents();
// Set the URL to load the assembly from (a local path here; for a smart client, an IIS URL)
string strURL = @"C:\Documents and Settings\alif\My Documents\dotnetprojects\SmartServer\bin\Debug\Smart.exe";
// Set the class to call
string sClassName = "MySmartClient.SmartForm";
// Load the assembly; its code runs with this process's rights, so load only from a location you control
Assembly assemblyContent = Assembly.LoadFrom(strURL);
splash.Close();
// Get the Type for the class
Type typeContent = assemblyContent.GetType(sClassName);
// Invoke the static Main method of that type
typeContent.InvokeMember("Main",
    BindingFlags.Public | BindingFlags.InvokeMethod | BindingFlags.Static,
    null, null, null);