Thursday, December 22, 2005

Indigo (WCF) is going to be huge….

Indigo, or more correctly WCF: Windows Communication Foundation, is going to be huge. After taking a few hours out to read the latest MS white papers on it my immediate reaction was where and when can I get this! I’m currently envisaging the architecture of a large SOA (Service Oriented Architecture) and Indigo appears from even a quick look to be a very good fit for rampantly decreasing the amount of infrastructure coding that would need to be done.

Basically, if you are working on an SOA project, or an SOA/EDA (Event Driven Architecture), there is a multitude of plumbing tasks that need to be done to allow services to be easily delivered when you get rolling. This includes things like communication endpoint configuration, implementing the correct WS-Security facilities, ensuring these are followed, having common mechanisms to achieve these things irrespective of whether the service is called via a queued or web service interface, handling distributed transactions, etc.

WCF does all this and more. The two main things that I liked about it are the following:

Firstly, you have independence of transport/protocol/binding from the actual service. So if you want a service to be called via MSMQ for some operations, and via web services for others, that’s all supported. In fact WCF appears to provide a commonality across standard web services (think ASMX), MSMQ, Remoting and Serviced Components. The configuration couldn’t be easier and all the WS options you ever wanted, such as security and reliable delivery as well as transactional control, are all there.

I can see this halving or more the amount of infrastructure coding that would be required compared to an SOA project that was started today without WCF.

Secondly, MS has taken a big step up from the web services that were provided from VS2002 (.Net 1.0) onwards. Under WCF the tools generate interfaces rather than concrete proxy client and server classes.

Up until and including 2005, Visual Studio and associated tools always generated concrete proxy classes, which meant you wound up with what was a static and frustrating class that you would need to somehow encapsulate further on the client side if you wished to provide added methods for client applications to easily use. In effect you would need to build another entire layer on the client side to gain ease of use, but with much more cost.

Now with WCF you get a client interface class and you simply implement it in your concrete client class. You can do likewise on the server side. Thus both sides are singing from the same hymn sheet and both sides of the contract can implement as they see fit. You can still let the tools generate the proxy client and server classes if you wish, but the tools sensibly do this as a concrete implementation off the generated interfaces.

I personally can’t wait for WCF and will be experimenting with it at home as soon as I can. If you are doing serious SOA/EDA applications development in any environment, check out WCF as soon as you can. If nothing else you can ensure that your architecture is compatible with WCF so that cutting over to it at a future date will be relatively painless. If you don’t get a heads up on WCF, you probably risk reinventing what is going to be a pretty big wheel when it arrives!

An excellent paper on WCF for developers through to architects can be found here:

Thanks to Nils van Boxsel from MS Canberra for pointing me in the right direction for WCF.

Wednesday, December 07, 2005

Would you call this a Windows Security Hole?

We've all done it. Suddenly remembered we are late for the bus, the tube, the subway, the metro, the dinner date, the anniversary, the pub. We decide instead of just locking the workstation with WindowsKey-L or with CTRL-ALT-DEL -> Lock Workstation we had better actually log off or shut down. I've got 12 windows open but what the heck. There was nothing important or unsaved there.

After we see it's on the way down we bolt out of the office. ZAP! Believe it or not this might be the simplest security issue in Windows and you've fallen straight into it, exposing your PC and company to the simplest of intrusions.

The other night I shut down my XP PC and went to bed, only to find a whining noise and glowing screen greeting me in the morning. What the heck? Well it seems I had an unsaved Word document open and the whole OS was sitting at a "Do you want to end this task?" dialog. The terrifying thing was I could press Cancel, then press Cancel at the underlying "Do you want to save this file?" dialog and hey presto I was still logged in!

This got me thinking. Was this just my XP PC? So I have since tried this on Windows 2000 workstation and Windows 2003 Server and it seems the same. In fact you can probably try it at your PC right now with nothing more than WordPad. Here's how:

Start up WordPad. Type in a line of text. Go to the Start Menu on the task bar. Select Log Off or Shutdown. Confirm the Logoff. Within a few seconds you will get the WordPad save dialog, and after about 15 seconds an End Program? dialog. And there you will stay. And with just 2 presses of a cancel button you are back to a desktop as the last logged in user!

Even more insidious seems to be that the screen saver does not cut in correctly. I had the basic starfield screen saver set at 1 minute. After I pushed cancel at the End Now? dialog I was left with an odd screen with just my background picture. A quick press of CTRL-ALT-DEL and the desktop came back; cancelling the Task Manager, I was back in.

This also seems to happen even without any obvious programs running. Sometimes some not so well written freeware programs running in the background or dubious drivers for some peripheral take a dislike to being sent the Windows terminate event. Again Windows appears to be left at the End Now? dialog.

Now imagine if that spiteful co-worker, that guy from the next cubicle who is not cleared to your level, that nosy security guard on his rounds, that cleaner who's not really a cleaner or his kid who knows all about these computer thingys from school decides to just have a play on your machine. You can guess the rest.

A Windows logout or shut down should be just that. Irreversible, final. If you have something open and unsaved, it's your problem; you should be warned but the waiting programs should be terminated within the shortest possible time. Any background programs or drivers that refuse to play the game should receive similar short shrift from the OS. Maybe there is a setting to cause this to happen but I don't know of it. Please tell me if it's so. Maybe this is all history in Windows Vista, but I haven't played with the Beta yet to find out.

Yes, I hear you say, users should be more careful and stick around for the whole 2 minute+ shutdown to complete in some cases. But the OS should at least meet them half way and save them when they don't. Advanced Passwords, Certificates, 1024 bit encryption, SSL, WSE 3.0, Code Access Security and a host of other security solutions are wonderful weapons for cybersecurity in the 21st century.

But when we don't even log off even when we think we have, it's all a bit of a moot point, isn't it?
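
The post asks whether a setting exists to make logoff terminate waiting programs. The following is an added example, not part of the original post: a PowerShell audit of the per-user registry values `AutoEndTasks`, `HungAppTimeout` and `WaitToKillAppTimeout` under `HKCU\Control Panel\Desktop`, which govern that wait. The function names and the 5000 ms timeout are assumptions chosen here, and Windows PowerShell is assumed to be installed.

```powershell
# Added example: audit the per-user logoff/shutdown wait settings.
# All three are string (REG_SZ) values; a missing value means the OS default.
$DesktopKey = 'HKCU:\Control Panel\Desktop'
$ValueNames = 'AutoEndTasks', 'HungAppTimeout', 'WaitToKillAppTimeout'

function Get-LogoffStallSetting {
    param([string]$Path = $DesktopKey)
    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($name in $ValueNames) {
        $value = $props.$name            # $null when the value is not set
        if ($null -eq $value) { $value = '(not set, OS default)' }
        New-Object PSObject -Property @{ Name = $name; Value = $value }
    }
}

function Test-LogoffCanStall {
    # True when Windows will wait at an "End Program" prompt instead of
    # force-closing applications that do not exit at logoff.
    param([string]$Path = $DesktopKey)
    $auto = (Get-ItemProperty -Path $Path -ErrorAction Stop).AutoEndTasks
    return ($auto -ne '1')
}

function Set-ForcedLogoff {
    # Assumed policy (not from the post): end tasks automatically and cut both
    # waits to $TimeoutMs. Unsaved work in open applications is discarded.
    param([string]$Path = $DesktopKey, [int]$TimeoutMs = 5000)
    Set-ItemProperty -Path $Path -Name AutoEndTasks -Value '1' -Type String
    foreach ($name in 'HungAppTimeout', 'WaitToKillAppTimeout') {
        Set-ItemProperty -Path $Path -Name $name -Value "$TimeoutMs" -Type String
    }
}

Get-LogoffStallSetting | Format-Table Name, Value -AutoSize
if (Test-LogoffCanStall) {
    Write-Warning 'AutoEndTasks is not 1: logoff can stop at an End Program prompt.'
    # Set-ForcedLogoff    # uncomment to apply for the current user
}
```

The values are per user and are read at logon, so a change applies from the next session; rolling them out to many accounts is a job for a logon script or Group Policy registry preference.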