TeamMentor is ASP.NET, yes, but not as you've seen it often elsewhere

by Kofi Sarfo 20. April 2013 08:32

The SPA [Single Page Application] is all the rage... err, and has been for a while. Gmail appeared in 2004. In that light TeamMentor ought not to seem unusual, but it does. At its heart, it is a Single Page Application with a twist.

TeamMentor is an ASP.NET Webforms application but there isn't a single postback. Plus, it's built on top of the O2 platform which means extension methods everywhere. There is a presentation on the platform given by its creator, @DinisCruz, entitled "OWASP O2 Platform - Automating Security Knowledge through Unit Tests". It's designed to offer something like a Strongly Typed Python.

Opening the solution reveals Global.asax.cs is a wrapper for an O2 action pipeline per application/session event. The start page TeamMentor.html shows that the views are dynamically loaded using JavaScript. Also, there's hand-rolled bundling and minification rather than taking a dependency on ASP.NET MVC 4. It might be worth asking Dinis why he prefers using techniques he's discovered ahead of ASP.NET implementations.

At first glance, it's an interesting piece of software with a good amount of thought behind it. There's an interesting philosophy driving its development and implementation pulls inspiration from other languages / practices. I'll happily pair with anyone on this for an hour or two if you're so inclined.

Disclaimer: I'm not a Web Developer.

In return for your time I'll buy you dinner.



Open Source Security

by Kofi Sarfo 17. April 2013 09:20

A little over a year ago I began working on my|deposits Scotland, an ASP.NET MVC3 web application for managing tenancy deposits. It was a month into the project before the subject of security arose and without any security expertise in the team, the podcast episode in which Troy Hunt Secures ASP.NET was welcome and timely.

Fast forward twelve months and I've been invited to help Security Innovation with their product, Team Mentor, which helps development teams reduce application security risk. It's quite a departure from the multi-threaded, multi-process, service oriented architecture work for pricing journeys at Transport for London. It's a good excuse to return briefly to some web development between these server-side gigs.

This project is a little unique in that all the source code is available on github. It's an interesting model in that the platform is entirely free and is designed to serve as an example of best practise, besides allowing analysis using the tools available once compiled/hosted. So the license (less free), essentially, grants access to the encyclopedia of vulnerabilities and prevention guidance.

I'm working with @diniscruz for the next ten days. This looks interesting,

Typical 2356% APR On a Payday Loan Does Seem Quite An Incredible Offer!

by Kofi Sarfo 1. January 2010 14:37

The Vanilla BlogEngine.NET allows comments to be posted via an HTTP post which is great in terms of enabling an AJAX implementation for blog post comments. However, it's great too for spam bots, almost exclusively, offering pay day loans throughout the comment sections of this site. One new year's resolution was to implement a solution using ReCaptcha. In this case the solution may require writing no code.

StackOverflow: How would one integrate ReCaptcha in to ( C#)?

The Poor Man's XLink-Like Thing

by Kofi Sarfo 23. September 2009 01:18

The following StackOverflow post is interesting not so much because of the text but how it's rendered.


We begin with a <div> tag which contains an expected id attribute format and using a jQuery regular expression we're able to match all div elements with an "id" attribute beginning "RSSContent".

<div id="Container">
  <div id="RSSBlock">
    <div id="RSSContent200909222115" title=""></div>
  </div>
</div>

The "title" attribute of each matched element is used in an HTTP POST with content type application/json to a web service, which acts as a proxy to overcome JavaScript's cross-domain scripting constraints (the browser's same-origin policy). This returns the post above which I found useful recently.

It's not an elegant solution. I've hacked the div element, using the "title" attribute to hold the URL and the directory structure isn't great either. The web service creates a user control which appears to work only in the root directory and the web application project requires a reference to an identical control in another project. The things we do for code compilation!
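Because the proxy described above fetches a URL taken from the page's markup, the web service is the place to check that target before fetching. The block below is an added example in JavaScript, not the blog's ASP.NET web service; the allow-list contents, the sample URLs in the comments and the function name are assumptions.

```javascript
// Added example: validate a client-supplied URL before a server-side proxy fetches it.
// ALLOWED_HOSTS and isAllowedProxyTarget are hypothetical names, not from the blog's code.
var ALLOWED_HOSTS = new Set(['stackoverflow.com', 'www.stackoverflow.com']); // assumption

function isAllowedProxyTarget(rawUrl) {
  var url;
  try {
    url = new URL(rawUrl); // throws on relative or malformed input
  } catch (e) {
    return { ok: false, reason: 'not an absolute URL' };
  }
  // Only web schemes: a feed proxy has no reason to open anything else.
  if (url.protocol !== 'http:' && url.protocol !== 'https:') {
    return { ok: false, reason: 'scheme not allowed' };
  }
  // "http://stackoverflow.com@other.example/" parses with other.example as the host,
  // so anything carrying userinfo is refused outright.
  if (url.username || url.password) {
    return { ok: false, reason: 'credentials in URL' };
  }
  // The parser normalises the scheme's default port to ''.
  if (url.port !== '') {
    return { ok: false, reason: 'non-default port' };
  }
  // Exact host match; a suffix test would accept "stackoverflow.com.other.example".
  if (!ALLOWED_HOSTS.has(url.hostname.toLowerCase())) {
    return { ok: false, reason: 'host not on allow-list' };
  }
  return { ok: true, url: url.href }; // fetch the normalised form, not the raw input
}
```

The same check has to be repeated on every redirect the proxy follows, otherwise an allowed host can hand the request on to one that is not.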

The end result is that rather than cut & paste, which would have been far easier, we're using an external resource to supply text so that if the RSS feed item was to change, for example, then we'd still display the most current version.

An XLink implementation, this is not. It's just an example of how I thought the web might work sometime soon after 2001... What we're missing here, conceptually at least, is meta to describe the relationship between this post and the one referenced. Well, in this case the meta is only human-readable and quite incomplete.


Interview with the Hedge Fund

by Kofi Sarfo 24. August 2009 00:03

We interviewed with a London-based Hedge Fund last Friday and, as usual, it was interesting. The first guy I saw (head of development) is a graduate of Conchango, a company that writes software of excellent quality using good developers, the latest software technology and techniques, etc. Also, they often kindly host the London Dotnet User Group meetings at their offices near London Bridge.

Naturally the interviewer asks fair questions along the lines of Value Types versus Reference Types and Garbage Collection. Inheritance and Shadowing. So far so good. Only when we get to the Messaging architecture used and extended at the previous client's site is there a little uncertainty. Without the source code, which we didn't take with us, we can't remember enough detail about the implementation from July 2008 so there's one shaky answer.

Next up is a question about our exposure to SQL Server 2005. Yup, we used it. Oh, which bits? That will be the new Try-Catch (after a little prodding about error-handling). We mention not having used CLR functions but being aware of the possibility which leads to a question about the components of the CLR... and we've a blank moment!

The JIT compiler! In fact we mentioned just JIT.

This is *all* that arrives. That's it. Nothing about Exception-Handling, Memory Management, Thread Management, Garbage Collection, Security, Managed Code, Type Safety - this is an impressive list already - Portable Executables nor IL never mind debugging and profiling services offered. Oh, there's more that wasn't mentioned. Code management (loading and execution), Application memory isolation, Access to metadata (enhanced type information) and Interop. Nice.

Then comes the first of a few quirky incidents. Hint: If ever an interviewer testing your C# knowledge offers the Base Class Library as a component of the CLR it's probably worth saying something. To prevent an already lengthy entry from growing needlessly still a summary will do here. When Interviewer #1 is replaced by a senior developer I then learn that impersonation does not work the way I've used it. Apparently, I've misunderstood all along that using the identity element in the web config for an ASP.NET web application will not allow me to use credentials for a SQL Server connection. Maybe at that point I should have just looked it up on my iPhone and shown him this:

<identity impersonate="true" userName="domain\username" password="password" />

Of course that might have seemed a bit smug. Both nice guys. Both almost certainly good developers. I'd still like to work with them on the enterprise reporting solution due by the end of the year. However, during my next interview we won't assume that the interviewers have a monopoly on .NET understanding.

Thank you, John Resig!

by Kofi Sarfo 17. June 2009 04:56

So we had the option of writing some code in order to determine browser responsiveness to see whether the code in the last post - AJAX and the URL short(ening) - was in fact asynchronous... or use jQuery which we know is most definitely AJAX. Really, we're not in the mood for poking under the hood.

There was a wee bit of pain in the why now isn't this working stakes, some edits later and it did. Mysteriously. So I didn't touch it anymore. A case of Programming by Coincidence?

<script src="Scripts/jquery-1.2.6.js" type="text/javascript"></script>
<script type="text/javascript">
$(function() {
    var getBitlyUrl = function() {

        // set up default options
        var defaults = {
            version: '2.0.1',
            login: 'bitlyapidemo',
            apiKey: 'R_0da49e0a9118ff35f52f629d2d71bf07',
            history: '1',
            // encode the user-supplied URL so it cannot add or override query parameters
            longUrl: encodeURIComponent($('#rawUrl').val())
        };

        // Build the URL to query
        var daurl = ""
            + "version=" + defaults.version
            + "&longUrl=" + defaults.longUrl
            + "&login=" + defaults.login
            + "&apiKey=" + defaults.apiKey
            + "&history=" + defaults.history
            + "&format=json&callback=?";

        // callback=? makes jQuery issue the request as JSONP
        $.getJSON(daurl, function(data) {
            // response handling not shown
        });
    };

    $('#getUrl').bind('click', getBitlyUrl);
});
</script>

The body is the same as in the previous post. It's that easy. Great library.

One of the leetlest problems we had was with receiving a 'permission denied' error when omitting "&format=json&callback=?" from the default URL. Solution and Nabble discovery all at the same time!
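The query string in this post is built by concatenating the contents of the #rawUrl text box, so whether that value is percent-encoded decides what the API actually receives. The block below is an added example, not code from the post; the function names, the sample URL and the placeholder login and key are constructed for illustration.

```javascript
// Added example: what a query-string parser sees when a user-supplied URL is
// concatenated raw versus percent-encoded. All names and values are constructed.

// Raw concatenation: the value is inserted exactly as typed.
function buildQueryNaive(p) {
  return 'version=' + p.version + '&longUrl=' + p.longUrl +
         '&login=' + p.login + '&apiKey=' + p.apiKey + '&history=' + p.history;
}

// Every key and value is percent-encoded, so '&' and '=' stay inside the value.
function buildQueryEncoded(p) {
  return Object.keys(p)
    .map(function (k) { return encodeURIComponent(k) + '=' + encodeURIComponent(p[k]); })
    .join('&');
}

// Collect every value seen per key, the way a server-side parser would.
function parseQuery(qs) {
  var seen = {};
  new URLSearchParams(qs).forEach(function (value, key) {
    (seen[key] = seen[key] || []).push(value);
  });
  return seen;
}

var sample = {
  version: '2.0.1',
  longUrl: 'http://example.com/search?q=cats&history=0', // constructed input
  login: 'demo-login', // placeholder
  apiKey: 'demo-key',  // placeholder
  history: '1'
};

var naive = parseQuery(buildQueryNaive(sample));
var encoded = parseQuery(buildQueryEncoded(sample));

// Raw: longUrl is cut at its own '&' and a second history value appears.
console.log(naive.longUrl, naive.history);
// Encoded: longUrl arrives intact and history keeps its single intended value.
console.log(encoded.longUrl, encoded.history);
```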

AJAX and the URL short(ening)

by Kofi Sarfo 16. June 2009 23:42

A popular choice for shortening URLs on Twitter is It's just so nice and tidy with great analytics. For example, not long after shortening we discovered that there have already been 2,659 clicks to that URL via

I am using the C# API from @kersney by the way and found out that does do the sensible thing and return the same shortened URL each time you supply an unadulterated URL. What I've not yet done is built chains of shortened URLs that lead to each... seemingly endless possibilities! What the C# API code is missing is &history=1 querystring parameter to have the shortened URL added to the list displayed in History.

Some Default.aspx code to give this a go:

<form id="form1" runat="server">
  <div style="width: 100%;">
    Original URL:
    <asp:TextBox ID="TextBox1" runat="server" Width="100%"></asp:TextBox>
    <div style="text-align: right; width: 100%">
      <asp:Button ID="Button1" runat="server" Text="Shorten" onclick="Button1_Click" />
    </div>
    <asp:TextBox ID="TextBox2" runat="server"></asp:TextBox>
  </div>
</form>

And some codebehind:

protected void Button1_Click(object sender, EventArgs e)
{
    TextBox2.Text = API.Bit("bitlyapidemo", "R_0da49e0a9118ff35f52f629d2d71bf07", TextBox1.Text, "Shorten");
}

Now we pretend that takes ages to return a shortened URL so we use javascript instead.

<script src="


<script type="text/javascript">

// Callback invoked with the API response
BitlyCB.shortenResponse = function(data) {
    var s = '';

    var first_result;
    // Results are keyed by longUrl, so we need to grab the first one.
    for (var r in data.results) {
        first_result = data.results[r]; break;
    }
    for (var key in first_result) {
        s += key + ":" + first_result[key].toString() + "\n";
    }

    document.getElementById("bitlyUrl").value = first_result['shortUrl'];
};

function getBitlyUrl() {
    BitlyClient.shorten(document.getElementById("rawUrl").value, 'BitlyCB.shortenResponse');
}
</script>

No prizes for guessing the elements in the document.

<form id="formeula1" runat="server">
  <div style="width: 100%;">
    <br />Original URL:
    <br /><input type="text" id="rawUrl" size="100" value="" />
    <input value="Shorten" type="button" onclick="getBitlyUrl()"/>
    <br />
    <br /> URL:
    <br /><input type="text" id="bitlyUrl" size="20" />
  </div>
</form>

So, there are no postbacks anymore but does this make it AJAX? Honestly, I have no idea. I see mention of callback_method_name in the javascript api so my guess is that, yes, this is asynchronous. But shall we bother to test this or do we try and involve jQuery?

I wonder whether I can piggy-back Twitter authentication

by Kofi Sarfo 15. June 2009 00:46

Didn't really fancy maintaining credentials for an application that is designed to work in tandem with Twitter so enter "An open protocol to allow secure API authorization in a simple and standard method..."

What is this new thing then and why had I not heard of it before? See October 2007 entry in Hueniverse: Beginner’s Guide to OAuth. Not so new then.

Also, a little while ago we were in a room with developers and they brayed when asked if anyone liked the ASP.NET 2.0 Membership Controls. I think the Login control was mentioned specifically. They worked fine for me. So we go looking for reasons this - their seeming unpopularity - might be. Stack Overflow (because there's been no reference in minutes) answers one question of what to use for membership in ASP.NET. We're still none the wiser.

And there's more from the timely discoveries department. Tweetsharp: "A C# fluent interface for Twitter, designed for app developers" -- downloading source. I remember being corrected for returning this (or it could have been me) circa 2004 which we did so that we could chain methods but I can't remember what the argument against it might have been.

BlogEngine.NET Deployment

by Kofi Sarfo 2. June 2009 05:53

First take involved opening solution in Visual Studio 2008 and publishing to localhost and then using FTP to send files individually whereupon we discover that using O2 mobile broadband (via USB) results in files arriving "successfully" on remote web server with file size 0KB. Yuck! Many more takes to replace "successfully" transferred files. Don't blame FileZilla because it's doing only as it advertises and we've had issues with FTP ourselves quite recently from within code we'd written.

Digression: It was necessary to compare file content between local and remote files before assuming successful transfer. Not pretty. Never discovered a better solution that didn't involve MoveIt.

Finally everything copied across and directory turned into Web Application using the DiscountAsp.Net unsurprisingly named Web Application Tool. Instead of blog appearance we have this compilation error!

So it turned out there are at least two ways of resolving this without trying to understand intricacies of ASP.NET Dynamic Compilation and being frustrated by not being able to delete Temporary ASP.NET files on a remote server which denies access to said directories and probably with good reason. Wondering why WebDAV isn't an option here though... probably a good reason I'm not aware of.

If you see this then everything's turned out okay. Global warming has been corrected. If you care in even the slightest this application defaults to using an XML file datastore and so we need to weigh up whether there's any advantage to pushing this into SQL Server. Climb the mountain because it's there? Okay, it's probably not quite a mountain and we'd not do it in a tutu.


MSDN: Understanding ASP.NET Dynamic Compilation

Post Script:

It's a love/hate relationship with Infrastructure.

  • By their being responsible for deployment I'm sometimes spared the headache of failed deployment.
    • In this first instance someone else discovers/solves the problem.
  • By their being responsible for deployment I'm sometimes victim of failed deployment.
    • In the second instance someone else *is* the source of the problem.

Poetry very incidental.

Stack Overflow: Who is using BlogEngine.Net for their blog?

by Kofi Sarfo 1. June 2009 04:38

I'm missing another superlative for Stack Overflow. Whilst trying to decide between BlogEngine.Net and SubText for this blog - using Google as is how every but every decision is made now - the following became apparent:

  • BlogEngine code is likely to provide the more interesting read
  • SubText is going to be rewritten to use ASP.NET MVC
  • One is more stable than the other, supposedly

In other news I attended a London .NET user group talk at Microsoft last Thursday (ASP.NET Webforms versus ASP.NET.MVC) in which I learnt that I fall into the second category of developer: those who want to build apps so that they can charge a client. Eight weeks without a client can do that to you. The argument had the expected key themes:

  • Why must we suffer View State?
  • Web development should be about being -
    • pragmatic (Webforms)
    • elegant and of highest quality possible via Test Driven Design/Development (MVC)
  • ASP.NET MVC currently lacks the cushion (view designer, etc)

There were some discoveries. Diary of a Dotnet Developer: What I learned last week. This was easily the best Microsoft tech talk I've been to yet. The Clash of the Titans (Microsoft Web Framework Fight)

It's been a while since I did any web development so I was going to write a web site first using ASP.NET old school (.Net Framework 1.2) and do the same again using ASP.NET MVC with as much of .Net Framework 3.5, Nant, NUnit, Rhino Mocks and NHibernate that I might be able to fit in sensibly. I've yet to settle on a preferred IoC implementation. Between this talk and Jon Skeet's C# in Depth (Amazon) perhaps I have enough of the pieces to put this together and more than enough time to play with jQuery besides. I'm told there's more to AJAX than UpdatePanel.


Stack Overflow: Who is using BlogEngine.Net for their blog? Does it run well? Will it scale? :P

Mason Lyngby: Switched from SubText to BloggingEngine.NET
