Category Archives: CodeProject

Modern Configuration for ASP.NET 4.7.1 with ConfigurationBuilders

I’ve been thinking and working with application configuration in ASP.NET applications for years, and its become a tool that I’m very comfortable using. I can add AppSettings, create configuration sections, and manage connectionstrings without thinking twice. However, there is a problem with the current ConfigurationManager and the XML-based config file offering in the .NET Framework: how do I get configuration entries from other sources into my application so that I don’t need to build my own configuration client and tools?  Continue reading

Muggles Don’t Understand Your Release Notes

Hey software friends, we need to talk.  In 2016, 61% of Americans are carrying smart phones and that means they’ve also got an app store on a device in their pocket.  My iPhone reports to me when I have updates to applications that need to be installed.  Many times, I see a screen that looks like this on my phone:

Release Notes Gone Bad

Release Notes Gone Bad

I’ve hidden the application names and icons in an effort to protect the innocent.  The problem with this approach is easy to identify when your non-technical friends and family members ask about the update notifications like this on their phones or tablets.  The conversation sounds something like:

“What are these updates my phone wants me to install?”

“There are some bug fixes for the applications you have installed that the author of those apps wants you to install”

“Will it fix that issue that I’m having and I’ve been calling you about?”

“I don’t know, the update just indicates, ‘various improvements and bug fixes'”

“Then I’m not installing it, it will probably just make my problem worse”

This is not a drill… Everyone is reading your release notes!

Seriously tech friends – when you publish software updates, people want to know what you are changing.  Other tech workers may stomach a “fixes and updates” release note every now and again, but in a world where the non-technical are seeing your notes, this is an opportunity for customer service engagement and you’re doing a TERRIBLE JOB at it.

When I used to publish release notes for NuGet, an open source project, I would give a one or two sentence description of the issue addressed and a link to the original issue on GitHub that discusses the reported issue and links to the software that fixed it.

Some of my NuGet Release Notes

Some of my NuGet Release Notes

Do you need to be this in-depth?  No… but give us a reason to install your update.  If you don’t have space in the minimal field size allocated on your app store or package management service, provide a link for more details.  You can list more in a blog post, a release notes part of your docs, and even include images to show off your cool updates.

Please software authors – start telling us a little more about what work you’ve accomplished in each release.  Its the right thing for your customers to show them that you are fixing things that they care about and gives credit to your development team for their accomplishments.

Where Did My ASP.NET Bundles Go in ASP.NET 5?

Stuffed BagEdit: There is now a screencast version of this post available.

Since ASP.NET 4.5 in 2012, developers have had access to a pair of tools in their ASP.NET toolbox called “bundling and minification”.  This feature would direct the webserver to combine together CSS or JavaScript files into one extra-large file and then apply a minification algorithm to shrink the size of the file for delivery.  In ASP.NET 5 however, this feature is no longer available.  In this article, I’ll review where bundles were configured and how you can migrate them to the recommended deployment model for ASP.NET 5

Continue reading

Get Started with ASP.NET MVC TagHelpers

Tag HelperWe are almost to the BETA cycle of ASP.NET vNext, and I’ve been following the ASP.NET team’s development on GitHub.  If you didn’t know already, the all-star developers at Microsoft are cranking away on the next version of ASP.NET in a completely open-source model.One of the cool new features set to be released with the next version is a significant addition to the HTML Helper model that we currently have in MVC 5, and its called TagHelpers. Continue reading

Authentication, Authorization and OWIN – Who Moved My Cheese?

I was working with one of my ASP.NET projects this weekend and ran into an interesting

problem while I was debugging.  This application was written from the ground up to use ASP.NET identity and OAuth security for all of my authentication and authorization needs.  That also means that my application follows the new default layout for an ASP.NET web forms application, with account management and login capabilities reside in the /Account folder structure.

An interesting series of things happens to web.config when we adapt the OAuth security management in ASP.NET 4.5+  What follows is what I have learned the hard way…

Authentication Information in Web.Config disappears

If you’re a long time developer with ASP.NET like me, you’re accustomed to the FormsAuthentication configuration in web.config.  With the new authentication and identity modules in ASP.NET 4.5, all of this goes away.  This really tweaked me at first, I got confused and followed the code… and trust me, its all good.

Web.Config has its authentication turned off and all identity providers removed.  Check out this snippet from a fresh web.config in a new ASP.NET 4.5 application:

    <authentication mode="None" />
    <!-- other stuff -->
        <clear />
        <clear />
        <clear />
    <!-- other stuff -->
      <remove name="FormsAuthentication" />

That’s some scary stuff right there.  Everything that I’ve known since ASP.NET was released in 2002 screams out: NOOOOOooooooo!  This is the necessary configuration to turn off all of the embedded and automatically activated security modules in ASP.NET  With that functionality shut off, the OAuth security module can step in.

OAuth Security Configuration

Instead, all of the security configuration goodness is kicked off in a new OWIN-compliant manner from within Startup.cs on the root of the application.

[assembly: OwinStartup(typeof(MyApplication.Startup))]

namespace MyApplication
  public partial class Startup
    public void Configuration(IAppBuilder app)

Check out that attribute at the top of the file, an OwinStartupAttribute that points to this class that contains the codified configuration of the application.  The class is required to have a Configuration method with the same signature in this snippet.  I’m not clear why the class does not adhere to an interface that enforces the presence of this method, but this is the requirement.  You can see from here, that it calls the ConfigureAuth method in the App_Start/Startup.Auth.cs file.  Its in there that we can find all of the configuration for managing the authentication of resources in the application.

public void ConfigureAuth(IAppBuilder app)
  // Stuff to configure the Identity data storage
  // Enable the application to use a cookie to store information for the signed in user
  // Configure the sign in cookie
  app.UseCookieAuthentication(new CookieAuthenticationOptions
      AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
      LoginPath = new PathString("/Account/Login")
      // other stuff
  // more stuff down here

This is where I was thrown for a loop.  How does ASP.NET know where my login page is?  Its defined right here with the LoginPage configuration property inside of the CookieAuthenticationOptions class.

How is Authorization Handled?

Finally, how is authorization to pages handled?  In the past, I would write blocks of XML with authorization elements that looked similar to the following…

  <location path="Admin">
        <deny users="?" />
        <allow roles="Admin" />

The good news is that none of that has changed, and we can continue to code high-level authorization rules inside of web.config files in ASP.NET 4.5.


Its not a good idea to tinker with the default security configuration of ASP.NET unless you know where all of the moving pieces are.  In the past, I knew where everything was referencing from web.config through global.asax.cs to verify connections to my application where authenticated and authorized. In the new Owin enabled ASP.NET, those pieces have moved and are now very descriptive in their new locations.  Coming soon, I have a Pluralsight course that will discuss all of the cool things that you can do to configure ASP.NET OWIN security and other Advanced topics.  I look forward to delivering it for you in the very near future.