logo

Adding Security To The 5 Minute ASP.NET MVC CRUD App

Yesterday I showed how I could build a CRUD app in ASP.NET MVC 3 in about 2m 30s.

As was pointed out it came without any security, whereas Domino apps come with it by default.

Well, here's another stab at the same ASP.NET app. This time I include not only user authentication (forcing users to login before creating a new contact record) but also some basic validation of required fields. All still inside 5 minutes:

Again, let me re-iterate the point that this whole exercise is merely intended as a bit of fun. At no point have I said "ASP.NET is better than Domino". No single platform could ever be singled out as the "best".

I do all this to try and educate and show you another side to things. There seems to be an assumption that anything that is easy with Domino has to be complicated in anything and everything else. That's simply not the case.

While I appreciate how simple things are in Domino (and miss aspects of that) what I like about other platforms are the lack of restrictions. With ASP.NET I can pretty much make my apps do whatever I and, most importantly, my customers want them to.

Comments

  1. It's a draw now. :-)

    Let's wait for next round.

      • avatar
      • Jake Howlett
      • Fri 25 Mar 2011 05:38 AM

      I want to see Domino (classic and/or xpages) do server-side field-level validation as easily as I did in the above demo.

      Have things changed in the last seven years since I wrote about how hard it is to do server-side validation in Domino, without creating "temporary" documents in the DB:

      http://www.codestore.net/store.nsf/unid/EPSD-5ZZG8M

      Would XPages still need the use of a SaveOptions field I wonder?

      Rule #1: JavaScript not allowed.

      Hide the rest of this thread

      1. In XPages, server side validation is just a click away. You select that in the INPUTTEXT Control, and the validation takes place in the server. You've got several default Validators, even RegExp and Custom validators to validate as you prefer.

        But, XPages is based in Dojo JS Framework, so, under the hood there's javascript client-side involved always. You don't need to write JS but XPages is sending it to the browser

        src="/domjs/dojo-1.5.0/ibm/xsp/widget/layout/xspClientDojo.js"

          • avatar
          • Jake Howlett
          • Fri 25 Mar 2011 06:49 AM

          Interesting. I didn't know that Xpages could do that.

          Just wondering -- if an XPage is bound to a form then can I hack around this validation and do a "/contact?OpenForm" (classic) URL and bypass the new Xpage server-side validation by submitting the backend form directly?

          1. I guess, yes you can... as long as you don't bind the Form to the xPage.

            1. Forms you bind to an XPage don't need to be accessible from the web. You can hide them. You also have an option on traditional forms to open an XPage instead of the form.

            • avatar
            • Stephen Hood
            • Fri 25 Mar 2011 08:12 AM
          2. Yes, if the Form is not hidden for browsers, in Properties/Design, you could open it by using "/contact?OpenForm" if you guess its name.

            If you bind the Form to the XPage, then if you try to open a document created with that Form, it will always show with the XPage in the browser, no matter the URL you use to open it.

          3. Jake,

            In XPages world, just don't make the form acessable to the web browser. There's no need for it to be. Also the actual form will NEVER be seen in a URL so no one would know the form name - not that this is REAL security, I'm just mentioning this as information.

            Again - just don't make the form or views really accessable to the web. There's no need for it.

          4. Jake,

            You are thoroughly underestimating the power of xPages. Server side validation is just the click of a checkbox (and it can get as complex as you want).No way to hack around it since all your validation logic is running in the server and nothing is exposed in the client.

            In my honest opinion, the whole comparison excersice is pointless unless you compare it with xPages. What you are doing now is comparing the latest .Net technology with domino development techniques of 90's.

              • avatar
              • Jake Howlett
              • Fri 25 Mar 2011 10:07 AM

              But Domino classic is all I know and it's not quite a forgotten legacy just yet.

              I still support websites I built with classic and (in fact) just this month I created a *new* Domino website for a (new) customer using Domino classic (they're on version 8 servers with no intention of going to 8.5, as a SharePoint migration is on the cards).

              Domino classic can't be written of as being "of the 90's" as it was the *only* way until just a couple of years ago.

              But you're right. It's is all pretty pointless. Don't forget the "just for fun clause" this all comes with.

              1. I understand the fun part of this excersice.. The only point I wanted to make is, Domino development with xPages is no way the same as classic domino development. You need to forget all the classic hacks you've been doing.. I've done it for 10 years(and was very comfortable doing it) and working with xPages for last 1 year. Believe me, it is a killer technology. I don't want to do classic domino development ever again in my life. IBM has some of the brightest minds in the market. And without learning the technology you will never understand the power of it. I have gone through that difficult period myself. But once you are through with it, you will be as excited as you are with all the new .Net stuff you learn.

                How can we compare .Net development with Domino when we cannot even compare classic domino development with xPages development.

                From a technology point of view, xPages can compete with any other leading platform in the market. But wheather you can get more business with it, I don't know.. It depends on a lot of things.. not necessarily based on a technologycal weakness of the platform..

  2. I recorded a demo app using SAP River Application System (closed beta at the moment) but unfortunately the upload to Screenr fails because of proxy issues... River is based on Cogheads technology (example screenshot: http://tctechcrunch.files.wordpress.com/form_editing_2.jpg) and allows you to create applications using some mouse clicks and DnD. Quite interesting technology...

    Using JBoss Seam you can also generate a complete CRUD application from existing database entities in minutes. It even implements relationships between different tables etc.

      • avatar
      • Jake Howlett
      • Fri 25 Mar 2011 05:42 AM

      Looks like it's built with Flex?

      Note that the demo I'm doing with MVC scaffolding is started from the point where there's no database and it creates it for us. Using an existing database would be cheating ;-)

      Show the rest of this thread

  3. Dude, required fields on XPages is a check box!!!

  4. Jake,

    In XPages, Server Side Validation is really PREFERRED in my opinion. Sure it's a round trip to the server, but it's just SO DARN EASY you just don't want to write the CSJS.

    In the simple edit box controls and such, there are built in properties for required and length for instance. So in the case of Required, you turn it on - fill in a field with the message you want to return to the user and you're done.

    There are many custom validators behind the scenes as well if you need to get a little more advanced. And quite honestly I've not really played with the advanced stuff yet.

    I'm a little surprised that I've not done a short NotesIn9 on basic validation yet. I did cover it a little bit in my "Introduction to XPages" Show. This is 73 minutes, but it looks like I demo it a bit around the 49 minute mark.

    Here's link to there video on my site and also YouTube:

    http://notesin9.com/index.php/2010/09/26/notesin9-extended-edition-intro-to-xpages/

    http://www.youtube.com/watch?v=p6dvFZRNfZc&hd=1

    Hope that helps!

    1. The best case is to do both. Validate in the client for the convenience of the user then validate on the server for the security of the application.

    • avatar
    • Erik Brooks
    • Fri 25 Mar 2011 10:15 AM

    Technically with XPages you don't even need a form. OR a view in many cases. They just make it a bit quicker to setup the XPage in an example like this one.

    • avatar
    • Jyotiprakash Mohanty
    • Fri 25 Mar 2011 10:03 PM

    Jake,

    If you are doing these for fun then why not Xpages for fun.

    Who knows someone lands here searching Xpages and opens the door for new Business.

  5. I'm a little disapointed because you compare code generation (your asp.net sample) with "raw" development. It's as if you put 4 fields on a form, ran an agent that builds a view and an xpages based on those fields...it'll basically take 30sec.

    Anyway :

    - what scaffolding does is to "hide" the complexity necessary to build such a simple stuff. Complexity should not be hidden, it should be avoided when possible.

    - The scenario is far too simplistic to conclude anything other than= "we can built very fast a very simple app"...wow ;-)

    1. The post above relates to your "5 min" post, not this one. sorry

    • avatar
    • Luke
    • Tue 29 Mar 2011 04:25 AM

    Just by using scaffolding, you get a working CRUD website with Ruby on Rails in 2 minutes. Actually, you have to get the db configured properly (whichever you decide to use, just like with ASP.net), and then you go with (I use terminal on OS X, but you could go with a cmd prompt)

    rails testcrud

    cd testcrud

    ruby script/generate scaffold contact firstname:string lastname:string email:string phone:string

    rake db:migrate

    ruby script/server

    and you have a working web site with CRUD functionalities.

    It will take you less than a minute actually... And the power and customability of Ruby on Rails is for sure astonishing.

    So far, let's add another platform , *not tied to a single vendor* , to the scenario of RAD.

    Cheers

    1. Welcome back in command line mode ;)

      Show the rest of this thread

  6. As said earlier via P2P carrier pigeon, I've enjoyed this discussion as it has finally moved so many people off the side-lines and into the fray to spout off with much useful information answering really useful basic questions about x-pages in defense of cod and country.

    It is somewhat of a sad commentary that this honest bit of fun has rankled so many. Have ye so little faith in thy skills? Meanwhile, some have apparently had the bur so firmly lodged under their saddle that they have aspired to spray the crowd with so much blood of a now well and truly beaten dead horse (http://planetlotus.org/8626f8 leaves me wondering if "parody" is latin for "You've really got my back up, but damn if I'm going to come off as anything but clever").

      • avatar
      • David Goodchild
      • Tue 29 Mar 2011 01:30 PM

      I have to agree Jerry. I've enjoyed the discussion as I'm Domino and .net, but know nothing of RoR, and I've been learning from it. I'm also in the same boat as Jake where there has been very little XPages work (in the UK market, certainly on my radar), some trad Notes/Domino but alot more scope for M$ work, so the chance and opportunity to keep current with Xpages (even though I did the learning curve a while ago) is not apparent. I'm disappointed that what is a (serious or geeky - not sure which!) bit of fun and also a chance to learn others views/skills/insights has even been labelled FUD, but has certainly put some on the defensive/attack (again not sure which).

      Anyway, have enjoyed everyone's input and certainly the different ways to do an admittedly basic requirement.

Your Comments

Name:
E-mail:
(optional)
Website:
(optional)
Comment:


About This Page

Written by Jake Howlett on Fri 25 Mar 2011

Share This Page

# ( ) '

Comments

The most recent comments added:

Skip to the comments or add your own.

You can subscribe to an individual RSS feed of comments on this entry.

Let's Get Social


About This Website

CodeStore is all about web development. Concentrating on Lotus Domino, ASP.NET, Flex, SharePoint and all things internet.

Your host is Jake Howlett who runs his own web development company called Rockall Design and is always on the lookout for new and interesting work to do.

You can find me on Twitter and on Linked In.

Read more about this site »

More Content