VSLive! Speaker Interview—Mark Anders

Want to know what's happening with ASP.NET? Ask Mark Anders. He founded the ASP.NET team at Microsoft, and now, as the Microsoft Product Unit Manager of the .NET Application Frameworks team, he's in charge of the team that's designing and developing the entire .NET Framework, including ASP.NET, Windows Forms, Base Class Libraries, and other class libraries. VSLive is proud to feature Mark as a keynote speaker at VSLive! New York. As a sneak preview, check out the VSLive! Speaker interview below as he discusses the "state of the ASP.NET art".

Want serious ASP.NET content especially designed for advanced developers like you? Check out the ASP Live! component of VSLive! Orlando.


Give us a short state-of-the-union for ASP.NET. Where are things now, and where are they going?


We are excited about the response to ASP.NET in the developer community. Developers building on the platform today are seeing incredible productivity gains, and IT shops deploying those applications are realizing tremendous results as well in terms of performance and increased ROI.

Moving forward, we are constantly looking at ways to improve ASP.NET even further, to ensure that ASP.NET developers will always be the most productive and deliver the best performing applications. We're also planning a series of sample applications, controls, and other resources that will make developers more productive and help ASP developers migrate to the .NET platform. IBuySpy (www.ibuyspy.com) is the first in that series, and it has been successful in teaching developers how to get started quickly with ASP.NET.

ASP.NET marks a big step forward from traditional ASP. What do you do for an encore? Tell me some of the planned improvements for using ASP.NET inside the VS.NET IDE. For example, will we see IntelliSense for inline code or support for writing HTCs? What are some of the other planned improvements? Are there any changes in the compilation model? Will developers be able to precompile ASP.NET files, avoiding the first-page request performance hit?

We've been getting extremely helpful feedback from customers in all the areas you mentioned. We're still early in the planning for the next version of ASP.NET, so it's a bit early to discuss specifics. But we can say that we will continue to make the technology better, faster and more powerful for building Web applications and XML Web services.

In the short- to mid-term, we are focused on delivering additional resources for the ASP.NET community. The focal point for these resources is www.asp.net. This site includes a control gallery (where new Microsoft ASP.NET controls as well as third party controls are uploaded frequently), pointers to community sites, list servs and ASP.NET hosters, code samples, and other resources. We want to ensure that ASP.NET developers—and those who want to learn ASP.NET—have everything they need to succeed with their projects.

What are a couple of the most interesting real-world applications you've seen developers build with ASP.NET?

Merrill Lynch's 1-800-Merrill application is interesting. Merrill needed to consolidate an assortment of legacy voice-response systems serving 25 million customers at 75 million transactions per day into a single call center application. They built a series of ASP.NET pages that emit the appropriate voice logic, which is then converted into VoiceXML. These pages were integrated with legacy data storage on mainframes as well as SQL Server 2000 databases, using XML Web services.

Another interesting application was developed by Travelers Property Casualty with a partner in the auto glass industry. They built a set of XML Web services for servicing auto glass damage claims. Travelers provided the services for verifying coverage and paying the repair shop, while the partner provided the services needed to locate nearby shops geographically and schedule customer appointments.

Travelers implemented its XML Web services using Visual Basic .NET and ASP.NET, with the help of some existing Visual Basic 6 components for accessing information residing on a mainframe.

Now Travelers is seeing a 30 percent overall efficiency improvement for handling auto glass claims. There's less handling cost for Travelers, the glass shop gets paid faster, and customers get their glass fixed faster.

One of the coolest applications I've seen within Microsoft is "Alchemy." The sales force uses the application to monitor the status of customer engagements. Alchemy consists of a Web-based UI written in ASP.NET, and a series of back end Web services also running on ASP.NET. The Web services wrap our existing sales force automation and CRM systems and provide data from those systems to the UI component. The UI component aggregates this data and presents it in a coherent manner.

What's the real story about Pet Shop? How does .NET compare to J2EE in terms of performance, and why should developers take any of these comparisons or assertions seriously?

.NET continues to outperform J2EE in our own internal tests and in those conducted by independent organizations. Regarding the Pet Store application in general, Oracle actually conducted the original performance benchmark of the Java Pet Store application about a year ago. Along with the test they issued the "Oracle 9i Application Server Performance Challenge," inviting others to beat their benchmark results of the Java Pet Store version 1.1.2. Everyone—our partners, customers and sales force—encouraged us to take them up on the offer, which is why we began work to create our version of Pet Store using .NET, and ultimately retained VeriTest to test the application. In the most recent test, they found that .NET is more than ten times faster than J2EE at 5,000 virtual users, and over twice as fast in the cached scenario as the numbers published by Oracle around JavaOne. You can find the results at: http://www.gotdotnet.com/team/compare/Benchmark_ShortRepFinal.aspx .

Developers should and do take benchmark tests seriously because they show the blueprints of complete, real-world, complex applications. If the application can't scale and perform at the building blocks level, why would anyone trust it to do so when it's fully fleshed out? I would encourage developers using Oracle or any other J2EE server to do their own comparisons.

What practical implications will Microsoft's various security initiatives have for ASP.NET developers?

Security initiatives for ASP.NET mirror all other Microsoft technology: Security is a shared responsibility with the developer to write safer applications. We will continue to improve the security of our products, evangelize best security practices, and provide developers with all the resources and guidance needed to make the most secure applications possible. Ultimately it is up to the developer to write safe applications.

In general, applications are now being shipped "locked down" out of the box. So developers or IT administrators might need to manually activate features as needed. This will require a bit more effort, but the security gained by shipping machines locked down is valuable.

Windows .NET Server provides several enhancements for ASP.NET. What is in Windows .NET Server for the ASP.NET developer specifically?

The Mobile Internet Toolkit that shipped separately from ASP.NET in V1 is now integrated into ASP.NET, so there is no need for an additional installation step. With IIS6 (part of Windows .NET Server), we support per-application process isolation to make ASP.NET even more robust than it is today. Also, IIS6's HTTP listener now runs in kernel mode and forwards requests directly to the application, yielding significant performance improvements. Finally IIS6 supports multiple application pools, making it easier for ASP.NET developers to manage and maintain a large number of applications on a server.

Web services are part of ASP.NET now. Will that continue to be the case? How will Web services and ASP.NET complement each other in the future?

We don't see XML Web services disappearing any time in the near or distant future. XML Web services are still and will continue to be a major focus for ASP.NET and the overall .NET Framework. Systems integration is the number one problem facing developers today. We believe XML Web services provide the best way to tackle this problem, and will continue to make ASP.NET better and better for creating, consuming and integrating them.

There has been a perception in some quarters that the combination of ASP and IIS represents a security risk. What steps has Microsoft undertaken to address this perception in ASP.NET? What will it do going forward?

First of all, we've made some fundamental changes to the way ASP.NET applications run that make them more secure. By default, ASP.NET applications will run under the "ASPNET_USER" account. This is a special low privileged account created specifically for running ASP.NET applications. This means that even if a cracker could take over the application process, by default, he or she would not be able to access or delete existing files on the system or tamper with the underlying OS.

In addition, before loading an assembly, assuming it's in fully managed code (not using the unsafe keyword in C#), the common language runtime will send it through a type safety verification process to ensure the code isn't opened up to buffer overflow attacks. If the assembly fails to pass this test, an exception will be raised, and it will not be loaded.

Also, we've made it easier for developers to integrate security functionality into their own applications. They can easily implement a variety of authentication types: forms-based, certificates, basic, digest, NTLM, Kerberos, or Passport. Our cryptographic library provides access to virtually all the popular algorithms for encryption, hashing, random number generation, digital signatures (including the XML Digital Signature), and more.

As for IIS, we've done a lot of things. For example, we've shipped the IIS Lockdown Tool, which turns off unnecessary features of IIS to reduce the surface area exposed to potential attack. This tool ships with URLScan, which, among other things, limits the size of URL requests and queries the end users can make. You can find these tools and others at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/tools.asp.

The current model for building Web services with Visual Studio .NET is based on starting with a class, then adding methods with the WebMethod attribute. The Web service's interface (the WSDL document) is generated automatically based on the code in that class. This is reminiscent of the VB6 model of creating COM components where COM interfaces were generated automatically, based on the VB classes. However, this model didn't work beyond the scope of simple projects and small dev teams. The tried and true model for building distributed apps is first defining the interface (WSDL in the case of a Web service), then writing the code. The question is, why is this not the standard model in Visual Studio .NET (it's doable with the SDK, but not VS .NET)? Do you foresee this changing in a future version?

The primary design objective in Visual Studio .NET was to make it easy for developers to implement a given Web service interface. It's too early to know exactly what we'll deliver in future versions of the product, but we wouldn't disable the current behavior.

What is Microsoft doing to make ASP.NET development more accessible to script- and tag-based developers, such as those who use Cold Fusion? Yes, you have the ability to incorporate server-side controls, but wouldn't it be nice to use server-side tags in addition to these?

I assume that you mean that it would be great to have server controls for things other than user interfaces, and yes there are a number of things that we and third parties are doing with servers that are very cool and that will appeal to the scripter or tag-based developer. For example, Macromedia did some ASP.NET server controls for Dreamweaver MX that let you access relational databases without having to write any code at all—you just use a tag. In the Control Gallery on www.asp.net, there are controls allowing you to send email, obtain FedEx, UPS, DHL and USPS rates, and do credit card processing. In addition, we will be releasing some incredible controls, and there are lots of great ones also coming from our third party partners.

Are there any efforts inside (or outside) Microsoft to bring ASP.NET to non-Windows (read: J2EE) platforms?

We are committed to delivering the best products for the .NET platform for now.



Mark Anders

Mark Anders is the Product Unit Manager of the .NET Framework team at Microsoft, which produces ASP.NET, Windows Forms, Net Classes and Base Class Libraries. Previously, he held lead positions in development and program management. Prior to joining Microsoft in 1995, he was Vice President of Development at Inmark Development Corp, developer of the zApp cross platform application framework.