Blogs

Blog: Bernhard Wesely

admin — Fri, 24 May 2013 01:02:00 GMT

User: vgrimaldi

vgrimaldi — Thu, 16 May 2013 08:21:00 GMT

Blog Post: Creating Service Agents with WCF

Christof Senn — Thu, 16 May 2013 06:29:00 GMT

What I mean by Service Agent

As more often than not it is difficult to find a commonly accepted term for a given pattern in SOA I have to specify what I actually mean by service agent. So here’s my definition:

In SOA a service agent is a thin component, put in front of a service, which provides supplemental functionality to the existing service. Typically service agents are transparent to service consumers, i.e. service consumers are not aware of the existence of service agents.

What’s the Use Case?

Service agents are used to add functionality in a technical sense rather than specifically to the business domain. Common use cases of service agents are:

Bridging service contracts or different versions of contracts
Bridging protocols
Logging
Routing
Load balancing
Etc.

Service agents should introduce as little overhead as possible. Typically a service agent operates on SOAP message level or even only parts of it and is kept free from the burden of serializing and deserializing data objects from and to service messages.

A Concrete Example

Lately on a customer project I had the requirement to secure existing services by applying custom authorization logic. The services were accessible to everyone who had access to the customer’s LAN. Now, my customer wanted to control whom to grant access to which service methods.

The customer was familiar with WCF. In fact the existing services and service consumers were implemented using WCF. Authentication had to be done via Active Directory (Windows Authentication). Authorization settings could be retrieved from an existing database. However, we wanted to change as little as possible in both, the existing service consumers and services.

One option I had in mind to solve the given requirement was to introduce a WCF Message Inspector on the service side, to inspect incoming messages to check/grant access based on the SOAP action and the username of the service consumer.

Another natural attempt would have been the introduction of a custom Service Authorization Manager to take care of granting access to service methods.

However, in order to have as little impact as possible on the existing service I was tending towards a third option. As of version 4.0 WCF introduced the WCF Routing Services as a new component contained in the framework. Even though routing is actually not what we were looking for, the component’s content based routing functionality does, from a conceptual perspective, exactly what we need: receive incoming requests on behalf of another service and forward the request based on its message content, or (in our case) return a failure if access is not granted.

As it turned out, this was actually easy to do. At least once I’ve figured out the details, as some WCF features are not provided with a comprehensive documentation and sample are accordingly rare. So, here you are. Attached to this post you may find a sample implementation I’ve done as proof of concept.

Here are the cornerstones:

Implement the router interfaces according the services messaging patterns, e.g. IRequestReplyRouter for request/response services. Checkout System.ServiceModel.Routing namespace for other router interfaces available.
Invoke authorization logic as part of the request handler and forward request to the actual service if access is granted, throw security exception otherwise.

Expose endpoints using the respective routing interface as contract and define addresses and bindings to listen for incoming requests.

The sample service agent exposes a TCP endpoint for service consumers and forwards requests over named pipe to the actual service running on localhost. This way, service consumers running on machines other than the server may invoke the actual service exclusively via the service agent. This ensures proper authorization for our service.

Summary

Service agents in SOA are thin components put in front of a service. Creating service agents using WCF is actually quite easy making use of the WCF Routing Services and its underlying techniques. The code sample attached to this post demonstrates the implementation of a service agent to take care of authorizing service consumers prior forwarding requests to the actual service.

Blog Post: Mit SQL Server Management Studio 2008 DTS Packages öffnen oder erstellen

Bernhard Lauber — Wed, 15 May 2013 10:08:00 GMT

Grundsätzlich werden ab SQL Server 2005 die Data Transfer Services (DTS) nicht mehr unterstützt und wurden durch die SQL Server Integration Services ersetzt. Wenn man nun trotzdem legacy DTS Packages pflegen muss, dann gibt es einen Weg! (1) Feature Pack for Microsoft SQL Server 2005 – December 2008 downloaden: http://www.microsoft.com/en-us/download/details.aspx?id=11988 In meinem Fall (Windows 7 […]

Blog Post: SharePoint Authentisierung über Forests und einem Ein-Weg Trust…

Stephan Jola — Tue, 14 May 2013 15:05:00 GMT

Die Fragestellung:
Kann ich im SharePoint eine Authentisierung machen, gegen ein Active Directory welches “nur” einen Ein-Weg Trust hat?

Antwort:
Ja das geht.

In meinem Beispiel geht das so, dass ich 2 Domains in 2 verschiedenen Forests habe. Dabei ist die Domain contoso.com die “Extranet” Domain, also diejenige, welche die Externen User Accounts innehat. Die SharePoint Farm ist in der Domain contoso.com und wird von Extranet Benutzern verwendet (Lieferanten, Partner, Kunden etc.)

Die Domain acme.net ist meine Interne Firmen Domain. Hier sind alle Mitarbeiter erfasst. Nun sollen die Mitarbeiter der ACME ebenfalls Zugriff auf CONTOSO erhalten, und zwar mit ihrem bisherigen CONTOSO Domain Account.

Aus Gründen der Security soll aber nur ein “One-Way” Trust zwischen den zwei getrennten Forests und Domains eingerichtet werden.

Wenn der One-Way trust also eingerichtet ist (siehe Bild unten) geht es weiter.

Jetzt muss der People Picker in SharePoint konfiguriert werden.

Damit der PeoplePicker in der Domain contoso.com auf das AD von acme.net lesend zugreiffen kann, muss im SharePoint folgender Befehl abgesetzt werden (dies ist der Encryption Key, auch als “Verschlüsselungsschlüssel” bekannt .

stsadm.exe -o setapppassword –Password <Password>

Damit wir im AD acme.net lesend zugreiffen können, erstellen wir dort einen User Account LDAPReader, welcher ein ganz normaler Domain User Account ist (also quasi ein Service Account). Dessen Passwort müssen wir auch kennen.

Damit der PeoplePicker nun von seinem Glück erfährt, muss das pro Web Application eingerichtet werden. Dies erfolgt wiederum mit einem stsadm Befehl. In meinem Beispiel ist das die Web Application Intranet.contoso.com

stsadm -o setproperty -url http://intranet.contoso.com -pn peoplepicker-searchadforests -pv "forest:acme.net,acme\ldapreader,<Password>;domain:acme.net,acme\ldapreader,<Password>;forest:contoso.com;domain:contoso.com"

That’s it.

Im People Picker der entsprechenden Web Application funktioniert dass nun so, es werden also beide Domains contoso.com und acme.net durchsucht und dargestellt.

Da man aber unter umständen nicht möchte, dass in der Extranet Umgebung die externen Benutzer die Internen Benutzer einfach so darstellt, kann man zusätzlich noch mit einem LDAP Filter arbeiten.

Folgender stsadm Befehl, filtert noch alle Domain Accounts. Das heisst, nur Gruppen werden dargestellt.

stsadm -o setproperty -pn peoplepicker-searchadcustomfilter -pv "(objectcategory=Group)" -url http://intranet.contoso.com

Weitere und komplexere LDAP Filter sind natürlich auch möglich.

Will man diesem Filter wieder entfernen, gilt folgender Befehl:

stsadm.exe -o setproperty -pn peoplepicker-searchadcustomfilter -pv "" -url http://intranet.contoso.com

Viel Spass!

Blog Post: Let Me Introduce Myblog

Christof Senn — Mon, 13 May 2013 06:29:00 GMT

Well, I won’t make it long: this blog is meant for sharing experience and ideas in the area of software development, mainly around topics like software architecture, design, and implementation. My commitment as a software development consultant will definitely affect what you will read in this space.

So welcome to my blog! I hope you will enjoy reading it :-)

Christof

Blog: Christof Senn

admin — Tue, 07 May 2013 07:02:00 GMT

Blog: Christopher Dickinson

admin — Tue, 07 May 2013 06:55:00 GMT

User: Christof Senn

Christof Senn — Tue, 07 May 2013 05:01:00 GMT

User: ChrisDickinson

ChrisDickinson — Sun, 05 May 2013 14:56:00 GMT

Blog Post: SharePoint 2013 BI Funktionen und Kerberos

Stephan Jola — Fri, 03 May 2013 09:23:00 GMT

Kerberos ist die Eierlegendewollmilchsau der Authentisierungsprotokolle. Gerade bei BI Funktionen in SharePoint wird man regelmäßig damit konfrontiert. Bei genauerem Hinsehen bin ich aber auf eine technische Limite gestoßen, welche ich euch nicht vorenthalten möchte.

Somit muss bei einem Farm Design mit BI Features sehr genau über die Art und Weise der BI Implementation nachgedacht werden.

Blog Post: SharePoint 2013 – Remote Blob Storage , Datenbankgrösse bis zur Unendlichkeit und noch viel Weiter?

Stephan Jola — Thu, 02 May 2013 16:58:00 GMT

Vor einiger Zeit hatte ich schon mal einen kleinen Überblick über RBS verfasst “Verordnen Sie SharePoint Datenbanken eine Diät!”

Mit SP15 auch bekannt als SharePoint 2013 ändern sich die Dinge ein wenig, Details dazu sind jetzt auch bekannt:

Plan for RBS in SharePoint 2013 bringt es auf den Punkt http://technet.microsoft.com/en-us/library/ff628583.aspx

Aber dennoch ist sich MS irgendwie nicht ganz einig was die maximal unterstützte Grösse anbelangt:

Also doch bis zur Unendlichkeit und noch viel Weiter?

Für diejenigen welche das Thema neu ist, gibt es das Buch “RBS for Dummies”

Folgende Hersteller bieten auch einen RBS Provider an:

Metalogix

AvePoint

Dell Software (ehemals Quest: Storage Maximizer for SharePoint")

und viele mehr…

Blog Post: ITL Deadlocks (script)

Chris Antognini — Wed, 01 May 2013 06:07:00 GMT

A reader of this blog, VijayS, asked me to share the script I use to demo ITL deadlocks that I mentioned in this comment. Since other readers might be interested, here is the script. SET TERMOUT ON FEEDBACK ON VERIFY OFF SCAN ON ECHO ON @connect SELECT * FROM v$version WHERE rownum = 1; REM [...]

Blog Post: Data Vault Modeling - My first attempt to walk

Dani Schnider — Tue, 30 Apr 2013 18:24:00 GMT

In 2011 at the Oracle OpenWorld conference, I attended a presentation of Kent Graziano about Data Vault Modeling. It was the first time I heard of this special modeling method for Data Warehouses, and after this session I was a bit confused about these data models with hubs, links and satellites. Is it really something new, or is it more or less the same technique we are using for master data versioning using head and version tables? The idea of Data Vault Modeling seems to be interesting, but a lot of details were not clear for me. I ordered the book The Business of Data Vault Modeling of Dan Linstedt, but this book was more confusing than helpful for me. After some discussions with several colleagues at Trivadis, my opinion was clear: Yes, it is more or less the same as our approach described in our DWH book. Problem solved, let's go back to work...

Last week at the Trivadis TechEvent, there was another session about Data Vault Modeling, presented by Hans Hultgren. The presenation was just an introduction into this modeling technique, and most of the information were the same things I already heard two years ago in San Francisco. But after his presentation we had an interesting discussion about the similaritites and differences between Data Vault Modeling and our method of head and version tables. Although Hans has never heard of our approach before, he found it at least "interesting" - whatever that means. After a beer, I decided to do some homework and to design my first draft of a Data Vault Model - based on an example in our book. Here it is.

Master Data Versioning with Head and Version Tables

As described in our Trivadis BI Blueprints and in the book "Data Warehousing mit Oracle", we use the following versioning method to store historical master data:

For each master data entity, a head table is created. It contains a surrogate key, the business key (which is often the primary key of the source system entity) as well as all "static" business attributes that never change during the lifecycle of a record.
All "dynamic" business attributes that may change over the time are stored in a version table. The version table contains a foreign key to the master table, a validation range (effective and expriation date) and all attributes that can be changed.
Relationships between entities are designed with foreign key relationships. A foreign key always refers the head tables to decouple the versions of two entities. Depending on whether the relationship can change over time or not, the foreign key column is either stored in the head or in the version table. In the example below, a product can be moved to another product subcategory during its lifecycle, but a subcategory belongs always to the same product category.

Master Data Versioning with Data Vault Model

Let's try to make a first draft for a Data Vault Model based on the example above. The head tables can be compared to Hubs, the version tables to Satellites in a Data Vault Model. The relationships are always designed as Links, i.e.. many-to-many relationshiops between hubs.

For each master data entity, a Hub is created. It contains a surrogate key and the business key (which is often the primary key of the source system entity), but no additional business attributes. The hubs in the example below are blue colored.
All business attributes are stored in a Satellite. There is no distinction between "static" and "dynamic" attributes. It is possible to have more than one Satellite for the same Hub, but in the example below, all business attributes are stored in one Satellite. The effective date is stored as a business attribute, too, but not the expiration date. The Satellite contains a foreign key to the corresponding Hub and is colored red in the example below.
A Link is used to store the relationships between the entities, in our case between products and subcategories as well as between subcategories and categories. Because a Link allows to store many-to-many relationships, the are no business constraints like "a product belongs to exactly one subcategory" visible in the data model. This increases the flexibility of the data model: if the business rule changes (e.g. a products can belong to more than one subcategories at the same time), no model change is required. Links are colored green in our example.

Similarities and Differences

Both modeling concepts - head and version tables as well as Data Vault Modeling - are used to design the Core model, i.e. the central data store used for data integration and data versioning. They are definitely not designed for end user queries. For this, data marts using Star Schemas or multidimensional OLAP cubes are typically used.

What is common in both methods is a unique key for each business entity that is independent from a particular version (this is one of the main differences to the Slowly Changing Dimensions type 2 where a particular version is referred). In our approach, we use a head table for this, in a Data Vault Model, this is implemented with a Hub.

Version tables and Satellites are not exactly the same. The version tables contain only the business attributes that can be changed during the time. Whenever at least one of the attributes is changed in the source system, a new version is created in the Data Warehouse, and the previous version is marked as outdated by updating the expiration date. This is different in a Satellite. Here, a new version is create for every change, too. But there is no expiration date, only a load date an propably an effective date as a business attribute.

Another difference is that the static attributes, i.e. business attributes that never change in the source system, are stored in the Satellite as well. In Data Vault Modeling, there is no distinction between static or dynamic attributes - or even relationships. A business attribute is a business attribute - that's it.

Relationships in a Data Vault Model are always many-to-many relationships and stored in Links. This increases the complexity of the data model, but allows more flexibility because new business rules can be implemented without changing the data model. This is one of the main reasons for Data Vault Modeling: In agile environment with many change requests is can be very useful to have a flexible data model that can be enhanced easily. This is also the case for new attributes that are just included with additional Satellites.

What I never read or heard about yet is the complexity of the ETL processes. From my current point of view it makes no difference whether to load source data into head and version tables or into a Data Vault. A kind of delta determination to detect changed attributes must be implemented in both models. But even if it would be easier to load data into a Data Vault, it is more complex and expensive to load the Data Marts from a Data Vault because the queries to determine the correct version of each Satellite is not trivial. But these are only assumptions. We will propably see in the future what the benefits and restrictions of Data Vault Modeling will be.

Blog Post: SharePoint 2013 und Reporting Services

Stephan Jola — Tue, 30 Apr 2013 09:38:00 GMT

Mit der neuen SharePoint 2013 Version hat sich einiges geändert. Auch die Implementation und Anbindung von SQL Reporting Services. Damit das bei der Planung und Umsetzung keine Verwirrung gibt, welche SharePoint Version mit welcher SRSS (SQL Reporting Services for SharePoint) von Microsoft Supported ist, empfehlen wir folgenden Artikel zu studieren.

Supported Combinations of SharePoint and Reporting Services Components

Blog Post: SharePoint 2013–Follow me

Stephan Jola — Wed, 24 Apr 2013 15:46:00 GMT

Mit SharePoint 2013 bietet sich an, allem und jedem zu folgen. In unserem Beispiel haben wir eine Library mit mehreren Dokumenten. Jetzt will ich einem bestimmten Dokument folgen.

Nichts leichter als das:

Änderungen und Updates bekomme ich also Zeitnah mit.

Aber, was wenn der Owner nicht will, dass es die Following Funktion nicht gibt?

Ohne Visual Studio Solution geht das, aber nur auf Site Ebene. In der Site Settings das Feature “Following Content” deaktivieren.

Danach kann ich das Follow Item nicht mehr aufrufen.

Ohne über den Sinn und Zweck zu philosophieren, diese Funktion abzuschalten. Nicht vergessen zu testen und validieren ob es noch ungewünschte Seiteneffekte hat… Man weiss ja nie.

Viel Spass!

Blog Post: Adding an own Array.prototype breaks SharePoint 2013 JavaScript

Martin Loitzl — Wed, 24 Apr 2013 14:37:00 GMT

Recently I tried to do some functional enhancements to the Array.prototype within a SharePoint-hosted App… no way. After adding the .js to the page, errors occur in other JavaScript files in SharePoint 2013. It works perfectly in in plain ASP … Continue reading →

User: madhulika.mitra

madhulika.mitra — Wed, 24 Apr 2013 10:55:00 GMT

Blog Post: DOAG SIG Security

Stefan Oehrli — Tue, 23 Apr 2013 17:23:00 GMT

Just a couple of hours ago I’ve lecture a presentation about the latest Generation of Database Technology at the DOAG SIG Security in München. It is a sneak preview on a few upcoming security improvements. Unfortunately I do not yet have the permission to provide the presentation for download. But I will make the download [...]

User: Aleksandar Simic

Aleksandar Simic — Tue, 23 Apr 2013 07:19:00 GMT