A form-entry Tag Helper

Writing line-of-business applications usually means creating a lot of forms for data entry. Writing the HTML for them over and over again is tedious and also means copy-pasting the layout structure into every single form. Copy-pasting works fine as long as one is happy with the design, but when it needs to be altered (beyond what’s possible with CSS), all forms in the application need to change. To remedy this, I created a form-entry tag helper. Now creating an entry for a field in a form is as simple as <form-entry asp-for="LocationName" />.

Using the default scaffolding in Visual Studio, I would get a form that repeats the same pattern over and over again, for each property of the view model.

<form asp-action="Create">
    <div asp-validation-summary="ModelOnly" class="text-danger"></div>
    <div class="form-group">
        <label asp-for="Name" class="control-label"></label>
        <input asp-for="Name" class="form-control" />
        <span asp-validation-for="Name" class="text-danger"></span>
    </div>
    <div class="form-group">
        <label asp-for="Address" class="control-label"></label>
        <input asp-for="Address" class="form-control" />
        <span asp-validation-for="Address" class="text-danger"></span>
    </div>
    <div class="form-group">
        <label asp-for="City" class="control-label"></label>
        <input asp-for="City" class="form-control" />
        <span asp-validation-for="City" class="text-danger"></span>
    </div>
    <div class="form-group">
      <input type="submit" value="Create" class="btn btn-default" />
    </div>
</form>

Using my form-entry tag helper, the code required is substantially less.

<form asp-action="Create">
    <div asp-validation-summary="ModelOnly" class="text-danger"></div>
    <form-entry asp-for="Name" />
    <form-entry asp-for="Address" />
    <form-entry asp-for="City" />
    <div class="form-group">
        <input type="submit" value="Create" class="btn btn-default"/>
    </div>
</form>
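
One way such a helper can be written, as an added sketch rather than the author's actual implementation: the class name, the namespace and the choice to render a plain text box for every property are assumptions. It builds the same label/input/validation markup as the scaffolded form through ASP.NET Core's IHtmlGenerator, so attribute values and the model value are HTML-encoded by the framework instead of being concatenated into strings.

```csharp
using Microsoft.AspNetCore.Mvc.Rendering;
using Microsoft.AspNetCore.Mvc.ViewFeatures;
using Microsoft.AspNetCore.Razor.TagHelpers;

namespace Example.TagHelpers // hypothetical namespace
{
    // Matches <form-entry asp-for="..." /> and replaces it with a form-group div.
    [HtmlTargetElement("form-entry", Attributes = "asp-for",
        TagStructure = TagStructure.WithoutEndTag)]
    public class FormEntryTagHelper : TagHelper
    {
        private readonly IHtmlGenerator generator;

        public FormEntryTagHelper(IHtmlGenerator generator)
        {
            this.generator = generator;
        }

        [HtmlAttributeName("asp-for")]
        public ModelExpression For { get; set; }

        // Injected by the framework; not settable from markup.
        [HtmlAttributeNotBound]
        [ViewContext]
        public ViewContext ViewContext { get; set; }

        public override void Process(TagHelperContext context, TagHelperOutput output)
        {
            output.TagName = "div";
            output.TagMode = TagMode.StartTagAndEndTag;
            output.Attributes.SetAttribute("class", "form-group");

            // TagBuilder encodes attribute values, so model data never
            // reaches the page as raw, hand-built HTML.
            var label = generator.GenerateLabel(ViewContext, For.ModelExplorer,
                For.Name, labelText: null, htmlAttributes: new { @class = "control-label" });
            var input = generator.GenerateTextBox(ViewContext, For.ModelExplorer,
                For.Name, For.Model, format: null, htmlAttributes: new { @class = "form-control" });
            var validation = generator.GenerateValidationMessage(ViewContext, For.ModelExplorer,
                For.Name, message: null, tag: null, htmlAttributes: new { @class = "text-danger" });

            output.Content.AppendHtml(label);
            output.Content.AppendHtml(input);
            // The generator returns null when there is nothing to render.
            if (validation != null) output.Content.AppendHtml(validation);
        }
    }
}
```

The helper becomes available to views once its assembly is registered with an @addTagHelper directive in _ViewImports.cshtml.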

Kentor.AuthServices 0.21.2 Security Release

Kentor.AuthServices 0.21.2 has just been released to NuGet. It is a security release fixing three issues.

  1. XML External Entity Injection (affecting .NET 4.5 only)
  2. Malicious IdP can cause write to arbitrary file
  3. Flawed ReturnUrl validation leads to Open Redirect

The first two issues were reported by John Heasman, Morgan Roman and Joshua Estalilla from DocuSign. While I have dreaded the day when I would get a security issue, I am extremely happy with the professionalism of the disclosure. I got the report privately, including detailed descriptions, reproduction steps and solid recommendations on how to fix it. I am very grateful that you took the time to review AuthServices and find the issues, and for the detailed reports.

More details on the vulnerabilities will be published later.

Kentor.AuthServices v0.20.0 Released

Half a year's worth of pull requests with great features have finally been baked into an official release of Kentor.AuthServices, which is now available on NuGet. The most important fixes are improved active/passive handling for the Owin middleware and full support for SHA256/384/512, as it is time to leave SHA1.

First of all I would like to thank all contributors and users who have had to wait for this while I’ve been on parental leave. A special thanks to Explunit, who has made a lot of valuable contributions as well as reviewed pull requests and taken part in design discussions.

Breaking Changes

The public API of AuthServices is getting more and more stable, but nevertheless there are some breaking changes.

  • The Owin Middleware is now once again Passive by default
  • The Owin Middleware will act as Active during Logout, even if it is configured as passive. This can be disabled with the StrictOwinAuthenticationMode compatibility setting.
  • On .NET 4.6.2 and later AuthServices now by default generates SHA256-based signatures and only accepts SHA256 or stronger signatures.
  • The “clever” ReturnUrl expansion has been removed as it proved to create more problems than it solved.
  • ReturnUrl open redirect issue fixed.

Kentor.AuthServices 0.18.1 Breaking Changes

Today we released Kentor.AuthServices 0.18.1. It contains a number of bug fixes, but also a couple of breaking changes to a mostly internal API and logout handling.

You are affected if…

  • you build an HttpRequestData yourself, instead of using a built-in ToHttpRequestData() extension method.
  • you are using Single Logout and…
    • you have a ClaimsAuthenticationManager
    • you manually create an AuthServicesClaimTypes.LogoutNameIdentifier claim
    • you filter out claims that are persisted

Most users should not be affected, but if you match any of the above please read on.

TLS on Azure with Legacy Android

In a recent project using Azure, SSL worked perfectly on all devices – but those running Android 2.X. It turned out that legacy Android has limited support for modern SSL/TLS features such as SNI and subject alternative name.

Getting TLS configuration right nowadays can be quite tricky. Google Chrome is aggressively pushing for deprecation of old insecure standards by showing warnings or even errors on sites using deprecated https settings. Using a certificate issued merely two years ago, with the standards that were common then, now shows an error because the SHA-1 algorithm is not considered to be safe for the two remaining years of the lifetime of the certificate. The Google Chrome team is definitely pushing hard for moving web cryptography to safer grounds.

On the other end of the scale (no, I won’t be complaining about Windows XP, it’s not that much of a problem any more) is another Google product: Android. Even with the blazingly fast technology development, people are (IMHO rightfully) expecting a multi €100-device to last for more than a few years. That means that a lot of devices out there are still running Android 2.X. In this particular project, the target audience is not that tech-savvy. A lot of the users have even had to invest in their first smart phone, relegating their call-and-sms-only phones to history. With that audience, we had to support those old devices. On the other hand, SSL warnings or errors in Chrome were unacceptable, so we had to find something that worked for all those platforms – and we did. Oh and by the way, the budget was really, really tight, so we had to find something that wasn’t too expensive.

Software Development is a Job – Coding is a Passion

I'm Anders Abel, an independent systems architect and developer in Stockholm, Sweden.


Code for most posts is available on my GitHub account.
