Invasion of the Response Body Snatchers or How I Learned to Stop Worrying and Love IIS

Today I got burned for the second time on this issue. And you know what our former Commander in Chief said about that: "Fool me once, shame on you. Fool me twice - uhh - won't get fooled again."

So in the interest of not getting fooled again. Here's the deal, all laid out in plain English for the future me to read the next time I have this problem, well, in the future.

I have a lovely little RESTful web service (ASP.NET MVC) that has some (IMHO) elegant exception handling built in. The controller action is wrapped in a nice big try-catch and when an exception is thrown the catch block passes the exception to a class that logs the failure and then creates a "Fault" message for the caller (basically an XML representation of the exception details). The response status code is set to 400 - Bad Request and the response body is set to the aforementioned XML "fault".

This code all works fine, that is, until it doesn't. When hitting the service locally everything is fine and the correct XML "fault" message gets returned in the response body, but from a remote client the response body is simply the 11-byte string "Bad Request". Pretty baffling behavior, until you figure out what's going on and understand the rationale behind it. Turns out that this behavior is by design and built into IIS.

At first blush this looks Just like remoteOnly behavior in web.config. The idea there being to prevent gifting sensitive details (like DB connection strings and the like) to potential hackers and foreign spies in the guts of an error response. All well and good. Only I couldn't fix this problem by setting customErrors mode="off". It turns out that this basic functionality is now built into IIS as well, downstream of the handler processing the request. That is, *after* the request has been processed by my code and the response created. It's like IIS sees my 400 and says to itself "Uh oh, trouble in paradise. And look, this is some shifty outsider causing this mess. I better wipe out the response body and replace it with something innocuous. Oooh, I know! How about the text 'Bad Request'? Makes me sound tough! Perfect!"

[N.B. I know, I've broken one of the cardinal rules - "Never anthropomorphize computing equipment" - but I think it's pretty innocent in this case. It's a web server after all. It's not like it's going to take over our nuclear power plants and enslave humanity or anything.]

Anyway, it turns out there's now an httpErrors element in web.config and applicationHost.config that supersedes what's in customErrors. So if you want to display the real response body on anything that has a response code of 400 or greater you now have to set this to allow detailed error messages to be displayed to remote clients (either directly in the file, or via IIS Admin).

(As a side note - I believe this is new to IIS 7.0, I haven't found any historical info on this, but I'm pretty sure that prior to IIS 7.0 things didn't work this way. Either that or I'm getting a little bit senile in my old age. Anyone know which it is?)

Why would you want to override this behavior and make your site vulnerable to terrorists? Remember, you're either against us or with us! Well in my case I was doing integration testing with a new partner deployment on QA server and needed the detailed info troubleshooting. Actually, I can think of several scenarios where you don't want this behavior, but I don't fault MS for making it the default. In fact I definitely think they made the right choice. I just wish someone over there would've picked up the phone and called me. Come on guys, one quick call to let me know about this.

Anyway, here are a couple of links that get into more detail.

• How to Use HTTP Detailed Errors in IIS 7.0


• IIS 7.0 httpErrors


• MSDN Docs on httpErrors configuration element

Or if you just want the guts...

In web.config, comment out customErrors in system.web like so:

<!-- customErrors mode="RemoteOnly" defaultRedirect="GenericErrorPage.htm">
   <error statusCode="403" redirect="NoAccess.htm" />
   <error statusCode="404" redirect="FileNotFound.htm" />
</customErrors -->

and then add to system.webServer the following:

<httpErrors errorMode="Detailed"/>

If anybody is thinking to themselves "Duh. It's always worked this way." Please let me know. I'll accept this assertion with minimal evidence, I just really don't remember ever having this problem prior to IIS 7.

♦Add to del.icio.us ♦DiggIt! ♦Reddit ♦Stumble This ♦Add to Google Bookmarks ♦Add to Yahoo MyWeb ♦Add to Technorati Faves ♦Slashdot it

Disk Defrag Tools

Had to crunch down the physical size of my HDD in order to resize the partition so it would fit onto a smaller SSD. PerfectDisk worked better than any of the other defrag tools hands down (including the built-in Windows' defrag which was basically useless.)

http://www.raxco.com/

PS - SSD is a OCZ Vertex 2. Amazing speed.

♦Add to del.icio.us ♦DiggIt! ♦Reddit ♦Stumble This ♦Add to Google Bookmarks ♦Add to Yahoo MyWeb ♦Add to Technorati Faves ♦Slashdot it

Enable Tracing in ASP.NET MVC

Not as obvious as I had first thought.

First, in your MVC app's web.config add this (as a child of the root
<configuration> node):

<system.diagnostics>
  <trace>
      <listeners>
          <add name="WebPageTraceListener"
               type="System.Web.WebPageTraceListener, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"/>
      </listeners>
  </trace>
</system.diagnostics>

Next, turn on tracing. Again in web.config add the following (as a child of the <system.web> node):

<trace enabled="true" localOnly="false" mostRecent="true" pageOutput="false" />

(I won't get into thew details on this element but MSDN has all the info here: http://msdn.microsoft.com/en-us/library/6915t83k.aspx)

Now add some Trace.WriteLine() type calls to your controller action, build and run it.

Then you should be able to go to http://localhost/myapp/Trace.axd (or wherever your app resides) and see the list of recent requests and all their trace details, just like in old-skool ASP.NET web forms apps.

Of course, you could also skip all of the above and just use the built-in Controller.HttpContext.Trace class in ASP.NET MVC. It's already wired up and just basically works, but if you've got a bunch of plumbing built on top of System.Diagnostics.Trace (like NCore's Spy class, for example) then that's not going to do you any good.

PS - Yes, I know it's been a *long* time since my last post, but that's just what happens with a baby around the house. It'll get better when he's old enough for me to pay him to write my blog posts.

♦Add to del.icio.us ♦DiggIt! ♦Reddit ♦Stumble This ♦Add to Google Bookmarks ♦Add to Yahoo MyWeb ♦Add to Technorati Faves ♦Slashdot it

Is that a transaction log file in your pocket, or are you just happy to see me?

So after much research and muddling around I’ve found that the following works consistently for truncating *and* shrinking the transaction log file in SQL 2008:

Do a full backup and then a transaction log only back-up, then run this (where “MyDb” is the name of your DB and “MyDb_Log” is the name of your DB transaction log file):

USE MyDb
GO
ALTER DATABASE MyDb SET RECOVERY SIMPLE
GO
ALTER DATABASE MyDb SET RECOVERY FULL
GO
DBCC SHRINKFILE(MyDb_log, 1)
GO

The DBCC SHRINKFILE should display results indicating a 1m log file at this point.

I know this seems a bit weird but I was just able to shrink the a transaction log from 1.6 gig (!) down to the default minimum size of 1 meg.

♦Add to del.icio.us ♦DiggIt! ♦Reddit ♦Stumble This ♦Add to Google Bookmarks ♦Add to Yahoo MyWeb ♦Add to Technorati Faves ♦Slashdot it

LINQ + .ToList() + .ForEach() + Anonymous Methods = Serious Mojo

Just stumbled onto this combination.

XElement root = XElement.Parse(
@"<myxml>
<a/>
<b/>
<c/>
</myxml>");

root.Descendants().ToList().ForEach( delegate(XElement element){ element.Add( new XAttribute( "moo", "car" ) ); } );

Console.WriteLine( root );

Accepting the implications of .ToList'ing your LINQ query, this is some powerful stuff.

PS - If you don't know what I'm talking about with the whole "implications of .ToList'ing your LINQ query" you should really buy the LINQ Pocket Reference. And if you want to easily try the example you should download LINQPad. It's free, excellent, and written by the authors of the aforementioned book.

♦Add to del.icio.us ♦DiggIt! ♦Reddit ♦Stumble This ♦Add to Google Bookmarks ♦Add to Yahoo MyWeb ♦Add to Technorati Faves ♦Slashdot it

TestDriven.Net hotkeys in VS

How did I ever manage without?!

TestDriven.NET keyboard shortcut

Thanks Jimmy!

♦Add to del.icio.us ♦DiggIt! ♦Reddit ♦Stumble This ♦Add to Google Bookmarks ♦Add to Yahoo MyWeb ♦Add to Technorati Faves ♦Slashdot it

The exquisite pain of obscure framework bugs

In hopes of preventing someone else the agony and wasted time I just suffered...

It appears that there's a bug in linq-to-sql with .SubmitChanges() not saving anything. If you implement the "extensibility method" for insert on any of your entities the SubmitChanges silently fails. Actually, I don't know that "fail" is the right word. It simply doesn't save the newly created entity.

Again, the source of the problem is that the insert (i.e. partial void Insert) in your DataContext. For every entity you have the data context will have Insert, Update and Delete methods. E.G.: if you have a Foo entity in your model, the DataContext will get partial void InsertFoo(), partial void UpdateFoo() and partial void DeleteFoo() methods that get triggered when each respective event happens. The only problem is that (at least with the Insert version) if you actually implement this partial in a corresponding partial DataContext class it will *prevent the action from actually happening*.

I don't know why and I don't know the work-around. Perhaps when I have a minute I'll circle back around and try out the Update and Delete versions to confirm the behavior there as well, and maybe try to figure out what the heck is going on.

I hope this just saved you several hours of debugging!

♦Add to del.icio.us ♦DiggIt! ♦Reddit ♦Stumble This ♦Add to Google Bookmarks ♦Add to Yahoo MyWeb ♦Add to Technorati Faves ♦Slashdot it

Getting -vsdoc.js VS Intellisense to work (for real)

No time for chit-chat but here's one that I don't really want to re-solve...

VS 2008 has a patch to (supposedly) allow for Intellisense on included JavaScript libraries (assuming a -vsdoc.js version is supplied - for example, jQuery).

The idea is that you include the -vsdoc.js version of the file along-side the actual version of the .js file, like this:


<script type="text/javascript" src="Scripts/jquery-1.3.2.js"></script>
<script type="text/javascript" src="Scripts/jquery-1.3.2-vsdoc.js"></script>


And you magically start getting Intellisense for your .js in VS.

Unfortunately, no magic there for me.

Then I found someone saying that it wasn't working for them either, but this worked:


<% if (false) { %>
<script src="Scripts/jquery-1.3.2-vsdoc.js" type="text/javascript"></script>
<% } %>


...ostensibly because they were "using user controls". Ugh. The approach here is obvious enough and I actually found a bunch more mentions of this issue & technique out there, even though I'm dubious about what this has to do with user controls or where the disconnect with the original, intended functionality of the patch is. Regardless, this didn't work for me either.

I started to think maybe it was because I was doing MVC, or using a master page, or some file path thing, or... Well I started to run out of ideas right about the time I started running out of new Google results, so I just decided to decompose the problem and work it out for myself. I won't re-hash my tedious and meandering thought process here, but I finally got it working by adding the following to the <head> of my master page:


<script src="%3C%%20=Url.Content%28">" type="text/javascript"></script>
<% if (false) { %>
<script type="text/javascript" src="%7E/Scripts/jquery-1.3.2-vsdoc.js"></script>
<% } %>


I know, crazy. VS seems to understand the ~ and correctly resolve the path to the -vsdoc.js file in the editor just fine. Intellisense shows up in the master and all pages that implement it and everyone's happy.

Including me. Although I'd love to know why it's not working the way it's intended. Unfortunately I don't have the time to track it down. If you do, let me know what you find.

♦Add to del.icio.us ♦DiggIt! ♦Reddit ♦Stumble This ♦Add to Google Bookmarks ♦Add to Yahoo MyWeb ♦Add to Technorati Faves ♦Slashdot it