I'm trying not to complain too much, but some times you have to. Today I decided to upgrade my main machine to Windows 7 Release Candidate, while working on the laptop. The first attempt failed due to lack of disc space - it's needs 10Gb free - but I soon solved that. Then I left the upgrade to trundle away until the final stage of transferring files, settings and programs, whien 43% of the way through (ooh, so close), I received the annoying statement that there wasn't enough disc space free and it would revert to the previous version. So, you checked how much space I needed, installed, and then changed your mind. Way to go to give me a good impression of the product.

Now I know I need to rejig my partition sizes, but it strikes me as odd that the installer reports it has enough space at the start, then doesn't at the end. It did say it would prefer to have 16Gb free, but didn't say it would fail the install. Although whether it's failed is another matter; apparantly it's "sending diagnostic information to Microsoft", but there's no progress and no indication that anything is actually happening. ooh, ooh, now wait, it's rebooting....

Nope, it's rolling back the install. So, do I now try and free up more space or just bite the bullet and install from scratch, which means installing everything.

As someone who has struggled with cross browser issues and wasted many hours, days even, on getting things to work in IE, I’ve joined the campaign to encourage people to upgrade. Specifically, to upgrade from IE6, which really does need taking out round the back and shooting; it’s for its own good. I’ve added a subtle push to remind people to upgrade.

I recently added Google Analytics to my blog and to my main site, never really having bothered with traffic information before; I don’t get that much traffic for it to be interesting. But, having added it, I noticed around 24% of my traffic was IE6, which seems high given the market I’m in: Web development, Standards, CSS, etc. I’ve only been tracking this for a few weeks, so statistically it’s not a great sample, but interesting none-the-less.

So a couple of custom reports brought up these figures for the IE6 users.

Continents:

• USA, 37%
• Asia, 34%
• Europe, 19%
• Africa, 5%
• Oceana, 3%

Operating Systems:

• XP, 90%
• Server 2003, 7%
• Windows 2000, 2%
• Windows 98, 0.3%

So, to all you IE6 users, leave a comment as to why you’re still using it? Lazyness? Corporate policy? To spite me?

Yes, WebDD is back, after a short break and with a slightly different format. We’re aiming to catch up on some of the news and maybe a session or two from Mix09, as well as a few community inspired sessions. You can both request a session as well as propose one, but be warned, we’re sticking to two tightly focused tracks, so there aren’t many speaking slots available. We’re going to arrange some sessions, but leave some open for you to choose.

And if you’re wondering why the site looks familiar, it’s the same as DDD; common code base and common membership, so if you’ve created an account to submit to DDD then you’re already registered.

This is one of the most frequently asked questions and seems a constant source of confusion for everyone, as it was for me when I first read about it. The ASP.NET SiteMap allows a navigational structure to be defined as a set of XML elements, which are perfect for describing a hierarchy of menu items. These XML items are a siteMapNode element, which has an attribute roles. It seems obvious that this defines the roles that can see this item, but the obvious is in fact wrong. Here is the most important fact about site maps:

The roles attribute does not restrict visibility of a node.

That should be clear enough, even if it still seems wrong. Here’s how it works.

All restriction to pages is handled via authorization. You can do this either in the base web.config, or in web.config files in folders. For example, assume there is an Admin folder, under which all the administration pages are kept. You only want these pages accessible to users within the Admin role. You would configure your authorization like so:

<location path="Admin">
  <system.web>
    <authorization>
      <allow roles="Admin" />
      <deny users="*" />
    </authorization>
  </system.web>
</location>

The Admin folder can now no longer be accessed by anyone who is not in the Admin role; if you aren’t in the Admin role and try to navigate to a page in the Admin folder, either via link on another page or by typing the URL directly into the browser, you’ll be redirected to the login page. You can have multiple location elements in your web.config, for different folders or even individual files; in fact if you have a restrictive site, you may want to explicitly open up certain pages, such as the login page; it’s hard to login to a site when you don’t have authorization to access the login page. If you prefer not to clutter your base web.config you can create a web.config file in the Admin folder with the same rules; you won’t need the location element since the configuration applies to the current folder.

So that’s authorization done; access to the pages is locked down. Now lets consider navigation. The ASP.NET navigation framework honours the authorization, but only if you configure security trimming on the provider, which isn’t configured by default. This means that you need to add the site map configuration to web.config:

<siteMap enabled="true" defaultProvider="AspXmlSiteMapProvider">
  <providers>
    <clear />
    <add name="AspXmlSiteMapProvider"
         securityTrimmingEnabled="true"
         type="System.Web.XmlSiteMapProvider, System.Web, Version=2.0.3600.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
         siteMapFile="web.sitemap"/>
  </providers>
</siteMap>

Most of this is configured at the machine level when ASP.NET is installed, but crucially the securityTrimmingEnabled value is set to false by default. What the above does is clear out the existing configuration and add a new entry with the attribute set to true. At this stage the navigation framework will now honour the authorization rules, so menu items won’t be shown if the user doesn’t have authorization for that item; it doesn’t matter if you use a Menu or TreeView to display the menu items, the crucial part is using the SiteMapDataSource (or the Sitemap API if you’re building the menu manually). If you have a custom site map provider, such as a database driven one (such as this one on MSDN), then this might have to do it’s own security checking, but it depends at which base class you inherit from. That’s another story for another post though.

So if you don’t need to modify the site map elements themselves, what’s the roles attribute for? Well this works in the opposite way you probably expect, by opening up visibility of the node, showing the node if the user is in the stated role even if they don’t have authorization to access the page itself (because the authorization rule restrict them from accessing it). Why would you do this? Well, you have to understand how security trimming works. When deciding whether a user can see a node, both the authorization and the physical file permissions are checked; if either fail then the node is deemed inaccessible. There are two very common times when physical file checks fail:

1. The URL isn’t local. If the file doesn’t exist locally then no check can take place.
2. There isn’t a URL. The node could be just a container node, with child pages but no page itself.

In both of these cases the physical file checks fail so the node won’t be shown. You therefore may need to open up the visibility of the node. For example, consider the following:

<siteMapNode title="Admin" roles="Admin">
    <siteMapNode url="~/Admin/membership_CreateMember.aspx" title="Create User" />
    <siteMapNode url="~/Admin/membership_GetUsers.aspx" title="View Users" />
    <siteMapNode url="~/Admin/roleManager_CreateRole.aspx" title="Create Role" />
    <siteMapNode url="~/Admin/roleManager_AddUserToRole.aspx" title="Add User to Role" />
</siteMapNode>

Here the Admin node doesn’t have a physical page, it’s purely to allow organisation of the admin items into their own submenu. Without the additional roles attribute the node and children wouldn’t appear, but roles="Admin" states that the node should also be shown to users within the Admin role, even if the security checking fails. We don’t need the attribute on the child nodes because they have physical pages, so the file checks will succeed.

So it’s fairly straightforward if you remember the rules:

• Configure security restrictions on pages with authorization in web.config.
• Redefine the site map provider, enabling security trimming.
• Add the roles attribute to site map nodes to widen the visibility.

My new web server is Server 2008 & IIS7 and SQL 2008 and I’ve deployed a test version of an application that had a mysterious 503 Service Unavailable error; not the main app, but all pages within a specific folder and I couldn’t see why. None of the settings were different for that folder. A quick search hit Phil’s blog entry, which led me to Keith’s. It’s the second quote which kicked off an “Oh, I wonder if it’s that” moment:

I think that the main confusion here is around the purpose of http.sys reservations. Reservations are used to prevent squatting. For example, SQL doesn't want other apps, admin or otherwise, to listen on http://+:80/sql/, so they make a reservation with their creds. Reservations are not for preventing malware from listening on your machine. If you have malware on your machine it can just open a socket if it wants to receive data.

Suddenly it made sense. The folder giving the errors was called Reports and SQL Reporting Services is installed, which also has a Reports folder, with a reservation. Rename the folder and everything works. So if you’re experience unusual service errors, this might be one to check.

Watching the live stream of the PDC keynote yesterday, there were bits of Windows 7 that appealed to me. Libraries and Home Groups seems good, as does the Device Center (I notice they didn’t have a Zune connected in the demo). I like the easy switch to projects, useful for those of us who present, and the improved multi-monitor support, although they didn’t demo a smarter taskbar for the additional monitors (why don’t they just buy UltraMon?). UAC improvements, good; touch, nice but useless for most people; support for user created themes, yay – I’ve long hated the fact that you couldn’t customise without hacking your system.

All of the improvements are long awaited, but there’s one thing in Vista that annoys me beyond belief and that’s the “weird stuff” that just seems to happen for no reason. An example is the deletion of files and folders which mysteriously fails. For example, I’ve just extracted a zip archive containing a few files and folders. I look through the extracts, decide I don’t need to keep it, so delete the files. Vista tells me I don’t have permission to delete one of the folders; err, I’ve just created it, the folder structure (from the parent) is owned by me and I have full permissions. If I go into the folder and delete the files from it, that works and then I can delete the folder; but I couldn’t delete them together. Weird and annoying. This sort of thing happens on a regular basis; maybe it’s my setup, but there’s no logic in the flow of what happens.

Sadly I’ll have to wait for a download before I can play, but at least I have Visual Studio 2010 to keep my beta fix in check.

For years I’ve been recommending Jeff’s SqlSiteMapprovider from his MSDN Magazine column, which allows you to have your site map in a database. I had a request this morning on the forums for a copy in VB, so I used the convertor at the excellent DeveloperFusion site and tweaked it a little. So now you can download a copy in VB.

As I blogged earlier, DDD7, the free one day Saturday geek fest, opened for registration this morning. Less than 4 hours later it was full, with plenty of people of the waiting list. I suspect it’s the power of several blogs and tweets, rather than just mine, but it does show the power of the community. There’s no advertising for this, nor is there any need; in fact it would be a waste given the time it took to fill up. Is this a sign of the economic times? Free events fill up quick.

For those who haven’t yet registered well, too bad. I’m not on the committee and have no power over these things, so if I wasn’t speaking, I’d be in the same position, scrabbling for entry.

What does this show? For me it’s that the developer community in the UK is vibrant, alive, motivated. Sure there’s no expense, apart from travel, but that’s enough for some who come far and while you don’t have to get a day off work, it’s still effort; taking a day out of your weekend to attend a conference means you have to be motivated keen. Now not everyone who has signed up will attend, there’s always a drop off; peoples plans change, they get double booked, they are forced to work that weekend, the partner wants to go shopping/out for lunch/to the in-laws/rock-climbing, but the place always feels full, so the rate can’t be that high.

What we’re now in is a quandary. How do we continue with DDD without disappointing those who want to attend, but still having the feel of the community event. How do we find a big enough venue to hold, say, 500 people, with 4 or 5 large halls? I think the Microsoft campus currently holds around 350 people across four rooms and the fourth room comes with added complexity because it’s in the building next door and requires escorts to the secure areas of the building. And cost, don’t forget that; who’s going to pay for this venue? Microsoft are gracious enough to open their doors, but it costs them; they pay for staff to host the event and pay for the food. For DDD Ireland we were hosted in a college campus and hosted by volunteers, but we still needed the generosity of many people.

So what are the options?

• Hold a double event, repeated on the Sunday; not a two day event, that’s a whole different beast, but the same event repeated on the next day. I suspect there would be less people signing up on the Sunday, which then gets to the question of is it worth it for the second day; it would cost twice the amount to host.
• Find a different venue. But where? There are three parts to this problem:
• Facilities. It needs to hold the required number of people and have the 4 or 5 presenting rooms.
• Cost. While it would be great to live on the generosity of others, the practicality is that most places charge; who’s going to pay?
• Location. This is a no win situation really; enough people already don’t want to travel the distance to Reading and would prefer something more local. London? Costs more to host, although it might be easier for some to get to.
• Smaller, more localised events. All of the above venue issues arrive, along with the effort of running the event. DDD Scotland is well under control, DDD Ireland was a success and hopefully there will be more, but is there a case for DDD West Country, or DDD North? I think there is a case, and frankly there’s nothing stopping you putting on an event if you want to. Get together with your local user group people and see about combining an event.
• Start charging; even a small fee would probably cover the cost of a venue, but we’re now into conference territory rather than the community event. Taking payment would invariably involve more time, effort, risk, and would probably come with all sorts of legal issues too. Still, something as small as £10 could have a big impact; cover the cost of the venue, food, with what’s left over for a dinner? Or swag. I’m not sure I like this as an option, but it is an option; I just don’t feel it would be DDD anymore.

So, views?

A product I’m working on requires colours for certain items, to make them more easily identifiable and these items are often a selection in a list. This makes a great deal of sense as we are visual creatures; it’s much easier to pick out a red item from a list than having to read the text. In UI terms it may not look great, the colours glaring with the overall design, but that’s a point for another day.

So it seems sensible to have the list display those colours, but herein lies the problem. Or problems. The ListBox doesn’t have an OnItemDataBound method, so you can’t add the style attributes as each item is being bound. This leaves two choices:

1. You could loop through the items in the DataBound event afterwards, adding the style attributes.
2. Add the items manually, adding the style attributes to the ListItem before you add it.

Neither are particularly onerous; for this application there are only a few items, used on a few pages.

All looked rosy until postback when the styles just disappear; no jarring colours to help identify the items. A quick investigation reveals that the ListItem doesn’t persist the attributes as part of its ViewState, which means that although you can display the list items in colour, the colour disappears once you post back. There are ways to get around this, client side etc, but that’s just not an avenue I want to persist; the effort just isn’t worth it.

As it turns out I’m quite happy that it is a problem, because I don’t actually like the colours in the list itself; it really doesn’t look great. Now I’ve got a good excuse when the client says “why can’t the lists be in colour”.