Date: August 19, 2003
Windows Server 2003 for ASP.NET Developers...
This article looks at Windows Server 2003 and why you might want to consider upgrading your servers to use the product at this time.
Date: August 19, 2003
This article looks at Windows Server 2003 and why you might want to consider upgrading your servers to use the product at this point in time through an examination of what new features the product provides and what the upgrade consequences might be for your ASP.NET applications. As apart of this we take a quick look at ASP.NET v1.1 as this is supplied by default with server 2003 / IIS 6.
As web developers we're interested in anything improving IIS or our ability to configure IIS and anything that improves performance and security of our applications. The following new features qualify:
Finally, also included as standard is the version 1.1 upgrade to ASP.NET which has been available as a separate upgrade for some time. This includes fixes for some of the bugs and issues found in 1.0 (although these are relatively minor and will not affect most existing applications), plus some new features that I'll also consider briefly towards the end of this article.
Let's go into a little more detail regarding two of the more important changes above: IIS 6.0 and Server Roles, before looking at ASP.NETv1.1.
While the interface to IIS 6.0 remains largely the same quite a lot has changed under the surface. Key is the fact that IIS 6.0 uses a kernel level driver named http.sys to handle all incoming web requests. Being at the kernel level improves performance as process switching is minimised. http.sys redirects these requests to the appropriate instance of the World Wide Web Publishing service (W3SCV). There may be multiple instances of W3SVC running, each running in its own isolated process for robustness. Further, http.sys includes features to better manage deadlock and error situations, particular arising from ASP.NET, as well as supporting ASP.NET output caching, again minimising process switching overheads when using ASP.NET.
The ability to run multiple W3SVC processes means a change to the configuration of application pooling in IIS 6.0. In fact application protection (Low – IIS process, medoium – pooled and high – isolated) in IIS 5.0 has become application pooling in IIS 6.0, configurable at the web site or (virtual) directory properties level. In IIS 6.0 you can configure Application Pools for use with your instance of IIS which your applications can be associated with thus allowing greater flexibility in the level of isolation and protection you provide your applications.
Next the metabase is gone, replaced with an XML configuration file, and including facilities to more easily roll back to previous configuration versions.
Application mappings are still used in IIS 6.0 to associated handlers with file extensions served through IIS, configured via the properties dialog of the application or web site. IIS 6.0 extends the available functionality via web service extensions making it easier to filter set extensions as required, e.g. you may choose to disallow Server Side includes. Again this feature is inline with the general aim of 2003 Server of improving security. In the same vein, out of the box 2003 Server will tie down options such as web service extensions so you may need to undertake some configuration to ensure your existing applications will work.
As you'll know if you've ever looked at services under control panel there are a host of services installed and available on your windows 2000 Server system. This hasn't changed with 2003. However, what has changed is the ease of identifying which of these you actually need and which you can safely disable or even uninstall without detriment to your requirements of the server. This is achieved via the concept of server roles.
This concept means that you specify the role you want your server to be used for and the system figures out which software your server requires for this role, along with the appropriate file permissions and configurations settings. Examples of roles are: file server, print server, application server (IIS, ASP.NET), mail server, domain controller, DHCP server, streaming media server, etc.
Configuration of such server roles is available via the 'Manage your server' dialogue that will appear by default on server re-boot. Here you can add or remove server roles. Further the view of roles you see will depend on options taken during installation of 2003 Server.
As ASP.NET developers central to us will be Application Server which installs and configures IIS, ASP.NET and COM component services (no they haven't changed yet!) thus enabling the server to act as a web server and distributed application server. If you just install this role you will see that services such as active directory, DHCP server and DNS server are not installed as they are not strictly required to perform these roles.
Basically server roles are just a wrapper around windows components setup designed to make the task of optimally setting up your server easier. You can, of course, still use the Services dialog to configure your services as well as Add/Remove windows components.
While ASP.NET is not new it is shipped with Windows 2003 Server giving me this opportunity to review the changes. Remember that side by side execution means that you can run ASP.NET v1.0 and v1.1 applications quite happily on the same server. We might look at the further ramifications of this facility in a future distinct article.
Is a new security feature in v1.1 intended to reduce the risk from attacks that use cross-site scripting or SQL injection techniques. Now by default, all input to a page within the Request collections (QueryString, Form and Cookies) is checked against a hard-coded list of potentially dangerous strings.
If the input is invalid, an HttpRequestValidationException is raised which, if not handled, causes the standard ASP.NET error page to be displayed. Therefore existing pages that depend on accepting this kind of data may fail to work correctly under ASP.NET 1.1. To turn off input validation add an attribute to the @Page directive:
| <%@Page Language="VB" ValidateRequest="false" %> |
or configure the Pages element of the web.config or machine.config files similarly.
Some minor changes: as you may recall forms authentication uses encrypted cookies with the encryption used specified in the <machineKey> element
In version 1.1 of the Framework, by default, the validationKey and encryptionKey attribute values within the <machineKey> element contain a new modifier named IsolateApps:
|
<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="SHA1"/> |
The presence of IsolateApps causes the framework to include details of the ASP.NET application within the autogenerated keys so that different applications on the same machine will use different keys improving security and application isolation. With v1.0 all applications used the same key.
This may cause an issue if your application contains nested applications relying on cookies shared between them. If this is the case you can simply remove the new modifier and behaviour will revert to that of v1.0. Alternatively you can use an explicit key.
Was previously a separate download but is included in v1.1.
New data providers:
ODBC provider class previously only available as separate beta release: now called System.Data.Odbc.
Oracle providerclass: System.Data.OracleClient
The DataReader classes expose a new property HasRows which indicates whether any rows were returned after ExecuteReader was performed.
The Connection classes contain a new method EnlistDistributedTransaction allowing greater flexibility if participating in transactions.
The System.Web.HttpBrowserCapabilities class has an extra method: GetClrVersions returns an array of version objects that describe all the versions of the .NET Framework that are installed on the client, necessary as now multiple versions can exist.
The System.Web.HttpRuntime class has an extra method: UnloadAppDomain forces the current ASP.NET application to be unloaded, effectively restarting the Web application.
The System.Web.HttpUtility class has an extra method: UrlPathEncode which encodes only the 'path' section of a URL string.
Relevant controls (DropDownList, CheckBoxList, RadioButtonList and ListBox) have an extra property: SelectedValue.
The page class has a new property named ViewStateUserKey. This can be set to a value that is unique to the current user and it is then encoded into the viewstate of the page thus providing an extra security feature.
I hope this article has been an informative introduction to the new features of Windows 2003 server of particular interest to web developers and to some of the new features of ASP.NET v1.1. As you have seen there are several areas of improvement that encourage a move. Not least of which are the changes to IIS that Microsoft claim lead to up to a 50% performance improvement over IIS 5.0 with improvements particularly noticeable when output caching is employed.
However, ultimately as developers, our choice of OS should be guided by the final production environment of our applications. As the real world is usually a little behind the Microsoft world, sometimes with good reasons as service packs are rushed out, the upgrade to 2003 Server is perhaps a little way off. This shouldn't stop you utilising the new features ASP.NET v1.1 offers when appropriate however. Plus, if you have a spare machine and a little time why not get used to those new features you'll be no doubt be using in the not too distant future?
Switching To Windows Server 2003 and ASP.NET 1.1.
Alex Homer
.NET SDK Documentation