Friday, December 2, 2016

Block access to a specific folder in your ASP.NET MVC website

One way to block access to a specific folder in your ASP.NET MVC website is by combining the <location> with an <authorization> section inside your web.config:

In fact this is not the best approach, as this configuration is only applied when the ASP.NET pipeline is invoked; requests that IIS serves without it are not blocked.

A better approach is to block the access at the IIS level by using the following configuration inside your web.config:
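As an added example (not the post's own snippets, which did not survive on this page), here is what both variants look like for a folder named Secret, an assumed name: the ASP.NET-level <location>/<authorization> block first, then the IIS-level Request Filtering rule that applies to every request no matter which handler serves it.

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- Variant 1 (ASP.NET level): only evaluated when the request passes
       through the ASP.NET pipeline. A static file in /Secret served directly
       by IIS is not covered. "Secret" is an assumed folder name. -->
  <location path="Secret">
    <system.web>
      <authorization>
        <deny users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- Variant 2 (IIS level): Request Filtering rejects the URL before any
       handler (managed or native) runs, so static and dynamic content in the
       folder are both blocked. Requires the IIS Request Filtering module. -->
  <system.webServer>
    <security>
      <requestFiltering>
        <hiddenSegments>
          <add segment="Secret" />
        </hiddenSegments>
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
```

Note that a hidden segment matches that segment anywhere in the URL path (also /foo/Secret/bar) and answers with a 404. If you want a 401 so that authorized users can still get in, IIS URL Authorization (<system.webServer><security><authorization>) inside the same <location> element is the IIS-level alternative.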

Thursday, December 1, 2016

The CRAP cycle and how to break it…

Did you ever hear about the CRAP cycle, the Create/Repair/Abandon/rePlace cycle?

You build an application. Over time you accumulate some technical debt. The application becomes harder to maintain. Developers start avoiding and working around certain aspects of the code. Maintenance becomes more and more expensive. Developers complain. New features become harder and harder to write and cost more. The business complains. The application becomes too complex to maintain, so we abandon it and start replacing it. Only this time “we are doing it right!”. And of course we make the same mistakes. And the loop starts again…


How can we break this circle? What can we do to avoid it? Or is it an unbreakable law of software?

I don’t think it has to be. The problem is that most of the time architecture, code quality and a common set of guidelines are only applied at the beginning of a project. Although most applications are built using an iterative approach, the time spent in guarding the quality of the project decreases over time. And when the project finally arrives in maintenance mode, no one cares. The budget is gone, so every fix should be done as cheap as possible…

One of the reasons is that the best developers/architects are assigned to new projects and that the lesser gods need to maintain it. This is really unfortunate both for the developers/architects that move on (because they cannot learn from their mistakes) and for the poor guys/girls that need to maintain the project (because they get little room for improvement).

When is the last time you had to maintain the code you wrote?

Wednesday, November 30, 2016

NIST is bringing some common sense to password policies

As a consultant I’m frequently confronted with strange password policies. Every company I visit has different password rules with different expiration windows and so on. Although a password manager helps me to keep my sanity, I have a hard time understanding some of the multipage password rules that customers are using.

But ok, if it makes our systems more secure, it’s a burden I’m willing to carry. Unfortunately there is enough research available showing that most of these rules make no sense and don’t help to improve security at all…

So reading the following post (https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/) about NIST (the United States National Institute of Standards and Technology) and the new guidelines for password policies they published made me happy.

An extract of some of the rules:

  • A minimum of 8 characters.
  • Allow at least a maximum of 64 characters (I hate it when I cannot use passphrases).
  • No composition rules (again, I hate it when I cannot use passphrases).
  • No password hints.
  • No knowledge-based authentication (questions that only you should know the answer to, like your favorite color).
  • No more password expiration without reason.

Thank you NIST!

Tuesday, November 29, 2016

NUnit tests are really slow when using Microsoft.Owin.Testing TestServer

After introducing Microsoft.Owin.Testing TestServer in a Test project we noticed that our test execution time increased from a few milliseconds for all tests to multiple seconds for each individual test.

With the help of dotTrace I noticed that most time was spent inside Microsoft.Owin.Hosting.Tracing.DualWriter. This class is used by OWIN to write all OWIN related data to the console.


After removing the related trace listener using the line of code below, I noticed that the test execution time returned to normal:

Trace.Listeners.Remove("HostingTraceListener");

Monday, November 28, 2016

Fun retrospectives

In my job as a consultant I visit a lot of development teams. Most of them are using a ‘Scrum-like’ approach, meaning that the typical Scrum ceremonies (Daily Standups, Sprint Reviews, Retrospectives, …) are in place.

However, I noticed that especially the Retrospective becomes boring after a while. To spice up your retrospectives and make them meaningful again, I recommend having a look at http://www.funretrospectives.com/. This site brings a lot of activities and ideas together for making agile retrospectives more engaging.


Part of the information is also available as an e-book at http://www.caroli.org/book-fun-retrospectives/

Friday, November 25, 2016

ASP.NET Web API 2 Request Pipeline

I remember a time when ASP.NET WebForms was mainstream and ASP.NET MVC and Web API still had to be invented. To do a good job as an ASP.NET WebForms developer you needed a deep understanding of the ASP.NET WebForms page lifecycle. (I even got some related interview questions at the time.)

Those times have gone, and now you should understand ASP.NET MVC and Web API, which both have their own lifecycle. Here is a great poster explaining the ASP.NET Web API Message Lifecycle:


And a similar one for ASP.NET MVC:


Must print material!

Thursday, November 24, 2016

Xamarin Workbooks

I started experimenting with Xamarin Workbooks as a new (better) way to create my API documentation. Workbooks are an interactive combination of executable code snippets and Markdown documentation.


Xamarin Workbooks is a cross platform tool both available for Windows and Mac. Download information is available here: https://developer.xamarin.com/guides/cross-platform/workbooks/install/

After installation, it is time to create your first workbook:

  • Open Xamarin Workbooks. The new C# workbook window is shown. You can choose between a Console, iOS, Android or WPF app (at the moment of writing).
    • Xamarin Workbooks uses the concept of agents. Agents are responsible for injecting and executing your code in a specific application type. This means there is a separate agent for WPF, iOS, Android, …
  • Let’s start simple and choose Console.


  • You are welcomed by a blank workbook.


  • In the workbook you can add two types of cells: either an executable C# cell or a documentation cell. Click on the + or “ button to add a new cell.


  • In a C# cell you can enter your C# code. The workbook will provide code completion, syntax coloring, inline live-diagnostics, and multi-line statement support to optimize the editing experience.


  • To execute the code you can hit <enter>, click on the play button or press <control>+<return>.


  • In a Documentation cell you can enter any documentation, including images. Formatting is done using the Markdown format.


Some annoyances I have at the moment:

  • I noticed that the editing experience isn’t bug free yet. I got some strange behavior.
  • I couldn’t find a way to include my own assemblies or use my own NuGet server.
  • Compilation is (too) slow.
  • No undo functionality (yet).

It will be interesting to see how this application evolves…