Anything else listed additionally is based on my own observations. Links listed here may be subject to copyright
protection, and access to them is at the discretion of the authors/owners to whom they pertain.
####Caveats
1. This exam targets MVC 5.1 and VS2013. A number of aspects of MVC 4 still apply, as well as the general
functionality of MVC on ASP.Net, but be aware of the MVC 5.x distinctions and how VS2013 is expected
to be utilized.
2. Where the guide mentions "Implement", be prepared to know common method and parameter usage
involved with said technology or namespace.
3. There is a good portion of this test involving Azure services and the functionality thereof.
####Additional Resources
Choose a state management mechanism (in-process and out of process state management),
plan for scalability,
use cookies or local storage to maintain state,
apply configuration settings in web.config file,
implement sessionless state (for example, QueryString)
Resources
Read and write string and binary data asynchronously (long-running data transfers),
choose a connection loss strategy,
decide a strategy for when to use WebSockets,
implement SignalR
HTTP handlers are the endpoint that produces the response: a handler is mapped to requests by file extension
or path, URL and HTTP verb, and only runs for the requests mapped to it. HTTP modules are event driven: they
hook pipeline events (BeginRequest, AuthenticateRequest, AuthorizeRequest, PreSendRequestHeaders and so on)
and so run on every request, before and after the handler, which makes them the place for cross-cutting
checks rather than a handler that only some requests reach.
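The difference matters for where a security check lives. The following is an added example (not code from the notes or from Microsoft): a module that rejects an unwanted verb before any handler runs and stamps response headers on every request, next to a handler that only serves its own mapped extension. The class names, the `*.report` mapping and the "report" content are assumptions for illustration.

```csharp
using System;
using System.Web;

// Added example, not from the original notes. An HTTP module sees every request
// in the pipeline, so cross-cutting checks belong here; the handler below only
// runs for requests mapped to it in web.config.
public class SecurityHeadersModule : IHttpModule
{
    public void Init(HttpApplication app)
    {
        // Fires before any handler executes, on every request.
        app.BeginRequest += (sender, e) =>
        {
            HttpContext ctx = app.Context;
            // Example check: refuse TRACE for every path, whatever handler would have served it.
            if (string.Equals(ctx.Request.HttpMethod, "TRACE", StringComparison.OrdinalIgnoreCase))
            {
                ctx.Response.StatusCode = 405;
                app.CompleteRequest();   // skip the rest of the pipeline, including the handler
            }
        };

        // Fires after the handler has run, just before headers are sent to the client.
        app.PreSendRequestHeaders += (sender, e) =>
        {
            HttpResponse resp = app.Context.Response;
            resp.AddHeader("X-Content-Type-Options", "nosniff");
            resp.AddHeader("X-Frame-Options", "DENY");
        };
    }

    public void Dispose() { }
}

// A handler is the endpoint. It runs only for the extension/verb it is mapped to
// (assumed here: path="*.report" verb="GET"), and MVC authorization filters do not
// apply to it, so it must check the caller itself.
public class ReportHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Assumes Windows or Forms authentication is configured for the site.
        if (!context.Request.IsAuthenticated)
        {
            context.Response.StatusCode = 401;
            return;
        }
        context.Response.ContentType = "text/plain";
        context.Response.Write("report for " + context.User.Identity.Name);
    }
}
```

Both classes are registered under `<system.webServer>` in web.config: the module with `<modules><add name="SecurityHeaders" type="SecurityHeadersModule" /></modules>`, the handler with `<handlers><add name="Report" path="*.report" verb="GET" type="ReportHandler" /></handlers>` (IIS integrated pipeline mode assumed). Note that the module's BeginRequest check runs for `*.report` requests too; the handler never sees a TRACE.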
####Preparation resources
Plan for running applications in browsers on multiple devices (screen resolution, CSS, HTML)
o Media queries
plan for mobile web applications
####Preparation resources
Search Engine Optimization Toolkit
GlobalizationSection Class
FormCollection Class
Create and run unit tests (for example, use the Assert class),
create mocks;
create and run web tests, including using Browser Link;
debug a web application in multiple browsers and mobile emulators
Collect diagnostic information by using Azure Diagnostics API and appropriately implement on demand
versus scheduled;
choose log types (for example, event logs, performance counters, and crash dumps);
debug an Azure application by using IntelliTrace, Remote Desktop Protocol (RDP), and remote
debugging;
interact directly with remote Azure websites using Server Explorer.
####Preparation resources
Using shims to isolate your application from other assemblies for unit testing
o Windows - Best for intranet sites and websites that have access to AD domain controllers; built in to
ASP.NET and IIS, so the browser and IIS negotiate the credential and no login page is needed
o Forms - Integrates with both identity- and claims-based authentication, with built-in support for
standard membership providers; the application presents its own login page and issues a ticket cookie
o Custom authentication - Allows greater flexibility in user-store access and modification
manage user session by using cookies
o Cookie storage - A single cookie holds roughly 4 KB of data (the RFC 6265 minimum a browser must
accept); larger data, or anything the client must not read or tamper with, is stored at the server via
Session management. Mark cookies HttpOnly and Secure so script cannot read them and they are never
sent over plain HTTP; ASP.NET encrypts and signs its forms-authentication ticket, not cookies you set yourself
o Cookie persistence
When enabled, the cookie is written with an expiry date, so the client can close the browser and
return to the site still authenticated; a stolen persistent cookie stays valid just as long
When disabled, the cookie expires once the session ends or the client closes the browser
o Cookie reference - Keeps the cookie small, as it only holds a reference (such as the ASP.NET session
ID) to the data held on the server; the reference is then the secret and must be unguessable
configure membership providers
o SimpleMembership
o SimpleRoles
o SqlMembershipProvider
create custom membership providers
o MembershipProvider vs WebSecurity
MembershipProvider is an abstract class which can be used to create a custom provider.
WebSecurity is a wrapper of SimpleMembership which allows easy access to many of the
security methods contained therein.
DeleteAccount() is not implemented in this helper.
WebSecurity is not interoperable with MembershipProvider, only with SimpleMembership.
configure ASP.NET Identity
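The cookie choices above (HttpOnly, Secure, persistent versus session, server-side invalidation) and the "configure ASP.NET Identity" item come together in the OWIN startup class. The following is an added example, not code from the notes or from the Visual Studio template; it assumes the ASP.NET Identity 2.x and Microsoft.Owin.Security.Cookies packages, a `DefaultConnection` connection string in web.config, and an `/Account/Login` route. The cookie name and the timeouts are illustrative.

```csharp
using System;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Added example, not from the original notes. Assumes ASP.NET Identity 2.x,
// the OWIN cookie middleware and a "DefaultConnection" connection string.
public class ApplicationUser : IdentityUser { }

public class ApplicationDbContext : IdentityDbContext<ApplicationUser>
{
    public ApplicationDbContext() : base("DefaultConnection") { }
    public static ApplicationDbContext Create() { return new ApplicationDbContext(); }
}

public class ApplicationUserManager : UserManager<ApplicationUser>
{
    public ApplicationUserManager(IUserStore<ApplicationUser> store) : base(store) { }

    public static ApplicationUserManager Create(IdentityFactoryOptions<ApplicationUserManager> options, IOwinContext context)
    {
        var manager = new ApplicationUserManager(new UserStore<ApplicationUser>(context.Get<ApplicationDbContext>()));
        // Lock out after repeated failures so the login form is not a free password oracle.
        manager.UserLockoutEnabledByDefault = true;
        manager.DefaultAccountLockoutTimeSpan = TimeSpan.FromMinutes(5);
        manager.MaxFailedAccessAttemptsBeforeLockout = 5;
        return manager;
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            CookieName = ".StudyApp.Auth",                 // assumed application-specific name
            CookieHttpOnly = true,                          // no document.cookie access from script
            CookieSecure = CookieSecureOption.Always,       // never sent over plain HTTP
            ExpireTimeSpan = TimeSpan.FromMinutes(30),      // idle timeout for the ticket
            SlidingExpiration = true,
            Provider = new CookieAuthenticationProvider
            {
                // Re-check the user's security stamp so a password change (or "sign out
                // everywhere") invalidates already-issued cookies on the server side.
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(5),
                    regenerateIdentity: (manager, user) =>
                        manager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie))
            }
        });
    }
}

public static class SessionCookies
{
    // rememberMe = true issues a persistent cookie that survives closing the browser;
    // false issues a session cookie that dies with the browser session.
    public static void SignIn(IAuthenticationManager auth, ApplicationUserManager users, ApplicationUser user, bool rememberMe)
    {
        var identity = users.CreateIdentity(user, DefaultAuthenticationTypes.ApplicationCookie);
        auth.SignOut(DefaultAuthenticationTypes.ExternalCookie);   // drop any half-finished external login
        auth.SignIn(new AuthenticationProperties { IsPersistent = rememberMe }, identity);
    }

    public static void SignOut(IAuthenticationManager auth)
    {
        auth.SignOut(DefaultAuthenticationTypes.ApplicationCookie);
    }
}
```

The ticket itself is encrypted and signed by the middleware; what the settings above control is who can read the cookie and how long it lives. The ASP.NET session cookie (the "cookie reference" case) is configured separately in web.config with `<httpCookies httpOnlyCookies="true" requireSSL="true" />` under `<system.web>`.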
Transport:
Message is protected at the transport level, using whatever security the transport
provides (HTTPS: SSL/TLS; net.tcp: a Windows/SSPI or SSL stream upgrade on the socket)
Security is point-to-point and tends to have greater interoperability, but the message is
in the clear at every intermediary, and anything forwarded beyond the service is not
automatically protected
Caller credentials are presented by the transport (for example the SSPI handshake or a
client certificate) separately from the message body; the channel protects both, but
the credentials are not bound into the message as they are with WS-Security
Better performance and can benefit from hardware acceleration
Message:
Both the message and the caller's credentials are signed and encrypted together inside
the SOAP envelope using the WS-Security specification
The payload stays protected end to end, even when forwarded through intermediaries,
resulting in better overall security
Performance suffers:
XML signing and encryption is CPU-heavy and cannot benefit from the transport's
hardware acceleration
an intermediary that needs to read or transform the message must hold the keys and
re-secure it before forwarding it to other services
the WS-Security specification must be supported by every service in the
pipeline
o Security Modes
None. Messages are not secured.
Transport. Messages are secured using transport security.
Message. Messages are secured using message security.
TransportWithMessageCredential. Message protection and server authentication occur at the
transport level (for example HTTPS) and the client's credentials are passed inside the message.
TransportCredentialOnly. Credentials are passed at the transport level but the message is
not encrypted. This option is available only if you are using the BasicHttpBinding binding.
Both. Messages are secured using both transport level and message level security. This is
supported only if you are using Microsoft Message Queue Server.
o Credential Types (Transport)
Windows. The client uses a Windows token representing the logged in user’s Windows
identity. The service uses the credentials of the process identity or an SSL certificate.
Basic. The client passes a user name and password to the service. Typically, the user will
enter the user name and password in a login dialog box. The service uses a SSL certificate.
This option is available only with HTTP protocols.
Certificate. The client uses an X.509 certificate and the service uses either that certificate
or an SSL certificate.
NTLM. The service validates the client using a challenge/response scheme against
Windows accounts. The service uses a SSL certificate. This option is available only with the
HTTPS protocol.
None. The service does not validate the client.
o Credential Types (Message)
Windows. The client uses a Windows token representing the logged in user’s Windows
identity. The service uses the credentials of the process identity or an SSL certificate.
UserName. The client passes a user name and password to the service. Typically, the user
will enter the user name and password in a login dialog box. The service can validate the
user name and password using a Windows account or the ASP.NET membership provider.
Certificate. The client uses an X.509 certificate and the service uses either that certificate
or an SSL certificate.
IssuedToken. The client and service use a Security Token Service (STS), which issues tokens
that both the client and the service trust. Windows CardSpace uses a Security Token Service.
None. The service does not validate the client.
o Config example

```xml
<bindings>
  <netTcpBinding>
    <binding name="SecureService_Tcp"
             …
      <security mode="Transport">
        <transport clientCredentialType="Windows"
                   protectionLevel="EncryptAndSign" />
        <message clientCredentialType="Windows" />
      </security>
    </binding>
  </netTcpBinding>
  <wsHttpBinding>
    <binding name="SecureService_WsHttp"
             …
      <security mode="Message">
        <transport clientCredentialType="Windows"
                   proxyCredentialType="None"
                   realm="" />
        <message clientCredentialType="Windows"
                 negotiateServiceCredential="true"
                 algorithmSuite="Default"
                 establishSecurityContext="true" />
      </security>
    </binding>
  </wsHttpBinding>
</bindings>
```
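The same two bindings can be built in code, which is also where the TransportWithMessageCredential mode from the list above gets its credential check. The following is an added example, not the notes' own code: it reproduces the `SecureService_Tcp` and `SecureService_WsHttp` choices programmatically (in the net.tcp binding the `<message>` element is ignored under `mode="Transport"`, so only the transport settings are set), and then goes beyond the config with a hypothetical HTTPS endpoint using a UserName message credential and a custom `UserNamePasswordValidator`. The user store is a constructed in-memory sample; `SecureHosting.Open` assumes the caller passes the page's own service and contract types.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Selectors;
using System.Net.Security;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Security;

// Added example, not the notes' own code: the two bindings from the config above
// built in code, plus a hypothetical TransportWithMessageCredential/UserName endpoint.
public static class SecureBindings
{
    // Same choices as SecureService_Tcp: Windows stream security over net.tcp.
    public static NetTcpBinding Tcp()
    {
        var b = new NetTcpBinding(SecurityMode.Transport);
        b.Security.Transport.ClientCredentialType = TcpClientCredentialType.Windows;
        b.Security.Transport.ProtectionLevel = ProtectionLevel.EncryptAndSign;
        return b;
    }

    // Same choices as SecureService_WsHttp: WS-Security message protection, Windows credentials.
    public static WSHttpBinding WsHttpMessage()
    {
        var b = new WSHttpBinding(SecurityMode.Message);
        b.Security.Message.ClientCredentialType = MessageClientCredentialType.Windows;
        b.Security.Message.NegotiateServiceCredential = true;
        b.Security.Message.EstablishSecurityContext = true;
        return b;
    }

    // Beyond the config: HTTPS protects the channel and authenticates the server,
    // the user name/password token rides in the SOAP header.
    public static WSHttpBinding HttpsWithUserName()
    {
        var b = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        b.Security.Message.ClientCredentialType = MessageClientCredentialType.UserName;
        return b;
    }
}

// Hypothetical validator. WCF calls Validate for every message carrying a UserName token;
// it must throw to reject, because returning normally means "accepted".
public class PasswordHashValidator : UserNamePasswordValidator
{
    private sealed class Record { public byte[] Salt; public byte[] Hash; }

    // Constructed sample store: one user, salted PBKDF2 hash (never the plaintext).
    private static readonly Dictionary<string, Record> Users =
        new Dictionary<string, Record>(StringComparer.Ordinal) { { "alice", NewRecord("correct horse battery staple") } };
    // Used for unknown users so a lookup costs the same time as a real check.
    private static readonly Record Dummy = NewRecord(Guid.NewGuid().ToString());

    public override void Validate(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            throw new FaultException("Unknown username or incorrect password.");

        Record rec;
        bool known = Users.TryGetValue(userName, out rec);
        byte[] hash = Derive(password, (known ? rec : Dummy).Salt);
        bool ok = known && FixedTimeEquals(hash, rec.Hash);
        if (!ok)
            throw new FaultException("Unknown username or incorrect password."); // same text either way
    }

    private static Record NewRecord(string password)
    {
        var salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return new Record { Salt = salt, Hash = Derive(password, salt) };
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 100000)) return kdf.GetBytes(32);
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class SecureHosting
{
    // contractType is the service contract interface; httpsBase must be an https:// address
    // with a certificate already bound to the port.
    public static ServiceHost Open(Type serviceType, Type contractType, Uri httpsBase)
    {
        var host = new ServiceHost(serviceType, httpsBase);
        host.AddServiceEndpoint(contractType, SecureBindings.HttpsWithUserName(), "secure");
        var auth = host.Credentials.UserNameAuthentication;
        auth.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
        auth.CustomUserNamePasswordValidator = new PasswordHashValidator();
        host.Open();
        return host;
    }
}
```

Setting `UserNamePasswordValidationMode.MembershipProvider` instead of `Custom` hands the same check to the ASP.NET membership provider mentioned under the message credential types, which is the option to prefer when the site already has one.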
WCF Authorization
o Authorization Options
Role-based. Access to a service and to operations of the service is based on the user’s
role.
Identity-based. Access is based on claims made within the user's credentials. This is an
extension of role-based authorization and provides a more fine-grained approach. It is
typically used with issued-token authentication.
Resource based. Resources, such as WCF services, are secured using Windows Access
Control Lists (ACLs).
o Role Determination Options
Windows groups. You can use the built-in Windows groups such as Administrators or
Power Users or create your own Windows groups.
Custom roles. You can create roles that are specific to your application, such as Manager,
Employee, Administrator, etc.
ASP.NET role management. You can use the ASP.NET role provider and use roles you
have defined for a Web site.
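The role-based and identity-based options above map onto two WCF hooks: a `PrincipalPermission` demand on the operation, and a `ServiceAuthorizationManager` that inspects the caller's claim sets before the operation runs. The following is an added example, not code from the notes; the payroll contract, the group names `Employees` and `Managers`, and the claim type URI are assumptions for illustration.

```csharp
using System;
using System.IdentityModel.Claims;
using System.IdentityModel.Policy;
using System.Security.Permissions;
using System.ServiceModel;
using System.ServiceModel.Description;

// Added example, not from the original notes. Contract, roles and claim type are assumed.
[ServiceContract]
public interface IPayroll
{
    [OperationContract] decimal GetSalary(string employeeId);
    [OperationContract] void SetSalary(string employeeId, decimal amount);
}

public class PayrollService : IPayroll
{
    // Role-based: the caller's principal must carry the named role. With
    // PrincipalPermissionMode.UseWindowsGroups these are Windows groups; with
    // UseAspNetRoles they come from the configured ASP.NET role provider.
    [PrincipalPermission(SecurityAction.Demand, Role = "Employees")]
    public decimal GetSalary(string employeeId) { return 1000m; }   // placeholder value

    [PrincipalPermission(SecurityAction.Demand, Role = "Managers")]
    public void SetSalary(string employeeId, decimal amount) { }
}

// Identity-based: runs for every incoming message, before the operation and before the
// PrincipalPermission demand, and can look at any claim the authentication step produced.
public class PayrollAuthorizationManager : ServiceAuthorizationManager
{
    private const string WriterClaim = "http://example.com/claims/payroll-writer"; // assumed claim type

    protected override bool CheckAccessCore(OperationContext ctx)
    {
        AuthorizationContext authz = ctx.ServiceSecurityContext != null
            ? ctx.ServiceSecurityContext.AuthorizationContext : null;
        if (authz == null) return false;   // anonymous caller: fail closed

        // Reads are governed by the role demand alone; writes also need the writer claim.
        string action = ctx.IncomingMessageHeaders.Action;
        if (!action.EndsWith("/SetSalary", StringComparison.Ordinal)) return true;

        foreach (ClaimSet set in authz.ClaimSets)
            foreach (Claim c in set.FindClaims(WriterClaim, Rights.PossessProperty))
                if (string.Equals(c.Resource as string, "true", StringComparison.Ordinal))
                    return true;
        return false;   // WCF turns this into an access-denied fault
    }
}

public static class PayrollHost
{
    public static ServiceHost Open(Uri baseAddress)
    {
        var host = new ServiceHost(typeof(PayrollService), baseAddress);
        host.Authorization.PrincipalPermissionMode = PrincipalPermissionMode.UseWindowsGroups;
        host.Authorization.ServiceAuthorizationManager = new PayrollAuthorizationManager();
        host.Open();
        return host;
    }
}
```

For custom roles instead of Windows groups, set `PrincipalPermissionMode.UseAspNetRoles` and assign `host.Authorization.RoleProvider` (or the `<serviceAuthorization>` behavior in config); the `PrincipalPermission` attributes stay unchanged.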
handle token formats (for example, OAuth, OpenID, Microsoft Account, Google, Twitter, and Facebook)
for SAML and SWT tokens
####Preparation resources