Pro ASP.NET MVC Framework, part 1 - Pdf 20

Pro ASP.NET MVC Framework
Dear Reader,
The brand-new ASP.NET MVC Framework represents the biggest shift in
Microsoft web development since ASP.NET was first released in 2002. It gives
us far greater control over our HTML markup, our URL schema, and our use
of requests and responses. It promotes clean application architecture, has
deep support for unit testing, and makes it easy to integrate with third-party
JavaScript libraries and Ajax toolkits.
I’ve written this book because I’m excited about ASP.NET MVC. I hope that
by reading it, you’ll gain not only the deepest understanding of what ASP.NET
MVC offers and how to use it, but also why it was designed this way, and how
you can apply its principles to improve your own code. Because I’m independent
of Microsoft, I can freely analyze what works well, what limitations you might
encounter, and what alternatives or open source tools you might need to add in.
Through discussion, documentation, and a substantial hands-on tutorial,
you’ll learn about
• The MVC Framework’s powerful facilities, including routing, controllers,
filters, views, and model binding
• Architecture: The model-view-controller (MVC) pattern, loose coupling,
testability, test-driven development (TDD), and relevant design patterns
• Extending and customizing the MVC Framework’s request processing pipeline
• Securing your MVC application and deploying it to Windows Server
• Using core ASP.NET platform features in an MVC application
• Integrating with or migrating from older ASP.NET applications
This book assumes that you have a working knowledge of C# (although LINQ
and the new syntaxes are covered briefly) and some web development experience.
If you’ve previously used traditional ASP.NET, also known as WebForms,
that’s better still. Enjoy,

Discover the biggest innovation in Microsoft
web development since ASP.NET 1.0.
ISBN 978-1-4302-1007-8
Steven Sanderson
Pro ASP.NET MVC
Framework
10078fm.qxd 4/8/09 8:40 PM Page i
Pro ASP.NET MVC Framework
Copyright © 2009 by Steven Sanderson
All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means,
electronic or mechanical, including photocopying, recording, or by any information storage or retrieval
system, without the prior written permission of the copyright owner and the publisher.
ISBN-13 (pbk): 978-1-4302-1007-8
ISBN-13 (electronic): 978-1-4302-1008-5
Printed and bound in the United States of America 9 8 7 6 5 4 3 2 1
Trademarked names may appear in this book. Rather than use a trademark symbol with every occurrence

directly or indirectly by the information contained in this work.
The source code for this book is available to readers at .
For Zoe, without whose love, support, and hard work
this project would not have been possible. Thank you!
Contents at a Glance
About the Author
About the Technical Reviewer
Acknowledgments
Introduction
PART 1 ■ ■ ■ Introducing ASP.NET MVC
■CHAPTER 1 What’s the Big Idea?
■CHAPTER 2 Your First ASP.NET MVC Application
■CHAPTER 3 Prerequisites
■CHAPTER 4 SportsStore: A Real Application
■CHAPTER 5 SportsStore: Navigation and Shopping Cart
■CHAPTER 6 SportsStore: Administration and Final Enhancements

Contents
About the Author
About the Technical Reviewer
Acknowledgments
Introduction
PART 1 ■ ■ ■ Introducing ASP.NET MVC
■CHAPTER 1 What’s the Big Idea?
A Brief History of Web Development
Traditional ASP.NET
What’s Wrong with Traditional ASP.NET?
Web Development Today
Web Standards and REST
Agile and Test-Driven Development
Ruby on Rails
Key Benefits of ASP.NET MVC
Model-View-Controller Architecture
Extensibility
Testability
Tight Control over HTML
Powerful New Routing System
Built on the Best Parts of the ASP.NET Platform
.NET 3.5 Language Innovations
ASP.NET MVC Is Open Source
Who Should Use ASP.NET MVC?

Understanding Model-View-Controller Architecture
The Smart UI (Anti-Pattern)
Separating Out the Domain Model
Three-Tier Architecture
Model-View-Controller Architecture
Variations on Model-View-Controller
Domain Modeling
An Example Domain Model
Entities and Value Objects
Ubiquitous Language
Aggregates and Simplification
Keeping Data Access Code in Repositories
Using LINQ to SQL
Building Loosely Coupled Components
Taking a Balanced Approach
Using Inversion of Control
Using an IoC Container

Removing Unnecessary Files
Adding the First Controller
Setting Up the Default Route
Adding the First View
Connecting to a Database
Defining the Database Schema
Setting Up LINQ to SQL
Creating a Real Repository
Setting Up Inversion of Control
Creating a Custom Controller Factory
Using Your IoC Container
Creating Automated Tests
Configuring a Custom URL Schema
Adding a RouteTable Entry
Displaying Page Links
Styling It Up
Defining Page Layout in the Master Page
Adding CSS Rules
Creating a Partial View
Summary
■CHAPTER 5 SportsStore: Navigation and Shopping Cart

ting New Products
Deleting Products
Securing the Administration Features
Setting Up Forms Authentication
Using a Filter to Enforce Authentication
Displaying a Login Prompt
Image Uploads
Preparing the Domain Model and Database
Accepting File Uploads
Displaying Product Images
Summary
PART 2 ■ ■ ■ ASP.NET MVC in Detail
■CHAPTER 7 Overview of ASP.NET MVC Projects
Developing MVC Applications in Visual Studio
The Default MVC Project Structure
Naming Conventions
The Initial Application Skeleton

Understanding the Outbound URL-Matching Algorithm
Generating Hyperlinks with Html.ActionLink<T> and Lambda Expressions
Working with Named Routes
Unit Testing Your Routes
Testing Inbound URL Routing
Testing Outbound URL Generation
Further Customization
Implementing a Custom RouteBase Entry
Implementing a Custom Route Handler
URL Schema Best Practices
Make Your URLs Clean and Human-Friendly
Follow HTTP Conventions
Search Engine Optimization
Summary
■CHAPTER 9 Controllers and Actions
An Overview
Comparisons with ASP.NET WebForms
All Controllers Implement IController
The Controller Base Class

ilters
The [OutputCache] Action Filter
Other Built-In Filter Types
Controllers As Part of the Request Processing Pipeline
Working with DefaultControllerFactory
Creating a Custom Controller Factory
Customizing How Action Methods Are Selected and Invoked
Testing Controllers and Actions
How to Arrange, Act, and Assert
Testing a Choice of View and ViewData
Testing Redirections
More Comments About Testing
Mocking Context Objects
Summary
■CHAPTER 10 Views
How Views Fit into ASP.NET MVC
The WebForms View Engine
View Engines Are Replaceable
WebForms View Engine Basics
Adding Content to a View Template
Five Ways to Add Dynamic Content to a View Template
Using Inline Code
Why Inline Code Is a Good Thing in MVC View Templates

Implementing a Custom View Engine
A View Engine That Renders XML Using XSLT
Using Alternative View Engines
Using the NVelocity View Engine
Using the Brail View Engine
Using the Spark View Engine
Using the NHaml View Engine
Summary
■CHAPTER 11 Data Entry
Model Binding
Model-Binding to Action Method Parameters
Model-Binding to Custom Types
Invoking Model Binding Directly
Model-Binding to Arrays, Collections, and Dictionaries
Creating a Custom Model Binder
Using Model Binding to Receive File Uploads
Validation
Registering Errors in ModelState
View Helpers for Displaying Error Information
How the Framework Maintains State in Input Controls
Performing Validation During Model Binding
Moving Validation Logic into Your Model Layer
About Client-Side (JavaScript) Validation
Wizards and Multistep Forms
Verification

Client/Server Data Transfer with JSON
Fetching XML Data Using jQuery
Animations and Other Graphical Effects
jQuery UI’s Prebuilt User Interface Widgets
Implementing Client-Side Validation with jQuery
Summarizing jQuery
Summary
■CHAPTER 13 Security and Vulnerability
All Input Can Be Forged
Forging HTTP Requests
Cross-Site Scripting and HTML Injection
Example XSS Vulnerability
ASP.NET’s Request Validation Feature
Filtering HTML Using the HTML Agility Pack
Session Hijacking
Defense via Client IP Address Checks
Defense by Setting the HttpOnly Flag on Cookies
Cross-Site Request Forgery
Attack
Defense
Preventing CSRF Using the Anti-Forgery Helpers
SQL Injection
Attack
Defense by Encoding Inputs
Defense Using Parameterized Queries
Defense Using Object-Relational Mapping
Using the MVC Framework Securely

Supporting Virtual Directories
Using ASP.NET’s Configuration Facilities
Controlling Compilation on the Server
Detecting Compiler Errors in Views Before Deployment
Summary
■CHAPTER 15 ASP.NET Platform Features
Windows Authentication
Preventing or Limiting Anonymous Access
Forms Authentication
Setting Up Forms Authentication
Using Cookieless Forms Authentication
Membership, Roles, and Profiles
Setting Up a Membership Provider
Using a Membership Provider with Forms Authentication
Creating a Custom Membership Provider
Setting Up and Using Roles
Setting Up and Using Profiles
URL-Based Authorization
Data Caching
Reading and Writing Cache Data
Using Advanced Cache Features

Summary
■INDEX
About the Author
■STEVEN SANDERSON first learned to program computers by copying
BASIC listings from a Commodore VIC-20 instruction manual. That was
also how he first learned to read.
Steve was born in Sheffield, UK, got his education by studying mathematics
at Cambridge, and now lives in Bristol. He worked for a giant
investment bank, a tiny start-up company, and then a medium-sized ISV
before going independent as a freelance web developer, consultant, and
trainer. Steve enjoys the UK’s .NET community and tries to participate in
user groups and speak at free conferences whenever he has the chance.
Steve loves all forms of technological progress and will buy any gadget if it has flashing LEDs.
About the Technical Reviewer
■ANDY OLSEN is a freelance developer and consultant based in the United Kingdom. Andy has
been working with .NET since the beta 1 days and has coauthored and reviewed several books
for Apress, covering C#, Visual Basic, ASP.NET, and other topics. Andy is a keen football and
rugby fan and enjoys running and skiing (badly). Andy lives by the seaside in Swansea with his
wife, Jayne, and children, Emily and Thomas, who have just discovered the thrills of surfing
and look much cooler than he ever will!
Acknowledgments
Getting this book published was a real team effort. I’ve been greatly impressed by the whole
Apress crew: Sofia did a fantastic job of keeping the whole project on course, patiently replot-

beta release, two release candidates, and now at last in March 2009, the finished 1.0 release.
Some releases were just incremental improvements on their predecessors; others were substantial
shifts in the framework’s mechanics and aesthetics (e.g., the whole notion of model binding,
covered in Chapter 11, didn’t appear until preview 5). At each stage, the ASP.NET MVC
team invited feedback and guided their development efforts according to real-world usage
experiences. Not all Microsoft products are built this way; consequently, ASP.NET MVC 1.0 is
much more mature than the average 1.0 release.
I started work on this book in December 2007, foolishly anticipating a summer 2008 publication
date. With every new preview release, the whole manuscript was updated, reworked,
expanded, polished even more—sometimes even whole chapters became obsolete and simply
had to be discarded. The project became so ingrained into my life that every conversation
with friends, family, or colleagues began by them asking “How’s the book?” shortly followed by,
“Tell me again—what’s the book about?” I hope that this finished manuscript, created in parallel
with ASP.NET MVC itself, gives you not just a clear understanding of what the framework
does today, but also why it was designed this way and how the same principles can improve
the quality of your own code.
Who This Book Is For
This book is for professional software developers who already have a working understanding of
C# and general web development concepts such as HTML and HTTP. Ideally, you’ll have used
traditional ASP.NET (which these days is known as WebForms, to distinguish it from MVC), but
if you’ve used PHP, Rails, or another web development platform, then that’s fine too.
All of the code samples in this book are wr

inally, I will assume that you have a reasonable level of passion for your craft. I hope
you’re not satisfied just to throw together any old code that appears at first to work, but
instead would prefer to hone your skills by learning the design patterns, goals, and principles
underpinning ASP.NET MVC. This book frequently compares your architectural options,
aspiring to help you create the highest-quality, most robust, simple, and maintainable code
possible.
How This Book Is Structured
This book comes in two parts:
• Chapters 1 through 6 are intended to get you up to speed with the big ideas in ASP.NET
MVC and its relationship with modern web application architecture and testing. Four of
these chapters are hands-on tutorials grounding those ideas in real application build-
ing. These six chapters should be read sequentially.
• Chapters 7 through 16 then dig deep into each major technology area in the MVC
Framework, exploring how you can get maximum benefit from almost every framework
feature. The last few chapters describe important ancillary topics such as security,
deployment, and integrating with or migrating from legacy WebForms code. These ten
chapters should make sense whether you read them sequentially or dip in and out as
needed.
Sample Code
You can download completed versions of each of the major tutorial applications in this book,
plus many of the more complex code samples shown in other chapters.

-
tion the book title in your message.
Contacting the Author
You can e-mail me at
m

,
or contact me through my blog at
. I’ll do my best to reply even if sometimes there’s a bit
of a delay before I can do so!
If you’re looking for general ASP.NET MVC support, then instead please use the product’s
online forum, at

