BlogEngine 1.4.5 and IIS7

by agrace 6. September 2008 15:57

Blog Up to now I have been using the old 1.2 version of BlogEngine and would pop in the 1.3 dll manually after deploying to fix a known security hole. I finally decided to upgrade to the latest 1.4.5 version last night. I use the SQL Server provider and usually download the source code version to my machine.

When using VS 2005 and IIS5 locally, it was easy to configure the BlogEngine.Web folder as the virtual directory. My physical path would be /CodersBarn/BlogEngine.Web and I would just point my browser to localhost. Since upgrading to VS 2008 and IIS7, this is a whole new ball game. When using the new IIS7, you will typically end up with the following under your wwwroot folder:

localhost/app1
localhost/app2
localhost/app3, etc.

You will notice that there is an extra node in the path in IIS7. The good news is that we don't have to continually go into IIS and change localhost when switching between projects. The bad news is that this causes problems with apps migrated up from the older IIS. Or am I missing something fundamental here?...

When migrating your ASP.NET 2.0 applications to IIS7, as when one moves up to VS 2008, you may also experience many of your links breaking. This is a separate issue relating to ASP.NET rebasing. If you have a link like this:

<img src="/images/mypic.jpg" alt="My Pic" />

Try changing it to:

<img src="~/images/mypic.jpg" alt="My Pic" runat="server" />

 

The ASP.NET runtime will now correctly resolve it, thanks to the addition of the runat="server". I had a blog posting on this very subject half-prepared and I plan to come back to this subject soon. In the meantime, you can find some information on K.Scott Allen's blog posting under "URL Rebasing in Master Pages"; scroll down the page to find it.

Back to BlogEngine. I have installed the full source code in my wwwroot folder many times in the past without any real hitches. This way, I can go in, tweak some code and re-deploy fairly quickly. I usually follow Al Nyveldt's BlogEngine screencasts and adjust the steps for my particular circumstances. In Al's "Installing BlogEngine.NET 1.4" screencast, he downloads the "Web" (executable) version. Normally, I follow along except that I would download the "Source" version. To make a long story short I had problems configuring the localhost in IIS7 and started getting the "It is an error to use a section registered as allowDefinition='MachineOnly' beyond machine.config" error (typical of virtual directory not correctly created). I also experienced the breaking image links described above although this was probably a side effect. FYI, Al's screencasts are the only real source of guidance out there for working with BlogEngine that I have been able to find. The problem here was with the user!

IIS7 Settings

 

FYI: BlogEngine source download is a solution with a core Web Application project and a Web Site project consisting of the main deployable part. I hate Web Site projects; they should be stamped out!!

In the end, I decided to follow Al's steps to the letter. I reckoned I could always download the source version to another folder later, make any code tweaks needed, and pop the updated core dll into the working bin folder. Even if you already have an older version of the blog engine with your own branding, your initial goal will still be to get the out-of-the-box site working with the standard theme. You can copy in your own theme folder later, after you have everything else working. The trick here is to take it slowly. Once the site is running and you have the new user account set up, you can look to updating the SQL functionality. This will involve running a db script which you can find in the setup folder of the download and running it in SQL Server Management Studio. Then all you have to do is update your Web.Config file and this is outlined in this screencast.

Add User

 

I then started to get the following error message:

Parser Error Message: Could not load the assembly 'App_Web_045byxd7'.

So, I relaxed the permissions on the project folder in @"\Windows\Microsoft.NET\Framework\v2.0.50727\Temporary ASP.NET Files" folder enough to let me delete the temp files. This still didn't fix it. Then I realized that it was picking this up from the original master page in my themes folder which I had copied in:

<%@ master language="C#" autoeventwireup="true" inherits="site, App_Web_045byxd7"%>

 

So, I changed this and saved it back as follows:

<%@ Master Language="C#" AutoEventWireup="true" CodeFile="site.master.cs" Inherits="site" %>

 

Somehow this was lost in the copy and paste process. This finally compiled on the fly and worked locally. I still had to update some of the controls in my side navigation bar. For some reason, I can never get the newer TagCloud control to render correctly with my theme so I just grab a copy of the older one. The newer one lists all the tags on separate lines and it takes up a huge amount of space plus the weighting doesn't work. I see that the disclaimer still insists on rendering every word in caps. The blog roll links are still set to open in the same window and we still can't edit them in admin. Also, the archive page is a total mess when used with my style sheet so I have a pared down version to hand. FYI: my style sheet started out as the Dirtylicious theme; I simply re-worked it to get the look and feel I wanted.

Powered By Logo

 

There definitely needs to be a single document explaining and justifying the architecture step-by-step. Why would you choose to go with a Web Site template for instance? Call me opinionated but you'd have to be pretty retarded to go for that particular option. I know, my bad ;-)

I've said it before: BlogEngine is a great piece of work: but, it's been over-engineered. Both users and developers have to jump through quite a few hoops to get it to work. The bells and whistles should be optional plug-and-play components. Perhaps the distribution model needs to be changed to something that would allow both developers and general users to download different configurations depending on their needs?

Captain's Log: One day later and both the host and myself are pulling out what's left of our hair. I have the blog working correctly on my local but failing every time I tried to deploy it, both normally and with FTP, via VS 2008. In the end, the only way I could deploy it was via FTP using a seperate FTP tool. The saga continues and I am seriously thinking of looking at a more basic and robust blog engine that I can work with. At this time of writing, the blog is really unstable and the referrer's page is crashing with an unhandled exception message: System.IndexOutOfRangeException: Cannot find table 0.

I'd really like to get the full source version working in my wwwroot folder and correctly configured in IIS7. Has anyone out there managed to do this with 1.4.5?

In the meantime, the issue has been reported so if someone has a solution/explanation, I will post it here :-)

kick it on DotNetKicks.com

Tags:

ASP.NET | Blog | IIS




Web Server Attacks From the Washington Post, April 25, 2008:

Quote... Hundreds of thousands of Web sites - including several at the United Nations and in the U.K. government -- have been hacked recently and seeded with code that tries to exploit security flaws in Microsoft Windows to install malicious software on visitors' machines. Unquote...

Apparently there have been an estimated half-million attacks on different Web sites this week alone. There seems to have been a rush to judgement in trying to point the finger of blame at a recent Microsoft Security Advisory (951306). According to Bill Staples, Product Unit Manager for IIS, "Microsoft has investigated these reports and determined that the attacks are not related to the recent Microsoft Security Advisory (951306) or any known security issues related to IIS 6.0, ASP, ASP.Net or Microsoft SQL technologies."

These attacks are not related to said security advisory but are aimed at sites, on any platform, that are open to SQL Injection. What we are really seeing is a growth in SQL Injection over other types of attack. Although around for a long time now, this technique has been gaining in popularity among hackers over the last couple of years, and seems to be more popular now than cross-site scripting or buffer overflow exploits. I would argue that this would not be the case for ASP.NET sites if basic input validation and SQL parameters in combination with stored procedures were employed, as is the recommended practice.

At the very least, even if you are still using ASP and haven't time to convert to stored procedures, check your input data! All input data is evil and when designing your application you should take time to consider where else that input may be coming from, such as query parameters, cookies, etc. Watch this space...

kick it on DotNetKicks.com




Jigsaw I neglected to point out that the code I posted for this previously was created in VS 2005 running on XP Professional. I'm going to update the code here and do a quick walkthrough of the steps necessary to get this working in Visual Studio 2008 running on Vista. You can find the download links at the end of this article.

Although I don't recommend moving projects from one version of VS to another willy-nilly (it takes very little time to get it up and running from scratch), if you are having problems moving a project between VS versions, you might want to check the version number at the top of the solution file; for VS 2005 you would find something like Version 9.00. When moving a VS 2005 project to VS 2008, you might try changing the 9 to a 10.

I plan on following up some more on this Guest Book application and showing how to develop an administrative back end for it. Right now ,the moderator functionality is built in, in that the 'live' field is not set by default. So, if you want your comment to appear, you will have to change this field value to 'true' manually in the database. The Guestbook table design is shown below.

Guestbook Table

The App_Code folder refused to play nice in the VS 2008 Web project, so I renamed the folder "Layers". Other than that, the code is the same. I've only been using Vista for a few weeks so I'll defer judgement until after the full SP1 release. For developers, I would recommend turning off the User Account Control (UAC) to get rid of those demented pop-ups. This is still a version 2.0 application, so be sure to select this option if creating your project from scratch in VS. Sometimes I will build my own project incrementally as I study other people's code that I have downloaded, just as a learning exercise :-)

VS 2008 Solution Explorer

One of the first things you will notice when moving to this environment is the completely new IIS 7 interface. It's 100% different and I'm finding it a joy to work with. In order to get the application running, you will first have to check some IIS 7 settings. ASP.NET is more integrated than ever before with IIS; no more dependency on command line line utilities like aspnet_regiis.exe – so do not run it to install ASP.NET!

IIS 7 Settings

In IIS, select the Application Pools node and set the Managed Pipeline for the DefaultAppPool to “Classic” in the Application Pools view. You will also need to create a virtual directory. You can do this (or pretty much anything else) from within the new IIS console, but I still prefer to perform this task from within the IDE. Right-click on the project node in solution explorer and select properties. On the Web tab of the properties manager, opt to create a virtual directory. Now, right-click on Default Web Site node in IIS 7 and opt to add a virtual directory. Navigate to the Guestbook folder and select it. Also, don't forget to set Default.aspx as the default page in IIS. In your browser, navigate to http://localhost/guestbook to bring up the home page.

VS 2008 Project Settings

If you start getting security errors, try adding appropriate permissions to the folder in question. If you get the following error:

HTTP 401.2 - Unauthorized: Logon failed due to server configuration
Internet Information Services


...in IIS 7, navigate to and highlight the Guestbook node. In the Category view to the right, double-click on the Authentication icon under Security. Right-click the Windows Authentication entry and opt to enable Windows Authentication. (KB 253667)

The database is very simple; one table and two stored procedures. Create the Guestbook database manually in SQL Server Management Studio (SSMS) and run the three scripts in your query window. Set up your permissions as shown below and you should be good to go.

Database Permissions

GuestBook-VS2005.zip (74.70 kb)

Guest_Book_DB.zip (3.13 kb)

kick it on DotNetKicks.com   PHP, ASP, .NET, JSP Resources, Reviews