I presented tonight (10 July 2008) to the Richmond .NET User Group. We had a pretty good turnout, I'm guessing 40 to 45 developers. I gave this same presentation at my office today as a dry run and as a training opportunity within the company. It's so good to see the developer community eager to learn. I've attached my slides and the three demonstrations projects I used in this post. I'll be giving this same presentation to the Charlottesville .NET User Group next Thursday (17 July 2008). The abstract we put on both user group websites follows:

Silverlight is a client-side technology. So it’s not really a part of your SOA strategy, right? You may want to think twice about that. SOAP and WSDL support are coming to the web desktop via Silverlight. And Silverlight has good client support for REST+ JSON/POX and RSS/ATOM-based web services, too. During this discussion, we’ll dive into data serialization, security and cross-domain access policy capabilities inside Silverlight 2 Beta 2. We also talk about the nuances and pitfalls of provisioning your web services for an Internet audience. This presentation will be heavy on coding, demonstration and interactive discussion.

Powerpoint Presentation (289KB)

Twitter solution showing how to invoke a cross-domain RESTful service by way of an in-domain SOAP service bypassing the cross-domain access policy problem. (842KB)

REST solution showing how to create RESTful services in WCF and how to consume RESTful services in Silverlight (307KB)

Silverlight syndication solution showing how to consume cross-domain RSS and Atom feeds using the SyndicationFeed class. (11KB)

This was the first time I gave this talk but the attendees seemed to be very receptive. The concerns about security in Silverlight, especially related to the protection of Intellectual Property (IP) and account access are really on peoples' minds. Based on the thoughtful question I received here and in Roanoke 2 weeks ago, I have decided to dedicate a whole chapter in my new book to Silverlight security principles.

In this talk, I discussed the various methods by which a Silverlight application can access remote web services. We didn't have time to get into RSS/Atom syndication but I'll be sure to cover it in a future talk. We also discussed cross-domain policy, another hot security topic, as it turns out. I showed how to enabled a WCF web service for RESTful delivery and then showed how to consume SOAP-based services from Silverlight. We closed by looking at the use of an in-domain, SOAP-based WCF service to act as a proxy for a cross-domain RESTful service that does not allow cross-domain access by policy. Here are the slides and sample code:

WCFRESTDEMO20080517.zip (18.89 kb) - sample code that shows how to make a WCF service RESTful; a Silverlight control is included that demonstrates how to use it; there is also a Digg.com downloader that demonstrates cross-domain functionality from Silverlight.

Twitter20080517.zip (25.59 kb) - sample code that shows how to consume an in-domain SOAP-based service from Silverlight; that SOAP-based service is really a proxy to a RESTful service at Twitter.com. And since Twitter.com's cross-domain policy doesn't allow access from my domain, this example shows how the server-side WebClient class can be used to circumvent the policy limitation.

Silverlight and WCF - NOVA Code Camp 2008.1.pptx (199.39 kb) - my PowerPoint slides from this discussion.

Accessing web services with SOAP can be just as easy as using REST with all the enterprise-class features you've come to expect from WSDL and SOAP. Who says that the cycle of metadata and proxy generation should be so hard? I gave a talk at the NOVA Code Camp 2008.1 that shows how by using the CodeDOM, and the ServiceModel.MetadataImporter, you can generate proxy code dynamically.

In this talk, I also showed how IronPython can be used to add a dynamic "lower edge" to a C# application to make it much more dynamic feeling. Finally, we finished with a discussion about features that may be added to Visual Studio 10 and the C# 4.0 language sprecification to make SOA achievable for many more developers. It was a lively discussion with lots of great questions. Here are the slides and the demo code:

ProxyGen20080517.zip (20.86 kb) - Sample code that demonstrates the use of IronPython and some custom CodeDOM code to avoid generating proxies for WCF integration via SOAP/WSDL. IronPython 2.0 Beta 1 or newer is required to compile this code.

Simple SOA with SuperSOAP by Kevin Hazzard.pptx (208.46 kb) - my PowerPoint slides from this discussion.

I stumbled on a quote today by Antoine de Saint-Exupéry, the famous aviator and author of The Little Prince which I think describes good software architecture. Here's the quote:

A designer knows he has achieved perfection not when there is
nothing left to add, but when there is nothing left to take away.

Software architecture, in my experience, is about having a passion for obscuring complexity in favor of simplicity. Apple knows this at the macro level, for sure. I wonder if they really know that down to the smallest turtle that they can perceive. I don't think so. But they are further along than most. Juval Löwy often says, "For the beginning software architect, there are many choices. For the master, there are but few." This quote expresses the same sentiment as de Saint-Exupéry's thought. Perfection in the design of anything can only be achieved when the designer is willing to strip the thing to it's essentials. Then the creation becomes a tool that will resonate with the craftsman that uses it.

At the risk of making this look like an IDesign plug, Michele Leroux Bustamante says in her Learning WCF book, "Little SOA enables Big SOA." Great book, by the way. She could not be more on target. It really is turtles all the way down. Elegance in software design at any level begets more elegance. There are few right ways of doing things and when you do them consistently at all levels of your design, you can approach perfection.

Is perfect software really achievable? Perhaps. I know that when I wrote scads of assembly language code decades ago, I achieved absolute perfection for one or two algorithms. But nowadays, I think that many people use SOA as a crutch, a tool for hiding imperfections in their designs. We wouldn't scramble to building façades all the time if this weren't true. WCF helps because it strips away so much of what Juval calls "the plumbing", allowing for a level of abstraction in the delivery of information that was previously difficult to attain. It's an exciting time to be a software architect.

One of the easiest ways to deal with cross-domain issues in Silverlight is to write a WCF service that acts as a proxy for the calls you want to make. For example, in my Twitter control, I want to be able to load XML from the RESTful Twitter service at the following address:

http://twitter.com/statuses/user_timeline/wkh.xml

However, when invoking the RESTful Twitter service from a WebClient in Silverlight, I get the dreaded "Download Failure" error when I call DownloadStringAsync. This is because the Twitter.com site doesn't have an entry in its clientaccesspolicy.xml file for my test domain. And that's never going to happen, right? To solve this problem, consider exposing a WCF service from the site from which the Silverlight control emanated. The WebClient class can be used on the server side without the same cross-domain control being applied by Twitter.com. For the example outlined above, I called my service TwitterProxy. The ITwitterProxy couldn't be simpler:

The service implementation is also quite simple. It uses the WebClient just as I would from Silverlight (if I could):

Expose an SVC file on the server to host the new service. In this example, the URL to invoke the new service is:

http://localhost/WebSite/TwitterProxy.svc

So, to invoke this service from Silverlight, add a proxy to the Silverlight control, using the service address and invoke it like this:

The dreaded "Download failure" error is gone. Nice. of course, the potentially bad side effect of this technique is that all of the Twitter service traffic will be flowing through the server that's hosting the TwitterProxy. Think about that before using this technique.

These are the slides and source code that I used in my Richmond Code Camp 2008.1 presentation called "Look Ma! No Proxy!". This presentation concerns the problems related to proxy generation for traditional web services development. In this presentation, I propose a model for the future where proxies are no longer needed, at least not pre-built proxies as we use today. A bit of dynamic code generation, some C# client code and a bit of IronPython to glue things together. Mmm, mmm, good!

Look Ma No Proxy by Kevin Hazzard.pptx (197.46 kb)

ProxyGen20080426.zip (818.56 kb)

Silverlight is a pure client technology. So, it has nothing to do with your SOA strategy, right? Not so fast. While most Service-Oriented Architectures try to remain agnostic about the clients who will approach the system, you can't be totally ignorant of the constraints that clients might impose. There are many "potential" requirements that architects have to think about. For every requirement that gets written down, there are usually two or three other implied requirements that never get expressed on paper. Architects just make sure that the plumbing of the applications help the developers to handle these cases when they arise. Of course, this is why WCF abstracts the concept of bindings as well as it does. Being able to expose any WCF service through a variety of tuneable, standards-based and proprietary bindings is one way that an architect can remove some rigidity from the system.

Silverlight is interesting because it exposes WCF client classes like ClientBase<T> and ChannelFactory<T> to a class of users who've never drunk from the services well before, so to speak, at least not directly. There is a notable exception from Microsoft in the not-too-distant past. Remember the DHTML Web Service Behavior? This was an HTML Component (HTC) script published by Microsoft just as XML Web Services were beginning to become popular. It used the XMLHttpRequest Object exposed by the browser to allow client-side script to invoke web services using WSDL and SOAP. The HTC would automatically download the WSDL contract for a service and build dynamic objects to expose the service and its operations at runtime. What an incredibly simple and powerful tool that was! It didn't support anything but simple data types for moving information between the browser and the server. But, when you have a XML Data Islands and a JavaScript Base64 codec on the browser, there's not much data that can't be expressed as a string.

I wrote many applications using the DHTML Web Service Behavior before the term AJAX appeared on the scene. Maybe this why when AJAX started to become a movement, I wasn't all that impressed. It seemed like old news to me. I remember how I designed those services. I took great care to make sure they were stateless and load-balancer friendly. I set up security protocols that would detect and prevent malicious activity. I had all sorts of profiling and logging code in there. In short, I treated those services with the same care that a good architect applies to any real web service. However, when the AJAX movement started, a lot of the scrutiny that I would have applied to real web services didn't seem to be in fashion for the many AJAX callbacks flying about. Those AJAX callbacks were somehow second-class citizens from an architectural point of view, not because I wanted them to be so but because many of the developers encapsulating callbacks into their AJAX controls didn't think of them as real service calls. And because it was up to developers, not architects, to drag and drop AJAX controls onto a design surface, the attention just wasn't there to do what was right in all cases. Hence, a lot of poorly-structured AJAX applications were written (and are still being written today).

Today, REST and POX are becoming popular for accessing web services. This is due, in large measure, to the rise in popularity of scripting languages and the somewhat duanting complexity of WSDL and SOAP. However, Microsoft proved that SOAP 1.1 could be handled via JavaScript as described before. And you can imagine that a company like Microsoft, if it decided to pursue the refinement of its DHTML Web Service Behavior, would have been able to handle the dynamic creation of data contracts via JavaScript, too. The problem wasn't the service contracts, operation contracts, fault contracts and data contracts. The real problems with dynamic, JavaScript proxies are security, reliability and transaction management. Those are the things that differentiate SOAP from all other forms of web service access today.

Back to the premise. With the WCF client classes moving to millions of desktops via the web, there's a shift coming in the SOA world. This creates for the first time what I call the Web Desktop. Being able to extend standards-based security, reliability and transaction management to the Web Desktop means that architects will feel more comfortable moving their SOA strategy up the stack. This is a very good thing. Most serious software developers love and hate the web. The deployment model is great but what's good about it sort of stops right there. HTML and JavaScript are just awful mediums for expression. And what about debugging client-side script? Nothing short of a nightmare, that is. It's no wonder that it's taken this long and hundreds of millions of dollars of research and development across the industry to get decent DHTML/AJAX applications into circulation. Event still, the quality and reliability of those applications across so many browsers and platforms is often sketchy. And the cost to implement such an application and properly test it is out of reach for all but the wealthiest companies.

The coming changes due to WCF support in Silverlight probably won't be cataclysmic but the changes will offer useful new ways of thinking for solution architects and developers who understand how poorly all of us are exposing applications over the web today. To dampen the spin a bit here, I should tell you that the Silverlight 2 Beta 1 is still a bit weak on the WCF front. It has near nil support for metadata exchange and only supports the BasicHttpBinding. But Beta 2 promises many improvements. Stay tuned.

Cross-domain WCF service calls from Silverlight are nice to have. But I don't see them being the norm for most Silverlight controls mainly because most of the time, we'll want to keep the services exposed from the web tier in lock-step with the Silverlight controls that consume them from a deployment standpoint. The simplest way to do that is to treat the WCF calls that come from the browser like any other web page or callback that the browser might consume. This will avoid having to inject a location into the container (page) for the Silverlight control or from having to use an external service locator to find it.

OK, so assuming you have a rule requiring that every service object will be located relative to the pages hosting a Silverlight control, this little bit of Silverlight code will build an EndpointAddress that targets a service called MyService.svc in the same virtual directory:

You'll need to import the System.Windows.Browser namespace to use the HtmlPage class in this way. As you can imagine, the static Document property on the HtmlPage gives you almost full access to the DOM for the containing page. We're just using the DocumentUri property of it to find out where the hosting page emanated from, lopping off the page name and adding the service (page) name. When you're debugging with the Cassini web server which assigns port addresses dynamically, this is a nice way to make sure that you always connect back to the same server instance that served the current page.

Here's my speaking schedule for the next few weeks in case anyone's interested in hearing me speak on these topics:

• March 26, 2008 - Silverlight 101 - Innsbrook .NET User Group
  6:00 to 8:30 p.m. on the ECPI Campus at 4305 Cox Road, Glen Allen, Virginia
• April 26, 2008 - Richmond Code Camp
  8 a.m. to 5 p.m. on the ECPI Campus at 4305 Cox Road, Glen Allen, Virginia
• April 26, 2008 - Richmond "Meet and Code" Dinner
  6 p.m. at the Markel Plaza Building, 4600 Cox Road, Glen Allen, Virginia
• May 1, 2008 - Silverlight and WCF - Roanoke Valley .NET User Group
  6 to 8 p.m. at the NEW Roanoke County Public Safety Building
• May 5, 2008 - Information Technology Career Symposium - Randolph-Macon College
  6 to 8:30 p.m. in Washington-Franklin Hall

In addition, I'll be attending these upcoming meetings but not presenting:

• March 27, 2008 - Richmond Sharepoint User Group
• April 3, 2008 - Richmond .NET User Group
• April 7, 2008 - Delivering Effective Presentations (Richmond Code Camp Preparation)
• April 10, 2008 - Richmond SQL Server User Group