Steven Sanderson

Pro ASP.NET MVCFramework

Pro ASP.NET MVC Framework

Copyright © 2009 by Steven Sanderson

All rights reserved. No part of this work may be reproduced or transmitted in any form or by any means,electronic or mechanical, including photocopying, recording, or by any information storage or retrievalsystem, without the prior written permission of the copyright owner and the publisher.

ISBN-13 (pbk): 978-1-4302-1007-8

ISBN-13 (electronic): 978-1-4302-1008-5

Printed and bound in the United States of America 9 8 7 6 5 4 3 2 1

Trademarked names may appear in this book. Rather than use a trademark symbol with every occurrenceof a trademarked name, we use the names only in an editorial fashion and to the benefit of the trademarkowner, with no intention of infringement of the trademark.

Lead Editor: Ewan BuckinghamTechnical Reviewer: Andy OlsenEditorial Board: Clay Andres, Steve Anglin, Mark Beckner, Ewan Buckingham, Tony Campbell,

Gary Cornell, Jonathan Gennick, Jonathan Hassell, Michelle Lowman, Matthew Moodie, Duncan Parkes,Jeffrey Pepper, Frank Pohlmann, Ben Renow-Clarke, Dominic Shakeshaft, Matt Wade, Tom Welsh

Project Manager: Sofia MarchantCopy Editor: Damon LarsonAssociate Production Director: Kari Brooks-CoponyProduction Editor: Laura EstermanCompositor: Molly SharpProofreader: Lisa HamiltonIndexer: BIM Indexing and Proofreading ServicesArtist: April MilneCover Designer: Kurt KramesManufacturing Director: Tom Debolski

Distributed to the book trade worldwide by Springer-Verlag New York, Inc., 233 Spring Street, 6th Floor,New York, NY 10013. Phone 1-800-SPRINGER, fax 201-348-4505, e-mail orders-ny@springer-sbm.com,or visit http://www.springeronline.com.

For information on translations, please contact Apress directly at 2855 Telegraph Avenue, Suite 600,Berkeley, CA 94705. Phone 510-549-5930, fax 510-549-5939, e-mail info@apress.com, or visithttp://www.apress.com.

Apress and friends of ED books may be purchased in bulk for academic, corporate, or promotional use.eBook versions and licenses are also available for most titles. For more information, reference our SpecialBulk Sales–eBook Licensing web page at http://www.apress.com/info/bulksales.

The information in this book is distributed on an “as is” basis, without warranty. Although every precaution has been taken in the preparation of this work, neither the author(s) nor Apress shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be causeddirectly or indirectly by the information contained in this work.

The source code for this book is available to readers at http://www.apress.com.

For Zoe, without whose love, support, and hard work this project would not have been possible. Thank you!

Contents at a Glance

About the Author. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii

About the Technical Reviewer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix

Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xx

Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi

PART 1 ■ ■ ■ Introducing ASP.NET MVC■CHAPTER 1 What’s the Big Idea? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

■CHAPTER 2 Your First ASP.NET MVC Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

■CHAPTER 3 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

■CHAPTER 4 SportsStore: A Real Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

■CHAPTER 5 SportsStore: Navigation and Shopping Cart . . . . . . . . . . . . . . . . . . . . 121

■CHAPTER 6 SportsStore: Administration and Final Enhancements . . . . . . . . . . 171

PART 2 ■ ■ ■ ASP.NET MVC in Detail■CHAPTER 7 Overview of ASP.NET MVC Projects. . . . . . . . . . . . . . . . . . . . . . . . . . . . 203

■CHAPTER 8 URLs and Routing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

■CHAPTER 9 Controllers and Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259

■CHAPTER 10 Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321

■CHAPTER 11 Data Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369

■CHAPTER 12 Ajax and Client Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419

■CHAPTER 13 Security and Vulnerability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459

■CHAPTER 14 Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477

■CHAPTER 15 ASP.NET Platform Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505

■CHAPTER 16 Combining MVC and WebForms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 555

■INDEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573

v

Contents

About the Author. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xviii

About the Technical Reviewer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xix

Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xx

Introduction. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xxi

PART 1 ■ ■ ■ Introducing ASP.NET MVC

■CHAPTER 1 What’s the Big Idea?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

A Brief History of Web Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Traditional ASP.NET. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

What’s Wrong with Traditional ASP.NET? . . . . . . . . . . . . . . . . . . . . . . . 4

Web Development Today . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Web Standards and REST. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Agile and Test-Driven Development . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Ruby on Rails . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Key Benefits of ASP.NET MVC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Model-View-Controller Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Extensibility. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Testability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Tight Control over HTML. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8

Powerful New Routing System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Built on the Best Parts of the ASP.NET Platform . . . . . . . . . . . . . . . . . 9

.NET 3.5 Language Innovations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

ASP.NET MVC Is Open Source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Who Should Use ASP.NET MVC?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10

Comparisons with ASP.NET WebForms . . . . . . . . . . . . . . . . . . . . . . . . 11

Comparisons with Ruby on Rails. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11

Comparisons with MonoRail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

vii

■CHAPTER 2 Your First ASP.NET MVC Application . . . . . . . . . . . . . . . . . . . . . . 15

Preparing Your Workstation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15

Creating a New ASP.NET MVC Project . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Removing Unnecessary Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

How Does It Work? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19

Rendering Web Pages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Creating and Rendering a View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Adding Dynamic Output . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

A Starter Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

The Story . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Linking Between Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Designing a Data Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Building a Form . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Handling Form Submissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28

Adding Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31

Finishing Off . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35

■CHAPTER 3 Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37

Understanding Model-View-Controller Architecture . . . . . . . . . . . . . . . . . . 37

The Smart UI (Anti-Pattern) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38

Separating Out the Domain Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39

Three-Tier Architecture. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 40

Model-View-Controller Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Variations on Model-View-Controller . . . . . . . . . . . . . . . . . . . . . . . . . . 43

Domain Modeling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

An Example Domain Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44

Entities and Value Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Ubiquitous Language. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45

Aggregates and Simplification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46

Keeping Data Access Code in Repositories. . . . . . . . . . . . . . . . . . . . . 48

Using LINQ to SQL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Building Loosely Coupled Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Taking a Balanced Approach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Using Inversion of Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57

Using an IoC Container . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Getting Started with Automated Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61

Unit Tests and Integration Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

The Red-Green Development Style. . . . . . . . . . . . . . . . . . . . . . . . . . . . 64

■CONTENTSviii

New C# 3 Language Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

The Design Goal: Language Integrated Query . . . . . . . . . . . . . . . . . . 68

Extension Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Lambda Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70

Generic Type Inference. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

Automatic Properties. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71

Object and Collection Initializers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72

Type Inference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Anonymous Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73

Using LINQ to Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76

Lambda Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77

IQueryable<T> and LINQ to SQL. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80

■CHAPTER 4 SportsStore: A Real Application. . . . . . . . . . . . . . . . . . . . . . . . . . . . 81

Getting Started. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

Creating Your Solutions and Projects . . . . . . . . . . . . . . . . . . . . . . . . . . 83

Starting Your Domain Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Creating an Abstract Repository . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Making a Fake Repository . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Displaying a List of Products . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Removing Unnecessary Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Adding the First Controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

Setting Up the Default Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89

Adding the First View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

Connecting to a Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

Defining the Database Schema. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92

Setting Up LINQ to SQL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94

Creating a Real Repository . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95

Setting Up Inversion of Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97

Creating a Custom Controller Factory . . . . . . . . . . . . . . . . . . . . . . . . . 97

Using Your IoC Container . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99

Creating Automated Tests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

Configuring a Custom URL Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106

Adding a RouteTable Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Displaying Page Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Styling It Up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

Defining Page Layout in the Master Page . . . . . . . . . . . . . . . . . . . . . 114

Adding CSS Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Creating a Partial View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

■CONTENTS ix

■CHAPTER 5 SportsStore: Navigation and Shopping Cart. . . . . . . . . . . . . . 121

Adding Navigation Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 121

Filtering the Product List. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

Defining a URL Schema for Categories . . . . . . . . . . . . . . . . . . . . . . . 125

Building a Category Navigation Menu . . . . . . . . . . . . . . . . . . . . . . . . 131

Building the Shopping Cart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

Defining the Cart Entity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141

Adding “Add to Cart” Buttons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

Giving Each Visitor a Separate Shopping Cart . . . . . . . . . . . . . . . . . 146

Creating CartController . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

Displaying the Cart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150

Removing Items from the Cart. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

Displaying a Cart Summary in the Title Bar . . . . . . . . . . . . . . . . . . . 154

Submitting Orders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 156

Enhancing the Domain Model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157

Adding the “Check Out Now” Button . . . . . . . . . . . . . . . . . . . . . . . . . 159

Prompting the Customer for Shipping Details. . . . . . . . . . . . . . . . . . 159

Defining an Order Submitter IoC Component . . . . . . . . . . . . . . . . . . 161

Completing CartController . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161

Implementing the EmailOrderSubmitter. . . . . . . . . . . . . . . . . . . . . . . 167

Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

■CHAPTER 6 SportsStore: Administration and Final Enhancements . . . 171

Adding Catalog Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172

Creating AdminController: A Place for the CRUD Features . . . . . . . 172

Rendering a Grid of Products in the Repository . . . . . . . . . . . . . . . . 175

Building a Product Editor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179

Creating New Products . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186

Deleting Products. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187

Securing the Administration Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188

Setting Up Forms Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189

Using a Filter to Enforce Authentication. . . . . . . . . . . . . . . . . . . . . . . 190

Displaying a Login Prompt . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 191

Image Uploads . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195

Preparing the Domain Model and Database . . . . . . . . . . . . . . . . . . . 195

Accepting File Uploads . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196

Displaying Product Images. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197

Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199

■CONTENTSx

PART 2 ■ ■ ■ ASP.NET MVC in Detail

■CHAPTER 7 Overview of ASP.NET MVC Projects . . . . . . . . . . . . . . . . . . . . . . . 203

Developing MVC Applications in Visual Studio . . . . . . . . . . . . . . . . . . . . . . 203

The Default MVC Project Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . 204

Naming Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

The Initial Application Skeleton . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208

Debugging MVC Applications and Unit Tests . . . . . . . . . . . . . . . . . . 208

Using the Debugger. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211

Stepping into the .NET Framework Source Code . . . . . . . . . . . . . . . 212

Stepping into the ASP.NET MVC Source Code . . . . . . . . . . . . . . . . . 213

The Request Processing Pipeline . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213

Stage 1: IIS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214

Stage 2: Core Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216

Stage 3: Controllers and Actions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216

Stage 4: Action Results and Views . . . . . . . . . . . . . . . . . . . . . . . . . . . 218

Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 219

■CHAPTER 8 URLs and Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221

Putting the Programmer Back in Control. . . . . . . . . . . . . . . . . . . . . . . . . . . 221

Setting Up Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222

Understanding the Routing Mechanism. . . . . . . . . . . . . . . . . . . . . . . 224

Adding a Route Entry. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226

Using Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228

Using Defaults . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229

Using Constraints. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230

Accepting a Variable-Length List of Parameters . . . . . . . . . . . . . . . 233

Matching Files on the Server’s Hard Disk . . . . . . . . . . . . . . . . . . . . . 234

Using IgnoreRoute to Bypass the Routing System . . . . . . . . . . . . . . 235

Generating Outgoing URLs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236

Generating Hyperlinks with Html.ActionLink. . . . . . . . . . . . . . . . . . . 237

Generating Links and URLs from Pure Routing Data . . . . . . . . . . . . 239

Performing Redirections to Generated URLs. . . . . . . . . . . . . . . . . . . 240

Understanding the Outbound URL-Matching Algorithm . . . . . . . . . 241

Generating Hyperlinks with Html.ActionLink<T> and Lambda Expressions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243

Working with Named Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244

■CONTENTS xi

Unit Testing Your Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245

Testing Inbound URL Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 245

Testing Outbound URL Generation . . . . . . . . . . . . . . . . . . . . . . . . . . . 249

Further Customization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 251

Implementing a Custom RouteBase Entry . . . . . . . . . . . . . . . . . . . . . 251

Implementing a Custom Route Handler . . . . . . . . . . . . . . . . . . . . . . . 252

URL Schema Best Practices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253

Make Your URLs Clean and Human-Friendly . . . . . . . . . . . . . . . . . . 254

Follow HTTP Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255

Search Engine Optimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257

Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258

■CHAPTER 9 Controllers and Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259

An Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259

Comparisons with ASP.NET WebForms . . . . . . . . . . . . . . . . . . . . . . . 260

All Controllers Implement IController . . . . . . . . . . . . . . . . . . . . . . . . . 260

The Controller Base Class . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261

Receiving Input . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262

Getting Data from Context Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . 262

Using Action Method Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264

Invoking Model Binding Manually in an Action Method. . . . . . . . . . 265

Producing Output. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 266

Understanding the ActionResult Concept . . . . . . . . . . . . . . . . . . . . . 266

Returning HTML by Rendering a View . . . . . . . . . . . . . . . . . . . . . . . . 269

Performing Redirections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273

Returning Textual Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277

Returning JSON Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279

Returning JavaScript Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279

Returning Files and Binary Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280

Creating a Custom Action Result Type. . . . . . . . . . . . . . . . . . . . . . . . 283

Using Filters to Attach Reusable Behaviors . . . . . . . . . . . . . . . . . . . . . . . . 286

Introducing the Four Basic Types of Filters . . . . . . . . . . . . . . . . . . . . 286

Applying Filters to Controllers and Action Methods . . . . . . . . . . . . . 288

Creating Action Filters and Result Filters. . . . . . . . . . . . . . . . . . . . . . 289

Creating and Using Authorization Filters . . . . . . . . . . . . . . . . . . . . . . 293

Creating and Using Exception Filters . . . . . . . . . . . . . . . . . . . . . . . . . 296

Bubbling Exceptions Through Action and Result Filters . . . . . . . . . 299

The [OutputCache] Action Filter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 300

Other Built-In Filter Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302

■CONTENTSxii

Controllers As Part of the Request Processing Pipeline . . . . . . . . . . . . . . 303

Working with DefaultControllerFactory . . . . . . . . . . . . . . . . . . . . . . . 303

Creating a Custom Controller Factory . . . . . . . . . . . . . . . . . . . . . . . . 305

Customizing How Action Methods Are Selected and Invoked . . . . 306

Testing Controllers and Actions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312

How to Arrange, Act, and Assert . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 313

Testing a Choice of View and ViewData. . . . . . . . . . . . . . . . . . . . . . . 313

Testing Redirections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 315

More Comments About Testing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316

Mocking Context Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 316

Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320

■CHAPTER 10 Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321

How Views Fit into ASP.NET MVC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 321

The WebForms View Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 322

View Engines Are Replaceable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323

WebForms View Engine Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 323

Adding Content to a View Template . . . . . . . . . . . . . . . . . . . . . . . . . . 323

Five Ways to Add Dynamic Content to a View Template. . . . . . . . . 323

Using Inline Code. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 324

Why Inline Code Is a Good Thing in MVC View Templates . . . . . . . 326

Understanding How MVC Views Actually Work . . . . . . . . . . . . . . . . . . . . . 326

Understanding How ASPX Templates Are Compiled . . . . . . . . . . . . 327

Understanding ViewData . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329

Rendering ViewData Items Using ViewData.Eval . . . . . . . . . . . . . . . 330

Using HTML Helper Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 332

The Framework’s Built-In Helper Methods . . . . . . . . . . . . . . . . . . . . 333

Creating Your Own HTML Helper Methods . . . . . . . . . . . . . . . . . . . . 342

Using Partial Views . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344

Creating a Partial View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 344

Rendering a Partial View Using Server Tags . . . . . . . . . . . . . . . . . . . 349

Using Html.RenderAction to Create Reusable Widgets with Application Logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 351

What Html.RenderAction Does . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 352

When It’s Appropriate to Use Html.RenderAction. . . . . . . . . . . . . . . 352

Creating a Widget Based on Html.RenderAction . . . . . . . . . . . . . . . 353

Sharing Page Layouts Using Master Pages . . . . . . . . . . . . . . . . . . . . . . . . 355

Using Widgets in MVC View Master Pages . . . . . . . . . . . . . . . . . . . . 356

Implementing a Custom View Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 358

A View Engine That Renders XML Using XSLT . . . . . . . . . . . . . . . . . 358

■CONTENTS xiii

Using Alternative View Engines. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363

Using the NVelocity View Engine. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363

Using the Brail View Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365

Using the Spark View Engine. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366

Using the NHaml View Engine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 367

Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368

■CHAPTER 11 Data Entry . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369

Model Binding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369

Model-Binding to Action Method Parameters . . . . . . . . . . . . . . . . . . 370

Model-Binding to Custom Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371

Invoking Model Binding Directly . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 374

Model-Binding to Arrays, Collections, and Dictionaries . . . . . . . . . 376

Creating a Custom Model Binder . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378

Using Model Binding to Receive File Uploads . . . . . . . . . . . . . . . . . . 381

Validation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383

Registering Errors in ModelState. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 383

View Helpers for Displaying Error Information . . . . . . . . . . . . . . . . . 386

How the Framework Maintains State in Input Controls. . . . . . . . . . 388

Performing Validation During Model Binding . . . . . . . . . . . . . . . . . . 389

Moving Validation Logic into Your Model Layer . . . . . . . . . . . . . . . . 390

About Client-Side (JavaScript) Validation . . . . . . . . . . . . . . . . . . . . . 395

Wizards and Multistep Forms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 396

Verification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406

Implementing a CAPTCHA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 406

Confirmation Links and Tamper-Proofing with HMAC Codes. . . . . 414

Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418

■CHAPTER 12 Ajax and Client Scripting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 419

Why You Should Use a JavaScript Toolkit . . . . . . . . . . . . . . . . . . . . . . . . . . 419

ASP.NET MVC’s Ajax Helpers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 420

Fetching Page Content Asynchronously Using Ajax.ActionLink . . . 421

Submitting Forms Asynchronously Using Ajax.BeginForm . . . . . . . 427

Invoking JavaScript Commands from an Action Method . . . . . . . . 428

Reviewing ASP.NET MVC’s Ajax Helpers . . . . . . . . . . . . . . . . . . . . . . 430

Using jQuery with ASP.NET MVC. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431

Referencing jQuery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 431

Basic jQuery Theory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 433

Adding Client-Side Interactivity to an MVC View . . . . . . . . . . . . . . . 438

Ajax-Enabling Links and Forms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 442

■CONTENTSxiv

Client/Server Data Transfer with JSON . . . . . . . . . . . . . . . . . . . . . . . 449

Fetching XML Data Using jQuery. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 452

Animations and Other Graphical Effects . . . . . . . . . . . . . . . . . . . . . . 453

jQuery UI’s Prebuilt User Interface Widgets. . . . . . . . . . . . . . . . . . . . 454

Implementing Client-Side Validation with jQuery . . . . . . . . . . . . . . . 456

Summarizing jQuery . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458

Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 458

■CHAPTER 13 Security and Vulnerability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459

All Input Can Be Forged . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459

Forging HTTP Requests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 461

Cross-Site Scripting and HTML Injection. . . . . . . . . . . . . . . . . . . . . . . . . . . 463

Example XSS Vulnerability . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 464

ASP.NET’s Request Validation Feature. . . . . . . . . . . . . . . . . . . . . . . . 465

Filtering HTML Using the HTML Agility Pack. . . . . . . . . . . . . . . . . . . 467

Session Hijacking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 468

Defense via Client IP Address Checks . . . . . . . . . . . . . . . . . . . . . . . . 469

Defense by Setting the HttpOnly Flag on Cookies . . . . . . . . . . . . . . 469

Cross-Site Request Forgery. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 470

Attack. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471

Defense . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 471

Preventing CSRF Using the Anti-Forgery Helpers. . . . . . . . . . . . . . . 472

SQL Injection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 473

Attack. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474

Defense by Encoding Inputs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 474

Defense Using Parameterized Queries. . . . . . . . . . . . . . . . . . . . . . . . 474

Defense Using Object-Relational Mapping . . . . . . . . . . . . . . . . . . . . 475

Using the MVC Framework Securely . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 475

Don’t Expose Action Methods Accidentally . . . . . . . . . . . . . . . . . . . . 475

Don’t Allow Model Binding to Change Sensitive Properties . . . . . . 476

Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 476

■CHAPTER 14 Deployment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477

Server Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 477

Requirements for Shared Hosting . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478

IIS Basics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 478

Understanding Web Sites and Virtual Directories. . . . . . . . . . . . . . . 478

Binding Web Sites to Hostnames, IP Addresses, and Ports . . . . . . 480

How IIS Handles Requests and Invokes ASP.NET . . . . . . . . . . . . . . . 480

■CONTENTS xv

Deploying Your Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 483

Copying Your Application Files to the Server . . . . . . . . . . . . . . . . . . 484

Using Visual Studio 2008’s Publish Feature . . . . . . . . . . . . . . . . . . . 485

Making It Work on Windows Server 2003/IIS 6 . . . . . . . . . . . . . . . . 486

Making It Work on IIS 7. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494

Making Your Application Behave Well in Production. . . . . . . . . . . . . . . . . 497

Supporting Changeable Routing Configurations. . . . . . . . . . . . . . . . 497

Supporting Virtual Directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498

Using ASP.NET’s Configuration Facilities. . . . . . . . . . . . . . . . . . . . . . 498

Controlling Compilation on the Server . . . . . . . . . . . . . . . . . . . . . . . . 502

Detecting Compiler Errors in Views Before Deployment . . . . . . . . . 503

Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 503

■CHAPTER 15 ASP.NET Platform Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 505

Windows Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 506

Preventing or Limiting Anonymous Access . . . . . . . . . . . . . . . . . . . . 508

Forms Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 509

Setting Up Forms Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 510

Using Cookieless Forms Authentication. . . . . . . . . . . . . . . . . . . . . . . 513

Membership, Roles, and Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 514

Setting Up a Membership Provider . . . . . . . . . . . . . . . . . . . . . . . . . . . 516

Using a Membership Provider with Forms Authentication . . . . . . . 520

Creating a Custom Membership Provider . . . . . . . . . . . . . . . . . . . . . 521

Setting Up and Using Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 522

Setting Up and Using Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 525

URL-Based Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 529

Data Caching . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530

Reading and Writing Cache Data . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530

Using Advanced Cache Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 533

Site Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534

Setting Up and Using Site Maps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 535

Creating a Custom Navigation Control with the Site Maps API . . . . . 536

Generating Site Map URLs from Routing Data . . . . . . . . . . . . . . . . . 538

Internationalization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 540

Setting Up Internationalization. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 541

Tips for Working with Resource Files. . . . . . . . . . . . . . . . . . . . . . . . . 544

Using Placeholders in Resource Strings . . . . . . . . . . . . . . . . . . . . . . 545

Performance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546

HTTP Compression . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546

Tracing and Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 548

■CONTENTSxvi

Monitoring Page Generation Times. . . . . . . . . . . . . . . . . . . . . . . . . . . 549

Monitoring LINQ to SQL Database Queries . . . . . . . . . . . . . . . . . . . . 550

Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554

■CHAPTER 16 Combining MVC and WebForms. . . . . . . . . . . . . . . . . . . . . . . . . . . 555

Using WebForms Technologies in an MVC Application. . . . . . . . . . . . . . . 555

Using WebForms Controls in MVC Views. . . . . . . . . . . . . . . . . . . . . . 556

Using WebForms Pages in an MVC Web Application. . . . . . . . . . . . 558

Adding Routing Support for WebForms Pages . . . . . . . . . . . . . . . . . 559

Using ASP.NET MVC in a WebForms Application . . . . . . . . . . . . . . . . . . . . 563

Upgrading an ASP.NET WebForms Application to Support MVC. . . . 564

Getting Visual Studio to Offer MVC Items . . . . . . . . . . . . . . . . . . . . . 568

Interactions Between WebForms Pages and MVC Controllers . . . . 569

Summary. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 571

■INDEX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 573

■CONTENTS xvii

xviii

About the Author

■STEVEN SANDERSON first learned to program computers by copyingBASIC listings from a Commodore VIC-20 instruction manual. That wasalso how he first learned to read.

Steve was born in Sheffield, UK, got his education by studying math-ematics at Cambridge, and now lives in Bristol. He worked for a giantinvestment bank, a tiny start-up company, and then a medium-sized ISVbefore going independent as a freelance web developer, consultant, andtrainer. Steve enjoys the UK’s .NET community and tries to participate in

user groups and speak at free conferences whenever he has the chance.Steve loves all forms of technological progress and will buy any gadget if it has flashing LEDs.

xix

About the Technical Reviewer

■ANDY OLSEN is a freelance developer and consultant based in the United Kingdom. Andy hasbeen working with .NET since the beta 1 days and has coauthored and reviewed several booksfor Apress, covering C#, Visual Basic, ASP.NET, and other topics. Andy is a keen football andrugby fan and enjoys running and skiing (badly). Andy lives by the seaside in Swansea with hiswife, Jayne, and children, Emily and Thomas, who have just discovered the thrills of surfingand look much cooler than he ever will!

xx

Acknowledgments

Getting this book published was a real team effort. I’ve been greatly impressed by the wholeApress crew: Sofia did a fantastic job of keeping the whole project on course, patiently replot-ting the schedule every time it had to change. Damon herded every comma and caption intoits right place, and tactfully removed many of my British expressions that would have baffledmost readers. Laura cheerfully accepted an endless stream of last-minute edits to the beauti-fully typeset PDFs. Ewan advocated the project from the start. My technical reviewer, Andy,had great insight into how much detail was needed in each explanation, and was relentlesslythorough in verifying the correctness of my work. Needless to say, any technical errors in thisbook will be the ones that I secretly inserted after Andy had completed his reviews.

Many readers have already provided feedback on early drafts of this book publishedthrough Apress’s Alpha Program. You all deserve credit, because you’ve helped to improve thequality and consistency of explanations and terminology used throughout.

We all owe thanks to certain Microsoft staff, not just for giving us an excellent new webdevelopment framework, but also for the way they did it. Phil Haack, Scott Guthrie, and theirfrighteningly smart team continually responded to customer feedback during the develop-ment process, bravely putting their work-in-progress on show every two months, no matterwhat criticisms they had to field. They challenged our view of Microsoft by releasing the wholeframework’s source code on http://codeplex.com/, and dramatically supported the opensource community by shipping jQuery as a supported, endorsed add-on.

The final credit goes to Zoe, my wife, who took on the practical burdens of both ourlives so that I could always keep writing. I’m pretty sure she put more work into this projectthan I did.

xxi

Introduction

We’ve waited a long time for this! The first rough early preview release of ASP.NET MVC wasmade public in December 2007, and immediately the software development world was filledwith eager enthusiasm for it. Could this be the most exciting advancement in Microsoft webtechnology since ASP.NET itself was born way back in 2002? Would we, at last, have a webdevelopment framework that encourages and supports high-quality software engineering?

Since then, we’ve had five further community technology preview (CTP) releases, onebeta release, two release candidates, and now at last in March 2009, the finished 1.0 release.Some releases were just incremental improvements on their predecessors; others were sub-stantial shifts in the framework’s mechanics and aesthetics (e.g., the whole notion of modelbinding, covered in Chapter 11, didn’t appear until preview 5). At each stage, the ASP.NET MVCteam invited feedback and guided their development efforts according to real-world usageexperiences. Not all Microsoft products are built this way; consequently, ASP.NET MVC 1.0 ismuch more mature than the average 1.0 release.

I started work on this book in December 2007, foolishly anticipating a summer 2008 pub-lication date. With every new preview release, the whole manuscript was updated, reworked,expanded, polished even more—sometimes even whole chapters became obsolete and simplyhad to be discarded. The project became so ingrained into my life that every conversationwith friends, family, or colleagues began by them asking “How’s the book?” shortly followed by,“Tell me again—what’s the book about?” I hope that this finished manuscript, created in par-allel with ASP.NET MVC itself, gives you not just a clear understanding of what the frameworkdoes today, but also why it was designed this way and how the same principles can improvethe quality of your own code.

Who This Book Is ForThis book is for professional software developers who already have a working understanding ofC# and general web development concepts such as HTML and HTTP. Ideally, you’ll have usedtraditional ASP.NET (which these days is known as WebForms, to distinguish it from MVC), butif you’ve used PHP, Rails, or another web development platform, then that’s fine too.

All of the code samples in this book are written in C#. That’s not because Visual Basic or any other .NET language is inadequate, but simply because C# is by far the most popularchoice among ASP.NET MVC programmers. Don’t worry if you haven’t used LINQ or .NET 3.5yet—the relevant new C# 3 syntaxes are covered briefly at the end of Chapter 3. However, ifyou’re totally new to C#, you might also like to pick up a copy of Pro C# 2008 and the .NET 3.5Platform, Fourth Edition, by Andrew Troelsen (Apress, 2007).

Finally, I will assume that you have a reasonable level of passion for your craft. I hopeyou’re not satisfied just to throw together any old code that appears at first to work, butinstead would prefer to hone your skills by learning the design patterns, goals, and principles

underpinning ASP.NET MVC. This book frequently compares your architectural options,aspiring to help you create the highest-quality, most robust, simple, and maintainable codepossible.

How This Book Is StructuredThis book comes in two parts:

• Chapters 1 through 6 are intended to get you up to speed with the big ideas in ASP.NETMVC and its relationship with modern web application architecture and testing. Four ofthese chapters are hands-on tutorials grounding those ideas in real application build-ing. These six chapters should be read sequentially.

• Chapters 7 through 16 then dig deep into each major technology area in the MVCFramework, exploring how you can get maximum benefit from almost every frameworkfeature. The last few chapters describe important ancillary topics such as security,deployment, and integrating with or migrating from legacy WebForms code. These tenchapters should make sense whether you read them sequentially or dip in and out asneeded.

Sample CodeYou can download completed versions of each of the major tutorial applications in this book,plus many of the more complex code samples shown in other chapters.

To obtain these files, visit the Apress web site at www.apress.com/, and search for thisbook. You can then download the sample code, which is compressed into a single ZIP file.Code is arranged into separate directories by chapter. Before using the code, refer to theaccompanying readme.txt file for information about other prerequisites and considerations.

ErrataThe author, the technical reviewer, and numerous Apress staff have made every effort todetect and eliminate all errors from this book’s text and code. However, I’m sure there will stillbe one or two glitches in here somewhere! To keep you informed, there’s an errata sheet on thebook’s page on www.apress.com/. If you find any errors that haven’t already been reported,such as misspellings or faulty code, please let us know by e-mailing support@apress.com.

Customer SupportApress always values hearing from its readers, and wants to know what you think about thisbook—what you liked, what you didn’t like, and what you think could be done better nexttime. You can send your comments by e-mail to feedback@apress.com. Please be sure to men-tion the book title in your message.

xxii ■INTRODUCTION

Contacting the AuthorYou can e-mail me at mvc@stevensanderson.com, or contact me through my blog athttp://blog.stevensanderson.com. I’ll do my best to reply even if sometimes there’s a bit of a delay before I can do so!

If you’re looking for general ASP.NET MVC support, then instead please use the product’sonline forum, at http://forums.asp.net/1146.aspx.

xxiii■INTRODUCTION