.NET Fireside Chats - Nick Berardi on 'ASP.NET MVC 1.0 Website Programming'

Microsoft recently released the ASP.NET MVC Framework version 1.0. As a result, there are several recent titles which focus on the MVC Framework. One of those titles from Wiley/Wrox is 'ASP.NET MVC 1.0 Website Programming: Problem - Design - Solution' written by Nick Berardi, Al Katawazi and Marco Bellinaso. You can download a sample chapter of the book here.

Nick Berardi was kind enough to make some time to answer some questions about ASP.NET MVC, web development and his book.

DZone - How should developers choose between WebForms and MVC when planning a new ASP.NET application?

Nick Berardi - In Chapter 2 of the book I try to address this exact subject. And I came up with the following basic rules. And if a developer could answer “yes” to any of them they should strongly consider MVC over Web Forms.

• You want more control over the HTML rendering.
• You want more control over the URL.
• You want to do TDD (Test Driven Development).
• You want control over your content for SEO.
• You want to make a RESTful interface.
• You want to support multiple views of the same application through mobile, web, and REST API’s.
• You want to support separation of concerns in your code.

Even if they don’t answer “yes” to any of these statements, MVC still might be right for them in their application. So my best recommendation is to give it a chance and see if it fits naturally with the way they develop software. Like it did for me.

DZone - The .NET community really seems to be embracing MVC. What do you think they are most excited about?

Nick - I can’t really speak for them, but I can only assume their reasons for being excited are similar to mine. We finally get to take back control over the markup and the URL, something that we could only accomplish with herculean efforts of programming in ASP.NET Web Forms.

I have always been sort of a control freak. It always made me unconformable to not have control over the HTML that ASP.NET Web Forms generated. At the time I was willing to sacrifice that control for how productive the framework made me as a developer. About two and a half years ago, when I started a job at Yellow Book on the yellowbook.com team, I became increasingly aware of SEO. This awareness forced me to realize that I needed to have total control over the markup and URL, even if I had to sacrifice productivity because of it.

So for most of 2007 I forced, massaged, and mangled ASP.NET Web Forms in to acceptable HTML markup for modern Web 2.0 websites that I was working on for various clients at the time. I even went as far as to create a URL Rewriter that allowed me to have the level of control over the URL that I required to do my development. To make a long story short I created the URL Rewriter because I needed the advanced level of control that the ISAPI Rewriters provided, but I needed the rewriter to function the same on IIS as the integrated Visual Studio Web Server. So the Managed Fusion URL Rewriter and Reverse Proxy was born and open sourced at http://codeplex.com/urlrewriter. You pretty much get the picture of the level of control I wanted with ASP.NET, but I was still somewhat dissatisfied with the development experience.

So at the end of 2007, I was starting a new joint project with Vovéo Marketing Group called IdeaPipe, and as I was sitting pondering the architecture that I needed to put together I happened across an early post that Scott Guthrie (http://weblogs.asp.net/scottgu/archive/2007/10/14/asp-net-mvc-framework.aspx) did on this new thing called the ASP.NET MVC framework. I was instantly sold, and I haven’t looked back since.

Most people I talk to have a similar story of how they became increasingly dissatisfied with ASP.NET Web Forms, and how they yearned for more control over the markup and URL. They also had a similar reaction to ASP.NET MVC in that it fit like a glove to the way they wanted to develop web applications, even if they really didn’t know it before they used ASP.NET MVC.

DZone - Are there major differences in implementing security in an ASP.NET MVC application?

Nick - Actually security is 100 times easier in ASP.NET MVC, because the security is no longer loosely bound through a web.config file, which could easily be forgotten between your debug and production web.config files. Or implemented on top of the ASP.NET Web Forms with if/else statements that were not consistent across projects because they were implemented in ways that could easily cause bugs in the software.

In ASP.NET MVC the security is compiled in to the web assembly so there is no forgetting about the web.config or having it mis-configured. Also since the actions in the controller are logical blocks of code that you would have normally wrapped in something that looked like this:

if (Roles.HasRole(“Admin”)) {
    // your code<br />}

you can easily control the security of your action or the entire controller by just decorating the action or controller with the Authorize Attribute:

[Authorize(Role = “Admin”)]
public ActionResult AdminFunction (int id) {
    // your code
}

The AuthorizeAttribute by default uses the Roles & Membership Provider that came with ASP.NET 2.0, however the AuthorizeAttribute is based on an interface called IAuthorizationFilter, that you can extend to create your own custom and proprietary authorization schemes that can be easily applied to the action and controller as I demonstrated above.

I personally love this easy decoration approach of to implementing security. Because not only is it easy to look at an action and instantly see if there is some kind of authorization required to execute the method. But also you can easily automate the checking of the controller and actions for correct authorization using FxCop and/or Reflection. So it is very easy to audit your controllers for potential security holes.

DZone - Based on what you have seen in v1, what are your top three wish list items for ASP.NET MVC v2?

Nick - I would like to see the following from the next release of MVC:

1. I would like to see the concept of Area’s implemented, to provide a way of grouping controllers and views in to subsections of related content in a site.
2. Bringing back the strongly typed helpers that were in the initial bits of the MVC framework.

Overall I am thrilled with all the hard work that Phil and his team has put in to the MVC framework, and there is very little I would change at this point in time, besides what I listed above.

DZone - Do you highlight any best practices in the book?

Nick - Yes we touch briefly on many of the best practices for HTML, SEO, design, and structure of a well designed MVC website. But we specifically stayed away from best practices related to the Model. We consciously did this because opinions differ so much, and who are we to say which practices is the best for a given implementation.

DZone - Who should buy your book?

Nick - Any developer who wants to use their .NET skills on an external public facing website in the future.

Web Forms aren’t going to go away, but I personally believe they are going to be relegated to behind the firewall where things like proper URL and HTML construction don’t matter. That being said, even behind the firewall you are going to see ASP.NET MVC. I am currently working with a very large multi-national client creating a proposal system, for internal use, developed using ASP.NET MVC.

So any developer that wants to keep their skills relevant but wants a real world example as a kick start in to the world of ASP.NET MVC, our application TheBeerHouse that we cover in the book, is the perfect start for them.

DZone - Do you have any new book projects on the horizon?

Nick - Not right now. But if the right opportunity came up in the future, I would love to author another book.