When I started to seriously write web apps, both for personal use and for my clients, I came up with three "truths":
It's got to look good and be fast.
It's got to be clean code on the client.
It's got to be clean code on the server.
The user doesn't care what's behind what they see, they want a fast and good looking UI. For that reason, I glommed onto jqWidgets (lovely controls, but there is a minor performance hit because jqWidgets doesn't support minified .js files, mitigated by turning on compression). I also use Bootstrap because it works very nicely for helping me style the UI on mobile devices. And that's it. I also code the client-side almost always as a responsive UI -- auto-update the server on a UI change, and I use HTML5's websockets for auto-syncing the client.
I also care what's on the server side. That means C#, my own web server which can run standalone or under IIS (which is nice for hosting multiple HTTPS sites), using LetsEncrypt for certs and acme.net for cert renewal. It's in C#, I don't use EntityFramework, preferring my own as powerful but much more lightweight implementation relying on just Linq2Sql. Most importantly, everything on the back-end that the client has to talk to (or listen to) is handled by a clean API architecture.
Now, you don't have to go down the whole "re-invent the wheel" process that I went down, and it was a major decision to throw out those client-side frameworks as well as EF, as well as the Microsoft web server stack and selectively roll my own. Not very marketable on my resume, haha. But I get a very clean separation of concerns and what I consider to be very maintainable web apps. And nothing uses Nuget.
So, at the end of the day, I need to know:
We use Angular (4+) as the front end stack and today I'm busy trying to update it to v6... unsuccessfully so far. And then there are all the npm packages to update as well. A bit of dll hell in a way. So I definitely see your case for not using all these fancy frameworks.
I'm working on an enterprise solution built using WebForms, and I'm worried about not being able to keep up with the market requirements since every day a new JS framework comes out and you know, Telerik and ASPX with very little JS is not a very mainstream solution.
The interface and it's connected to many class libraries, each containing its own business logic and data access layer, respectively.
I'm interested in the possibility of separating the class libraries from the interface with a microservice architecture by providing data in JSON through APIs, would you recommend it?
My answer will make me sound like a Microsoft FanBoy but I will go ahead and offer it and attempt to back it up.
Learn ASP.NET Core (.NET Core).
1. Visual Studio Community is (basically and almost entirely) free.
2. The .NET Core includes everything you need to create true Enterprise Apps
a.) VStudio dev environment - wraps up build, minifying JS,
b.) There's an entire plan for developing web apps but it is still open.
c.) You can build ReactJS or AngularJS later on top of your ASP.NET MVC site anyways (if you decide to go that way later)
d.) Microsoft wraps up the basics you will most certainly use : C# (for backend), HTML created via generator (Razor), Asynchronous support (AJAX but better), jQuery is there, Bootstrap is there
e.) It is very modular -- only add what you need for your web app (everything is added via Dependency Injection of services)
f.) You get the package management (Nuget) to add custom things you need.
Doesn't matter what you learn: the "employer" will always require at least one more obscure tech skill that you don't have.
Eventually, you will stumble into something you haven't dealt with before and that will require you to learn a completely new skill set in a week (because saying you don't know how to do something is lame).
"(I) am amazed to see myself here rather than there ... now rather than then".
― Blaise Pascal
I ran into the same issues that you experienced with ASP.NET MVC. In 2010 I worked on one of the largest MVC projects in the United States at the time.
Though we accomplished a lot, the project was canceled due to massive management issues between the client's management and my own firm's own management.
However, the decision to use ASP.NET MVC played a major factor in this cancellation due to the fact that there was little way to accommodate large requirement changes to the interface.
As a result, after I left this assignment I gave up working with MVC and stuck with WebForms for the rest of my years in corporate positions and consulting contracts. And now that I am retired and working on my own development projects, I still won't consider relearning MVC for web development.
To begin with, there is nothing new or radical about the MVC paradigm. It was actually designed back in the 1970s.
ASP.NET already had a complete implementation for MVC with the Castle Project's Monorail Environment. It was Open Source and completely free to implement with full documentation but it didn't seem to register with the larger technical community.
When Microsoft introduced their own version of ASP.NET MVC it was a complete mirror image of the Castle Project's implementation. I always wondered if they had made some type of deal with the people at the Castle Project.
In any event, many developers claim that ASP.NET MVC provides better performance and a superior separation of concerns among other positives. However, this is all complete nonsense since the negative aspects of MVC detract so much from its benefits as to neutralize them completely.
If you design a WebForms application properly and use the recommended hardware and application server recommendations that have been developed over the years, ASP.NET WebForms can be blistering fast. And in some benchmarks has equaled or exceeded the capabilities of its MVC sibling. And the bigger the MVC application, the larger the routing requirements, which have always been a large bottleneck for MVC since it has historically relied on Reflection (unless that has been changed in the most recent version upgrade).
The problem with WebForms is the same with most technologies; people make a mess out of their implementations and then blame the environment for the issues. This has been particularly attributed to many developers loading up Code-Behind modules with everything but the kitchen sink when in fact this module was only supposed to act as a dispatcher for other tiers. However, what happened here was that many organizations didn't support actual tiered development and threw everything onto an IIS application server even when the assemblies were supposed to act as separate tiers.
The benefit of having multiple, physical tiers was proven in the 1990s but no one was paying any attention.
ASP.NET MVC then took off because many developers, especially the newer ones to our profession, were under the misguided perception that it would cure the WebForms bloat, much of that being the fault of the developers themselves with quite a bit of help from the hardware people who wouldn't support physical tiers.
To add injury to insult, new paradigms came to the fore (ie: DevOps), which relied on the so called faster developments of MVC under the Agile paradigm. As a result, what you have now is the equivalent of a software version of the US Air Force's F-35 fighter; a development environment that was premised on an existing concept that was never designed for large scale development. In the case of the F-35, the US Marines insisted on the basis of a flawed air-frame design that had already been proven to be unfeasible for multi-role purposes (ie: the Marines Super Harrier, which was designed for immediate ground support and light interceptor work based off of the British Harrier design. This latter design was fought to a standstill by the Argentinian Air Force during the Falklands War in the 1980s.).
I suggest that Microsoft is looking for a compromise between the MVC and WebForms paradigms, considering that a whole new slew of components will have to be designed to take advantage of Blazor. And will this mean an option to return to the use of server-side controls?
And here it comes from Microsoft; a possible return to a very new WebForms...
"Microsoft is also working to implement Razor Components, or server-side Blazor, in version 3.0, which integrates Blazor into ASP.NET Core and allows it to run on the server with .NET Core. This can greatly help the compatibility of web apps, as the same code can run on many of different devices using WebAssembly, without any code changes required. .NET Core 3.0 doesn't have a set release date yet, but it will be available in public preview later this year."
Our large bank recently changed their Android app so you can no longer paste a password.
This is a MAJOR problem if you're using a password manager. I don't type passwords any more.
I contacted them (via their Twitter support) and explained that this is a security fallacy that pasting is dangerous.
Also, you can still paste a password when you login on their web site.
I wanted to mention that to them but was afraid they'd stop it there too.
May Only Prove That The Bank Devs/ Contractors Are Clueless
To me this only exposes the fact that the developers or security contractors or whatever actually have NO CLUE about WHAT SAFE PRACTICES are.
They could even remove copy functionality separately and I would be ok with that. But how could the paste functionality EVER be an exposure? They are just so clueless.
EDIT 09/24/2018 Look what I found from the National Cyber Security Centre: Let them paste passwords - NCSC Site
And it provides additional links as to why pasting should be allowed.
I tweeted this to the bank site.
But accounts aren't broken into by repetitive copy and pasting. One hacker told WIRED that disabling paste on a webpage does not stop him from using automated tools to speedily gain access to users’ accounts.
A large bank will have a dedicated team of security idiots people who will listen to the latest gossip, read what is shoved under their nose and get the developers to implement the policies they think up. If there is nothing to change they will think up something to do, a team has to justify his existence.
You cannot blame the developers for such idiocy, they may even have protested the change.
Never underestimate the power of human stupidity
security idiots people who will listen to the latest gossip, read what is shoved under their nose and get the developers to implement the policies they think up. If there is nothing to change they will think up something to do, a team has to justify his existence.
That's a great explanation and exactly what I thought.
Mycroft Holmes wrote:
You cannot blame the developers for such idiocy,
Very good point and I guess I was really thinking of the security team...not the devs.
Over all it is just craziness. Making things unusable so the security team can feel like they're doing something important.
Trying to keep in front of the bastards attempting to hack the banks must be a nightmare.
Yeah, I can agree with that. But, it seems like they'd focus on creating the smallest exposed footprint and work on that instead of things like the paste feature.
I can't actually imagine the security people explaining how the paste feature could be dangerous.
Security guy: So, yes, we must remove the user's ability to paste into the pwd field because it is extremely dangerous. It's a huge security hole.
Bank's IT Manager: Can you give me 2 examples of how pasting into that field would be dangerous?
Security guy: Well, they could paste special extended characters, maybe?
Bank IT Manager: Shouldn't the back-end handle that?
Security guy: well, they could paste um...errrr...well, pasting is just bad that's all. And why would any legitimate user want to paste? I think only crackers paste.
I swear they actually WANT their customers to have their accounts ripped off.
It really does feel that way in some of these cases, because the logic they use is so bad.
I also know that many only allow your password to be only 16 chars in length (or shorter) even though password length is the one thing that actually strengthens passwords. It's crazy.
If something has a solution... Why do we have to worry about?. If it has no solution... For what reason do we have to worry about?
Help me to understand what I'm saying, and I'll explain it better to you
Rating helpful answers is nice, but saying thanks can be even nicer.
I completely understand your frustration. I also hate websites (mostly banks) that disable pasting on their websites and just for gigs, they'll need me to type certain things like account numbers, BSB code, etc. twice.
I use Don't F*** With Paste extension on Chrome and tell them straight off. I'll copy, paste, cut, do whatever the hell I want on my computer. I will treat any entity that assumes an intellectual high-ground (while knowing next to nothing about security in reality) with great disdain, and will override their "security rules" with extreme prejudice.
I'd have rambled on a bit more if this was the soapbox, but the kid sister is watching so I'll go play merry-go-round instead.
I will treat any entity that assumes an intellectual high-ground (while knowing next to nothing about security in reality) with great disdain, and will override their "security rules" with extreme prejudice.
I think disabling paste in password boxes is a great idea when it comes to securing customers, their data and money. Please tell me what you think of me now (give your best shot!).
BTW, thanks for that extension.