Developing ASP.

NET MVC Web Applications (70-486)

This guide is based, in large part, on the skills summary lists located here:

 Microsoft Learning Portal

 Microsoft Born To Learn Training and Certification Community Wiki site

Anything else listed additionally is based on my own observations. Links listed here may be subject to copyright
protection and access to such is up to the discretion of the authors\owners to which they pertain.

####Caveats

1. This exam targets MVC 5.1 and VS2013. A number of aspects of MVC 4 still apply, as well as the general
functionality of MVC on ASP.Net, but be aware of the MVC 5.x distinctions and how VS2013 is expected
to be utilized.
2. Where the guide mentions "Implement", be prepared to know common method and parameter usage
involved with said technology or namespace.
3. There is a good portion of this test involving Azure services and the functionality thereof.

####Additional Resources

 PluralSight "Learning Path" for 70-486

 Being familiar with the SOLID principles of OO programming and design will likely help with the material
covered here
 Failed The Turing Test
 Barbarian Meets Coding - Notes for 70-486 (Outstanding reference)
o Additionally, for HTML/CSS and Javascript/jQuery info, refer to Jaime's 70-480 guide
 Adnan Massod R&D - Study Notes for 70-486

##Design the application architecture (15-20%)

###Plan the application layers

 Plan data access

o Data Access Practices Using Microsoft .Net: A Nerdly Comparison
o Based on the exam ref prep book, you have a choice between using:
 an ORM (Object/Relational Mapper):
a. Entity Framework
b. NHibernate
c. Linq-to-SQL
 Roll your own DAL (using ADO.Net, etc.)
o EFMVC – ASP.NET MVC 4, Entity Framework 5 Code First and Windows Azure (Demo App)
o Understand the difference between Database-First and Code-First design strategies
 Data annotations for code first (validation and database related)
o Understand and implement the Repository Pattern
 plan for separation of concerns
o Wikipedia definition
o Intro the MVC architecture and SoC
 appropriate use of MVC components:
o models,
o views,
o controllers
 choose between client-side and server side processing;
 design for scalability
o via async request handling
o for the Database
###Design a distributed application

 Design a hybrid application (on-premises versus off-premises, including Azure)

o Cloud Hybrid Application Using Service Bus Relay

 app.config example:
 <system.serviceModel>
 ...
 <services>
 <service name="ProductsServer.ProductsService">
 <endpoint
address="sb://yourServiceNamespace.servicebus.windows.net/products"
binding="netTcpRelayBinding" contract="ProductsServer.IProducts"
behaviorConfiguration="products"/>
 </service>
 </services>
 <behaviors>
 <endpointBehaviors>
 <behavior name="products">
 <transportClientEndpointBehavior>
 <tokenProvider>
 <sharedAccessSignature keyName="RootManageSharedAccessKey"
key="yourKey" />
 </tokenProvider>
 </transportClientEndpointBehavior>
 </behavior>
 </endpointBehaviors>
 </behaviors>
 </system.serviceModel>
 App implementation example:
 namespace ProductsWeb.Controllers
 {
 using System.Linq;
 using System.ServiceModel;
 using System.Web.Mvc;
 using Microsoft.ServiceBus;
 using Models;
 using ProductsServer;

 public class HomeController : Controller
 {
 // Declare the channel factory.
 static ChannelFactory<IProductsChannel> channelFactory;

 static HomeController()
 {
 // Create shared access signature token credentials for
authentication.
 channelFactory = new ChannelFactory<IProductsChannel>(new
NetTcpRelayBinding(),
 "sb://yourServiceNamespace.servicebus.windows.net/products");
 channelFactory.Endpoint.Behaviors.Add(new
TransportClientEndpointBehavior {
 TokenProvider =
TokenProvider.CreateSharedAccessSignatureTokenProvider(
 "RootManageSharedAccessKey", "yourKey") });
 }

 public ActionResult Index()
 {
 using (IProductsChannel channel = channelFactory.CreateChannel())
 {
 // Return a view of the products inventory.
 return this.View(from prod in channel.GetProducts()
 select
 new Product { Id = prod.Id, Name =
prod.Name,
  Quantity = prod.Quantity });
 }
 }
 }
 }
 plan for session management in a distributed environment,

 plan web farms

###*Design and implement the Azure role life cycle

 Identify and implement Start, Run, and Stop events

o Startup Lifecycle of Windows Azure Role
 identify startup tasks (IIS configuration [app pool], registry configuration, third-party tools)
o How to configure and run startup tasks for a cloud service

###Configure state management

 Choose a state management mechanism (in-process and out of process state management),
 plan for scalability,
 use cookies or local storage to maintain state,
 apply configuration settings in web.config file,
 implement sessionless state (for example, QueryString)

Resources

 State Management Recommendations

###Design a caching strategy

 Implement page output caching (performance oriented)

o Duration: measured in seconds

o VaryByParam: "none", "*" (=all), "{param name};..."
o Location:
 Any
 Client
 Downstream
 Server
 ServerAndClient
 None
o OutputCaching can also be configured via profile (example):
 app.config
 <caching>
 <outputCacheSettings>
 <outputCacheProfiles>
 <add name="Cache1Hour" duration="3600" varyByParam="none"/>
 </outputCacheProfiles>
 </outputCacheSettings>
 </caching>
 controller
 using System;
 using System.Web.Mvc;

 namespace MvcApplication1.Controllers
 {
 public class ProfileController : Controller
 {
 [OutputCache(CacheProfile="Cache1Hour")]
  public string Index()
 {
 return DateTime.Now.ToString("T");
 }
 }
 }
 implement data caching,

 implement HTTP caching,

 implement Azure caching

###Design and implement a WebSocket strategy

 Read and write string and binary data asynchronously (long-running data transfers),
 choose a connection loss strategy,
 decide a strategy for when to use WebSockets,
 implement SignalR

###Design HTTP modules and handlers

 Implement synchronous and asynchronous modules and handlers,

 choose between modules and handlers in IIS (verbatim from Barbarian Meets Coding)

HTTP handlers allow you to inject logic based on the extension of the file name requested, they are executed
based of file extensions, URLs and HTTP verbs. HTTP modules are event driven and inject logic before a
resource is requested.

Some ways to differentiate when to use which:

 serve requests for specific URL/extensions => Http handler

 applies to all requests based on arbitrary rules => Http module
 need information available prior to calling to MVC code => Http module
 handle specific files differently => Http handler

####HttpHandler vs HttpModule Summary

 HttpHandler processes HTTP endpoints requests whereas,

 HttpModule gives you access to the HTTP pipeline, which allows it to inspect incoming requests and
outgoing responses by subscribing to events.

####Preparation resources

 Entity Framework Development workflows

 DataAdapters and DataReaders
 ASP.NET State Management overview
 Why use the Entity Framework? Yeah, why exactly?

##Design the user experience (20-25%)

###Apply the user interface design for a web application

 Create and apply styles by using CSS,

 structure and lay out the user interface by using HTML
 o Sending form data
 implement dynamic page content based on a design
o Canvas: An HTML5 element that works like an <img> tag, allowing the display of 2d content
dynamically
 Placing fallback context inside the <canvas> tag allows browsers which don't support
canvas to still render the static content. Browsers that do support <canvas> tags will
ingore the internal static content.

###Design and implement UI behavior

 Implement client validation,

 use JavaScript and the DOM to control application behavior,
 extend objects by using prototypal inheritance,
 use AJAX to make partial page updates,
 implement the UI by using JQuery

###Compose the UI layout of an application

 Implement partials for reuse in different areas of the application

o @Html.Partial vs. @Html.RenderPartial
 design and implement pages by using Razor templates (Razor view engine)
o BeginForm
o TextArea
o TextBox
 design layouts to provide visual structure,
 implement master/application pages

###Enhance application behavior and style based on browser feature detection

 Detect browser features and capabilities;

 create a web application that runs across multiple browsers and mobile devices
 enhance application behavior and style by using vendor-specific extensions, for example, CSS
o browser specific prefix (such as -webkit- or -moz- or -ms-)

###*Plan an adaptive UI layout

 Plan for running applications in browsers on multiple devices (screen resolution, CSS, HTML)
o Media queries
 plan for mobile web applications

####Preparation resources

 Build a better mobile browsing experience

 Display modes
 Building Modern Web Apps Jump Start

##Develop the user experience (15-20%)

###Plan for search engine optimization and accessibility

 Use analytical tools to parse HTML,

o Google Webmaster Tools
o Bing Webmaster Tools
o IIS SEO Toolkit
 view and evaluate conceptual structure by using plugs-in for browsers,
  write semantic markup (HTML5 and ARIA) for accessibility (for example, screen readers)
 SEO Ranking Guidelines
o Content is king - quality
o Good domain name
o Dynamic tags for dynamic content
 Use dynamic title and meta tags (description) when content is dynamic/changing
o Quality site structure
o Link analysis and maintenance
 Follow up and maintain good working links through SEO site analysis
o Location and history
 Make sure that redirects are handling properly (301s, not 304s)
 Consistency is rewarded
o Trustworthiness
 Do not copy content to multiple pages\domains
 Avoid keywords in titles
 Make sure titles and meta tags are accurate

###Plan and implement globalization and localization

 Plan a localization strategy

 create and apply resources to UI,
 including JavaScript resources;
 set cultures;
 create satellite resource assemblies

###Design and implement MVC controllers and actions

 Apply authorization attributes, global filters, and authentication filters;

 specify an override filter;
 implement action behaviors;
 implement action results;
 implement model binding

###Design and implement routes

 Define a route to handle a URL pattern,

 apply route constraints,
 ignore URL patterns,
 add custom route parameters,
 define areas
o
 apply routing relative to areas

###Control application behavior by using MVC extensibility points

 Implement MVC filters and controller factories;

 control application behavior by using action results, viewengines, model binders, and route handlers

###Reduce network bandwidth

 Bundle and minify scripts (CSS and JavaScript),

 compress and decompress data (using gzip/deflate; storage),
 plan a content delivery network (CDN) strategy (for example, Azure CDN)

####Preparation resources
  Search Engine Optimization Toolkit
 GlobalizationSection Class
 FormCollection Class

##Troubleshoot and debug web applications (20-25%)

###Prevent and troubleshoot runtime issues

 Troubleshoot performance, security, and errors:

o Performance profiling options (wizard):
 CPU sampling (recommended) - minimal impact to application
 Instrumentation - more invasive to working application
 .NET memory allocation (sampling)
 Resource contention data (concurrency)
 implement tracing, logging (including using attributes for logging), and debugging (including
IntelliTrace);
 enforce conditions by using code contracts;
 enable and configure health monitoring (including Performance Monitor)

###* Design an exception handling strategy

 Handle exceptions across multiple layers

o Try/Catch
o Business case (var == null)
o ControllerClass.OnException() override
o [HandleError] attribute
o Application_Error method in global.asax
 display custom error pages using global.asax or creating your own HTTPHandler or set web.config
attributes,
o HandleErrorAttribute
 *Handle first chance exceptions - registering AppDomain.CurrentDomain.FirstChanceException event in
Application_Start() in global.asax, with output to email or log file

###Test a web application

 Create and run unit tests (for example, use the Assert class),
 create mocks;
 create and run web tests, including using Browser Link;
 debug a web application in multiple browsers and mobile emulators

###* Debug an Azure application

 Collect diagnostic information by using Azure Diagnostics API and appropriately implement on demand
versus scheduled;
 choose log types (for example, event logs, performance counters, and crash dumps);
 debug an Azure application by using IntelliTrace, Remote Desktop Protocol (RDP), and remote
debugging;
 interact directly with remote Azure websites using Server Explorer.

####Preparation resources

 Using shims to isolate your application from other assemblies for unit testing

##Design and implement security (20-25%)

###* Configure authentication

 Authenticate users;

 enforce authentication settings;

 Authentication options - choose between:

o Windows - Best for intra-net sites and websites that have access to AD controllers, built-in to
ASP.Net & IIS
o Forms - Integrates with both identity- and claims-based authentication with built-in support for
standard membership providers
o custom authentication - Allows greater flexibility in user-store access and modification
 manage user session by using cookies

o Cookie storage - Allowing for 2K of data on client or can be stored at the server via Session
management
o Cookie persistence
 When enabled, this allows a client to close browser and return to site, maintaining the
cookie
 When disabled, the cookie expires once the session ends or the client closes the browser
o Cookie reference - Allows the cookie to remain relatively small, as it only holds a reference to the
data location on the server
 configure membership providers
o SimpleMembership
o SimpleRoles
o SqlMembershipProvider
 create custom membership providers

o MembershipProvider vs WebSecurity
 MembershipProvider is an abstract class which can be used to create a custom provider.
 WebSecurity is a wrapper of SimpleMembership which allows easy access to many of the
security methods contained therein.
 DeleteAccount() is not implemented in this helper.
 WebSecurity is not interoperable with MembershipProvider, only with SimpleMembership.
 configure ASP.NET Identity

 WCF Authentication Security

o Two basic mechanisms for WCF security

 Transport:
 Message encrypted at the transport-level, leveraging whichever security
mechanism the transport protocol uses (TCP: TLS; HTTPS: SSL)
 Security is point-to-point and tends to have greater interoperability but any
message forwarded beyond the service is not automatically encrypted.
 Both caller credentials and message are encrypted between access points but are
essentially separate(?)
 Better performance and can benefit from hardware acceleration
 Message:
 Both the message and the caller's credentials are encrypted together using the
WS-Security specification
 Resulting payload is encrypted, even if forwarded, resulting in better overall
security
 Performance suffers:
 this mechanism cannot benefit from hardware acceleration
 the message must be re-encrypted before it can be forwarded to other
services
 the WS-Security specification must be supported through the service
pipeline
o Security Modes
  None. Messages are not secured.
 Transport. Messages are secured using transport security.
 Message. Messages are secured using message security.
 TransportWithMessageCredential. Message protection and authorization occur at the
transport level and credentials are passed with the message.
 TransportCredentialOnly. Credentials are passed at the transport level but the message is
not encrypted. This option is available only if you are using the BasicHttpBinding binding.
 Both. Messages are secured using both transport level and message level security. This is
supported only if you are using Microsoft Message Queue Server.
o Credential Types (Transport)

 Windows. The client uses a Windows token representing the logged in user’s Windows
identity. The service uses the credentials of the process identity or an SSL certificate.
 Basic. The client passes a user name and password to the service. Typically, the user will
enter the user name and password in a login dialog box. The service uses a SSL certificate.
This option is available only with HTTP protocols.
 Certificate. The client uses an X.509 certificate and the service uses either that certificate
or an SSL certificate.
 NTLM. The service validates the client using a challenge/response scheme against
Windows accounts. The service uses a SSL certificate. This option is available only with the
HTTPS protocol.
 None. The service does not validate the client.
o Credential Types (Message)

 Windows. The client uses a Windows token representing the logged in user’s Windows
identity. The service uses the credentials of the process identity or an SSL certificate.
 UserName. The client passes a user name and password to the service. Typically, the user
will enter the user name and password in a login dialog box. The service can validate the
user name and password using a Windows account or the ASP.NET membership provider.
 Certificate. The client uses an X.509 certificate and the service uses either that certificate
or an SSL certificate.
 IssueToken. The client and service use the Secure Token Service, which issues tokens the
client and service trust. Windows CardSpace uses the Secure Token Service.
 None. The service does not validate the client.
o Config example
o <bindings>
o <netTcpBinding>
o <binding name="SecureService_Tcp"
o …
o <security mode="Transport">
o <transport clientCredentialType="Windows"
o protectionLevel="EncryptAndSign" />
o <message clientCredentialType="Windows" />
o </security>
o </binding>
o </netTcpBinding>
o <wsHttpBinding>
o <binding name="SecureService_WsHttp"
o …
o <security mode="Message">
o <transport clientCredentialType="Windows"
o proxyCredentialType="None"
o realm="" />
o <message clientCredentialType="Windows"
o negotiateServiceCredential="true"
o algorithmSuite="Default"
o establishSecurityContext="true" />
o </security>
o </binding>
o </wsHttpBinding>
o </bindings>
  WCF Authorization

o Authorization Options
 Role-based. Access to a service and to operations of the service is based on the user’s
role.
 Identity based. Access is based on claims made within the user’s credentials. This is an
extension to role-based authorization and provides a more fine grained approach. This
approach will typically be used with issue token authentication.
 Resource based. Resources, such as WCF services, are secured using Windows Access
Control Lists (ACLs).
o Role Determination Options
 Windows groups. You can use the built-in Windows groups such as Administrators or
Power Users or create your own Windows groups.
 Custom roles. You can create roles that are specific to your application, such as Manager,
Employee, Administrator, etc.
 ASP.NET role management. You can use the ASP.NET role provider and use roles you
have defined for a Web site.

###*Configure and apply authorization

 Create roles, authorize roles by using configuration,

 authorize roles programmatically
o AuthorizeAttribute
 Decorate controllers and methods, specifying roles that have access
 Roles or Users
 create custom role providers
o Implement with RoleProviderBase
 implement WCF service authorization

###Design and implement claims-based authentication across federated identity stores

 Implement federated authentication by using Azure Access Control Service;

 create a custom security token by using Windows Identity Foundation
o Token definition (in xml)

 contains the claims and signature definitions, as well as certificate information

o Custom Token managed class, derived from SecurityToken

o Custom TokenHandler managed class, derived from SecurityTokenHandler

 Override the CanValidateToken() and ValidateToken() methods for the TokenHandler to

be used and to properly parse the custom Token class, whose signature can then be
validated
o Custom TokenHandler needs to be added to app.config (Example):
o <?xml version="1.0" encoding="utf-8" ?>
o <configuration>
o <configSections>
o <!-- Registers the microsoft.IdentityModel configuration section -->
o <section name="microsoft.identityModel"
type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection,
Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral,
PublicKeyToken=31bf3856ad364e35"/>
o </configSections>
o <microsoft.identityModel>
o <service>
o <securityTokenHandlers>
o <remove type="Microsoft.IdentityModel.Tokens.WindowsUserNameSecurityTokenHandler,
Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral,
PublicKeyToken=31BF3856AD364E35"/>
 o <add
type="SimpleCustomSecurityTokenHandler.CustomUserNamePasswordValidatorSecurityTokenHandler,
SimpleCustomSecurityTokenHandler"/>
o </securityTokenHandlers>
o </service>
o </microsoft.identityModel>
o </configuration>
(Note both the Remove and Add nodes specified, which prevents the default handler from executing before the
custom handler can take action.)

 handle token formats (for example, oAuth, OpenID, Microsoft Account, Google, Twitter, and Facebook)
for SAML and SWT tokens

###Manage data integrity

 Apply encryption to application data,

 apply encryption to the configuration sections of an application
o set in the web.config or utilizes machine.config provider setting instance
o DPAPIProtectedConfigurationProvider:
 Uses the Windows Data Protection API for encryption/decryption
 Appropriate for stand-alone web instances, utilizing the machine key
o RsaProtectedConfigurationProvider:
 Utilizes the RSA encryption algorithm
 Supports exporting\importing of keys, allowing for multiple servers to share
configuration files
o aspnet_regiis with -pe switch
 enables provider encryption on specific sections of web.config
 to decrypt, replace the -pe switch with the -pd switch
 example: aspnet_regiis -pe "ConnectionStrings" -app "/TestApp" -prov
"RsaProtectedConfigurationProvider"
 sign application data to prevent tampering

###Implement a secure site with ASP.NET

 Secure communication by applying SSL certificates;

 salt and hash passwords for storage;
 use HTML encoding to prevent cross-site scripting attacks (ANTI-XSS Library);

o implement deferred validation and handle unvalidated requests, for example, form, querystring,
and URL;
 prevent SQL injection attacks by parameterizing queries;
 prevent cross-site request forgeries (XSRF)

####Preparation resources

 Introduction to ASP.NET Identity

 Chapter 5: Authentication, authorization, and identities in WCF
 Easy Web App Integration with Windows Azure Active Directory, ASP.NET & Visual Studio