Share It

Wednesday, June 25, 2014

UML Part I

UML Intro

UML stands for Unified Modeling Language. UML is a graphical language for visualizing, specifying, constructing & documenting the artifacts of a software system. It is a standard language for designing and documenting a system in an object oriented manner. UML provides blue print for Business process, System functioning, programming language statements, Database schema & reusable components.

UML is used in all phases of software development from Requirement Specification to Acceptance Test and from Designing a solution to Deploying/ Packaging. Modeling has been around for years not only in software field but also in other fields like Civil, Mechanical, etc. we get a model ready & approved before starting the production. Modeling makes complex system to break up into simple and discrete pieces that be individually understood. If we ask ourselves have we been doing/ following modeling, most of us would say NO. But all of us do modeling, the flowchart that we draw is a model for your module isn't it.

Now we should see what are the advantages of modeling:
  1. Readability: Representing the whole architecture in flowcharts, class diagrams, state diagrams, ER diagrams, etc. makes our project more readable. Especially when we have programmer's changing job, handover becomes easier.
  2. Re-usability: Once the system is readable and broken down to pieces, it becomes easier to identify redundant and similar modules. Thus increasing re-usability. We can decide of reusable components to be used across the application.Why shall we adopt UML?
Well different languages have different ways of coding and syntax's. In order to bring all languages under one roof UML comes into picture. As the term comes in UNIFIED, it unifies all different languages in one roof so people who are working on some other platforms can understand that.

There was an interesting question put up “Does UML fit in Agile/Scrum environment?” during a UML session presented by myself & one of my colleague at our office CastleRock, Kolkata.
Well the answer is yes, UML is not a methodology dependent you can apply it to any of the software development process. If we have a blueprint of the whole architecture, whenever we are required to make changes or alter a section/ module we can very easily trace which all sections/ modules would get effected & at the same time you can figure out how much time it might take to finish the job.

You can checkout the list of UML tools at http://www.sereferences.com/uml-tools.php.

In the next post I will cover different UML diagrams.

Section 508 guidelines


Section 508 Guidelines
  • (a) A text equivalent for every non-text element shall be provided (e.g., via "alt", "longdesc", or in element content).
If we properly separate our three layers, we remove most of the situations in which we would have to provide text equivalents. Markup should only include img tags when the image is actually part of the content of the page (i.e. Flickr or Boston.com's The Big Picture).
The lesson: Logos, navigation, buttons and other content elements are not proper uses of img tags. When non-text content is necessary, use title and alt attributes.
  • (b) Equivalent alternatives for any multimedia presentation shall be synchronized with the presentation.
That fancy Java slideshow applet that adds ripple effects to the slides probably isn't necessary. Simplify your life and make basic HTML pages styled with CSS instead.
The lesson: If you do need multimedia capabilities, use technologies that have accessibility options.
  • (c) Web pages shall be designed so that all information conveyed with color is also available without color, for example from context or markup.
Users with colorblindness or screen readers can't tell a red icon from a green icon. If all you have in your HTML is an img tag, you are hiding content from people that are unable to see the page. Be sure to have meaningful text content in your HTML whenever you are conveying information with color.
The lesson: Color is presentation, not content. Convey all information as text in HTML and use styles heets to make it pretty and colorful.
  • (d) Documents shall be organized so they are readable without requiring an associated style sheet.
Remember our three layers of separation?
The lesson: If you have created a page that needs CSS or JavaScript to be readable, you have violated our "HTML is content" principle. Semantic markup without styles creates HTML that is meaningful even if it is boring to look at.
  • (e) Redundant text links shall be provided for each active region of a server-side image map.
Don't use image maps as they are almost always unnecessary. As simple as that.
The lesson: Provide basic text interactions with plain old HTML. If rich interactions are necessary, enable them by using progressive enhancement techniques.
  • (f) Client-side image maps shall be provided instead of server-side image maps except where the regions cannot be defined with an available geometric shape.
The lesson: Plan/ discuss it before implementing.
(g) Row and column headers shall be identified for data tables.
Since we only use tables for the markup of tabular data and not for layout, this requirement can be satisfied by adding th, and optionally thead tags, to the table. Complicated tables can be simplified by being split into multiple tables, or by using multiple levels of headings and using the scope attribute on th tags.
The lesson: All tables should use th instead of td to markup row and column headers.
·         (h) Markup shall be used to associate data cells and header cells for data tables that have two or more logical levels of row or column headers.
As mentioned above, the tables elements have various attributes that allow complex associations between headers and content.
The lesson: Check out the id, headers, axis, and scope tags. Read up on techniques for table accessibility from WCAG.
·         (i) Frames shall be titled with text that facilitates frame identification and navigation.
Frames are generally a bad idea, but when you absolutely must use a frame, be sure to add appropriate title attributes to the frame element. This element allows a user using a screen reader to know what is content contained in the frame.
The lesson: Do not use frames. If you must, add a title attribute to all frames.
·         (j) Pages shall be designed to avoid causing the screen to flicker with a frequency greater than 2 Hz and lower than 55 Hz.
As the site is going to be for people with disabilities should take care.
The lesson: You might be in trouble if you want anything on your page to blink or flicker.
·         (k) A text-only page, with equivalent information or functionality, shall be provided to make a web site comply with the provisions of this part, when compliance cannot be accomplished in any other way. The content of the text-only page shall be updated whenever the primary page changes.
If constructed properly, your site will have no need for text-only pages. When a text-only page is absolutely necessary, use your CMS to display the same content on both the text-only and the rich pages. When the content is updated, it will be applied to both pages.
The lesson: Dynamically generated pages can ensure that the text-only pages are updated when the rest of the site content is. Build your site well and you won't have to worry about this.
·         (l) When pages utilize scripting languages to display content, or to create interface elements, the information provided by the script shall be identified with functional text that can be read by assistive technology.
As we learned in part one of this article, scripting languages (behavior) should never be used in place of content or interface (markup). Properly written, the behavior should complement and extend a functional markup-only application. This development strategy is called progressive enhancement.
The lesson: Do not rely on JavaScript to render markup or content. It is a violation of the separation of content and behavior.
·         (m) When a web page requires that an applet, plug-in or other application be present on the client system to interpret page content, the page must provide a link to a plug-in or applet that complies with §1194.21(a) through (l).
While rich content is nice, it should only come after developing a site with comprehensive access to content through traditional means. A zooming map with color overlays can enhance a users's experience, but the underlying data or analysis should also be available through accessible text-based pages. When rich content is necessary, provide links to plug-ins that have accessibility features built-in and make sure that the content rendered by those plugins takes advantage of the accessibility features.
The lesson: Only use plug-ins that have accessibility features.
·         (n) When electronic forms are designed to be completed on-line, the form shall allow people using assistive technology to access the information, field elements, and functionality required for completion and submission of the form, including all directions and cues.
Accessible and attractive forms can be quite intimidating at first. Fortunately HTML provides you with all the tools necessary to create forms that are easily read with assistive technologies: fieldset, legend, label, and others. Each form element should have a label associated with it. The for attribute of the label contains the id of the form field to which it is related. The label element also provides a convenient styling hook that removes the need to use a table for layout. Each label/element combination can be written as an item (li) within a list.
JavaScript is often used for client-side form validation, but it should only be used as a convenience to the user. The server should always validate forms as well. When there are errors in server-side validation, they should be displayed grouped together at the top of the form. This allows the user to know what the problems were without having to go through each form element. Complex forms should show the errors on individual fieldsets or at the field level.
A List Apart has a fantastic article about how to create accessible, good looking forms.
The lesson: HTML provides all the tools necessary to create accessible forms. Keep them simple and use CSS to do the layout.
·         (o) A method shall be provided that permits users to skip repetitive navigation links.
This is usually accomplished by adding an anchor to the top of the page content that takes the user to an element right past the navigation elements. The link is typically styled using CSS as to make it invisible to users that are not using assistive technologies. Once HTML 5 is widely support, the new nav element will allow users to skip past navigation without having to add a link specifically for that purpose.
The lesson: A simple anchor will get the job done.
·         (p) When a timed response is required, the user shall be alerted and given sufficient time to indicate more time is required.
On the off chance your application requires timed responses (timed sessions?), provide users with a warning that their time is about to expire. Give them the opportunity to extend their time. Mint and many banks do a beautiful job of this by letting you know when your session is about to expire and giving you the opportunity to save it.
The lesson: Never make assumptions about how long it will take your users to complete actions. Be polite and give them the option to extend their time if it is about to expire.

15 Steps for Web Accessibility


 Steps to make your website accessible 
1. Make sure all images, graphs, and other non-text items have a text equivalent.
2.  Provide synchronized captions for all video, as well as captions or a transcript of audio content.
3.  Do not use color as the only way to convey information.
4.  You can use style sheets for layout, but the page must still make sense without them.
5.  When using images as links, for example a drop down menu, make sure each link (as well as the overall image) has alt text describing the destination.  Avoid using server-side image maps.  If you do use server-side image maps, be sure to provide separate identical text links to access the same content.
6.  Label column and row headers in a data table.  Try to avoid using tables for layout purposes, but if you do then do not label headers.
7.  Make sure all cells in the table are associated with the appropriate headers. When the table is set-up correctly, screen readers can navigate through data tables one cell at a time, and they will hear the column and row headers spoken to them.
8.  Be sure to give each frame a title that identifies its purpose.
9.  Avoid any graphics, animations, movies, or other objects which have flickering, or flashing effects.
10.  Use a text-only alternative only as a last resort, and be sure to keep it up to date with other content.
11.  When using scripts, make sure all text within the script is provided as text or alt text and that any interaction can be achieved with a keyboard.
12.  Be sure to include a link to any applet or plug-in required to access content on the same page as the content. For example: Adobe Reader.  The plug-in itself must meet more specific requirements, which can be found in the official requirement.
13.  If a form can be filled out online by a user, all aspects of the form must be made accessible.  This includes labels for each field, as well as ensuring the form can be filled out using a keyboard.
14.  Include a way for the user to immediately skip to the main content of the page.
15.  When a timed response is required, alert the user and give sufficient time for them to indicate that more time is needed.

Safe SQL Literals

Manage the input data from UI  to be safe  for SQL execution has been problem in many sites which has caused lot of damage to different sites called as SQL injection. Hackers are always there looking into your website to find loop holes.

Still people don't take care to handle these small issues which cause financial loss, as well as companies loose their clients. I am laying out a sample code which would help you to handle inputs for SQL injection.

There are different samples available and the below is the one which I see to be most safest.

public string SafeSqlLiteral(string strValue)
    {
        strValue = strValue.Replace("'", "''"); // Most important one! This line alone can prevent most injection attacks
        strValue = strValue.Replace("--", "").Replace("[", "[[]").Replace("%", "[%]").Replace(" OR ", "").Replace(" or ", "");
        strValue = strValue.Replace(" AND ", "").Replace(" and ", "").Replace("\\\r\n", "").Replace("\\\r\n\r\n", "");

        string[] myArray = new string[] { "xp_ ", "update ", "insert ", "select ", "drop ", "alter ", "create ", "rename ", "delete ", "replace " };
        int i = 0;
        int i2 = 0;
        int intLenghtLeft = 0;
        for (i = 0; i < myArray.Length; i++)
        {
            string strWord = myArray[i];
            Regex rx = new Regex(strWord, RegexOptions.Compiled | RegexOptions.IgnoreCase);
            MatchCollection matches = rx.Matches(strValue);
            i2 = 0;
            foreach (Match match in matches)
            {
                GroupCollection groups = match.Groups;
                intLenghtLeft = groups[0].Index + myArray[i].Length + i2;
                strValue = strValue.Substring(0, intLenghtLeft - 1) + "&nbsp;" + strValue.Substring(strValue.Length - (strValue.Length - intLenghtLeft), strValue.Length - intLenghtLeft);
                i2 += 5;
            }
        }
        return strValue;
    }

Encrypting & Decrypting web.config

Encrypting & Decrypting  web.config

We can encrypt each section of the web.config using the encryption provided by aspnet_regiis.exe.


<!-- Encrypt Connection String -->
C:\WebPortal>aspnet_regiis.exe -pef connectionStrings c:\WebPortal-prov "RsaProtectedConfigurationProvider"
Encrypting configuration section...
Succeeded!
Here the -pe switch specifies the configuration section "connectionStrings" to encrypt.

C:\WebPortal>aspnet_regiis.exe -pdf connectionStrings c:\WebPortal
Decrypting configuration section...
Succeeded!
Here the -pef switch specifies the configuration section to encrypt and allows you to supply the physical directory path for your configuration file.




<!-- Encrypt AppSettings -->
C:\WebPortal>aspnet_regiis.exe -pef appSettings c:\WebPortal-prov "RsaProtectedConfigurationProvider"
Encrypting configuration section...
Succeeded!
Here the -prov switch specifies the provider name.

C:\WebPortal>aspnet_regiis.exe -pdf appSettings c:\WebPortal
Decrypting configuration section...
Succeeded!

Session Hijacking Prevention


 Is it possible to steal a cookie and authenticate as an administrator?
Yes it is possible, if the Forms Auth cookie is not encrypted, someone could hack our cookie to give themselves elevated privileges or if SSL is set to not required, copy some other person's cookie.
Encrypting the session value will have zero effect. The session cookie is already an arbitrary value, encrypting it will just generate another arbitrary value that can be sniffed.
 However, there are steps we can take to mitigate these risks:
On the system.web/authentication/forms element:
  1. requireSSL=true. This requires that the cookie only be transmitted over SSL
  2. slidingExpiration=false. When true, an expired ticket can be reactivated.
  3. cookieless=false. Do not use cookieless sessions in an environment where are you trying to enforce security.
  4. enableCrossAppRedirects=false. When false, processing of cookies across apps is not allowed.
  5. protection=all. Encrypts and hashes the Forms Auth cookie using the machine key specified in the machine.config or web.config. This feature would stop someone from hacking their own cookie as this setting tells the system to generate a signature of the cookie and on each authentication request, compare the signature with the passed cookie.
Note: If you so wanted, you could add a small bit of protection by putting some sort of authentication information in Session such as a hash of the user’s username (Never put the username in plain text or their password). This would require the attacker to steal both the Session cookie and the Forms Auth cookie.
Currently in portal cookie expiration is 1 year for users who have checked “Save Your User Name on This Computer” this has to be set to shorter period.

Links referred are below:

Generic Methods

Generic in C# means common to or applicable to an entire class. As most of the developers think Generic is to define type-safe data structures without committing to actual data types, but is it the only reason why Generics are for?The answer is BIG NO.

In this article we will focus on what other important aspect can be achieved in our daily programming by using Generic. We will see how to use Generic and avoid method overloading.
The below program shows the use of method overloading to display content of int, double & char array.
When we run the program output would be following:
using System;
class OverloadedMethods
{
static void Main(string[] args)
{
  // create arrays of int, double and char
  int[] intArray = { 1, 2, 3, 4, 5, 6 };
  double[] doubleArray = { 1.1, 2.2, 3.3, 4.4, 5.5, 6.6, 7.7 };
  char[] charArray = { 'H', 'E', 'L', 'L', 'O' };

  Console.WriteLine("Array intArray contains:");
  DisplayArray(intArray); // pass an int array argument
  Console.WriteLine("Array doubleArray contains:");
  DisplayArray(doubleArray); // pass a double array argument
  Console.WriteLine("Array charArray contains:");
  DisplayArray(charArray); // pass a char array argument
} // end Main
// output int array
static void DisplayArray(int[] inputArray)
{
  foreach (int element in inputArray)
      Console.Write(element + " ");
  Console.WriteLine("\n");
} // end method DisplayArray
// output double array
static void DisplayArray(double[] inputArray)
{
  foreach (double element in inputArray)
      Console.Write(element + " ");
  Console.WriteLine("\n");
} // end method DisplayArray
// output char array
static void DisplayArray(char[] inputArray)
{
  foreach (char element in inputArray)
      Console.Write(element + " ");
  Console.WriteLine("\n");
} // end method DisplayArray
} // end class OverloadedMethods
For Array intArray contains:
1 2 3 4 5 6

For Array doubleArray contains:
21.1, 22.2, 23.3, 24.4, 25.5
For Array charArray contains:
H E L L O
This looks pretty simple, but did you notice we had to write the same logic thrice for int, double and char. What if we had do write similar processing for all the data types, it would have taken hundred's of line.
To overcome this from C# 2.0 Generic methods have been introduced. If we have similar operation to be performed by several overloaded methods we can write a single generic method declaration that can be called at different times with arguments of different types. Based on the types of the arguments passed to the generic method, the compiler handles each method call appropriately. All generic method declarations have a type parameter list delimited by angle brackets (<> in this example) that follows the method's name.
Below we see the same code written using Generic method.
using System;
using System.Collections.Generic;

class MethodGeneric
{
    static void Main(string[] args)
    {
        // create arrays of int, double and char
        int[] intArray = { 1, 2, 3, 4, 5, 6 };
        double[] doubleArray = { 21.1, 22.2, 23.3,24.4, 25.5};
        char[] charArray = { 'H', 'E', 'L', 'L', 'O'};

        Console.WriteLine("Array intArray contains:");
        PrintArray(intArray); // pass an int array argument
        Console.WriteLine("Array doubleArray contains:");
        PrintArray(doubleArray); // pass a double array argument
        Console.WriteLine("Array charArray contains:");
        PrintArray(charArray); // pass a char array argument
    } // end Main

    // output array of all types
    static void PrintArray(E[] inputArray)
    {
        foreach (E element in inputArray)
            Console.Write(element + " ");
        Console.WriteLine("\n");
    } // end method PrintArray
} // end class MethodGeneric
This program has the same output as the previous one, but we reduced the number of lines in the program. A generic method’s body is declared like that of any other method. Just like type declarations, method declarations can be generic i.e., parameterized by one or more type parameters. A type parameter is an identifier that is used in place of actual type names. The type parameters can be used to declare the return type, the parameter types and the local variable types in a generic method declaration. The type parameters act as placeholders for the types of the arguments passed to the generic method.