After toying around with various RSS/RDF feeds over the past few days (I am doing something in that area, but I am not yet ready to say what), my conclusion was that regular expressions are the only way to parse them. It really seems that RSS != XML. Sad.

Radio's rss.xml has unescaped ampersands in the <comments> tag! :-(




Ignore this posting ;) I am just trying to figure out whether this works with Radio. My JavaScript skills are a bit rusty and I am not up to date and what works with which browser...

I really like Google News for what it does, but ...  News is very much about trust. I go to and knowing that they're both "breaking news" outlets and that what they are reporting often needs to be consumed with caution. Other news sites don't break the news as fast, but they are typically more solid in their assessment of what's happening for real and what's only a rumor. Aggregators like Yahoo! carry AP, Reuters and other news-agencies where you really know that these things come hot off the wire and are often even more speculative than what you get at CNN.

If you look, for instance, at the German media landscape, let me focus on TV, there's one TV news-show the "Tagesschau" that's among the highest rates programs (across the board) every night. It's dry news. No flashy intros, no sensational stories, no dog-breeder show reports. Very plain. They could air the show in black & white and read the news in Latin and people would still watch it. One thing you know is: They are very careful in figuring out rumors from facts and they cover the world. They've done so for 40+ years, false reports are extremely rare and trust only builds over time. The same is true for your trusted newspaper and just as much for the news website you visit most.

Now, Google News gives you an aggregated view of some 4000 different news sources and does so with almost to-the-minute accuracy. How do I sort fact from fiction? How do I tell trusted sources from speculative sources? It's difficult. News isn't news.


A picture named SoapExtWiz.JPGIt's a 0.1 version! Don't expect miracles!

Here's the C# wizard for ASP.NET Soap Extensions.

What works: It'll generate a compiling SoapExtension that will exactly do nothing. However, the code should have all the hooks to get started.

What doesn't work: (a) You need to click on "Application Options" once to initialize the settings correctly. (b) I haven't had the time to test all option combinations. (c) Any project name that isn't a single word will likely cause the wizard to create garbage. (d) The namespace from the project settings page isn't picked up. (e) Probably several bugs in the template code.

Purpose: Demonstrates that custom stuff can be plugged into VS.NET. Makes creating full SOAP Extensions a bit easier and helps understanding how they are built.

What to do with it: If you need adjustments, poke around in the wizard's templates\1033 subdir.

How to install: Unpack the archive, read the readme.txt. It's just three steps. Unpack an archive, copy one file, edit one file. Once that's done, start VS.NET and try.

And as always: It may just not work for you. If that's the case, mail me.


Martin Spedding, a good friend and excellent architect, just wrote in a chat on Messenger: "One thing I notice after September 11th a lot of weblogs mentioned the events but no mention of the atrocity in Bali...curious". He's right.


Reflecting on Web Services DevCon East. This conference was easily the best one I attended in a long time -- and I go to a lot of conferences. It's rare that I sit through nearly all talks anywhere, but this was definitely different. If any conference would ever be worth the "summit" moniker, this is it. The coolest aspect of the conference was that with all the Microsoft, IBM and Axis folks, the spirit of interop was in the air -- so much in contrast to the wars the kids in the newsgroups are waging. We may all have our own tastes regarding programming models, languages and runtimes, but we're happily agreeing on most things going on on the wire. 

Brian Jepson has a good review of all talks: Thursday, Friday.

Regarding my talk at DevCon:

I am trying to wrap up the setup for the very last demo, the "ASP.NET Soap Extension" wizard for C# in VS.NET today. Tim Ewald suggested that I make the various options switchable ([X] Extend WSDL, [X] Handle BeforeSerialize, etc.) before code generation and that's what I want to add before releasing it. The wizard will help you jump start writing the type of extensions that I have been developing over the past six months and which I showed in my talk. The Security and Transaction packages come with free source code and the Session and Management extensions come as a free binary package right now.

I was stunned by the way my stuff was received and how most people in the audience hadn't seen those extensibility points in ASMX yet -- or at least not "in action". I would like to encourage everyone who hasn't done so yet to grab the security package and peek into the source code to find out what ASMX can do for you.

Issues with my WS-Security stuff

Having said that, there are a couple of issues with the current state of the security extensions that I am going to fix (and am already fixing) for a future build. These are mostly related to the Kerberos aspects and don't really affect functionality, but are rather related to the WS-Security mapping per se.

  1. WS-Security mandates that the session tickets are packaged as "raw" RFC1510 session tickets. The problem is that neither GSSAPI nor the Kerberos SSP will give you those. So, I am currently sending GSSAPI-interoperable session tickets and have already had some feedback from third parties that this indeed works. What I am going to correct is not my implementation, but I am actually going to add a "Kerberos V5 ST, GSSAPI wrapped" ticket type, since I think that's the proper way to do it right now.
  2. I don't support signatures, because, again, I can't implement that on top of the Kerberos SSP. The WS-Security spec mandates that signatures are created using the Kerberos session key, which isn't exposed by the Kerberos SSP. Instead, the Kerberos SSP provides a signature function that creates a wrapped signature that can't be made compliant with the spec. For this, I am yet again going to make a spec extension to make that work for me.

Like it or not, these standards are all in a 0.x release state and if I can't implement them on the current technology set, I am going to make them work for me. As long as I am using the defined extensibility points as defined in the specification (inventing your own security tokens is just fine) and as long as I don't cause collisions, all is cool. 

In a future build I'll also likely retire my own "user-name authentication" implementation and integrate the whole stuff with the Microsoft WSDK, including an attribute-driven mapping for Microsoft's X.509 authentication.

The other stuff

I showed how to use WMI to monitor you web services' activities for performance, logging and exception monitoring using the management extensions I wrote. Now, this stuff along with the session extensions is explicitly not "open source" and the license for the free download restricts use to evaluation, because ... well .. I am not as much Mother Teresa as it may seem. The current license is sufficient for demo purposes and that's what they were built for. If there is enough interest (enlist here:, and it seems so right now, all of the extensions and a few more that we have brewing will be promoted from "demo status" to "production status", will get a serious review and some real QA, and they'll be available for commercial licensing as part of an "SDK subscription" (with full source), which will also include the Enterprise Services Utilities. As much as I enjoy doing these things and share them with everyone, we need to start covering our development cost in some way. Watch this space for this status going from "maybe" to "we'll do it". 


We have a "Web Services Architectural Guidance" workshop format available as part of our training & education portfolio. The workshop covers architectural considerations and challenges for building both public and intranet based web services. This workshop format has been co-developed with CBDi and Microsoft EMEA and can be customized for decision maker, architect and developer audiences. The architect and developer tracks include in-depth coverage of all the extensibility tips & tricks for ASP.NET-based Web Services (this is what the extension stuff was really built for). The workshop is immediately available for in-house delivery by us anywhere in the world. Based on interest by individuals, we'll also consider setting up central workshops at some locations. (


Sharing a little secret from our calendar: Atlantis .NET Code Week: Nov 11th - Nov. 17th in Radovljica, Slovenia. (interactive map). While all advertising for this event is in Slovenian, the event itself is run in English with newtelligence material by myself and my partner Achim Oellers and open to anyone. The location is conveniently close to the Austrian and Italian borders. It's a week-long bootcamp on "all things .NET". The price is approx. USD/€ 2700 (625.000 SIT) plus applicable tax; registration is handled by Atlantis, seats are very limited.

Roger Sessions writes about WS-Transactions in his ObjectWatch news letter and the article shocks me a bit. First, his "Shootout at the Transaction Corral" has a pretty confusing lead-in story for a story about transactions. It starts with how to get breakfast from two places at the same time and how that is a real life coordinated transaction -- it may be so, but why make a "real life analogy" if that by itself is so far fatched that it's somewhat losing the point.

If you're still reading once you made it through the introduction it getting interesting:

"The complexity would be justified if WS-C showed that it was a useful generic framework that could be specialized for purposes other than WS-T. But no such justification is included, other than the fact that WS-C forms the basis for both AT (atomic transactions) and BA (business activity). "

It takes little to none visionary talent to see that WS-Coordination is about setting up general-purpose service contexts for all sorts of things and not only for transactions. Synchronization services, session and object state and such things can very well be attached to WS-Coordination. As in J2EE and COM+ a transaction is just a property that is associated with a context.

"However, as anybody who is familiar with the software fortress model would know, one would never, never, never allow true atomic transactions to move from one web service to another. To do so is to violate the trust chasm that naturally separates web services. ATs thus have absolutely no place in a web service transaction specification."

That's a pretty short-sighted statement, because that says that a fortress (I personally prefer the cuter term "fiefdom" coined by the guy who actually came up with this model: Pat Helland) is always implemented as a homogeneous system. Not so: A "fortress" is a system which can very well be implemented as a heterogenous assembly of services implemented on different machines, different OSses and different platforms. If that's so, you will need AT to coordinate local, distributed transactions across, for instance, J2EE and .NET. Web Services are about interop, not the internet!

"Problem three with the WS-T specification is that it includes features that are likely to cause database corruption. I am referring to the so-called phase-0 protocol, part of the AT specification. [...] This implies that the server is caching data. "

Phase0 is called that way because it happens before transaction coordination starts. Befort the coordination phase begins, every data sink can do whatever it wants with the data, including holding local caches as long as it has a proper strategy for dealing with concurrency on its local data store. Each store is responsible for doing it's thing for "ACI" at that time. If that's achieved through optimistic locking and in-memory cached keys, etc. that's perfectly legal. Phase0 is triggered so that you can take all of your current transient work and make it part of the transaction before 2PC starts - that's a Good Thing.

"I can tell you what SHOULD happen. IBM, Microsoft, and BEA SHOULD redo their model and make three changes: eliminate the WS-C specification, remove the WS-T dependency on WS-C, and put atomic web service transactions (ATs) where they belong, in the trash. "

I think that Roger Session may not fully understand the interconnections of web services, transactions and real world system complexity here. Even inside the "fortress", interop counts.

Transactions with support for synchronous ACID transactions must, are and will remain to be a core feature of all major enterprise technology stacks - whether the transport is RMI, CORBA, DCOM or anything with an XML payload. Compensation has always been a real-life requirement long before Web services came along. What web services change is that they enable cross-organization integration by lowering development and infrastructure cost; hence, such transaction problems now become mainstream.

Web services standards are about making transport interop happen and about making service and security negotiation work across systems. This is true for both, inside and outside the firewall. Web services don't fundamentally change all of the world as we know it.


Scott Hanselman is a great guy. Subscribed.

Preparing for the Web Services DevCon today.

I just wrote a little C# project wizard for VS.NET that's the giveaway with my talk: "ASP.NET Soap Extension" creates a SOAP extension complete with format extension (WSDL annotation), WSDL importer (client), WSDL reflector (server), project installer (for use with MSI) and a "headers.xsd" to contain the header schema. The resulting projects don't do much (of course) but it a few hundred code lines of work already done and the tricky things like machine.config installation already covered.


Richard Stallman and myself are on the same page. That's very rare and very funny. At least to me. 

HELP!  So, after looking at this for a bit it seems that the content pages are still in the cloud but that my calendar is broken and that there is indeed no local backup of things. Why is that backup option in Radio off by default? It's not that I am posting megabytes of stuff. I want to get the blog back to what it was. Help! 

I restored a backup of my Radio files after rebuilding the machine (needed to be done). I was thinking everything is XML based and that I could simply restore all files.... Doesn't seem to be that way. I don't have the time to look at this closely now, but it is disturbing that apparently most things were lost....