.NET Performance Blog

April 5, 2011

OpenFaq (Part 3): Custom Membership Provider in Entity Framework Code First

Filed under: ASP.NET MVC,BDD,DDD,General,TDD — Eric P @ 4:33 am

Previous posts in OpenFaq series
OpenFaq (Part 1): The beginning
OpenFaq (Part 2): Business Requirements in Code
Source code in Codeplex

Why Custom Membership Provider

When creating new MVC web site – it is automatically configured to use SqlMembershipProvider. Before it can actually be used, the default tables need to be created in DB using spnet_regsql.exe tool here.
That creates a whole bunch of tables, views and stored procs. See link above.

I would like to be pretty consistent in my approach to how the database is accessed (through Entity Framework) and how my tables are named and structured. So I am going to use a flexible Provider model supplied my mine and your friends at Microsoft to implement a custom membership provider that will be driven by Code First Entity Framework.

YAGNI says only to implement things I need and worry about “things I don’t need” when I need them. So at this point in my application I just want to be able to register users, log them in and possibly change their password.

The acceptance tests written in part 2 of this series should still work.

Getting Samples from the Holy Book of MS (MSDN)

I used several examples provided by Microsoft for guidance:
http://msdn.microsoft.com/en-us/library/6tc47t75.aspx – simple example of ODBC Membership provider (C# after VB.NET code)
http://msdn.microsoft.com/en-us/library/aa478948.aspx – toolkit that includes fully featured example of Sql Membership/Role/Profile providers

A couple of interesting discoveries during implementation.

1. Some business logic code that should be re-usable is not provided in base MembershipProvider class

Two major cases of this were:
– Password Validation – like checking that password must be greater then 6 chars
– Password hashing – using Clear/Encrypted/Hashed

Both samples from Microsoft implement their own versions of validation and hashing.
In my case I had to implement my own (mostly by copying the toolkit sample).

I was hoping that provider model would allow to override these scenarios, but provide basic implementation which would be applicable in 90% of the cases.
Unfortunately that’s not the case.

2. Bad coding practices in sample

In Tooklit example there were a couple of things, that would make some developers punch the wall with their head.

The “Code Duplication” is the only major one, but since many developers are looking to microsoft for guidelines on how to write good code, I think MS should really make sure that their code has been properly reviewed and updated whenever there are new .NET features and guidelines. For ex. ODBC Membership provider sample is still using Hungarian notation which MS has been saying not to use for a while now.

Here are some examples of bad coding practices from Toolkit sample:

Code Duplication

Password validation logic is duplicated in CreateUser and ChangePassword

-- In CreateUser

           if( password.Length < MinRequiredPasswordLength )
                status = MembershipCreateStatus.InvalidPassword;
                return null;

            int count = 0;

            for( int i = 0; i < password.Length; i++ )
                if( !char.IsLetterOrDigit( password, i ) )

            if( count < MinRequiredNonAlphanumericCharacters )
                status = MembershipCreateStatus.InvalidPassword;
                return null;

            if( PasswordStrengthRegularExpression.Length > 0 )
                if( !Regex.IsMatch( password, PasswordStrengthRegularExpression ) )
                    status = MembershipCreateStatus.InvalidPassword;
                    return null;

            string salt = GenerateSalt();
            string pass = EncodePassword(password, (int)_PasswordFormat, salt);
            if ( pass.Length > 128 )
                status = MembershipCreateStatus.InvalidPassword;
                return null;

-- In ChangePassword

            if( newPassword.Length < MinRequiredPasswordLength )
                throw new ArgumentException(SR.GetString(

            int count = 0;

            for( int i = 0; i < newPassword.Length; i++ )
                if( !char.IsLetterOrDigit( newPassword, i ) )

            if( count < MinRequiredNonAlphanumericCharacters )
                throw new ArgumentException(SR.GetString(

            if( PasswordStrengthRegularExpression.Length > 0 )
                if( !Regex.IsMatch( newPassword, PasswordStrengthRegularExpression ) )
                    throw new ArgumentException(SR.GetString(SR.Password_does_not_match_regular_expression,

            string pass = EncodePassword(newPassword, (int)passwordFormat, salt);
            if ( pass.Length > 128 )
                throw new ArgumentException(SR.GetString(SR.Membership_password_too_long), "newPassword");

The logic from both functions should be combined into one method like ValidatePassword, which returns enough information to generate proper exception or return error code in calling function.

Using try/catch with no logic in catch

Throughout the toolkit sample there is code like

try {
               //some code
} catch {

If you ever stumble over code like above, I would recommend rewriting it like this and then sending it to original coder for review:

//some code

private void DoNothing()
     //Do nothing

On the bright side, it is not as bad as

try {
               //some code
} catch {
              //do nothing, to make sure that no exceptions are ever visible to user or the poor poor developer who will be maintaining this code

but nothing really is…

functions that have 10 input and 10 out parameters

   private void GetPasswordWithFormat( string       username,
                                            bool         updateLastLoginActivityDate,
                                            out int      status,
                                            out string   password,
                                            out int      passwordFormat,
                                            out string   passwordSalt,
                                            out int      failedPasswordAttemptCount,
                                            out int      failedPasswordAnswerAttemptCount,
                                            out bool     isApproved,
                                            out DateTime lastLoginDate,
                                            out DateTime lastActivityDate)

Uncle Bob just started spontaneously crying…

Not sure when this sample was written, but unless it was written on punch cards, they must have heard about passing in and returning structures, instead of 10+ args.
Also things like single responsibility principle – why does function called GetPasswordWithFormat return lastLoginDate.

Implementing the beast

From business requirements perspective, at this point I would like to support:
Change password

So I implemented the following functions in new CustomMembershipProvider class:

Naming Unit Tests

For each function that I implemented in CustomMembershipProvider I created unit tests first.
I used format
for ex…

Then I found a nicer format:
[MethodName_StateUnderTest_ExpectedBehavior] from:

So the previous example is now:

I also wanted to include “given” conditions (used in BDD), so it would be:

At the end I changed “With” to “When”, so that we would use the same language for both BDD and TDD and I ended up with:
so example would be:

Here are all the unit tests that should demonstrate what is currently implemented, for your viewing pleasure:

		public void CreateUser_GivenDefaultMembershipProviderSettings_WhenValidData_ReturnsUser();

		public void CreateUser_GivenPasswordRequiresMin6Chars_WhenPasswordHasLessThen6Chars_ReturnsNullAndStatusInvalidPassword();

		public void CreateUser_GivenPasswordRequiresMin6Chars_WhenPasswordHasMoreThen6Chars_ReturnsUser();

		public void CreateUser_GivenPasswordRequiresOneNonAphaNumericCharacter_WhenPasswordHasNoNonAlphaNumericCharacters_ReturnsNullAndStatusInvalidPassword();

		public void CreateUser_GivenPasswordRequiresOneAphaNumericCharacter_WhenPasswordHasOneAlphaNumericCharacter_ReturnsUser();

		public void CreateUser_GivenPasswordRequiresMatchRegularExpressions_WhenPassswordNotMatchingRegularExpreation_ReturnsNullAndStatusInvalidPassword();

		public void CreateUser_GivenPasswordRequiresMatchRegularExpressions_WhenPassswordMatchingRegularExpreation_ReturnsNullAndStatusInvalidPassword();

		public void CreateUser_WhenUsernameNotUnique_ReturnsNullAndStatusDuplicateUserName();

		public void CreateUser_GivenPasswordFormatHashed_HashesPassword();

		public void ChangePassword_WhenValidArguements_ChangesPassword();

		public void ValidateUser_WhenUserWithUsernameAndPasswordExists_ReturnsTrue();

		public void ValidateUser_WhenUserWithUsernameAndPasswordDoesNotExist_ReturnsFalse();

Deep Thoughts

In this episode of OpenFaq (The Series), we looked at how to create a simple Custom Membership Provider that uses EF Code First for back-end.
Coding crimes committed by MS where brought to light with appropriate punishment being administered as we speak.
TDD and BDD is still being followed.

For now you can get all the code discussed in this post from here:

Coming up next…

Now that we have the basic framework down, we are gonna implement us some FAQ goodness…

Current project road map is here:


March 28, 2011

OpenFaq (Part 2): Business Requirements in Code

Filed under: .NET,ASP.NET MVC,BDD,General,TDD — Eric P @ 3:38 am

Previous posts in OpenFaq series
OpenFaq (Part1): The beginning

There has been a lot of discussion about self documenting code. You can use good class/method names, proper unit tests and comments to make it clear what the code does.
But how do you specify and enforce what the code is SUPPOSED to do from business perspective, versus what it does? Usually there is a separate Business requirements document with a set of User Acceptance criteria that is used to QA the application. What if you could automate user acceptance criteria tests and run them from beginning (even before writing any code). That’s where BDD comes in.

The Joy of BDD

Brandon Santrom has a nice presentation on using SpecFlow, WatiN with MVC to write acceptance tests:

Video is here:

MSDN article (that covers a bit different scenario) is here:

In the presentations, Brandon Santrom promotes the following way of doing devlelopment:
BDD Approach

The first module I wanted to implement for OpenFaq was UserModule which will handle CRUD for User and related objects and will also implement Custom Membership Provider that will use EF4.
But before doing that, following BDD, I will write some UAC tests to make sure that user can login and register using default Membership Provider that can be used with MVC 3.

Setting up solution

Before writing any tests I am going to setup a new solution/project for OpenFaq.
Following YAGNI, I will only create projects as I need them.

To Start I am going to have 3 projects:

  • OpenFaq.Web – MVC 3 project
  • OpenFaq.Web.Tests – unit tests for controllers
  • OpenFaq.AcceptanceTests – acceptance tests

I also setup NUGet package manager that ScottGu mentioned many times in his blog.
I used it to add references to WatiN, SpecFlow for “OpenFaq.AcceptanceTests” project. I noticed that NUGet was installing packages into “packages” directory under solution directory. Since my project structure is:

\src – solution goes here
\lib – external dependencies go here

So I changed NuGet package directory to put packages into “\lib” using instructions here:

Login & Register – Starting BDD

Before writing any new code I create the following two Features using SpecFlow:

Login Feature

Feature: Login a site user
	In order to use OpenFaq features
	As a site user
	I want to be able to login to the OpenFaq site

Scenario: Login with valid information
	Given I am on the site home page
	When I click the "Log On" link
	And I complete the form with the following information:
		| Field           | Value							|
		| UserName        | openfaquser1					|
		| Password        | password1						|
	And I click the "Log On" button
	Then I should see a link with the text "Log Off" on the page

Scenario: Login with invalid information
	Given I am on the site home page
	When I click the "Log On" link
	And I complete the form with the following information:
		| Field           | Value							|
		| UserName        | unknowuser						|
		| Password        | password1						|
	And I click the "Log On" button
	Then I should see a validation summary "Login was unsuccessful"
	And  I should see a field error "The user name or password provided is incorrect"

Register Feature

Feature: Register a new site user
	In order to ask/answer questions
	As a site user
	I want to be be able to register new account

Scenario: Register with valid information
	Given I am on the site home page
		And I click the "Log On" link
		And I click the "Register" link	
	When I enter a random username
		And I complete the form with the following information:
			| Field				| Value					|
			| Email				| openfaquser@test.com	|
			| Password			| p@bla12				|
			| ConfirmPassword	| p@bla12				|
		And I click the "Register" button
	Then I should see a link with the text "Log Off" on the page

SpecFlow uses language called Gerhkin to describe business requirements. Not quite English and not quite code it is meant to bridge a gap between software developers and business analysts.
When you create SpecFlow feature files above, SpecFlow automatically creates CS files that interpret Gerhkin into C# code. When you run the tests, each step Given, When, Then… expects there to be a function that actually implements this functionality.

So to implement “Scenario: Login with valid information”, here is the file you would provide with Step Definitions:

using Microsoft.VisualStudio.TestTools.UnitTesting;
using OpenFaq.AcceptanceTests.StepHelpers;
using TechTalk.SpecFlow;
using WatiN.Core;

namespace OpenFaq.AcceptanceTests.Steps
	public class Login

		[Given(@"I am on the site home page")]
		public void GivenIAmOnTheSiteHomePage()

		[When("I click the \"(.*)\" link")]
		public void WhenIClickALinkNamed(string linkName)
			var link = WebBrowser.Current.Link(Find.ByText(linkName));

			if (!link.Exists)
				Assert.Fail(string.Format("Could not find '{0}' link on the page", linkName));


		[When(@"I complete the form with the following information:")]
		public void WhenICompleteTheFormWithTheFollowingInformation(Table table)
			foreach (var tableRow in table.Rows)
				var field = WebBrowser.Current.TextField(Find.ByName(tableRow["Field"]));

				if (!field.Exists)
					Assert.Fail(string.Format("Could not find {0} field on the page", field));


		[When("I click the \"(.*)\" button")]
		public void WhenIClickAButtonWithValue(string buttonValue)
			var button = WebBrowser.Current.Button(Find.ByValue(buttonValue));

			if (!button.Exists)
				Assert.Fail(string.Format("Could not find '{0}' button on the page", buttonValue));


		[Then("I should see a link with the text \"(.*)\" on the page")]
		public void ThenIShouldSeeALinkWithTheTextOnThePage(string linkText)
				string.Format("The following link text was not found on the page: {0}", linkText));

You may have noticed that in many cases instead of specifying actual text, I use a regular expression to pass Button value or link text to the function.

[Then("I should see a link with the text \"(.*)\" on the page")]

//instead of

[Then("I should see a link with the text \"Log On\" on the page")]

This will allow me to re-use the steps, in many different scenarios.

MembershipProvider – where art thou

When I ran acceptance tests I received errors having to do with MembershipProvider not being setup. To set it up on my local Sql Server DB I used steps here:

Now all acceptance tests have passed.

Tests Passed

Yes, I do use Resharper 5.1.

Did they live happily ever after?

Not quite yet…

In next part of this series I will replace SqlMembershipProvider with the one that supports EF 4.0 Code First.

For now you can get all the code from here:

Current project road map is here:

March 27, 2011

OpenFaq (Part 1): The beginning

Filed under: .NET,ASP.NET,ASP.NET MVC,DDD,General,TDD — Eric P @ 1:43 pm

It is time to learn some new technologies.

For this task I am going to write FAQ applicaton called OpenFaq.

OpenFaq – The future of FAQ

Whenever we buy any new product there is usually some questions or issues that come up, that may not be covered in manual or by asking the uncle who (supposedly) knows everything. How do I …? Why am I getting this f#$x error? etc…

In some cases you may go to product’s website and try to find an answer there. In about 5 minutes (depending on how quickly you reach the boiling point) you give up and just do a google search.

Why are so many sites so bad in helping you find what you need?

The problem(s) this application will try to solve is:
On many sites FAQ is created early on and not frequently updated. It quickly becomes forgotten.
The questions are grouped according to how website administrator feels like they should be grouped. Not based on frequency of asking.
User interaction is limited to reading an answer

The Solution
Make FAQ dynamic, so admin can edit questions and answers without doing rollout
Get users involved with asking, answering, voting and comments (similar to stack overflow)
Use voting and other statistics to determine which questions are frequent/popular and which are not

Some Business Requirements

Some preliminary requirements for this application are:
* User can login
* User can post question
* User can answer question
* User can comment on question and answer
* User can vote on question and answer
* User can use keyword search to quickly find questions, answers

Maybe a touch of Technology

In this series I will try out some new technologies from MS and use some of the latest methodologies in application development.

For a while now I have been reading about many new technologies and approaches for software development. Here is the list that I plan to use for OpenFaq.


  • BDD – behavior driven development
  • TDD – test driven development


  • YAGNI – you are not going to need it
  • KISS – keep it simple stupid
  • DRY – don’t repeat yourself


For this project I am going to use Microsoft stack.

  • ORM – EF 4 Code First
  • Web Framework – MVC 3
  • Template Engine – Razor
  • Package/Dependecy Manager – NuGet
  • BDD – SpecFlow
  • UI Testing/Acceptance test – WatiN
  • Unit testing – MS Test
  • Version Control – Mercurial
  • Project Site – Codeplex.com

Create a free website or blog at WordPress.com.