I've just run into one of the problems of using the integrated dev server (Cassini) in VS and would like to see if there are any solutions.
We're using asp.net authentication to secure the site. However, Cassini runs in integrated pipeline mode, meaning that requests for all files go through the asp.net isapi. The result of this is that it's securing files that would otherwise not be secured in a production environment (.htm .js .css etc..).
Now I understand that we can run the project on a local IIS instance, but we would like to avoid this if possible. But, because of the problem above, this is looking like the only solution.
Does anybody have any ideas about how to get Cassini working with authentication that can be easily moved to a production environment when ready. (I'd also like to avoid having a different development web.config that specifically allows access to these files).
We're using VS2010 by the way.
Many thanks.
Instead of using Cassini, you can download and install IIS Express:
IIS Express is a lightweight, self-contained version of IIS optimized for developers. IIS Express makes it easy to use the most current version of IIS to develop and test websites. It has all the core capabilities of IIS 7 as well as additional features designed to ease website development
You can wire up to the HttpApplication.PostAuthenticateRequest event in your global.asax or an IHttpModule. PostAuthenticateRequest event on MSDN
In the event handler, check the file extension for the one that you want to be unsecured. If the file extension is a match then give set the HttpContext.User to an IPrincipal instance that has the roles required for accessing a file in the specified directory.
Can anyone please tell me the difference between IIS Server and Development server provided by Visual Studio.
Here is a few links to read up on :-)
Core Differences Between IIS and the ASP.NET Development Server
ASP.NET Development Server or Localhost IIS?
What are the (dis)advantages of using Cassini instead of IIS?
I don't know why your looking into this but you might want to take a look at IIS Express - Introducing IIS Express
There are MANY differences, some of them:
Local access in Cassini
Cassini does not support S
Cassini runs as your account (whoever is logged on), IIS runs as a service which means some things change quite a bit
Does not support authentication methods like Basic, Digest, etc.
Does not run any of the IIS Modules, which means you will not be able to do things like URL Rewrite, Default Documents, Directory Browsing, Custom Errors for static pages, etc
Does not support things like Virtual Directories, etc.
What I would recommend for anyone wanting something as simple as Cassini, yet more compatible is to use IIS Express which supports almost all features from IIS yet with a much simplified model suited for development http://weblogs.asp.net/scottgu/archive/2010/06/28/introducing-iis-express.aspx. Visual Studio will include support for it.
I'm developing a web site in a high-security environment. For example, we use CAC cards to authenticate users over SSL.
The site is a mix of VB.NET and C# on .NET 3.5 with some AJAX. The AJAX parts are now calling web services for things like Cascading Drop Down Lists.
We've been running VS2008 configured on our local PCs to use IIS instead of the default server (Cassini). However, some security policies were rolled out to the desktops over the weekend and, suddenly, we're not allowed to run IIS on our PCs anymore.
I already have some of our IT people trying to appeal for waivers for developers. In the meantime, I need to find a way to keep developing.
If I turn off the SSL requirement to the 'secure' part of the application (locally, my PC only) I can serve up some of the pages (using Cassini) when I hit "F5", but pages with web services just bring up "server application unavailable".
I need to be able to add some more functions into the existing web services, among other things, so the ability to single-step through the code is still a necessity.
I'm sure someone who is limited to using Cassini has found a way to Build/Debug pages in VS2008 when webservices are involved.
Thanks in advance.
EDIT: As it turns out, some links had "HTTPS://" hard-coded in them (I inherited these). Changing the link to "~\folder\page.aspx" allowed Cassini to properly serve things up.
Note that using Cassini is the default for VS2k8, even for Web Services. Try starting a new HelloWorld web service project and confirm if you can debug it.
OK So that worked. Then change the debugging options of your real project back to using Cassini rather than IIS. I wouldn't move the project (although backing it up might not be a bad idea) as you might be able to get IIS working again.
EDIT: So your actual problem wasn't to do with web services, just hard-coded URLs. (We have similar problem where much of the site works where ever the root of the website is, but some places, such as "main menu" links, expect the root to be the root of the webserver.)
You proabbly need to contact your IT department and have them open up something on the network so you can call the services - a port on a firewall, for instance.
We do ASP.NET Development using Visual Studio.
A discussion point we've just had is whether or not our developers should have IIS installed.
With the ASP.NET Development Server you can run your web apps without IIS. Once you're happy with everything you can then deploy it to a test server running IIS and then onto Live.
In my opinion, all developers should also have IIS installed on their own machines as that will eventually be the end platform for the application.
The arguments are basically if the developer should have as close to "live" an environment as possible, or if the developer should only have the tools they require and not be cluttered with other things.
None of this is missions critical and I'm sure everyone will have a differing opinion. I'm just interested to hear some of them!
Robin
I'm going to say unequivocally yes. IIS and Cassini are not the same and not exposing your code to production conditions can cause you problems. Better to get yourself in the habit as early as possible.
(obviously you can replace "IIS" with "Apache" or whatever your webserver tech is)
I would say that you don't need to have IIS installed, but that you should test on IIS at some point.
The Development Web Server has two "issues":
it only works for local requests
ALL requests are passed through ASP.net
Especially the second point can really open ways to shoot you in the foot. "Why can people access SuperSecretPicture.jpg? I have a Handler in my Web.config that blocks that!".
But if you know about those limitations, then I find that the Development Web Server is better to start with since you can first focus on your code and then about your environment, but YMMV.
The bottom line is if your application is served by IIS, you should be testing on IIS. If that means IIS on your local machine or a dev server is up to you.
What harm can it do having it installed? At least if you have it installed you can choose to use it or not. The day you need to debug a webservice call from an externally hosted application you don't want to be messing around installing it.
Depends - are you running server versions of windows for you dev boxes?
Because, e.g. the XP version of IIS is different from 2000/2003 server, so you'll get a different experience. Similarly, if you develop on Vista but plan to deploy on 2003, it won't be a "complete" experience.
We have IIS installed on our local machines at our work for development purposes. We need to test the web applications against IIS, but neither do we want to release it to our live server, or to our test server as that requires a lot of work. Instead, we just host it locally and everytime we modify a file through Visual Studio we can then instantly see the changes without having to go through a file copying process.
I don't think it's a bad thing at all, as long as everything's secure you'll be fine.
Ideally your test server should mirror your production server. That should go without saying. In my opinion, your dev environment should come as close as possible, while fulfilling your needs first (I prefer to keep the dev environment as self-sustaining as possible, in case I am disconnected from the network).
I have no problem using the dev server for development, and IIS (locally or remote, as the case may be) for testing - but it depends on the project requirements too. I prefer to host web services on the local IIS server, for example. YMMV.
We develop on laptops using virtual machines. This way, if the virtual OS crashes (or the host OS, for that matter) you just copy your vpc back over from the network (where we have backups) and you are good to go. also, it makes it WAY easier to run a "standard" development platform wich is as close to production as possible.
For us, we HAVE to have IIS installed, as we are developing Sharepoint '07 webparts.
I've found that on some occasions I can edit the source while debugging. Are there any other advantages of using the Visual Studio built-in webserver instead of a virtual directory in IIS?
I'm using Windows XP on my development environment, and a local instance of IIS 5. I work on several projects, so I use multiple virtual directories to manage all the different sites.
Are there any disadvantages?
The built-in web server for Visual Studio is called Cassini and here are a few of its limitations...
It can host only one ASP.NET
application per port.
It does not support HTTPS.
It does not support authentication.
It responds only to localhost
requests.
It is slow startup compared to IIS
All the previous responses are great answers - here's one gottcha with Cassini that might require IIS on the destkop.
Cassini runs in the context of the developer, not as the IIS user (IUSR_, IWAM, or in WinXP x64, the w3wp process). This can be a bit painful if you've got a web site that is accessing external files or creating temp files. It is most evident when your developer is running as an Admin of their desktop.
When you move to the server IIS, something that you would have had access to in Cassini doesn't work the same. CACLing with the IIS_WPG usually is all it takes to fix, but if your developer is not thinking about this, they will quickly get quite frustrated with their deploy.
Cassini does not support virtual directories.
It looks like a third option is coming soon:
IIS Express.
Another disadvantage I've run into is on a Forms authenticated website using custom IPrincipal/IIdentity. Cassini will switch the AppDomains without warning (or notice).
Check this blog post for more.The headache on this made me drop Cassini and stick with IIS.
The Visual Studio web server is less forgiving about // in the path.
It will refuse to serve a link like
http://localhost:52632/main//images/logo.jpg where IIS will do.
That's pretty obscure, but it means we have a lot of fixing to do to get rid of all the // occurrences.
The built-in server works well for larger corporations that don't want to give developers any administrator access on their own machines to configure IIS.
There's a bug in the way the built-in server handles HTTPModules - there is a workaround, but I hate having to put in code that'll never be needed in production.
You need to have Visual Studio running to use it (under normal circumstances)
It only responds to localhost, so you can't give the link http://simon-laptop:37473/app1 to a friend to view your site over the network
Big disadvantage: it's harder to get fiddler working, because localhost traffic isn't sent through the proxy.
Using http://ipv4.fiddler:37473 is the best way to get Fiddler working with it.
You cant use virtual directories :(
Cassini also does not support ASP Classic pages. This is only an issue for legacy projects where old ASP Classic pages still exist (like our web application at work).
The built-in server means the developer doesn't have to know how to set up IIS to test their site.
You could argue this is a disadvantage, and that a Windows developer should know at least that much IIS. Or you could argue that a developer who isn't a system administrator shouldn't be messing around with the web server at all.
If you 'web reference' the URL for web services that are on the built-in webserver, the port might change. Unless you have set a "Specific port" mentioned in menu Project → Properties options page.
This is something I've gotten used to now. I always set a specific port. Now when sometimes the webserver crashes (I've had that happen), I simply change the port number, and all is well. I reckon restarting will also fix this.
If you do hobby work at home using XP Home, you can't install IIS locally.
When you use IIS in Vista or Windows 7 with UAC enabled, you must run Visual Studio with administrative rights. If you do this, you can't drag an drop from your shell to Visual Studio (even if you run an instance of explorer.exe as administrator).
For this reason I use Cassini for most projects.
FYI, Windows XP 64-bit comes with IIS 6.
This is an old thread started 2 years ago. I just stumbled upon UtilDev Cassini while googling. Looks promising to me. At least it has the ability to run multiple sites simultaneously. That feature is really useful for me, because I work on 2 different sites and have to continuously switch between them using IIS.
Here's a reason for a third way: although UWS Pro is probably closer to IIS than Cassini (although inspired by Cassini and is from the vendor of the UltiDev Cassini fork), its main purpose is to be redistributable along with ASP.NET applications.
Cassini is meant to be a lightweight test webserver. The idea is that a developer does not need to have IIS installed and configured to test his/her application.
Use IIS if you are familiar with it and you have it set up and your box can handle it. Cassini is not meant to be a replacement.
I often take the best of both worlds and create an application in IIS, and use the built-in web server for more efficient debugging.
The built-in server isn't as configurable, and it runs on an odd port, so if you're counting on specific behavior it can be troublesome.
Install IISAdmin, and you can setup separate sites in IIS 5, instead of using virtual directories.
The built-in webserver is a little less robust than IIS, but requires no setup so it is just a tradeoff.
You may not always want your development projects exposed on your IIS server (even your local IIS server) so the built-in server is good for that.
However, if your application is going to access resources outside of the norm for a web app then you may want to debug frequently in IIS so that your app will run with restricted permissions and you can see where the pain points will be.
One difference I've found is that the development server handles uploading files differently than IIS does. You can't trap the error if the file being uploaded is bigger than your Max_File_Size setting. The page just dies and returns a 500.
Another dis-advantage is that it sends every request through the gloabal asax file which includes all requests for images and stylesheets. This means if you have code in there which does things with the file names, such as a look up, then the auxillary files willget processed too.
Also via IIS, you don't have to worry about automatically remembering and setting a stupid port number in your localhost url. That's something funky directly relied upon with Cassini...big pain in the ass. Who wants to remember some abritrary port number. Just run the damn site in IIS..plain and simple.
We've also seen some issues with Visual Studio built-in server regarding some third-party controls which put their scripts in the \aspnet_client folder.
Since the folder isn't there when you're not running under IIS, the controls didn't work. It seems a lot simpler to always work with IIS and avoid strange problems.
If your project resides in the IIS directory you can still edit code. It just depends if it has been published or not.
You will run into so many issues on the Cassini vs. IIS when you are debugging certain permission based scenarios, like Kerberos and NTLM authentication as well as issues like server compression, etc. All in all, the Cassini is still okay to develop with, but make sure you do extensive testing when publishing to IIS.