DPS907 WSA500 Lab 3 Fall 2013

Lab 3 enables you to demonstrate that you understand something about media handling and security.


DPS907 WSA500 Lab 3 – due Tue Oct 15

Assigned: During Week 6

Due date: Tuesday, October 15, at 9:30am ET

Grade value: 4% of your final course grade

Grading method: The following will be checked:

  • Your Lab 3 project, which is an ASP.NET Web API
  • Correct implementation of the specifications
  • Code writing quality, including commenting



Prove that you can implement recently-covered concepts and techniques:

  • Handle an image media type
  • Implement security


Introduction to the problem that you will solve

You will create a simple web service that will manage your music collection.

It will be a simple one-entity app. The entity is “Album”. The app enables users to view, add, or change items in the collection.



Here are some general comments about the tasks you must complete:

Follow best practices.

It is expected that you will use AutoMapper. You must also use data annotations.

Methods that handle user input must manage the quality and format of the incoming data.

It is also expected that you will test your work, using Fiddler or another HTTP inspector.

Make sure that your code is well-commented.


Getting started by creating a project ‘TemplateV1’ 

Create an ASP.NET Web API project named ‘TemplateV1’. This will be a project that you can use as a template for your ‘Lab3’ app, described below.

Add the code assets that you typically find in an ASP.NET Web API project, including:

  • App domain model class source code file (which can be mostly empty)
  • DbContext class (which will also be mostly empty)
  • A Web.config connection string for your app’s database
  • StoreInitializer class (which will also be mostly empty)
  • A reference to the AutoMapper library
  • A repository base class


Use your ‘TemplateV1’ project to make ‘Lab3’ 

Follow the procedure that you first learned in an earlier class to create a copy of your project, named ‘Lab3’.


Design the app domain data model class

As noted above, there will be one entity, ‘Album’, with (at least) these properties:

  • identifier
  • album name
  • artist(s)
  • year released
  • genre
  • image/photo of album cover
  • internet media type of the image/photo
  • a ‘rating’ value, which is an integer between 1 and 5
  • a value to indicate whether this album’s info is shared

Continue by coding the DbContext and StoreInitializer classes.

Your StoreInitializer must create two albums in the collection. Album cover images can be obtained from many sources (and copied into your project). One suggested source is Amazon.com. Its images (on the search results page) are 200px square, which is an ideal size for this app.
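The entity, DbContext and StoreInitializer described above, as an added example that is not the professor's code or part of the original handout. Every class, property and file name is an assumption; the annotation on the rating property is what makes the "integer between 1 and 5" rule enforceable at model-binding time and again when Entity Framework validates before saving:

```csharp
using System;
using System.ComponentModel.DataAnnotations;
using System.Data.Entity;
using System.IO;

namespace Lab3.Models
{
    // Hypothetical entity class for the lab; every name here is an assumption.
    public class Album
    {
        [Key]
        public int Id { get; set; }

        [Required, StringLength(200)]
        public string Name { get; set; }

        [Required, StringLength(200)]
        public string Artists { get; set; }

        [Range(1900, 2100)]
        public int YearReleased { get; set; }

        [StringLength(50)]
        public string Genre { get; set; }

        // Cover image bytes. Kept out of every view model so it never appears in a JSON/XML response.
        public byte[] Photo { get; set; }

        // Internet media type of Photo (e.g. "image/jpeg"), sent as Content-Type when the image is served.
        [StringLength(100)]
        public string PhotoMediaType { get; set; }

        // 1 (low) to 5 (high). Entity Framework validates this annotation before SaveChanges.
        [Range(1, 5)]
        public int Rating { get; set; }

        // Whether this album's info is shared (the "Editor" command changes it).
        public bool IsShared { get; set; }
    }

    // Assumes a Web.config connection string named "DataContext".
    public class DataContext : DbContext
    {
        public DataContext() : base("name=DataContext") { }

        public DbSet<Album> Albums { get; set; }
    }

    // Creates two albums when the database is (re)built. Album names and file names are constructed samples;
    // copy real cover images into App_Data with matching file names.
    public class StoreInitializer : DropCreateDatabaseIfModelChanges<DataContext>
    {
        protected override void Seed(DataContext context)
        {
            context.Albums.Add(new Album
            {
                Name = "Sample Album One", Artists = "Sample Artist", YearReleased = 1999, Genre = "Rock",
                Photo = LoadCover("cover1.jpg"), PhotoMediaType = "image/jpeg", Rating = 4, IsShared = true
            });
            context.Albums.Add(new Album
            {
                Name = "Sample Album Two", Artists = "Another Artist", YearReleased = 2011, Genre = "Jazz",
                Photo = LoadCover("cover2.png"), PhotoMediaType = "image/png", Rating = 3, IsShared = false
            });
            context.SaveChanges();
        }

        // Reads a cover image from App_Data; returns an empty array (not null) if the file is missing,
        // so a missing file shows up as a zero-byte image rather than a crash at startup.
        private static byte[] LoadCover(string fileName)
        {
            var dataDir = AppDomain.CurrentDomain.GetData("DataDirectory") as string ?? ".";
            var path = Path.Combine(dataDir, fileName);
            return File.Exists(path) ? File.ReadAllBytes(path) : new byte[0];
        }
    }
}
```

Register the initializer once at startup (in Global.asax's Application_Start) with `Database.SetInitializer(new StoreInitializer());` so the seed runs the first time the context is used.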


A preview of the security configuration

Your web service will use the professor’s OAuth infrastructure to validate access tokens for some tasks.

Unauthenticated requests will be able to get-one and get-all, in various media formats.

Requests authenticated in the “Publisher” role will be able to:

  1. add a new album to the collection,
  2. edit an album’s information, and
  3. delete an album.

Requests authenticated in the “Editor” role will be able to:

  1. set an album’s ‘rating’ value, and
  2. indicate whether an album’s info is shared.


Implement the public get-one and get-all request handlers 

The ‘Album’ entity includes an image property. Best practices tell us that you MUST NOT include the property’s value when an object is returned. Instead, the image must be fetched in its own HTTP request.

You can return all other non-image properties.

Add the code (controller + view model + repository) to enable a ‘get-all’ request. Sort the results in a meaningful way.

Add the code to enable a ‘get-one’ request. Normally, this kind of request will return JSON or XML.

Modify the code to enable the requestor to accept an image response. You are permitted to use your professor’s image media formatter. You may have to edit the code to enable it to work in your web service.
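The public get-all and get-one handlers, as an added example (not the professor's code, and not his image media formatter). It assumes an Album entity with Photo and PhotoMediaType properties, a DataContext DbContext, and AutoMapper's static API of the period with `Mapper.CreateMap<Album, AlbumBase>()` registered at startup; all of those names are assumptions. Instead of a custom formatter it inspects the Accept header directly, which is a simpler alternative that demonstrates the same point: the image bytes are never part of the JSON/XML representation, and the Content-Type of the image response comes from the stored media type, never from the client.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Web.Http;
using AutoMapper;
using Lab3.Models;

namespace Lab3.Controllers
{
    // View model for get-all / get-one. It has no Photo property, so the image bytes cannot be serialized.
    public class AlbumBase
    {
        public int Id { get; set; }
        public string Name { get; set; }
        public string Artists { get; set; }
        public int YearReleased { get; set; }
        public string Genre { get; set; }
        public string PhotoMediaType { get; set; }
        public int Rating { get; set; }
        public bool IsShared { get; set; }
    }

    public class AlbumsController : ApiController
    {
        // Assumed DbContext with an Albums DbSet (hypothetical name).
        private readonly DataContext ds = new DataContext();

        // GET api/albums : public, sorted by artist then album name
        [AllowAnonymous]
        public IEnumerable<AlbumBase> Get()
        {
            var albums = ds.Albums.OrderBy(a => a.Artists).ThenBy(a => a.Name).ToList();
            return Mapper.Map<IEnumerable<AlbumBase>>(albums);
        }

        // GET api/albums/5 : public. JSON/XML by default; the image when the Accept header asks for one.
        [AllowAnonymous]
        public HttpResponseMessage Get(int id)
        {
            var album = ds.Albums.Find(id);
            if (album == null)
                return Request.CreateResponse(HttpStatusCode.NotFound);

            // Accept: image/* (or the exact stored type) selects the image representation.
            bool wantsImage = Request.Headers.Accept.Any(
                h => h.MediaType != null && h.MediaType.StartsWith("image/"));
            if (!wantsImage)
                return Request.CreateResponse(HttpStatusCode.OK, Mapper.Map<AlbumBase>(album));

            if (album.Photo == null || album.Photo.Length == 0 || string.IsNullOrEmpty(album.PhotoMediaType))
                return Request.CreateResponse(HttpStatusCode.NotFound);

            // Serve the stored bytes with the stored media type; the client does not choose the Content-Type.
            var response = Request.CreateResponse(HttpStatusCode.OK);
            response.Content = new ByteArrayContent(album.Photo);
            response.Content.Headers.ContentType = new MediaTypeHeaderValue(album.PhotoMediaType);
            return response;
        }

        protected override void Dispose(bool disposing)
        {
            if (disposing) ds.Dispose();
            base.Dispose(disposing);
        }
    }
}
```

In Fiddler, send `GET /api/albums/1` once with `Accept: application/json` and once with `Accept: image/jpeg`; the first response must not contain the image bytes, and the second must carry the stored media type in its Content-Type header.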


Enable a “Publisher” to add a new album

You will need to implement OAuth security and use the professor’s OAuth infrastructure. You will need the handler code from the SecurityUsingOAuth code example. (You have permission to use it as-is. You may have to edit the code to enable it to work in your web service.) Obviously, you will need to use the appropriate [Authorize] attribute on some controller methods.

Add the code to enable a “Publisher” to add a new album.

Remember the best practice: When adding an object that includes an image property, it must be done as two separate steps:

  1. add the object in the usual way (HTTP POST etc.), then
  2. update the new object with the image bytes
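The two-step add, as an added example that is not the professor's code. It assumes the same Album entity and DataContext as above, a `Mapper.CreateMap<AlbumAdd, Album>()` registration at startup, the default route named "DefaultApi", and Web API 2 attribute routing for the image step (with Web API 1, register that route in WebApiConfig instead); the size limit, allowed types and route templates are assumptions. The security-relevant part is the second step: the declared Content-Type is checked against an allow-list, the body is bounded in size both by the advisory Content-Length and by the bytes actually read, and the file's magic bytes must agree with the declared type before anything is stored.

```csharp
using System;
using System.ComponentModel.DataAnnotations;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
using System.Web.Http;
using AutoMapper;
using Lab3.Models;

namespace Lab3.Controllers
{
    // Add view model: only the fields a Publisher supplies. No Id, Photo, Rating or IsShared,
    // so a request body cannot set them (over-posting protection).
    public class AlbumAdd
    {
        [Required, StringLength(200)] public string Name { get; set; }
        [Required, StringLength(200)] public string Artists { get; set; }
        [Range(1900, 2100)] public int YearReleased { get; set; }
        [StringLength(50)] public string Genre { get; set; }
    }

    public class AlbumsController : ApiController
    {
        private readonly DataContext ds = new DataContext();

        private static readonly string[] AllowedImageTypes = { "image/jpeg", "image/png" };
        private const int MaxImageBytes = 512 * 1024;   // assumption: generous for a 200px cover

        // Step 1: POST api/albums with the album's data (no image). Publisher only.
        [Authorize(Roles = "Publisher")]
        public HttpResponseMessage Post(AlbumAdd newItem)
        {
            if (newItem == null || !ModelState.IsValid)
                return Request.CreateErrorResponse(HttpStatusCode.BadRequest, ModelState);

            var album = Mapper.Map<Album>(newItem);
            album.Rating = 3;                          // server-chosen default; the Editor command changes it later
            ds.Albums.Add(album);
            ds.SaveChanges();

            var response = Request.CreateResponse(HttpStatusCode.Created, new { album.Id });
            response.Headers.Location = new Uri(Url.Link("DefaultApi", new { id = album.Id }));
            return response;
        }

        // Step 2: PUT api/albums/5/photo with the raw image bytes in the body and a Content-Type header.
        [Authorize(Roles = "Publisher")]
        [HttpPut, Route("api/albums/{id:int}/photo")]
        public async Task<HttpResponseMessage> PutPhoto(int id)
        {
            var album = ds.Albums.Find(id);
            if (album == null)
                return Request.CreateResponse(HttpStatusCode.NotFound);

            var contentType = Request.Content.Headers.ContentType;
            string mediaType = contentType == null ? null : contentType.MediaType.ToLowerInvariant();
            if (mediaType == null || !AllowedImageTypes.Contains(mediaType))
                return Request.CreateResponse(HttpStatusCode.UnsupportedMediaType);

            // Content-Length is advisory; check the declared size first, then the bytes actually received.
            if (Request.Content.Headers.ContentLength > MaxImageBytes)
                return Request.CreateResponse(HttpStatusCode.RequestEntityTooLarge);

            byte[] bytes = await Request.Content.ReadAsByteArrayAsync();
            if (bytes.Length == 0 || bytes.Length > MaxImageBytes)
                return Request.CreateResponse(HttpStatusCode.BadRequest);

            // The declared type must match the file's magic bytes, so a non-image cannot be stored as image/jpeg.
            if (!MatchesMagic(mediaType, bytes))
                return Request.CreateResponse(HttpStatusCode.BadRequest);

            album.Photo = bytes;
            album.PhotoMediaType = mediaType;
            ds.SaveChanges();
            return Request.CreateResponse(HttpStatusCode.NoContent);
        }

        // JPEG starts FF D8 FF; PNG starts 89 50 4E 47 0D 0A 1A 0A.
        private static bool MatchesMagic(string mediaType, byte[] b)
        {
            switch (mediaType)
            {
                case "image/jpeg": return b.Length > 3 && b[0] == 0xFF && b[1] == 0xD8 && b[2] == 0xFF;
                case "image/png":  return b.Length > 8 && b[0] == 0x89 && b[1] == 0x50 && b[2] == 0x4E && b[3] == 0x47;
                default: return false;
            }
        }
    }
}
```

Both methods carry `[Authorize(Roles = "Publisher")]`, which only works once the OAuth message handler has validated the access token and attached a principal with that role to the request; an unauthenticated request to either method gets 401 before the method body runs.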


Enable a “Publisher” to edit an album

Add code to enable a “Publisher” to edit an album, but only certain properties:

  • album name
  • artist(s)
  • year released
  • genre

Tip: Use a view model to implement this.


Enable a “Publisher” to delete an album 

Add code to enable a “Publisher” to delete an album.
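The edit and delete handlers, as an added example that is not the professor's code. It assumes the same Album entity and DataContext as above and a `Mapper.CreateMap<AlbumEdit, Album>()` registration at startup. The view model is the whole point of the tip: because AlbumEdit carries only the four editable properties, a Publisher cannot change the rating, the sharing flag or the image through this method no matter what the request body contains, and mapping onto the tracked entity leaves the unmapped properties untouched.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using AutoMapper;
using Lab3.Models;

namespace Lab3.Controllers
{
    // Edit view model: exactly the four editable properties, plus Id so the URI and body can be cross-checked.
    // Photo, Rating and IsShared are absent, so a Publisher cannot change them through this method.
    public class AlbumEdit
    {
        public int Id { get; set; }
        [Required, StringLength(200)] public string Name { get; set; }
        [Required, StringLength(200)] public string Artists { get; set; }
        [Range(1900, 2100)] public int YearReleased { get; set; }
        [StringLength(50)] public string Genre { get; set; }
    }

    public class AlbumsController : ApiController
    {
        private readonly DataContext ds = new DataContext();

        // PUT api/albums/5 with an AlbumEdit body. Publisher only.
        [Authorize(Roles = "Publisher")]
        public HttpResponseMessage Put(int id, AlbumEdit editedItem)
        {
            if (editedItem == null || !ModelState.IsValid)
                return Request.CreateErrorResponse(HttpStatusCode.BadRequest, ModelState);

            if (id != editedItem.Id)
                return Request.CreateResponse(HttpStatusCode.BadRequest, "Identifier in URI and body do not match");

            var album = ds.Albums.Find(id);
            if (album == null)
                return Request.CreateResponse(HttpStatusCode.NotFound);

            // Map onto the tracked entity: only the properties present on AlbumEdit are written.
            Mapper.Map(editedItem, album);
            ds.SaveChanges();

            return Request.CreateResponse(HttpStatusCode.NoContent);
        }

        // DELETE api/albums/5. Publisher only. Repeating the request is harmless (404 the second time).
        [Authorize(Roles = "Publisher")]
        public HttpResponseMessage Delete(int id)
        {
            var album = ds.Albums.Find(id);
            if (album == null)
                return Request.CreateResponse(HttpStatusCode.NotFound);

            ds.Albums.Remove(album);
            ds.SaveChanges();
            return Request.CreateResponse(HttpStatusCode.NoContent);
        }
    }
}
```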


Enable an “Editor” to edit an album

An “Editor” can set a rating value (e.g. 1 is a low rating, 5 is a high rating), and a value to indicate whether the album info can be shared.

In this task, you will learn a way to implement the ‘command’ part of the CQRS pattern.

Read an introduction to CQRS in this Wikipedia article before continuing.

For many weeks, we have been learning to code a web service by thinking of it as an API to a database-like data store. You have learned how to handle the typical CRUD operations (create, retrieve, update, delete) normally associated with data management. The HTTP methods map nicely to these operations, and that familiarity has helped you make progress.

It’s time to expand our thinking, beyond data management. How? By adding the ability to handle commands and operations that may or may not be easily mapped to data management.

In this section, you’ll get a gentle introduction to this concept, by coding commands that feel like commands, but end up changing the (data) state of the targeted resource. This will prepare you for more interesting scenarios in a few weeks.

Sharing an album’s info, or setting a rating value, are both examples of ‘commands’. In other words, we want to assert our intent to share an album’s info. There are two ways to look at this task:

  1. As a command, where we state our intent – ‘share’ the album’s info
  2. As a data management task, where we specifically, technically, and atomically set the sharing property to a specific value

Which is the more natural concept to understand? Everyone can understand #1. Only programmers would care enough to understand #2.

How do we map commands to resources? To preview, we typically send a PUT request to a resource. The underlying method has code that carries out our intent. CQRS states that a command does something but does not return data to the caller. Therefore, the controller method return type will be void, which automatically creates an HTTP 204 status code. In other words, when handling a ‘command’, we simply execute the command silently, without any data feedback to the requestor (other than the HTTP 204).

Here are a few other things to know about HTTP:

  • In HTTP, the GET method is ‘safe’. A safe method does not change the state of a resource.
  • These methods are ‘unsafe’: POST, PUT, DELETE.
  • We must also consider idempotence. In brief, a method is ‘idempotent’ if repeated execution has the same effect. In HTTP, GET, PUT, and DELETE are idempotent. (Why? Think about it.)
  • POST is not idempotent.


In summary, your controller will have two additional methods. Each will handle a specific resource URI.

We suggest that the following URI can be used to set the rating value:


Its method signature must handle that URI, and validate the incoming data (integer, ranging from 1 to 5).

We suggest that the following URI can be used to set the info-sharing setting:


Its method signature must handle that URI, and validate the incoming data (string, ‘yes’ or ‘no’).

How can you test your work? After you send a ‘command’ request, simply execute another ‘get-one’ request to the affected resource, and look at the response.
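The two "Editor" command handlers, as an added example that is not the professor's code. The handout's URIs are not reproduced here, so the route templates below are assumptions, as are the entity and context names; attribute routing requires Web API 2 (with Web API 1, register the routes in WebApiConfig). The methods return void, so Web API answers 204 No Content on success; invalid input is rejected with 400 by throwing HttpResponseException, before any state changes.

```csharp
using System.Net;
using System.Web.Http;
using Lab3.Models;

namespace Lab3.Controllers
{
    public class AlbumsController : ApiController
    {
        private readonly DataContext ds = new DataContext();

        // PUT api/albums/5/rating with a JSON body of 4  ->  204 No Content. Editor only.
        [Authorize(Roles = "Editor")]
        [HttpPut, Route("api/albums/{id:int}/rating")]
        public void SetRating(int id, [FromBody] int rating)
        {
            // Validate before touching the store: integer in the range 1..5.
            if (rating < 1 || rating > 5)
                throw new HttpResponseException(HttpStatusCode.BadRequest);

            var album = FindOrThrow(id);
            album.Rating = rating;
            ds.SaveChanges();
            // void return => Web API sends 204 No Content: the command returns no data to the caller.
        }

        // PUT api/albums/5/shared with a JSON body of "yes" or "no"  ->  204 No Content. Editor only.
        [Authorize(Roles = "Editor")]
        [HttpPut, Route("api/albums/{id:int}/shared")]
        public void SetShared(int id, [FromBody] string shared)
        {
            if (shared == null)
                throw new HttpResponseException(HttpStatusCode.BadRequest);

            var value = shared.Trim().ToLowerInvariant();
            if (value != "yes" && value != "no")
                throw new HttpResponseException(HttpStatusCode.BadRequest);

            var album = FindOrThrow(id);
            album.IsShared = (value == "yes");
            ds.SaveChanges();
        }

        // Both commands are idempotent: repeating the same PUT leaves the album in the same state.
        private Album FindOrThrow(int id)
        {
            var album = ds.Albums.Find(id);
            if (album == null)
                throw new HttpResponseException(HttpStatusCode.NotFound);
            return album;
        }
    }
}
```

To verify, send the PUT with an Editor token and then `GET /api/albums/5` with `Accept: application/json`; the rating or IsShared value in the get-one response is the only feedback the command gives. A Publisher token on these methods gets 403, because the role check is separate from the authentication check.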


Testing your work 

Use Fiddler to test your results. For this Lab 3, you do not have to include your Fiddler tests.


Reminder about academic honesty

You must comply with the College’s academic honesty policy. Although you may interact and collaborate with others, you must submit your own work.


Submitting your work

Here’s how to submit your work, before the due date and time:

1. Locate the folder that holds your “Lab3” project files.

2. Make a copy of the folder, and name it by using the following format:
For example, your professor’s folder name will be “Lab3_pmcintyr”

3. Remove the “packages” folder from this folder (it’s too big to email, and I don’t need it to grade your work); also, remove the “bin” and “obj” folders

4. Compress/zip the folder. The zip file SHOULD be about 1MB in size. If it isn’t, you haven’t followed the instructions properly.

5. Login to My.Seneca. Open the Web Services Architecture course area. Click the “Assignments” link on the left-side navigator. Follow the link for this lab. Submit/upload your zip file.

