DPS907 WSA500 Test Answers

Weekly test answers. The most recent test is at the top of the page.

When your test is marked, we are looking for an answer that captures the essence of the example answers (in red, below). Your answer does not necessarily have to be exactly the same, and part marks are possible. You should strive to improve your explanations, as that will improve your academic and career prospects.


Test 11 – November 29, 2016

Answer questions worth four (4) marks.


1. Scenario: You’re working in a software developer job, and you are in a meeting with your client/employer to discuss the design for a new web service that will be used by internal and external users.
You could choose a modern design, or a legacy SOAP XML design.
Briefly discuss the benefits of each design (i.e. why you would choose that design), the weaknesses of each, and the differences. Write a nicely-organized answer (for example, you can use a table). (2 marks)

Feature Modern web API Legacy SOAP XML
Philosophy Faithfully implements HTTP RPC that uses HTTP
Data package JSON or XML, hypermedia representation SOAP XML
Complexity * Simple to complex Medium to complex
Interaction All HTTP methods POST
Uses cache * Yes No
Endpoint Hypermedia-driven resources Single endpoint
Documentation Hypermedia-driven Static, WSDL
Mobile-friendly * Yes Not as much
Security Flexible WS-Security etc. (complex)
Request package format HTTP request SOAP package, names the method, includes argument(s)
Response package format Negotiated SOAP package


2. We know that a modern “web API” service can format a response as XML. Briefly compare its response content and format with a response from a SOAP XML web service. (1 mark)

Web API XML: Customized schema, developer determines the schema.
SOAP XML: MUST conform to SOAP packaging format (schema).


3. In a SOAP XML web service, can you continue to use the existing best-practice features of a project, including its manager class, resource models, and data storage components? Answer, and discuss your reasons. (1 mark)

Yes, must do that.
Simplifies your code.
However, you can implement your own view/resource models if you need to.


4. Briefly describe the process to add a SOAP XML web service endpoint to an existing ASP.NET Web API project. (1 mark)

To the project, add a WCF Service item.
In its interface, describe the methods that will be supported.
In its class, implement (code) the methods.
Make use of the existing project infrastructure (manager, models, etc.).


5. Briefly describe how to configure a client app so that it can interact with a SOAP XML web service. (1 mark)

Add a “service reference”.
In the manager, and in a method…
Create an instance of the web service proxy class.
Call its method(s).
Handle and deliver the response (results).


Test 10 – November 22, 2016

Answer any four (4) questions.


1. Name and briefly explain the purpose of the browser object/API that enables JavaScript to interact with a web service.

Enables requests to be created, configured, and sent.


2. Answer this question if you personally have past experience using a public web API. Which web API did you use (i.e. its name)? What was its purpose? What client(s) did you write/use to interact with the web service? What was the hardest task to implement?

Answers will vary.


3. Scenario: You are writing software that will use a public web API. Name and explain at least two activities that you must do to prepare for and then use the public web API.

We covered these:
Learn about the resources
Overall design
Security considerations
Hypermedia representations


4. Briefly describe the design and coding approach that you would use when creating an iOS or Android app that interacts with a web service. While we’re looking for a brief answer, make sure that it has enough details to explain the important tasks that need to be done.

Answers will vary.


5. What is CORS? Briefly explain. Then, briefly explain what you must do to support CORS.

Cross-origin resource sharing.
Ability to share a resource with a client/request that is outside your current origin/domain.
Must configure your app to support CORS. Essentially, it will add response headers that will allow JavaScript in a browser to successfully make requests in your web service.


6. Briefly name or list the important tasks that you normally do when using an HTTP client object on any platform. (Yes, the tasks are similar, although the implementation details differ.)

prepare for response,
send request,
handle response.


7. Using JavaScript code or pseudocode, write out (as best you can) the code for making a web service request.

// create an xhr object
// configure it
// define the callback method that will run when the response comes back
// send the response


Test 9 – November 15, 2016

Answer any five (5) questions.


1. Briefly describe the purpose or benefit of the new RequestUser class that is in this week’s code example.

This class will make it far easier to expose often-used data in a user account.


2. Briefly explain how you can restrict viewing and editing an object to its owner or creator. There are several concepts and components involved, so do your best to mention all of them.

App must use security.
Object to be controlled must have a string property that holds the owner/creator identifier.
In the Manager class, all methods (except “add new”) must match the security principal to the owner/creator.


3. Can you anticipate and then describe a situation where claims will help with a problem that is difficult to solve when using (traditional) role-based or user-based access control?

Answers will vary, and could include…
Roles don’t scale well (avoid proliferation). Users aren’t global in scope. Conflicts can arise.
Security infrastructure and client app(s) have different security purposes.
Names and roles in the security infrastructure have no meaning in the client app.
Client app needs a modern, flexible, and descriptive way to identify security concerns.


4. Scenario: An entity class includes a property to store the object’s owner (e.g. a user name) This also means that this value is stored in the database table. A decision has been made to remove the user name, for security and/or legal reasons. Briefly discuss a possible solution that somehow retains the ability to know or discover the owner. (Be creative. There is no single right answer.)

Answers will vary.
Looking for something like tokenization/hashing. Would need another database table to hold the mappings. And logic to go back-and-forth.
As much as possible, deeply embed the handling of the mapping table in a manager, so that it doesn’t leak username data.
Also, must change view/resource models.


5. Briefly describe how code in a controller or manager (your choice) can get access to the security context of the current request.

Controller: The top-level User object (property).
Repository: HttpContext.Current.User object (property).
Either: The new User property in the manager, based on the RequestUser class.


6. Briefly discuss the process to adapt a non-secure web service project, so that it can use a separated Identity and Authentication Server.

Initial assumption is that it is a project that was NOT created with “Individual User Accounts”.
Using NuGet Package Manager, get the security-related packages.
Add a Startup class, to “activate” bearer token processing.
Edit the class in WebApiConfig.cs to use bearer tokens.
Ensure that the project and the Identity Server are using the same machineKey.


7. Scenario: Working with an entity collection that offers privacy to an object’s owner. You have learned that an unsuccessful query will return null, which bubbles up as HTTP 404. Briefly explain why this is an appropriate strategy, when comparing it to the alternative, HTTP 401.

HTTP 404 will not leak information about the data store. (There’s a big difference between “not found” and “unauthorized” when asking for a specific object. “Not found” will likely end the fetch attempt. In contrast, “unauthorized” may invite additional attempts to bypass security measures.)


8. Recently, we learned how to create AppClaim objects in a secured app. Briefly explain the purpose of this work – what benefit(s) does it deliver? Also, please comment on its effect on the quality of your security environment.

Purpose is to configure a “master list” of allowable claims in the app.
Benefit is to filter or control the claims that get used in user accounts.
Quality is or should be improved, more consistency, more guidance, less unknowns.
Answers will vary.


Test 8 – November 8, 2016

Answer any four (4) questions.


CPA: 1. In the ASP.NET Identity system, the authentication process can be divided into two distinct sub-tasks. Briefly describe how the user account credential validation task works.

Web app, /account/login will match or validate the credentials.
Then, it creates a cookie that’s included with the response, and typically redirects.

Web service, /token will match or validate the credentials.
Then, it creates an access token as the response.


BSD: 1. Name and briefly describe the purpose and functionality of one of the sub-tasks of the authentication process in the ASP.NET Identity system.

User account credential validation:
Web app, /account/login will match or validate the credentials.
Then, it creates a cookie that’s included with the response, and typically redirects.
Web service, /token will match or validate the credentials.
Then, it creates an access token as the response.

Cookie/token validation:
Web app, request will include a cookie. The cookie is decrypted and validated.
If valid, it creates a ClaimsPrincipal, and attaches it to the request thread.
Web service, request will include an access token. The access token is decrypted and validated.
If valid, it creates a ClaimsPrincipal, and attaches it to the request thread.


CPA: 2. In the ASP.NET Identity system, the authentication process can be divided into two distinct sub-tasks. Briefly describe how the cookie/token validation task works.

Web app, request will include a cookie. The cookie is decrypted and validated.
If valid, it creates a ClaimsPrincipal, and attaches it to the request thread.

Web service, request will include an access token. The access token is decrypted and validated.
If valid, it creates a ClaimsPrincipal, and attaches it to the request thread.


BSD: 2. Assume that a not-so-nice person has somehow obtained the plain text of a month-old access token from an external/foreign web service that uses the ASP.NET Identity system. The person attempts to use it in a request to their own organization’s local web service (which also uses ASP.NET Identity). Briefly discuss whether you think the request will be successful or not, and write your reasons for your opinion.

Probably will not succeed.
First the observed typical lifetime of an access token is two weeks.
Next, the “machine key” will be different, so the attempt to decrypt the token will fail.
Then, the content of the access token is an identity with claims, which may be valid on the foreign system, but most certainly will not be valid on the local system.


3. Briefly name and discuss one potential benefit or advantage to creating a separate server app to handle identity management and authentication (cookie/token issuing).

Principle of separation of concerns. Modularity.
Scale – one IA Server can be used by many other sharing and trusting apps.
Others answers are possible.


4. Briefly explain the purpose and role of a “machine key” in the cookie/token encryption and decryption process.

Cryptographically unique value that is used in the encryption and decryption process.
Data is encrypted by using the machine key, resulting in a value that can be sent to a remote system.
The remote system can decrypt the value, to restore the data to its original form.


5. Name and briefly describe any two of the tasks that can be done to add access token validation to a new or existing web service.

Using the NuGet Package Manager, add some packages. Mostly Owin and OAuth. These include the access token validation components.
Create a “startup” class that loads the access token validation component. Done in the Startup.cs source code file.
Configure the app to use the just-loaded component. Done in the WebApiConfig.cs source code file.
Add a new “machine key” value to the app’s Web.config file. Identical to the IA Server. Enables it to share the same security context.


CPA: 6. or BSD: 7. This question is about the IA Server app. What was the most interesting code feature in the app? Explain.

Answers will vary.


BSD: 6. This question is about the SecuredCustomer code example, which implements the procedure to add access token validation to a web service. Were you surprised that the procedure was relatively simple and easy to implement? Explain.

Yes, should be surprised, especially after learning other complex security topics.


Test 7 – November 1, 2016

Answer any five (5) questions.


1. In the LoadUserAccounts() method, it is possible to add many user accounts, when the app runs for the first time. Briefly discuss whether this is a good idea, and state your reason(s).

Yeah, good idea. Saves picky work. Can guarantee a consistent experience.
No, bad idea. Takes decision-making away from the admin of the deployed app.


2. The class notes presented a design for claims management in an app. Do you agree or disagree with the design? Briefly discuss your reasons, and please be specific.

Structured, guided. Not chaotic.
Can build in business rules and app domain logic.
Authorization will be easier to express and manage in the future.


3. It was argued that a “Role” claim would be suitable for coarse-grained access control, and that a custom claim (e.g. “OU” or “Task”) would be suitable for fine-grained access control. Briefly explain the reason(s) for this recommendation.

Limit the growth and proliferation of role claims.
Custom claims offer more flexibility, adaptability, and change tolerance.


4. Assume that you want to configure the allowed claim for the apps, when the app runs for the first time. How would you design this ability? Where does the code go? (You can assume that the app already has the AppClaim design and resource model classes.)

Use the existing IdentityInitialize class.
Add another method, LoadAllowedClaims().


5. Briefly describe how the new user account creation/registration process changes, after implementing the claims management design (that uses a master list).

Before adding the new user account, each requested claim is validated.
Our current rule is that any invalid claim results in an error, and the user account is NOT added.


6. The notes and ManageUserAccounts code example implemented a small number of use cases for user account management. What use cases are missing? (What should we add?)

Claim – all users with a specific claim.
Claim – all users without a specific claim.
Claim – list of all claims, ordered first by type, then by value.
Claim – add/edit/remove claim from a selection of users (some or all).
User account – delete.
User account – unlock.
(there are probably others)


7. Code example question: From either of today’s code examples, name and briefly discuss something that you learned, or thought was interesting and/or useful. This is a free-form question, with many acceptable answers.

Answers will vary.


8. Code example question, user account management: Assume that you must implement the “get all users with a specific role claim” use case. Write your coding plan (pseudocode or whatever) for the Manager class method that will do the work.

Very similar to the existing get-all-by-surname method…
Parameter will accept the name of the role claim
Fetch the user collection into memory
Query it to match the name of the role claim
Return the results as a collection


Test 6 – October 18, 2016

Answer any four (4) questions.


CPA: 1. The notes describe ASP.NET identity as having three (3) components or functional pieces. Name them.

Identity management


BSD: 1. Compare the authentication (login) process in a web app and a web service.

In a web app:

  • There is a user interface, a login page
  • The Account controller’s Login method processes the authentication request
  • Successful authentication results in a response that has an HTTP cookie

In a web service:

  • No user interface, but there is a token endpoint, /token
  • The authentication provider (class) processes the authentication request
  • Successful authentication results in a response that is an access token


2. What is the purpose of the Startup class in a project that uses ASP.NET Identity security?

Enables the configuration of the security environment.
In other words, can turn on/off 1) identity management, 2) authentication, and 3) authorization.


3. Where is the user account information stored in an app that uses ASP.NET Identity security? How is the storage scheme declared and initialized?

In a database, in specially-named database tables.
The IdentityDbContext<TUser> class causes these to be initialized when the database is accessed for the first time.


CPA: 4. In a web app, authentication is done by the Login method in the Account controller. In a web service, where is authentication done?

In a web service:

  • No user interface, but there is a token endpoint, /token
  • The authentication provider (class) processes the authentication request
  • Successful authentication results in a response that is an access token


CPA: 5. and BSD: 4. Briefly describe how code in a controller or manager (your choice) can get access to the security context of the current request.

Controller: The top-level User object (property).
Manager: HttpContext.Current.User object (property).


5. Please describe the request-processing pipeline in configuration with security, starting with the web server receiving the request, up to the controller action invocation/execution. You can either draw a simple diagram, or write a sequenced list of tasks done in the pipeline.

Diagram is the “message processing pipeline” PDF, or…
Full list, which does not have to be in the answer…

1. IIS receives the request, identifies it as request for an ASP.NET app, and passes it to…
2. The ASP.NET runtime, which determines that the app has been configured to use OWIN
3. OWIN, acting as the app’s host/server, begins handling the request
4. An HTTP Request object is created (seen as an HttpRequestMessage object in the ASP.NET runtime)
5. The route (request URI) is inspected, if OK, continue…
6. The controller is determined, and initialized/instantiated
7. The controller action (method) is determined
8. Authentication happens (using a OWIN module/component)
9. Authorization happens for the selected controller action (if it fails, HTTP 401 or 403)
10. Model binding happens, which extracts data from the HTTPRequestMessage
11. The controller action is invoked/executed


Test 5 – October 11, 2016

BSD: Answer question 1 (for 2 marks), and any three (3) others.
CPA: Answer any five (5) questions.


BSD: 1. Last week and this week, you have learned how to add link relations to objects and collections. There are other ways to do this – some programmers recommend creating a media type formatter to do the job. Please think about the two alternatives, and discuss the possible benefits and problems of each design. (2 marks)

Recently-learned “current” design requires manual coding, and following a number of rules and conventions.

Current benefits: Understandable, deliberate, no magic.
Current problems: Must create linked classes for each entity. Convention-based and therefore possibly limiting.

Alternative benefits: Simple controller methods. Content negotiation can determine whether to return a hypermedia type.
Alternative problems: Access to current request URI. Access to nested object(s) URI(s).

(After marking the test, I noted that the answer quality for this question was low, and that surprised me. The notes and code example provided a good amount of guidance and information, which should have provided a good base for adding your thoughts. Also, some answers focused on the functionality of the ByteFormatter class, which was not asked for – we were asking about link relations.) 


CPA: 1. Briefly discuss any two “documentation” techniques that a web service programmer can implement, to make it easier for users/requestors.

Link relations – add link relations to objects or collections, to create a “hypermedia representation”.

Initial URI – add and configure a “root” controller, at the app’s entry URI, to notify users/requestors (using link relations) what resources are available, and for what purpose.

Help Page – activate and configure the “help page”, and use XML code comments to provide good descriptions.

“Add new” template – in certain responses (e.g. “get all”), notify users/requestors what data must be provided in an “add new” scenario.


2. Briefly define content negotiation, and how it is implemented.

The process of negotiating the media type of a response.
Requestor asks for a media type with the Accept header. Server responds with it, if possible.


3. What is the extra work that must be done to add link relations to a nested object or collection? Try to be as descriptive as possible.

The nested object or collection must be the “…WithLink” type, to hold a link relation.
Then, the add work is done in the controller, manually-coded.
Just before returning the result, go through the nested object or collection, and add link relations.


4. Scenario: A “get one” controller method is returning a result, with link relations. You would like to notify the user/requestor that they can use two “commands” on the current resource URI. How would you do this? If it helps your answer, you can use sample code and comments.

Manually create and add two new links to the object’s “Links” collection. For example:

o.Links.Add(new Link  { Href = “api/blurb/{id}/dosomething”, Rel = “command”, Method = “PUT” });


5. Scenario: Assume that you have a happy and working ASP.NET MVC web app. It has a “Products” controller and a number of views that handle the /products URI segment. Now you want to add a Web API controller for “Products”, to handle the /api/products segment. Briefly describe how you could complete this task.

Add a Web API controller, initially named ProductsApiController, which will create a source code file.
Then, in the source code file…
Add the “.Api” suffix to the namespace name.
Change the controller class name, to remove the “Api” characters.


BSD: 6. What was the most interesting thing you learned when reviewing/studying the HTML5Client code example?

Answers can vary.


CPA: 6. What was the most interesting thing you learned when reviewing/studying the HypermediaObjectGraph code example?

Answers can vary. 


7. Briefly describe how to implement this Roy Fielding REST rule: Can enter and use the web API with no knowledge other than root/entry-point URI.

Create “Root” controller.
Edit the default route in the WebApiConfig class.
Manually code/add the link relations that will be visible/available at the root/entry-point URI.


Test 4 – October 4, 2016

Answer any four (4) of the following.


1. Briefly explain the meaning of this statement: Modern web APIs must be hypermedia-driven.

Response includes data and links that enable the requestor to determine what to do next.
This is the plain-language way of saying that “hypermedia is the engine of application state”.


2. Roy Fielding published a document (blog post) titled “REST APIs must be hypertext-driven”. Briefly discuss any one of his rules, and why it was memorable to you.

Any one of these…
Should not depend on a single communications protocol.
Should not change the selected communications protocol.
Should fully describe how to change application state, without out-of-band info.
Must not rely on fixed resource names, and instead use link relations.
Communicate only standardized media types and relations.
Can enter API with no knowledge other than root/entry-point URI, link relations used from there.


BSD: 3. Scenario: You are on a development team, creating a web service that will be used by the public, and by developers of other apps. Briefly explain whether a hypermedia-driven design should be used, or not.

Yes, should be used.
For public consumption and use.
Deliver information about resources and state changes in-band with the results.


CPA: 3. Name any five IANA-standardized link relation names.

Edit, first, last, item, previous, next, self, related, start, etc. (see the IANA list for more)


BSD: 4. Briefly explain the purpose of the LinkedItem abstract base class in the LinkRelationsMore code example. How does this class get used?

It’s the base class for an “entity linked” resource model class.
It’s a “factory”, because it constructs an object that includes link relations.


CPA: 4. Assume that a PersonBase resource model includes these properties for a “person” entity: Id, Name, Age. Write out a simple rendering of a collection with two objects (maybe you and your professor) with link relations, similar to the way that Fiddler renders a result on the JSON tab/view.



5. What is the purpose of the HTTP OPTIONS method? Why must we handle it in our app?

From RFC 7231:
The OPTIONS method requests information about the communication options available for the target resource…  This method allows a client to determine the options and/or requirements associated with a resource, or the capabilities of a server, without implying a resource action.

Other than the last sentence (above), it serves as documentation.


6. If you added the HTTP OPTIONS handler to an app, how do you initialize it so that it becomes part of the request-processing pipeline?

Must be added to the app’s configuration.
This is done in the WebApiConfig class (the source code is in the App_Start folder).


Test 3 – September 27, 2016

Answer any four (4) of the following.


1. There are at least two important rules that you must follow when working with media items. Briefly state them.

Do not package bytes inside another container. Deliver the media as is.
When storing, must store bytes AND the internet media type name.


2. Assume that you are writing a controller method that accepts a media item for the recently-learned “object with one media item” scenario. Name the method’s parameters, and their purpose.

Identifier, for the object.
Byte array, for the media item data.


3. Assume that a client (smartphone) app wants to use a web service that delivers media items. For a specific entity object, you want both data and a media item. How do you request what you need?

This must be done with two separate requests.
One request for the object’s data.
The other request for the media item.


4. Draw a simple diagram that shows the location of a media type formatter relative to other components in the message-handling pipeline.

(See diagrams from the class notes)


5. Briefly explain how a media type formatter class works, by discussing its methods. (The explanation should not be too general, and not too technical. In other words, no syntax.)

The constructor declares the internet media types that it will handle.
A Reader transforms data coming in from a request.
A Writer transforms data that’s returned in a response.


Test 2 – September 20, 2016

1. Name and briefly describe two examples of real-life entities that can be modeled with an association that we are covering this week. (For example, many-to-many, one-to-one, self-referencing to-one and to-many.) We already know about the Employee-Address-JobDuty entities in the AssociationsOther code example, so do not name those as your answer.

Self-referencing to-many: Person, a collection of Children.
Self-referencing to-one: Person, a Mother or Father.
Many-to-many: School of ICT academic Program and Course
One-to-one: User Account and preferred Credit Card


2. Assume that you are writing the classes for two associated entities. It is possible to configure a navigation property as “required”. Why would you do that? What effect does it have on your coding task, and/or on the stored object?

Why? To prevent an object that depends upon another from being created if you do not have a reference to the associated object.
Or, when you must have a reference to the “required” associated object.
For example, adding an object on the “to many” side needs a reference to the “to one” object.
In the data store, the foreign key property constraint gets configured by the EF façade and manager.


3. Question about the manager class: Assume that you want to fetch one object, with an associated collection. What is your coding strategy? If you wish, you can also include a line of code to supplement your answer.

Use the Include method, with the name of the navigation property as the argument. For example:
var fetchedObject = ds.Suppliers.Include(“Products”).SingleOrDefault(p => p.Id == id);


4. Briefly discuss the reasons for using the command pattern, as you learned in this week’s topic notes. Assume that you are attempting to explain “why” to use this pattern to your team.

Higher level of abstraction, higher than thinking about atomic data tasks
Do a task that does not naturally map to a CRUD task on a resource
Encapsulate functionality in a container


5. Briefly discuss the technical design features of the command pattern, as you learned in this week’s topic notes. Assume that you are attempting to show your team “how” to use this pattern.

Design a resource model for the data needed by the use case
Write a controller method, for HTTP PUT, a void return type, and a custom route
Write a manager method that does the work
Also, try to design the command to be idempotent


Test 1 – September 13, 2016

Worth 3%. Answer all three questions.

Briefly explain the value proposition of the IHttpActionResult type, when compared to simply returning an object or collection.

The request-handling pipeline configures the response with the correct HTTP status code.
Or, coding consistency. The helper methods (OK, NotFound, etc.) are more expressive.
Also, these helper methods can add response headers, where appropriate.


Briefly describe request routing. (Or put another way, how does ASP.NET Web API route HTTP requests to controllers?)

App domain uses the front controller pattern to receive the request.
Front controller inspects the URI, and compares it to routes defined by the app (and also by convention in the runtime).
Then, it attempts to locate a matching route, based on reflection over all the controller types found in the app.
The matching controller is initialized, and the matching method is called with the request’s data.


Scenario: A user agent requests (GET) a collection resource. There are no items in the collection. What is the correct response, and why?

The data package will be an empty container. For example [] in JSON. 
The absence of objects in the collection does not imply an error condition. It simply means that the collection resource is empty.























%d bloggers like this: