Glimpse 1.8.4 released

Another month has gone by since our last release and this time round it’s a smallish one. Mostly bug fixes and a couple of useful additions, but most of our time lately has been focused on v2.

By way of a small update on v2, we have almost finished the work we want to do on the backend and are starting to look at the UI of v2. If you are interested in seeing exactly where things are at or seeing where you can get involved, feel free to take a look.

Getting back to the release, here is what we have this time around:
Release Notes

  • Glimpse.Core – Featherweight release 1.8.4
    • Fix up edge case where UI would not be resizable
    • Extending the ContentTypeElement to include optional RuntimePolicy
  • Glimpse.ASP.NET – Bantamweight release 1.8.1
    • Update to RouteInspector to ignore non AspNet routes doesn’t work for WebHosted WebAPIs
  • Glimpse.EF* – Bantamweight release 1.6.1
    • Fixed bug when using DbGeography type in some edge cases

Special Thanks
In terms of pull requests, I have to say a big thanks to:

  • Paul Atkins
    • #736 The update to RouteInspector to ignore non AspNet routes doesn’t work for WebHosted WebAPIs
  • Björn Holdt
    • #746 Migrate Build to use Automatic Package Restore
  • James Chambers
    • Update to contributing documentation

And for the great issue reports, I want to thank:

Release Details
Well I think that is a wrap. For a full list of changes, issues and commits see below:

Thanks to everyone involved and enjoy the release!

Glimpse 1.8.3 released – Insights removed

Today we had an unscheduled release of Glimpse. This was to remove the Insights “feature” which was introduced in the last release – 1.8.2. Its removal is based on the feedback we received from the community since going live.

Background
For a long time now, we have been trying to work on ways to get better feedback about how people use Glimpse. We routinely hear from people on Twitter, via the issue list and at conferences; unfortunately, this feedback is fairly anecdotal and hard to quantify. We decided to try and get usage analytics directly from the client itself.

In thinking about this, we decided to ask the community what they thought. Before we released 1.8.2, we posted our thoughts on this blog – Getting greater insights into Glimpse – and out on Twitter, asking for feedback, and received no negative response.

This morning, we received feedback from the community that the Insights feature isn’t desired (at least in its current form) and until we can make a decision as a community, we have removed the feature and released this update.

Moving Forward
From this experience, it’s clear that the communication channels that we have, and the process of lazy consensus, can’t adequately cover all situations. In addition, for changes such as this, we should work much harder to get/force a response from the community before moving forward.

I’m happy that we were able to respond to community feedback quickly and hope that we can continue to do so in the future.

Thanks to those who participated in the discussion and I’m glad we came to a good outcome.

Putting WebForms DataBinding front and centre

The previous release of Glimpse saw the introduction of first class WebForms support, bringing with it a contextualized view of both the Control Tree hierarchy and the Page Life Cycle. Glimpse WebForms development has been continuing apace and with this new release we’re delighted to shed some light on the previously dark art of WebForms DataBinding.

WebForms ‘DataBlinding’
DataBinding is to WebForms what ModelBinding is to MVC and is an essential ingredient in building maintainable and testable WebForms code. But until now, understanding when a DataBind occurs has been pretty much a mystery. For example, a change to the Page’s PostBack status or a Control’s ViewState mode can have dramatic effects on when DataBinds are triggered. Changing a DataBound Parameter value is another way to fire a DataBind, the Text of a TextBox for example, but keeping track of these values as the Page moves through its Life Cycle hasn’t been easy.

Glimpse to the rescue
We’ve added a new DataBinding section to the Control Tree tab. Alongside each DataBound Control we list the Page Life Cycle Events during which a DataBind was triggered for that Control. The screenshot below shows that the categoryList was DataBound once during the Page PreRender Event.

DataBinding Event

You may be thinking this information can only be displayed if you’re using the latest .NET 4.5 DataBinding approach, more akin to the ModelBinding architecture of MVC. But you’d be wrong. The Event information is displayed for all Controls inheriting from DataBoundControl, for example the ListView and FormView (but not the DataGrid or DataList), irrespective of how they were DataBound.

We haven’t stopped there. Together with the Event we also display the Parameters in play at the time the DataBind happened. The screenshot below shows the breakdown of the Parameters used when the productList was DataBound in the PreRender phase. The first Parameter looked for, but didn’t find, the id field in the QueryString; the second Parameter found a value of ‘Cars’ in the RouteData categoryName field.

DataBinding Parameters

Once again, this Parameter display isn’t limited to .NET 4.5 DataBinding. Provided the Parameters are registered using an ObjectDataSource, LinqDataSource or SqlDataSource the information can be extracted just the same.

Glimpse 1.8.2 released

It’s a new year and we have a new release ready to go out the door. This time around, we have a ton of bug fixes and a few new features here and there. This release represents the most contributions Glimpse has ever had in a single release, as well as having the greatest number of contributors.

WebForm support for DataBinding
Since our initial support for WebForms was released, the response from the community has been amazing. Not only have we discovered that WebForms developers have been seeking innovations in the space, but they have been wanting to get involved. This has led to Graham Mendick and Steve Ognibene stepping forward to make sure the WebForms package keeps moving forward.

This has led to DataBinding visualization being added to the Control Tree tab within Glimpse. More details will come in a future blog post, but the short version is that we can now see all the actions that WebForms takes to bind your controls.
WebForms_DataBinding

ASP.NET Server tab
In a previous release, we removed the old version of the Server tab. This was removed as a lot of the data we were displaying was being shown elsewhere. Since then, we have found that some users missed the data that wasn’t being displayed elsewhere. Hence, the Server tab has made a comeback and has received a bit of a facelift thanks to Bryan Hogan.
ServerTab

Glimpse Insights support
Along with this release, we are putting out Glimpse Insights. As discussed in the post, this is the means by which we hope to better understand how people use Glimpse and where we should be focusing our efforts.

As much as we need these insights to make better decisions and ultimately a better product, if it’s something that you don’t want to take part in, you can completely opt-out. Simply update the Glimpse section in your web.config to have the following addition:

    <clientScripts>
      <ignoredTypes>
        <add type="Glimpse.Core.ClientScript.Insight, Glimpse.Core"/> 
      </ignoredTypes>
    </clientScripts>

If you do opt-out, there will be no traces of Insights in your code base. Insights was designed not simply to be a switch on or off, but to be a complete removal. Meaning no traces of the Insights code will remain if you choose to opt out.

Release Notes

  • Glimpse.Core – Featherweight release 1.8.2
    • Update to disabled Glimpse when request init is bypassed
    • Update client to only modify local ajax requests
    • Add initial support for Glimpse.WindowsAzure and Glimpse.WindowsAzure.Storage
    • Update to show friendly message if current async implementation is not supported
    • Added initial Insights support to client
    • Update client to delayed tab rendering till glimpse open
    • Update client to added more blacklist items for target chars that should be ignored by case processor
  • Glimpse.ASP.NET – Welterweight release 1.8.0
    • Update Route Inspector to ignore non AspNet based routes (this fixes problems with Glimpse and WebAPI)
    • Added updated Server Tab which shows common server variables
    • Clean up web.config transform to remove volume of commented out config in the glimpse section
    • Update Request Tab serialization to handle request validation failures
  • Glimpse.MVC* – Flyweight release 1.5.3
    • Added updated support for IUnvalidated and IEnumerable ValueProviders
    • Fixed problem where Response.RedirectToRoute() in Global.asax could throw a NullReferenceException
  • Glimpse.WebForms – Lightweight release 1.1.0
    • Added visualization for DataBinding in the ControlTree Tab
    • Improve basic ViewState processing for SqlDataSource, LinqDataSource and ObjectDataSource

Special Thanks
In terms of pull requests, I have to say a big thanks to:

  • Christophe Gijbels
    • #704 Disabled Glimpse when request init is bypassed
    • #702 Update Request Tab serialization to handle validation failures
    • #701 Added update for IUnvalidated and IEnumerable ValueProviders
  • Keith Dahlby
    • #688 Show friendly message if current async implementation is not supported
  • Paul Atkins
    • #723 Update Route Inspector to ignore non AspNet based routes
  • Bryan Hogan
    • #712 Adding updated Server Tab which shows common server variables
  • Graham Mendick and Steve Ognibene
    • #716 Update WebForms Control Tab to visualize DataBinding

And for the great issue reports, I want to thank:

Release Details
Well I think that is a wrap. For a full list of changes, issues and commits see below:

Thanks to everyone involved and enjoy the release!

Client side development just got easier

For those who are contributing to the client or writing client side plugins, things just got a little easier. Today we committed to master an update that adds a feature to the client test page which shows all the client pub/sub events that occur and who is subscribed.

The client has a loosely coupled architecture built on top of a pub/sub model. Pub/sub has many advantages, but one of its biggest disadvantages is the lack of visibility into what events are occurring, the data being passed and who is subscribed. This tab reveals all of this information and more. It even updates live as events are occurring and as the client lifecycle moves on.

Here is a preview of what you can expect:
PubSubTab

At the moment, this tab is only available in the client test page. In the future, we are looking at the possibility of shipping this within the server implementation and allowing developers to toggle it on and off as required. But this will be done some time in the future based on feedback.

Getting greater insights into Glimpse

It’s the start of another year for Glimpse, and like last year, we are gearing up for more big things. In the first half of the year, we are expecting to get version two out the door – plus more support for new frameworks and platforms.

In 2013, Glimpse version one shipped in February, and since then it’s been a roller-coaster ride of support for additional frameworks (ADO.NET, EF, ASP.NET MVC4, MVC5 and WebForms), great new features and a design overhaul. In addition we’ve been keeping up with new paradigms and rethinking established ones (support for async, and the new visualizations of WebForms information released in October and November). Some amazing work has gone into all this, and while there are a few names that do stand out (we brought on two new full time contributors Christophe Gijbels and Björn Holdt), it’s all down to you guys – so thank you, and we hope you had very Happy Holidays!

With the start of 2014, we are focusing on how we get you the information you need to better understand your application. Most of this boils down to what we are currently calling “context aware UI”. This is based on a realization that we are currently siloing information that can better be represented when shown together, in a unified view.

Currently, this is happening in HUD and the various popup views. Here, we merge together information from the several tabs (such as the execution and SQL tabs), to build a unified picture. But we want to carry this vision beyond just HUD and forward into the main Glimpse UI. Exactly what form this will take, we aren’t sure yet, but it’s something that we are actively working towards.

To this end, we want to better understand how people use and interact with Glimpse. With this information, we feel we can better make the decisions on how to move forward and what impact potential changes will have. To help in doing this, we feel the most effective tool we can introduce is system analytics.

In the past, we’ve made all Glimpse improvement decisions based on anecdotal evidence that we hear in the issues list/forum and by chatting with users at conferences. While this information has been enlightening and hugely helpful, we’ve never been able to be quite certain whether we’re helping the majority of you, or just those of you who are active in voicing your opinions.

Removing the Server tab is a great example of where we might not have made the best decision that we could have. We made the change based on feedback from users who said that they didn’t use it. Once it was done, we had a large number of users come back saying that they regularly use this tab. We had no idea these users existed or used Glimpse in the way that they do.

To remedy this, we’d like to introduce metrics into Glimpse to allow us to more fully understand usage, what tabs are being used and what mostly gets thrown by the wayside. This will help us to create a Glimpse that works best for you, based on what you want and need, rather than what we think might be useful. This, we hope, will help us move forward and take Glimpse to the next level.

Being the type of project we are, we will be fully transparent with our findings and what the data is revealing to us. We expect that the metrics will flow through to our site, but we haven’t worked out the exact technical details yet. Additionally, like any similar effort, if for whatever reason you don’t want to participate in providing anonymous usage data, we will provide a simple means to completely opt-out. Lastly, it is intended that none of this effort will impact the runtime or execution of your application, which we deem a key criterion for success.

Like always we would love your feedback and ideas. If anyone is interested in helping out with the dev effort, let us know, as there are several technical challenges that are going to be interesting to work through.

A Glimpse into Windows Azure

With Glimpse, we can peek into all things server side. We can inspect ASP.NET, ASP.NET MVC, Entity Framework, ADO.NET and much more through plugins. Since many developers are making use of Windows Azure to host their web applications, we are happy to announce a first public preview of two Windows Azure tabs in Glimpse!

Glimpse.WindowsAzure.Storage

The Glimpse.WindowsAzure package will display runtime information for a Cloud Service or Web Site. Glimpse.WindowsAzure.Storage collects and displays information about traffic from and to storage and gives best-practice advice. More information about the information offered through these new tabs can be read on Maarten’s blog.

It would be great if you could give these two packages a try and give us feedback! Here’s how:

Note that the Windows Azure tabs are still in a preview phase and rough edges may be in there. We’re still looking at load balanced environments. You can implement Glimpse’s IPersistenceStore but we would like to have a zero-configuration setup in place.

Enjoy the new year!

Glimpse ASP.NET 1.7 Released – Cache Tab

The community around Glimpse is continuing to swell as each release includes the effort of more and more people. This release is comprised almost entirely of contributions from outside the “founders team” of Anthony and me (who have been focusing much of our effort on the forthcoming release of version 2.0).

Caching Tab
The big feature in this release is the new Cache tab, which provides insight into the state of the application’s usage of data caching via the HttpRuntime.Cache object.

Cache Screen Shot

Async Patch
Additionally we have released a patch fix for a small number of users who have experienced problems with the Async support we released in 1.8.0 and crossing AppDomain boundaries. This has come up for users when they navigate to a page that contains a ReportViewer control, or use VS2010/12 Dev Web Server (instead of IIS Express or full IIS), or a couple of other edge cases.

A full fix for this will come in v2 but if you run into an exception that reads something similar to:

Type 'System.Web.HttpContextWrapper' in assembly 'System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a' is not marked as serializable.

you simply need to add the following as an app setting element:

<appSettings>
    ...
    <add key="Glimpse:DisableAsyncSupport" value="true" />
    ...
</appSettings>

If this affects you and you are interested in reading more details on it, head over and take a look at issue #632.

Lastly, we’re also releasing Glimpse.Core 1.8.1 and version 1.5.2 of our MVC packages, each with several bug fixes. Here are the full details:

Release Notes

  • Glimpse.ASP.NET – Middleweight release 1.7.0
    • New data caching tab for HttpRuntime.Cache
    • Improved handling of connection strings in Configuration tab including the ability for a user to define which keys/values inside a connectionString should be obfuscated
  • Glimpse.Core – Featherweight release 1.8.1
    • Fixed style issue which forced Glimpse tables to be full width
    • Added new client events around HUD init process
    • Fixed encoding issue in the AJAX HUD ticker
    • Fixed issues with certain CORS requests failing due to unexpected header modifications
    • Fix to HUD’s poor wrapping on small screens
    • Fixed possible in-memory persistence store thread issue
    • Update structured layouts so titles can have the new casing logic applied
    • Updates to make Glimpse.axd compliant with content security policies
    • Allow users to disable use of Logical Call Context via Glimpse:DisableAsyncSupport AppSettings switch
  • Glimpse.MVC* – Featherweight release 1.5.2
    • Fixed bug with model binding tab and some complex models

Special Thanks
As mentioned above, this release was a big team effort. In particular we’d like to thank:

  • Christophe Gijbels
    • #676 Made in-memory persistence store thread-safe
    • #658 Update Glimpse.axd to CSP compliant
    • #671 Improved handling of connection strings in Configuration Tab
    • #655 Updated complex models processing to work correctly in the model binding tab
  • Bryan Hogan
    • #675 Update the Cache Tab ready for release
    • #649 Removing commented out from request tab
    • #648 Update resource result to not generate null reference exception when dealing with QueryString
  • Steve Ognibene
    • #641 Improve WebForms viewstate smoke tests
    • #636 Additional coverage for improving WebForms viewstate smoke tests
  • Andrew Ma
    • #104 Prototype implementation for caching tab
  • Dorin Manoli
    • #677 Update HUD wraps to fix incorrectly on small screens

And for the great issue reports, we’d also like to thank:

Release Details
For a full list of changes, issues and commits you can use any of these links into GitHub:

Thanks to everyone who helped out with this release and the Glimpse team would like to wish you and yours a happy holiday and bug-free New Year!

dj

Protect Glimpse.axd with your custom runtime policy

Let’s first start with a quick recap on how Glimpse decides whether or not to aggregate and store diagnostic data for a specific request and how it protects its own resources from unauthorized access. (Glimpse resources are, for instance, the Glimpse client JavaScript file, the metadata that makes up the Glimpse panel, but most importantly the aggregated diagnostic data of the last and previous requests.)

To make sure Glimpse doesn’t show possibly sensitive diagnostic data, it allows you to create a custom runtime policy. This, based on your rules, authorizes or prevents the Glimpse Runtime from returning the aggregated data or even from running in the first place – all of this is determined per request. The Glimpse cookie for instance, which is what drives the “Turn Glimpse On” button, is checked by the ControlCookiePolicy, and is not used to prevent access to aggregated data but rather to inform the Glimpse Runtime whether or not it should collect information during the execution of a request.

All is not lost however. Glimpse is secure by default because it registers, out of the box, the LocalPolicy. The LocalPolicy is a runtime policy that checks whether or not a request has been made from the local machine and if this is not the case, then Glimpse will not aggregate data and certainly not return (previously) aggregated data. This is also the policy that must be ignored in the web.config if you would like to get Glimpse diagnostics from a remote server.

Now if you remove the LocalPolicy, then basically everything is out in the open. There is nothing protecting you from having Glimpse gathering diagnostics and returning this to the person making the request. You could disable Glimpse completely in the web.config by setting the defaultRuntimePolicy="Off" in the glimpse config section, but then there is not much for you to personally get either.

So you need to replace the LocalPolicy with your own custom security policy, which sounds harder than it is – usually only a few lines of code are involved. There might already be an example of such a policy in your project (albeit commented out) if you installed the Glimpse.AspNet NuGet package; just look for a file named GlimpseSecurityPolicy.cs.

GlimpseSecurityPolicyExample

What does this example policy do? Well if you compile this as is, then Glimpse will discover this policy and will ask the policy, by calling Execute at the end of a request (ExecuteOn has a value of RuntimeEvent.EndRequest), whether the client is allowed to see the aggregated data or not. This example will only allow this if the current authenticated user is a member of the Administrator role, but you can put any kind of logic in there if you want; just keep in mind that this will be called for every request that is being monitored by Glimpse.

In case you’re wondering why the check is done at the end of the request instead of the beginning (as Glimpse might already have monitored the request then), it’s because some things like the current User might not yet be set in the beginning, hence disabling Glimpse for every request. But depending on your logic (IP check for instance) you can change this value to RuntimeEvent.BeginRequest.

Securing Glimpse.axd

Now all of this was already possible with previous versions of Glimpse. But there was one thing that was not protected by such a custom security policy and that was the Glimpse.axd. This was due to the fact that if the same runtime policies had been applied, then the Glimpse.axd might not be accessible in the first place because the ControlCookiePolicy could not find the Glimpse cookie and you need (at least to begin with) the Glimpse.axd to set the cookie (and maybe add the bookmarklets to your favorites bar for later use). This is why the runtime policies were explicitly being ignored by Glimpse for the default resource aka Glimpse.axd.

You might wonder why you would secure the Glimpse.axd in the first place? Although it doesn’t give you access to the aggregated data, there is still quite some information being shown that might be useful to persons with bad ideas. Today the Glimpse.axd shows you how Glimpse is configured, maybe tomorrow we would like to provide you with the possibility to make changes to the configuration at runtime, who knows.

Securing Glimpse.axd as we used to do
There were several ways to lock the Glimpse.axd down because Glimpse wouldn’t. I’ll only show two of them, because some others are a little bit hacky and those two mentioned below can still be used today if you want to:

  1. Leverage the ASP.NET Security Model: By adding a location element to your web.config you can restrict access to the Glimpse.axd to Administrators only. Of course this is only possible if your authorization checks can be satisfied with a role check.
  2. Security by obscurity: We’ve been talking about Glimpse.axd but there is no compelling reason to keep it named like that, you can name it whatever you like as long as you adapt your web.config accordingly you are good to go. But again, it’s not bullet proof if somebody can guess really well.

Securing Glimpse.axd the way forward
As of release 1.7.0 of Glimpse, you can now secure the Glimpse.axd by using the same custom security policy as shown above. This has the benefit that your authorization rules with regards to Glimpse are stored in one place being your custom security policy and you no longer need to rely on security by obscurity or role checks (if that was even possible). And there is only one thing that you need to do for that which is modifying the ExecuteOn property of your custom security policy, so that it will not only be called at BeginRequest or EndRequest but also when a resource is being executed (our default resource aka Glimpse.axd) by updating ExecuteOn to:

public RuntimeEvent ExecuteOn
{
    // The bit flag that signals to Glimpse that it should run on either event
    get { return RuntimeEvent.EndRequest | RuntimeEvent.ExecuteResource; }
}

GlimpseSecurityPolicyExampleWithExecuteResource
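
A complete policy that combines the Administrator role check described earlier with this ExecuteOn value, as an added example (not the project's own GlimpseSecurityPolicy.cs). The namespace MyApp, the class name AdminOnlyGlimpsePolicy and the role name are assumptions; the policy denies access whenever the user is missing, anonymous or not in the role.

```csharp
using Glimpse.AspNet.Extensions;   // GetHttpContext() extension method
using Glimpse.Core.Extensibility;  // IRuntimePolicy, RuntimePolicy, RuntimeEvent

namespace MyApp // assumed namespace, use your application's own
{
    // Added example: once compiled into the web application, Glimpse discovers
    // this policy and calls Execute for every event listed in ExecuteOn.
    public class AdminOnlyGlimpsePolicy : IRuntimePolicy
    {
        // Assumed role name; replace with the role that may see diagnostics.
        private const string AllowedRole = "Administrator";

        public RuntimePolicy Execute(IRuntimePolicyContext policyContext)
        {
            var httpContext = policyContext.GetHttpContext();
            var user = httpContext.User;

            // Fail closed: a missing principal, an anonymous identity or a
            // user outside the allowed role all switch Glimpse off, both for
            // the monitored request and for the Glimpse.axd resource.
            if (user == null
                || user.Identity == null
                || !user.Identity.IsAuthenticated
                || !user.IsInRole(AllowedRole))
            {
                return RuntimePolicy.Off;
            }

            return RuntimePolicy.On;
        }

        public RuntimeEvent ExecuteOn
        {
            // EndRequest: the User has been set by the time the check runs.
            // ExecuteResource: the same check also guards Glimpse.axd.
            get { return RuntimeEvent.EndRequest | RuntimeEvent.ExecuteResource; }
        }
    }
}
```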

Voila, that’s all there is to it.

Now there are no more reasons why your Glimpse.axd can’t be secured. If there is something not clear or working, don’t hesitate to contact us on our issues list.

Glimpse: What’s the current status?

Have you looked at the Glimpse issue list on GitHub recently? New issues are being posted daily, which means the list is constantly changing. How do you know what is going to be released next and who is contributing to it?

Introducing the Status Dashboard

No more filtering, confusion, searching! The status dashboard makes it clear what is currently being developed for the next release.

What is going to be released next?

When you submit an issue on GitHub, the Glimpse team will categorise the issue into the core NuGet packages: Core, EF, ADO, ASPNET, MVC and Webforms.

Packages

If one of the packages is broken at the moment this will be highlighted in red and we will indicate what exactly the bigger issue is.

Who is contributing?

We have a lot of people contributing to Glimpse and we want to acknowledge them in every way possible. The bottom half of the status dashboard acknowledges all those that have reported issues

StatusBoard-Reporters

or contributed to the code base

StatusBoard-PullRequests

This last part of the status dashboard is really important for us, as we want to acknowledge those who contribute in whatever way they can to the project.

Feedback

The next time you are wondering what will be released next or if your issue will be resolved soon, take a look at the status dashboard.

As always we welcome your comments and suggestions! Any insights are welcome.