Alan Cooper introduced personas as a user interaction/product design technique a few years ago.  Here's a good definition:

"A persona is a user archetype you can use to help guide decisions about product features, navigation, interactions, and even visual design. By designing for the archetype—whose goals and behavior patterns are well understood—you can satisfy the broader group of people represented by that archetype." 

They are a very effective method of getting developers to focus on a particular person when building software, rather than a class of user (e.g 'How would Steve the crazy trader use this trading screen', instead of 'What features does a trader want?').  Microsoft have been a keen adopter, especially in the core Windows group as this presentation highlights (they go to the point of developer posters and even a live email account for their personas, and rate product features using a feature-persona priority matrix).

What I hadn't realised until recently was that they are using personas in the Visual Studio group.  They are often backed up by more hard-core usability work (such as this presentation BradA mentions on Describing and evaluating API usability at Microsoft). Walter Moise, a contract developer with Microsoft, writes about the personas:

"Every group has personas. In the developer tools, we have Mort, Elvis, and Einstein. These guys are respectively, the typical VB developer, the typical C# developer and the typical MC++ developer. We have a detailed description of them in very specific vivid detail, which include not only the relevant job habits, but also their lifestyles (how they have fun, what they do on weekends). These get very specific, that you wonder if they are talking about a real person.

Mort is your most common developer, who doesn't have a CS background, may even be a recent newcomer, and doesn't quite understand what the computer is doing under the covers, but who writes the dinky IT programs that make businesses run. Elvis, more knowledgeable, cares about code quality, but has a life too. Einstein writes some serious-ass piece of code like device drivers, wants to get things done, needs to be able to go low level and high level, needs a language without restrictions to get his job done."

Mort seems an unfortunate name for the VB.NET developers.  I can't imagine anyone aspiring to be a Mort.

I find it interesting that there isn't much talk of personas within the XP/Agile world.  The agile processes are 'people friendly' but this is mostly if those people are developers.  Admittedly personas may have more impact on consumer shrink-wrapped applications, but I believe that the investment is still worthwhile in enterprise software projects (it's not a big investment for the potential pay-back).  There's still a lot (too much) responsibility placed on the client representative to know what the clients actually want.  Personas seem like an incredibly easy, but powerful tool that would fit well into the XP/Agile arsenal and help ensure that what the developers built is likely to "delight the customer" (to steal Steve Balmer's phrase).

Somehow I'd failed to update my RSS feed for John Bristowe's site so I'd missed the last few months postings.  He's been done a heap of work with WSE.  John's presentations helped me get started with WSE.

The post that most caught my eye was on custom policy assertions.  This is a great piece of functionality that lets developers hook their own XML Security tokens into a WS-Policy xml file.  So you can write statements like 'only let in a SOAP message that has an X509 digital certificate and one of my own XML tokens' in an XML file rather than having to write any custom code (I know I bang on about this point, but it's such a good one).  There's very little documentation (say, none) on this one (I relied on Reflector, the copy and paste button and a judicious set of breakpoints to work out what was going on).  John also comments on using policy to describe roles. 

The observant amongst you may notice that my new site redesign has a resemblance to John's.  I'm hoping that John will be at the PDC so I can buy him a beer.

Why is always more important than what ...Technical people are smart and used to figuring out things on their own. ... What they can't figure out is what was going on in your [the designer's] mind when you wrote a feature, and knowing that [the designer's intention] is the most important part.

As an audience we can use this time before Microsoft open the Kimono to start thinking about what Microsoft's strategies are in each of the areas (OS/dev tools/Web Services) and what design challenges they have to think about.  This helps generate questions so that when we're listening to the endless days of PowerPoint we have a reason to listen and engage.  As Dare has mentioned there's plenty of opportunities to ask the Microsoft developers questions at these conferences (like at Tuesday night's Ask the Experts).  Doing some work before hand to develop understanding and frame some questions is a good investment.

Tim Sneath has already started the questioning, asking will Yukon kill the business tier and put in the database?  Mehran isn't convinced, but it is the dialogue that is important. 

Background to Indigo:

• Read the speculations, and more speculations and  work out what is known from the session outlines

• Try and understand the WS-* standards that Indigo will be based on, especially WS-ReliableMessaging.

• Look at the EAI vendors and work out what problems they are currently solving that Indigo will try and solve.  I suggest the CapeClear's whitepapers site especially the Web Services and EAI paper on Web Services technologies and it's impact on applicaiton integration and Web Services Messaging Strategy.  Jorgen Thelin CapeClear's Chief Scientist has recently joined the Indigo team. 

• Get up to speed on the Architectural buzz-words: Message Oriented Middleware (MOM), Service Oriented Architecture (SOA).  Roger Session's latest ObjectWatch newsletter has a crack at defining What is SOA.  Clemens is a great source of information, as is Ingo's recent architecture briefings: 'SOAP is not a remote procedure call' and one on using other message patterns than just request/response.

• Enterprise Integration Patterns - a site by Gregor Hohpe from ThoughtWorks, describing 65 patterns to do with Enterprise Integration in a vendor-neutral way.  Going through this material should help fill us in on the space that Microsoft are trying to move Indigo into.  For example, since we know Indigo is a message bus, why not find out what a message bus is and how they can be usefully used in projects.

Specific questions I've got based on WSE:

• We know that WSE is a small 'bouquet of flowers' for us as developers, but what have Microsoft learned from WSE that they are going to put into Indigo?
• Will Indigo have the same modular, open approach to its architecture as WSE?  Will it be made of the same 'pliable building materials'?
• Gregor mentions that 'config file hell' is a major problem in Enterprise Integration projects.  Will Indigo be doing anything to address this (like WSE's very helpful Visual Studio Add-In and user tools?

It's a good thing to hear Microsoft people asking what they could do better.  It’s important to note that the current situation isn't necessarily a criticism of anything Microsoft are currently doing.  Blogs are making a big difference to the Microsoft community (both the MS blogs and others), the conferences like the PDC are great, the material on MSDN (MSDN-TV, the full presentations from TechEd 2003), the MSDN newsgroups with responses from the development teams, the patterns and practices group are all great things.

I think Larry nailed it when he says that the Java community has grown organically, without central sponsorship, and that communities involve people communicating with each other.  I think it's a tough ask to say what Microsoft could do itself to overcome these obstacles.

What I like about the Java communities that I've seen so far:

• Open source development plays a large part in this.  The Java developers seem to be comfortable using Open Source technology.  They are comfortable finding and learning about new Open Source tools, or even writing them if they are not available.  I was surprised at the XTC group to find out how few of the Java guys dislike J2EE.  The view I got was that when they need any Enterprise Software they just download an Open Source piece of software that handles the function they need.
• There's more interest in how you develop software, with ideas like XP or Agile Development and the tools: Nant (which MS are finally catching up on with MSBuild), CruiseControl, NUnit and others.
• Here's an excample of the kind of community event that I think it is exciting.  A group of open source developers hold a  weekend in Amsterdam, which from reports sounds really interesting.  Or a weekly GeekNight (admittedly, sponsored by ThoughtWorks, a development services company) where developers get together with their laptops and code.

Here are some issues I think the Microsoft communities  have (based on my very self-focused point of view):

• All of the technology comes out of a central organisation with long release cycles, making it hard to dynamically incorporate new technologies.  Although the PDC is great for 'opening the kimono' it's hard to create a community around this (while the PDC bloggers is good fun, it's also pretty tiring when there's no concrete information about the new technologies). 
• The communities are mostly sponsored by Microsoft.  They focus is on everyone getting closer to the source, rather than establishing a community in the place where they are.  For example, the MVP program and Partner programs seem to be about connecting people up to Microsoft so that they can take that information and push it back out again.  This is another complex point to overcome - 'how can MS create communities without making them look created'
• There's so much good information available that it breeds a kind of laziness amongst developers.  We don't need to go out and learn about it, it will come to us when we need to.  I admit this is a tough criticism to overcome (don't do less, but find ways to encourage developers to engage and do more).
• Microsoft is good at making complex technologies simpler so that they can be accessed by a wider audience.  We've seen it already in areas like relational databases, OLAP technology, distributed transactions, hosted environments and we'll see it again with many of the new technologies like Indigo with its message bus.  The problem is that sometimes Microsoft over-evangalise the wrong message.  This leads to the situation where too many VB projects were using MTS when they weren't getting any benefit from it (or the converse now where COM+ seems to be ignored in favour of 'cooler' new technologies).

So, how could Microsoft improve? Here are some random thoughts:

• Provide more opportunities for developers to speak to each other.  Provide events where the focus is on getting the audience to talk rather than the traditional User Group Expert-Lectures-With-PowerPoint-For-2-Hours.  Perhaps use this strategy adopted by John Bristowe when he ran the .NET group in Melbourne:

"An independently run volunteer user group, MDNug holds informal gatherings once a month where the focus is not on one speaker or subject but on several. To do this, members break into groups gathered around whiteboards. In small groups members are more likely to ask questions, present ideas and professionally critique the work of others, says Bristowe." Source

• Encourage more local dialogues on practices and architecture.  Why not have a 'developer hypothetical' evenings with MCS consultants where a problem is raised and the group (or teams) have to come up with architectures?
• Provide developer drop-in centres - space where teams of developers could come and work on small public projects (e.g. improving DasBlog - why not sponsor Clemens a trip to London to talk to a developer group who would implement new features, similar to Erich Gamma's campaign for Eclipse addin developers)?
• Encourage more open projects.  What about having someone like Eric Gunnerson managing public projects for development tool add-ins.  Things that the MS team didn't have time to do, but were requested by customers?
• Encourage more public discussion about the direction of future tools.  So not just about the bugs in the product today, but the future directions and the advantages/disadvantages of various approaches?
• Provide more opportunities to talk with MCS developers about architecture and approaches.
• As I was writing this John Porcaro a Microsoft Marketing guy posted about this issue, saying its about:

"letting the customers--the ones who just love your products or services--do it for you. It's about giving them something to talk about and making it easy for them to do it (even rewarding). It's giving them permission and rewards and social standing (the MVP program). It's removing barriers and maybe just as important not standing in their way."

These are just my thoughts, I'm interested in what others have to say (especially on how things could be improved, this is the tough one).

Continuing the theme of what the .NET community can benefit from the Java community comes news there will be a version of IntelliJ for C#.  IntelliJ is regarded as the best Java IDE by many people. Here's Martin Fowler's response:

"I know lots of ThoughtWorkers who are dying for this tool. While Visual Studio has a lot of nice features, the programming capabilities seem primitive when you've used a tool like IntelliJ or Eclipse. Of course, I find I really miss the refactoring capabilities, but there's much more than just the refactoring that makes IntelliJ such a stunning tool. Having a tool like this as a plug in to Visual Studio will make .NET programming much better."

I also noticed today that Martin Fowler is coming to the PDC to be part of an architecture discussion panel on What is Service-Oriented Analysis and Design?

Larry O'Brien suggests that Microsoft and Microsoft developers look at what they can learn from the Java community.  The key point for me is when Microsoft will support proper refactoring tools within their development environment.  Martin Fowler, who wrote the first major book on the topic, defines Refactoring as:

“…the process of changing a software system in such a way that it does not alter the external behavior of the code yet improves its internal structure.”

When combined with the practice of Test Driven Development (supported by automated testing frameworks like NUnit) Refactoring is an essential tool in any developers tool kit.  If you take the position that software development is a craft then Refactoring is like a painter discovering a new type of brush, or a carpenter discovering a new type of hammer.

The Eclipse project, an IBM backed project to develop a new IDE, they have superb support for refactoring, as shown on their help page.  While there are products available for .NET such as C# Refactory, they are still too buggy to use reliably.  I'm hoping that we'll be seeing the addition of Refactoring to Whidbey at the PDC.  Actually, after Googling on it I found that Alan Dean, fellow UK-based Microsoft Developer and PDC attendee has done the hard work of reading the PDC abstracts which state:

Visual C# "Whidbey" includes improvements to the code editor and debugger that cater to the code-focused needs of the C# developer. With support for refactoring in the code editor, advanced visualizations in the debugger, and more, Visual C# "Whidbey" supplements its modern syntax and component-oriented features with new and powerful productivity-enhancing IDE features. Source

The other point that I enjoyed Larry's article was that Java and Open Source have a much better sense of community:

With GotDotNet and other sites in "The .NET Code Wise Community," Microsoft’s presence is palpable and can be somewhat stifling, like a sanctioned school event where the principal is sitting in a corner reading a magazine.

This is definitely something I notice when visiting the Extreme Tuesday Club in comparison to the Microsoft User Groups.

Good to see that Hervey Wilson the Development Lead for WSE has a blog.  Hervey helped me out a couple of times on my last project to implement WSE in a multinational bank.  He's a great developer who really cares about how people are using his product.

Lest I be accused of falling for the 'link to a Microsoft person and expect everyone to know and care who they are' trap that Cameron Purdy spelt out, here's some interesting content that Hervey's already mentioned on his blog:

• A design goal of WSE was to open up the product so that it was easy for other people to open it up and use it in different ways.  He higlights the x509 certificate support that can be used by any project that needs a  managed object model to access the Certificate Stores regardless of whether they need Web Services or not.
• WSE can use this open approach because it has a short maintenance cycle and can have breaking changes across releases.  Herevey mentions other products (I'm thinking Indigo) have to think harder about what goes in the product.
• Hevery links to an article on David Stutz's site (ex Microsoft developer, including Rotor) about software as pliable building material (sounds like a metaphor for Service Oriented Architecture), where David talks about Indigo as part of the 'wave of network integration standards'
• He's been working on making WSE interoperate with other vendors against the OASIS Web Services Security scenarios.  Interestingly he notes that other vendors were pretty lacking (I can believe this - my recent project had a Java team also working on Web Services Security and the client went through a terrible time trying to drag a major Java vendor through the WS-Security specs (they ignored the 'mustUnderstand' SOAP header for goodness sake!)).  I hope Microsoft are helping OASIS push the other vendors to support the standard.  The WS-* standards are only useful to the extent that all vendors adopt and implement them.
• WSE is already being used by customers to handle transactions worth millions of dollars.

Sorry to blog about blogging, but here's a humorous rant from Cameron Purdy on some annoyances in .NET and Java blogs. Some highlights:

• There's too much terminiology for the sake of it which creates an artificially high barrier to entery.  Chris argues the terminology "is all a bunch of stupid made-up acronyms designed to keep 'new' people out by scaring the sh*t out of them".
• "half of [the .NET blogs] are by Microsoft employees trying to make it appear that there is a .NET community"
• "I despise the implication that I should be able to keep track of everyone on a first name basis that currently or has ever or may ever work at Microsoft or with Microsoft products, and further that I should be able to remember past, present and future project names that have been picked from a plethora of idiotic bags such as "river names," "mountain names," "city names," "country names," "old girlfriend names," etc"  Actually, here's a list of the Microsoft code names for those who are trying to keep up.
• a very funny spoof of Don Box's blogging style (here's a thoughtful discussion of the reasons behind Don's style I found by Stu Charlton, who's blog has many interesting comments on .NET community, SOA Architectures and software architectures amongst other topics)

Here are the presentation slides from my Test First Programming with .NET talk at the .NET London user group.  As I finished the talk, where I was demonstrating the Nunit and the NUnit Addin when the organiser said the guy who wrote it, Jamie Cansdale, was in the audience.  Talk about the choir preaching to the minister!  Luckily Jamie is a really nice guy.

We had a chat at the pub afterwards where Jamie said he understood my concern that the Nunit addin didn't have the 'green bar' of the original GUI.  He lamented that his girlfriend didn't really understand the work he did (a common problem in development), but that she did understand the green bar.  In my talk I shared that both my wife and mum know about the green bar.  I compare its affect to the sound of a bell to a Pavlovian dog. Jamie said he'd had to switch back to the GUI after the addin broke when Nunit was upgraded, and it made him realise he missed the green bar as well!

The good news is that Jamie's working on a way to provide a view of the tests inside Visual Studio, so as part of these changes we may see the green bar appearing in the Addin.

I was reminded of mind mapping after reading Tim Sneath's blog.  Last week I did a bit of Google and found a free mind mapping tool called Freemind (it’s written in Java but still has a decent UI response time!).  The keyboard shortcuts (INSERT for a new node, arrow keys for moving around, F2 for editing) make it very quick to use - I'm even thinking of using it for some talks at the PDC.

I've been using it for the last the last week to structure notes for an article, a review of the Extreme Programming Refactored book (review coming!) and even for TechEd talk that I've been listening to.  Here's a mindmap I did while I read recent articles on Test First development, for my talk at the .NET London User Group:

Just as I was singing Ingo's praises in the last posting my SharpReader icon turned yellow with news of Ingo's a new MSDN article on role-based security with WSE 2.0.  The article is mostly on using X.509 tokens together with roles and policy files.   The latest project I worked on used the WSE custom token managers to authenticate a SAML token as well as a custom XML token (a substitute for the ASP.NET Session Id HTTP Header, but for web services).  However, I wasn't sure whether you could use the same technique for X.509 Certificates as this seemed to be handled automatically by the WSE framework. 

The solution Ingo demonstrates is to derive a class from WSE's X509SecurityTokenManager and override it's AuthenticateToken method, calling the WSE implementation after doing any custom code, as follows:

public class X509RoleBasedSecurityTokenManager:
  X509SecurityTokenManager
{
 protected override void AuthenticateToken(X509SecurityToken token)
 {
    base.AuthenticateToken(token)
    // do some custom work, like setting the token.Principal
 }
}

Once a TokenManager's authenticate (for binary tokens) or validate (for Username tokens) method has been fired (it's hooked up using the AppDomain's config file, usually the web.config file, or using WSE Visual Studio add-in) then the policy file is applied.  This allows you to make declarations in the policy file about the roles the authenticated/validated user must be in to access the method, without having to write any code on the [WebMethod].  Ingo uses the WSE Policy Editor tool rather than writing the Policy XML by hand (good choice), but just to make it real, the policy file would have the following:

<wsp:Policy wsu:Id="CertificateRoles" xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy">
  <wsse:Integrity wsp:Usage="wsp:Required" xmlns:wsse="http://schemas.xmlsoap.org/ws/2002/12/secext">
    <wsse:TokenInfo>
      <SecurityToken xmlns="http://schemas.xmlsoap.org/ws/2002/12/secext">
        <wsse:TokenType>wsse:X509v3</wsse:TokenType>
        <wsse:Claims>
          <wse:Role value="Accountant" xmlns:wse="http://schemas.microsoft.com/wse/2003/06/Policy" />
        </wsse:Claims>
      </SecurityToken>
    </wsse:TokenInfo>
    <wsse:MessageParts Dialect="http://schemas.xmlsoap.org/2002/12/wsse#part">wsp:Body()</wsse:MessageParts>
  </wsse:Integrity>
</wsp:Policy>

This snippet defines a policy that says a soap request must contain an X.509 certificate security token that plays the role of Accountant in this application and that the soap:body of the request must be digitally signed with this certificate.

As I've mentioned before, this is is a great idea as it separates the code from the security settings. 

In the article, Ingo maps from the incoming certificate to some server-side certificate-role mappings to look up the roles that the user (represented by the certificate) is authorised to play in the application.  In his case he stores mappings between the certificate thumbprint (think Certificate Id) and roles in the configuration file.   I was thinking that it would be better to carry the role information inside the XML that represents the X509 binary security token (for example, SAML tokens have a collection of attributes that can be used for this value).  Perhaps it is better that each application map the certificate to local application roles as Ingo demonstrates rather than carry these with the tokens.  If the roles are defined with the tokens it means the issuer/creator of the tokens has to understand what roles the application's roles, which might be too tight a coupling between the token issuer and the application.

This was another good article from Ingo (he's certainly got his finger on the pulse.  I wonder if WSE and Service Oriented Architectures are part of his new book?).  It's great to see more articles on using WSE 2.0.  I can't wait for the other articles that Matt Powell mentioned.

One of the questions I've had with .NET is where has the COM Scripting Control gone.  Tonight Ingo Rammer helped me see the answer - there's no scripting control, but there is the ability to dynamically compile code.  So instead of using VBScript or JavaScript back in the land of COM, it's not possible to use and .NET language (VB.NET, JScript.NET) to script the application.  This is both a plus and a minus (it's more powerful, but also hard to learn to user).

Check out Ingo's presentation on Extensible Application with Scripting, CodeDom and Reflection.

if(this.Request.UrlReferrer != null)
{
    //Use the property's value.
}

Using a decompilation tool it's clear that the UrlReferrer property is doing some lazy evaluation of a URI member variable that represents the referrer.  The problem is that the .NET code is checking for the wrong type of exception.  If the URI object experience a problem in its constructor (such as a null or empty referrer value) then the documentations states that a NullArgumentException or a UriFormatException will be thrown.  However, the actual code only catches an HttpException:

try
{
   if (text1.IndexOf("://") >= 0)
   {
      this._referrer = new Uri(text1);
   }
   else
   {
      this._referrer = new Uri(this.Url, text1);
   }
}
catch (HttpException)
{
   this._referrer = null;
}

This is a downside of not having Java style exceptions, where each class must declare which exceptions it might throw and the compiler checks that all calling code handles it.  Describing the exception in the code is not a foolproof way of doing it.

Jason's article was on .NET 1.0, but it's still a problem in .NET 1.1.  Shame, Microsoft, shame ;)

It's been a busy week - Extreme Tuesday Club, Patterns study group, and now today, some great news about some 'alpha software' that's coming into my life.  I'll put up a review of the Extreme Programming Refactored soon - it's a great book.

Suzanne Cook is a Microsoft developer who works on the assembly binding code within the .NET Framework.  She writes some fantastic blogs, right up there with Chris Brumme (though thankfully not as long!).  Fumiaki agrees that her content is top quality and that she's prepared to go out of her way to help solve problem, including replying to email on a Sunday night.

In a code review with Mark White from MCS last week we were looking at some code I'd written to dynamically load an assembly.  In the XP spirit of 'do the simplest thing that works' I had used Assembly.LoadWithPartialName to load in my assembly since I was working on a development version that wasn't strong named or signed.  However this is a bad idea because as Suzanne says, it's the pathway back to DLL Hell.  As she says:

Assembly.LoadWithPartialName() ... uses partial binding. ... A partial bind is when only part of the assembly display name is given when loading an assembly. ...  First, it calls Assembly.Load(). But, if that fails to find the assembly, it will return the latest version of that assembly available in the GAC.

So, in the end I changed to use Activator.CreateInstance.  This works with partial binding for now until I strong name the assembly when I can use the full assembly display name.  Here's a sketch of the code (minus the error handling):

// Get the type from the config file value
Type remoteAssembly = System.Type.GetType(remoteAssemblyTypeFromConfiigFile);
string assembly = remoteAssembly.Assembly.ToString();
string typeReference = remoteAssembly.FullName;
// Get an object handle to this type
ObjectHandle wrapper = Activator.CreateInstance(assembly, typeReference);
// Unwrape the object handle into the interface we need
IRemoteInterface remote = (IRemoteInterface)wrapper.Unwrap();