This project is read-only.

Is it possible to using Orchard to develop a LOB application?

Jan 17, 2011 at 2:55 PM

Hi Eveyone, I see the statement "Orchard is a free, open source, community-focused project aimed at delivering applications and reusable components on the ASP.NET platform.", so I'd like to know currently is it possible to develop a big LOB application like CRM using this Orchard application framework? Can it help me built the LOB application more fast?

Thanks in advance for your help.

Jan 17, 2011 at 6:07 PM
Edited Jan 17, 2011 at 6:30 PM

Speaking as an outside observer who has only scratched the surface of Orchard, I think that while that description is not false, neither is it fair. Orchard is a CMS that locks you into its CMS paradigm. This is consistent with nearly all CMS's. But you can't throw in an .aspx file (or .cshtml file) side-by-side with Orchard and see it run as Orchard takes over the HTTP request routing; instead, you have to create a nested MVC project (an MVC "Area") and register a route. You're also encouraged to use Orchard's data access layer which is extensible but equally unique to Orchard, so there is an awkward learning curve, where instead of writing code in C# you write code in a DSL; once learned, it should be fairly straightforward to leverage. But forget LINQ-to-SQL or other O/RMs if you want to play well/richly with Orchard. Under the covers, Orchard uses nHibernate, but I don't know how exposed nHibernate is to Orchard users.

So my opinion is, yes you can, but it'll be awkward, and what you gain from Orchard by using it is (limited to?) a ready-made platform for managing content, adding commenting to custom content types and similar features and modules, additional modular extensibility of your web app, etc.

Jan 17, 2011 at 6:19 PM



doesnt sound good

Jan 17, 2011 at 8:03 PM

That is not true. Orchard is not taking over routing.

Of course if you want to integrate with Orchard, you need to adopt some of its conventions. Duh.

Jan 17, 2011 at 8:31 PM
Edited Jan 17, 2011 at 8:32 PM
bertrandleroy wrote:

That is not true. Orchard is not taking over routing.

 It does. As was observed with these threads:

.. indeed we found that if we customized the layout cshtml file to ensure that jQuery and jQuery plug-ins were included on all pages we had to add a web.config file to the scripts and styles folders that enabled the static file routing. And that's just for static routes.

Of course if you want to integrate with Orchard, you need to adopt some of its conventions. Duh.

 I hope that as this project matures, its maintainers can continue to carry forward a tone of dignity and respect with the community. I personally abhor such statements as "RTFM", etc., which fortunately no one on the Orchard team has devolved into using.

Jan 17, 2011 at 8:48 PM

It does not. It's only the default configuration of the application that is locked down to lower the security attack surface. You can go into web.config and relax it if you need to. I apologize if my answer seemed rude to you. That wasn't my intention.

Jan 17, 2011 at 8:51 PM
Edited Jan 17, 2011 at 8:52 PM

If you turn off this configuration, can the *source* of cshtml files be exposed to web browsers?

Jan 17, 2011 at 9:00 PM

Well, I think the only way you could make that happen would also stop them from working at all.

Jan 17, 2011 at 10:00 PM

I'm just trying to understand what security vulnerability footprint the default configuration solved. So in other words, if we removed this "feature" from the default configuration, what vulnerabilities are exposed? Feasability of removing this default configuration while maintaining moderate security confidence seems to hang in the balance.

Jan 17, 2011 at 10:04 PM

It's not a specific vulnerability, it's reducing the attack surface by removing what you don't need until you need it. One place where there is a known risk though is the media folder: as some of your users may have uploading rights there, you don't want to serve anything from there that is not static contents. Does this help?

Jan 17, 2011 at 10:21 PM
Edited Jan 17, 2011 at 10:22 PM

In this example, we can lock down just the media folder with a custom web.config to go through a secure route filter (e.g. a member access rights / ACL filter), this filter implemened as a module.

Yes it does help.