Security

Labels
AJAX(112) App Studio(7) Apple(1) Application Builder(245) Application Factory(207) ASP.NET(95) ASP.NET 3.5(45) ASP.NET Code Generator(72) ASP.NET Membership(28) Azure(18) Barcode(2) Barcodes(3) BLOB(18) Business Rules(1) Business Rules/Logic(140) BYOD(13) Caching(2) Calendar(5) Charts(29) Cloud(14) Cloud On Time(2) Cloud On Time for Windows 7(2) Code Generator(54) Collaboration(11) command line(1) Conflict Detection(1) Content Management System(12) COT Tools for Excel(26) CRUD(1) Custom Actions(1) Data Aquarium Framework(122) Data Sheet(9) Data Sources(22) Database Lookups(50) Deployment(22) Designer(177) Device(1) DotNetNuke(12) EASE(20) Email(6) Features(101) Firebird(1) Form Builder(14) Globalization and Localization(6) How To(1) Hypermedia(2) Inline Editing(1) Installation(5) JavaScript(20) Kiosk(1) Low Code(3) Mac(1) Many-To-Many(4) Maps(6) Master/Detail(36) Microservices(4) Mobile(63) Mode Builder(3) Model Builder(3) MySQL(10) Native Apps(5) News(18) OAuth(8) OAuth Scopes(1) OAuth2(11) Offline(20) Offline Apps(4) Offline Sync(5) Oracle(10) PKCE(2) PostgreSQL(2) PWA(2) QR codes(2) Rapid Application Development(5) Reading Pane(2) Release Notes(180) Reports(48) REST(29) RESTful(29) RESTful Workshop(15) RFID tags(1) SaaS(7) Security(80) SharePoint(12) SPA(6) SQL Anywhere(3) SQL Server(26) SSO(1) Stored Procedure(4) Teamwork(15) Tips and Tricks(87) Tools for Excel(2) Touch UI(93) Transactions(5) Tutorials(183) Universal Windows Platform(3) User Interface(338) Video Tutorial(37) Web 2.0(100) Web App Generator(101) Web Application Generator(607) Web Form Builder(40) Web.Config(9) Workflow(28)
Archive
Blog
Security
Sunday, October 20, 2013PrintSubscribe
Allowing Access to Data Controller Views on Public Pages

The client library of apps created with Code On Time allows only authenticated users to interact with data. If a user is not authenticated by the app then a request to retrieve data will be denied. There are scenarios when anonymous users must be allowed to interact with application data.

Let’s create a public Customer Sign Up Form in the Northwind sample to illustrate this situation.

Select the project on the start page of the app generator and activate Project Designer. Create a new page with the following properties:

Property Value
Name SignUpForm
Roles ?

Value “?” specified in Roles will allow anonymous users to access page with signing in.

Right-click Customers data controller on Controllers tab and choose Copy in the menu.

Copying data controller reference to the clipboard.

Switch back to Pages tab, right-click Sign Up Form and choose Paste in the context menu.

Pasting a data controller reference on page of an app.

A data view view1 in container c101 will be created under the page node Sign Up Form.

A data view on the page on app created with Code On Time app generator.

Configure the data view as follows.

Section Property Value
Startup Action Command Name New
Startup Action Command Argument createForm1

Click Generate on the Project Designer toolbar.

Annonymous users are not authorized to access application data by default in Code On Time apps in Mobile and Desktop client.

The exception at the top of the page indicates that the view createForm1 is private. The anonymous user is not authorized to access data.

If you click Login and sign in as user / user123%, then an empty New Customers form will be displayed.

If we want to allow anonymous users to create new customer records using createForm1, then the view must be configured for Public access. Also the standard actions of the data controller Customers need to be adjusted to work in a perpetual “new customers” loop. The user will be prompted to create a new customer after a successful entry of a new record instead of displaying a list of existing customers.

Select the view Sign Up Form / c101 / view1 (Customers) in Project Explorer.

A data controller view selected on page in Project Explorer of Code On Time app generator.

Change the Access property of the view.

Property Value
Access Public

Now configure the action state machine of the data controller.

Create a new action in action group Sign Up Form / c101 / view (Customers) / Actions / ag2 (Form) with these properties:

Property Value
Command Name New
Command Argument createForm1
When Last Command Name Insert
When HRef (Regex) SignUpForm

The action Sign Up Form / c101 / Actions / ag2 (Form) / a100 will be activated only when the page Sign Up Form is loaded in a web browser. The action will display createForm1 in New mode every time a new record is created.

Then select each of the actions ag2 (Form) / a8, ag6 (ActionBar) – New / a3, and  ag6 (ActionBar) – New / a4 shown in the picture to configure them to be inactive on the page SignUpForm.

Property Value
Whe HRef (Regex) false:SignUpForm

Data controller actions that must be deactivated when SignUpForm is displayed to the user.

Property When HRef (Regex) is a regular expression evaluated against the current URL loaded in the address bar of the browser. If there is match then the action is active and taken into consideration by the action state machine. Otherwise the action is considered to be inactive. Placing “false:” in front of the property value will make an action inactive if the regex following after “false:” is matched to address bar URL.

Browse the app without signing in and confirm that new customers can be entered on Sign Up Form by anonymous users.

Customer 'Sign Up Form' in action.

The form will remain in “New” mode after a new customer is created.

Log in to verify that the record is stored in the database.

Authenticated users can interact with a full list of customers in our sample.

Labels: Application Builder, Application Factory, Security, Web Form Builder, Workflow
Friday, October 18, 2013PrintSubscribe
Universal Mobile/Desktop Client, Mobile Factory, Active Directory, Synchronization Service

Code On Time release 8.0.0.0 introduces support for Universal Mobile/Desktop Client. The unique architecture of generated apps allows re-interpreting of the application user interface presentation. The original “Desktop” client library now has a “Mobile” counterpart. Apps created with Unlimited edition will automatically detect a mobile device and render an alternative touch-friendly GUI for the app.

The mobile client library is based on popular jQuery Mobile framework. The current implementation of the library allows read-only access to data. We are finalizing the editing capabilities and expect to have them rolled out by the middle of November 2013. Sorting, filtering, and advanced search will be included in the mobile client in the next couple of weeks.

The new project Mobile Factory allows creating apps with “mobile-only” user interface. This project is available without restrictions in Premium and Unlimited editions. Free and Standard editions allow creating Mobile Factory projects with up to ten tables.

Membership and authentication options have been extended to include Active Directory. Application users can sign-in with the standard fly-over login window or custom login. User identity is authenticated by Active Directory server. User roles are derived from Active Directory groups assigned to the user. This feature is available in Unlimited edition only.

New cloud-based Synchronization Service allows automated synchronization of Project Designer logs to simplify team development. Single users will also benefit from a cloud history of designer logs. Online portal allows management of design revision. The new service is designed to complement existing source control systems, such as Team Foundation Server. The synchronization service is offered at no charge. Organizations interested in hosting their own designer synchronization service may request pricing here.

Unlimited edition now includes SaaS (Software as a Service) support with full user authentication. Code On Time apps can be integrated into external web sites while running side-by-side. Examples will be available in the near future.  We expect to use this model to support the newest version of Microsoft SharePoint and other similar products in the future releases.

This release includes the following features, enhancements, and bug fixes.

  • Web App Factory, Azure Factory, and Web Site Factory support “_mobile” URL parameter. The “true” value will enable mobile GUI on desktop computers. Value “false” can be used to disable mobile GUI on mobile devices when needed. Empty value will delete the cookie.
     
  • Mobile Client displays “Call” context option for the fields tagged as mobile-action-call. Data fields with “Phone” in the name are tagged automatically.
     
  • Mobile Client supports tags mobile-item-heading, mobile-item-desc, mobile-item-label, mobile-item-count, mobile-item-aside, mobile-item-thumb and mobile-item-para to enable easy formatting of grid views presented on mobile devices. By default, the Mobile Client will automatically choose the fields to display based on their Show In Summary flag. Presence of any tag on a data field will override the default behavior.
     
  • New “Device” property of pages supports “Auto”, “Desktop”, and “Mobile” options. The default value is “Auto”. “Desktop” pages are not accessible in the menu or address bar from mobile clients and vice versa. This allows implementing pages that work only on mobile or only on desktop devices.
     
  • The current implementation of Mobile Client is based on jQuery Mobile 1.4 beta.
     
  • Class ApplicationServices implement EnableMobileClient static Boolean property that allows disabling Mobile Client UI. Create a partial class ApplicationServices in a dedicated class file, override method RegisterServices and assign “false” to he EnableMobileClient to disabled mobile client.
     
  • Standard TableOfContents and Welcome user controls include markup of mobile content.
     
  • New JavaScript and CSS versioning system is available in Web App Factory, Web Site Factory, and Azure Factory. File “DataAquarium.Version.xml” is included in the root of the projects. The file stores the application version number. The number starts at zero. It is incremented every time the application is published from the app generator. JavaScript and CSS references are enhanced with a suffix to force seamless re-loading on the client machines after deployment. For example, the suffix of a 7th revision of an app may look as follows in the actual combined script reference:
     
    ”../appservices/combined-8.0.0.7.en-us.js?_mobile”
     
    The  first part “8.0.0” reflects the version of the app generator. The last number “7” if the application revision.
     
  • Data controller service will not create data controller requests if a client is not authenticated by the app.
     
  • App services are exempt from "Authenticated user" requirement imposed by Controller.CreateConfiguration method.
     
  • Desktop Client correctly selects a record in a grid view if the record was created or changed in a modal form.
     
  • Active Directory authentication and groups are supports in Web App Factory, Web Site Factory, and Azure Factory apps created with Unlimited edition.
     
  • Combined script is integrated in Web App Factory, Web Site Factory, and Azure Factory in apps created with Unlimited edition. A single compressed script is returned to the client browser. This improves the download speed of pages. The combined script name accounts for user interface culture, “mobile” flag, and version.
      
  • App generators now supports Azure SDK 2.1
     
  • REST serialization processor correctly serializes Guid values.
     
  • User Controls are correctly opened in Visual Studio when selected in Project Designer.
     
  • Membership bar will detect and clear anchors from the URL when reloading a page.
     
  • Missing “type” attribute on “command” node of a data controller will not cause a runtime error.
     
  • Project Designer will clear contents of "empty" nodes when an empty text is assigned to an element. This eliminates the need to create unnecessary revisions in source control systems.
     
  • Solutions files are not re-generated anymore to allow modifying the solutions contents.
     
  • All projects types will now correctly reload if the source code has been opened in Visual Studio at the time of code generation.
     
  • BLOB Adapter implementation has been enhanced to work better with MySQL databases.
     
  • EASE auditing will correctly work with read-only fields.
     
  • Multiple business rule firing has been corrected. Caused by business rule blacklisting by ID instead of name.
     
  • Method MembershipProvider ResetPassword in custom membership providers has been fixed to support hashed passwordAnswer.
     
  • jQuery 10.2 and jQuery UI 1.10.3, are integrated in the client library.
  • New Watermark property is now available for data fields.
     
  • Fixed Oracle 4.5 projects not correctly hooking up ODP assembly. 
      
  • Desktop Client makes use of jQuery when dealing with various dimension calculations. We are abandoning Ajax Control Toolkit in the future releases.
Labels: Application Builder, Mobile, Release Notes, REST, Security, Teamwork, Web Application Generator, Web Form Builder
Tuesday, June 11, 2013PrintSubscribe
Password Recovery

Code On Time web apps using ASP.NET Membership automatically come configured with a password recovery form. This form can be opened by clicking on the Forgot your password? link on the dropdown login form.

The Forgot your password? link access the Password Recovery form.

When the user enters their User Name and Password Answer correctly, a new password will be sent to the email on file.

The Password Recovery form.

There are situations in which it may be necessary to allow users to access this form from a different location within the web app. In addition, if Custom Membership is used, the Forgot your password? link is not present. Let’s place the password recovery form in a custom user control and add this control to the home page.

Start the Project Designer. In the Project Explorer, right-click on Home / container2 node, and press New Control.

Adding a new control to the Home page.

Next to the User Control lookup, click on the New User Control icon.

Creating a new user control.

Assign a name to the user control:

Property Value
Name PasswordRecoveryForm

Press OK to save the user control. Press OK again to instantiate the user control on the Home page.

On the toolbar, press Browse to generate the user control. When complete, right-click on Home / container2 / control3 – PasswordRecoveryForm node and press Edit in Visual Studio.

Editing the user control in Visual Studio.

The file will open in Visual Studio. Replace the existing code after the <%@ Control %> element with the following:

<asp:PasswordRecovery runat="server" />

Press OK to save the file. Switch back to the browser. Notice that the Password Recovery form is placed after the Instructions text box on the Home page.

The standard password recovery form on the home page.

Note that you must configure SMTP settings in order for the password recovery email to be sent by the application.

Labels: Application Builder, ASP.NET Membership, Security, Web Application Generator
Continue to Custom Login Form
© 2024 Code On Time LLC. All rights reserved. All trademarks mentioned on this website are property of their respective owners.
Watch | Blog | Roadmap | Learn | Community | Support