Code On Time: Security

Blog

Security

Monday, January 2, 2017Print Subscribe

Every application requires a list of user accounts that have been granted (or denied) access to the data. In order to maintain membership consistency, every user needs to be associated with a password. Recommended practices for passwords dictate that every password must be unique, contain a long series of mixed alphanumeric characters, and that users should change their passwords regularly. It is likely that many users do not follow these recommended practices, and tend to reuse simple and easy to remember passwords across various systems. This can lead to a security issue if one of the systems becomes compromised – malicious users can then gain access to all systems that share the same password.

In an attempt to solve solutions to the problems mentioned above, authentication can be delegated to a “higher authority”. Application admins can register their app to accept responses from a federated authentication server. When a new user attempts to sign up to the application, they can choose to register an account using their federated account. They will be redirected to the authentication server’s login page, and grant permission for the app to gain access to their email. This information is then used to automatically create an account in the app and sign them in. Therefore, the user simply has to ensure that their account in the federated system is secure.

Applications created with Code On Time can use OAuth 2.0 to register their users. Simply define a resource under the Content Management System (CMS) that lists your client ID, client secret, and redirect URI. A local redirect URI can be defined for testing purposes.

Registering Your App With Facebook

The first step to configuring Facebook Login is to register your app with Facebook. Navigate to https://developers.facebook.com. In the top-right corner, hover over “My Apps” and press “Add a New App”.

Specify a Display Name, Contact Email, and Category, and press “Create App ID”.

On the “Add Product” screen, press “Get Started” next to “Facebook Login”.

Under “Valid OAuth redirect URIs”, add a URI for your app URL, with the path “/appservices/saas/facebook”. It is recommended to add a test redirect URI when running the app locally on your PC.

Next, press “Dashboard” section on the navbar on the left side of the screen. Take note of the App ID and App Secret values.

Enabling Facebook Authentication in your App

Navigate to your website, and navigate to your Site Content page. Create a new record with the following properties:

Property	Value
File Name	facebook
Path	sys/saas
Text	Client Id: 1234567890 Client Secret: 12345mysecret67890 Redirect Uri: https://demo.codeontime.com/appservices/saas/facebook Local Redirect Uri: http://localhost:30195/appservices/saas/facebook

Make sure to replace the values in the “Text” property with the correct values for your app. Save the new record, and log out of the app.

Logging In With Facebook

On the login screen, the “LOGIN WITH FACEBOOK” action will now be displayed at the top of the form.

Press the “LOGIN WITH FACEBOOK” button, and the app will redirect to authenticate with Facebook. Once signed in, it will display a permissions popup.

Press “Continue as XXX” button to grant access to your profile and email address for that app. It will redirect back to your app and attempt to log in as a user with that email. If the user does not exist, it will be created. The password and password answer will be randomly generated.

Note that in order to allow Facebook users other than the app creator to authenticate with the app, the app must be marked as “Public” under the App Review section of the developer site.

Labels: Application Builder, ASP.NET, Features, Security, Web Application Generator

Monday, October 27, 2014Print Subscribe

Handling Login and Logout

In order to log into a web app generated with Code On Time, the user must first activate the login modal window. When using Touch UI, click on the Menu button in the top left corner.

Then, select the Login button in the menu.

This will open the modal login window. Enter the username and password in the fields provided, and press Login to initiate the login process.

The Desktop UI uses a flyover login dialog. Mouse over the top right corner of the screen, next to the words “Login to this website”, and enter the user credentials when the dialog appears.

If a standalone login page has been generated, then the username and password fields will be visible in the top right corner of the Login page. Enter the user credentials and press Login.

Once the user clicks the Login button, the $app.login JavaScript method will be called on the client. The login() meth0d invokes the web service on the server and executes DataControllerService.Login method, seen below.

public bool Login(string username, string password, bool createPersistentCookie)
{
    return ApplicationServices.Login(username, password, createPersistentCookie);
}

The DataControllerService.Login method then calls ApplicationServices.Login method, which creates an instance of ApplicationServices and calls the virtual method UserLogin.

public static bool Login(string username, string password, bool createPersistentCookie)
{
    ApplicationServices services = new ApplicationServices();
    return services.UserLogin(username, password, createPersistentCookie);
}

The UserLogin method’s default implementation will validate the user using the application’s Membership class. If successfully validated, it will set the authentication cookie and return true. Otherwise, it will return false.

public virtual bool UserLogin(string username, string password, bool createPersistentCookie)
{
    if (Membership.ValidateUser(username, password))
    {
        FormsAuthentication.SetAuthCookie(username, createPersistentCookie);
        return true;
    }
    else
        return false;
}

Any custom user control can call the $app.login method in order to log in the user – an example of this would be the standalone login page.

If it is necessary to the project requirements of your application, the UserLogin method can be overridden to extend the functionality. This allows setting of session variables, executing custom scripts on the server, logging user access, to name a few examples.

Logging In From JavaScript

Suppose that we want to add a button to the home page of the app that allows the user to log in with “user” account without having to use the standard login form.

The first step will be to add a page and a custom user control to the page. Start the Project Designer. In the Project Explorer window, click on the New Page button.

Specify these properties:

Property	Value
Name	LoginPage
Roles	?

Press OK to save the page. In the Project Explorer, drag and drop the new page to right of Home page to place it second in the site menu.

Right-click on the new page and press New Container.

Preserve the default settings and press OK to save. Right-click the new container and press New Control.

Next to the User Control field, click on the New User Control icon.

Enter a name of “CustomLoginButton” and press OK to save the user control. Press OK again to bind the control to the page.

On the toolbar, press Browse to generate the web app and the new user control file. When complete, right-click on the control and press Edit in Visual Studio.

The file will open in Visual Studio. Replace the contents after the <%@ Control … %> element with the following:

<div id="CustomLoginButton" data-app-role="page" data-activator="Button|CustomLoginButton">
    <div data-role="content">
        <p>
            <button id="login-admin-button">Login As Administrator</button>
        </p>
    </div>
</div>

<script type="text/javascript">
    (function () {
        $(document)
            // attach event to button
            .on('click', '#login-admin-button', function () {
                // call login method
                $app.login('admin', 'admin123%', true, function () {
                    // on success, navigate to Home
                    window.location.replace('/Pages/Home.aspx');
                }, function () {
                    // on failure, show an alert
                    alert('Login failed!');
                });
                return false;
            });
    })();
</script>

Run the project by pressing F5, and navigate to the Login Page. The page will have a single button present.

Click on the button. The page will successfully log in the user with “admin” account and redirect to the Home page.

Extending Login

The Login authentication method can also be overridden to implement custom functionality.

For example, suppose that we need to allow anyone to take the name of any user if they provide a secret key. Let’s override the Login method to check for presence of the secret key in the password. If the password is the key, then the user will be authenticated. Otherwise, the base method will be called to check for the user’s actual password.

Start the app generator. Click on the project name, and press Develop to open the project in Visual Studio.

In the Solution Explorer of Visual Studio, right-click on ~/App_Code folder and press Add | Class.

Assign a name to the class file.

Replace the contents of the file with the following:

C#:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Security;

namespace MyCompany.Services
{
    public partial class ApplicationServices
    {
        public override bool UserLogin(string username, string password, bool createPersistentCookie)
        {
            if (password == "secret")
            {
                FormsAuthentication.SetAuthCookie(username, createPersistentCookie);
                return true;
            }
            else
                return base.UserLogin(username, password, createPersistentCookie);
        }
    }
}

Visual Basic:

Imports Microsoft.VisualBasic

Namespace MyCompany.Services
    Partial Public Class ApplicationServices
        Public Overrides Function UserLogin(username As String, password As String, createPersistentCookie As Boolean) As Boolean
            If password.Equals("secret") Then
                FormsAuthentication.SetAuthCookie(username, createPersistentCookie)
                Return True
            End If
            Return MyBase.UserLogin(username, password, createPersistentCookie)
        End Function
    End Class
End Namespace

Save the file, and press F5 on your keyboard to start the application. Login to the application with the username “admin” and the password “secret”.

The application will log you in successfully and grant you access to the user’s pages.

Logging Out

The logout procedure is very similar to login. To log out from a Touch UI web app, click on the Menu button in the top right corner of the page, and click Logout from the menu panel.

When a user clicks on the Logout button, the JavaScript method $app.logout is called. The method will invoke the web service to trigger the DataControllerServices.Logout method.

public void Logout()
{
    ApplicationServices.Logout();
}

The Logout() web method will invoke ApplicationServices.Logout().

public static void Logout()
{
    ApplicationServices services = new ApplicationServices();
    services.UserLogout();
}

The ApplicationServices.Logout static method will create an instance of ApplicationServices and invoke UserLogout virtual method.

public virtual void UserLogout()
{
    FormsAuthentication.SignOut();
}

The UserLogout method will trigger the SignOut method of forms authentication, which will remove the authentication cookie.

Logging Out From JavaScript

Let’s add a logout button to the user control that was created previously. Switch back to the user control file open in Visual Studio, and replace the contents after the <% Control %> element with the following:

<div id="CustomLoginButton" data-app-role="page" data-activator="Button|CustomLoginButton">
    <div data-role="content">
        <p>
            <button id="login-admin-button">Login As Administrator</button>
            <button id="logout-button">Logout</button>
        </p>
    </div>
</div>

<script type="text/javascript">
    (function () {
        $(document)
            // attach login event to button
            .on('click', '#login-admin-button', function () {
                // call login method
                $app.login('admin', 'admin123%', true, function () {
                    // on success, navigate to Home
                    window.location.replace('/Pages/Home.aspx');
                }, function () {
                    // on failure, show an alert
                    alert('Login failed!');
                });
                return false;
            }).on('click', '#logout-button', function () {
                $app.logout(function () {
                    // refresh the page
                    window.location.reload();
                })
            });
    })();
</script>

Save the file, and open the page in your browser. Note that there are now two buttons.

Click on the first one and you will be logged into the app as “admin”. Click on the second one and it will log the user out, and refresh the page.

Extending Logout

The UserLogout method can also be overridden to add custom functionality. For example, suppose that we need to record when a user logs out. In the class file created in the previous section, add another overridden class after UserLogin method:

C#:

public override void UserLogout()
{
    Trace.WriteLine(String.Format(
                        "User {0} has logged out.", 
                        HttpContext.Current.User.Identity.Name));
    base.UserLogout();
}

Visual Basic:

Public Overrides Sub UserLogout()
    System.Diagnostics.Trace.WriteLine(String.Format(
                        "User {0} has logged out.",
                        HttpContext.Current.User.Identity.Name))
    MyBase.UserLogout()
End Sub

Press F5 to run the app in debug mode. Log in to the application, and then log out. Switch back to Visual Studio and you will notice that the line has been printed to the Output window.

Note that the line may not print in Web Site Factory apps.

Labels: Data Aquarium Framework, Security, Tips and Tricks, Web Application Generator

Friday, September 12, 2014Print Subscribe

Announcing Workflow Register

Workflows in Line-of-Business Applications

Workflow is a repeatable pattern of business activity. Business applications mirror the real-world patterns through data collection performed in sequences of user-interface screens.

Software developers create hard-coded data structures and data entry forms based on the input from business users. A line-of-business application represents the current understanding of a business process by a development team.

A successful line-of-business application eventually evolves to match the requirements of business processes in organization. The dynamic nature of a business life-cycle will require constant tweaks and fine tuning even in a successful implementation.

Application customization and deployment are very expensive and frequently disruptive. Line-of-business applications must include built-in tools to allow changing application behavior without modifying the core application code.

Procedural Workflows

Many software packages include implementations of procedural workflows. Procedural Workflow allows non-developers to describe sequences of application operations with optional conditions and loops. Procedural workflows can be presented as visual workflow diagrams or text-based scripts. Procedural workflows offer a great tool that allows altering application behavior without changing the core application.

Complexity of procedural workflows grows exponentially when business users are trying to express various exceptions that exist in real-world business processes. Procedural workflows do not offer the means of limiting access to data.

State Machine Workflows

State Machine workflows are composed of rules triggered by the state of data, user identity, and time. Each rule defines a test that allows inspecting the state of data. If the test has passed, then the rule is “triggered”. The triggered rules affect application behavior. If there is no state test, then a rule is considered to be “triggered” by the mere fact of association with the current user identity.

A state-driven rule effects a specific type of application functionality. For example, a rule with Allow type can define a filter that reduces a set of records to a smaller subset based on user identity. If the rule is “triggered”, then the filter is applied to any SQL statement reading data from the application database. A rule with Transform type may remove data modification actions from a data entry form. If the rule is triggered, then the end user will not be able to Edit, Delete, Import or create New data records.

A large collection of rules affecting application behavior can be developed. Developers organize related rules in groups. Groups of rules are associated with users and optional schedules. Association of end users with rule groups and scheduling can be outsourced to application administrators.

The standard end user experience is defined by the implementation of line-of-business application. The rules of the state machine workflow will alter user experience based on user identity, time, and state of data.

State-based rules hide the complexity of the real-world business processes by breaking them down into small and manageable bits of functionality. State-based rules are great when it comes to implementing real-world exception. A state-based rule can define data filters, user interface alterations, business rule injection, and much more.

Adaptive Line-of-Business Apps

For the past few years we have worked on an integrated solution that will enable declarative state-machine workflows in the generated applications out-of-the-box. The goal is to enable adaptive customization of live apps without making changes to the code that require re-deployment.

We have identified the following customization requirements that must be available in a live application:

Ability to define Allow/Deny filtering rules that can be applied to any data retrieved by application.
Ability to create customization rules applied to XML definition of a data controller.
Ability to replace an entire data controller with a substitute.
Ability to create “content” and “data” pages in a live app.

Several prototypes have been developed but appeared too complex to operate.

Meanwhile developers working with Code On Time had an option to implement requirements (1), (2), and (3) on their own:

Dynamic Access Control Rules - http://codeontime.com/learn/security/multi-tenant-applications/dynamic-access-control-rules
Data Controller Virtualization - http://codeontime.com/learn/workflow/virtualization-node-set-plugins
Substitution of controllers - http://codeontime.com/learn/data-controllers/virtualization

Requirement (4) can be satisfied in SharePoint Factory and DotNetNuke Factory Projects. Both products are content management systems that allow creating pages at runtime.

This year we have finally arrived to a solution that will become integrated in the apps created as Azure Factory, Mobile Factory, Web App Factory, or Web Site Factory projects.

The solution will be rolled into a single feature called “Workflow Register”.

It will include an integrated Content Management System (CMS) as a core component of generated apps. CMS will allow creating dynamic “data” and “content” pages at runtime.

“Data” pages will include markup that uses “data-“ attributes to define data views. For example, master-detail page at http://demo.codeontime.com/northwind/Pages/Categories.aspx is defined as follows:

<div data-flow="NewRow">
    <div id="view1" data-controller="Categories" data-view="grid1" data-show-in-summary="true"></div>
</div>
<div data-flow="NewRow" style="padding-top: 8px">
    <div data-activator="Tab|Products">
        <div id="view2" data-controller="Products" data-view="grid1" 
            data-filter-source="view1" data-filter-fields="CategoryID" 
            data-page-size="5" data-auto-hide="container" data-show-modal-forms="true"></div>
    </div>
</div>

“Content” pages may contain arbitrary HTML.

Here is the screen shot of a “content” page based on popular Bootstrap framework, which will be integrated in the Code On Time release 8.0.9.0 due out at the end of September 2014.

If workflow Register is enabled in a project, then the app generator will install a custom database schema to the primary database. The tables will have “ease_” prefix. The schema includes tables to support the following features:

Workflows - specifies Allow, Deny, Transform, Define rules that are applied to various application components, such as pages, menu items, controllers, etc.
Content Management System – provides storage for dynamic content, such as pages and menu items.
Register - global registry that associates user identity references (user IDs and roles) with workflows and optional schedules.
Permissions – a collection of workflow rules associated with users.

Register

The purpose of workflow Register is to enable management of various permissions by application administrators at runtime.

All users will have access to the Register entries associated with their user ID. Only administrators will have access to all entries in the Register.

Entries created by administrators have “Approved” status. Users will also be able to assign workflows to themselves. Such entries will be created with “Pending” status. Only “Approved” workflow register entries will be taken into account by the application framework.

A person assigning a workflow to a user or role does not need to know the details of workflow implementation. An entry in Register may read:

Workflow Human Resources is assigned to John Doe on Tuesday, Wednesday, and Thursday starting on November 15, 2014 and ending on February 1, 2015.

User John Doe will have have access to human resources pages on the specified dates. The workflow may allow or deny access to data records exposed on the pages.

Developers will be able to create workflow rules that delegate management of Register entries to the users other than administrators.

Workflow Register comes with pre-defined data controllers and management pages exposed through “Register” menu option in generated apps.

Workflows

Workflows are collections of rules defined by application developers. A developer can create a set of pre-defined workflows as a part of application at design time. New workflow rules can be created and existing ones can be customized at runtime as needed.

Rules may affect application behavior in multiple ways. For example:

A filter that allows or denies access to data can be specified
New pages can be made available to end users
Data controller actions defined in the application can be dynamically altered at runtime.
New SQL, JavaScript, and Email business rules can be introduced in data controllers.

The rule definition system if very simple and exceptionally extensible to fit the most demanding customization requirements.

Content Management System

Content management system allows populating an application with new “content” and “data” pages.

CMS may also store images, style sheets, JavaScript, and any other files or documents.

Application workflows determine access to the content. Content may be publicly available or limited to specific individuals or groups of users.

Permissions

Permissions are collections of workflow rules matched to a user identity.

Permissions are evaluated by application framework when users access various applications resources. Application framework matches workflow Register entries with the user identity and resource type. Matched workflow rules are automatically engaged by application framework.

For example, if “Allow” rule defines a filter limiting visibility of customer records, then the filter is included in SELECT statements executed by the framework when application tries to read a list of customers.

If a workflow assignment has an associated schedule, then permission engagement will be time-sensitive.

Permissions are created by application framework on-demand directly from the workflow Register entries. Permissions are refreshed when associated workflows are changed.

Availability

We are planning to release various components of Workflow Register with each upcoming release.

The upcoming release 8.0.9.0 due out by the end of month in September will include several elements of Workflow Register:

Support for content pages.
Support for declarative data pages.
Integrated Bootstrap framework to allow creation of compelling responsive content pages.
One-to-One entities support in data controllers. This particular feature is introduced to support “ease_” database tables.

Our production schedule indicates that Workflow Register will become available in November of 2014 or a sooner.

Labels: Application Builder, Application Factory, BYOD, Deployment, EASE, Security, Web App Generator, Web Application Generator, Web Form Builder, Workflow