Wednesday, November 7, 2012
Comparing Fly-Over Login and Dedicated Login Page

If custom membership and role providers are enabled for a project, then the application is configured to expose the page named Home to anonymous users. A link on the membership bar activates the fly-over Login window.

A fly-over login window in web app with custom membership and role providers created with Code OnTime application generator

Developers can re-design the page Home by removing the standard user controls and adding the custom ones. Standard user controls display a site map and login instructions.

Additional pages can be exposed to anonymous users if their Roles property is set to “?”.

For example, create a new page MySiteMap, set its Roles property to “?” (do not copy the double quotes). Activate User Controls tab in Project Explorer, right-click the user control node TableOfContents and choose “Copy”. “Paste” the user control on the new page. Right-click the page and choose “View in Browser”.

The new page will be visible to anonymous users along with Home page.

A page of a web app is exposed to anonymous users if its 'Roles' property is set to '?'

A dedicated login page can “greet” users when they access the web app.

Select the project on the start page of the application generator, choose Settings, and proceed to Authentication and Membership. Choose the Login Window section and enable a dedicated login page instead of a fly-over login window. Click the Finish button.

Select the Refresh action to ensure that the dedicated login page is included in the application design. Do not choose any data controllers in the Refresh dialog; simply proceed to refresh the project by clicking the Refresh button.

Generate the project. A dedicated page will be displayed asking users to sign in.

A standard dedicated login page created by application generator

If you need to change the layout of the login page, then activate Project Designer. Select User Controls tab in Project Explorer. Right-click Login user control node and select “Edit in Visual Studio” option in context menu.

Activating Visual Studio to modify the 'Login' user control

Visual Studio will start and display the definition of the user control. The user control is configured to be generated “First Time Only”. Any changes done in Visual Studio will persist between sessions of code generation.

Note that a dedicated login page does not protect pages exposed to anonymous users: such a page is still accessible to anyone who knows its URL.

For example, an anonymous user can access the MySiteMap page created above by entering its URL directly in the address bar of a web browser, without being required to sign in.

A page can be accessed directly in web app with a dedicated login page if its 'Roles' property is set to '?'

An attempt to access a protected page will redirect an anonymous user to the dedicated login page.

Wednesday, November 7, 2012
Introducing Custom Membership and Role Providers

Internet web applications require integrated user management. Anonymous users are denied access to protected site pages. Registered users may see a subset of the protected pages, depending on their roles.

About ASP.NET Membership

Microsoft ASP.NET Membership is a powerful pre-packaged option for user and role management available to developers. With little effort a set of required tables and stored procedures can be installed in the application database or in a standalone database. ASP.NET membership providers are a native part of the security framework of Microsoft .NET. Many database vendors include custom implementations of ASP.NET membership providers with their software.

It takes only a few clicks to integrate ASP.NET Membership in a web app using Project Wizard.

The requirement to maintain “alien” tables and stored procedures in the application database causes some developers to embark on a path to develop custom membership and role providers for a project. This is not a trivial effort - cutting corners is not recommended.

A table with a list of users is frequently a centerpiece of a database, which creates another incentive to build a custom membership provider.

Sample Custom Membership Configuration

Code On Time web application generator can produce integrated membership and role providers straight from the application database tables.

Consider the Northwind sample web application. The database table Employees is a perfect example of a source of user identities.

Table 'Employees' from the 'Northwind' sample may be used as a source of user identities in a web app

An application can treat the Last Name as a “User Name” and Extension as a “Password”.

Here is the list of employees.

The list of employees stored in the 'Northwind' sample database table 'Employees'

Start creating a new Northwind project.

As you go through the steps of the project wizard, pause on the page Authentication and Membership. Select option “Enable custom membership and role providers.”

Enter the following in the configuration box.

table Users=Employees
column [int|uiid] UserID = EmployeeID
column [text] UserName = LastName
column [text] Password = Extension

role Administrators = Fuller
role Users = *

option Create Standard User Accounts = false
option Password Format = Clear

The configuration of membership and role providers maps the columns of the physical table Employees to the logical table Users. The application generator uses the logical table mapping when creating the source code of the providers.

The configuration also defines two roles – Administrators and Users. A minimal custom membership implementation does not require a physical table to hold the list of user roles. This simple declaration states that the user with the last name Fuller is the “administrator”. It also declares that all employees are “users”.

The automatically generated implementation of providers will try to register two standard user accounts “admin” and “user”. Option “Create Standard User Accounts” is set to “false” to prevent that.

The provider implementation will also try to “hash” the passwords for added security. The employee phone extensions are stored in a “clear” format. Therefore the “Password Format” option disables “hashing”.
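The following is an added example, not code from the application generator, that models how the configuration above is read: a small parser for the line-oriented table/column/role/option format (grammar inferred from the samples on this page) and the static role resolution it implies, including comma-separated member lists such as "admin, user" used later in this blog. The config text is a constructed copy of the one shown above.

```python
import re

# Constructed copy of the Northwind provider configuration from the post above.
NORTHWIND_CONFIG = """
table Users=Employees
column [int|uiid] UserID = EmployeeID
column [text] UserName = LastName
column [text] Password = Extension
role Administrators = Fuller
role Users = *
option Create Standard User Accounts = false
option Password Format = Clear
"""

def parse_config(text):
    """Parse the line-oriented configuration; the grammar is inferred from the
    examples on this page. Returns dicts for tables, columns, roles, options."""
    cfg = {"tables": {}, "columns": {}, "roles": {}, "options": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        keyword, rest = line.split(None, 1)
        if keyword == "column":
            # column [type] LogicalName = PhysicalColumn
            m = re.match(r"\[([^\]]+)\]\s*(\w+)\s*=\s*(\w+)$", rest)
            if not m:
                raise ValueError(f"bad column line: {line}")
            cfg["columns"][m.group(2)] = (m.group(1), m.group(3))
            continue
        name, value = (p.strip() for p in rest.split("=", 1))
        if keyword == "table":
            cfg["tables"][name] = value          # logical -> physical table
        elif keyword == "role":
            # 'role Users = admin, user' lists members; '*' means every user.
            cfg["roles"][name] = {x.strip() for x in value.split(",")}
        elif keyword == "option":
            cfg["options"][name] = value
        else:
            raise ValueError(f"unknown keyword in line: {line}")
    return cfg

def roles_for_user(cfg, user_name):
    """Static role resolution: a user holds every role that lists them or '*'."""
    return sorted(r for r, members in cfg["roles"].items()
                  if "*" in members or user_name in members)

def passwords_hashed(cfg):
    """'Password Format = Clear' turns hashing off; any other value keeps it on."""
    return cfg["options"].get("Password Format", "Hashed").lower() != "clear"
```

With this configuration Fuller resolves to Administrators and Users, every other employee only to Users, and passwords_hashed reports that extensions are stored in the clear.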

Complete the application configuration and activate Project Designer. Using Project Explorer, select page Users and enter Administrators in Roles property, click OK button to save the page configuration. This will ensure that only an administrator can access the page.

Generate the app and log in as Davolio with password 5467 when prompted.

Sign in process in a web app with custom membership and role providers

Page Employees will not be visible in the site menu.

Non-administrative users do not have access to 'Employees' page

Log out and sign in as Fuller / 3457 to manage employees on the Employees page.

Users, Roles, and User Roles

The example above will have to be extended when dynamic roles are required.

Consider these database tables.

A basic set of tables of an implementation of custom membership and role providers

The following configuration of custom membership and role providers will be sufficient to equip a web application with dynamic users and roles.

table Users=Users
column [int|uiid] UserID = UserID
column [text] UserName = UserName
column [text] Password = Password

table Roles=Roles
column [int|uiid] RoleID = RoleID
column [text] RoleName = RoleName

table UserRoles=UserRoles
column [int|uiid] UserID = UserID
column [int|uiid] RoleID = RoleID

Select the project name on the start page of the app generator, choose Authentication and Membership, and modify the configuration of custom membership and role providers. Generate the application and sign in with one of the standard user accounts – admin/admin123% or user/user123%.

Application home page is presented to a standard account 'user' after successful login

Tables Users, Roles, and UserRoles provide a foundation for the integrated security system of the web application.

Tables in the foundation of the security system of a web app with custom membership and role providers created with Code On Time application generator

Wednesday, November 7, 2012
Implementing User Management for a Web App With Custom Membership Provider

Create the “Users” table in the application database using one of the scripts of a minimal membership and roles provider. Configure custom membership and generate the project.

Minimal Membership Provider in Action

The application will open in the default web browser. Move the mouse pointer over the “Login” link and sign in using one of the two accounts automatically created by the app.

A fly-over login dialog of a web app with custom membership and role providers created with Code On Time application generator

The optional standard user accounts are created when the application starts. Use SQL Management Studio to select records from the “Users” table. Passwords “admin123%” and “user123%” of the corresponding user accounts are stored hashed by the membership provider.

Standard user accounts registered by custom membership provider in web app created with Code On Time

User Manager

Management of users can be seamlessly integrated in an application.

Select the project name on the start page of the generator and choose Refresh. The Refresh window of the Northwind project with the Users table selected is shown next.

Click the Refresh button to create the Users data controller in the application.

Adding 'Users' table as a data controller to an existing project created with Code On Time web app generator

Select Design to activate the Project Designer.

Press the “Ctrl” and “comma” keys simultaneously (Ctrl+,) to activate the Navigate To window. Enter “users” in Search terms and click on the first match.

Locating "Users" page in project configuration of an app created with Code On Time

The corresponding page node will be displayed in Project Explorer. Drag the page node to the desired location in the navigation menu.

Page "Users" in the application navigation menu

In the page properties enter Administrators in Roles to restrict access to the page. Only a user in the Administrators role will be authorized to access it. This snippet from the provider configuration does the job.

role Administrators = admin
role Users = admin, user
role Everybody = *

Right-click the Users page node and choose View in Browser, sign in as admin / admin123% and click on a user account. The form view editForm1 of data controller Users is shown in the screen shot.

A user account displayed in 'editForm1' of data controller 'Users'

The user manager will require some work:

  • The Password field is displayed as plain text. The value of the field must not be revealed to users.
  • If a password is changed by an administrator, then the value must be hashed before it is stored in the database.
  • A new password must be validated according to the membership provider configuration.

Switch to Project Designer and navigate to Users data controller.

Data controller 'Users' with selected 'Password' data fields

Change the Text Mode property of the data field nodes Users / Views / editForm1 / c1 – Users and Users / Views / createForm1 / c1 – New Users to “Password”.

The password encryption and validation will require writing some code. Right-click Users / Business Rules node and choose “New Business Rule” option.

Configure the following properties:

Property        Value
Type            C# / Visual Basic
Command Name    Update|Insert
Phase           Before

Click the “Generate” button on the designer tool bar. Wait for the app to display in the Preview window and switch back to Project Designer. The placeholder file for the implementation of the business rule has been created. Right-click the business rule in Project Explorer and choose Edit in Visual Studio.

Activating Visual Studio to edit a 'code' business rule

Visual Studio will start with business rule code file ready for modification. Replace the contents with the following.

C#:

using System;
using System.Data;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.Security;
using MyCompany.Data;
using MyCompany.Security;

namespace MyCompany.Rules
{
    public partial class UsersBusinessRules : MyCompany.Data.BusinessRules
    {
        
        /// <summary>
        /// This method will execute in any view before an action
        /// with a command name that matches "Update|Insert".
        /// </summary>
        [Rule("r100")]
        public void r100Implementation(System.Guid? userID, string userName, FieldValue password)
        {
            // Act only when the client actually changed the password; otherwise
            // re-saving a record would hash the already stored hash again.
            if (password != null && password.Modified)
            {
                ApplicationMembershipProvider.ValidateUserPassword(userName, (string)password.NewValue);
                password.NewValue = ApplicationMembershipProvider.EncodeUserPassword((string)password.NewValue);
            }
        }
    }
}

Visual Basic:

Imports MyCompany.Data
Imports System
Imports System.Collections.Generic
Imports System.Data
Imports System.Linq
Imports System.Text.RegularExpressions
Imports System.Web
Imports System.Web.Security
Imports MyCompany.Security

Namespace Rules

    Partial Public Class UsersBusinessRules
        Inherits MyCompany.Data.BusinessRules

        ''' <summary>
        ''' This method will execute in any view before an action
        ''' with a command name that matches "Update|Insert".
        ''' </summary>
        <Rule("r100")> _
        Public Sub r100Implementation(ByVal userID As Nullable(Of Integer), ByVal userName As String, ByVal password As FieldValue)
            ' AndAlso short-circuits, so password.Modified is never read when password is Nothing.
            If Not password Is Nothing AndAlso password.Modified Then
                ApplicationMembershipProvider.ValidateUserPassword(userName, CStr(password.NewValue))
                password.NewValue = ApplicationMembershipProvider.EncodeUserPassword(CStr(password.NewValue))
            End If
        End Sub
    End Class
End Namespace

The directive importing the namespace MyCompany.Security links the membership provider implementation to the code file.

The original type of the argument password has been changed from “String” to “FieldValue” to allow access to Modified and NewValue properties describing the password value submitted by the client application.

A call to the static method ValidateUserPassword checks that a password conforms to the membership provider configuration requirements. By default, a password must be at least seven characters long and contain at least one non-alphanumeric character. Use the provider configuration options Min Requires Password Length and Min Required Non Alpha Numeric Characters to change that.

Next, the business rule will encode the password value according to the membership provider configuration. The default option requires password hashing.
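The following is an added example, written in Python rather than the project's C#/VB, that models the behaviour of the business rule above end to end: FieldValue, validate_user_password, encode_user_password and the salt$hash storage format are this example's stand-ins, not the MyCompany.Security API, and the PBKDF2 parameters are the example's own choice. It shows the two points the rule has to get right: rejecting passwords that fail the default policy (seven characters, one non-alphanumeric) and hashing only when the client changed the value, so re-saving a record does not hash the stored hash again.

```python
import hashlib, hmac, os, re

class FieldValue:
    """Constructed stand-in for the generator's FieldValue: the submitted value
    and whether the client actually changed it."""
    def __init__(self, old_value, new_value=None):
        self.old_value = old_value
        self.new_value = old_value if new_value is None else new_value
        self.modified = new_value is not None and new_value != old_value

def validate_user_password(user_name, password, min_length=7, min_non_alnum=1):
    """Default policy from the post: at least 7 characters and at least one
    non-alphanumeric character. Raises ValueError like a validation exception."""
    if password is None or len(password) < min_length:
        raise ValueError(f"Password for {user_name} must be at least {min_length} characters.")
    if len(re.findall(r"[^A-Za-z0-9]", password)) < min_non_alnum:
        raise ValueError(f"Password needs at least {min_non_alnum} non-alphanumeric character(s).")

def password_accepted(user_name, password):
    """True when the policy accepts the password."""
    try:
        validate_user_password(user_name, password)
        return True
    except ValueError:
        return False

def encode_user_password(password, salt=None):
    """Hashed format used by this example: random salt + PBKDF2-SHA256,
    stored as 'salt$hash' in hex. Parameters are the example's, not the provider's."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt.hex() + "$" + digest.hex()

def verify_user_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _digest_hex = stored.split("$", 1)
    candidate = encode_user_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)

def before_update_insert(user_name, password):
    """Model of the r100 business rule: validate and hash only when the client
    changed the password; an unmodified field passes through untouched."""
    if password is not None and password.modified:
        validate_user_password(user_name, password.new_value)
        password.new_value = encode_user_password(password.new_value)
    return password
```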

Save the code file and refresh the Users page. Try creating a new user.

Password validation exceptions are displayed to the user.

Password validation errors displayed in a user manager in the app with custom membership and role providers

A successfully created user account will have its password “hashed”.

User password is 'hashed' when created in a user manager in a web app with custom membership and role provider