Security

Sunday, January 23, 2011
Mixed Authentication

Code On Time web application generator supports ASP.NET Membership and several other authentication mechanisms. ASP.NET Membership is an attractive option for Internet applications and can also be used successfully in intranet applications deployed within the network boundaries of an organization for use by a specific group of business users.

The web application administrator can use the advanced user manager provided with each generated application to create user accounts and manage roles.

Large organizations frequently mandate a single sign-on mechanism to eliminate the need to manage multiple passwords and user accounts.

  1. Typically a user name token is created and validated by authentication software deployed on the local network. The token is embedded in each web request that reaches the server, and the authenticated user name can be read from a request header variable.
  2. Another option is to use the Active Directory identity name, which is available if Windows Authentication is enabled in your web application.

You can take advantage of either option to implement mixed authentication based on the ASP.NET Membership option available in Code On Time database web applications. Only users registered in the ASP.NET Membership database of your application can access the application, and user roles are also derived from the membership database.

Users can self-register and will be able to access the application pages once the administrator approves the account. Alternatively, the administrator can create all authorized user accounts and assign the same "secret" password to every user.

Single sign-on is enabled through changes to the login user control. Open the file ~/App_Code/Controls/Login.ascx and modify its code-behind file as shown below.

C#:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.Security;
using System.Security.Principal;

public partial class Controls_Login : System.Web.UI.UserControl
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Mixed authentication sample: try to sign the user in silently
        // before the login form is shown.
        if (!Page.User.Identity.IsAuthenticated)
        {
            string userName = null;
            // 1. read the identity from the page request header variable
            userName = Request.Headers["UserName"];
            // 2. read the identity from the identity of the current Windows user
            userName = WindowsIdentity.GetCurrent().Name;
            // simulate the user name and ignore methods (1) and (2)
            userName = "admin";
            if (!String.IsNullOrEmpty(userName))
            {
                // The name must belong to a registered ASP.NET Membership user;
                // roles are resolved from the membership database afterwards.
                MembershipUser user = Membership.GetUser(userName);
                if (user != null)
                    FormsAuthentication.RedirectFromLoginPage(user.UserName, false);
            }
        }
    }
}

The two "silent" authentication methods are marked (1) and (2). This particular example ignores the information obtained from them and explicitly assigns the user name "admin" to the variable "userName". The application then looks up that name to verify that it identifies a valid ASP.NET Membership user; if it does, the user is automatically signed into the web application.

The login control is generated only the first time. Your changes to the code-behind file remain intact across subsequent code generations.

Adjust the sample to reflect your actual single sign-on method.
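As an added example (not code from the original post or from the Code On Time generator), here is a variant of the Page_Load above that keeps both silent methods but decides between them deliberately instead of overwriting the variable three times. It only trusts the header token when the request arrived from the address of the SSO gateway, because any client can send an arbitrary header, and it takes the Windows identity from Request.LogonUserIdentity, which is the account IIS authenticated for this request, rather than from WindowsIdentity.GetCurrent(), which under ASP.NET without impersonation is the application pool account. The appSettings keys SsoHeaderName and SsoGatewayAddress are assumptions of this example, not settings the generator defines.

```csharp
// Added example, not part of the original post. Assumes two appSettings
// entries (hypothetical names): "SsoHeaderName", the header the SSO gateway
// injects, and "SsoGatewayAddress", the gateway's IP address as seen by IIS.
using System;
using System.Configuration;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Controls_Login : UserControl
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (Page.User.Identity.IsAuthenticated)
            return;

        string userName = ResolveSingleSignOnUser(Request);
        if (String.IsNullOrEmpty(userName))
            return; // no silent identity: show the regular login form

        // Only approved, non-locked membership users are signed in silently;
        // roles are still resolved from the membership database.
        MembershipUser user = Membership.GetUser(userName);
        if (user != null && user.IsApproved && !user.IsLockedOut)
            FormsAuthentication.RedirectFromLoginPage(user.UserName, false);
    }

    // Returns the user name asserted by the SSO infrastructure, or null.
    internal static string ResolveSingleSignOnUser(HttpRequest request)
    {
        // (1) Header token: accepted only from the configured gateway address,
        // since a header alone proves nothing about who sent the request.
        string headerName = ConfigurationManager.AppSettings["SsoHeaderName"];
        string gateway = ConfigurationManager.AppSettings["SsoGatewayAddress"];
        if (!String.IsNullOrEmpty(headerName) && !String.IsNullOrEmpty(gateway)
            && String.Equals(request.UserHostAddress, gateway, StringComparison.Ordinal))
        {
            string fromHeader = request.Headers[headerName];
            if (!String.IsNullOrEmpty(fromHeader))
                return fromHeader.Trim();
        }

        // (2) Windows identity: meaningful only when IIS authenticated the
        // caller; with anonymous access enabled this identity is anonymous.
        WindowsIdentity identity = request.LogonUserIdentity;
        if (identity != null && identity.IsAuthenticated && !identity.IsAnonymous)
            return StripDomain(identity.Name);

        return null;
    }

    // Maps "DOMAIN\alice" to "alice" so it matches the membership user name.
    internal static string StripDomain(string accountName)
    {
        int separator = accountName.LastIndexOf('\\');
        return separator < 0 ? accountName : accountName.Substring(separator + 1);
    }
}
```

If your network stores membership user names with the domain prefix, drop the StripDomain call; the lookup must use exactly the form under which the administrator created the accounts.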

Thursday, November 18, 2010
Detecting Attempts to Access a Protected Page

Q. I built an application using Web Site Factory. The application has a dedicated login page. If I log in as "admin" and navigate to the membership page, then log out and log back in as "user" (which does not have rights to the membership page), I get stuck. I think that because "user" does not have rights to visit the last page I visited before I logged out, I cannot get past the login page without logging back in as admin, navigating off the membership page, and then logging back out.

A.

This is the standard ASP.NET behavior. You are signed in as "user", but the redirect URL still tries to access the membership page, which is not accessible to the "user" account.

There are two options to fix that:

1) Offer a static link to the home page of your application in ~/App_Code/Controls/Login.ascx. The user can click the link to reach the home page and break out of the login auto-redirect.

2) Add the following code to ~/App_Code/Controls/Login.ascx.cs:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Controls_Welcome : System.Web.UI.UserControl
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // The user is already signed in, yet ASP.NET still carries a ReturnUrl
        // pointing at a page this account may not be allowed to open.
        // Send the user to the home page instead of looping back to login.
        if (Page.User.Identity.IsAuthenticated && 
                !String.IsNullOrEmpty(Request.Params["ReturnUrl"]))
            Response.Redirect("~/Pages/Home.aspx");
    }
}

The code detects the ReturnUrl parameter in the page URL and redirects the user to the home page automatically.
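As an added example (not code from the original answer), here is a variant of option 2 that sends the user to the requested ReturnUrl when the signed-in account is actually authorized for it and only falls back to the home page otherwise, so a permitted destination is not lost. It also refuses anything but an application-local path, because a ReturnUrl that is an absolute or protocol-relative URL is an open-redirect vector. The control name, the ReturnUrl parameter and ~/Pages/Home.aspx come from the post; the helper names are this example's own.

```csharp
// Added example, not part of the original answer. Uses the same
// url authorization rules (Web.Config <authorization> sections) that
// protect the page itself to decide whether ReturnUrl is reachable.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;
using System.Web.UI;

public partial class Controls_Welcome : UserControl
{
    const string HomePage = "~/Pages/Home.aspx";

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!Page.User.Identity.IsAuthenticated)
            return;
        string returnUrl = Request.Params["ReturnUrl"];
        if (String.IsNullOrEmpty(returnUrl))
            return;
        Response.Redirect(ChooseDestination(returnUrl, Page.User), true);
    }

    // Decides where an already signed-in user should be sent.
    internal static string ChooseDestination(string returnUrl, IPrincipal user)
    {
        // Anything that is not an app-local path is replaced by the home page.
        if (!IsLocalPath(returnUrl))
            return HomePage;

        // Authorization is checked on the path only; the query string is kept
        // for the redirect but plays no part in the access decision.
        int query = returnUrl.IndexOf('?');
        string path = query < 0 ? returnUrl : returnUrl.Substring(0, query);
        try
        {
            bool allowed = UrlAuthorizationModule.CheckUrlAccessForPrincipal(path, user, "GET");
            return allowed ? returnUrl : HomePage;
        }
        catch (ArgumentException) { return HomePage; } // path outside the application
        catch (HttpException) { return HomePage; }     // malformed virtual path
    }

    // Accepts "/..." and "~/..." only; rejects "//host", "/\host" and "scheme://".
    internal static bool IsLocalPath(string url)
    {
        if (String.IsNullOrEmpty(url))
            return false;
        if (url.StartsWith("~/", StringComparison.Ordinal))
            return true;
        return url.StartsWith("/", StringComparison.Ordinal)
            && !url.StartsWith("//", StringComparison.Ordinal)
            && !url.StartsWith("/\\", StringComparison.Ordinal);
    }
}
```

With this variant, "user" logging in after "admin" lands on the home page because the membership page fails the authorization check, while a user who was bounced to login from a page they may open is returned to that page.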

Friday, May 21, 2010
Configuring Mail Settings

Q. Can you tell me in which component, file, etc. I configure the mail host that should be used to send out the password reminders?

A.

You can configure the mail settings of your application as follows:

  1. Run Code On Time Generator and select your project.
  2. Click the Next button a few times until you reach the Web Server page in the project wizard.
  3. Paste the text from the sample below into the Web.Config modification instructions field. Make sure to use your own SMTP server settings as the values.
  4. Generate your project. The system.net section will be integrated into the Web.Config file of your project whenever you generate the project next time.

InsertAfter: /configuration/connectionStrings
  <system.net>
    <mailSettings>
      <smtp deliveryMethod="Network" from="ben@contoso.com">
        <network
          host="localhost"
          port="25"
          defaultCredentials="true"
        />
      </smtp>
    </mailSettings>
  </system.net>

Note that the InsertAfter instruction inserts the XML snippet just after the connectionStrings section in the Web.Config configuration file of your application.

You can learn more about configuring mailSettings at http://msdn.microsoft.com/en-us/library/w355a94k.aspx.
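As an added example (not code from the original answer or from the generator), here is a small check that reads the merged <system.net>/<mailSettings> section back out of Web.Config and reports the settings that most often stop password reminders from going out or leave credentials exposed: a missing from address, a remote host without enableSsl, a remote host with neither default nor explicit credentials, and a clear-text password in the configuration file. The sample above uses localhost with defaultCredentials, which the check accepts; the findings are this example's own wording. It assumes .NET 4 or later, where SmtpNetworkElement exposes EnableSsl.

```csharp
// Added example, not part of the original answer. Inspects the
// system.net/mailSettings/smtp section of the running application.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Net.Configuration;
using System.Net.Mail;

public static class MailSettingsCheck
{
    // Returns a list of findings; an empty list means the section looks sane.
    public static IList<string> Inspect(SmtpSection smtp)
    {
        var findings = new List<string>();
        if (smtp == null)
        {
            findings.Add("No <mailSettings>/<smtp> section: password reminders cannot be sent.");
            return findings;
        }
        if (String.IsNullOrEmpty(smtp.From))
            findings.Add("Missing 'from' address on <smtp>.");
        if (smtp.DeliveryMethod != SmtpDeliveryMethod.Network)
            return findings; // pickup-directory delivery needs no network settings

        SmtpNetworkElement net = smtp.Network;
        bool localRelay = String.Equals(net.Host, "localhost", StringComparison.OrdinalIgnoreCase)
            || net.Host == "127.0.0.1";

        if (String.IsNullOrEmpty(net.Host))
            findings.Add("Network delivery selected but no SMTP host configured.");
        else if (!localRelay && !net.EnableSsl)
            findings.Add("Remote SMTP host '" + net.Host + "' without enableSsl: mail and credentials travel in clear text.");

        if (!localRelay && !net.DefaultCredentials && String.IsNullOrEmpty(net.UserName))
            findings.Add("Remote SMTP host without credentials; most relays reject unauthenticated senders.");
        if (!String.IsNullOrEmpty(net.Password))
            findings.Add("SMTP password stored in Web.Config; encrypt the section with aspnet_regiis or use defaultCredentials.");
        return findings;
    }

    // Convenience entry point for the current application, e.g. from Application_Start.
    public static IList<string> InspectCurrentApplication()
    {
        var smtp = ConfigurationManager.GetSection("system.net/mailSettings/smtp") as SmtpSection;
        return Inspect(smtp);
    }
}
```

Calling MailSettingsCheck.InspectCurrentApplication() from Application_Start in Global.asax and logging the findings surfaces a mis-pasted modification instruction at deployment time rather than when the first user asks for a password reminder.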