Security

Monday, May 2, 2011
SQL Anywhere Membership Configuration

You can find detailed instructions about development of applications with SQL Anywhere 12 and ASP.NET at http://www.sybase.com/detail?id=1080238.

This tutorial outlines the steps required to configure the ASP.NET Membership features in a database that will become part of a web application created with the Code On Time web application code generator.

Start Windows Explorer and navigate to “C:\Program Files\SQL Anywhere 12\Assembly\V2” folder.

Start the SASetupAspNet.exe configuration utility.

Select the language for the ASP.NET security schema configuration.

Connect to the database. The screen shot below shows how to connect to a default demo database created by SQL Anywhere installation program. Enter dsn=SQL Anywhere 12 Demo and test the connection.

Add Membership and Roles to the configuration. Select the other options only if you plan to use profiles, web part personalization, or health monitoring.

Finish configuration of your database.

If you are configuring the database on Windows 7, the Program Compatibility Assistant may display the following dialog at the end of the configuration process. Ignore the warning and select “This program installed correctly”.

Wednesday, February 9, 2011
Secure RSS, Spreadsheet, and CSV Data Feeds

The follow-up release of Code On Time introduces significant security enhancements to the user identity validation performed when RSS, CSV, and live Microsoft Excel data feeds are generated.

The feeds are retrieved by external applications such as browsers, RSS readers, and Excel via a URL generated by the application. The user identity is not embedded in the data feed URLs, so a feed URL can be shared without granting the recipient access to the data: every consumer must authenticate on its own.

These are examples of the data feeds:

Click on any of the links and you will be prompted to enter a user name and password if your application uses ASP.NET Membership authentication. The application framework detects access to data export resources and requests the user name and password through HTTP Basic Authentication. Because Basic Authentication only base64-encodes the credentials, the feeds should be served over HTTPS.

Enter the user name and password and the credentials will be authenticated against the ASP.NET Membership database. The URLs above will allow access to the data if you enter admin / admin123% or user / user123% when prompted for a user name and password. These user accounts are registered on our demo server.
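The detection of export resources and the Basic Authentication challenge described above can be implemented as an ASP.NET HTTP module. The following is an added example written for this page, not the Code On Time framework's own code. It assumes that export resources live under a hypothetical ~/Export/ path, that the site runs on .NET 4.5 or later (for Response.SuppressFormsAuthenticationRedirect), and that the module is registered in Web.config under system.webServer/modules.

```csharp
// Added example, not Code On Time framework code: an HttpModule that protects
// data-export resources with HTTP Basic Authentication validated against
// ASP.NET Membership. Assumptions: feeds live under the hypothetical "~/Export/"
// path and the site targets .NET 4.5+ (SuppressFormsAuthenticationRedirect).
using System;
using System.Security.Principal;
using System.Text;
using System.Web;
using System.Web.Security;

public class FeedBasicAuthModule : IHttpModule
{
    const string Realm = "Data Feeds";

    public void Init(HttpApplication app)
    {
        app.AuthenticateRequest += OnAuthenticateRequest;
    }

    public void Dispose() { }

    static bool IsExportResource(HttpRequest request)
    {
        // Hypothetical convention: anything under ~/Export/ is a feed (RSS, CSV, IQY, XML).
        return request.AppRelativeCurrentExecutionFilePath
            .StartsWith("~/Export/", StringComparison.OrdinalIgnoreCase);
    }

    void OnAuthenticateRequest(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        if (!IsExportResource(context.Request))
            return;

        // A user already signed in through the forms authentication cookie needs no challenge.
        if (context.User != null && context.User.Identity.IsAuthenticated)
            return;

        // Basic credentials are only base64-encoded: never accept them over plain HTTP.
        if (!context.Request.IsSecureConnection)
        {
            context.Response.StatusCode = 403;
            context.Response.SuppressFormsAuthenticationRedirect = true;
            context.ApplicationInstance.CompleteRequest();
            return;
        }

        string userName, password;
        if (TryParseBasic(context.Request.Headers["Authorization"], out userName, out password)
            && Membership.ValidateUser(userName, password))
        {
            // Identity is established per request; nothing is stored in the feed URL.
            string[] roles = Roles.Enabled ? Roles.GetRolesForUser(userName) : new string[0];
            context.User = new GenericPrincipal(new GenericIdentity(userName, "Basic"), roles);
            return;
        }

        Challenge(context);
    }

    static void Challenge(HttpContext context)
    {
        context.Response.StatusCode = 401;
        context.Response.AddHeader("WWW-Authenticate", "Basic realm=\"" + Realm + "\"");
        // Keep FormsAuthenticationModule from turning the 401 into a redirect to the login page,
        // which browsers, RSS readers and Excel would not understand.
        context.Response.SuppressFormsAuthenticationRedirect = true;
        context.ApplicationInstance.CompleteRequest();
    }

    // Parses "Authorization: Basic base64(user:password)"; returns false on any malformed input.
    public static bool TryParseBasic(string header, out string userName, out string password)
    {
        userName = password = null;
        if (String.IsNullOrEmpty(header)
            || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
            return false;
        string decoded;
        try
        {
            decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim()));
        }
        catch (FormatException)
        {
            return false;
        }
        int colon = decoded.IndexOf(':');
        if (colon <= 0)
            return false;
        userName = decoded.Substring(0, colon);
        password = decoded.Substring(colon + 1);
        return true;
    }
}
```

Membership.ValidateUser already refuses unapproved and locked-out accounts, so the module does not need to check those flags itself. The 403 branch for non-TLS requests is deliberate: redirecting a Basic request to HTTPS would make the client resend the same credentials in the clear first.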

If you sign into the application at http://dev.codeontime.com/demo/websitefactory6 using one of the accounts listed above, then try the following.

Live RSS Feed

Select the list of customers and choose the Action | View RSS Feed option on the action bar.

The RSS feed will be presented.

Without closing the feed, return to the browser window with the application and click the Logout link on the membership bar. You will be logged out and a fly-over login dialog will be displayed.

Return to the RSS feed and click the Refresh button. The first request succeeded because the browser was still sending the application's authentication cookie; now that you are logged out, you will be prompted to log in via Basic Authentication.

Live Excel Spreadsheet

Select the Export to Spreadsheet option from the action bar of the customer list.

A prompt to download an IQY file will be displayed. The extension stands for “Internet Query”, a file format recognized by Microsoft Excel. Click the Open button.

Microsoft Excel will start and present an additional warning about the security risks of content that comes from the Internet. In this case we know the source of the data we are downloading, and the data itself is a simple XML feed, so click the Enable button. Do not enable an IQY file that arrives from an unknown sender: it instructs Excel to fetch data from whatever URL it contains.

The Code On Time application will request the user identity. Enter one of the accounts used above.

If the user name and password match an ASP.NET Membership record, the data will be downloaded.

Use Excel to create dynamic business charts and refresh them on demand so that changes in the live data are reflected in the chart. You can email the spreadsheet to users in your organization. Users with valid application accounts will also be able to refresh the data; each refresh is authenticated against the membership database.

Conclusion

Business users can take full advantage of the data reporting and analytical capabilities available in Code On Time applications. Secure data feeds ensure a safe shared environment: every feed request is authenticated, and sharing a feed URL or spreadsheet does not share the sender's identity.

Developers can create sophisticated virtual views that use the user identity to filter the data accessible to each user.

Sunday, January 23, 2011
Mixed Authentication

The Code On Time web application generator supports ASP.NET Membership and several other authentication mechanisms. ASP.NET Membership is an attractive option for Internet applications and can also be used successfully in intranet applications deployed within the network boundaries of an organization for use by a specific group of business users.

The web application administrator can use the advanced user manager provided with each generated application to create user accounts and manage roles.

Large organizations frequently mandate a single sign-on mechanism to eliminate the need to manage multiple passwords and user accounts.

  1. Typically a user name token is created and validated by authentication software deployed on the local network. The token is embedded in each web request arriving at the server, and the authenticated user name can be read from a request header. This is only safe when the server is reachable exclusively through that software and a client cannot supply the header itself; a header that any browser can set is not an authentication token.
  2. Another option is to use the Active Directory identity name, which is available if Windows Authentication is enabled in your web application.

You can take advantage of either option to implement mixed authentication on top of the ASP.NET Membership option available in Code On Time database web applications. Only users registered in the ASP.NET Membership database of your application can access it, and user roles are also derived from the membership database.

Users can self-register to use the application and will be able to access its pages once the administrator approves the user account. The administrator can also create all authorized user accounts in advance and assign the same “secret” password to every user. Keep in mind that the silent sign-in below never checks the membership password, so anyone who learns a shared password could still use the regular login form as any user; a long random password per account is the safer choice.

Single sign-on is enabled through changes to the login user control. Open the file ~/App_Code/Controls/Login.ascx and modify its code-behind file as shown below.

C#:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.Security;
using System.Security.Principal;

public partial class Controls_Login : System.Web.UI.UserControl
{
    
    protected void Page_Load(object sender, EventArgs e)
    {
        // Mixed authentication sample
        if (!Page.User.Identity.IsAuthenticated)
        {
            string userName = null;
            // 1. read the identity from the page request header variable
            //    (only safe when a trusted gateway sets the header and the
            //    client cannot reach the server directly)
            userName = Request.Headers["UserName"];
            // 2. read the identity of the Windows user authenticated by IIS;
            //    WindowsIdentity.GetCurrent() would return the worker process
            //    account unless impersonation is enabled, so use LogonUserIdentity
            userName = Request.LogonUserIdentity.Name;
            // simulate the user name and ignore methods (1) and (2);
            // remove this line in a real application
            userName = "admin";
            if (!String.IsNullOrEmpty(userName))
            {
                MembershipUser user = Membership.GetUser(userName);
                // sign in only accounts that exist, are approved and are not locked out
                if (user != null && user.IsApproved && !user.IsLockedOut)
                    FormsAuthentication.RedirectFromLoginPage(user.UserName, false);
            }
        }
    }
}

Methods of “silent” authentication are marked as (1) and (2). This particular example ignores the obtained information and simply assigns the user name “admin” to the variable “userName”. The application then looks up that name to confirm it belongs to a valid ASP.NET Membership user; if it does, the user is automatically signed into the web application. Remove the simulated assignment before deploying, otherwise every anonymous visitor is signed in as “admin”.

The login control is generated the first time only. Your changes to the code-behind file will stay intact with subsequent code generations.

Adjust the sample to reflect your actual single sign-on method.
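The following hardened version of method (1) is an added example, not the page's or Code On Time's own code. It trusts the user name header only when the request arrives from an allow-listed SSO gateway address and carries an HMAC-SHA256 signature with an expiry, so a client that reaches the server directly cannot sign in as anyone by adding a header. The header names, the gateway address 10.0.0.5 and the shared key are placeholders, and the gateway is assumed to strip any client-supplied X-SSO-* headers before forwarding.

```csharp
// Added example, not Code On Time code: header-based SSO that can only be
// satisfied by a trusted gateway. Header names, gateway address and key are
// assumptions for illustration.
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Security;

public static class SsoHeaderAuthenticator
{
    // Shared with the gateway; load it from protected configuration in practice.
    static readonly byte[] SharedKey = Encoding.UTF8.GetBytes("replace-with-a-long-random-secret");
    static readonly string[] TrustedGateways = { "10.0.0.5" };   // assumed gateway address
    static readonly DateTime UnixEpoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    // Returns the membership user to sign in, or null when the request must
    // fall back to the regular login form.
    public static MembershipUser ResolveUser(HttpRequest request)
    {
        // The header is meaningless unless the request passed through the gateway.
        if (Array.IndexOf(TrustedGateways, request.UserHostAddress) < 0)
            return null;

        string userName = request.Headers["X-SSO-User"];
        string expires = request.Headers["X-SSO-Expires"];      // Unix seconds, set by the gateway
        string signature = request.Headers["X-SSO-Signature"];
        if (String.IsNullOrEmpty(userName) || String.IsNullOrEmpty(expires)
            || String.IsNullOrEmpty(signature))
            return null;

        long expiresAt;
        if (!long.TryParse(expires, NumberStyles.None, CultureInfo.InvariantCulture, out expiresAt)
            || UnixNow() > expiresAt)
            return null;                                        // stale or replayed token

        if (!VerifySignature(userName, expires, signature))
            return null;

        MembershipUser user = Membership.GetUser(userName, true);
        // Only approved, non-locked accounts registered in the membership database get in.
        if (user == null || !user.IsApproved || user.IsLockedOut)
            return null;
        return user;
    }

    // The gateway computes the same value over "user\nexpires" with the shared key.
    public static string Sign(string userName, string expires)
    {
        using (HMACSHA256 hmac = new HMACSHA256(SharedKey))
        {
            byte[] mac = hmac.ComputeHash(Encoding.UTF8.GetBytes(userName + "\n" + expires));
            return Convert.ToBase64String(mac);
        }
    }

    static bool VerifySignature(string userName, string expires, string presented)
    {
        byte[] expected = Encoding.UTF8.GetBytes(Sign(userName, expires));
        byte[] actual = Encoding.UTF8.GetBytes(presented);
        return FixedTimeEquals(expected, actual);
    }

    // Constant-time comparison so the signature cannot be guessed byte by byte.
    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length)
            return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
            diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static long UnixNow()
    {
        return (long)(DateTime.UtcNow - UnixEpoch).TotalSeconds;
    }
}
```

In the login control, replace the plain header read with `MembershipUser user = SsoHeaderAuthenticator.ResolveUser(Request);` and call `FormsAuthentication.RedirectFromLoginPage(user.UserName, false)` only when the result is not null. The source address check alone is not enough if another proxy sits in front of the application, since UserHostAddress would then be that proxy; the signature and expiry are what actually bind the header to the gateway.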