Code On Time: Security

Blog

Security

Tuesday, November 27, 2012Print Subscribe

Advanced User Manager for Custom Membership and Role Provider: Overview

Create “Users”, “Roles”, and “UserRoles” tables using one of the scripts for Advanced Membership and Tables. Configure the custom membership map and generate the project.

Advanced Membership Provider in Action

When the website is first initialized, the standard user accounts admin and user will be created, and can be used to sign in to the web application. Two roles will be created: Administrators and Users. Both accounts will be assigned Users role, and admin will be assigned Administrators role.

View the details for any user.

Let’s perform the following enhancements:

The user should not be able to view the fields Password and Password Answer.
The data fields will be separated into several categories.
Is Approved and Is Locked Out will be changed to a check box.
All date and count fields will be read-only.
Roles will be added as a many-to-many field.

In addition to these changes, the Users page will be moved to the end of the menu, and will only be visible to administrators.

The final step would be to prevent default CRUD operations from being performed, and create business rules that will use the ASP.NET Membership API to perform updates to the Users and UserRoles table.

This is the final Users grid view.

The final Users form will look like the picture below:

Labels: Designer, Security, SQL Server, Web Application Generator

Wednesday, November 21, 2012Print Subscribe

November 2012 Enhancements

The following bug fixes and enhancements are incorporated in the Code On Time release 7.0.5.0:

RepresentationalStateTransferBase class implements IRequiresSession interface to enable access to session variables when handling REST API calls.
Fixed the runtime bug in Visual Basic version of ActionResult.Refresh method.
Added a fix for “missing buttons” exception in Designer.
Library downloader uses temporary files when downloading code generation library updates from http://codeontime.com to minimize the file locking.
Visual Studio 2012 detection has been enhanced to work correctly on system with Visual Studio 2010 only.
Client library uses "-" instead of "$" in the CSS classes of UI elements rendered for all actions.
Custom membership provider correctly maps Email field.
Custom membership provider correctly implements the version of method GetUser that accepts a provider key as an argument.
“Data sheet” lookup will not automatically close when displayed for the first time.

Labels: Application Builder, Release Notes, REST, Security, Web Application Generator

Friday, November 9, 2012Print Subscribe

Advanced Membership Provider for MySQL

Requirements

An advanced membership and role provider requires three tables.

One table keeps track of user information. This information includes the UserName, Email, and a Comment. Additional columns allow for implementation of a password question and answer in order to recover a forgotten password. When users are created, they can not be approved by default. Additional information is captured about the most recent login, activity, and change of password. When a user inputs an incorrect password past the limit, the user will become locked out. The number of failed attempts and most recent failed attempt will be stored.

Two tables are required to keep track of roles and associations of users with roles.

These are the advanced membership and role provider tables with “identity” primary keys.

SQL:

create table Users (
    UserID int not null AUTO_INCREMENT primary key,
    UserName varchar(128) not null,
    Password varchar(128) not null,
    Email varchar(256),
    `Comment` text,
    PasswordQuestion varchar(256),
    PasswordAnswer varchar(128),
    IsApproved bit not null,
    LastActivityDate datetime not null,
    LastLoginDate datetime not null,
    LastPasswordChangedDate datetime not null,
    CreationDate datetime not null,
    IsLockedOut bit not null,
    LastLockedOutDate datetime not null,
    FailedPasswordAttemptCount int not null,
    FailedPasswordAttemptWindowStart datetime not null,
    FailedPasswordAnswerAttemptCount int not null,
    FailedPasswordAnswerAttemptWindowStart datetime not null
    );
    
create table Roles (
    RoleID int not null AUTO_INCREMENT primary key,
    RoleName varchar(128) not null
    );

create table UserRoles (
    UserID int not null,
    RoleID int not null,
    primary key (UserID, RoleID),
    foreign key (UserID) references Users(UserID),
    foreign key (RoleID) references Roles(RoleID)
    );

These are the advanced membership and role provider tables with “unique identifier” primary keys.

SQL:

create table Users (
    UserID varchar(36) not null primary key default '',
    UserName varchar(128) not null,
    Password varchar(128) not null,
    Email varchar(256),
    `Comment` text,
    PasswordQuestion varchar(256),
    PasswordAnswer varchar(128),
    IsApproved bit not null,
    LastActivityDate datetime not null,
    LastLoginDate datetime not null,
    LastPasswordChangedDate datetime not null,
    CreationDate datetime not null,
    IsLockedOut bit not null,
    LastLockedOutDate datetime not null,
    FailedPasswordAttemptCount int not null,
    FailedPasswordAttemptWindowStart datetime not null,
    FailedPasswordAnswerAttemptCount int not null,
    FailedPasswordAnswerAttemptWindowStart datetime not null
    );
    
create table Roles (
    RoleID varchar(36) not null primary key default '',
    RoleName varchar(128) not null
    );
    
create table UserRoles (
    UserID varchar(36) not null,
    RoleID varchar(36) not null,
    primary key (UserID, RoleID),
    foreign key (UserID) references Users(UserID),
    foreign key (RoleID) references Roles(RoleID)
    );
    
delimiter $$ 
create trigger userinsert
before insert on Users
for each row
begin
    set New.UserID = UUID();
end $$

create trigger roleinsert
before insert on Roles
for each row
begin
    set New.RoleID = UUID();
end $$

Configuration

Use one of the scripts above to create the membership and role provider tables in your database.

Start Code On Time web application generator, select the project name on the start page, and choose Settings. Select Authentication and Membership.

Select “Enable custom membership and role providers” option and enter the following configuration settings.

table Users = Users
column [int|uiid] UserID = UserID
column [text] UserName = UserName
column [text] Password = Password
column [text] Email = Email
column [text] Comment = Comment
column [text] PasswordQuestion = PasswordQuestion
column [text] PasswordAnswer = PasswordAnswer
column [bool] IsApproved = IsApproved
column [date] LastActivityDate = LastActivityDate
column [date] LastLoginDate = LastLoginDate
column [date] LastPasswordChangedDate = LastPasswordChangedDate
column [date] CreationDate = CreationDate
column [bool] IsLockedOut = IsLockedOut
column [date] LastLockedOutDate = LastLockedOutDate
column [int] FailedPasswordAttemptCount = FailedPasswordAttemptCount
column [date] FailedPasswordAttemptWindowStart = FailedPasswordAttemptWindowStart
column [int] FailedPasswordAnswerAttemptCount = FailedPasswordAnswerAttemptCount
column [date] FailedPasswordAnswerAttemptWindowStart = FailedPasswordAnswerAttemptWindowStart

table Roles = Roles
column [int|uiid] RoleID = RoleID
column [text] RoleName = RoleName

table UserRoles = UserRoles
column [int|uiid] UserID = UserID
column [int|uiid] RoleID = RoleID

The configuration will guide the code generator in mapping the logical tables Users, Roles, and UserRoles to the physical tables in the database.

Generate the project to create the custom membership and role provider.

Labels: Application Factory, ASP.NET Membership, Designer, MySQL, Security, Tutorials, Web Application Generator