security

Labels
AJAX(112) App Studio(9) Apple(1) Application Builder(245) Application Factory(207) ASP.NET(95) ASP.NET 3.5(45) ASP.NET Code Generator(72) ASP.NET Membership(28) Azure(18) Barcode(2) Barcodes(3) BLOB(18) Business Rules(1) Business Rules/Logic(140) BYOD(13) Caching(2) Calendar(5) Charts(29) Cloud(14) Cloud On Time(2) Cloud On Time for Windows 7(2) Code Generator(54) Collaboration(11) command line(1) Conflict Detection(1) Content Management System(12) COT Tools for Excel(26) CRUD(1) Custom Actions(1) Data Aquarium Framework(122) Data Sheet(9) Data Sources(22) Database Lookups(50) Deployment(22) Designer(178) Device(1) DotNetNuke(12) EASE(20) Email(6) Features(101) Firebird(1) Form Builder(14) Globalization and Localization(6) How To(1) Hypermedia(2) Inline Editing(1) Installation(5) JavaScript(20) Kiosk(1) Low Code(3) Mac(1) Many-To-Many(4) Maps(6) Master/Detail(36) Microservices(4) Mobile(63) Mode Builder(3) Model Builder(3) MySQL(10) Native Apps(5) News(18) OAuth(9) OAuth Scopes(1) OAuth2(13) Offline(20) Offline Apps(4) Offline Sync(5) Oracle(11) PKCE(2) Postgre SQL(1) PostgreSQL(2) PWA(2) QR codes(2) Rapid Application Development(5) Reading Pane(2) Release Notes(184) Reports(48) REST(29) RESTful(29) RESTful Workshop(15) RFID tags(1) SaaS(7) Security(81) SharePoint(12) SPA(6) SQL Anywhere(3) SQL Server(26) SSO(1) Stored Procedure(4) Teamwork(15) Tips and Tricks(87) Tools for Excel(3) Touch UI(93) Transactions(5) Tutorials(183) Universal Windows Platform(3) User Interface(338) Video Tutorial(37) Web 2.0(100) Web App Generator(101) Web Application Generator(607) Web Form Builder(40) Web.Config(9) Workflow(28)
Archive
Blog
security
Friday, March 9, 2012PrintSubscribe
Using ConnectionStringSettingsFactory in “Database per Tenant” Apps

Multi-tenant web applications can be constructed using one of the two methods:

  • Tenants co-exist in the same database. Data is segregated based on the user identity.
  • Each tenant has a private database.

Code On Time web applications offer excellent support for multi-tenant data segregation.

Let’s discuss how to implement a multi-tenant application with private databases.

Internet users arrive to your web application protected with ASP.NET Membership. If the user is not authenticated then there is no way to know, which private database is the final destination for this user. Therefore you either need to implement a single database of user accounts (for example an ASP.NET Membership database) or rely on the elements of the user name (for example the domain portion of the email address) to authenticate the user.

The second solution is more complex when it comes to implementing the user authentication. We will consider the first scenario and assume that the main database of the application has ASP.NET Membership installed already. Follow instructions at http://codeontime.com/learn/sample-applications/northwind to create an application with the membership feature.

The main application database will have the application tables and views. We will call it a “master” database. You will develop your application using the master database. Create additional databases with the same schema but do not include the membership infrastructure in them.

Private Database Derived From DNS Records

Deploy your application. Create CNAME records in the DNS configuration of your Internet domain for each client that must have a private database. Point the CNAME record of each client to the name of your web application. Instruct your clients to sign in the application using their dedicated domain name defined in the CNAME record.

For example, if your main application name is myapp.contoso.com then a client with a dedicate database can access your application as clientname.contoso.com. Also make sure that the name of the master database is myapp.constoso.com and the private database names for the clients use the format clientname.contoso.com.

Unauthenticated users will be authenticated against the master database membership. If you do nothing else then the authenticated users will see the contents of the master database while navigating through the application pages.

Implement the following class in your application to redirect authenticated users to the private database.

C#:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Configuration;
using System.Data.SqlClient;
namespace MyCompany.Data
{
    public partial class ConnectionStringSettingsFactory
    {
        protected override ConnectionStringSettings CreateSettings(string connectionStringName)
        {
            ConnectionStringSettings settings = base.CreateSettings(connectionStringName);
            // if the user is not authenticated then use the default database
            if (HttpContext.Current.User.Identity.IsAuthenticated &&
                HttpContext.Current.Request.Url.Host.Contains("contoso.com"))
            {
                SqlConnectionStringBuilder csb = 
                    new SqlConnectionStringBuilder(settings.ConnectionString);
                csb.InitialCatalog = HttpContext.Current.Request.Url.Host;
                settings = new ConnectionStringSettings(null, csb.ToString(), 
                    settings.ProviderName);
            }
            return settings;
        }
    }
}

Visual Basic:

Imports Microsoft.VisualBasic
Imports MyCompany.Data
Imports System.Data.SqlClient

Namespace MyCompany.Data
    Partial Public Class ConnectionStringSettingsFactory
        Protected Overrides Function CreateSettings(
            connectionStringName As String) As System.Configuration.ConnectionStringSettings
            Dim settings As ConnectionStringSettings = 
                MyBase.CreateSettings(connectionStringName)
            If (HttpContext.Current.User.Identity.IsAuthenticated AndAlso
                HttpContext.Current.Request.Url.Host.Contains(".contoso.com")) Then
                Dim csb As SqlConnectionStringBuilder =
                    New SqlConnectionStringBuilder(settings.ConnectionString)
                csb.InitialCatalog = HttpContext.Current.Request.Url.Host
                settings = New ConnectionStringSettings(Nothing, csb.ToString(), 
                    settings.ProviderName)                
            End If
            Return settings
        End Function
    End Class
End Namespace

This code inspects the name of the host specified in the URL of the current request. If the authenticated user is trying to access the production deployment and “*.contoso.com” is detected in the host name then the code will create a database-specific connection string and change the database name to the name of the host.

Our example uses Microsoft SQL Server database. That is why we are creating SqlConnectionStringBuilder class instance. Use the class that matches your back-end database. The name of the SQL Server database is specified in InitialiCatalog property. Implementations of connection string builder for other database engines may use a different property for the same purpose.

If your clients do have a web presence then you can instruct them to create their private CNAME Records that point to your application. Make sure to use the client’s CNAME Record as the name of the private database instance. Your clients will be able to access your web application as myapp.clientdomain.com where “clientdomain” is the client’s own domain name.

Private Database Derived From User identity

You can also implement a table in the master database that will associate the user accounts with the private databases available in the app. This table will effectively play the role of the DNS for your own application. Users will access the application via the same URL. 

create table UserDatabases
(
    UserName varchar(50),
    DatabaseName varchar(50),
    primary key (UserName, DatabaseName)
)

The following code will lookup the UserDatabases table for authenticated users and adjust the connection string accordingly.

C#:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Configuration;
using System.Data.SqlClient;
namespace MyCompany.Data
{
    public partial class ConnectionStringSettingsFactory
    {
        protected override ConnectionStringSettings CreateSettings(string connectionStringName)
        {
            ConnectionStringSettings settings = base.CreateSettings(connectionStringName);
            // if the user is not authenticated then use the default database
            if (HttpContext.Current.User.Identity.IsAuthenticated)
            {
                SqlConnectionStringBuilder csb =
                    new SqlConnectionStringBuilder(settings.ConnectionString);
                using (SqlConnection connection = new SqlConnection(settings.ConnectionString))
                {
                    connection.Open();
                    SqlCommand command = connection.CreateCommand();
                    command.CommandText =
                        "select DatabaseName from UserDatabases where UserName=@UserName";
                    SqlParameter p = command.CreateParameter();
                    command.Parameters.Add(p);
                    p.ParameterName = "@UserName";
                    p.Value = HttpContext.Current.User.Identity.Name;
                    csb.InitialCatalog = Convert.ToString(command.ExecuteScalar());
                }
                csb.InitialCatalog = HttpContext.Current.Request.Url.Host;

                settings = new ConnectionStringSettings(null, csb.ToString(), 
                    settings.ProviderName);
            }
            return settings;
        }
    }
}

Visual Basic:

Imports Microsoft.VisualBasic
Imports MyCompany.Data
Imports System.Data.SqlClient

Namespace MyCompany.Data
    Partial Public Class ConnectionStringSettingsFactory
        Protected Overrides Function CreateSettings(
            connectionStringName As String) As System.Configuration.ConnectionStringSettings
            Dim settings As ConnectionStringSettings =
                MyBase.CreateSettings(connectionStringName)
            If (HttpContext.Current.User.Identity.IsAuthenticated) Then
                Dim csb As SqlConnectionStringBuilder =
                    New SqlConnectionStringBuilder(settings.ConnectionString)
                Using connection As SqlConnection =
                        New SqlConnection(settings.ConnectionString)
                    connection.Open()
                    Dim command As SqlCommand = connection.CreateCommand()
                    command.CommandText =
                        "select DatabaseName from UserDatabases where UserName=@UserName"
                    Dim p As SqlParameter = command.CreateParameter()
                    p.ParameterName = "@UserName"
                    p.Value = HttpContext.Current.User.Identity.Name
                    csb.InitialCatalog = Convert.ToString(command.ExecuteNonQuery())
                End Using
                csb.InitialCatalog = HttpContext.Current.Request.Url.Host
                settings = New ConnectionStringSettings(Nothing, csb.ToString(),
                    settings.ProviderName)
            End If
            Return settings
        End Function
    End Class
End Namespace

Notice that we are using the native ADO.NET classes that are specific to SQL Server: SqlConnection and SqlCommand. Code On Time web applications can take advantage of SqlText class that wraps the ADO.NET components in a compact database-independent implementation. The class is the component of the framework of the generated web application and takes advantage of ConnectionStringSettingsFactory. We have to use the native ADO.NET classes to prevent the re-entrance in the ConnectionStringSettingsFactory. Adjust the sample with the native ADO.NET classes that match your database backend if you are not programming with Microsoft SQL Server.

Labels: Application Factory, Security, Web Application Generator
Tuesday, March 6, 2012PrintSubscribe
User ID, User Name, and Portal ID in Business Rules

Traditional ASP.NET application can determine the identity of the user by inspecting Page.User.Identity property of the page or user control class implementation.

Code On Time applications separate the business logic implementation from the presentation. An application page defines a markup with data placeholders. Page components inject the JavaScript client library initialization instructions in the output when a page is rendered. The JavaScript code is executed by the web browser. Initialized JavaScript classes start communicating with the business rules attached to the application data controllers by executing JSON requests.

Developers can access the user identity by inspecting the Context property available in the  BusinessRules class.

Example:

namespace MyCompany.Rules
{
    public partial class SharedBusinessRules : 
        MyCompany.Data.BusinessRules
    {
        public SharedBusinessRules()
        {
            string userName = Context.User.Identity.Name;
        }
    }
}

User ID can be determined by inspecting the properties of classes System.Security.Principal.WindowsIdentity and System.Web.Security.Membership.

Class BusinessRules offers convenient shortcuts. Static properties UserId, UserName, and PortalId.

The following implementation of SharedBusinessRules shows the examples of accessing identity properties of the base business rules class in a DotNetNuke Factory project. The same example will work in any other project with the exception of the line inspecting the Portal ID.

C#:

using System;
using System.Data;
using System.Collections.Generic;
using System.Linq;
using MyCompany.DnnDemo.Data;

namespace MyCompany.DnnDemo.Rules
{
    public partial class SharedBusinessRules : 
        MyCompany.DnnDemo.Data.BusinessRules
    {
        
        public SharedBusinessRules()
        {
            object uid = UserId;
            string uname = UserName;
            int pid = PortalId;
        }
    }
}

Visual Basic:

Imports MyCompany.DnnTestVB.Data
Imports System
Imports System.Collections.Generic
Imports System.Data
Imports System.Linq

Namespace Rules
    
    Partial Public Class SharedBusinessRules
        Inherits MyCompany.DnnTestVB.Data.BusinessRules
        
        Public Sub New()
            Dim uid As Object = UserId
            Dim uname As String = UserName
            Dim pid As String = PortalId
        End Sub
    End Class
End Namespace

Use these properties to implement access control rules that will filter data in multi-tenant web applications.

For example, the following access control rule will be invoked whenever the UserID data field is detected in the view of any data controller.

C#:

using System;
using System.Data;
using System.Collections.Generic;
using System.Linq;
using MyCompany.DnnDemo.Data;

namespace MyCompany.DnnDemo.Rules
{
    public partial class SharedBusinessRules : 
        MyCompany.DnnDemo.Data.BusinessRules
    {
        [AccessControl("", "UserId", "[UserID] = @UserID")]
        public void FilterByUserUserID()
        {
            RestrictAccess("@UserID", UserId);
        }
    }
}

Visual Basic:

Imports MyCompany.DnnTestVB.Data
Imports System
Imports System.Collections.Generic
Imports System.Data
Imports System.Linq

Namespace Rules
    
    Partial Public Class SharedBusinessRules
        Inherits MyCompany.DnnTestVB.Data.BusinessRules

        <AccessControl("", "UserId", "[UserId]=@UserId")>
        Public Sub FilterByUserId()
            RestrictAccess("@UserId", UserId)
        End Sub
    End Class
End Namespace
Labels: Business Rules/Logic, DotNetNuke, Security, Web Application Generator
Thursday, March 1, 2012PrintSubscribe
View Filter Expressions

The alternative method of filtering is available in the data controller views. Property “View Filter” allows specifying an expression that will be embedded in the SQL statement composed by the application framework at runtime.

Suppose you want to filter a list of customers by a specific country.

Start the application generator and select your project, choose Design.

Locate the page Customers in Project Explorer, expand container1 and view1 nodes.

Double-click grid1 to active its properties.

Grid view "gird1" selected in Project Explorer

Enter the following expression in Filter Expression property of the Sort and Filter section.

Country = 'USA'

Sort and Filter section of a data controller view

Click OK button to save the changes and click Browse button on the tool bar. The generator will start the app in your default browser.

Navigate to Customers page and observe that only customers from the USA are displayed.

List of customers affected by the view filter Country = 'USA'

Select any customer by clicking on a link in the first column. The form view editForm1 will be activated.

Form view 'editForm1' inherits the filter from the last view 'grid1'. 

Notice that only customers from the USA are visible when you navigate between records in the form view with the help of navigation buttons.

Form view navigation buttons

The form view automatically inherits the value of Filter Expression from the last view that was presented to the user.

Static view filters work great when you need to present several alternative views of data. Users cannot remove the view filters and apply their own criteria on top of the view filter expressions.

View filter can also reference properties of the business rules class associated with the data controller of the view.

For example, you can define the following filter that contains a parameter.

Country = 'USA' and Region = @RegionName

If you generate the application and navigate to the Customers page then you will see the following exception:

View 'grid1' uses a filter with 'RegionName' parameter. Business rules class of the controller must provide a value for this parameter. The filter is defined as (Country = 'USA' and Region = @RegionName).

The application framework does not know how to determine the value of RegionName.

Right-click the data view view1 in the Project Explorer and choose Show Controller option.

"Show Controller" option in the context menu of data view node

Double-click Customers controller on the Controllers tab of Project Explorer.

"Customers" controller selected on the Controllers tab of Project Explorer

Enter CustomersBusinessRules in the Handler property of the controller and click save.

Definition of business rules class name

Exit the Designer and proceed to generate the project.

Select the project name on the start page of web application generator and click Develop.

Visual Studio or Visual Web Developer will start.

Open ~/App_Code/Rules/CustomersBusinessRules.cs(vb) class and enter the definition of RegionName read-only property.

C#:

using System;
using System.Data;
using System.Collections.Generic;
using System.Linq;
using MyCompany.Data;

namespace MyCompany.Rules
{
    public partial class CustomersBusinessRules : MyCompany.Data.BusinessRules
    {
        public string RegionName
        {
            get
            {
                return "OR";
            }
        }
    }
}

Visual Basic:

Imports MyCompany.Data
Imports System
Imports System.Collections.Generic
Imports System.Data
Imports System.Linq
Imports System.Xml
Imports System.Xml.XPath

Namespace MyCompany.Rules

    Partial Public Class CustomersBusinessRules
        Inherits MyCompany.Data.BusinessRules

        Public ReadOnly Property RegionName As String
            Get
                Return "OR"
            End Get
        End Property

    End Class
End Namespace

Navigate to the Customers page and observe that only customers from the state of Oregon are now visible.

List of customers affected by view filter (Country = 'USA' and Region = @RegionName)

Notice that the value returned by RegionName property of the business rules class does not become a part of SQL statement.  The application will compose a SELECT statement that incudes the view filter expression text with the resolved names of the data fields. An actual command parameter will be created . The property value will be assigned to the parameter value.

If you want to create a filtering expression as a dynamic fragment of SQL at runtime then consider using dynamic access control rules.

If more than one value needs to be passed to the view filter then consider changing the filter definition as follows (we have replaced “=” with “in”).

Country = 'USA' and Region in @RegionName

Change the property definition to return a list or an array of values.

C#: 

public List<string> RegionName
{
    get
    {
        List<string> regions = new List<string>();
        regions.Add("OR");
        regions.Add("WA");
        return regions;
    }
}

Visual Basic:

Public ReadOnly Property RegionName As List(Of String)
    Get
        Dim regions As List(Of String) = New List(Of String)
        regions.Add("OR")
        regions.Add("WA")
        Return regions
    End Get
End Property

Customers from the states of Oregon and Washington are now available in the list.

List of customers filtered by array of (WA, OR)

The application framework will list a separate parameter in the composed SELECT statement for each value in the list returned by the RegionName property of the business rules class.  In our example the actual fragment of SQL will look as follows:

("Customers"."Country" = 'USA' and "Customers"."Region" in (@RegionName0,@RegionName1))

Labels: Business Rules/Logic, Security, Tips and Tricks
Continue to Dynamic On-Demand Filtering with Access Control Rules
© 2025 Code On Time LLC. All rights reserved. All trademarks mentioned on this website are property of their respective owners.
Watch | Blog | Roadmap | Learn | Community | Support