BOOK: Beginning ASP.NET 4 : in C# and VB
This is the forum to discuss the Wrox book Beginning ASP.NET 4: in C# and VB by Imar Spaanjaars; ISBN: 9780470502211
#1
February 27th, 2012, 09:41 PM
Friend of Wrox

Chapter 16 Security Authorization Question

Hypothetical question and practical real world example: Suppose that you have 8 or maybe 9 different user groups that you want to display certain database information to on your hypothetical website of, say, something like "ImarProductions.com"?
The first user group is a group that is just regular subscribers and they only get to see basic general information that is contained in the main database. The second group belongs to users that want to see online CD sales and only that part of the database. The third group wants to see the latest concert information and you only want to supply information to them about the latest concert information and nothing else. The fourth group is only interested in looking at the online reviews of the latest concerts and CDs. The fifth group of people are only interested in finding out more information about ticket sales. The sixth group of people is only interested in purchasing CDs, iPads, iPhones and Xbox gaming equipment. The seventh group of persons logging in to your website is only interested in purchasing concert posters, T-shirts and concert photos, and the eighth group of people are investors in your website and they are only interested in logging in to see user statistics and financial information and other things of that nature. The ninth group of people are subscribers and have paid a subscription fee to see certain inside information and inside scoops from your website on the newest music groups that are the big item performers. How would you create separate user groups that see different sets of data from the database using different SQL queries that only pertain to them and their specific interests based on their login profiles?
#2
February 27th, 2012, 09:54 PM
Friend of Wrox

Or better yet

Let me use a better example of what I am talking about that is clearer than the previous example.
Let's just say for instance that your company, ImarProductions.com, has thirty different departments like HR, Sales, Engineering, Marketing, Distribution, Payroll, Accounting, etc, etc. How would you manage it so that when someone logs into the company's internal website they see information pulled back from the database only about the department they work in and not information about a different department? Like say for instance if I work in the accounting department and I log into the company's internal website, then how do you arrange it using authorization and security so that I can only see information and data pulled back from the database that pertains to the accounting department and not any of the other departments? So if for example I want to look at company personnel information, the only company personnel information that I am going to see will be just the people that work in the accounting department and not the other people in other departments? How could you accomplish something like that using Security and Authorization logins? You are obviously going to need separate database queries for each department, are you not?
#3
February 27th, 2012, 10:03 PM
Imar (Wrox Author)

I sorta got the idea after your second group.

But anyway, yes you'd need different queries for this scenario. Or at least, a different WHERE clause. Depending on how you want to implement it, you could simply restrict access to pages that the user doesn't belong to. Alternatively, you could dynamically build your SQL statements and include the roles the user belongs to.

Either way, you'll find it difficult to use the SqlDataSource control for this as it's a bit difficult to dynamically change the SQL statement (it can certainly be done but requires more work than I typically care to put into it).

I would recommend using EF which makes this simpler. Or you could use ADO.NET directly and use objects such as the SqlConnection and SqlDataReader to get data out of the database.

Hope this helps,

Imar
__________________
Imar Spaanjaars
http://Imar.Spaanjaars.Com
Follow me on Twitter

Author of Beginning ASP.NET 4.5 : in C# and VB, Beginning ASP.NET Web Pages with WebMatrix
and Beginning ASP.NET 4 : in C# and VB.
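An added example of the second approach Imar mentions (filtering the query by the roles the user belongs to), written with the ADO.NET SqlConnection and SqlDataReader objects he names. It is not code from the book or from anyone in the thread. It assumes an Employees table with EmployeeID, Name and Department columns, where Department holds the same text as the ASP.NET role name; the Roles feature enabled in Web.config; and a connection string named "ImarProductions" (the name used in the poster's code later in the thread). The role names are passed as parameters, so although the IN-list is built at run time, no user-controlled text is ever concatenated into the SQL statement.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.Security;

// Added example (not from the book or the thread). Assumptions:
//  - an Employees table with columns EmployeeID (int), Name, Department,
//    where Department holds the same string as the ASP.NET role name;
//  - the ASP.NET Roles feature is enabled in Web.config;
//  - a connection string named "ImarProductions" (name taken from the poster's code).
public static class DepartmentData
{
    // Returns the employees visible to the given user: only the rows whose
    // Department matches one of the roles the user belongs to.
    public static List<string> GetVisibleEmployees(string userName)
    {
        string[] roles = Roles.GetRolesForUser(userName);
        if (roles.Length == 0)
        {
            // A user who is in no department sees nothing, not everything.
            return new List<string>();
        }

        string connectionString =
            ConfigurationManager.ConnectionStrings["ImarProductions"].ConnectionString;

        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand comm = conn.CreateCommand())
        {
            // Build "WHERE Department IN (@r0, @r1, ...)" with one parameter per role.
            // Only the parameter names go into the SQL text; the role values are
            // sent separately, so a role name containing a quote cannot change the query.
            string[] names = new string[roles.Length];
            for (int i = 0; i < roles.Length; i++)
            {
                names[i] = "@r" + i;
                comm.Parameters.Add(names[i], SqlDbType.NVarChar, 50).Value = roles[i];
            }
            comm.CommandText =
                "SELECT EmployeeID, Name, Department FROM Employees " +
                "WHERE Department IN (" + string.Join(", ", names) + ") " +
                "ORDER BY Name";

            List<string> result = new List<string>();
            conn.Open();
            using (SqlDataReader reader = comm.ExecuteReader())
            {
                while (reader.Read())
                {
                    result.Add(reader.GetInt32(0) + ": " + reader.GetString(1)
                               + " (" + reader.GetString(2) + ")");
                }
            }
            return result;
        }
    }
}
```

Call it from Page_Load with User.Identity.Name and bind the result to the list. It pairs naturally with the first approach Imar describes: a per-page authorization rule in Web.config (or a User.IsInRole check in Page_Load) stops a user opening another department's page at all, and the role-filtered query makes sure that even a page the user can reach never returns another department's rows.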
  #4 (permalink)  
Old February 27th, 2012, 11:37 PM
Friend of Wrox
Points: 1,905, Level: 17
Points: 1,905, Level: 17 Points: 1,905, Level: 17 Points: 1,905, Level: 17
Activity: 0%
Activity: 0% Activity: 0% Activity: 0%
 
Join Date: May 2011
Posts: 411
Thanks: 13
Thanked 7 Times in 7 Posts
Default This is a really tough question but I think that I might have a solution:

Given the following code for the Webmaster page in the markup view
Code:
<div class="Menu">
        <asp:LoginView ID="loginView" runat="server">
          <LoggedInTemplate>
            <asp:LoginName ID="loginName" runat="server"
                FormatString="Hello, {0}!" />
                 (<asp:LoginStatus ID="loginStatus" runat="server" />)
            <asp:SiteMapDataSource id="ImarProductionsSiteMap" runat="server"
                ShowStartingNode="false" />
            <asp:Menu id="ImarProductionsMenu" runat="server"
                DataSourceID="ImarProductionsSiteMap">
              <StaticItemTemplate>
                <img src="Images/book_closed.gif" alt="+"
                    width="16" height="16" style="border-width: 0;" />
                <%# Eval("Text") %>
              </StaticItemTemplate>
            </asp:Menu>
         </LoggedInTemplate>
          <AnonymousTemplate>
            <asp:LoginStatus ID="loginStatus" runat="server" />
          </AnonymousTemplate>
        </asp:LoginView> 
      </div>
      <!-- Content -->
      <div class="Content">
As you can see I can capture the user LoginName in the LoggedInTemplate. How would I capture the Password using the code example up above so that the password is not displayed? This way, after they log in successfully and go to the Default.aspx page, I can use their password (which in this case is their EmployeeID) and put it in a query in the form load so that I can find out which department they belong to. Here is the code for the Default.aspx page:
Code:
// Requires: using System.Configuration; using System.Data.SqlClient;
protected void Page_Load(object sender, EventArgs e)
  {
    // Read the employees list when initially loading the page
    if (!IsPostBack)
    {
      LoadEmployeesList();
      // Loads a DropDownList with the employee names and their EmployeeIDs
    }
  }
  private void LoadEmployeesList()
  {
    // Declare objects
    SqlConnection conn;
    SqlCommand comm;
    SqlDataReader reader;
    // Read the connection string from Web.config
    string connectionString =
        ConfigurationManager.ConnectionStrings[
        "ImarProductionsEmpDatabase"].ConnectionString;
    // Initialize connection
    conn = new SqlConnection(connectionString);
    // Create command
    // "Password" below is the poster's placeholder for the logged-in user's value
    comm = new SqlCommand(
        "SELECT EmployeeID, Name, DepartmentID FROM Employees WHERE DepartmentID = Password", conn);
    // Enclose database code in Try-Catch-Finally
    try
    {
      // Open the connection
      conn.Open();
      // Execute the command
      reader = comm.ExecuteReader();
      // Populate the list of employees
      employeesList.DataSource = reader;
      employeesList.DataValueField = "EmployeeID";
      employeesList.DataTextField = "Name";
      employeesList.DataBind();
      // Close the reader
      reader.Close();
    }
    catch
    {
      // Display error message
      dbErrorLabel.Text =
          "Error loading the list of employees!<br />";
    }
    finally
    {
      // Close the connection
      conn.Close();
    }
    // Disable the update button
    updateButton.Enabled = false;
    // Disable the delete button
    deleteButton.Enabled = false;
    // Clear any values in the TextBox controls
    nameTextBox.Text = "";
    userNameTextBox.Text = "";
    addressTextBox.Text = "";
    cityTextBox.Text = "";
    stateTextBox.Text = "";
    zipTextBox.Text = "";
    homePhoneTextBox.Text = "";
    extensionTextBox.Text = "";
    mobilePhoneTextBox.Text = "";
  }

 protected void selectButton_Click(object sender, EventArgs e)
  {
    // Declare objects
    SqlConnection conn;
    SqlCommand comm;
    SqlDataReader reader;
    // Read the connection string from Web.config
    string connectionString =
        ConfigurationManager.ConnectionStrings[
        "ImarProductions"].ConnectionString;
    // Initialize connection
    conn = new SqlConnection(connectionString);
    // Create command
    comm = new SqlCommand(
        "SELECT Name, Username, Address, City, State, Zip, " +
        "HomePhone, Extension, MobilePhone FROM Employees " +
        "WHERE EmployeeID = @EmployeeID", conn);
    // Add command parameters
    comm.Parameters.Add("@EmployeeID", System.Data.SqlDbType.Int);
    comm.Parameters["@EmployeeID"].Value =
        employeesList.SelectedItem.Value;
    // Enclose database code in Try-Catch-Finally
    try
    {
      // Open the connection
      conn.Open();
      // Execute the command
      reader = comm.ExecuteReader();
      // Display the data on the form
      if (reader.Read())
      {
        nameTextBox.Text = reader["Name"].ToString();
        userNameTextBox.Text = reader["Username"].ToString();
        addressTextBox.Text = reader["Address"].ToString();
        cityTextBox.Text = reader["City"].ToString();
        stateTextBox.Text = reader["State"].ToString();
        zipTextBox.Text = reader["Zip"].ToString();
        homePhoneTextBox.Text = reader["HomePhone"].ToString();
        extensionTextBox.Text = reader["Extension"].ToString();
        mobilePhoneTextBox.Text = reader["MobilePhone"].ToString();
      }
      // Close the reader 
      reader.Close();
      // Enable the Update button
      updateButton.Enabled = true;
      // Enable the Delete button
      deleteButton.Enabled = true;
    }
    catch
    {
      // Display error message
      dbErrorLabel.Text =
          "Error loading the employee details!<br />";
    }
    finally
    {
      // Close the connection
      conn.Close();
    }
  }
This is a really, really tough question I know, since it is not very easy to follow my logic, but I like to have a go at a very tough creative challenge every once in a while.
#5
February 28th, 2012, 12:56 AM
Friend of Wrox

I am getting ahead of myself.

I am getting way ahead of myself on all of this and for that I really do apologize. I guess the question I am really asking is: is there any way to capture the value that is in the password field of the Login control and put it in a session object so that it can be passed around to other webpages, so that the password value from the Login control can then be used as a parameter in SQL queries? That is really the question I was trying to ask. Sorry about that. My bad.
#6
February 28th, 2012, 02:54 AM
Imar (Wrox Author)

That's pretty easy to do. Just handle the LoggedIn event and add the password to a session variable:
Code:
protected void LoginUser_LoggedIn(object sender, EventArgs e)
{
  Session["UserPass"] = LoginUser.Password;
}
Question is: why would you want to do this? IMO, it would be much better to use the user name instead, which you can always retrieve from User.Identity.Name.

Cheers,

Imar
  #7 (permalink)  
Old February 28th, 2012, 06:19 PM
Friend of Wrox
Points: 1,905, Level: 17
Points: 1,905, Level: 17 Points: 1,905, Level: 17 Points: 1,905, Level: 17
Activity: 0%
Activity: 0% Activity: 0% Activity: 0%
 
Join Date: May 2011
Posts: 411
Thanks: 13
Thanked 7 Times in 7 Posts
Default The Reason being is that....

I want to use the password as being interchangeable with their EmployeeID#. The EmployeeID# is unique unto itself. So by knowing the Password, I also know the EmployeeID# and I can extract information from the database about their names, the department they work in, the Department ID etc, etc. Once I know their password/EmployeeID# and can pass it to the other page as part of a session object, then I can insert it into parameterized SQL queries and Stored Procedures. User names do me no good because of the simple fact that there can be more than one person with the same name in our database. There are currently probably at least five Karen Rodriguez's in our database. Putting in Karen Rodriguez as a parameter to a SQL query or a stored procedure would probably pull back five different people with the same name. The question I now have for you would be very simple: is LoginUser_LoggedIn an event that I can access via the properties page in the Properties explorer, you know the little yellow lightning bolt thingy? Also in the example as explained on pages 584-6, after you successfully log in, how does the application know to redirect you to the Default.aspx page? I can't find where that exists in the code. No Response.Redirects anywhere.
#8
February 28th, 2012, 06:22 PM
Friend of Wrox

Session objects

I just wanted to add that no two Employees of the firm have the same EmployeeID#. That is the one primary key that separates them from one another in the Database. Also I noticed that you didn't go too deep into session objects in your book. Just curious, any reason why? Or is that more of an advanced topic for more of an advanced book?

Thanks once again.
#9
March 1st, 2012, 01:37 PM
Imar (Wrox Author)

I still do not understand (and agree) why you need the password. The user ID should be unique, and should be enough to determine user specific content.

I didn't talk about sessions in my book. Not because it's too advanced, but because you should typically stay away from them if you can.... ;-) They can easily be abused and cause problems when you start storing large objects in them.

Cheers,

Imar
  #10 (permalink)  
Old March 1st, 2012, 06:44 PM
Friend of Wrox
Points: 1,905, Level: 17
Points: 1,905, Level: 17 Points: 1,905, Level: 17 Points: 1,905, Level: 17
Activity: 0%
Activity: 0% Activity: 0% Activity: 0%
 
Join Date: May 2011
Posts: 411
Thanks: 13
Thanked 7 Times in 7 Posts
Default The Reason being is that....

Quote (Imar): I still do not understand (and agree) why you need the password. The user ID should be unique, and should be enough to determine user specific content.

The reason being is that the Users are stored in the Employee Database as:

User ID            EmployeeIDNo./(Password)
Karen Rodriguez    1345894   ----> which is also the Employee ID# that is on their Employee ID badges

So hence you have an Employee Database that looks something like this:

Employee Table:                                        Department (table):
USER ID            EmployeeIDNo     DepartNo.          DepartNo.   Department
Karen Rodriguez    1348488 (PK)     1                  1           Accounting
Karen Rodriguez    1383383          5  (FK ---> PK)    5           Marketing
Karen Rodriguez    14773838         12                 12          Sales
Karen Rodriguez    17663636         7                  7           Payroll
Karen Rodriguez    84894949         9                  9           Research


How do you determine which Karen Rodriguez to pull back from the database?
Good question. You have to use the EmployeeID#, which is unique and sets apart the different Karen Rodriguez's from one another. The Employee ID# is the primary key for the Employee table in the database. The Department column shown up above is normalized and is in a different database table, with the DepartNo. in the Employee Table being the foreign key link to the Departments table. In the Departments table you have the primary key being a SQL Server seeded # and a different attribute for the description such as Accounting, Payroll, Research, etc, etc. It may not be the best way to set up a database, but I didn't do it, the DBA did. So you live with what you have to deal with. I don't know, maybe this might make a good real world example to use when you publish your new ASP.NET 4.5 book later on.
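An added example, not Imar's code and not from the book, that does what Imar suggests in post #6 (work from the login name, not the password) against the tables the poster lays out in post #10: Employees with EmployeeID as primary key and DepartNo./DepartmentID as foreign key to a Departments table that holds the description. It assumes one extra column, Employees.UserName, that stores the membership login name (the login name is unique by construction even when five employees are called Karen Rodriguez), a Departments.Description column, a Login control with ID="LoginUser", and the connection string name "ImarProductionsEmpDatabase" from the poster's Default.aspx code. It handles the Login control's Authenticate event rather than LoggedIn so that a login with no matching employee row can be refused; only the two integer IDs go into Session, never the password, and the Login control's own redirect to Default.aspx still happens afterwards.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.Security;
using System.Web.UI.WebControls;

// Added example, not from the book or the thread. Assumed schema:
//   Employees(EmployeeID int PK, UserName nvarchar, Name, DepartmentID int FK)
//   Departments(DepartmentID int PK, Description nvarchar)
// Employees.UserName and Departments.Description are assumptions; the keys are
// the poster's schema. The Login control on the page has ID="LoginUser".
public partial class Login : System.Web.UI.Page
{
    private sealed class EmployeeInfo
    {
        public int EmployeeID;
        public int DepartmentID;
        public string Department;
    }

    // Wire up in markup as OnAuthenticate="LoginUser_Authenticate", or pick the
    // Authenticate event from the events list (lightning bolt) in the Properties window.
    protected void LoginUser_Authenticate(object sender, AuthenticateEventArgs e)
    {
        // 1. Check the credentials against the membership store as usual.
        if (!Membership.ValidateUser(LoginUser.UserName, LoginUser.Password))
        {
            e.Authenticated = false;
            return;
        }

        // 2. Resolve the (unique) login name to the employee row.
        EmployeeInfo info = LookupEmployee(LoginUser.UserName);
        if (info == null)
        {
            // Valid account but no employee record: refuse rather than start a
            // session that no department filter applies to.
            LoginUser.FailureText = "No employee record is linked to this account.";
            e.Authenticated = false;
            return;
        }

        // 3. Keep only the small integers later pages need for their WHERE clauses.
        //    The password has done its job and is not stored anywhere.
        Session["EmployeeID"] = info.EmployeeID;
        Session["DepartmentID"] = info.DepartmentID;
        e.Authenticated = true;
        // The Login control now issues the forms-authentication cookie, raises
        // LoggedIn, and redirects to the ReturnUrl query string value or, failing
        // that, to DestinationPageUrl / the defaultUrl in Web.config (Default.aspx).
    }

    private static EmployeeInfo LookupEmployee(string userName)
    {
        string connectionString = ConfigurationManager
            .ConnectionStrings["ImarProductionsEmpDatabase"].ConnectionString;

        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand comm = new SqlCommand(
            "SELECT e.EmployeeID, e.DepartmentID, d.Description " +
            "FROM Employees e " +
            "INNER JOIN Departments d ON d.DepartmentID = e.DepartmentID " +
            "WHERE e.UserName = @UserName", conn))
        {
            // Parameterized: the login name never becomes part of the SQL text.
            comm.Parameters.Add("@UserName", SqlDbType.NVarChar, 256).Value = userName;
            conn.Open();
            using (SqlDataReader reader = comm.ExecuteReader())
            {
                if (!reader.Read())
                {
                    return null;
                }
                return new EmployeeInfo
                {
                    EmployeeID = reader.GetInt32(0),
                    DepartmentID = reader.GetInt32(1),
                    Department = reader.GetString(2)
                };
            }
        }
    }
}
```

On Default.aspx the department-scoped query then reads WHERE DepartmentID = @DepartmentID with (int)Session["DepartmentID"] as the parameter value. Because the session lives on the server, a user cannot change which department they see by editing anything in the browser, which would not hold if the ID were carried in a query string, cookie or hidden field; and because only two integers are stored, the session stays as small as Imar's post #9 asks for.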