
Security models in ASP.NET. Authentication.
Author: Sergei Baklanov aspnetman@aspnetmania.com

Windows Authentication
Forms Authentication
Forms Authentication using XML file
Forms Authentication using web.config file
Forms Authentication using database
Forms Authentication with Web services
Passport Authentication

Forms Authentication with Web services

Let's assume you work for the XYZ company and have been given the task of developing an application that manages the company's personnel information. You have been working on this project for seven months when, for security reasons, you are suddenly instructed to publish the user information on another server, one that is actively used by a different department of your company. You are not given direct access to that server, so your project cannot query the user database published on it directly. To resolve the problem, it was decided to let you develop a Web service through which you control users' authentication.

This fictitious story introduces one more authentication model: authentication through Web services. Web services become especially valuable when you or your clients lack full access to the server. Beyond that, Web services are not limited to Web applications; they can also be consumed by software running on other platforms. This is possible thanks to SOAP (Simple Object Access Protocol), which runs over TCP/IP using the HTTP protocol.

To work with a Web service you first need to create it. To do so, start a new ASP.NET Web Service project.

Now insert the code of the login button's Click event handler from the previous example into the Web service source, after changing it slightly to the following form:

AuthSrvc.asmx:
Imports System.Data
Imports System.Data.SqlClient
Imports System.Web.Services

<System.Web.Services.WebService(Namespace := "http://tempuri.org/AuthSrvc/Service1")> _
Public Class Service1
    Inherits System.Web.Services.WebService

#Region " Web Services Designer Generated Code "

    Public Sub New()
        MyBase.New()

        'This call is required by the Web Services Designer.
        InitializeComponent()

        'Add your own initialization code after the InitializeComponent() call

    End Sub

    'Required by the Web Services Designer
    Private components As System.ComponentModel.IContainer

    'NOTE: The following procedure is required by the Web Services Designer
    'It can be modified using the Web Services Designer.  
    'Do not modify it using the code editor.
    <System.Diagnostics.DebuggerStepThrough()> Private Sub InitializeComponent()
        components = New System.ComponentModel.Container()
    End Sub

    Protected Overloads Overrides Sub Dispose(ByVal disposing As Boolean)
        'CODEGEN: This procedure is required by the Web Services Designer
        'Do not modify it using the code editor.
        If disposing Then
            If Not (components Is Nothing) Then
                components.Dispose()
            End If
        End If
        MyBase.Dispose(disposing)
    End Sub

#End Region

    ' Function that checks whether a user with the given name and password exists.
    ' ErrMessage is ByRef so that the caller receives a description of any database error.
    <WebMethod()> Public Function Authenticate(ByVal UserName As String, ByVal Password As String, _
        ByRef ErrMessage As String) As Boolean
        ' Connection string as used in the article; in production use a dedicated
        ' low-privilege SQL login instead of sa with an empty password.
        Dim cn As New SqlConnection("server=localhost;database=FormAuthUsers;uid=sa;pwd=;")
        Dim cm As New SqlCommand("FindUser", cn)
        Dim n As Integer

        ErrMessage = ""

        ' Open connection
        Try
            cn.Open()
        Catch ex As SqlException
            ' If there is an exception, pass its description to the ErrMessage parameter
            ErrMessage = ex.Message
            Exit Function
        End Try

        Try
            ' Set command type
            cm.CommandType = CommandType.StoredProcedure

            ' Add name parameter
            Dim prmName As New SqlParameter("@Name", SqlDbType.NVarChar, 50)
            prmName.Value = UserName
            cm.Parameters.Add(prmName)
            ' Add password parameter
            Dim prmPass As New SqlParameter("@Password", SqlDbType.NVarChar, 50)
            prmPass.Value = Password
            cm.Parameters.Add(prmPass)

            ' Execute request: FindUser returns the number of matching users
            n = CInt(cm.ExecuteScalar())
        Finally
            ' Close connection even if the query fails
            cn.Close()
        End Try

        ' Analyze the result we got
        If n > 0 Then
            ' If we found somebody, then authentication was successful
            Return True
        Else
            ' If not, the credentials are wrong
            Return False
        End If
    End Function
End Class

You can test the service right away by starting it in the Visual Studio .NET environment. If the service contains no errors, you will see a page with two hyperlinks. One leads to the Web service description in WSDL (Web Services Description Language), and the other (Authenticate) lets you test the service. Click the second hyperlink and enter the parameters into the table on the page that appears (fig.). If you enter John in the UserName field and one as the password, the function returns True:

http://localhost/AuthSrvc/AuthSrvc.asmx/Authenticate:
<?xml version="1.0" encoding="utf-8" ?> 
<boolean xmlns="http://tempuri.org/AuthSrvc/Service1">true</boolean>

If you change either of these values to an invalid one, i.e. one that is absent from the database, the result is the opposite: False. There is little point in discussing this function's code in detail, because it has much in common with its predecessor from the previous example. Nevertheless, we should pay attention to the exception handler. In the database listing it displayed an appropriate message whenever an exception occurred, whereas in the Web service we pass the error text to the ErrMessage parameter of Authenticate, which was declared ByRef in the signature:

' Open connection
Try
    cn.Open()
Catch ex As SqlException
    ' If there is exception, pass its description to ErrMessage parameter
    ErrMessage = ex.Message
    Exit Function
End Try

In the applications that use this service we will check this parameter and display an appropriate message whenever an error is reported.

Now let's create an application that uses this Web service. For a change, let's step aside from our topic and create a Windows application:
1. Create a new Windows Application project.
2. Change the form to make it look like the one in the figure, or simply add the code from the next listing to the constructor.

3. In the Solution Explorer window right-click the References folder and choose the Add Web Reference command in the context menu.
4. The Add Web Reference dialog box appears. Type the full path to the .asmx file into the URL field and start the search. You should see something similar to the next figure.

5. Click Add Reference and the reference to the specified Web service appears in your project.
Now we can write the program code that uses this Web service. All the necessary code is given below:
AuthSrvcRelease.vb:

Public Class Form1
    Inherits System.Windows.Forms.Form

#Region " Windows Form Designer generated code "

    Public Sub New()
        MyBase.New()

        'This call is required by the Windows Form Designer.
        InitializeComponent()

        'Add any initialization after the InitializeComponent() call

    End Sub

    'Form overrides dispose to clean up the component list.
    Protected Overloads Overrides Sub Dispose(ByVal disposing As Boolean)
        If disposing Then
            If Not (components Is Nothing) Then
                components.Dispose()
            End If
        End If
        MyBase.Dispose(disposing)
    End Sub

    'Required by the Windows Form Designer
    Private components As System.ComponentModel.IContainer

    'NOTE: The following procedure is required by the Windows Form Designer
    'It can be modified using the Windows Form Designer.  
    'Do not modify it using the code editor.
    Friend WithEvents Label1 As System.Windows.Forms.Label
    Friend WithEvents Label2 As System.Windows.Forms.Label
    Friend WithEvents txtName As System.Windows.Forms.TextBox
    Friend WithEvents txtPassword As System.Windows.Forms.TextBox
    Friend WithEvents cmdExit As System.Windows.Forms.Button
    Friend WithEvents cmdLogin As System.Windows.Forms.Button
    <System.Diagnostics.DebuggerStepThrough()> Private Sub InitializeComponent()
        Me.Label1 = New System.Windows.Forms.Label
        Me.Label2 = New System.Windows.Forms.Label
        Me.txtName = New System.Windows.Forms.TextBox
        Me.txtPassword = New System.Windows.Forms.TextBox
        Me.cmdExit = New System.Windows.Forms.Button
        Me.cmdLogin = New System.Windows.Forms.Button
        Me.SuspendLayout()
        '
        'Label1
        '
        Me.Label1.Location = New System.Drawing.Point(8, 8)
        Me.Label1.Name = "Label1"
        Me.Label1.Size = New System.Drawing.Size(40, 16)
        Me.Label1.TabIndex = 0
        Me.Label1.Text = "Name:"
        '
        'Label2
        '
        Me.Label2.Location = New System.Drawing.Point(8, 40)
        Me.Label2.Name = "Label2"
        Me.Label2.Size = New System.Drawing.Size(64, 16)
        Me.Label2.TabIndex = 1
        Me.Label2.Text = "Password:"
        '
        'txtName
        '
        Me.txtName.Location = New System.Drawing.Point(80, 5)
        Me.txtName.Name = "txtName"
        Me.txtName.Size = New System.Drawing.Size(216, 20)
        Me.txtName.TabIndex = 2
        Me.txtName.Text = ""
        '
        'txtPassword
        '
        Me.txtPassword.Location = New System.Drawing.Point(80, 37)
        Me.txtPassword.Name = "txtPassword"
        Me.txtPassword.PasswordChar = Microsoft.VisualBasic.ChrW(42)
        Me.txtPassword.Size = New System.Drawing.Size(216, 20)
        Me.txtPassword.TabIndex = 3
        Me.txtPassword.Text = ""
        '
        'cmdExit
        '
        Me.cmdExit.DialogResult = System.Windows.Forms.DialogResult.Cancel
        Me.cmdExit.Location = New System.Drawing.Point(216, 72)
        Me.cmdExit.Name = "cmdExit"
        Me.cmdExit.Size = New System.Drawing.Size(80, 24)
        Me.cmdExit.TabIndex = 4
        Me.cmdExit.Text = "Exit"
        '
        'cmdLogin
        '
        Me.cmdLogin.Location = New System.Drawing.Point(128, 72)
        Me.cmdLogin.Name = "cmdLogin"
        Me.cmdLogin.Size = New System.Drawing.Size(80, 24)
        Me.cmdLogin.TabIndex = 5
        Me.cmdLogin.Text = "Login"
        '
        'Form1
        '
        Me.AcceptButton = Me.cmdLogin
        Me.AutoScaleBaseSize = New System.Drawing.Size(5, 13)
        Me.CancelButton = Me.cmdExit
        Me.ClientSize = New System.Drawing.Size(304, 103)
        Me.Controls.Add(Me.cmdLogin)
        Me.Controls.Add(Me.cmdExit)
        Me.Controls.Add(Me.txtPassword)
        Me.Controls.Add(Me.txtName)
        Me.Controls.Add(Me.Label2)
        Me.Controls.Add(Me.Label1)
        Me.FormBorderStyle = System.Windows.Forms.FormBorderStyle.FixedDialog
        Me.MaximizeBox = False
        Me.MinimizeBox = False
        Me.Name = "Form1"
        Me.Text = "AuthSrvc Test application"
        Me.ResumeLayout(False)

    End Sub

#End Region

    Private Sub cmdLogin_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles cmdLogin.Click
        ' Create the proxy object generated by Add Web Reference
        Dim au As New localhost.Service1
        Dim sErr As String = ""
        Dim bln As Boolean

        ' Call the service; the proxy throws if the service cannot be reached
        Cursor = Cursors.WaitCursor
        Try
            bln = au.Authenticate(txtName.Text, txtPassword.Text, sErr)
        Catch ex As Exception
            MsgBox("Service call failed: " & ex.Message, MsgBoxStyle.Critical)
            Exit Sub
        Finally
            Cursor = Cursors.Default
        End Try
        ' - But first take possible exceptions on the server side into account
        If sErr <> "" Then
            MsgBox(sErr)
            Exit Sub
        End If
        ' - And now the basic check
        If bln Then
            MsgBox("Hello " & txtName.Text, MsgBoxStyle.Information)
        Else
            MsgBox("Wrong data!", MsgBoxStyle.Exclamation)
        End If
    End Sub

    Private Sub cmdExit_Click(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles cmdExit.Click
        End
    End Sub
End Class

In this example you can see very simple code: an ordinary call to a function that performs all the necessary operations on the server.

As mentioned above, Web services are based on SOAP, which is why applications running on other platforms can call them. We will not stray far from Windows, but let's try to call this Web service without using .NET at all, i.e. through SOAP directly. To do this, create the following script in Visual Basic Scripting Edition (VBScript) and run it:

SOAP.vbs:
' Create an instance of the SOAP Toolkit SoapClient object
Dim sc, s
Set sc = CreateObject("MSSOAP.SoapClient")
' Connect to the Web service through its WSDL description
sc.mssoapinit "http://localhost/AuthSrvc/AuthSrvc.asmx?WSDL"
' Call the Authenticate method; s receives the ByRef ErrMessage parameter
s = ""
If sc.Authenticate("John", "one", s) = True Then
	MsgBox "Hello John", 64
Else
	' Show the server-side error if one was passed back, otherwise the credentials were wrong
	If s <> "" Then
		MsgBox s, 16
	Else
		MsgBox "Wrong data!!", 48
	End If
End If

' Release the object reference
Set sc = Nothing

As you can see, using the SOAP object model you can access Web services from a variety of programming languages (even scripts!) and platforms.

But everything is not as ideal as it seems. Under the attractive surface of Web services lie hidden dangers, first of all their own security. The XML that Web services exchange is unprotected: anyone who can tap the connection can read and understand the data transmitted. To exclude, or more precisely to reduce, the probability of such an information leak, you must secure the Web service. There are a number of technologies for this purpose, but the three most widespread are firewall rules, Secure Sockets Layer (SSL), and Virtual Private Network (VPN).

If you know exactly which computers will use your Web service, the most convenient option is firewall rules, with which you set restrictions and permissions for particular IP addresses. This option is therefore mostly suited to local networks, where you need not worry too much about the confidentiality of the transferred data. Microsoft Internet Security and Acceleration (ISA) Server is a very convenient tool for this purpose: it provides extended policy rules that restrict or, conversely, open access to the information for particular clients.

SSL is best suited to the Internet. With SSL the data are encrypted before being transferred between server and client, and the received data are then authenticated, i.e. checked to be from the proper source. This is done using certificates that both server and client should have: on the one hand the certificates guarantee that the data reach the proper hands, and on the other hand you need to be sure that the receiver holds the appropriate certificate. So, to use SSL you need the following:

1. Get certificates: certificates can be commercial or trial. The difference is that a commercial certificate is officially registered in the buyer's name and costs money, while a trial certificate can be obtained free of charge, but without official registration. Certificates can be obtained at http://www.verisign.com/. Whatever type of certificate you order, you will need to load two of them: one for the server and another for the clients (the latter is also called the Certificate Authority (CA) certificate).
2. Configure your server and install certificates in the clients' browsers: for SSL requests to be authenticated successfully, certificates must be added both on the server and on the client machines. Moreover, client certificates are issued not to a computer but to a browser, i.e. if a user runs both Internet Explorer and Netscape, it is advisable to issue certificates for both browsers. Server certificates are likewise issued for different server types (at VeriSign you can find certificates for more than 50 types of server), but the difference is that they are rarely changed; you usually just install a new version.

Comment

But, despite the lack of official registration, a trial certificate is still legitimate.
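To tie the direct SOAP call from the VBScript listing to the SSL requirement just described, here is an added example (not part of the article, nor of the AuthSrvc project) that calls Authenticate from Python over raw SOAP 1.1, but only over HTTPS with the server certificate verified against a CA and, optionally, a client certificate presented, as in steps 1 and 2 above. The envelope layout (AuthenticateResult and the ByRef ErrMessage in the response, the SOAPAction header) follows the usual ASMX conventions for the service as declared in AuthSrvc.asmx and is an assumption, not a captured message; the sample responses, the service URL and the certificate paths are constructed placeholders. Building the request also makes visible what the article warns about: without SSL the password sits in the XML body in clear text.

```python
"""Added example: call AuthSrvc.Authenticate over raw SOAP 1.1 from Python,
refusing to send the password unless the connection is protected by TLS."""
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from typing import Optional, Tuple
from xml.sax.saxutils import escape

# Namespace declared on the WebService attribute in AuthSrvc.asmx.
SERVICE_NS = "http://tempuri.org/AuthSrvc/Service1"
SOAP_ENV_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# Assumption: ASMX forms the SOAPAction header as namespace + "/" + method name.
SOAP_ACTION = SERVICE_NS + "/Authenticate"


def build_authenticate_request(user_name: str, password: str) -> bytes:
    """Build the SOAP 1.1 envelope for Authenticate(UserName, Password, ByRef ErrMessage).

    ErrMessage is ByRef, so the request carries it too (empty). The password is
    a plain element in the body: on an unencrypted connection anyone tapping
    the wire reads it, which is the article's point about SSL.
    """
    body = (
        '<?xml version="1.0" encoding="utf-8"?>'
        f'<soap:Envelope xmlns:soap="{SOAP_ENV_NS}"><soap:Body>'
        f'<Authenticate xmlns="{SERVICE_NS}">'
        f"<UserName>{escape(user_name)}</UserName>"
        f"<Password>{escape(password)}</Password>"
        "<ErrMessage></ErrMessage>"
        "</Authenticate></soap:Body></soap:Envelope>"
    )
    return body.encode("utf-8")


def parse_authenticate_response(xml_bytes: bytes) -> Tuple[bool, str]:
    """Return (authenticated, err_message) from an AuthenticateResponse envelope.

    ASMX places the return value in AuthenticateResult and the ByRef parameter
    in ErrMessage. A non-empty ErrMessage means the service caught a database
    exception and returned False, so the caller checks it before trusting the
    boolean, just as the Windows client in the article does.
    """
    root = ET.fromstring(xml_bytes)
    ns = {"soap": SOAP_ENV_NS, "s": SERVICE_NS}
    resp = root.find("soap:Body/s:AuthenticateResponse", ns)
    if resp is None:
        raise ValueError("not an AuthenticateResponse envelope")
    result = resp.findtext("s:AuthenticateResult", default="false", namespaces=ns)
    err = resp.findtext("s:ErrMessage", default="", namespaces=ns)
    return result.strip().lower() == "true", err.strip()


def make_tls_context(ca_file: Optional[str] = None,
                     client_cert: Optional[str] = None) -> ssl.SSLContext:
    """TLS context that verifies the server certificate (step 1: CA certificate)
    and optionally presents a client certificate (step 2)."""
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED + hostname check
    if client_cert:
        ctx.load_cert_chain(client_cert)  # PEM with client cert and key (placeholder path)
    return ctx


def authenticate(service_url: str, user_name: str, password: str,
                 ca_file: Optional[str] = None, client_cert: Optional[str] = None,
                 timeout: float = 10.0) -> Tuple[bool, str]:
    """POST the envelope to the .asmx endpoint over HTTPS and parse the answer."""
    if not service_url.lower().startswith("https://"):
        # Refuse plain HTTP outright: the password would cross the network unencrypted.
        raise ValueError("Authenticate must be called over https://")
    req = urllib.request.Request(
        service_url,
        data=build_authenticate_request(user_name, password),
        headers={"Content-Type": "text/xml; charset=utf-8",
                 "SOAPAction": f'"{SOAP_ACTION}"'},
        method="POST",
    )
    ctx = make_tls_context(ca_file, client_cert)
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return parse_authenticate_response(resp.read())


# Constructed sample responses in the shape ASMX returns (not captured from a real server).
SAMPLE_OK = (b'<?xml version="1.0" encoding="utf-8"?>'
             b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
             b'<soap:Body><AuthenticateResponse xmlns="http://tempuri.org/AuthSrvc/Service1">'
             b'<AuthenticateResult>true</AuthenticateResult><ErrMessage />'
             b'</AuthenticateResponse></soap:Body></soap:Envelope>')
SAMPLE_DB_ERROR = SAMPLE_OK.replace(
    b'<AuthenticateResult>true</AuthenticateResult><ErrMessage />',
    b'<AuthenticateResult>false</AuthenticateResult>'
    b"<ErrMessage>Login failed for user 'sa'.</ErrMessage>")

if __name__ == "__main__":
    print(build_authenticate_request("John", "one").decode())
    print(parse_authenticate_response(SAMPLE_OK))        # (True, '')
    print(parse_authenticate_response(SAMPLE_DB_ERROR))  # (False, "Login failed for user 'sa'.")
```

A real call looks like authenticate("https://auth.example.test/AuthSrvc/AuthSrvc.asmx", "John", "one", ca_file="ca.pem", client_cert="client.pem") with placeholder host and file names; the https-only check is deliberate so the TLS protection cannot be bypassed by a mistyped URL, and the ErrMessage check mirrors the exception handling the article adds to its clients.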
A VPN is an extension of a local network over a global one, the Internet in particular. For example, a user working on a remote machine can connect to the local network using VPN technology with the Internet as the network connection. With this technology you can transfer data between computers over a secure connection, because a VPN has the same security tools as the local network. One of VPN's drawbacks is the need for a lasting connection to work effectively. For data exchange, a VPN uses the following protocols: Microsoft Point-to-Point Tunneling Protocol (PPTP), supplied with Windows NT 4.0 and Windows 2000, or Layer Two Tunneling Protocol (L2TP), available in Windows 2000.

Comment

Only the operating systems in which these protocols first became available are listed; later versions, for example Windows XP and Windows Server 2003, include them as well.

Web services and their security tools are very interesting and hot topics, especially since the popularity of Web services grew tremendously after the .NET Framework and VS.NET appeared. But we will not go deeper into the details; instead we return to the flow of this article. You can easily learn these technologies yourself; all you need is a little desire, patience, and spare time. I can only give you some guide marks to point you in the right direction:
- http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/default.asp
- http://www.microsoft.com/isaserver
- http://support.microsoft.com/default.aspx?scid=kb;EN-US;q307267
- http://www.w3.org/TR/wsdl.html
- http://www.w3.org/TR/SOAP/


  © 1999 - 2005 XLineSoft. All rights reserved. All comments send to webmaster@xlinesoft.com