
1 CS 3870/CS 5870: Note 07 Lab 3 Lab 4 Test 1: Two Tables.

Date post: 16-Jan-2016
Upload: lucy-king

CS 3870/CS 5870: Note 07

Lab 3

Lab 4

Test 1: Two Tables


Lab 4: Authentication and Authorization

Sample Web Site: https://xray.ion.uwplatt.edu/CS3870/lab4/


Lab 4

• Copy folder Lab3 as Lab4

• Modify master page

• Modify other pages (top line of the source file)

• Create new pages

• Modify NavigationURL of master page (Page Properties) (Click on Page in Source View)


Database

• Same database as Lab3

• Using both tables


Accessing Multiple Tables Using Multiple Sets of Variables

Private Const ConStr As String = "Provider=Microsoft.ACE.OLEDB.12.0; " & _
                                 "Data Source=|DataDirectory|\UWPCS3870.accdb"

' One connection for one database
Private Shared con As New Data.OleDb.OleDbConnection

' One set of variables for each table
Private Shared prodAdapter As System.Data.OleDb.OleDbDataAdapter
Private Shared prodBuilder As System.Data.OleDb.OleDbCommandBuilder
Private Shared prodCmd As New Data.OleDb.OleDbCommand
Public Shared tblProduct As New Data.DataTable

Private Shared memberAdapter As System.Data.OleDb.OleDbDataAdapter
Private Shared memberBuilder As System.Data.OleDb.OleDbCommandBuilder
Private Shared memberCmd As New Data.OleDb.OleDbCommand
Public Shared tblMember As New Data.DataTable


Accessing Multiple Tables Using One Set of Variables

Private Const ConStr As String = "Provider=Microsoft.ACE.OLEDB.12.0; " & _
                                 "Data Source=|DataDirectory|\UWPCS3870.accdb"

' One connection for one database
Private Shared con As New Data.OleDb.OleDbConnection

' Could use one set of variables for multiple tables
Private Shared myAdapter As System.Data.OleDb.OleDbDataAdapter
Private Shared myBuilder As System.Data.OleDb.OleDbCommandBuilder
Private Shared myCmd As New Data.OleDb.OleDbCommand
Public Shared tblProduct As New Data.DataTable
Public Shared tblMember As New Data.DataTable


Database

• Same database as Lab3

• Using both tables

• I used one set of variables and one data table only for Lab4


Function GetUserRole

Public Shared Function GetUserRole(. . .) As String
    ' Setup the command
    Try
        con.Open()
        GetUserRole = cmd.ExecuteScalar()
    Catch ex As Exception
        ' Rethrow without resetting the stack trace
        Throw
    Finally
        con.Close()
    End Try
End Function


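Query of GetUserRole

SQL Query

Select Role from Member
Where UserName = username
And Password = password

VB.NET command text

' username and password are spliced into the SQL text itself,
' so a quote character in either value changes the statement
cmd.CommandText = "Select Role from Member " &
                  "Where UserName = '" & username & "' " &
                  " And Password = '" & password & "'"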
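
The command text above places the user's input inside the SQL statement, so a user name such as O'Brien already breaks the query and any quote in either field changes what it does. The same lookup with OleDb parameters, as an added example that is not part of the original notes; it reuses the connection string and Member table from the earlier slides, and the class name DataClassExample is hypothetical:

```vbnet
Imports System.Data.OleDb

' Added example (not from the original notes).
Public Class DataClassExample   ' hypothetical class name

    ' Same connection string as on the earlier slides
    Private Const ConStr As String = "Provider=Microsoft.ACE.OLEDB.12.0; " &
                                     "Data Source=|DataDirectory|\UWPCS3870.accdb"

    ' Returns the role of the matching member, or "" when no row matches.
    Public Shared Function GetUserRole(ByVal username As String,
                                       ByVal password As String) As String
        ' A missing value can never match a row
        If username Is Nothing OrElse password Is Nothing Then
            Return ""
        End If

        ' OLE DB parameters are positional: each ? is filled in the order
        ' the parameters are added, and the parameter names are only labels.
        ' Password is bracketed because it is a reserved word in Access SQL.
        Const Sql As String = "Select Role from Member " &
                              "Where UserName = ? And [Password] = ?"

        ' Using closes the connection even when an exception is thrown
        Using con As New OleDbConnection(ConStr)
            Using cmd As New OleDbCommand(Sql, con)
                ' The values travel separately from the SQL text, so quotes
                ' or SQL keywords inside them are treated as plain data.
                cmd.Parameters.AddWithValue("@UserName", username)
                cmd.Parameters.AddWithValue("@Password", password)

                con.Open()
                Dim result As Object = cmd.ExecuteScalar()

                ' ExecuteScalar returns Nothing when the query yields no row
                If result Is Nothing OrElse IsDBNull(result) Then
                    Return ""
                End If
                Return result.ToString()
            End Using
        End Using
    End Function
End Class
```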


Using DataTable

' Need Try-Catch-Finally
Public Shared Function GetUser(ByVal UserName As String,
                               ByVal Password As String,
                               ByRef role As String) As String
    ' using adapter to fill tblLogin
    If tblLogin.Rows.Count > 0 Then
        ' Role is the 4th column
        role = tblLogin.Rows(0)(3).ToString()
    Else
        role = ""
    End If
    ' Return on both paths, so a failed lookup yields "" instead of Nothing
    Return role
End Function

Query of GetUser

Select * from Member
Where UserName = username
And Password = password


Using DataTable Method Find

' Table tblMember is loaded already (all records)
' May miss recent updates to table Member
Protected Sub btnLogin(. . .) Handles btnLogin.Click
    . . .
    ' username is the PK
    row = DataClass.tblMember.Rows.Find(username)
    If Not row Is Nothing Then
        . . .
    Else
        . . .
    End If
End Sub


Function GetUserCount

Public Shared Function GetUserCount(ByVal UserName As String,
                                    ByVal Password As String) As Integer
    Try
        Dim num As Integer
        num = cmd.ExecuteScalar()
        Return num
    Catch ex As Exception
        . . .
    Finally
        con.Close()
    End Try
End Function

Query of GetUserCount (Not for Lab4)

Select count(*) from Members
Where UserName = username
And Password = password


Web.Config

• Machine.config
  – Machine level settings
  – Default settings for all Web applications

• Application Web.config
  – Under the application root directory
  – Applies to the entire application
  – Overrides some settings set in Machine.config

• Local Web.config
  – A sub-folder can have its own Web.config file
  – Overrides some settings set in a higher level Web.config
  – Not every setting can be set in a local Web.config
    • AUTHENTICATION must be set in the application Web.config
    • AUTHORIZATION can be different for different sub-folders

• Page Directives
  – Apply to the page only
  – Override settings set in Web.config


Web.Config

• Application Configuration

• Authentication

<system.web>
  <authentication mode="Forms" >
    <forms name="formsAuth"
           loginUrl="lab4/login.aspx"
           path="/"
           protection="All"
           defaultUrl="~/Lab4/Default.aspx"
           timeout="60"/>
  </authentication>
</system.web>


Authentication

• To identify the user

• Four Modes

– Windows: IntraNet

– Forms : Internet

– Passport: MS

– None


Web.Config

Forms Based (Cookies)

– name : cookie's name

– loginUrl : default is login.aspx

– path : the location to save the cookie, default is /

– protection : the amount of protection applied to the cookie
  • Encryption
  • Validation
  • All (both, default)
  • None

– timeout : minutes (default 30)
  a durable cookie could be issued

– defaultUrl : if the user requests the login.aspx page
  Otherwise, go to the requested page


Authorization

• What the user can do

• Application Configuration

<system.web>
  <authentication mode="Forms">
  </authentication>
</system.web>

<location path="Lab4">
  <system.web>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</location>

<!-- could have multiple locations -->


Authorization

• Web.Config inside a subfolder

<system.web>

<authorization>

<deny users="?" />

</authorization>

</system.web>


Authorization

<deny users="*" />

<allow users="*" />

<allow users="[comma separated list of users]"
       roles="[comma separated list of roles]"
       verbs="[comma separated list of verbs]"/>

<deny users="[comma separated list of users]"
      roles="[comma separated list of roles]"
      verbs="[comma separated list of verbs]"/>

* : everyone

? : anonymous

verbs: POST, GET, HEADER, DEBUG


Authorization

In Web.config for a sub-folder

<authorization>
  <allow users="10001" />
  <deny users="*" />
</authorization>

<!-- allow anonymous users even if authentication is required in the application Web.config -->

<allow users="?" />

Not needed any more after using the location tag.


Master Page

• The page is loaded before each content page using the master page

• Controls on master page

• Event procedures on master page


Loading Lab4MasterPage

Protected Sub Page_Load(…) Handles Me.Load
    If Session("UserName") = "" Then
        ' UserName and Password
        ' Login
        ' And others
    Else
        ' UserName and Role
        ' Logoff
        ' And others
    End If
End Sub


Button Login on the Master Page

Protected Sub btnLogin_Click(…) Handles btnLogin.Click
    Dim username, password, role As String
    'If Session("UserName") = "" Then
    If btnLogin.Text = "Login" Then
        ' Login
    Else
        ' Logoff
    End If
End Sub


Login

Protected Sub btnLogin_Click(…) Handles btnLogin.Click
    Dim username, password, role As String
    . . .
    If btnLogin.Text = "Login" Then
        role = DataClass.GetUserRole(username, password)
        If role = "Admin" Or role = "Customer" Then
            ' set Session variables
            ' Redirects an authenticated user back to the requested URL
            ' UserName: Name of the user
            ' True to create a durable cookie (one that is saved across
            ' browser sessions); otherwise, false
            FormsAuthentication.RedirectFromLoginPage(username, False)
        Else
            ' message
        End If
    Else
        ' Logoff
    End If
End Sub


Logoff

Protected Sub btnLogin_Click(…) Handles btnLogin.Click
    Dim username, password, role As String
    If btnLogin.Text = "Login" Then
        ' Login
    Else
        FormsAuthentication.SignOut()
        ' Session_End?
        Server.Transfer("Login.aspx")
    End If
End Sub


Removing Child Node From TreeView

' on master page
Protected Sub Page_Load(…) Handles Me.Load
    If Session("UserName") = "" Then
        ' UserName and Password
        ' Login
    Else
        ' UserName and Role
        ' Logoff
        If Session("Role") <> "Admin" And ? Then
            ' The child collection of a TreeNode is ChildNodes
            TreeView1.Nodes(2).ChildNodes.RemoveAt(2)
        End If
    End If
End Sub


Rejecting Customer Accessing Page Updating.Aspx

' Does not allow the user to come to the page
' Even if the link is removed,
' the user may know the page
Protected Sub Page_Load(…) Handles Me.Load
    If Session("Role") <> "Admin" Then
        Server.Transfer("Default.aspx")
        'Response.Redirect("Default")
    End If
End Sub
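
The Session("Role") test above has to be repeated in every restricted page. As an added example (not part of the original notes), the role can instead be carried in the forms-authentication ticket so that the roles attribute shown on the Authorization slides is enforced by ASP.NET itself; the class and method names are hypothetical, and the 60 minutes match the timeout="60" setting shown earlier:

```vbnet
Imports System.Security.Principal
Imports System.Web
Imports System.Web.Security

' Added example (not from the original notes).
Public Class RoleTicket   ' hypothetical helper class

    ' Call from btnLogin_Click after GetUserRole has returned a valid role,
    ' in place of FormsAuthentication.RedirectFromLoginPage.
    Public Shared Sub SignIn(ByVal username As String, ByVal role As String)
        Dim ctx As HttpContext = HttpContext.Current

        ' Version 1, non-durable ticket, valid for 60 minutes;
        ' the role is carried in the ticket's UserData field.
        Dim ticket As New FormsAuthenticationTicket(
            1, username, DateTime.Now, DateTime.Now.AddMinutes(60), False, role)

        ' Encrypt applies the protection configured on the <forms> element
        Dim cookie As New HttpCookie(FormsAuthentication.FormsCookieName,
                                     FormsAuthentication.Encrypt(ticket))
        cookie.HttpOnly = True
        cookie.Path = FormsAuthentication.FormsCookiePath
        ctx.Response.Cookies.Add(cookie)
        ctx.Response.Redirect(FormsAuthentication.GetRedirectUrl(username, False))
    End Sub

    ' Call from Application_AuthenticateRequest in Global.asax,
    ' passing HttpContext.Current.
    Public Shared Sub AttachRole(ByVal ctx As HttpContext)
        Dim cookie As HttpCookie = ctx.Request.Cookies(FormsAuthentication.FormsCookieName)
        If cookie Is Nothing OrElse cookie.Value = "" Then Return

        Dim ticket As FormsAuthenticationTicket
        Try
            ticket = FormsAuthentication.Decrypt(cookie.Value)
        Catch ex As Exception
            Return   ' tampered or malformed cookie: the request stays anonymous
        End Try
        If ticket Is Nothing OrElse ticket.Expired Then Return

        ' From here on User.IsInRole and the roles attribute of
        ' <allow>/<deny> see the role stored at login.
        ctx.User = New GenericPrincipal(New FormsIdentity(ticket),
                                        New String() {ticket.UserData})
    End Sub
End Class
```

With the principal set this way, an `<allow roles="Admin" />` followed by `<deny users="*" />` in the authorization section that covers Updating.aspx lets ASP.NET reject customers before Page_Load runs.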

