

Manage Custom Security Credentials the Smart (Client) Way : Page 4

By default, you can only manage the security credentials of the SQL Server database that ships with ASP.NET 2.0 using a local instance of Visual Studio 2005. This article shows how to extend the management capabilities by wrapping the ASP.NET 2.0 providers with a Web service and using a Windows Forms application to manage the credentials store.





The Credentials Manager Application
The source code available with this article contains the Credentials Manager application—a rich user interface Windows Forms application that uses the Web service interfaces described in the previous sections to manage the security credentials store for any number of applications.

The application imports the definition of the five Web interfaces, and it uses those interfaces exclusively. The application has a Web service proxy class called AspNetSqlProviderService that targets the service. You need to manually add the derivation from the imported interfaces to the service.

Figure 4. The Applications Tab: This tab lets you select which application to configure.

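using System.Net;
using System.Web.Services.Protocols;

partial class AspNetSqlProviderService : SoapHttpClientProtocol,
   IMembershipManager, IUserManager, IPasswordManager,
   IApplicationManager, IRoleManager
{
   public AspNetSqlProviderService()
   {
      // Integrated Windows authentication: use the current thread's security token
      Credentials = CredentialCache.DefaultCredentials;
      // Service address comes from the Designer-generated Settings class
      Url = Settings.Default.AspNetSqlProviderService;
   }
   //Rest of the implementation
}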

To support Integrated Windows authentication, the constructor of the proxy class sets the Credentials property using the static property DefaultCredentials of CredentialCache, which simply reads the security token from the current thread. In addition, the constructor reads the Web service address from the application configuration class utilizing the Designer-generated Settings class.

Figure 5. The Users Tab: This tab lists all the users in the selected application.
Using the application is intuitive enough, so I will just walk you through the main screens and options. The Applications tab (see Figure 4) allows you to select which application to configure.

Selecting an application here affects all the other tabs—that is, all users and roles in the other tabs pertain to the selected application in the Applications tab. You can create and delete an application or delete all applications. The Users tab lists all the users in the selected application.

You can create or delete a user. If you delete a user but leave the "All Data" checkbox unchecked, it will delete the user but maintain its role membership information. You can update a user account or delete all users. Depending on the password policy returned from the AspNetSqlProviderService Web service, you may or may not be able to change or reset the password, and may or may not need the password answer. The buttons on the Users tab and the dialogs it displays are enabled or disabled accordingly.

On the right-hand side of the Users tab are statistics such as the current number of users on-line. The Roles tab allows you to add roles to the application.

Figure 6. The Roles Tab: This tab lets you add roles to the application.
When deleting a role, if the "Fail if populated" checkbox is checked, it will not let you delete the role if it has any members. The left-side list view shows all the users in the application. You can add or remove a user from a role, or remove a user from all the roles. At the bottom, the "Users in role" combo box shows all the users in the selected role above, and the "Roles for User" combo box shows all the roles for the selected user above (see Figure 3).

The Passwords tab shown in Figure 7 lists the configured password policy and allows you to generate a password that complies with the specified password strength policy.

Figure 7. The Passwords Tab: You use this tab to generate a password.
The Credentials Service tab lets you select the Web service to use. Upon startup, the Credentials Manager application reads that address from the application configuration file. This tab displays the selected Web service. If the address is invalid, that is, the service does not support all the required functionality, then all controls in the application are empty and disabled. You can provide a different address, and the Web browser control below will display that service. However, you can only select a Web service address (by clicking the Select button) if the service supports the required Web methods (a valid Web service). If the service is invalid, the Select button is disabled.

Figure 8. The Credentials Service Tab: Use this tab to select which Web service to use.
Unfortunately, there is no built-in support in .NET 2.0 for validating that a service supports a particular binding or Web interface, so I had to do that manually. Listing 6 shows the RefreshSelectButton() and ContainsInterface() helper methods. RefreshSelectButton() first disables the Select button and the matching menu item. It then verifies that the specified address is that of a .NET Web service. Next, it accesses the content of the page displayed in the Web browser control and verifies that it contains methods that support all the interfaces. This is done by calling the ContainsInterface() method, providing it with the content of the page and the interface type to verify. ContainsInterface() verifies the type is that of an interface and obtains an array of MethodInfo objects identifying each method on the interface. It then defines an anonymous method that accepts a single MethodInfo instance and verifies that the content contains that method using the Contains() method of the string class. ContainsInterface() uses the static TrueForAll<T>() method of the Array class.

public delegate bool Predicate<T>(T obj);
public abstract class Array : ...
{
   public static bool TrueForAll<T>(T[] array, Predicate<T> match);
}

ContainsInterface() provides TrueForAll() with the array of MethodInfo objects and the predicate in the form of the anonymous method. TrueForAll<T>() will return true only if all the methods were found in the content.
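The ContainsInterface() check described above, written out as an added example (this is not Listing 6 and not the author's code); ISampleRoleManager, ContainsInterfaceStrict() and the page string are hypothetical and constructed for illustration. It goes one step beyond the text by adding a whole-identifier variant, because a plain Contains() match also accepts a longer method name that merely begins with the required one.

```csharp
using System;
using System.Reflection;
using System.Text.RegularExpressions;

// Hypothetical stand-in for one of the imported Web interfaces.
public interface ISampleRoleManager
{
    void CreateRole(string application, string role);
    bool DeleteRole(string application, string role, bool throwOnPopulatedRole);
    string[] GetAllRoles(string application);
}

public static class ServiceValidation
{
    // The check as described in the text: every interface method name must
    // appear somewhere in the page content.
    public static bool ContainsInterface(string content, Type interfaceType)
    {
        if (content == null || interfaceType == null || !interfaceType.IsInterface)
            return false;
        MethodInfo[] methods = interfaceType.GetMethods();
        Predicate<MethodInfo> contains = delegate(MethodInfo method)
        {
            return content.Contains(method.Name);
        };
        return Array.TrueForAll(methods, contains);
    }

    // Stricter variant (assumption, not in the article): the name must appear as
    // a whole identifier, so "DeleteRoles" does not satisfy a check for "DeleteRole".
    public static bool ContainsInterfaceStrict(string content, Type interfaceType)
    {
        if (content == null || interfaceType == null || !interfaceType.IsInterface)
            return false;
        return Array.TrueForAll(interfaceType.GetMethods(), delegate(MethodInfo method)
        {
            return Regex.IsMatch(content, @"\b" + Regex.Escape(method.Name) + @"\b");
        });
    }

    public static void Main()
    {
        // Constructed page content: it lists DeleteRoles, not DeleteRole.
        string page = "CreateRole DeleteRoles GetAllRoles";
        Console.WriteLine(ContainsInterface(page, typeof(ISampleRoleManager)));
        Console.WriteLine(ContainsInterfaceStrict(page, typeof(ISampleRoleManager)));
    }
}
```

Either variant only confirms that the page lists the method names; it does not establish who operates the endpoint, so the address still has to be trusted before the proxy presents DefaultCredentials to it.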

Some finesse details: When the Credentials Manager application starts up, it connects to the Web service and retrieves all the information required to populate the various tabs. Since this might take a bit of time (especially if the service is not running), the Credentials Manager application first displays a splash screen. I wanted to spice up the various menu items and list boxes with graphics and icons (see Listing 2). To that end, Visual Studio 2005 ships with a comprehensive graphics library that you can use in your applications. The library contains all the icons used by Visual Studio 2005 itself, as well as many Office and Windows icons. You can find the library after a normal installation under <Program Files>\Microsoft Visual Studio 8\Common7\VS2005ImageLibrary

Juval Lowy is a software architect and the principal of IDesign, Inc., a consulting and training company focused on .NET architecture consulting and advanced .NET training. His latest book is "Programming .NET Components, 2nd Edition" (O'Reilly, 2005). Juval is a frequent presenter at development conferences and Microsoft's Regional Director for the Silicon Valley. Over the last two years Juval has been part of the Indigo Strategic Design Review process. Microsoft recognized Juval as a Software Legend as one of the world's top .NET experts and industry leaders. Contact him at www.idesign.net