Security
Security is one of the main topics when accessing a remote information system. The main questions about security when logging in are:
Authentication
Authentication is used to know who is logging into the system. A web site offers two methods: Basic and Digest. Basic authentication sends the credentials as plain text (only Base64 encoded, not encrypted), so it should be used only on an intranet or on web sites where the information does not require a high level of security.
Login Dialog (Form)
The login dialog collects a username and a password. If the username-password pair is correct, access to the system is granted. Typically, the GUI has an OK button with the property Default Button so that the user can press the Enter key to dismiss the dialog.
Problem 1
Create a program called Login to show the list of employees in the Best Buy database. To log into the system, the program must prompt for a username and password. The system should provide three chances to log in. Once the employee has logged in successfully, the program shows the list of employees in a list view control. If the employee is an administrator, the system must also display the employee passwords.
Step A
Add a Wintempla Dialog called LoginDlg as shown.
Step B
Edit the file LoginDlg.h
LoginDlg.h
#pragma once //_____________________________________________ LoginDlg.h
#include "resource.h"

class LoginDlg: public Win::Dialog
{
public:
    LoginDlg()
    {
        tryCount = 0;
    }
    ~LoginDlg()
    {
    }
    int tryCount;
public: // PUBLIC TO GIVE ACCESS TO tbxUsername
    ...
};
Step C
Edit the LoginDlg.cpp file.
LoginDlg.cpp
...
void LoginDlg::Window_Open(Win::Event& e)
{
    this->Text = L"Login";
}

void LoginDlg::btOK_Click(Win::Event& e)
{
    //_________________________________________________________ 1. User can try three times
    if (tryCount >= 3)
    {
        this->EndDialog(FALSE); //dlg.BeginDialog(hWnd) will return FALSE
        return;
    }
    //_________________________________________________________ 2. Be sure there are a username and a password
    if (tbxUsername.Text.length() <= 1) return;
    if (tbxPassword.Text.length() <= 1) return;
    tryCount++;
    //_________________________________________________________ 3. Create SELECT statement
    // Note: the username and password typed by the user are pasted directly into the SQL text.
    // A bound parameter (prepared statement) is the safe way to pass user input to the database.
    wstring cmd;
    Sys::Format(cmd, L"SELECT COUNT(*) FROM employee WHERE username = \'%s\' AND user_passw = \'%s\'", tbxUsername.Text.c_str(), tbxPassword.Text.c_str());
    //_________________________________________________________ 4. Execute SELECT
    Sql::SqlConnection conn;
    int count = 0;
    try
    {
        //conn.OpenSession(DSN, USERNAME, PASSWORD); //Control Panel>Administrative Tools>Data Sources (ODBC)>Create dsn_myDatabase
        conn.OpenSession(hWnd, CONNECTION_STRING);
        count = conn.GetInt(cmd);
        if (count == 1)
        {
            this->EndDialog(TRUE); //dlg.BeginDialog(hWnd) will return TRUE
            return;
        }
        else
        {
            tbxUsername.ShowBalloonTip(L"Login", L"Invalid username or incorrect password", TTI_ERROR);
        }
    }
    catch (Sql::SqlException& e) // catch by reference to avoid copying the exception
    {
        this->MessageBox(e.GetDescription(), L"Error", MB_OK | MB_ICONERROR);
    }
}

void LoginDlg::btCancel_Click(Win::Event& e)
{
    this->EndDialog(FALSE);
}
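The attempt counting and input checks of btOK_Click above, as an added example that is not Wintempla code: written in portable C++ so the gate logic can be compiled and tested without the library. LoginGate, LoginCheck and isValidUsername are names assumed here; the allowlist on the username is an extra defence-in-depth check, since the Sys::Format call pastes the text straight into the SELECT statement.

```cpp
#include <cctype>
#include <string>

// Outcome of the checks that run before any SQL text is built.
enum class LoginCheck { TooManyTries, MissingInput, BadUsername, Proceed };

// Mirrors the tryCount rule of LoginDlg::btOK_Click: three attempts,
// and a fourth OK click dismisses the dialog with FALSE.
class LoginGate {
public:
    static constexpr int kMaxTries = 3;
    int tryCount = 0;

    // Username allowlist: 2..32 characters from [A-Za-z0-9_.-], so a quote
    // or comment sequence can never reach the formatted SELECT statement.
    // This is defence in depth only; the real fix is a bound parameter
    // (e.g. ODBC SQLBindParameter), which Sys::Format does not provide.
    static bool isValidUsername(const std::string& u) {
        if (u.size() < 2 || u.size() > 32) return false;
        for (unsigned char c : u) {
            if (!(std::isalnum(c) || c == '_' || c == '.' || c == '-')) return false;
        }
        return true;
    }

    LoginCheck check(const std::string& username, const std::string& password) {
        if (tryCount >= kMaxTries) return LoginCheck::TooManyTries;
        // Same rule as the dialog: both fields need more than one character,
        // and an empty submission does not consume an attempt.
        if (username.size() <= 1 || password.size() <= 1) return LoginCheck::MissingInput;
        tryCount++;  // every non-empty submission counts, well-formed or not
        if (!isValidUsername(username)) return LoginCheck::BadUsername;
        return LoginCheck::Proceed;  // caller may now run the parameterised lookup
    }
};
```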
Step D
Edit the Login.cpp file. Be sure to compile and run the program using the Release version of your program.
Login.cpp
...
void Login::Window_Open(Win::Event& e)
{
    //#ifndef _DEBUG
    LoginDlg dlg;
    if (dlg.BeginDialog(hWnd) == TRUE) //__________________ Give Access
    {
        this->Text = L"Welcome ";
        this->Text += dlg.tbxUsername.Text;
    }
    else
    {
        this->Destroy(); //_________________________________ Deny Access
        return; // do not go on to query the database once access has been denied
    }
    //#endif
    //____________________________________________________ 1. Column Setup
    ...
    //____________________________________________________ 2. Create SELECT statement
    wstring sqlCmd;
#ifdef _DEBUG
    sqlCmd = L"SELECT is_admin FROM employee WHERE username = \'jimmy\'";
#else
    Sys::Format(sqlCmd, L"SELECT is_admin FROM employee WHERE username = \'%s\'", dlg.tbxUsername.Text.c_str());
#endif
    //____________________________________________________ 3. Execute SELECT
    Sql::SqlConnection conn;
    try
    {
        //conn.OpenSession(DSN, USERNAME, PASSWORD); //Control Panel>Administrative Tools>Data Sources (ODBC)>Create dsn_myDatabase
        conn.OpenSession(hWnd, CONNECTION_STRING);
        //_____________________________________________ Is Admin?
        const bool isAdmin = conn.GetBool(sqlCmd);
        if (isAdmin == true)
        {
            ...
        }
        else
        {
            ...
        }
    }
    catch (Sql::SqlException& e)
    {
        ...
    }
}
Problem 2
Create a program called LoginWeb to show the list of employees of Best Buy using a list view control. To log into the system, the program must prompt for a username and password using Basic Authentication. Please see Wintempla > Publishing a Web Site to learn more about Access Authentication. Publish the web application to a web server using Basic Authentication. In this case, we will not use the username and password stored in the database; instead you must create two user accounts in the web server (the local computer if you have a laptop), one for Jim Ferry (username: jimmy, password: 123) and another for Laura Lou (username: laura, password: abc). You also need to modify the best_buy.sql file to allow the user account to connect to the SQL server. If you test this application using Microsoft Visual Studio, you need to provide a valid username; however, you can provide any password. This will be corrected once you publish the web application.
Index.cpp
...
void Index::Window_Open(Web::HttpConnector& h)
{
    //_______________________________________________________________ 1. By default all users are Unauthorized
    h.httpCode = 401; // 401 Unauthorized
    //_______________________________________________________________ 2. Get AUTH_USER or LOGON_USER
    wstring username;
    if (h.GetServerVariable("AUTH_USER", username) == false) return;
    if (username.empty() == true) return;
    //_______________________________________________________________ 3. User is authenticated
    h.httpCode = 200; // 200 OK
    //_______________________________________________________________ 4. Column setup
    lvEmployee.Cols.Add(LVCFMT_LEFT, 20, L"First name");
    lvEmployee.Cols.Add(LVCFMT_LEFT, 20, L"Last name");
    lvEmployee.Cols.Add(LVCFMT_RIGHT, 20, L"Username");
    //_______________________________________________________________ 5. Create SELECT statement
    // AUTH_USER is the account name the web server authenticated; it is still pasted into
    // the SQL text here, so a bound parameter would be the safer way to pass it.
    wstring cmd;
    Sys::Format(cmd, L"SELECT is_admin FROM employee WHERE username = \'%s\'", username.c_str());
    //_______________________________________________________________ 6. Execute SELECT
    Sql::SqlConnection conn;
    try
    {
        //conn.OpenSession(DSN, USERNAME, PASSWORD); //Control Panel>Administrative Tools>Data Sources (ODBC)>Create dsn_myDatabase
        conn.OpenSession(NULL, CONNECTION_STRING);
        //
        this->Title = L"Welcome ";
        this->Title += username;
        //_____________________________________________ Is Admin?
        const bool isAdmin = conn.GetBool(cmd);
        //
        if (isAdmin == true)
        {
            lvEmployee.Cols.Add(LVCFMT_RIGHT, 20, L"Password");
            conn.ExecuteSelect(L"SELECT employee_id, first_name, last_name, username, user_passw FROM employee", 100, lvEmployee);
        }
        else
        {
            conn.ExecuteSelect(L"SELECT employee_id, first_name, last_name, username FROM employee", 100, lvEmployee);
        }
    }
    catch (Sql::SqlException& e)
    {
        this->MessageBox(e.GetDescription(), L"Error", MB_OK | MB_ICONERROR);
    }
}