ASP.NET MVC project (part 2)


In this part we will look into the security of the project and the admin interface. This includes working with the project's database. Let's jump into it.

using System.Linq;
using System.Web.Mvc;
using System.Web.Security;

[HttpPost]
public ActionResult Login(ldapModels model, string ReturnUrl)
{
    // Check that the user exists in the AD and that the password is correct
    if (Membership.ValidateUser(model.UserName, model.Password))
    {
        // Check that the user is a member of the group "xxx".
        // GetAdGroups returns null when no groups were found, so guard against that
        // instead of letting Contains() throw a NullReferenceException.
        string[] groups = GetAdGroups(model.UserName, model.Password);
        if (groups != null && groups.Contains("xxx"))
        {
            // Start the authenticated session (non-persistent cookie)
            FormsAuthentication.SetAuthCookie(model.UserName, false);
            return RedirectToLocal(ReturnUrl);
        }
        // FOR THE DEVELOPMENT PHASE ONLY: gives the account "me" admin access
        // without the group check. Remove before deployment.
        else if (model.UserName == "me")
        {
            FormsAuthentication.SetAuthCookie(model.UserName, false);
            return RedirectToLocal(ReturnUrl);
        }
    }
    // Error message
    this.ModelState.AddModelError(string.Empty, "The user name or password you entered is incorrect.");
    return this.View("Index");
}

// Only follow ReturnUrl if it is a local path (prevents open redirects to foreign hosts).
// The extra StartsWith checks are defence in depth on top of Url.IsLocalUrl.
private ActionResult RedirectToLocal(string ReturnUrl)
{
    if (this.Url.IsLocalUrl(ReturnUrl) && ReturnUrl.Length > 1 && ReturnUrl.StartsWith("/")
        && !ReturnUrl.StartsWith("//") && !ReturnUrl.StartsWith("/\\"))
    {
        return this.Redirect(ReturnUrl);
    }
    return this.RedirectToAction("Index", "Admin");
}

This is our Login action. To explain it we have to show another function called GetAdGroups. I had to write this function because the standard ASP.NET membership library did not offer the AD option I needed.

using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.ActiveDirectory;

// Returns the names of the AD groups the user is a direct member of, or null if none were found.
// The user's own credentials are used to bind, so this is only called after ValidateUser succeeded.
public string[] GetAdGroups(string username, string password)
{
    List<string> groups = new List<string>();
    DirectoryContext context = new DirectoryContext(DirectoryContextType.Domain, "uni-trier.de", username, password);

    // Try each domain controller in turn until one answers
    foreach (DomainController dc in DomainController.FindAll(context))
    {
        string path = string.Format("LDAP://{0}/CN=Users,DC=uni-trier,DC=de", dc.Name);

        try
        {
            using (DirectoryEntry entry = new DirectoryEntry(path, username, password))
            using (DirectorySearcher searcher = new DirectorySearcher(entry))
            {
                // Look up the user's own object by sAMAccountName
                searcher.Filter = string.Format(@"(&(objectClass=user)(sAMAccountName={0}))", username);
                searcher.PropertiesToLoad.Add("memberOf");

                SearchResult result = searcher.FindOne();
                if (result == null) continue;   // user not found on this DC, try the next one

                // memberOf holds group DNs such as "CN=xxx,OU=Groups,DC=uni-trier,DC=de";
                // keep only the CN value (this assumes the CN itself contains no comma)
                foreach (string dn in result.Properties["memberOf"])
                    groups.Add(dn.Substring(3, dn.IndexOf(',') - 3));

                if (groups.Count > 0) break;
            }
        }
        catch (Exception)
        {
            // This DC did not answer or refused the bind: try the next one.
            // Swallowed as in the original; logging the exception here would help debugging.
        }
    }

    if (groups.Count == 0) return null;
    return groups.ToArray();
}

Now let's jump back to the first code snippet. We are using System.DirectoryServices from .NET, and first we check whether the entered credentials belong to an existing user in the AD. If the user exists and the password is correct, we continue with the second code snippet.
We connect to the domain controllers and start a directory searcher.
This searcher looks up the logged-in user and collects all groups the user is a member of.
Back in the first snippet we check whether the user is in a specific group and only then continue. When the user has the privileges to gain access we set an authentication cookie, which starts the session. The part commented as being for the development phase only is a testing area where I give myself access to the admin hub. I'm not in the group but need access for testing; this part will be deleted when the software is deployed.
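Two details of the lookup above deserve a closer look: the user name is interpolated into the LDAP filter without escaping, and the group name is cut out of the memberOf DN with Substring/IndexOf, which breaks on a CN that contains an escaped comma. The following helpers are an added example (not the project's own code) that address both; the class and method names are this example's own, and it assumes .NET Framework with System.DirectoryServices referenced.

```csharp
// Added example (not the project's own code): hardening helpers for the AD lookup above.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;

public static class AdHelpers
{
    // Escape a value before interpolating it into an LDAP search filter (RFC 4515, section 3).
    // Without this, a name such as "*)(objectClass=*" would change the meaning of the filter.
    public static string EscapeFilterValue(string value)
    {
        if (value == null) throw new ArgumentNullException("value");
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // The filter used in GetAdGroups, with the user name escaped.
    public static string BuildUserFilter(string sAMAccountName)
    {
        return string.Format("(&(objectClass=user)(sAMAccountName={0}))", EscapeFilterValue(sAMAccountName));
    }

    // Return the value of the first RDN of a distinguished name, honouring RFC 4514 escapes,
    // e.g. "CN=Smith\, John,OU=Groups,DC=example,DC=com" -> "Smith, John".
    // Substring(3, IndexOf(',') - 3) would return "Smith\" for that input.
    public static string FirstRdnValue(string dn)
    {
        if (string.IsNullOrEmpty(dn)) return null;
        int eq = dn.IndexOf('=');
        if (eq < 0) return null;

        var bytes = new List<byte>();            // collected as UTF-8 so \XX byte escapes decode correctly
        for (int i = eq + 1; i < dn.Length; i++)
        {
            char c = dn[i];
            if (c == '\\' && i + 1 < dn.Length)
            {
                if (i + 2 < dn.Length && Uri.IsHexDigit(dn[i + 1]) && Uri.IsHexDigit(dn[i + 2]))
                {
                    bytes.Add(Convert.ToByte(dn.Substring(i + 1, 2), 16));   // \2C, \C3\A9, ...
                    i += 2;
                }
                else
                {
                    bytes.AddRange(Encoding.UTF8.GetBytes(dn[i + 1].ToString()));   // \, \+ \" \\ ...
                    i++;
                }
            }
            else if (c == ',')
            {
                break;                           // end of the first RDN
            }
            else
            {
                bytes.AddRange(Encoding.UTF8.GetBytes(c.ToString()));
            }
        }
        return Encoding.UTF8.GetString(bytes.ToArray());
    }

    // Map the memberOf DNs to group names. An empty array (never null) means "no groups",
    // so callers can write GetGroupNames(...).Contains("xxx") without a null check.
    public static string[] GetGroupNames(IEnumerable<string> memberOfDns)
    {
        if (memberOfDns == null) return new string[0];
        return memberOfDns.Select(dn => FirstRdnValue(dn))
                          .Where(name => !string.IsNullOrEmpty(name))
                          .ToArray();
    }
}
```

In GetAdGroups this replaces the two risky lines: `searcher.Filter = AdHelpers.BuildUserFilter(username);` and `groups.AddRange(AdHelpers.GetGroupNames(result.Properties["memberOf"].Cast<string>()));`. The injection risk is small here because ValidateUser has already accepted the name, but the filter escaping costs nothing and keeps the search correct for names containing parentheses or a backslash.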

Now, before we can continue with the admin interface, let's understand the database.

DB Concept (diagram)

Besides the openinghours table, all tables are in a relationship. The primary tables are printer, printertype and room.


Printer table

Our printer table contains an ID, a field for the unique printer number and a field that stores which picture is used for that printer.


Printertype table

This table again contains an ID, a field for the manufacturer of the printer and a field for the actual type of the printer. Every series of printers has different models, which we identify through the type.


Room table

This table contains an ID, a field for the room name and a field for the building the room is in, because there might be rooms with the same name in different buildings.


Location table

This table contains an ID which isn't used, because in this table we only care about the IP address. When the system rolls out, our devices get static IP addresses which we save in the database.


FAQ table

This table may seem a little bit weird, but it was the best option I could find. We have an ID to identify an FAQ, one field for a headline to display on the homepage, and one field for the answer, which in our case is a link to a document in our Content folder.


Now, why did I organize my database like this? The primary role belongs to the printers, but they have to be associated with a room, and because the IP also needs to be associated with a room, I decided to split these into three tables. That leaves the printertype and the FAQ. These were split off because there might be printers of different types and even manufacturers, and the FAQs are strictly bound to the printertype. To assign an FAQ to several printers we assign it to the type, which in turn is assigned to the printers.
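As an added example (not the project's own code), here is the concept above expressed as an Entity Framework 6 code-first model, a common choice for an ASP.NET MVC 5 project. Table and column names follow the descriptions above; the foreign-key columns, the OpeningHours columns and the use of EF itself are assumptions of this example. The query at the end walks the path the text describes: printer to printertype to FAQ.

```csharp
// Added example (not the project's own code): the DB concept as an EF6 code-first model.
// Assumes the EntityFramework 6.1+ NuGet package (for the Index attribute).
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.ComponentModel.DataAnnotations.Schema;
using System.Data.Entity;
using System.Linq;

public class PrinterType
{
    public int Id { get; set; }
    [Required] public string Manufacturer { get; set; }
    [Required] public string Type { get; set; }           // the model within the manufacturer's series
    public virtual ICollection<Printer> Printers { get; set; }
    public virtual ICollection<Faq> Faqs { get; set; }    // FAQs are bound to the type, not to a printer
}

public class Room
{
    public int Id { get; set; }
    [Required] public string Name { get; set; }
    [Required] public string Building { get; set; }       // the same room name may exist in several buildings
    public virtual ICollection<Printer> Printers { get; set; }
    public virtual ICollection<Location> Locations { get; set; }
}

public class Printer
{
    public int Id { get; set; }
    [Index(IsUnique = true)] public int Number { get; set; }   // the unique printer number
    public string Picture { get; set; }                          // which picture is shown for this printer
    public int PrinterTypeId { get; set; }                       // FK column name is an assumption
    public virtual PrinterType PrinterType { get; set; }
    public int RoomId { get; set; }                              // FK column name is an assumption
    public virtual Room Room { get; set; }
}

public class Location
{
    public int Id { get; set; }                    // present but unused; the IP address is what matters
    [Required, StringLength(45), Index(IsUnique = true)]
    public string IpAddress { get; set; }          // static IP assigned at roll-out; unique across the table
    public int RoomId { get; set; }                // the text ties the IP to a room; FK column name assumed
    public virtual Room Room { get; set; }
}

public class Faq
{
    public int Id { get; set; }
    [Required] public string Headline { get; set; }
    [Required] public string Answer { get; set; }  // link to a document under the Content folder
    public int PrinterTypeId { get; set; }         // FK column name is an assumption
    public virtual PrinterType PrinterType { get; set; }
}

public class OpeningHours                          // stands alone: no relationship to the other tables
{
    public int Id { get; set; }
    public DayOfWeek Day { get; set; }             // columns assumed; the post does not describe them
    public TimeSpan Opens { get; set; }
    public TimeSpan Closes { get; set; }
}

public class PrinterContext : DbContext
{
    public DbSet<Printer> Printers { get; set; }
    public DbSet<PrinterType> PrinterTypes { get; set; }
    public DbSet<Room> Rooms { get; set; }
    public DbSet<Location> Locations { get; set; }
    public DbSet<Faq> Faqs { get; set; }
    public DbSet<OpeningHours> OpeningHours { get; set; }
}

public static class PrinterQueries
{
    // FAQs for a printer are reached through its type: Printer -> PrinterType -> FAQ.
    // Assigning an FAQ to a type therefore shows it for every printer of that type.
    public static List<Faq> FaqsForPrinter(PrinterContext db, int printerNumber)
    {
        return db.Printers
                 .Where(p => p.Number == printerNumber)
                 .SelectMany(p => p.PrinterType.Faqs)
                 .OrderBy(f => f.Headline)
                 .ToList();
    }
}
```

The unique index on Printer.Number and Location.IpAddress enforces in the database what the text states in prose; the foreign keys make it impossible to store a printer without a room or type, or an FAQ without a type.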


More to come in the next part. Stay tuned!
