
Written by: kchristo
Friday, September 2, 2011

This is my approach to making screen authorization (show/hide) more effective and robust than hard-coding permission names in the “_CanRun” partial methods. The library and sample code are published here. As with my previous post, the code is posted to MSDN, and here I will explain in detail how to use the library and what the sample does.

First let’s prepare. After downloading the sample, and before you can run it, you must create the database I use for storing screen security information. Create a database named LSSecurity, then open and execute the script found in the zip at the path Files\LSSecurity.script.sql. Then go to your ServerGenerated\Web.Config and change the connection string from localhost\clcadlocal to the name of your SQL server. This database is imported by the sample LightSwitch application in a datasource called LightSwitchSecurity. The entities from this datasource are used by the class that implements the ISecureScreenService interface in the sample.

Note here that the ideal implementation would be one that integrates this schema with the ASP.NET security database used by LightSwitch, but I didn’t go that far.

Now you are ready to run the application.

Before you do, though, take a look at the Access Control settings:

SecuritySettings

You can see Authentication is enabled. Windows Authentication is selected for convenience. The infrastructure can be used in any authentication scenario and the implementation presented in the sample is also compatible with any scenario.

When you first run your application, no security service is defined and you see all options available in the Navigation Pane.

 Running with Administrator Permissions

In this sample the screens All Screens, All Permissions and My Screen Permissions have the SecureScreenAttribute defined. This means that if you don’t define any permissions for them they are only available to a Security Administrator. When you first run the sample, the SecurityAdministration permission is granted for debug by the settings. That’s why all screens appear. If you remove the SecurityAdministration permission from the debug mode permissions

No Permissions Defined

then the resulting startup screen should look like this:

Running with Customer and Product Manager Permissions

The Manage Customers and Manage Products screens don’t have the SecureScreenAttribute defined. That’s why when no security service is defined they appear.

To prove this do the following:

  1. Change the SecureScreens project view to FileView
  2. Open SecureScreens\Client\UserCode\Application.cs
    FileView
  3. Uncomment the line of code in the partial Application_Initialize method
    partial void Application_Initialize() {
      InitializeScreenSecurity();
      // Do not uncomment this line before reading the remarks of the blog post.
      //MonitorScreenOpenedNotification();
    }
  4. Run the application again.

You will see exactly the same screen. The reason is that the 2 screens have no SecureScreenAttribute defined and they are not handled by the screen security service yet. Our security infrastructure is empty.
Let’s change that. Add the SecurityAdministration permission to the set of permissions granted for debug.

Open the All Screens screen. Right now it should look like this (except for the red arrow)

Empty Screens

Now press the Synchronize Screens button. All screens implemented in the application will be listed:

Imported Screens

Notice the Securable column. Manage Products and Manage Customers should have false in the Securable column. The reason is that by default only screens with the SecureScreenAttribute set are imported as securable screens. But you can change that by using the buttons shown by the red arrow on the left. These buttons are used, instead of a checkbox in the Securable column of the grid, because defining whether a screen is securable or not should only be allowed for screens that do not have the SecureScreenAttribute set (and it is implemented that way, as you can see by going up and down the lines of the grid).

Now that you have imported the screens, make Manage Products and Manage Customers securable (by pressing the little lock button), remove the Security Administration permission and run your application again.
You should be left with no items in the navigation pane. Correct, but not nice. Let’s fix this.

First, let’s import permissions. Close the application, add the SecurityAdministration permission (this is getting boring I know but no other way to test), and run the application.

Open the All Permissions screen. This should also be empty.

Empty Permissions

Press the Synchronize Permissions button. All permissions defined in the Access Control tab should be listed.

Imported Permissions

Save the permissions. (Note that you can make the Microsoft.LightSwitch.Security:SecurityAdministration permission inactive, but that will have no effect.)

Now open My Screen Permissions.

No Screen Permissions

You should notice that all secure screens (attribute or user secured) are listed on the left, but no permissions are defined for any of them. Now select the Manage Customers screen and press the add (plus) button to add a new screen permission. Select the LightSwitchApplication:CustomerManager permission from the combo-box and save.

New Screen Permission

And now FOR THE LAST TIME change the Access Control settings to grant the CustomerManager permission to the debug user:

Customer Manager Settings

Run the application. You should be seeing this:

Running with Customer Manager Permissions

You can now experiment with permissions (if you can stand messing with the Access Control settings again) and see what happens.
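
The visibility rules exercised in the walkthrough above, condensed into a stand-alone C# model. This is an added example, not code from the published library: ScreenEntry, ScreenGate and their members are hypothetical names, and the treatment of administrators on screens that already have permissions assigned is an assumption.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Illustrative model only: these types are hypothetical, not the Base.SL.Security API.
public sealed class ScreenEntry
{
    public string Name = "";
    public bool HasSecureScreenAttribute;      // declared in code on the screen class
    public bool UserSecured;                   // toggled with the lock button in All Screens
    public readonly HashSet<string> Permissions = new HashSet<string>();
    public bool Securable { get { return HasSecureScreenAttribute || UserSecured; } }
}

public static class ScreenGate
{
    public const string Admin = "Microsoft.LightSwitch.Security:SecurityAdministration";
    public const string CustomerManager = "LightSwitchApplication:CustomerManager";

    // The decision a _CanRun partial method could delegate to (assumed design).
    public static bool CanRun(ScreenEntry screen, ICollection<string> granted)
    {
        if (!screen.Securable) return true;            // not handled by the security service
        if (screen.Permissions.Count == 0)             // secured, nothing assigned yet:
            return granted.Contains(Admin);            // administrators only
        // Assumption: the page does not say whether administrators bypass assigned
        // permissions, so this model requires one of the assigned permissions.
        return screen.Permissions.Any(p => granted.Contains(p));
    }

    public static string Visible(IEnumerable<ScreenEntry> screens, ICollection<string> granted)
    {
        return string.Join(", ", screens.Where(s => CanRun(s, granted)).Select(s => s.Name));
    }

    public static void Main()
    {
        // Constructed sample data mirroring two screens of the sample application.
        var customers = new ScreenEntry { Name = "Manage Customers" };
        var allScreens = new ScreenEntry { Name = "All Screens", HasSecureScreenAttribute = true };
        var screens = new[] { customers, allScreens };
        var user = new HashSet<string>();              // no permissions granted for debug

        Console.WriteLine("unsecured: [" + Visible(screens, user) + "]");
        customers.UserSecured = true;                  // lock button pressed
        Console.WriteLine("locked, nothing assigned: [" + Visible(screens, user) + "]");
        customers.Permissions.Add(CustomerManager);    // My Screen Permissions, plus button
        user.Add(CustomerManager);                     // Access Control: granted for debug
        Console.WriteLine("CustomerManager granted: [" + Visible(screens, user) + "]");
    }
}
```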

 

Points to Notice

  • In the Base.SL.Security.Implementation namespace you can see the implementation of 3 classes: BasePermission, BaseScreen and BaseScreenPermission. These are very simple container classes used to “proxy” the entities in the LightSwitchSecurity DataSource (that all of the above screens handle) to the ISecureScreenService implementation found in the same namespace. These classes implement the IPermission, ISecureScreen and ISecureScreenPermission interfaces. They are used, instead of adding the ISecureScreen interface to the LightSwitchSecurity:Screen type for example, for convenience: if we did that, we would have to add references to the Base.SL.Security assembly to almost all projects, as the entity definitions run across almost all projects (Client, Common, Server, ServerGenerated etc.).
  • In the same namespace the GenericSecureScreenService and BaseSecureScreenService are implemented. The first one is a generic implementation of the ISecureScreenService interface whereas the second is an explicit declaration of the generic class for the Base… classes mentioned in the previous bullet.
  • In SecureScreens\Client\UserCode\Application.cs the method LoadScreenPermissions converts all the entities from the LightSwitchSecurity DataSource into Base… objects and then, using the lists created, initializes the BaseSecureScreenService instance, which is then passed to the extension class that is responsible for providing security for the application screens.
  • In the All Screens screen there is a grid column named Display Name. During screen synchronization this property is set either automatically (the camel-case LightSwitch way) or from the SecureScreenAttribute, which can take a display name as a parameter. The actual display name of the screen cannot be retrieved by reflection, as only an instance of the screen could provide the display name defined at design time. Look at the MyScreenPermissions screen partial class to see the SecureScreenAttribute used with a display name.
  • The code executed when the Synchronize Screens and Synchronize Permissions buttons are pressed is optimized for updating the security database with the least possible trouble. In my schema, the ScreenPermission table’s relations to the Screen and Permission tables have cascade delete enabled. One can modify the relations, disabling cascade, to have more control over permission changes and fewer surprises, like screens not appearing when they should or vice versa.
  • In this sample the ISecureScreenService is implemented to be initialized in memory by the client application. It’s easy (not very but easy) to implement a WCF (or not) service to communicate with, that will not have to be initialized by the client either.
  • Notice the remark in the MSDN post about automatically generating a partial class that would include all _CanRun partial methods for all screens. If you don’t include any other code in this partial implementation file (unlike the sample), the file can be regenerated every time new screens requiring security have to be handled.
  • In the client application partial class there is a line in Application_Initialize that is intentionally commented out: MonitorScreenOpenedNotification(). By uncommenting this line you ensure that a screen the current user is not allowed to open, even if it appears in the navigation pane (because someone forgot to amend the respective _CanRun partial method), will automatically close when the user tries to open it. The implementation is rather brute but effective. One can change this to something more elegant, such as redirecting to an informational security error page after closing the disallowed screen. The reason I have this line commented out is that lately I have been reading complaints (and I had to deal with it too) about composition (which is used in the method) sometimes failing to find an IServiceProxy instance. I also faced this issue and had to include the blank extension in my project. It looks like some special assemblies must be added for composition to be able to recognize IServiceProxy, but I am still trying to find out which ones. Anyway, if you are not facing a similar problem, you can uncomment the line and have extra security added to your application.
  • After publishing/deploying your application you can handle all the changes made by hand, in the Access Control tab of the project’s property pages, by using roles and assigning permissions to them. Like this.

Roles Permissions

This way the user defined (yes, it’s me) is granted the Customer Manager and Product Manager permissions and you don’t have to (actually you cannot after deploying) play with permissions granted for debug.

 

If you managed to read all the way down here I have to congratulate you and hope it was worth it.

Tags: Advanced

13 comment(s) so far...



Re: Securing Screens Effectively with LightSwitch

I did read all the way down, and it was more than worth it!
What an amazing article you wrote here! Can't wait till later this weekend to find some time to dive into your sample! Thank you very much!

By Jan Van der Haegen on   Friday, September 2, 2011

Re: Securing Screens Effectively with LightSwitch

I am very glad to read this Jan. I hope the sample will not disappoint you either. The great thing with LightSwitch, although not well documented, is that, being a great application framework indeed, the more you dig in the more you discover great potentials. You've got to love LightSwitch.

By kchristo on   Tuesday, September 6, 2011

Re: Securing Screens Effectively with LightSwitch

I'm enjoying working my way through the article. I've encountered two issues however.

The LSSecurity script hung until I wrapped some settings around SET ENABLE_BROKER:
ALTER DATABASE [LSSecurity] SET SINGLE_USER WITH ROLLBACK IMMEDIATE
GO
ALTER DATABASE [LSSecurity] SET ENABLE_BROKER
GO
ALTER DATABASE [LSSecurity] SET MULTI_USER
GO

I found that fix due to a post by Avinash P.H. at http://social.msdn.microsoft.com/Forums/en/sqlservicebroker/thread/97f6a441-50e3-47f5-a4b0-8df68653a56d

The second issue was I was getting an error that the ISSecurable column does not exist. I added an ISSecurable column of type bit to the Screens table and I'm past that error.

Great article, Thanks.

By Richard Waddell on   Saturday, September 3, 2011

Re: Securing Screens Effectively with LightSwitch

Hi Richard. Sorry about the script issues. I don't know what the first one is, but the second I know what it is and how it happened. I prepared all the files (along with db script) a day before preparing the post and I made this change afterwards and did not change the script. Sorry for any trouble and thanks for sharing here so that others having the same problem (they will) can read it. I am very happy you like the article. After all, it was after reading your post on this site regarding custom modal windows that I started getting into sharing with the LightSwitch community. Thanks again for the comments.

By kchristo on   Tuesday, September 6, 2011

Re: Securing Screens Effectively with LightSwitch

Hi Kostas,

I'm flattered that I was an influence. Keep sharing, because although I've worked my way through the tutorial, where everything works as advertised, I'm still looking forward to understanding the code. Anyone who is hesitating on working through this article because it seems too much should go ahead, because it's very straightforward if you just work your way through it. And there's a wealth of learning experience in the code behind it.

It's great that you can keep teaching because you obviously got good at it while teaching Microsoft technical courses. Thanks again.

Richard

By Richard Waddell on   Sunday, September 4, 2011

Re: Securing Screens Effectively with LightSwitch

Ok, now all I can say is thanks a bunch for the comments.

By kchristo on   Tuesday, September 6, 2011

How to add an existing screen in vs lightswitch?

hiiii,

can we add an existing screen in vs lightswitch?

we 2 people are working on 2 different module and now we want to integrate it into one....

how can we integrate in lightswitch?

please Help..

By shannon on   Sunday, October 9, 2011

Re: Securing Screens Effectively with LightSwitch

What exactly do you mean by 2 different modules? 2 different screens? 2 different projects? In LightSwitch you cannot really work on the same or different screens concurrently. There is only one file containing the model of your application. If you have a screen and you want to add it, given that there is the same data model and, I suppose, you have code written in files, what you can do is add (by the designer) all the screen objects from the one screen to the other (commands, queries, parameters) with the names and properties (e.g. images of command buttons) originally used and then either copy the code from the ScreenName.cs file or add both files in the Client\UserCode folder, the second with a different name (ScreenName.Part2.cs for example), and just remove any duplicate code like InitializeComponent etc. This is the best I can offer :-). I would also ask Michael Washington if I were you, maybe he has something better to suggest, but I am afraid you are not going to get any better news than this. You could manually merge the 2 ApplicationDefinition.lsml files but this would most probably result in losing all the work you have done... IF (I do NOT propose this) you decide to do this, be sure to keep backup copies of both files. If you were working under source control you would immediately see that you cannot work on designer tasks concurrently with any other user. If I can help any further...

By kchristo on   Monday, October 10, 2011

Re: Securing Screens Effectively with LightSwitch

Hello! Can I use RolePermission Table in Firebird database? Can I connect LightSwitch App with RolePermissions Firebird table?

By Tatiana on   Wednesday, December 7, 2011

Re: Securing Screens Effectively with LightSwitch

Tatiana, I cannot answer your question exactly as I have no experience with FB. What I can tell you is that my implementation is not dependent on ASP.NET authorization. All I need is an authenticated user with specific permissions. But LS is. You can implement a custom security provider and pass it to your application.

By kchristo on   Wednesday, December 7, 2011

Re: Securing Screens Effectively with LightSwitch

Hello,

I am getting an exception while trying to get an instance of IServiceProxy -

>>
The composition produced a single composition error. The root cause is provided below. Review the CompositionException.Errors property for more detailed information.

1) Unable to find any implementation of the contract: 'Microsoft.LightSwitch.Sdk.Proxy.IServiceProxy'
>>

I saw that you briefly mentioned seeing this problem intermittently. Were you able to find any solution to it?

According to the examples I found using this interface, it should just work. Not sure what I am missing.

By Orion on   Tuesday, July 3, 2012

Re: Securing Screens Effectively with LightSwitch

Hi Orion
This error is something no one managed to provide me with a complete answer for either. What I did back then when I was writing this sample was using the blank extension provided by the LS team. I would suggest trying to include some extension package in your project. Maybe Microsoft LightSwitch Extensions (having image, email and other business types). It's a composition issue and from what I managed to understand it has to do with the version of the IServiceProxy interface. Sorry I cannot be of more help.

By kchristo on   Wednesday, July 4, 2012
