TULIP. The UI Login Portal. Presented by: Adam Huffman McKendree University May 21, 2013. Introduction - TULIP - The UI Login Portal. TULIP is a website that adds additional security to any web resource Developed for UI 4.4 but can be used for any web resource
TULIP The UI Login Portal Presented by: Adam Huffman McKendree University May 21, 2013
Introduction - TULIP - The UI Login Portal
TULIP is a website that adds additional security to any web resource.
Developed for UI 4.4 but can be used for any web resource.
Technologies Used: IIS 7+ with the IIS URL Rewrite, HTML 5, CSS 3, C# .NET 4.0, Microsoft Active Directory, and Microsoft SQL
Agenda – TULIP
• The need for TULIP
• High-level overview
• Demonstrations
  • GitHub
  • How McKendree University uses TULIP
• Code
  • GitHub
  • What customizations need to be made
The need for TULIP How to allow for offsite access to UI 4 without giving student workers access offsite or in their residence hall?
The need for TULIP
• Provide offsite access to UI 4.X
• Prevent student workers from accessing UI 4.X in their residence halls and off campus
• Prevent anonymous access to the UI 4.X login
High-level overview How it works
High-level overview 1 of 4 default.aspx Login Campus Login redirect.aspx windows_authentication.aspx
High-level overview 2 of 4
redirect.aspx
• Insert into database to create a new GUID with username and timestamp
• Retrieve the newly created GUID
• Redirect to the protected page appending the GUID to the URL GET request as the ?key=
Protected Page
High-level overview 3 of 4
Parts of the Protected Page
• begin_key_security.asp
• Page to be protected (.asp)
• end_key_security.asp
High-level overview 4 of 4
Protected Page
• Retrieve the timestamp from the database that correlates to the GUID
• Verify that the GUID is not older than ten seconds
• The Protected Page's Content
Demonstrations Show and tell.
Demo – GitHub – default.aspx 1 of 3 default.aspx windows_authentication.aspx
Demo – GitHub – Protected Page 2 of 3
/default.asp?key=9775826a-111e-4d25-98fc-fb6a434dd32a (example of the GUID)
• The GUID was valid and less than 10 seconds old
  *Instead of Success! the page that is meant to be protected would be displayed.
• The GUID was invalid or more than 10 seconds old
Demo – GitHub – Demo 3 of 3
GitHub Demo
A temporary demo site will be available during the ellucianIL presentation.
Demo – McKendree – default.aspx 1 of 3
default.aspx windows_authentication.aspx
This takes the place of the index.asp page that is delivered with UI 4
Demo – McKendree – launch.asp 2 of 3
The Protected Page is now launch.asp, which is in its own application, live43
/live43/launch.asp?key=9775826a-111e-4d25-98fc-fb6a434dd32a (example of the GUID)
The GUID was valid and less than 10 seconds old
Demo – McKendree 3 of 3 McKendree Demo The link will be available during the ellucianIL presentation.
The Code Not as scary as it sounds.
The Code – Overview 1 of 8
• GitHub
• Servers IIS 7+ and MS SQL
• Files to modify (C#)
  • web.config
  • tulip.cs
  • windows_authentication.aspx.cs
  • redirect.aspx.cs
  • begin_key_security.asp
The Code – GitHub 2 of 8
• Create an account
• Go to github.com/adam-huffman/tulip
• Download the zip file or use GitHub for Windows
• Set up IIS 7+ and Microsoft SQL Server
• Open the project in Microsoft Visual Studio
• Tweak, Deploy, Repeat
The Code – IIS 7+ and SQL 3 of 8
• Microsoft IIS
  • 7+ (Server 2008+)
  • IIS URL Rewrite
  • AppPool with .Net 4 and Integrated Pipeline
• Microsoft SQL Server
  • SQL Server 2005
  • Should be compatible with newer versions of SQL as long as the uniqueidentifier is available
The Code – web.config 4 of 8
<connectionStrings>
  <add name="tulip" providerName="System.Data.SQLClient" connectionString="" />
</connectionStrings>
*Add in your connection string
<system.webServer><rewrite><rules> …
*Change subdomain, domain and top level domain to the appropriate values
The Code – tulip.cs 5 of 8
public tulip()
{
    // Active Directory location and the account used to search it
    ActiveDirectoryRoot = "LDAP://DC=domain,DC=topleveldomain";
    ActiveDirectoryDomain = "domain.topleveldomain";
    ActiveDirectorySearcherUserName = "ActiveDirectorySearcher" + "@" + ActiveDirectoryDomain;
    ActiveDirectorySearcherPassword = "Password for Active Directory Search Account";
    // Groups that are granted or denied access
    ActiveDirectoryGroupsGrantAccess.Add("CN=GroupThatHasAccess,OU=SomeOU,DC=domain,DC=topleveldomain");
    ActiveDirectoryGroupsDenyAccess.Add("CN=GroupThatDoesNotHasAccess,OU=SomeOU,DC=domain,DC=topleveldomain");
}
The Code – windows_authentication.aspx.cs 6 of 8
// If the URL contains our main application web address then
// we can assume that we redirected the user to the page.
if (this.Request.UrlReferrer.ToString().Contains("https://subdomain.domain.topleveldomain"))
{
    . . .
*Change subdomain, domain and top level domain to the appropriate values
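The check on this slide, as an added Python sketch (not TULIP's code): a substring test on the Referer compared with an exact scheme, host and port comparison. The function names and sample Referer values are constructed; the Referer header is supplied by the client, so neither form proves where the user came from.

```python
from urllib.parse import urlsplit

# Placeholder address from the slide; substitute the portal's real origin.
PORTAL_ORIGIN = "https://subdomain.domain.topleveldomain"
DEFAULT_PORTS = {"https": 443, "http": 80}

def substring_check(referer):
    """Model of the slide's test: portal address appears anywhere in the Referer."""
    return bool(referer) and PORTAL_ORIGIN in referer

def _origin(url):
    """Return (scheme, host, port) with the default port filled in."""
    parts = urlsplit(url)
    return parts.scheme, parts.hostname, parts.port or DEFAULT_PORTS.get(parts.scheme)

def origin_check(referer):
    """Accept only a Referer whose scheme, host and port equal the portal's."""
    if not referer:  # header absent or empty
        return False
    try:
        return _origin(referer) == _origin(PORTAL_ORIGIN)
    except ValueError:  # malformed host or port
        return False

# Constructed Referer values for exercising both checks.
SAMPLES = [
    "https://subdomain.domain.topleveldomain/default.aspx",
    "https://other.example/?next=https://subdomain.domain.topleveldomain",
    "https://subdomain.domain.topleveldomain.other.example/",
    "https://subdomain.domain.topleveldomain@other.example/",
    None,
]

def compare(samples=SAMPLES):
    """Return (referer, substring result, origin result) for each sample."""
    return [(r, substring_check(r), origin_check(r)) for r in samples]

if __name__ == "__main__":
    for referer, loose, strict in compare():
        print(f"{str(referer):70} substring={loose!s:5} origin={strict}")
```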
The Code – redirect.aspx 7 of 8
//Insert into the table
SqlCommand myCommand_INSERT = new SqlCommand("INSERT INTO database_table_name VALUES (NEWID(), '" + str_UserName + "', '" + datetime_NOW + "', 'dev');", conn);
//Select from the table
SqlCommand myCommand_SELECT = new SqlCommand("SELECT [uid] FROM database_table_name WHERE [username] = '" + str_UserName + "' AND [timestamp] = '" + datetime_NOW + "';", conn);
*Change Insert and Select statements where needed
str_Redirect_Path = "https://subdomain.domain.topleveldomain/protected/default.asp?key=" + reader["uid"].ToString();
*Change the redirect path, it can be outside of the application
The Code – begin_key_security.asp 8 of 8
Conn.Open "PROVIDER=SQLOLEDB;DATA SOURCE=database_server\database_server_instance;UID=database_user_name;PWD=database_user_password;DATABASE=database_name"
*Modify the connection string
sql = "SELECT [timestamp] FROM [database_table_name] WHERE [uid] = '" + strKey + "'"
*Modify the select statement where needed
If strDifference < 10 Then
*Modify the number of seconds if needed
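The key handoff from the redirect.aspx and begin_key_security.asp slides, as an added Python model (not TULIP's code) that binds the username and the ?key= value as query parameters instead of concatenating them into the SQL text, and rejects any key that does not parse as a GUID. It assumes an in-memory sqlite3 table named tulip_keys in place of SQL Server, constructed usernames and clock values, and it also deletes a key on first use, which the slides do not describe.

```python
import sqlite3
import uuid

MAX_AGE_SECONDS = 10  # validity window given on the slides

def open_store():
    """In-memory stand-in for the SQL Server table (table name is hypothetical)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tulip_keys (uid TEXT PRIMARY KEY, username TEXT, timestamp REAL)")
    return conn

def issue_key(conn, username, now):
    """redirect.aspx step: store a new GUID with the username and timestamp."""
    key = str(uuid.uuid4())
    # Placeholders keep the username out of the SQL text, quotes included.
    conn.execute("INSERT INTO tulip_keys (uid, username, timestamp) VALUES (?, ?, ?)",
                 (key, username, now))
    conn.commit()
    return key

def redeem_key(conn, raw_key, now):
    """Protected-page step: return the username for a valid key, else None."""
    try:
        key = str(uuid.UUID(raw_key))  # anything that is not a GUID stops here
    except (ValueError, TypeError, AttributeError):
        return None
    row = conn.execute("SELECT username, timestamp FROM tulip_keys WHERE uid = ?",
                       (key,)).fetchone()
    if row is None:
        return None
    username, issued = row
    # Consume the key so the same URL works once (added here; the slides
    # describe only the age check).
    deleted = conn.execute("DELETE FROM tulip_keys WHERE uid = ?", (key,)).rowcount
    conn.commit()
    age = now - issued
    if deleted != 1 or age < 0 or age >= MAX_AGE_SECONDS:
        return None
    return username

if __name__ == "__main__":
    db = open_store()
    k = issue_key(db, "o'brien", now=100.0)   # constructed username and clock values
    print(redeem_key(db, k, now=104.0))        # first use inside the window
    print(redeem_key(db, k, now=105.0))        # second use of the same key
    print(redeem_key(db, "' OR '1'='1", now=105.0))
```

In the ASP.NET and classic ASP code the same binding is done with SqlParameter and ADODB.Command parameters respectively.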
Questions & Answers Thank You! https://github.com/adam-huffman/tulip Adam Huffman athuffman@mckendree.edu