1
TULIP - The UI Login Portal
Presented by: Adam Huffman, McKendree University, May 21, 2013
2
Introduction - TULIP - The UI Login Portal
• TULIP is a website that adds additional security to any web resource
• Developed for UI 4.4 but can be used for any web resource
• Technologies Used: IIS 7+ with the IIS URL Rewrite, HTML 5, CSS 3, C# .NET 4.0, Microsoft Active Directory, and Microsoft SQL
3
Agenda – TULIP
1. The need for TULIP
2. High-level overview
3. Demonstrations
– GitHub
– How McKendree University uses TULIP
4. Code
– GitHub
– What customizations need to be made
4
The need for TULIP
How to allow for offsite access to UI 4 without giving student workers access offsite or in their residence hall?
5
The need for TULIP
• Provide offsite access to UI 4.X
• Prevent student workers from accessing UI 4.X in their residence halls and off campus
• Prevent anonymous access to the UI 4.X login
7
High-level overview 1 of 4
default.aspx
windows_authentication.aspx
Campus Login
Login
redirect.aspx
8
High-level overview 2 of 4
redirect.aspx
Insert into database to create a new GUID with username and timestamp
Retrieve the newly created GUID
Protected Page
Redirect to the protected page appending the GUID to the URL GET request as the ?key=
9
High-level overview 3 of 4
Protected Page
Parts of the Protected Page
Page to be protected (.asp)
begin_key_security.asp
end_key_security.asp
10
High-level overview 4 of 4
Protected Page
Retrieve the timestamp from the database that correlates to the GUID
Verify that the GUID is not older than ten seconds
The Protected Page’s Content
13
Demo – GitHub – Protected Page 2 of 3
/default.asp?key=9775826a-111e-4d25-98fc-fb6a434dd32a
Example of the GUID
The GUID was valid and less than 10 seconds old
The GUID was invalid or more than 10 seconds old
*Instead of Success! the page that is meant to be protected would be displayed.
14
Demo – GitHub – Demo 3 of 3
A temporary demo site will be available during the ellucianIL presentation.
GitHub Demo
15
Demo – McKendree – default.aspx 1 of 3
default.aspx
windows_authentication.aspx
This takes the place of the index.asp page that is delivered with UI 4
16
Demo – McKendree – launch.asp 2 of 3
/live43/launch.asp?key=9775826a-111e-4d25-98fc-fb6a434dd32a
The Protected Page is now launch.asp which is in its own application live43
Example of the GUID
The GUID was valid and less than 10 seconds old
17
Demo – McKendree 3 of 3
The link will be available during the ellucianIL presentation.
McKendree Demo
19
The Code – Overview 1 of 8
• GitHub
• Servers IIS 7+ and MS SQL
• Files to modify (C#)
– web.config
– tulip.cs
– windows_authentication.aspx.cs
– redirect.aspx.cs
– begin_key_security.asp
20
The Code – GitHub 2 of 8
• Create an account
• Go to github.com/adam-huffman/tulip
• Download the zip file or use GitHub for Windows
• Setup IIS 7+ and Microsoft SQL Server
• Open project in Microsoft Visual Studio
• Tweak, Deploy, Repeat
21
The Code – IIS 7+ and SQL 3 of 8
• Microsoft IIS – 7+ (Server 2008+)
– IIS URL Rewrite
– AppPool with .Net 4 and Integrated Pipeline
• Microsoft SQL Server
– SQL Server 2005
• Should be compatible with newer versions of SQL as long as the uniqueidentifier is available
22
The Code – web.config 4 of 8
<connectionStrings>
<add name="tulip" providerName="System.Data.SQLClient" connectionString="" />
</connectionStrings>
*Add in your connection string
<system.webServer><rewrite><rules> …
*Change subdomain, domain and top level domain to the appropriate values
23
The Code – tulip.cs 5 of 8
public tulip(){
    ActiveDirectoryRoot = "LDAP://DC=domain,DC=topleveldomain";
    ActiveDirectoryDomain = "domain.topleveldomain";
    // The directory search account's credentials are set in code here; use a low-privilege account.
    ActiveDirectorySearcherUserName = "ActiveDirectorySearcher" + "@" + ActiveDirectoryDomain;
    ActiveDirectorySearcherPassword = "Password for Active Directory Search Account";
    // Members of these groups are allowed through the portal.
    ActiveDirectoryGroupsGrantAccess.Add("CN=GroupThatHasAccess,OU=SomeOU,DC=domain,DC=topleveldomain");
    // Members of these groups are refused.
    ActiveDirectoryGroupsDenyAccess.Add("CN=GroupThatDoesNotHasAccess,OU=SomeOU,DC=domain,DC=topleveldomain");
}
24
The Code – windows_authentication.aspx.cs 6 of 8
// If the URL contains our main application web address then
// we can assume that we redirected the user to the page.
// UrlReferrer is null when the browser sends no Referer header, and the header is client-supplied.
if ( this.Request.UrlReferrer != null &&
     this.Request.UrlReferrer.ToString().Contains("https://subdomain.domain.topleveldomain"))
{ . . .
*Change subdomain, domain and top level domain to the appropriate values
25
The Code – redirect.aspx 7 of 8
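//Insert into the table (values are bound as parameters, not concatenated into the SQL text)
SqlCommand myCommand_INSERT = new SqlCommand("INSERT INTO database_table_name VALUES (NEWID(), @username, @timestamp, 'dev');", conn);
myCommand_INSERT.Parameters.AddWithValue("@username", str_UserName);
myCommand_INSERT.Parameters.AddWithValue("@timestamp", datetime_NOW);
//Select from the table
SqlCommand myCommand_SELECT = new SqlCommand("SELECT [uid] FROM database_table_name WHERE [username] = @username AND [timestamp] = @timestamp;", conn);
myCommand_SELECT.Parameters.AddWithValue("@username", str_UserName);
myCommand_SELECT.Parameters.AddWithValue("@timestamp", datetime_NOW);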
*Change Insert and Select statements where needed
str_Redirect_Path = "https://subdomain.domain.topleveldomain/protected/default.asp?key=" + reader["uid"].ToString();
*Change the redirect path, it can be outside of the application
26
The Code – begin_key_security.asp 8 of 8
Conn.Open "PROVIDER=SQLOLEDB;DATA SOURCE=database_server\database_server_instance;UID=database_user_name;PWD=database_user_password;DATABASE=database_name"
*Modify the connection string
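' strKey comes from the ?key= query string: check that it is a well-formed GUID before it reaches this statement
sql = "SELECT [timestamp] FROM [database_table_name] WHERE [uid] = '" + strKey + "'"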
*Modify the select statement where needed
If strDifference < 10 Then
*Modify the number of seconds if needed
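The issue-and-check flow from the overview slides and begin_key_security.asp, as an added C# example that is not code from the TULIP repository. `KeyStore`, `Issue`, `Validate` and the in-memory dictionary standing in for the SQL table are assumptions, and removing the key on first use is an added hardening the slides do not describe.

```csharp
using System;
using System.Collections.Generic;

// Added illustration, not code from the TULIP repository.
// KeyStore stands in for the SQL table (uid, username, timestamp).
public sealed class KeyStore
{
    private readonly Dictionary<Guid, (string User, DateTime IssuedUtc)> rows =
        new Dictionary<Guid, (string, DateTime)>();
    private readonly TimeSpan maxAge;
    public KeyStore(TimeSpan maxAge) { this.maxAge = maxAge; }

    // redirect.aspx step: create the row and return the GUID for ?key=.
    public Guid Issue(string user, DateTime nowUtc)
    {
        Guid key = Guid.NewGuid();
        rows[key] = (user, nowUtc);
        return key;
    }

    // begin_key_security.asp step: decide whether the request may proceed.
    public bool Validate(string rawKey, DateTime nowUtc, out string user)
    {
        user = null;
        // Accept only the 8-4-4-4-12 form, so quotes or SQL text never reach a query.
        if (!Guid.TryParseExact(rawKey, "D", out Guid key)) return false;
        if (!rows.TryGetValue(key, out var row)) return false;
        rows.Remove(key); // assumption: single use; the slides only state the age limit
        TimeSpan age = nowUtc - row.IssuedUtc;
        // Bound both sides: a bare "< 10" also passes negative ages (clock skew).
        if (age < TimeSpan.Zero || age >= maxAge) return false;
        user = row.User;
        return true;
    }
}

public static class Demo
{
    public static void Main()
    {
        var store = new KeyStore(TimeSpan.FromSeconds(10));
        DateTime t0 = new DateTime(2013, 5, 21, 12, 0, 0, DateTimeKind.Utc); // constructed sample time
        Guid k1 = store.Issue("jdoe", t0); // "jdoe" is a constructed username
        Guid k2 = store.Issue("jdoe", t0);
        Console.WriteLine(store.Validate(k1.ToString(), t0.AddSeconds(3), out _));  // fresh key
        Console.WriteLine(store.Validate(k1.ToString(), t0.AddSeconds(4), out _));  // same key replayed
        Console.WriteLine(store.Validate(k2.ToString(), t0.AddSeconds(11), out _)); // past the 10 s window
        Console.WriteLine(store.Validate("x' OR '1'='1", t0, out _));               // not a GUID
    }
}
```

Only the first call is accepted; the replayed, expired and malformed keys are all refused before any protected content would be served.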
27
Questions & Answers
Thank You!
https://github.com/adam-huffman/tulip
Adam Huffman