StrataFrame Forum

1st step in role based security

http://forum.strataframe.net/Topic6140.aspx

By yh - 1/24/2007

I am trying to make the most simple case (role based security) work.

  • one database strataFrame (everybody has this database when downloading StrataFrame),
  • Create one web site, then using the ‘Security Editor’ create one record for this web site: username=somebody, us_data=Test123
  • In the global.asax, I specify the connection string to the database: strataFrame
  • Then in the default.aspx.vb, I use the following 3 lines of code

             Dim loUserInfo As New MicroFour.StrataFrame.Security.BusinessObjects.SFSUsersBO
             Dim loResult As MicroFour.StrataFrame.Security.Login.LoginResult
             loResult = MicroFour.StrataFrame.Security.Login.AuthenticateUser("somebody", "Test123", "nbs", loUserInfo)

Basically, the above is the whole test web site.

And the loResult returns ‘failure’.

By yh - 1/24/2007

Answer is here:

Add the following line to the global.asax.

SecurityBasics.SetSecurityKeyAndVectorForUserAuthentication("")

By yh - 1/24/2007

Is this kind of a bug?

By StrataFrame Team - 1/24/2007

No, the us_Data field is encrypted with 3DES and uses a 24-byte key and an 8-byte initialization vector for the 3DES algorithm.  Rather than hard-coding the key within SF (so all SF developers would have to use the same key), we allow the key to be specified by the developer.  Within the Role-Based Security Editor, if you open the project properties, you will notice the "User Data Encryption" box that specifies the "Security Key:".  This value is used as the seed for the key and IV that are used by the 3DES to encrypt the data when you create or modify a user.  You then have to specify the value to tell your application how to decrypt the us_Data field for your users within the database.
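
Why a seed mismatch between the editor and the application surfaces as a failed login, shown as an added example that is not part of this thread or StrataFrame's own code. It assumes PBKDF2 as the seed-to-key/IV derivation (the thread does not say how StrataFrame derives them); the salt, seeds and sample record are constructed.

```vbnet
Imports System
Imports System.Security.Cryptography
Imports System.Text

Module SeedMismatchDemo
    ' Constructed salt for the demo; PBKDF2 is an assumed derivation, not StrataFrame's.
    Private ReadOnly DemoSalt As Byte() = Encoding.UTF8.GetBytes("constructed-demo-salt")

    ' Derive a 24-byte 3DES key and an 8-byte IV from the seed string.
    Function CreateCipher(seed As String) As TripleDES
        Dim tdes As TripleDES = TripleDES.Create()   ' defaults: CBC mode, PKCS7 padding
        Using kdf As New Rfc2898DeriveBytes(seed, DemoSalt, 100000, HashAlgorithmName.SHA256)
            tdes.Key = kdf.GetBytes(24)
            tdes.IV = kdf.GetBytes(8)
        End Using
        Return tdes
    End Function

    Function Encrypt(seed As String, plainText As String) As Byte()
        Dim data As Byte() = Encoding.UTF8.GetBytes(plainText)
        Using tdes As TripleDES = CreateCipher(seed)
            Using enc As ICryptoTransform = tdes.CreateEncryptor()
                Return enc.TransformFinalBlock(data, 0, data.Length)
            End Using
        End Using
    End Function

    ' Returns Nothing when the padding check rejects the decrypted data.
    Function TryDecrypt(seed As String, cipherText As Byte()) As String
        Try
            Using tdes As TripleDES = CreateCipher(seed)
                Using dec As ICryptoTransform = tdes.CreateDecryptor()
                    Dim plain As Byte() = dec.TransformFinalBlock(cipherText, 0, cipherText.Length)
                    Return Encoding.UTF8.GetString(plain)
                End Using
            End Using
        Catch ex As CryptographicException
            Return Nothing
        End Try
    End Function

    Sub Main()
        ' Constructed values: the seed typed into the editor, and a sample user record.
        Dim stored As Byte() = Encrypt("EditorSeed", "sample user data")
        ' Same seed in the application: the record decrypts.
        Console.WriteLine(TryDecrypt("EditorSeed", stored) = "sample user data")
        ' Different seed: decryption fails the padding check or yields garbage.
        Console.WriteLine(TryDecrypt("AppSeed", stored) = "sample user data")
    End Sub
End Module
```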

By yh - 1/24/2007

If the user does not specify any value for the "Security Key:", should the decrypt take a default value “” for the seed?

Anyway, it does not matter now.

By StrataFrame Team - 1/24/2007

Since the key and IV are integral to the security of the application, we don't default those values, so it's "by design," as Microsoft would say :)

By Hugo R. Figueroa - 1/25/2007

For those of us that are very new to .net, could you add a web site example with security with your next release?

Thanks

By Trent L. Taylor - 1/25/2007

It probably won't make it into the next update, but we can add it to the "requested samples" list.