Putting it all together
Dynamic Data Base Access and Authentication
Norman White
Stern School of Business
Advanced Web Solutions
Question
– How do I add the capability to query/update a data base from a WEB page?
Answers
– Need a Client/Server data base: Oracle, SQL Server, etc.
– Need tools to access the data base: Active Server Pages, PERL, JAVA (JDBC), Java Servlets, Cold Fusion, etc…
Data Driven WEB Pages
Many business applications depend on knowledge of the current environment, which is often available in a database somewhere
Need to “WEB-Enable” applications, so customers, suppliers etc. can interact directly with a company's database.
Database changes are automatically and immediately available on the web site
Example: Active Server Pages
ASP files are Visual Basic or Java programs which can be mixed with HTML
The WEB server executes the ASP code as it generates the WEB page.
– Code runs on the Server side, client never sees it
– Code can dynamically access/update one or more databases
Only runs on Microsoft web servers, but similar applications run cross platform (PHP, Cold Fusion, Java Servlets etc.)
Simple ASP Example
Hello.asp:

```asp
<%@ Language="VBScript" %>
<html><head><title>What Day is it?</title></head>
<body>
Hello, <P>
<% datToday = Date() %>
Today is <% =datToday %> <P>
Bye
</body></html>
```
ASP Database Access (continued over two slides)

```asp
<%@ Language="VBScript" %>
<html><head><title>Results</title></head>
<body>
<%
SQL = "SELECT * FROM CUSTOMERS;"
Set DBOBJ = Server.CreateObject("ADODB.Connection")
' the slide has "pid="; the ODBC connection-string keyword for the password is "pwd"
DBOBJ.Open "dsn=nwind;uid=;pwd=;"
Set oRS = DBOBJ.Execute(SQL)
%>
<P>Customers</P>
<table border=3>
<% While Not oRS.EOF %>
<TR>
<%' HTMLEncode so that database content is shown as text, not interpreted as HTML; "" & guards against Null %>
<TD><% =Server.HTMLEncode("" & oRS.Fields("CUSTOMERID").Value) %></TD>
<TD><% =Server.HTMLEncode("" & oRS.Fields("COMPANYNAME").Value) %></TD>
</TR>
<% oRS.MoveNext %>
<% Wend %>
</table>
<%
oRS.Close
DBOBJ.Close
%>
</body></html>
```
Output
Customers
– Id1, Company1
– Id2, Company2
– …
– Idn, CompanyN
How do we handle FORMs in ASP
GET form
– Var = Request.QueryString("field")
Eg:

```asp
<%
userid = Request.QueryString("userid")
' HTMLEncode so that whatever the user typed is not echoed back as live HTML
Response.Write("Your userid is " & Server.HTMLEncode(userid))
%>
```

Request.Form returns POST parameters:

```asp
<% userid = Request.Form("userid") %>
```

– Retrieves the userid field from the form for use in the ASP program
But what good is all this?
Things get interesting if some of the fields in my database contain links to URLs
Now I can have a database that maintains information about web objects
I can allow users to select certain search characteristics
To update info, I update the database, and the links are automatically generated
Example
You have a music collection of a bunch of mp3 files which you keep adding to. You maintain information about your collection in a database.
Your database
– Song Table: Artist Id, album name, record label, date of release, type of music, name of song, link to MP3 file
– Artist Table: Artist name, bio, link to picture
Your application
Web page with form that allows users to choose selection criteria
ASP file processes form and retrieves a list of links that point to songs that satisfy the selection
User clicks on link and song plays
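As an added example that is not part of the slides, here is the application described on slides 9 through 12 (form input, query, list of links) written in Python with sqlite3 standing in for ADO/ODBC. The table and column names and the sample rows are constructed assumptions based on slide 11. It shows what the ASP slides leave implicit: form values enter the query only as bind parameters, the set of searchable columns is fixed in code rather than taken from the request, and every value echoed back is HTML-escaped, so an apostrophe in a name like O'Brien is just data.

```python
"""Music-collection search (slides 9-12) as a parameterized query.
Added example, not from the slides; schema and rows are constructed."""
import html
import sqlite3

# Schema from slide 11; column names are assumptions.
SCHEMA = """
CREATE TABLE artist (
    artist_id   INTEGER PRIMARY KEY,
    name        TEXT NOT NULL,
    bio         TEXT,
    picture_url TEXT
);
CREATE TABLE song (
    song_id      INTEGER PRIMARY KEY,
    artist_id    INTEGER NOT NULL REFERENCES artist(artist_id),
    album        TEXT,
    label        TEXT,
    release_date TEXT,
    genre        TEXT,
    title        TEXT NOT NULL,
    mp3_url      TEXT NOT NULL
);
"""

# Constructed sample data.
ARTISTS = [
    (1, "O'Brien Quartet", "Jazz quartet", "/img/obrien.jpg"),
    (2, "Static Field", "Electronic duo", "/img/static.jpg"),
]
SONGS = [
    (1, 1, "Blue Hours", "Nightlabel", "1999-04-01", "jazz", "Late Set", "/mp3/late-set.mp3"),
    (2, 1, "Blue Hours", "Nightlabel", "1999-04-01", "jazz", "Early Set", "/mp3/early-set.mp3"),
    (3, 2, "Carrier", "Wavefront", "2003-10-12", "electronic", "Noise Floor", "/mp3/noise-floor.mp3"),
]


def open_collection():
    """In-memory database seeded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO artist VALUES (?,?,?,?)", ARTISTS)
    conn.executemany("INSERT INTO song VALUES (?,?,?,?,?,?,?,?)", SONGS)
    return conn


# Form field name -> SQL predicate. Only these keys are honoured, so the
# columns being searched are decided by the code, never by the request.
CRITERIA = {
    "artist": "artist.name = ?",
    "genre": "song.genre = ?",
    "year": "substr(song.release_date, 1, 4) = ?",
}


def search_songs(conn, form):
    """form: dict of submitted fields (the Request.Form / Request.QueryString
    values of slide 9). The WHERE clause is assembled from the whitelist above
    and every user value is passed as a bind parameter."""
    clauses, params = [], []
    for field, predicate in CRITERIA.items():
        value = str(form.get(field, "")).strip()
        if value:
            clauses.append(predicate)
            params.append(value)
    sql = ("SELECT song.title, artist.name, song.mp3_url FROM song "
           "JOIN artist ON artist.artist_id = song.artist_id")
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    sql += " ORDER BY song.title"
    return conn.execute(sql, params).fetchall()


def render_links(rows):
    """The output loop of slide 7, one link per matching song, HTML-escaped
    so that titles and URLs stored in the database cannot inject markup."""
    items = [
        f'<li><a href="{html.escape(url, quote=True)}">{html.escape(title)}</a> '
        f'({html.escape(artist)})</li>'
        for title, artist, url in rows
    ]
    return "<ul>\n" + "\n".join(items) + "\n</ul>"


if __name__ == "__main__":
    db = open_collection()
    print(render_links(search_songs(db, {"genre": "jazz"})))
```

The whitelist dictionary is the design point: adding a new search field means adding one predicate to `CRITERIA`, and nothing the browser sends can change which columns or tables the query touches.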
Additional Applications
Add a song
Add an artist
Delete a song
Delete an artist
Update a song
Conclusion
Simple ASP files can be very powerful
WEB code doesn’t grow as data grows
Once built, no maintenance (except for updating the database, which in many cases is already being done)
Easy to “web enable” existing database applications
Server Side Scripting Languages Which support DB Access
ASP (Visual Basic, JavaScript); C++ and C# coming soon.
Cold Fusion (CFM files)
PHP (Free open source solution, runs on Unix, Linux, NT) Supports all major databases
PERL DBI (Data Base Interface)
Java, Javascript Servlets
How do you identify server side scripting
In most cases, the language processors become PART of the WEB server.
Dramatically reduces the overhead involved with running a separate program (à la CGI)
Other Alternative
JDBC – Java Data Base Connectivity
– Allows a Java applet to directly connect to a remote database
– Problems ….
  Security (java can only connect back to the server its code came from)
  Overhead for connection(s) across the internet
  Depends on the user's browser being able to handle java
– Best use is within an intranet….
PHP
PHP is more powerful than ASP, and has direct support for a number of major databases
PHP runs on almost all web servers
PHP is free!
Downside is documentation is weak, and the programming environment complex.
Better for big, complex projects
Simple PHP Program

```php
<html><head><title>PHP Test</title></head>
<body> <?php echo "Hello World<P>"; ?> </body></html>
```

OR

```php
<?php
// $HTTP_USER_AGENT on the slide relies on register_globals, which modern PHP no longer has;
// read the header from $_SERVER and escape it before echoing it back into the page
echo htmlspecialchars($_SERVER['HTTP_USER_AGENT'] ?? '', ENT_QUOTES, 'UTF-8');
?>
```
Cold Fusion
Cold Fusion is a platform independent development system similar to ASP
Runs on Windows or Unix
Includes Custom IDE (integrated development environment)
Some extra features include replication and rollover
– You can replicate cold fusion sites for better performance, and you can have one site back up another site in case one fails.
Other development environments
Java Servlets
Java Server Pages
They allow reusable components and a write once, run anywhere environment.
Advanced Features
Authentication
State maintenance
Reusability
Application integration
– Email
– …
Authentication
How does a web application control user access? Some methods:
– .htaccess files: These are files located in a folder that are used to control access to the folder by the web server
– LDAP server (Lightweight Directory Access Protocol): Uses separate servers for authentication, and maintenance of global information to be shared across many applications and systems
– ADS (Active Directory Service): Microsoft supported directory information, can integrate with LDAP and Novell
– NDS (Novell Directory Service): Originally designed for Novell LAN directory access, now used for enterprise-wide directory services
Authentication
.htaccess files
– Pro: Can be supported by individual web developers without any centralized overhead.
– Con: May end up with users having many different userids and passwords. Not really suitable for an intranet environment
.htaccess example
Assume a directory structure of restricted content that you want to restrict to “authenticated” users.
Have users fill out a form with their email address and desired userid. Email the password to them with a link to a cgi script that allows them to change the password.
.htaccess example

```apacheconf
AuthUserFile /export/grad/a/aab211/public_html/websys/.htpasswd
AuthGroupFile /dev/null
# a realm name containing spaces must be quoted
AuthName "Somewhere.com's Secret Section"
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>
```
Example
.htaccess file describes authentication details and location of htpasswd file
.htaccess file placed in the directory it controls; by default controls all lower level directories also.
Htpasswd file can be anywhere
Htpasswd program used to update htpasswd file
Htpasswd file encrypted
Maintaining htpasswd file
– htpasswd -c passwordfile username: creates a new htpasswd file and adds a username to it, prompting for the password
– htpasswd passwordfile username: adds a user, prompting for the password
– htpasswd -b passwordfile username password: creates or updates the username's password, taking the password from the command line
CGI Script to add user
Script one – htadduser.sh
User fills out form with desired username and email address. Shell script adduser.sh:
– grep .htpasswd file for username
  • If username exists, issue error
  • Else, generate random password
– Issue htpasswd -b passwordfile username passwd
– Email the email address with username and password and link to files.
– Add username and email address to userid file
Changepass.sh
Allows user to change password. This script should be in a restricted directory.
Logic:
– Display form with userid, desired password
– Take form input (using POST … Why?)
– Issue htpasswd -b passwordfile username newpassword
Request new password
What if user forgets the userid, password? Requestpass.sh
– grep userid file for email address, username
– Cut userid and email
– Generate new random password, email to user
– Watch out: since the web server is creating the .htpasswd file, anyone can read it (but it is encrypted)
– Solution: don’t allow users to request .htaccess or .htpasswd
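The three CGI scripts of slides 29 through 31 and the htpasswd commands of slide 28 share one small core: read the password file, refuse duplicates, hash a password, write the file back. The following Python is an added example that is not from the slides; it writes the `{SHA}` entry format that `htpasswd -s` produces (base64 of an unsalted SHA-1), so it runs without the Apache binary, and the userid file layout (`username:email`) is an assumption. On a real site use `htpasswd -B` (bcrypt) instead of `{SHA}`, keep both files outside the document root (the slide's path is under `public_html`, which is exactly why slide 31 warns that anyone can request it; Apache's default configuration also refuses to serve `.ht*` files), and note that `<Limit GET POST>` in the slide's `.htaccess` protects only those two methods, so Apache's documentation recommends putting `require valid-user` outside any `<Limit>` block.

```python
"""htpasswd user lifecycle (slides 28-31): add user, change password,
request a new password, verify. Added example; not from the slides."""
import base64
import hashlib
import hmac
import secrets
import tempfile
from pathlib import Path


class UserExists(Exception):
    pass


class NoSuchUser(Exception):
    pass


def sha_entry(password):
    """Apache's {SHA} format: base64(SHA-1(password)), unsalted. Accepted by
    mod_auth_basic but weak; prefer bcrypt (`htpasswd -B`) on real sites."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def read_colon_file(path):
    """Parse 'key:value' lines; used for both .htpasswd and the userid file."""
    entries = {}
    path = Path(path)
    if path.exists():
        for line in path.read_text().splitlines():
            if ":" in line and not line.startswith("#"):
                key, _, value = line.partition(":")
                entries[key] = value
    return entries


def write_colon_file(path, entries):
    Path(path).write_text("".join(f"{k}:{v}\n" for k, v in entries.items()))


def add_user(pw_file, id_file, username, email):
    """htadduser.sh: grep for the username, refuse duplicates, otherwise store
    a random password's hash and record username->email. Returns the clear
    password that the script would e-mail to the user."""
    if not username.isalnum():          # keeps ':' and newlines out of the file
        raise ValueError("username must be alphanumeric")
    users = read_colon_file(pw_file)
    if username in users:
        raise UserExists(username)
    password = secrets.token_urlsafe(12)
    users[username] = sha_entry(password)
    write_colon_file(pw_file, users)
    ids = read_colon_file(id_file)
    ids[username] = email
    write_colon_file(id_file, ids)
    return password


def change_password(pw_file, username, new_password):
    """changepass.sh: the `htpasswd -b passwordfile username newpassword` step."""
    users = read_colon_file(pw_file)
    if username not in users:
        raise NoSuchUser(username)
    users[username] = sha_entry(new_password)
    write_colon_file(pw_file, users)


def request_new_password(pw_file, id_file, email):
    """requestpass.sh: find the username by e-mail in the userid file, set a
    fresh random password and return (username, password) for the mail."""
    matches = [u for u, e in read_colon_file(id_file).items() if e == email]
    if not matches:
        raise NoSuchUser(email)
    password = secrets.token_urlsafe(12)
    change_password(pw_file, matches[0], password)
    return matches[0], password


def verify(pw_file, username, password):
    """What the web server does on each request to the protected directory."""
    stored = read_colon_file(pw_file).get(username)
    return stored is not None and hmac.compare_digest(stored, sha_entry(password))


def demo():
    """Run the whole lifecycle in a scratch directory and report what happened."""
    with tempfile.TemporaryDirectory() as d:
        pw_file, id_file = Path(d) / ".htpasswd", Path(d) / "userids"
        initial = add_user(pw_file, id_file, "alice", "alice@example.com")
        try:
            add_user(pw_file, id_file, "alice", "other@example.com")
            duplicate_rejected = False
        except UserExists:
            duplicate_rejected = True
        initial_ok = verify(pw_file, "alice", initial)
        change_password(pw_file, "alice", "second-password")
        user, reset = request_new_password(pw_file, id_file, "alice@example.com")
        return {
            "duplicate_rejected": duplicate_rejected,
            "initial_ok": initial_ok,
            "old_rejected": not verify(pw_file, "alice", initial),
            "second_rejected": not verify(pw_file, "alice", "second-password"),
            "reset_user": user,
            "reset_ok": verify(pw_file, user, reset),
            "unknown_user": verify(pw_file, "bob", reset),
        }
```

`verify` compares hashes with `hmac.compare_digest` rather than `==` so that the comparison time does not depend on where the strings first differ; `add_user` rejects anything but alphanumeric usernames because a colon or newline in the key would corrupt the file format the web server parses.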
LDAP
LDAP servers allow different types of authentication and tools
LDAP server can be viewed as a hierarchical or relational data base which can be updated, queried etc.
Can be used to handle a variety of global info like userids, passwords, home directories, phone numbers, majors etc.
Supported by both Novell and Microsoft as well as Unix, Linux etc.
One of the best approaches to Enterprise-wide authentication for web, email, LAN etc.
NDS
Probably the first major directory service, due to the fact that many organizations had very large user populations that needed to be authenticated enterprise-wide. (Stern has > 12,000 users)
Recent additions allow Novell to authenticate to LDAP.
ADS
Active Directory Services
Microsoft “replacement” for NDS
Microsoft did not have a scalable, reliable method for handling 1000s of users. Main reason they couldn’t displace Novell in large organizations.
Like NDS, ADS will also interoperate with LDAP, but still buggy.
Management Takeaway
Many approaches to authentication and security
Need an enterprise-wide solution to avoid “userid hangover”
3 major enterprise wide solutions – LDAP, NDS, ADS
LDAP only open solution