This question already has an answer here:
Can a use-case include and precondition the same other use-case?
(1 answer)
Closed 4 years ago.
Scenario: To use my application you need to login first (get an access token), then you are able to use my application. If you're not logged in. You will be shut out.
So, when drawing my UML Use Case:
do i link my actor to the "provide login" use case?
or
do i provide an includes from the other use cases to login?
A bit confused as I have been taught that its not the goal of the system to login, but what if you cant use it if there is no login credentials passed. So just need help on being clear in that understanding.
Thanks
A Use Case has to provide the user business value. “Provide Login” is not really a Use Case, since it doesn’t do anything useful on its own (the user wouldn’t login and then do nothing once logged in, that wouldn’t make sense) so it is more simply just a function of the system. The user being logged in should instead be modelled as a constraint (e.g. pre-condition) for your other Use Case (constraint being end user identity is authentic etc).
That said, though it’s not correct, some people decompose their Use Cases into functional blocks, and model a “Login” Use Case and then (usually) “include” that into their main Use Case (option #2 in your list). This is done usually so that the Use Case specifies precisely the expectations of the Login process (steps), however this is often more of a problem for the system architects/designers and programmers than a help (there are many ways that an end-user could be authenticated and the way it’s achieved may not be common across all end-users even within the context of just one system).
Login is no use case since it does not add any value. And use cases are simply about added value the system under consideration delivers to one of its actors. So rather than adding a wrong Login use case you should attach a constraint { must be logged in} where appropriate.
Again I have to recommend Bittner/Spence to get a full understanding of use cases.
Related
I'm pretty inexperienced when it comes to working with IIS, so I apologize if the question is a bit confusing.
In the application, I have a Controller with a method called 'Login' that takes in a string parameter. The parameter identifies the organization the user is trying to authenticate against.
For example:
http://mysite1.com/Login/12345
Visiting this link brings the user to a login page for the organization that is associated with '12345' for their access key.
Is there any way to redirect users that are logging in under '12345' to another server? We have a few beta users that are willing to participate, but the database schemas for both servers are different, so it's important that the beta users are not hitting the wrong site.
After the user logs in, the access key is no longer in the URL, so I can't do matches against it.
I'd like for the user to see the following URL:
http://mysite1.com/Login/12345
http://mysite1.com/Products/
http://mysite1.com/Admin/
While in reality they're on a different server:
http://mysite2.com/Products/
http://mysite2.com/Admin/
I have to emphasize that I really do need the URL to stay 'mysite1' for the user, when in reality they'll be on 'mysite2'. Please let me know if this is possible or not, or if there's a better solution for it.
Sorry if this is a confusing scenario or if there's some information that I'm missing. I'll make edits if necessary.
Virtually anything is possible, but this approach seems really painful.
IIS can perform URL rewriting but it's going to be doing this before it hits the authentication layer so it will not be possible to differentiate users at that level.
It seems like the best option will be to write a custom URL rewriter provider. Looks like this post is attempting to solve it that way.
It really seems better to either redirect to a different server (which I know you're saying you can't do) or merge the multiple versions of functionality into a single app (with different controls/backend models, etc.)
This link may help in understanding a little bit about how the flow works in an ASP.NET MVC app.
I have created some utility code that allows me to take text entered into our content management system and dynamically compile and invoke it with a method similar to this.
But this raises a security risk--since a content author could mistakenly (or worse--maliciously) enter code that would do things outside of what I am looking for. Any recommendations for keeping this functionality open, but be able to prevent certain types of code from being written? For example, there are obvious things to limit like writing to the file system.
My initial thought is excluding certain assemblies, but I am curious if anyone has any clever ideas on this.
Don't do this. There are endless possibilities for what a user could write and you won't be able to prevent them all. In security you should always specify what a user can do instead of what he can't do (whitelist instead of blacklist) because you will miss something if you do it otherwise.
In this specific case, allowing a user to write arbitrary code never seems like a good idea. Instead, you should choose specific operations that a user can perform and add a button/control for each one.
If you REALLY need such functionality consider creating very limited functionality. Don't allow users to enter text; give them "blocks".
Start with very basic, limited set of instructions and add new ones only when asked to.
Based on accepted answer of this post How can I create a product key for my C# application?
I would better to investigate (for didactic scope) what really means with "security check skip" terms.
As far as I know, a simple boolean comparsion can be cracked within 5 seconds, for example:
if(textBoxActivationKey.Tex == "123") ok...else ko. That represents a classic weakness of any secuirty system solution, so what really can be more efficient against simple comparsion?
Somewhere I remeber to have read to use some exception throwing for crash the application rather then use bool comparer, but I guess it cannot be enough.
Granted that (at least theorically) anything can be cracked, how make it really sofisticated secure activation system? Which can be a real deterrent?
Are you looking for efficiency or effectiveness? Most applications phone home. That seems to be a pretty good activation method. However, this means that the user must be online to activate.
If you must be online, and the activation is done through a service (that you own) on a server somewhere, then you can instantly record that the activation key has been used (and invalidate it).
I'm not an expert on this subject, but I think if the shipped key represents only part of the full activation key and the rest must be received from a server, that might work.
Im developing a web application, in which I need to identify a certain page using an identifier.
Usually I would use a auto increment interger, which relates to the ID of the item in the DB.
Like this for example:
http://example.com/item/1
But I see more and more use of identifies like this (TinyUrl and YouTube):
http://example.com/item/1BHYQJh1
And I wonder, should I go for this solution?
What is the benefit, is it just to shorten the ID in case you get up to a really long interger?
Or is it to "hack proof" the soulution so that people cant "guess" the url by replacing 1 with 2.
I really appreciate the last one, I would like to add this extra security to my application. But does anyone know of any code snippets that does this exact thing?
Examples in C# would be great.
This is not really a programming issue, but...
I prefer 'nice' URLs and I am not alone, and to me plain numbers are nicer than 1BHY..., but YMMV.
The 'guessing' you mention is not relevant here. If the user is allowed to access /2 then it doesn't matter. If he is not allowed, then basing the security on obscure URLs is a poor choice. What if someone types the wrong value and stumbles upon page not meant for him.
If you need security, you need to check whether the current user is allowed to access the page at specified URL and act accordingly.
I don't understand what 'examples in C#' mean. These are URLs, they are not expressed in C#.
You could use Guid.NewGuid() to create a 'unique' identifier
Is a GUID unique 100% of the time?
I apologize in advance for the generic nature of my question, but I was unable to find any helpful advice from people trying to do the same thing as me on the web. Let me describe my scenario:
I am providing end users/designers of a website the ability to customize their views by storing the views (using Razor) in the database. I have all of this working, but my question is the following; From a security standpoint, how can I ensure and enforce that unwanted code doesn't get executed in the user-defined view? There are two basic approaches that I think will work conceptually, but am not sure which one is more possible or feasible.
Option 1: Create a validation method in the administration tool that allows the user to input the view code. This would need to either take a whitelist or blacklist approach to what is allowable or not.
Option 2: Prevent unwanted code from being able to execute when rendering of the view occurs.
As a quick example of something that would need to be blocked, we wouldn't want to allow access to read or write files, access any data access functions, or even access configuration settings, etc. in the web.config. There will likely be a decently-sized list of things that probably shouldn't be allowable, but I'll need to sit down and try to think of as many security-related concerns as possible.
My question then is, which method would be the best bet? Also, can any direction be provided on how to go about either? I thought I might be able to make trust-level based change which would be Option 2, but couldn't find any way to make that work in a per-view based manor (the administration code is allowed to execute whatever it wants). I'm thinking Option 1 will end up being the best bet and I'll have to check for the input of certain framework functions that shouldn't be allowed. Does anyone have any experience doing anything like what I'm trying to do? ANY feedback is much appreciated!
This would be extremely difficult.
You could run the the template through the Razor preprocessor, then use Roslyn (still in early beta) to parse the generated file and look through all method calls (or constructors) and return an error if it calls something you don't like.
I strongly recommend that you use a whitelist for that, since the .Net framework is big enough that you are bound to overlook something in a blacklist.
However, I would instead recommend that you not use Razor at all and instead use a templating engine that does not allow real C# code.