//
// Licensed to the Apache Software Foundation (ASF) under one or more
// contributor license agreements. See the NOTICE file distributed with
// this work for additional information regarding copyright ownership.
// The ASF licenses this file to You under the Apache License, Version 2.0
// (the "License"); you may not use this file except in compliance with
// the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
// .NET Service Configuration V2.0 for Design Considerations for Service-Oriented Applications
// based on Windows Communication Foundation. Created with Microsoft .NET Framework 3.5 and
// Microsoft Visual Studio. Copyright 2008, Microsoft Corporation.

using System;
using System.Web.Security;
using System.Web.UI;
using Trade.BusinessServiceClient;
using Trade.StockTraderWebApplicationModelClasses;
using Trade.StockTraderWebApplicationSettings;
using Trade.Utility;

namespace Trade.Web
{
    /// <summary>
    /// Login page. Validates the posted credentials through the business service layer and,
    /// when a matching account comes back, issues a Forms Authentication cookie and sends the
    /// browser to the home page. Any failure to authenticate shows a single generic message.
    /// </summary>
    public partial class Login : System.Web.UI.Page
    {
        /// <summary>
        /// Click handler for the login button.
        /// </summary>
        /// <param name="sender">The control that raised the event (unused).</param>
        /// <param name="e">Event data (unused).</param>
        protected void LoginButton_Click(object sender, EventArgs e)
        {
            // Run the page validators first; an invalid form never reaches the service call.
            Page.Validate();
            if (!Page.IsValid)
            {
                return;
            }

            // Security notes:
            // Authentication is delegated to ASP.NET Forms Authentication. Normal users are checked
            // against the Trade AccountProfile table; administrators against the configuration
            // system's users table. Forms Authentication handles the redirect of unauthenticated
            // requests for restricted pages back to this form. Its default ticket protection uses
            // SHA1 for the HMAC and AES for encryption; the web.config forms directive should keep
            // Protection="All", and in production every restricted page should be served over SSL.
            // Background reading:
            //   http://msdn2.microsoft.com/en-us/library/aa302415.aspx
            //   http://msdn2.microsoft.com/en-us/library/ms998310.aspx

            AccountDataUI account = LookupAccount(this.UserName.Text, this.Password.Text);

            if (account != null)
            {
                // createPersistentCookie is false: the ticket lives only for the browser session.
                FormsAuthentication.SetAuthCookie(account.profileID, false);
                // endResponse is true: processing of this request stops at the redirect.
                Response.Redirect(Settings.PAGE_HOME, true);
                return;
            }

            // Same message whether the user is unknown or the password is wrong, so the
            // response does not reveal which accounts exist.
            InvalidLoginMessage.Text = StockTraderUtility.EXCEPTION_MESSAGE_INVALID_LOGIN;
        }

        /// <summary>
        /// Asks the business service layer to authenticate the given credentials.
        /// </summary>
        /// <param name="userID">User id as typed into the form.</param>
        /// <param name="password">Password as typed into the form.</param>
        /// <returns>
        /// The authenticated account, or <c>null</c> when the service reports that the user id
        /// was not found. Every other exception from the service is rethrown unchanged.
        /// </returns>
        private static AccountDataUI LookupAccount(string userID, string password)
        {
            try
            {
                BSLClient serviceClient = new BSLClient();
                return serviceClient.login(userID, password);
            }
            catch (Exception ex)
            {
                // NOTE(review): distinguishing the "user id not found" case by substring-matching the
                // exception message is brittle; a typed exception from the service would be safer.
                // Kept as-is to preserve existing behaviour.
                if (ex.Message.Contains(StockTraderUtility.EXCEPTION_WEBSPHERE_USERID_NOTFOUND))
                {
                    return null;
                }
                throw;
            }
        }
    }
}