DPS907 WSA500 Assignment 1 – Fall 2014

Web service for associated entities. Simple security implementation.


Read/skim all of this document before you begin work.


DPS907 WSA500 Assignment 1 – Due Fri Nov 14

Due date: Friday, November 14, 2014, at 11:00pm ET

Grade value: 15% of your final course grade

If you wish to submit your work before the due date and time, you can do that.



Work with associated entities, and provide a full range of operations.

Implement security at an introductory level.

Deploy to a public Microsoft Azure web site.


Introduction to the problem to be solved

The School of ICT needs a web service to support the information needs of students, faculty, and administration. The focus is academic programs.

There are three data entities in the problem domain:

  • Program – an academic program (e.g. Software Development, Computer Programming and Analysis)
  • Course – teaching unit for a topic (e.g. DPS907, WSA500)
  • Curriculum Plan – collection of courses within a program, as ‘Position’ objects
  • Position – identifies a course and its semester

The web service will enable a range of tasks to be performed. Some tasks can be performed by any user, whereas other tasks require authentication. We will add security components soon.



You can start by creating the design model classes, and you can use the following guidance.

The Program class is associated with the Course class. To-many, both ends.

The Program class is associated with the CurriculumPlan class:

  • CurriculumPlan is the ‘principal’ end; a CurriculumPlan object can be created without a link to a Program (at the time of creation)
  • Program is the ‘dependent’ end; a Program object MUST have a link to a CurriculumPlan object (when created and at all other times)

The CurriculumPlan class is associated with the Position class, in a familiar one-to-many association:

  • A CurriculumPlan has a collection of Position objects
  • A specific Position object is linked to a single CurriculumPlan object

The Position class is associated with a Course class:

  • A Position object is linked to a single Course object
  • A Course has a collection of Position objects


When writing the classes, include navigation properties that implement the associations discussed above.

All classes obviously need an “Id” property, of type int.

Program class, other suggested properties:

  • Code (program code)
  • Title (short name for the program)
  • Description (longer description)
  • Credential (grad cert, diploma, advanced diploma, degree)
  • DateStarted
  • DateRetired

Course class, other suggested properties:

  • Code (course code)
  • Title (short name for the course)
  • Description (longer description)
  • DateStarted
  • DateRetired

CurriculumPlan class, other suggested properties:

  • Code (manually composed from other data, e.g. 123STSY37CPAC)

Position class, other suggested properties:

  • Semester (number value, simply the semester in which the course appears)
  • DisplayOrder (helps define a specific display order for the objects)


Sample data? Use real data from the School of ICT web site.


Use cases

This specification will not include a list of use cases. You must think about this problem on your own, and then document the list of use cases that will be implemented. Bring this to the Thursday November 6 class/session, and review it with your professor.

Remember what you’ve learned recently about the command pattern. As a result, you must include more than simple CRUD tasks in your use cases. In other words, move up to a higher level of abstraction, and use commands for some (many?) use cases. Create a list of tasks/operations (from your list of use cases), and identify which ones will follow the command pattern. Bring this list to the Thursday November 6 class/session too.



Follow best practices. Responses must deliver objects/collections with link relations. Write useful code comments. Be kind to animals. Don’t litter.



Please follow the guidance in the new section, below.


Security configuration


Your professor will post an app (on the GitHub code repository, and on the My.Seneca/Blackboard ‘assignments’ area).

The app will combine an Identity Server with an Authorization Server. For our purposes, we will call it an Authorization Server (AS).

In its current state, it should be ready-to-use, without needing any changes. The idea is that you will deploy it to a dedicated app (on Microsoft Azure). As a result, you can use this AS from many different projects.

The app will have UI to enable a human user (resource owner) to create an account, and perform typical account-management tasks.

The app will also have web service endpoints for authentication, and token generation.

You will then add components to your Assignment 1 project to make it aware of security and the new AS.


Testing the Authorization Server, and your app’s security components

Both the AS and your app can be tested locally on your own (or on a College) computer. After you’re happy with their operation, you can deploy them to Azure.


Authorization Server (AS)

Get the app from GitHub or My.Seneca/Blackboard.

As noted above, it should be ready-to-use, without needing any changes. Use it locally while testing. Later, you will learn how to deploy it to Microsoft Azure.


Add components to your Assignment 1 project

Open the Package Manager Console. Run these commands, in sequence:

install-package microsoft.aspnet.webapi -version 5.2.2

If (when) it asks to overwrite file conflicts in ‘Areas\HelpPage\Views\…’, yes, you can choose ‘a’ for ‘Yes to All’.

install-package microsoft.aspnet.webapi.owin -version 5.2.2

install-package microsoft.owin.host.systemweb -version 3.0.0

install-package microsoft.owin.cors -version 3.0.0

install-package microsoft.owin.security.oauth -version 2.1.0

Some of the content in this section was based on this post by Taiseer Joudeh.


Next, add a source code file named “Startup.cs” to your project; it can be in the project’s root. It will hold the ‘Startup’ class:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
// more...
using Owin;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;

// Change the namespace to match the name of your project
[assembly: OwinStartup(typeof(Associations.Startup))]

// Change the namespace to match the name of your project
namespace Associations
    public class Startup
        public void Configuration(IAppBuilder app)
            HttpConfiguration config = new HttpConfiguration();




        private void ConfigureOAuth(IAppBuilder app)
            //Token Consumption
            app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions


At this point in time, your project will be able to use the security components.


Testing your work

Use Fiddler.

Start/run the Authorization Server (AS), and it will appear in a browser. If you are loading the AS for the first time, you will have to ‘register’ a new user. Then, you can test login and logout.

From Fiddler, access the AS. Then, follow the instructions on the AS home page to authenticate and get an access token. In summary, the request will look like this:

  • HTTP method is POST
  • URI is http://host/token
  • Content-Type header value is application/x-www-form-urlencoded
  • Message body is grant_type=password&username=uuuuuuuu@example.com&password=pppppppp

In your Assignment 1 project, protect one or more controllers/methods with the [Authorize] attribute.

Next, start/run your Assignment 1 project, and it will appear in a browser.

From Fiddler, attempt to access a protected resource. Notice the HTTP 401 response.

Add an authorization header, formatted as follows:

Authorization: Bearer gZNPJjEbPwyPB7ePGdLml9Ev-1IT… (a very long string)

Then attempt to access the resource again; the HTTP response should be ‘success’.

Wait until the token expires (check the value in the AS ‘Startup.Auth.cs’ source code file). Attempt to access the resource again; the HTTP response should be 401.


Deploy to Microsoft Azure

Please visit the September 11 notes page for instructions.

You will deploy your Assignment 1 web service to Microsoft Azure, and replace the existing web service.

For example, the web service will be deployed to “wsa500pmcintyr.azurewebsites.net” (assuming that your My.Seneca ID is ‘pmcintyr’).


New web site, and database, for the Authorization Server 

In the Microsoft Azure management portal, create a new web site and database. For example, assume that your My.Seneca ID is ‘pmcintyr’:

The new web site name will be something like:

Create the web site with a database. A suggested database name is:

It is important that the Authorization Server is configured as a new and separate app.


Testing your work

Use Fiddler.

Ensure that it has been configured to save the message bodies in requests and responses.

Test all scenarios (use cases). Make sure that you test error conditions too.

Remember – when sending the entity body with a PUT request, you must include the object’s identifier.

Saving – ‘exporting’ – your tests

On the left side list of requests, you can delete items that you don’t want included in the export.

When you’re ready to save, choose File > Export Sessions > All Sessions…

The export format will be “HTTPArchive v1.2″.


Reminder about academic honesty

You must comply with the College’s academic honesty policy. Although you may interact and collaborate with others, you must submit your own work.


Submitting your work

Here’s how to submit your work, before the due date and time:

1. Locate the folder that holds your project files.

2. Make a copy of the folder. This is the data that you will be uploading.

3. Remove the “packages” folder from the copied folder; also, remove the “bin” and “obj” folders.

4. Compress/zip the folder. The zip file SHOULD be about 1MB or less in size. If it isn’t, you haven’t followed the instructions properly.

5. Login to My.Seneca. Open the Web Services Architecture course area. Click the “Assignments” link on the left-side navigator. Follow the link for this lab. Submit/upload your zip file. The page will accept three submissions, so if you upload, then decide to fix something and upload again, you can do so.
















  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: