DPS907 WSA500 Assignment 8

Resource ownership and security considerations.

Read/skim all of this document before you begin work.

 

Due date

Monday, December 18, 2017, at 11:00pm ET

Grade value: 5% of your final course grade

If you wish to submit the assignment before the due date and time, you can do that.

 

Objective(s)

Implement the concept of resource or object ownership in a web service.

 

Introduction to the problem to be solved

At this point in time, you are familiar with the simple “smartphones” web service example. You worked on this as Assignment 1, and added security in Assignment 6.

In this Assignment 8, the app will be modified to include resource or object ownership. A user will be able to perform tasks on their own items only.

You have permission to use some or all of the code that’s in the Assignment 6 example solution that was posted in the “Templates and solutions” folder of the GitHub repository.

This assignment does NOT use the Chinook sample database.

 

Specifications overview and work plan

The following specifications apply to all of your assignments:

  • Follows best practices
  • Implements the recommended system design guidance
  • Customized appearance on the landing web page
  • Uses Entity Framework and Code First technology
  • Includes a Fiddler log file that shows complete coverage of tests

For this assignment, here is what we’re looking for:

  • Correctly-configured support for runtime access to user information
  • Restrict some data operations to work only for the data’s owner

 

During the class/session, your professor will help you get started and make progress on this assignment.

Every week, in the computer-lab class/session, your teacher will record a grade when you complete a specific small portion of the assignment. We call this “in-class grading“.

The in-class grading will be announced in-class by your professor.

 

Getting started

There are two ways to create your Assignment 8. You can start from scratch, or use the Assignment 6 example solution – as a base – in the “Templates and solutions” folder of the GitHub repository.

If you use the Assignment 6 example solution, then do this task:

In Solution Explorer, right-click the project item, and choose “Properties”. Click the left-side “Web” tab.

In the “Project Url” textbox, replace the TCP port number with the first four non-zero digits of your student number. Then, click the Create Virtual Directory button.

Save the changes, and close the properties editor.

 

Remember to customize the home controller’s index view with your personal information, and the _Layout.cshtml view template with the application name.

Build/compile, and run (without debugging), to ensure that the app’s home > index view loads in a browser.

 

Doing the work

The app in the example solution for Assignment 6 works well as-is. We just need to add the bits and make the adjustments necessary to implement resource or object ownership.

There are several tasks to be done. Here’s a list, and in the sections below, we call out more detail for some of the tasks.

  1. Edit the SmartphoneBase resource model class to include an “Owner” property
  2. Add the RequestUser class
  3. Edit the Smartphone design model class to include an “Owner” property
  4. Use Code First Migrations to update the persistent store
  5. Edit the logic of the manager methods to implement resource or object ownership

 

Edit the SmartphoneBase resource model class to include an “Owner” property

The owner name will be set programmatically, from the authenticated user on the request. Therefore, do NOT add an “Owner” property to the SmartphoneAdd resource model class: anything in that class is accepted from the request body, and a client must never be able to choose (or spoof) the owner of a new item.

Instead, add a string “Owner” property to the SmartphoneBase resource model class, so that the owner is returned to the client but never accepted from it. It probably does not need any data annotations.

 

Add the RequestUser class

Get the RequestUser class from the Week 10 folder of the GitHub code repository.

Add it to your project, and make the edits needed to allow it to build in your project.

Update the manager class by adding a property for the RequestUser object.

 

Edit the Smartphone design model class to include an “Owner” property

Before doing this task, we will initialize the Code First Migrations feature. (We want to keep the existing data.)

How? Open the package manager console. Type this command:

enable-migrations

It will discover an existing data store, and it will create a migration class named “InitialCreate”. That will represent the initial (current) state of the design model and data store, before changes.

Note – This was covered in the web apps course notes, most recently on March 8, 2017.

 

Edit the Smartphone design model class to include an “Owner” property:

  • It’s a string
  • Make it required, with a maximum length of 100 characters
  • Add code (inline in an auto property initializer, or done in a constructor) to set its default value to “none”

 

Use Code First Migrations to update the persistent store

Update the data model. In the package manager console, run these two commands:

add-migration descriptive_name_for_the_update
update-database

The result of the commands will be displayed.

 

Edit the logic of the manager methods to implement resource or object ownership

There are three methods in the manager class that have something to do with data.

In “get all”, fetch the smartphone objects, but ONLY those whose owner value matches the name of the security principal on the request thread of execution. Do the filtering in the query itself, so that other users’ items are never loaded from the data store.

Same thing for the “get one” method: the object must match BOTH the requested identifier AND the current user’s name. If it does not, return null (which the controller turns into a 404 Not Found), exactly as for an identifier that does not exist.

In the “add new” method, programmatically set the value of the owner property from the security principal, never from the incoming request data.

That’s it, that’s all.
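The following is an added example, written for this edit and not the course’s posted solution code, that pulls together the resource models, the design model, a RequestUser class and the manager methods described above. The real RequestUser class comes from the Week 10 folder; the one here is an assumed minimal version that reads the ClaimsPrincipal on the request. The class names (DataContext, Smartphone, SmartphoneAdd, SmartphoneBase, Manager), the Manufacturer and Model properties, and the use of AutoMapper’s static Mapper with a profile that maps Smartphone to SmartphoneBase and SmartphoneAdd to Smartphone are assumptions consistent with the Assignment 6 example solution.

```csharp
// Added example (not the course's own solution code). Assumed: an ASP.NET Web API
// project with Entity Framework 6 and AutoMapper, as in the Assignment 6 example.
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Data.Entity;
using System.Linq;
using System.Security.Claims;
using System.Threading;
using System.Web;
using AutoMapper;

namespace Smartphones.Models
{
    // Resource model accepted on "add new". It deliberately has NO Owner property:
    // if it did, a client could claim any owner name in the request body.
    public class SmartphoneAdd
    {
        [Required, StringLength(100)] public string Manufacturer { get; set; }
        [Required, StringLength(100)] public string Model { get; set; }
    }

    // Resource model returned to clients; Owner is visible here, but since the
    // add method maps only from SmartphoneAdd, it is never read from a request.
    public class SmartphoneBase : SmartphoneAdd
    {
        public int Id { get; set; }
        public string Owner { get; set; }
    }

    // Design (entity) model persisted by Entity Framework Code First.
    // The default value "none" covers rows that existed before the migration.
    public class Smartphone
    {
        public int Id { get; set; }
        [Required, StringLength(100)] public string Manufacturer { get; set; }
        [Required, StringLength(100)] public string Model { get; set; }
        [Required, StringLength(100)] public string Owner { get; set; } = "none";
    }

    public class DataContext : DbContext
    {
        public DataContext() : base("name=DataContext") { }
        public DbSet<Smartphone> Smartphones { get; set; }
    }

    // Assumed minimal RequestUser: wraps the security principal on the request thread.
    public class RequestUser
    {
        public RequestUser()
        {
            Principal = (HttpContext.Current?.User as ClaimsPrincipal)
                        ?? Thread.CurrentPrincipal as ClaimsPrincipal;
        }
        public ClaimsPrincipal Principal { get; }
        public bool IsAuthenticated => Principal?.Identity?.IsAuthenticated ?? false;
        // Name of the authenticated user, or null for an anonymous request
        public string Name => IsAuthenticated ? Principal.Identity.Name : null;
    }

    public class Manager
    {
        private readonly DataContext ds = new DataContext();
        // One RequestUser per manager instance, i.e. per request
        public RequestUser User { get; } = new RequestUser();

        public IEnumerable<SmartphoneBase> SmartphoneGetAll()
        {
            if (!User.IsAuthenticated) return Enumerable.Empty<SmartphoneBase>();
            var owner = User.Name;
            // Filter inside the query so other users' rows never leave the database
            var c = ds.Smartphones.Where(s => s.Owner == owner)
                                  .OrderBy(s => s.Manufacturer).ThenBy(s => s.Model);
            return Mapper.Map<IEnumerable<SmartphoneBase>>(c);
        }

        public SmartphoneBase SmartphoneGetById(int id)
        {
            if (!User.IsAuthenticated) return null;
            var owner = User.Name;
            // Match id AND owner: a non-owner gets the same null (404) as a bad id,
            // so the existence of someone else's item is not revealed
            var o = ds.Smartphones.SingleOrDefault(s => s.Id == id && s.Owner == owner);
            return (o == null) ? null : Mapper.Map<SmartphoneBase>(o);
        }

        public SmartphoneBase SmartphoneAdd(SmartphoneAdd newItem)
        {
            if (newItem == null || !User.IsAuthenticated) return null;
            var addedItem = Mapper.Map<Smartphone>(newItem);
            // Owner comes from the security principal, never from the request body
            addedItem.Owner = User.Name;
            ds.Smartphones.Add(addedItem);
            ds.SaveChanges();
            return Mapper.Map<SmartphoneBase>(addedItem);
        }
    }
}
```

When testing this in Fiddler, the error-like scenarios to capture are: a request with no token (get all returns an empty collection, get one returns 404, add returns 404/401 depending on the controller), and a request for an item identifier that belongs to a different user, which must return 404, indistinguishable from a non-existent identifier.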

 

Testing your work

Use Fiddler.

Ensure that it has been configured to save the message bodies in requests and responses. (A default installation does not do this.) If you are using a College computer, this should have been configured, but check anyway. If you installed Fiddler on your own computer, follow the instructions in this document.

Test all scenarios (use cases). Make sure that you test error or error-like scenarios.

 

Saving – “exporting” – your tests

On the left side list of requests, you can delete items that you do not want included in the export.

When you’re ready to save, choose File > Export Sessions > All Sessions…

The export format will be “HTTPArchive v1.2”. Click the Next button to choose a save location (your project’s root, at the same folder level as the “packages” folder) and specify a filename. Name the file by using the project name (e.g. “<whatever>.har”).

(You can test whether the export was successful. How? First, close then re-open Fiddler. Choose File > Import Sessions. Select “HTTPArchive” as the import format. Navigate to the folder that holds the “har” file, and select it. Finally, browse through the request-response sessions.)

 

Reminder about academic honesty

You must comply with the College’s academic honesty policy.

Although you may interact and collaborate with others, you must submit your own work.

 

Submitting your work

At this point in time, you should be familiar with the process:

  1. Copy your project
  2. Remove its packages, bin, and obj folders
  3. Zip and upload to the designated location on My.Seneca/Blackboard before the due date-and-time

If you need more details, look at the info in assignments 1 through 3.
