Putting it all together Dynamic Data Base Access

Download Report

Transcript Putting it all together Dynamic Data Base Access 

Putting it all together
Dynamic Data Base Access
and Authentication
Norman White
Stern School of Business
Advanced Web Solutions

Question
– How do I add the capability to query/update a data base
from a WEB page

Answers
– Need a Client/Server data base

Oracle, SQL Server tec.
– Need tools to access data base






Active Server pages
PERL
JAVA (JDBC)
Java Servlets
Cold Fusion
Etc…
Data Driven WEB Pages

Many business applications depend on knowledge
of the current environment which is often
available in a database somewhere
 Need to “WEB-Enable” applications, so customer,
supplier etc. can interact directly with a companies
database.
 Database changes are automatically immediately
available on web site
Example
Active Server Pages

ASP files are Visual Basic or Java programs which
can be mixed with HTML
 The WEB server executes the ASP code as it
generates the WEB page.
– Code runs on the Server side, client never sees it
– Code can dynamically access/update one or more
databases

Only runs on Microsoft web servers, but similar
applications run cross platform (PHP, Cold
Fusion, Java Servlets etc.)
Simple ASP Example

Hello.asp
– <html><head><title>What Day is it?</title></head>
– <body>
– <script language=“vbscript” runat=“server>
Hello, <P>
<% datToday = Date() %>
Today is <% =datToday %>
<P>
Bye
</body></html>
ASP Database Access

<%@ language=“vbscript” %>

<html><head><title>Results</title></head>
<body>
<% SQL = “SELECT * FROM CUSTOMERS;”
Set DBOBJ =
server.createobject(“adodb.connection”)
Dbobj.open=“dsn=nwind;uid=;pid=;”
Set oRS = DBOBJ.execute(SQL) %>





Continued

<P>Customers</p>
 <table border= 3>
 <% while not oRS.EOF %>
 <TR>
 <TD> <% =oRS.Fields(“CUSTOMERID”).Value %>
</TD>
 <TD> <% =oRS.Fields(“COMPANYNAME”).Value %>
</TD>
 </TR>
 <% oRS.Movenext %>
 <%WEND %>
 </table> </body></html>
Output

Customers
– Id1, Company1
– Id2, Company2
–…
– Idn, CompanyN
How do we handle FORMs in
ASP

GET form
– Var = REQUEST.QUERYSTRING(“field”);





Eg
<% userid = request.querystring(“userid”)
Response.write( “Your userid is “ & userid %>
REQUEST.FORM returns POST parameters
<% userid =request.form(“userid”) %>
– Retrieves the userid field from the form for usage in the
ASP program
But what good is all this?

Things get interesting if some of the fields
in my database contain links to URLs
 Now I can have a database that maintains
information about web objects
 I can allow user to select certain search
characteristics
 To update info, I update the database, and
the links are automatically generated
example

You have a music collection of a bunch of mp3
files which you keep adding to. You maintain
information about your collection in a database
 Your database
– Song Table

Artist Id, album name, record label, date of release, type of
music,name of song, link to MP3 file
– Artist Table

Artist name, bio, link to picture
Your application

Web page with form that allows users to
choose selection criteria
 ASP file processes form and retrieves a list
of links that point to songs that satisfy
selection
 User clicks on link and song plays
Additional Applications

Add a song
 Add an artist
 Delete a song
 Delete an artist
 Update a song
Conclusion

Simple ASP files can be very powerful
 WEB code doesn’t grow as data grows
 Once built, no maintenance (except for
updating the database, which in many cases
is already being done)

Easy to “web enable” existing database
applications
Server Side Scripting
Languages Which support DB
Access

ASP (Visual Basic, JavaScript) C++ and C#
coming soon.
 Cold Fusion (CFM files)
 PhP (Free open source solution, runs on
Unix, Linux, NT) Supports all major
databases
 PERL DBI (Data Base Interface)
 Java, Javascript Servlets
How do you identify server
side scripting

In most cases, the language processors
become PART of the WEB browser.
 Dramatically reduces overhead involved
with running a separate program (ala CGI)
Other Alternative

JDBC – Java Data Base Connectivity
– Allow Java applet to directly connect to a
remote database
– Problems ….



Security (java can only connect back to server its
code came from)
Overhead for connection(s) across internet
Depends on users browser being able to handle java
– Best use is within an intranet….
PHP

PHP is more powerful than ASP, and has
direct support for a number of major
databases
 PHP runs on almost all web servers
 PHP is free!
 Downside is documentation is weak, and
the programming environment complex.
 Better for big, complex projects
Simple PHP Program

<html><head><title>PHP
Test</title></head>

<body>

<?php echo "Hello World<P>"; ?>

</body></html>
 OR
–
<?php echo $HTTP_USER_AGENT; ?>
Cold Fusion

Cold Fusion is a platform independent
development system similar to ASP
 Runs on Windows or Unix
 Includes Custom IDE (integrated development
environment)
 Some extra features include replication and
rollover
– You can replicate cold fusion sites for better
performance, and you can have one site back up
another site in case one fails.
Other development
environments

Java Servlets
 Java Server Pages

They allow reusable components and a
write once run anywhere environment.
Advanced Features

Authentication
 State maintenance
 Reusability
 Application integration
– Email
–…
Authentication

How does web application control user access?
 Some methods
– .htaccess files

These are files located in a folder that are used to control
access to the folder by the web server
– LDAP server (Lightweight Directory Access Protocol)

Uses separate servers for authentication, and maintenance of
global information to be shared across many applications and
systems
– ADS Active Directory Service

Microsoft supported directory information, cam integrate with
LDAP and Novell
– NDS Novell Directory Service

Originally designed for Novell LAN directory access, now
used for enterprise-wide directory services
Authentication

.htaccess files
– Pro
 Can be supported by individual web developers with
any centralized overhead.
– Con
 May end up with users have many different userids
and passwords. Not really suitable for an intranet
environment
.htaccess example

Assume a directory structure of restricted
content that you want to restrict to
“authenticated” users.
 Have users fill out form with their email
address, and desired userid. Email password
to them with a link to a cgi script that
allows them to change password.
.htaccess example

AuthUserFile /export/grad/a/aab211/public_html/websys/.htpasswd

AuthGroupFile /dev/null
AuthName Somewhere.com's Secret Section
AuthType Basic





<Limit GET POST>
require valid-user
</Limit>
Example





.htaccess file describes authentication details and
location of htpasswd file
.htaccess file placed in the directory it controls, by
default controls all lower level directories also.
Htpasswd file can be anywhere
Htpasswd program used to updated htpasswd file
Htpasswd file encrypted
Maintaining htpasswd file

htpasswd –c passwordfile username
– Creates a new htpasswd file and adds a
username to it, prompting for the password
– Htpasswd passwordfile username adds a user
– Htpasswd –b passwordfile username password

Creates or updates username password
CGI Script to add user

Script one
– htadduser.sh


User fills out form with desired username and email address
Shell script adduser.sh
– grep .htpasswd file for username
• If username exists, issue error
• Else, generate random password
– Issue htpaaasswd –b username passwd
– Email emailadrees with username and password and link to files.
– Add username and email address to userid file
Changepass.sh

Allows user to change password
 This script should be restricted directory
 Logic:
– Display form with userid, desired password
– Take form input (using POST … Why)
– Issue htpasswd –b passwordfile username
newpassword
Requestnewpassword

What if user forgets the userid, password?
 Requestpass.sh
– grep userid file for email address, username
– Cut userid and email
– Generate new random password, email to user
– Watch out, since web server is creating .htpasswd file,
anyone can read it (but it is encrypted)
– Solution don’t allow users to request .htaccess or
.htpasswd
LDAP





LDAP servers allow different types of
authentication and tools
LDAP server can be viewed as a hierarchical or
relational data base which can be updated, queried
etc.
Can be used to handle a variety of global info like
userids, passwords, home directories, phone
numbers, majors etc.
Supported by both Novell and Microsoft as well as
Unix, Linux etc.
One of the best approaches to Enterprise-wide
authentication for web, email, LAN etc.
NDS

Probably first major directory service, due
to the fact that many organizations had very
large user populations that needed to be
authenticated enterprise-wide. (Stern has >
12,000 users)
 Recent additions allow Novell to
authenticate to LDAP.
ADS

Active Directory Services
 Microsoft “replacement” for NDS
 Microsoft did not have a scalable, reliable
method for handling 1000s of users. Main
reason they couldn’t displace Novell in
large organizations.
 Like NDS, ADS will also interoperate with
LDAP, but still buggy.
Management Takeaway

Many approaches to authentication and
security
 Need an enterprise-wide solution to avoid
“userid hangover”
 3 major enterprise wide solutions
– LDAP, NDS, ADS

LDAP only open solution