If your application is based on an ASP.Net 2.0Web Application project, you can consult the page "How to integrate Visual Guard in an ASP.Net 2.0 application".
To integrate Visual Guard in your application you must:
In order to use Visual Guard, you must add references to Visual Guard assemblies:
Note: If the assemblies does not appear in this list you can use the Browse button and select them in the directory <Visual Guard installation directory>/bin/1.1.
Description of Visual Guard assemblies:
To enable Visual Guard in your application, you must declare the class Novalys.VisualGuard.Security.WebForm.VGHttpModule in the list of HttpModules in the "web.config" of your application. To do that, you must:
<add type="Novalys.VisualGuard.Security.WebForm.VGHttpModule,Novalys.VisualGuard.Security.WebForm" name="VGModule"/>
For example:
<configuration> <system.web> ... <httpModules> <add type= "Novalys.VisualGuard.Security.WebForm.VGHttpModule,Novalys.VisualGuard.Security.WebForm" name="VGModule"/> </httpModules> ... </system.web> </configuration>
This module will enable Visual Guard in your application. It will automatically detect the type of the authentication used in your application. Visual Guard supports Forms, Windows and Passport authentication.
If you use Form authentication mode, you can use the Visual Guard authentication mechanism. In this case you must call the method VGSecurityManager.Authenticate in your login form. You can find an example of the authentication integrated in a login form in the chapter "Integrate Visual Guard in your code".
If you use Windows or Passport authentication mode, Visual Guard will automatically detect the authenticated user and load the security permissions granted to this user.
If the user does not have any role in the application or if the user is not declared in the repository or if the user is anonymous, Visual Guard will deny the access to all pages in your web site.
If you want to allow anonymous session in your web site, you must declare an anonymous user to your application in the Visual Guard console.
To enable anonymous session, you must:
You can use Visual Guard in conjunction with the Url Authorization module to deny access to specific users (anonymous or not) or roles. Visual Guard users and roles are fully compatible with the Url Authorization module.
The main class in Visual Guard: Novalys.VisualGuard.Security.VGSecurityManager This class provides the main access point for interacting with Visual Guard. It provides authentication and authorization features, it allows to set the security of the object of your application.
[C#] Page.Validate(); if (!Page.IsValid) return; VGAuthenticationState state = VGSecurityManager.Authenticate(usernameTextBox.Text, passwordTextBox.Text, VGAuthenticationMode.VisualGuard); // Check if the authentication is failed. if (state.IsFailed) { // The username/password is invalid if (state.IsCredentialInvalid) { if (state.IsLastBadLogin) { // According to the password policy, the next bad login will lock the account errorLabel.Text = "Invalid user or password. The next bad login will lock your account."; } else { errorLabel.Text = "Invalid user or password"; } } else if (state.IsUserNotAuthorized) { // The credentials are valid but the user does not have any role granted for the application errorLabel.Text = "You are not authorized to log on to this application"; } else if (state.IsUserAccountExpired) { // The account of the user has expired errorLabel.Text = "Your account is no more valid. Contact your administrator"; } else if (state.IsUserAccountNotYetAvailable) { // The account of the user is not yet available errorLabel.Text = "Your account is not yet available."; } else if (state.IsUserAccountLockedOut) { // The account of the user is locked out and must be unlocked by using the Visual Guard console. errorLabel.Text = "Your account is locked. Contact your administrator."; } errorLabel.Visible = true; } else { if (!state.IsPasswordSecure) { // According to the password policy, the password is enough secure FormsAuthentication.SetAuthCookie(usernameTextBox.Text, remenberCheckBox.Checked); RedirectToChangePasswordPage(); } else { FormsAuthentication.RedirectFromLoginPage(usernameTextBox.Text, remenberCheckBox.Checked); } }
[Visual Basic] Page.Validate() If Not Page.IsValid Then Return Dim state As VGAuthenticationState = VGSecurityManager.Authenticate(usernameTextBox.Text, passwordTextBox.Text, VGAuthenticationMode.VisualGuard) ' Check if the authentication is failed. If state.IsFailed Then ' The username/password is invalid If state.IsCredentialInvalid Then If state.IsLastBadLogin Then ' According to the password policy, the next bad login will lock the account errorLabel.Text = "Invalid user or password. The next bad login will lock your account." Else errorLabel.Text = "Invalid user or password" End If ElseIf state.IsUserNotAuthorized Then ' The credentials are valid but the user does not have any role granted for the application errorLabel.Text = "You are not authorized to log on to this application" ElseIf state.IsUserAccountExpired Then ' The account of the user has expired errorLabel.Text = "Your account is no more valid. Contact your administrator" ElseIf state.IsUserAccountNotYetAvailable Then ' The account of the user is not yet available errorLabel.Text = "Your account is not yet available." ElseIf state.IsUserAccountLockedOut Then ' The account of the user is locked out and must be unlocked by using the Visual Guard console. errorLabel.Text = "Your account is locked. Contact your administrator." End If errorLabel.Visible = True Else If Not state.IsPasswordSecure Then ' According to the password policy, the password is enough secure FormsAuthentication.SetAuthCookie(usernameTextBox.Text, remenberCheckBox.Checked) RedirectToChangePasswordPage() Else FormsAuthentication.RedirectFromLoginPage(usernameTextBox.Text, remenberCheckBox.Checked) End If End If
If you need to secure only Page class in your application, you do not need to add more code. Visual Guard can detect automatically all page creations and apply the security action automatically. But, if you want to secure other types of class (WebControl, UserControl, non graphic class, etc), you must do the following:
[Visual Basic] Sub VGModule_PermissionLoading(ByVal sender As Object, ByVal e As VGPermissionsLoadingEventArgs) If e.Roles.Length > 1 Then Dim selectedRoles(1) As Novalys.VisualGuard.Security.VGGrantedRole For Each role As Novalys.VisualGuard.Security.VGGrantedRole In e.Roles If role.Name = "Administrator" Then selectedRoles(0) = role Exit For Else If role.Name = "Member" Then selectedRoles(0) = role Exit For End If End If Next If selectedRoles(0) Is Nothing Then e.Status = Novalys.VisualGuard.Security.VGAuthorizationStatus.ProcessCanceled Else e.Roles = selectedRoles End If End If End Sub
[C#] void VGModule_PermissionLoading(object sender, VGPermissionsLoadingEventArgs args) { if (e.Roles.Length > 1) { Novalys.VisualGuard.Security.VGGrantedRole[] selectedRoles = new Novalys.VisualGuard.Security.VGGrantedRole[1]; foreach (Novalys.VisualGuard.Security.VGGrantedRole role in e.Roles) { if (role.Name == "Administrator") { selectedRoles[0] = role; break; } else if (role.Name == "Member") { selectedRoles[0] = role; break; } } if (selectedRoles[0] == null) { e.Status = Novalys.VisualGuard.Security.VGAuthorizationStatus.ProcessCanceled; } else { e.Roles = selectedRoles; } } }
Visual Guard needs to Read/Write permissions to access to the repository. For example, for a file based repository you must grant "Modify" permission to the directory containing the repository for ASP.NET user accounts. For a database based repository, the user used to access to the Visual Guard repository database must be a member of "vg_BasicAccess" role.
In most of case, you must grant this permission to "MACHINE\ASPNET" user account. If you use IIS 6.0 on Windows Server 2003 the user account is "NT Authority\Network Service". If you use impersonation, you must grant permission to "MACHINE\IUSR_<MACHINE>" for Form authentication mode and "Domain\UserName" for Windows integrated authentication mode.
To change permission to a directory, you must: