Microsoft ASP .NET Professional Projects - Premier Press

Figure 13.2: A successful login.

Using a Database to Store Passwords

In this example, I will show you how you can use form-based authentication with the passwords validated against a database table. I will store the passwords in an access database called security.mdb. This implementation will comprise of three files: web.config, default.aspx, and login.aspx. These files can be found in the "advanced" folder of the samples folder of this chapter on the book's Web site at www.premierpressbooks.com/downloads.asp. The web.config and default.aspx files are identical to those discussed in the earlier example, with the exception that we do not store the user credentials in the web.config file. The only file that is different is the login.aspx file, the listing of which is below:

login.aspx (database version)

<%@ Import Namespace="System.Data" %>

<%@ Import Namespace="System.Data.OleDb" %>

<%@ Import Namespace="System.Web.Security " %>

<html>

<script language="VB" runat=server>

Sub Login_Click(Src As Object, E As EventArgs)

Dim myConnection As OleDbConnection

Dim myCommand As OleDbDataAdapter

Dim ds As New DataSet

Dim ConnStr As String

Dim SQL As String

Dim dv As DataView

ConnStr = "PROVIDER=Microsoft.Jet.OLEDB.4.0;DATA SOURCE=" & server.mappath("security.mdb")

myConnection = New OleDbConnection(ConnStr) 'DataSetCommand

SQL = "select * from passwords"

myCommand = New OleDbDataAdapter(SQL, myConnection) 'use Fill method of DataSetCommand to populate dataset myCommand.Fill(ds, "passwords")

dv = new DataView(ds.Tables("passwords")) dv.Sort = "UserName"

dv.RowFilter = "UserName = '" + UserName.Value + "' and password = '" + UserPass.Value +"'"

if dv.count >=1 then

FormsAuthentication.RedirectFromLoginPage(UserName.Value,

PersistCookie.Checked)

Else

Msg.Text = "Sorry Invalid username or password : Please try again" End if

End Sub </script> <body>

<form runat=server>

<h3><font face="Verdana">Login Page</font></h3> <table>

<tr>

<td>User Name:</td>

<td><input id="UserName" type="text" runat=server/></td>

<td><ASP:RequiredFieldValidator ControlToValidate="UserName" Display="Static" ErrorMessage="*"

runat=server/></td>

</tr>

<tr>

<td>Password:</td>

<td><input id="UserPass" type=password runat=server/></td>

<td><ASP:RequiredFieldValidator ControlToValidate="UserPass" Display="Static" ErrorMessage="*"

runat=server/></td>

</tr>

<tr>

<td>Persistent Cookie:</td>

<td><ASP:CheckBox id=PersistCookie runat="server" /> </td>

<td></td>

</tr>

</table>

<asp:button text="Login" OnClick="Login_Click" runat=server/>

<p>

<asp:Label id="Msg" ForeColor="red" Font-Name="Verdana" Font-Size="10" runat=server />

</form>

</body>

</html>

In this example, I populate a DataSet with rows from the passwords table of security.mdb. I then assign the default view of this DataSet to a DataView and filter for the username and password supplied by the user as follows:

dv.Sort = "UserName"

dv.RowFilter = "UserName = '" + UserName.Value + "' and password = '" + UserPass.Value +"'"

Finally, I check for the number of rows returned by using the count property of the DataView. If the count > 1 then I log the user in; otherwise, I reject his credentials as follows:

if dv.count >=1 then

FormsAuthentication.RedirectFromLoginPage(UserName.Value,

PersistCookie.Checked)

Else

Msg.Text = "Sorry Invalid username or password : Please try again"

Enabling Basic Security Authentication

The following example is using Windows NT.

1.Open IIS MMC. Right-click on Default Web Site and select Properties/Directory Security/Edit.

2.Check the Basic Authentication checkbox, as shown in Figure 13.3.

Figure 13.3: Enabling Basic security.

Setting Permissions

You now need to set up ACL (access control lists) based on users or groups for your application.

1.Go to the physical folder (not virtual folder) of the application. Rightclick and select the Security tab. On Windows NT you will see the screen shown in Figure 13.4.

Figure 13.4: Setting permissions in Windows NT.

2.Set up the ACL based on users or groups for your application.

§Chapter 16: Transactions

§Chapter 17: The Trial Balance Report

Project 1 Overview

A Personal Finance Manager is an accounting application like Quicken or Microsoft Money that enables you to maintain bank accounts, cash, credit cards, and investment accounts. You record all your deposits and expenses and the system generates many reports that help you to monitor your financial health.

An accounting application is composed of many modules, each performing certain specific tasks. A Personal Finance Manager handles cash, bank accounts, credit cards, and other financial transactions. An Inventory module records movement of inventory items, an Accounts Receivable module records customer transactions, and an Accounts Payable module records supplier transactions. These modules need to talk to each other. For example, when a customer buys some goods, the Financial Accounting module needs to reflect the monetary value of the purchase, and the Inventory module needs to be updated with the physical movement of the inventory items.

Traditionally, accounting applications have been developed around the client/server model. The modules share a central database and are connected to each other with some sort of a network protocol.

The Internet brings some very exciting possibilities to the traditional way of designing applications. The various modules of an accounting application need no longer be connected with wire. Using ASP.NET and web services, we can design applications that can send and receive data using the Internet and HTTP.

In this Project, I want to show you how to build a Web-Enabled Personal Finance Manager using ASP.NET web forms (we will extend this to incorporate web services later in the book). Its design is steeped in the double entry system of accounting. You can easily extend the concepts developed in this chapter to build other accounting modules. In fact, each new module is actually a new web form that will be very similar to the one that we design here.

Chapter 14: The Design of the Personal Finance Manager

The Personal Finance Manager is based on the double entry system of accounting. I will explain the relevant theory as I go along. In order to run the application, you need to create a Microsoft SQL Server database called ASPNET and install various database objects in it. Appendix A, "Installing the Sample Database," outlines the steps required to accomplish this. The Personal Finance Manager uses five database tables. These are the groups, masters, tr_header, transactions, and the tblSelection tables. An update, delete, and insert trigger is associated with the transactions table. This application also makes use of two stored procedures. These are the p_masters and the p_transactions stored procedures.

Groups

There are four basic groups and two types in financial accounting. The groups are Assets, Liabilities, Income, and Expenses, and the two types are Debits and Credits. Each group is either of type "Debit" or type "Credit." Assets and Expenses are Debit types, and Income and Liabilities are Credit types. Table 14.1 outlines the relationship between Types and Groups.

Table 14.1 Relationship between Types and Groups

Financial transactions are classified under these groups (or subgroups under these groups). This allows you to prepare a Balance Sheet, a Profit and Loss statement, or a cash flow statement from your financial data. The purpose of each of these reports is as follows:

§A Trial Balance is a report that shows all debit accounts on one side and all credit accounts on the other. The sum of all credit balances should always match the sum of all debit balances. The Trial Balance is the basis of preparing the Profit and Loss account and the Balance Sheet.

§Subtracting all Expenses from Income derives a Profit or Loss figure. Thus: Profit or (Loss) = Income - Expenses

§The Balance Sheet is a report that shows Assets plus Inventory on one side and Liabilities + Profit or Loss (as derived above) on the other. These two sides should be equal.

The Groups Table

I have provided some predefined groups that you can use in defining your Chart of Accounts. Each Master Account in your Chart of Accounts will specify a group to which it belongs. When you want to prepare a report like Balance Sheet or Profit and Loss, you will do a summation based on groups. Thus, if you want to find out the total expenditure, you would write a query as follows:

"Select sum (closing) from masters where code_category = '700'".

Here '700' is the code_category ("Group") for expenditure accounts.

You can use the groups table as it is. Table 14.2 is the definition of the groups table.

Table 14.2 The Groups Table Definition

Table 14.3 lists out the predefined groups included in the groups table.

Table 14.3 The Predefined Groups

Note the coding structure of this table. The primary groups have a code_value (the primary key value) of 1 to 9. Each subgroup under the primary group has a code_value of 100 multiplied by the code_value of the parent group. Each sub-group account in the same level has a sequential code value. Take the Revenue account classification. Revenue account, which is the base account group for all Profit and Loss items, has a code_value of 7. The Sale, Purchase, Income, Duties & Taxes paid and Expenditure accounts all fall under the Revenue account classification. Hence they have code_values of 700,701,702,703,704 respectively. Again the Expenses (direct) account has a code_value of 70400. This is because it falls under the Expenditure group which has a code_value of 704.

This method of code classification allows us to build queries that get all records for a given group or subgroup. As I will tell you in a moment, each master account in the Chart of Accounts is associated with a group. Each master account has a closing balance field that is updated each time a transaction takes place. Suppose we wanted to find the sum of the closing balance for all revenue accounts. The SQL query for this is: "Select sum(closing) from masters where code_category = 7". Now suppose we wanted to get all the expenditure accounts. The SQL query for this would be: Select * from masters where substring(convert(varchar(13),code_value),1,3) = '704'. If we apply this same query against the groups table we will get

Expenditure account, Expenses (direct) and Expenses (indirect). Similarly to get only the Expenses (direct) records, we would say Select * from masters where substring(convert(varchar(13),code_value),1,5) = '70400'.

The Masters Table

A master account must be created for each Income, Expense, Asset, and Liability account that you want to use. This is called the Chart of Accounts. The masters table holds this information. Each master account must be associated with a group from the groups table. You specify the group in the code_category field of the masters table. Each account has a closing field. This field holds the closing balance of that account at any given time. This field is automatically updated by triggers on the transactions table. You use this field for displaying the closing balances in the Trial Balance, Profit & Loss, and the Balance Sheet. Table 14.4 is the definition of the masters table.