II. Management: Vulnerabilities

  1. SQL Injection
    1. Use parameterized SQL queries (or an ORM such as Entity Framework)
    2. Avoid dynamic query construction at run-time
  2. Cross-Site Scripting
    1. MVC (Razor) HTML-encodes rendered values by default, so script placed in input fields is not executed
    2. Beware the raw MVC helper (@Html.Raw), which outputs markup without encoding
  3. Cross Site Request Forgery (CSRF)
    1. Add the anti-forgery token validation attribute to controller POST/PUT/DELETE methods

    2. Add @Html.AntiForgeryToken() inside the form markup on the MVC page
    3. Results in a hidden token field within the form and an encrypted token in a cookie
      1. Both token sources (cookie and hidden field) must match when the MVC controller action is called
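Added example (not from the original notes): an ASP.NET Core MVC controller that applies items 1 and 3 above, with the run-time query construction the notes warn against kept beside the parameterized version. CustomerController, the Customers table and the Search action are assumed names; [ValidateAntiForgeryToken] is the framework attribute the anti-forgery notes refer to.

```csharp
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;
using Microsoft.AspNetCore.Mvc;

public class CustomerController : Controller
{
    private readonly string _connectionString;   // supplied by configuration in a real app
    public CustomerController(string connectionString) { _connectionString = connectionString; }

    // The pattern the notes warn against: query text assembled at run time from user input,
    // so a quote character in the value changes the statement itself. "Before" only, for contrast.
    public static string UnsafeQueryText(string lastName)
    {
        return "SELECT Id, LastName FROM Customers WHERE LastName = '" + lastName + "'";
    }

    // Hardened form: the SQL text is a constant and the value travels as a typed parameter,
    // so the database never parses it as part of the statement.
    public List<string> FindByLastName(string lastName)
    {
        const string sql = "SELECT Id, LastName FROM Customers WHERE LastName = @lastName";
        var results = new List<string>();
        using (var conn = new SqlConnection(_connectionString))
        using (var cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@lastName", SqlDbType.NVarChar, 100).Value = lastName;
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    results.Add(reader.GetInt32(0) + ": " + reader.GetString(1));
            }
        }
        return results;
    }

    // CSRF: the hidden field rendered by @Html.AntiForgeryToken() inside
    //   @using (Html.BeginForm("Search", "Customer", FormMethod.Post)) { ... }
    // must match the encrypted token cookie, otherwise MVC rejects the request before
    // this action body runs. Only state-changing (POST/PUT/DELETE) actions are decorated.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult Search(string lastName)
    {
        return View(FindByLastName(lastName));
    }
}
```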

III. Management: DotNet5 Setup

  1. DotNet Version Manager (DNVM)
    1. Used for command-line selection of the .NET version used for compiling (CLR or CoreCLR, x64 or x86)
    2. Visual Studio sets this inside of project properties (but VS Code would use command line)
    3. After installing dotnet and restarting, go to command line in user directory
    4. Follow these steps
      1. DNVM Setup
        1. Sets path names
      2. DNVM Upgrade
        1. Installs latest version of dotnet (but only x86, not x64 or coreClr)
      3. DNVM List
        1. Lists the current installed dotnet versions
      4. DNVM Install (with -arch and -r switches)
        1. Type the most up-to-date version from the list
        2. Install any or all of the 4 versions
      5. DNVM alias default (with -arch and -r switches)
        1. Sets the default version of .NET
      6. DNVM use (with -arch, -r and -p switches)
        1. Sets the version of .NET to use currently
        2. The -p switch persists this selection
    5. References
      1. Shawn Wildermuth (2015) Pluralsight, Building a Web App with asp.net 5, accessed 12/2/2015

IV. Management: Identity with Identity Server 4

  1. Setup identity server
    1. In Visual Studio, create a dotnet core web application with individual accounts
    2. Add the "IdentityServer4" and "IdentityServer4.AspNetIdentity" NuGet packages
    3. Add AddDeveloperIdentityServer() to Startup.ConfigureServices, and replace it with AddIdentityServer in production
    4. In program.cs, addUrl("http://localhost:5000") or whichever host url
    5. In project properties, change to run as the project-name console app (not IIS Express) and uncheck launch browser
    6. Copy over the IdentityServer4.Quickstart.UI contents to added controllers, models and views for authentication
      1. This is primarily for consent and logout pages (asp.net identity covers the login)
  2. Setup google oauth
    1. Use the google developer's console - apis
    2. Create a project
    3. Under library tab, add "Google+api" (important!)
    4. Add credentials - oauth
    5. Set base url (or leave blank for testing e.g. localhost)
    6. Set redirect (url/signin-google)
  3. Visualization
    1. IdentityServer Connection Info (when set to AddDeveloperIdentityServer)
      1. Url:5000/.well-known/openid-configuration
    2. Json Access Token
      1. Website: jwt.io
      2. Paste the json access token contents into the jwt.io input area and view header and data
  4. Resources
    1. http://docs.identityserver.io/en/dev/quickstarts/6_aspnet_identity.html

V. Management: Api

  1. Visualization
    1. Postman (chrome plug-in)
    2. Nuget package Swagger
      1. Startup ConfigureServices: services.AddSwaggerGen()
      2. Startup Configure: app.UseSwaggerGen(), app.UseSwaggerUi()
      3. Navigate to localhost/swagger/ui

VI. Management: Visual Studio

  1. Project set-up of simple web site
    1. Use new project wizard, select ASP.NET Core project (and empty, api, or full/mvc)
    2. Add Identity (individual accounts)
    3. Program.cs will "Use IISIntegration()"
  2. Node/Grunt/Gulp/Bower
    1. Assumes Node is already installed on machine
    2. Assumes Visual Studio 2015 or Nuget Node Plug-ins are installed
    3. Add package.json
      1. Analogous to Nuget package installation for C#
      2. Installs node plugin dependencies for the current dir to project directory
      3. In Solution Explorer, right-click package.json and click "NPM Install Packages"
      4. Replaces bower for most cases
    4. Add bower.json (or use npm/package.json instead)
      1. http://bower.io/docs/creating-packages/
      2. Installs the javascript dependencies (e.g. angular, bootstrap, jquery, d3)
      3. Add dependencies in json format (see link above)
      4. In Solution Explorer, right-click bower.json and click "Bower Install Packages"
        1. Malformed Error may occur (due to Visual Studio inserting a BOM character in the file)
        2. If malformed error, open in editor (e.g. Notepad++, Sublime) and Save As "UTF8 without BOM"
    5. Add Gruntfile.js
      1. http://gruntjs.com/sample-gruntfile
      2. Task runner with numerous plugins for any purpose (e.g. LESS/SASS, minify/uglify, convert...)
    6. Add Gulpfile.js (optional alternative to Grunt)
      1. https://github.com/gulpjs/gulp
      2. Task runner that allows more sequential steps for each file opened
      3. Younger than Grunt, so fewer plugins available, but very active development in 2015
      4. Great for writing quick, custom javascript tasks that combine multiple steps on a single file
        1. Example: load an XML file, convert it to JSON (plug-in), modify it with custom code, then save the JSON

VII. Management: SqlServer Integration with Asp.Net MVC

  1. Application pool access
    1. Create an application pool in IIS
      1. Confirm that the application pool has Identity = ApplicationPoolIdentity (advanced settings)
      2. Assign the MVC application pool to the application
    2. Use Sql Server Management Studio to add the application pool to Sql logins
      1. Right click Security\Logins and choose "New Login"
      2. Login name: IIS APPPOOL\[name of your application pool]
        1. Do not click search (it will not find the apppool)
      3. Leave as windows authentication
      4. Server Roles
        1. Public
      5. User Mapping
        1. Select the database(s)
        2. Role membership: db_datareader, db_datawriter, public (give no more access than needed)
    3. References
      1. Configuring an MVC4/IIS app to access SQL Server
        1. http://rarcher.azurewebsites.net/Post/PostContent/20
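Added example, not from the original notes or the referenced post: the T-SQL equivalent of the Management Studio steps above, so the login and its least-privilege mapping can be scripted and reviewed. MyMvcAppPool and MyAppDatabase are placeholders; ALTER ROLE ... ADD MEMBER requires SQL Server 2012 or later.

```sql
-- Login for the application pool's virtual account. Windows authentication: there is no password,
-- and the name is typed rather than searched for, exactly as in the Management Studio steps.
USE [master];
GO
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'IIS APPPOOL\MyMvcAppPool')
    CREATE LOGIN [IIS APPPOOL\MyMvcAppPool] FROM WINDOWS;
GO
-- Server role stays at public (the default); no sysadmin or other server roles are granted.

-- Database user mapped to that login, in each database the application needs.
USE [MyAppDatabase];
GO
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'IIS APPPOOL\MyMvcAppPool')
    CREATE USER [IIS APPPOOL\MyMvcAppPool] FOR LOGIN [IIS APPPOOL\MyMvcAppPool];
GO
-- Least privilege: read and write table data only; no DDL, no db_owner.
ALTER ROLE db_datareader ADD MEMBER [IIS APPPOOL\MyMvcAppPool];
ALTER ROLE db_datawriter ADD MEMBER [IIS APPPOOL\MyMvcAppPool];
GO
-- Verify the role membership before deploying the site; expect exactly two rows.
SELECT dp.name AS user_name, r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS dp ON dp.principal_id = rm.member_principal_id
JOIN sys.database_principals AS r  ON r.principal_id  = rm.role_principal_id
WHERE dp.name = N'IIS APPPOOL\MyMvcAppPool';
```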

VIII. Management: Web Deploy (Visual Studio)

  1. Manually updating web.config on server
    1. Publishing web.config overwrites server settings
      1. Good for newly added components, bad for SQL Connections
      2. Deploying SQL connection settings to servers is tricky
    2. Added to the project file (csproj), under properties
      1. <ExcludeFilesFromDeployment>web.config</ExcludeFilesFromDeployment>
      2. Do not forget to manually copy new settings when components are added
