Synchronize your Security

In Querying and Reporting, "Using Cizer to Customize Reports" (June), I introduced Cizer, a decision-support server from MB Consulting (http://www.cizer.com), and showed you how to use it to generate custom reports. This month, I look at how you can use a few lines of code to customize the logon and password interfaces and integrate Cizer and its security features directly into your Active Server Pages (ASP) application.

Logon Security


Many Web sites have a logon feature that authenticates users when they access the site so that the application can control which features each user may use. Cizer can work alongside such application-level security, but it also has its own separate security system that controls access to its reports and features. This combination gives you several options for securing your application and controlling use of Cizer. By default, standard Cizer security requires users to log on through the Cizer interface. You can customize this process by integrating the Cizer logon into your application, giving users a seamless path from your application into the Cizer reporting application.

Cizer divides its security system into users and groups of users. This security configuration is similar to the Windows NT security system, which incorporates userids and groups, but Cizer's security system is separate from the NT security system and doesn’t link to or integrate with NT's security.

The Cizer login.asp page, which you see in Screen 1, uses the HTML code in Listing 1 to collect the userid and password from the user, and then log on to the Cizer security system. This HTML code includes all text that is relevant to the logon process, except for the code to change or save the user’s password. To log on, the user enters a user name and password, then clicks Login. The Login button submits an HTTP Post action back to login.asp, which uses the ASP Request object to obtain the parameters the user entered, and then passes them to the Cizer login object (Cizer.CizerLogin). This object validates them against the Cizer security system.

Integrate Logons


To integrate your application’s security with Cizer's, you can use the Internet Service Manager (ISM) to change the settings on Cizer’s Directory Security property page and enable basic authentication on the site. After this change, users must log on through a basic authentication dialog box before they can access any file in the site. Microsoft Internet Information Server (IIS) takes the user account and password from the basic authentication header and validates them against the NT security system. Once this validation occurs, you can use the following lines of code in your ASP application to retrieve the user account and password:

<%
' Retrieve the account that IIS validated through basic authentication.
' AUTH_PASSWORD holds the password exactly as the browser sent it, so
' serve pages that read it only over SSL.
Dim UserID, Password
UserID = Request.ServerVariables("AUTH_USER")
Password = Request.ServerVariables("AUTH_PASSWORD")
%>

This process works well when only users with NT security accounts use your application. To manage users who don’t have NT accounts, most applications place the user accounts into a database and validate users by checking user names and passwords against the database entries. You can pass the user account and password that a user enters in login.asp to the Cizer Login object when you call the Login method, which performs the validation. Before your code executes the Login method, use the following code from Cizer's login.asp page to retrieve the userid and password:

' From Cizer's login.asp: read the posted userid and password.
If Len(Trim(Request.Form("userid"))) > 0 Then
    userid = Trim(Request.Form("userid"))
    password = Trim(Request.Form("password"))
    ' the rest of the logon code runs inside this block
End If

This code uses the Request object to pull the logon information from the HTML form the user submitted and places the values in local variables. Next, the code instantiates the Cizer Login object and executes the Login method. The Login method takes several parameters, including the userid and password. The Connect parameter contains the connection string from the Connect session variable that you set in global.asp. The Login method returns the Rights variable, which contains the user’s rights in Cizer. The final parameter that Login uses is the HTTP_User_Agent value from the HTTP header; Cizer probably uses this value to detect the browser viewing the page:

' Create the Cizer login object and validate the credentials.
' On Error Resume Next hides any COM error raised by login, so check
' Err.Number after the call rather than relying on rc alone.
Set obj = Server.CreateObject("Cizer.CizerLogin")
On Error Resume Next
rc = obj.login(connect, userid, password, rights, _
               Request.ServerVariables("HTTP_USER_AGENT"))
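The following page is an added example, not Cizer's own login.asp, that puts the pieces above together in one logon handler for your application: it uses the account IIS already validated through basic authentication when there is one, falls back to the credentials posted from a logon form, signs the user on to Cizer, and records the logon in session variables. Everything not taken from the article is an assumption: that login returns a nonzero value on success, the session variable names CizerUserID and CizerRights, the page name menu.asp, and that the Cizer pages live in the same IIS application so that they share the Session object.

```vbscript
<%
' Added example (not Cizer's login.asp): one logon handler for your own
' application that also signs the user on to Cizer, so the Cizer session
' variables exist before the user reaches any Cizer page.
' Assumptions (not from the article): login returns nonzero on success,
' the session variable names CizerUserID and CizerRights, and menu.asp.
Option Explicit

Dim userid, password, rights, rc, obj, connect

' Prefer the account IIS already validated against NT (basic authentication).
userid = Trim(Request.ServerVariables("AUTH_USER"))
password = Request.ServerVariables("AUTH_PASSWORD")

' Otherwise fall back to the credentials posted from the logon form.
' Only the Form collection is read, so credentials never arrive in a
' query string that would be written to the IIS log and browser history.
If Len(userid) = 0 Then
    userid = Trim(Request.Form("userid"))
    password = Trim(Request.Form("password"))
End If

' No credentials at all: show the logon form instead of calling Cizer.
If Len(userid) = 0 Then
    Response.Redirect "login.asp"
End If

' Connection string from the Connect session variable the article describes.
connect = Session("Connect")

' Validate against Cizer. A COM error from login is treated as a failure.
Set obj = Server.CreateObject("Cizer.CizerLogin")
On Error Resume Next
rc = obj.login(connect, userid, password, rights, _
               Request.ServerVariables("HTTP_USER_AGENT"))
If Err.Number <> 0 Then
    rc = 0
    Err.Clear
End If
On Error GoTo 0
Set obj = Nothing

If rc <> 0 Then
    ' Record the logon the way Cizer's Listing 2 does (names assumed here).
    Session("CizerUserID") = userid
    Session("CizerRights") = rights
    Response.Redirect "menu.asp"
Else
    ' Do not echo the userid or password back in the failure response.
    Response.Redirect "login.asp?failed=1"
End If
%>
```

Because the page clears the password variable only by ending, keep it out of any debugging output; the redirect on failure carries a flag, never the credentials.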

Share the Code


To properly implement this logon approach in your ASP application, you must work all this code into the Cizer application. If you put the code into only your ASP application, you won’t be able to access the Cizer application because the Cizer logon process creates session variables that exist only in the context of the Cizer application. If the code is in only your ASP application, the session variables don’t exist when users visit the Cizer pages, and the Cizer login page displays.

Cizer's login.asp page uses the code in Listing 2 to set session variables. This code demonstrates the session variables that Cizer uses to monitor users’ logon status. If these variables are not set, Cizer's code can detect that the user is not logged on. But if the variables are set, Cizer not only can detect that the user is logged on, it can extract the user’s logon name. Cizer uses the Rights session variable, which contains the user’s security mask, to determine which parts of Cizer the user can access.
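The check described above, written out as an added example that is not part of Cizer: an include file for the top of each protected page that mirrors the test Cizer's pages make on the session variables and on the rights mask. The variable names CizerUserID and CizerRights and the bit values in the mask are assumptions; take the real ones from Cizer's Listing 2 and its documentation.

```vbscript
<%
' Added example (not Cizer's code): guard include for protected pages.
' Session variable names and rights-mask bit values are assumptions.
Const RIGHT_VIEW_REPORTS = 1     ' assumed bit in the rights mask
Const RIGHT_DESIGN_REPORTS = 2   ' assumed bit in the rights mask

Function IsLoggedOn()
    ' A missing or empty session variable means no Cizer logon happened in
    ' this IIS application (deep link from a bookmark, or the session expired).
    IsLoggedOn = (Len(Trim("" & Session("CizerUserID"))) > 0)
End Function

Function HasRight(mask, requiredBit)
    ' Bitwise test of the security mask; an unset mask grants nothing.
    If IsEmpty(mask) Or Len("" & mask) = 0 Then
        HasRight = False
        Exit Function
    End If
    HasRight = ((CLng(mask) And requiredBit) = requiredBit)
End Function

If Not IsLoggedOn() Then
    ' Send the user to the logon page without revealing what they asked for.
    Response.Redirect "login.asp"
End If

If Not HasRight(Session("CizerRights"), RIGHT_VIEW_REPORTS) Then
    Response.Status = "403 Forbidden"
    Response.Write "You do not have rights to view reports."
    Response.End
End If
%>
```

Placing the test in an include keeps the logon state check and the rights check identical on every page, so a page added later cannot forget one of them.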

You can link to the Cizer login page and pass the userid and password as Form or QueryString variables. Neither approach is foolproof; users can retrieve userid and password information in the page’s source code or from the query string. If you want to use a query string to pass the variables, you must change the Cizer login.asp code to:

' Request("userid") without a collection name searches Form and QueryString.
If Len(Trim(Request("userid"))) > 0 Then
    userid = Trim(Request("userid"))
    password = Trim(Request("password"))
End If

Removing .form from the Request object causes the Request object to search both the Form and QueryString collections for the values you request. This change makes the page more flexible because users can reach it from pages that pass the userid and password in an HTML form or in a query string. If you make this change, check all the code in login.asp and remove .form wherever it’s used. After you’ve made these changes, users can access Cizer directly from the other application.

Get Synchronized


To use this approach to integrate Cizer into your systems, you must keep the Cizer and NT account security synchronized. If the NT security gets out of sync with the Cizer security, users won’t be able to log on. And if you have some creative developers on staff, you can even synchronize Cizer’s security with any other security system you have. Every time users change their passwords on NT or in your security system, execute the ChangePassword method in your code and the method changes the Cizer password at the same time. In this way, you synchronize password changes across both systems. If you use NT's security system, you can access password changes with Active Directory Service Interfaces (ADSI) or the NT API.

You can let users change their Cizer security passwords through Cizer's login.asp. When users select the Change Password check box, the page directs them to changepwd.asp. This page displays New and Confirm Password fields where users can change their passwords, and it executes the Cizer Login object’s ChangePassword method. Of course, you can customize the changepwd.asp code to make these changes automatically.
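The synchronization described in the last two paragraphs, as an added example that is not Cizer's changepwd.asp: a password-change handler that updates your own account store and then mirrors the change into Cizer, rolling the first change back if the second fails so the two systems never drift apart. The ChangePassword parameter order (connect, userid, old password, new password), a nonzero return on success, the session variable name CizerUserID, and the ChangeAppPassword routine standing in for your own account store (a database, ADSI or the NT API) are all assumptions, not details from the article.

```vbscript
<%
' Added example (not Cizer's changepwd.asp): change a password in your
' own account store and in Cizer in one step, keeping both in sync.
' Assumptions (not from the article): ChangePassword(connect, userid,
' oldPwd, newPwd) returning nonzero on success, Session("CizerUserID"),
' and a ChangeAppPassword routine placeholder for your own store.
Option Explicit

Dim userid, oldPwd, newPwd, confirmPwd, rc, obj, msg
msg = ""

userid     = "" & Session("CizerUserID")
oldPwd     = Request.Form("oldpassword")
newPwd     = Request.Form("newpassword")
confirmPwd = Request.Form("confirmpassword")

If Len(Trim(userid)) = 0 Then Response.Redirect "login.asp"

' Validate before touching either system so neither is changed alone.
If newPwd <> confirmPwd Then
    msg = "New and Confirm Password do not match."
ElseIf Len(newPwd) < 8 Then
    msg = "Use at least 8 characters."       ' example policy value
ElseIf newPwd = oldPwd Then
    msg = "The new password must differ from the current one."
End If

If Len(msg) = 0 Then
    ' 1. Change your own store first; it re-verifies the current password,
    '    so a hijacked session alone cannot rotate the password.
    If Not ChangeAppPassword(userid, oldPwd, newPwd) Then
        msg = "Current password is incorrect."
    Else
        ' 2. Mirror the change into Cizer.
        Set obj = Server.CreateObject("Cizer.CizerLogin")
        On Error Resume Next
        rc = obj.ChangePassword(Session("Connect"), userid, oldPwd, newPwd)
        If Err.Number <> 0 Then
            rc = 0
            Err.Clear
        End If
        On Error GoTo 0
        Set obj = Nothing
        If rc = 0 Then
            ' Cizer refused the change: roll your store back to stay in sync.
            Call ChangeAppPassword(userid, newPwd, oldPwd)
            msg = "Password change failed; nothing was changed."
        End If
    End If
End If

If Len(msg) > 0 Then
    Response.Write Server.HTMLEncode(msg)
Else
    Response.Redirect "menu.asp"
End If

' Placeholder for your application's own account store (assumed routine).
' Replace the body with your database update, ADSI call or NT API call,
' returning True only when the old password was verified and the new one set.
Function ChangeAppPassword(id, oldPassword, newPassword)
    ChangeAppPassword = False
End Function
%>
```

The order matters: the system that verifies the current password goes first, and a failure in the second system undoes the first, which is what keeps the NT (or application) and Cizer accounts from getting out of sync.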

Dig In


By looking inside the various Cizer files, you can uncover a wealth of information about how Cizer works. As always, be careful before modifying the files in any application. However, with the right planning, you can change a few lines of code and vastly improve the way your applications integrate with each other.