report body with bold headings
TRANSCRIPT
-
8/6/2019 Report Body With Bold Headings
1/87
Dept of CSE, RNSIT 2010-11 Page 1
Chapter 1
INTRODUCTION
SDX On Web is a system which draws its inspiration from document basedorganizations such as the ISO. During the course of our study, our findings reported that
there is a need for an open-source secure document exchange software. Our system
distinguishes the documents according to hierarchy in the organization. This is especially
useful during document retrieval and inspection. Additionally our project is like a
template that can be easily customized to various organizations and educational
institutions.
It is a system that can be used in an organization to manage documents across
different departments. It provides robust, highly scalable, and secure on-line document
management capabilities in a heterogeneous environment. The system provides a mean by
which employees of an organization can upload, read, delete, update or check in/out
documents with each other and provides a central repository for storing all organization
related documents.
The SDX On Web software is built as a three-tier web application utilizing Web
Services (WS) to enhance the modularity and ease of development.
The first tier consists of the Graphical User Interface (GUI) which will be
displayed on a web browser when SDX On Web is activated. The GUI is generated from
the server software, Microsoft IIS (Internet Information Service) coupled with Microsoft
ASP.NET languages and technologies. As the user interacts with software the GUI will
modify itself as necessary to display the correct information. Security is critical to the
success of the system. All user interaction occurs at this tier and therefore all input
coming from this tier must be validated. When business logic is necessary the first tier
system will call the web services in the second tier.
The second tier will consist of a variety of web services that interact to fulfill the
stated requirements of the customer. Web services will provide the necessary modularity
required by this system to portray the SDX On Web software in an efficient manner.
-
8/6/2019 Report Body With Bold Headings
2/87
SDX-Secure Document eXchange On Web Chapter 1
Dept of CSE, RNSIT 2010-11 Page 2
Additionally, the Service Oriented Architecture will allow the software
development team to develop various modules largely independently, increasing our
productivity. Web services are organized into reusable workflows for the variety of use
cases encountered. Among the business logic required for tier two is input validation,
user validation, document retrieval, user account creation and modification, writing to tier
three storage, reading from tier three storage, and user account rights verification.
The last, third tier, is primarily a storage layer. Information is stored at this layer
such as user details, documents, and document sharing information. Storage will be
accomplished via the Microsoft SQL Server 2005 Express Edition relational database
system. SQL Server is a well known and accomplished solution for multi-user concurrent
database storage systems. One of our primary requirements is to prevent access to this
layer by unauthorized users.
There are several types of users
Corporate-level management officials, such as CEO, president, vice presidents:
Corporate-level users include all the management officials, such as CEO,
president, vice presidents, who are responsible for the operations of multiple
departments. They have the highest level access rights, which is they can access
any documents in the departments they are responsible for with full rights.
Department manager: A Department Manager is a special kind of employee who
takes charge of the operations of a department. Apparently, a Department
Manager not only have the same privilege as the regular employees, but also
he/she has more access rights. In other words, the restrictions on all the operations
are different from those of Employees. Department Managers can delete all the
documents in the department that they are responsible for. Also, Department
Managers cannot access documents uploaded by corporate-level users unless the
documents are shared with them.
Regular employees: Employees are users that have been approved by the System
Administrator to have full access to the capabilities of the SDX on Web System.
Employees may upload documents, view, upload, share, delete, and check out
documents. There are restrictions on the above operations. Employees may only
delete documents that have been authored by the user. Other users may restrict
Sharing privileges to View, Update, and Check-in in any combination thereof.
-
8/6/2019 Report Body With Bold Headings
3/87
SDX-Secure Document eXchange On Web Chapter 1
Dept of CSE, RNSIT 2010-11 Page 3
One may be able to View, but not update a document that has been shared with
the user. If some shared document has been checked out by another user, they
will no longer have the ability to update that document.
Temporary user: A Temporary User is a user that has signed up for an account
but has not had their account approved by a System Administrator. Temporary
users have no access to any part of the SDX on Web system.
Guest user: A Guest User is a user that has been approved by the System
administrator. A Guest user is not an employee of the organization. Therefore,
guest users cannot upload or delete any document. The only operations for Guest
Users are to read, update or check in/out the documents which have been shared
with him/her.
System administrators: System Administrators are users that manage the approval
of other user accounts. They may not access any user's document(s) or personal
data in any way. System Administrators maintain the system by getting the
current system state via the System Log, Approving, and Denying users access to
the SDX On Web System. After signup and approval by another System
Administrator, the Department of their account is inconsequential and is ignored
because System Administrators do not have access or modify Department
documents.
-
8/6/2019 Report Body With Bold Headings
4/87
Dept of CSE, RNSIT 2010-11 Page 4
Chapter 2
LITERATURE SURVEY
Google Docs
Google Docs is Google's "software as a service" office suite. Documents,
spreadsheets, presentations can be created with Google Docs, imported through the web
interface, or sent via email. Documents can be saved to a user's local computer in a
variety of formats including: (ODF, HTML, PDF, RTF, Text, and Microsoft Word).
Documents are automatically saved to Google's servers to prevent data loss, and a
revision history is automatically kept. Documents can be tagged and archived for
organizational purposes. The service is officially supported on recent versions of the
Firefox, Internet Explorer, Safari and Chrome browsers running on Microsoft Windows,
Apple OS X, and Linux operating system.
Google Docs serves as a collaborative tool for editing amongst users and non-
users in real time. Documents can be shared, opened, and edited by multiple users at the
same time. Users can be notified of changes to any specified regions via e-mail. The
application supports two ISO standard document formats: OpenDocument (for both
opening and exporting) and Office Open XML (for opening only). It also includes support
for proprietary formats such as .doc and .xls.
IBM Doors
The doors subsystem is implemented as a user-space library with some kernel
support, and relies heavily on threads. It is designed for low overhead, and the Solaris
implementation uses some assembler code for maximum efficiency.
Doors are created by server processes (which must use threads) and called by
client processes. (It is possible for one process to both create and call a door.) When
creating a door, the server must specify a server procedure, which will be called by the
doors library on behalf of clients. Unlike most Remote procedure call systems, each door
has only one server procedure.
http://en.wikipedia.org/wiki/OpenDocumenthttp://en.wikipedia.org/wiki/OpenDocument -
8/6/2019 Report Body With Bold Headings
5/87
SDX-Secure Document eXchange On Web Chapter 2
Dept of CSE, RNSIT 2010-11 Page 5
A server can "attach" a door to a file, enabling clients to connect to that door
simply by opening that file. The ls -l command will then show the file with a 'type' of "D"
(not to be confused with "d" for a directory) for example:
Drw--r--r-- 1 smith dev 876 May 16 9:42 myfile
Clients use door_call() to invoke the door's server procedure, passing a contiguous
region of memory and a list of file descriptors as arguments, and getting back another
contiguous region and list of file descriptors. Either region may be empty, as may either
list. Usually, two C structs will be defined, one for the input data and one for the output
data. (Alternatively, tagged unions may be used, allowing a door procedure to provide
multiple actions in much the same way as the ioctl system call.) Every file descriptor is
accompanied by a flags word. The DOOR_RELEASE flag requests that a file descriptor
be closed in the sending process after being duplicated in the receiving process. If a file
descriptor that refers to a door is sent, the system records the properties of that door in the
flags word.
OpenDocMan
Document management software and document management in general is based
around a concept of centralized document storage, limited access, and change tracking.
These three DMS software fundamentals make up much of ISO 17025 in regards to
document management systems.
Centralized Document Storage:Any decent document management system (DMS), whether it is open source or
commercial, will allow documents to be stored in some sort of centralized location. This
makes finding documents in the DMS much easier, as there is only one place to look.
Limited Access:Having a centralized location to store files is not enough to call your product a
document management system. A simple folder on your computer can allow files to be
stored, but limiting access to specific individuals becomes more of a problem. A good
DMS will allow fine-grained access to each and every file.
http://en.wikipedia.org/wiki/Ioctlhttp://en.wikipedia.org/wiki/Ioctl -
8/6/2019 Report Body With Bold Headings
6/87
SDX-Secure Document eXchange On Web Chapter 2
Dept of CSE, RNSIT 2010-11 Page 6
Tracking Changes:
Limiting access to the DMS files is a good step in the right direction but does no
good if the files can be changed, added, removed without tracking of those actions. A
good document management software system will add on change tracking for the files so
that changes can be noted, and reversed if need be.
-
8/6/2019 Report Body With Bold Headings
7/87
Dept of CSE, RNSIT 2010-11 Page 7
Chapter 3
PROBLEM STATEMENT
3.1 Proposed System
A SDX On Web is a software system to facilitate access to all the documents
within an organization through the Internet. An organization often needs to track various
documents generated by all the users of the organization. For example, Human Resources
Department keeps track of all the pay-roll and benefits information; Sales Department
maintains sales record, etc.
This project is to develop a SDX On Web to facilitate the management and access
of all the documents of the organization. A user should be able to use this system any
place and any time Internet access and web browser are available.
Departments and Documents
The organization has the following departments:
1. Human resources
2. Logistic and supply
3. IT support
4. Sales
5. Research and development
The documents of the departments can have different formats: Word, Excel,
PowerPoint, PDF, text and image files. The system maintains all the documents and
related meta-data, such as authors, titles, departments, creation time, last access time and
modifications dates and time.
Users
Users of this system can be categorized according to their roles. In this project,
consider the following types of roles:
-
8/6/2019 Report Body With Bold Headings
8/87
SDX-Secure Document eXchange On Web Chapter 3
Dept of CSE, RNSIT 2010-11 Page 8
1. Corporate-level management officials, such as CEO, president, vice presidents,
responsible for the operations of multiple departments.
2. Department manager: responsible for the operations of a department.
3. Regular employees: responsible for generating and maintaining most of the documentsin departments.
4. System administrators: maintain all the user accounts
5. Temporary user: A user account created for a new user.
6. Guest user: A guest user who is not an employee of the organization.
User Account Management
1) The system provides a user interface for sign-in either as an existing user or as a newuser. If a new user signs in, he/she will be considered as a temporary user first. A
temporary user cannot do anything except sending a request to the system administrator.
The system administrator verifies the new users request and assigns a proper role to the
user.
2) Different user roles should have different privileges. The following are the general
rules:
A corporate-level management official can upload, read, delete, update or check
in/out all the documents in the departments he/she is responsible for
A department manager
o can upload, read, delete, update or check in/out all the documents in the
department he/she is responsible for
o does not have access privilege on any document uploaded by corporate-level
management officials unless a corporate-level management official specifiesto share the document with him/her.
A regular employee
o can upload, read, delete, update or check in/out the documents he/she created
(he/she is the author) in his/her department
o does not have access privilege on any document uploaded by department
managers or corporate-level management officials unless a department
manager specifies to share the document with him/her.
-
8/6/2019 Report Body With Bold Headings
9/87
SDX-Secure Document eXchange On Web Chapter 3
Dept of CSE, RNSIT 2010-11 Page 9
System administrator
o can verify new users requests and assign proper roles.
o can add /modify /delete users account.
ocan access the system log file.
o cannot access any document uploaded by users.
A guest user
o cannot upload or delete any document
o can read, update or check in/out the documents that have been shared with
him/her .
Document Management
1) The system should provide the following operations after a user has signed-in (all the
operations should be provided only for the user with proper privileges):
a. Show Document List
Show the list of documents and meta-data related to the documents
b. Upload
Upload a document to the server with meta-data.
c. Read
Read a document by clicking its link.d. Delete
Delete a document.e. Update
Update content or meta-data of a document
f. Check-in/Check-out
The Check-Out option should be used when a user wants to temporarily lock a
document in order to restrict other users from accessing to the document.
When a document is checked out,
No other user can update or check-out the document until it is checked in.
Other users can only read the document.
Only the user who checked-out can update and check-in the document.
g. Share a Document
Multiple departments may need to share a document. A user can share a document
with users in other departments by specifying the following:
User ID(s)
-
8/6/2019 Report Body With Bold Headings
10/87
SDX-Secure Document eXchange On Web Chapter 3
Dept of CSE, RNSIT 2010-11 Page 10
Access privileges (Read, Update, Check-in/Check-out)
Other Requirements
a. System Audit: SDX On Web should maintain a log file which records every operationperformed on any document in the system. The system administrator should be able to
keep track of who have performed what operations on which documents at what time
b. Transmitting a sensitive document through the Internet is not secure against
eavesdropping, tampering and message forgery. SDX On Web should provide end-to-end
confidentiality and authentication.
c. SDX On Web should allow multiple users to use the system at the same time.
3.2Advantages Of Proposed System SDX On Web is a platform independent system: source code written in one
language can be run on any machine independent of any hardware platform
with minimal or no changes.
Rijndael cryptographic algorithm is used to secure the documents:.
Password recoveryA new random password is sent to respective user email
account.
Locking and unlocking of documents are provided: Locking a document
prevents others from changing the document.
SQL Injection Detection is provided: SQL Injection refers to the technique of
inserting SQL meta-characters and commands into Web-based input fields in
order to manipulate the execution of the back-end SQL queries.
Password is hashed using SHA and stored in database for security: The Secure
Hash Algorithm is one of a number of cryptographic hash functions.
Cross Site scripting is provided: Cross Site Scripting attacks work by
embedding script tags in URLs and enticing unsuspecting users to click on
them, ensuring that the malicious JavaScript gets executed on the victim's
machine.
Security against eavesdropping and forgery: Eavesdropping is the
unauthorized real-time interception of a private communication, such as a
phone call, instant message, video conference or fax transmission. Forgery is
an illegal modification or reproduction of an instrument, document.
-
8/6/2019 Report Body With Bold Headings
11/87
Dept of CSE, RNSIT 2010-11 Page 11
Chapter 4
SYSTEMDESIGN
4.1 System Architecture
Figure 4.1.1: System Architecture
The architecture ofSDX On Web is divided into three parts. The presentation part
contains all the user interactive pages. These are the .aspx pages which allow the
system administrator to look into the user activities and the user to perform various
operations like registering to the system and logging in to their personalized portal. Once
the system administrator logs in, he can view the all the users in the system, give or deny
them access and view the system log.
The second part is the business logic. It consists of the core application business
logic. As an example, a business tier may accept request from a presentation tier, query
the data tier and return the requested data.
The third part is the storage. It consists of classes and objects and Meta data that
define these objects. The classes may be User, Role, Right, Department, Document and so
on.
-
8/6/2019 Report Body With Bold Headings
12/87
SDX-Secure Document eXchange On Web Chapter 4
Dept of CSE, RNSIT 2010-11 Page 12
4.2 Development Plan
Incremental Delivery
Figure 4.2.1 : Process cycle of Incremental delivery development plan.
In an incremental development process, customers identify, in outline, the services
to be provided by the system. They identify which of the services are most important and
which are least important to them. A number of delivery increments are then defined,
with each increment providing a sub-set of the system functionality. The allocation of
services to increments depends on the service priority with the highest priority services
delivered first.
Once the system increments have been identified, the requirements for the
services to be delivered in the first increment are defined in detail, and that increment is
developed. During development, further requirement analysis for later increments can
take place, but requirements changes for the current increment are not accepted.
Once an increment is completed and delivered, customers can put it into service.
This means that they take early delivery of part of the system functionality. They can
experiment with the system that helps them clarify their requirements for later increments
and for later versions of the current increment. As new increments are completed, they are
integrated with the existing increments so that the system functionality improves with
each delivered increment. The common services may be implemented early in the process
or may be implemented incrementally as functionality is required by an increment.
-
8/6/2019 Report Body With Bold Headings
13/87
SDX-Secure Document eXchange On Web Chapter 4
Dept of CSE, RNSIT 2010-11 Page 13
4.3 Workflows
User Input Security Verification Service Workflow
Figure 4.3.1: User Input Security Verification Service Workflow
User Input Security Verification Service - A workflow wrapped into a service that is
composed from other services to detect JavaScript and SQL Injection attempts from a
string. Returns success if there is are no injection attempts, fail otherwise. The two
services may also be run in parallel if the platform supports it.
JavaScript Injection Detection Service - Detects if the input string is an XSS attempt
through detecting JavaScript, returns succeed if none detected, fail otherwise.
SQL Injection Detection Service - Detects if the input string is an SQL Injection and
returns succeed if it is not and fail otherwise.
-
8/6/2019 Report Body With Bold Headings
14/87
SDX-Secure Document eXchange On Web Chapter 4
Dept of CSE, RNSIT 2010-11 Page 14
Login Service Workflow
Figure 4.3.2: Login Service Workflow
Login Service - Is a composition based service comprised of a series of services to see if
the user has successfully logged in. Success means that the user has successfully logged
in into the SDX On Web, failure is otherwise.
User Input Security Validation Service - See Workflow 1: User Input Security
Verification Service Workflow
Username and Password Verification Service - Checks the database to see if the usersusername and password are correct. Succeeds if correct, fails otherwise.
Is User Logged in Already Service - Checks the system to see if the user is logged in
elsewhere, if the same user is logged in multiple places simultaneously the system
assumes a breach in security has occurred. Succeeds if user is not logged in elsewhere,
fails otherwise.
System Logging Service - Records that the action that has just taken place into the system
log.
________________________________________________________________________
-
8/6/2019 Report Body With Bold Headings
15/87
SDX-Secure Document eXchange On Web Chapter 4
Dept of CSE, RNSIT 2010-11 Page 15
System Administrator Access Requests Workflow
Figure 4.3.3: System Administrator Access Requests Workflow
Login ServiceIs a composition based service comprised of a series of services to see if
the user has successfully logged in. Success means that the user has successfully logged
in into the SDX On Web, failure is otherwise.
Get All temporary User Requests Service - Gets a list of all temporary users and their
requests that have not had their access rights decided.
Get All System User : Gets a list of all users in the organization.
Get System Log - Get all the messages in the system log.
Give User Access Service - Service that gives the user the access rights given in the
request.
Deny User Access Service - Denies the temporary user access rights (or transition out of
temporary user).
-
8/6/2019 Report Body With Bold Headings
16/87
SDX-Secure Document eXchange On Web Chapter 4
Dept of CSE, RNSIT 2010-11 Page 16
System Logging Service Records that the action that has just taken place into the
system log
New User Request Workflow
Figure 4.3.4: New User Request Workflow
Workflow for a new user requesting an account.
User Input Security Verification Service - See above
User Request Filing Service - Records the new account details and request details in the
database.
System Logging Service Records that the action that has just taken place into the
system log
-
8/6/2019 Report Body With Bold Headings
17/87
SDX-Secure Document eXchange On Web Chapter 4
Dept of CSE, RNSIT 2010-11 Page 17
Document List Workflow
Figure 4.3.5: Document List Workflow
User_id=1?: Here the UserID is checked. If the user is a temporary user then the login
page is displayed. Else the documents of the user is displayed.
Documents to Check-Out: User selects the documents and can check out using the check
out button.
Button Check-Out click: when this button click is true and the documents are selected
then the control goes to Document Check-Out Service.
-
8/6/2019 Report Body With Bold Headings
18/87
SDX-Secure Document eXchange On Web Chapter 4
Dept of CSE, RNSIT 2010-11 Page 18
Document Check-Out Service: The checked out documents are put to object reference
doc_checked . If this is done successfully then the document is checked out else its not
checked out.
________________________________________________________________________
View Document Workflow
Figure 4.3.6: View Document Workflow
List Service: This service loads the allowed documents to be viewed to the dropdown list.
Select Document: The document to be viewed is selected.
-
8/6/2019 Report Body With Bold Headings
19/87
SDX-Secure Document eXchange On Web Chapter 4
Dept of CSE, RNSIT 2010-11 Page 19
View Document Service and Decryption: This service decrypts and opens the respective
document to be viewed. A pop-up asks whether to open or save the document.
If this service returns true then system log is updated else an error is occurred.
Upload Document Workflow
Figure 4.3.7: Upload Document Workflow
Name of file: A name is to be given to the file begin uploaded.
Browse for file: File is browsed from the system. This functionality is provided by File
Upload class.
Click upload button: The upload button is clicked after browsing.
-
8/6/2019 Report Body With Bold Headings
20/87
SDX-Secure Document eXchange On Web Chapter 4
Dept of CSE, RNSIT 2010-11 Page 20
Upload and Encryption Service: The uploaded file is checked for the correct extension
and is encrypted using Rijndael Encryption Algorithm. The result of this service is
logged.
Update Document Workflow
Figure 4.3.8: Update Document Workflow
Target File: The file to be updated is chosen.
Source File: This is the file that has to replace the target file in system. This is done by
browsing for the file from user system. This file must have the same extension as that of
the target file.
Update and Encryption Service: The updated file is checked for the correct extension and
is encrypted using Rijndael Encryption Algorithm. The result of this service is logged.
-
8/6/2019 Report Body With Bold Headings
21/87
SDX-Secure Document eXchange On Web Chapter 4
Dept of CSE, RNSIT 2010-11 Page 21
Document Check-in Workflow
Figure 4.3.9: Document Check-in Workflow
Select document: The documents are displayed using Listitem and one document is
chosen from them.
Confirm Check-In: The check box must be ticked to confirm the checkin and then the
Check-In button is to be clicked.
Check-In Service: This service removes the document from the object reference
doc_checked. The result of this service is logged in the system.
-
8/6/2019 Report Body With Bold Headings
22/87
SDX-Secure Document eXchange On Web Chapter 4
Dept of CSE, RNSIT 2010-11 Page 22
Change Password Workflow
Figure 4.3.10: Change Password Workflow
Enter old password: user must enter the password that has to be changed.
Enter new password and re-type: The required password is to be typed and re-typed so
that it can be confirmed.
Change Password Service: This service is called upon change password button click. This
service replaces the old password by new password.
-
8/6/2019 Report Body With Bold Headings
23/87
SDX-Secure Document eXchange On Web Chapter 4
Dept of CSE, RNSIT 2010-11 Page 23
Delete Document Workflow
Figure 4.3.11: Delete Document Workflow
Select Document: A document is to be chosen for deletion from the list.
Delete Document Service: The document which is chosen is removed from the object
reference document. The result of this service is logged.
Logout Workflow
Fig 4.3.12: Logout Workflow
-
8/6/2019 Report Body With Bold Headings
24/87
SDX-Secure Document eXchange On Web Chapter 4
Dept of CSE, RNSIT 2010-11 Page 24
Forgot Password Workflow
Figure 4.3.13: Forgot Password Workflow
Enter email-id: The email-id of the user who has forgotten his/her password is to be
entered.
Validate id: Checks whether the email syntax is proper and checks whether the user
exists. If any of it is wrong then the user navigates to login page else it navigates to sendnew password page.
-
8/6/2019 Report Body With Bold Headings
25/87
SDX-Secure Document eXchange On Web Chapter 4
Dept of CSE, RNSIT 2010-11 Page 25
User enters details: Here the user enters his/her details like security answer, role and
department. Then the user should click GetNewPassword button.
SQLInjection Detection and Detect XSSAttempt Service: These services detect
SQLInjection and XSSAttempt respectively.
Match details: The entered details are matched with the details in the database.
Generate new password : If the details match then a new password is generated and sent
to the user email using EmailClient Service.
Share Document Workflow
Figure 4.3.14: Share Document Workflow
Target Username: The name of the user with whom the document is to be shared.
Select Document: Select the document to be shared.
-
8/6/2019 Report Body With Bold Headings
26/87
SDX-Secure Document eXchange On Web Chapter 4
Dept of CSE, RNSIT 2010-11 Page 26
Appropriate access: Grant only the required access and click the share button.
Share Document Service: Depending on the rights granted and the rights of the user, the
document is shared. The system logging is done at the end depending upon the results of
the service.
Document Management
Figure 4.3.15: Document Management Workflow
The above workflow describes how a user can interact with a document and the services
required to do so.
Login ServiceIs a composition based service comprised of a series of services to see if
the user has successfully logged in. Success means that the user has successfully logged
in into the SDX On Web, failure is otherwise.
Read Document Service - Service that displays a copy of the document to the user.
Delete Document Service - Removes the document from the SDX ON WEB system.
Share Document Service - Shares the current document with a specified user.
Check-In/Check-Out Service - Check out prevents the document from being updated so
the user has exclusive access and check in removes exclusive access.
Update Document Service - Retrieves the documents that can be updated; which
documents the user has access to are calculated in the database. Updates the document by
uploading a new version.
-
8/6/2019 Report Body With Bold Headings
27/87
SDX-Secure Document eXchange On Web Chapter 4
Dept of CSE, RNSIT 2010-11 Page 27
System Logging Service - Records that the action that has just taken place into the system
log
4.4 Entity-Relationship Diagram
Figure 4.4.1: ER Diagram
The above diagram is the Entity-Relationship Diagram for the objects that we have used,
the links between each objects as shown above represents how the objects are dependent
on each other and how they are related. The golden key present in the objects as shown
above represents the primary key of the corresponding objects.
-
8/6/2019 Report Body With Bold Headings
28/87
SDX-Secure Document eXchange On Web Chapter 4
Dept of CSE, RNSIT 2010-11 Page 28
4.5 Class Diagram
-
8/6/2019 Report Body With Bold Headings
29/87
SDX-Secure Document eXchange On Web Chapter 4
Dept of CSE, RNSIT 2010-11 Page 29
-
8/6/2019 Report Body With Bold Headings
30/87
SDX-Secure Document eXchange On Web Chapter 4
Dept of CSE, RNSIT 2010-11 Page 30
4.6 UML Diagrams
Figure 4.6.1: New User Request
-
8/6/2019 Report Body With Bold Headings
31/87
SDX-Secure Document eXchange On Web Chapter 4
Dept of CSE, RNSIT 2010-11 Page 31
Figure 4.6.2: System Administrator
Figure 4.6.3: Login
-
8/6/2019 Report Body With Bold Headings
32/87
SDX-Secure Document eXchange On Web Chapter 4
Dept of CSE, RNSIT 2010-11 Page 32
Figure 4.6.4 : User Portal
-
8/6/2019 Report Body With Bold Headings
33/87
Dept of CSE, RNSIT 2010-11 Page 33
Chapter 5
REQUIREMENTS
5.1 Hardware Requirements
Intel Processor/ Celeron or AMD Processor.
RAM higher than 512 MB.
Hard disk space for the documents to get stored.
5.2 Software Requirements
Operating system equal to or newer than Windows XP.
Web browser equal to or newer than IE9.0 beta, Firefox 3.4, or Chrome.
SSL 3.0 activated in the web browser.
Firewall (Optional but strongly recommended).
A valid email address for account registration.
SQL Server 2005 Express Edition.
5.3Functional Requirements
Needs to be web based and available to users 24/7. It should allow users to log in using their username/password and perform
operations (according to their rights) on company documents.
The system should maintain all documents and related meta data.
A new user is considered as a temporary user and cannot do anything except
sending a request to the system administrator.
The system should provide the following operations to a signed in user: show
document list, upload, read, delete, update, check in/out and share a documents.
Every operation performed on any document should be logged.
5.4 External Interface Requirements
User Interface: The website must be usable from any browser under any operating
system.
Hardware Interfaces: SDX On Web should be implemented in a hardware-
independent fashion and should not rely on any particular hardware interfaces.
-
8/6/2019 Report Body With Bold Headings
34/87
SDX-Secure Document eXchange On Web Chapter 5
Dept of CSE, RNSIT 2010-11 Page 34
Software Interfaces: The documents repository will be held in a SQL DB and c#
will be used to interface with the DB.
Communication Interface: A web service layer implementing WCF (Windows
Communication Foundation).
5.5 Internal Interface Requirements
Secure Socket Layer (HTTPS) will provide users with an encrypted form for
security.
The system shall have the encryption for security requirement.
System shall be able to support up to 3000 transaction per hour with average
response time 3sec to maximum response time 10sec.
System shall be available 24 hours per day, 7 days per week.
System shall be capable of being accessed by multiple users.
System shall have a server application that performs all analysis, database
retrieval, and Real time query.
5.6 Non-Functional Requirements
We outline the following non-functional requirements
5.6.1 Safety Requirements
Safety requirements of a SDX On Web system include the appropriate
management of both user rights and document sharing operations. For this application,
the only potential risk is the potential incorrect manipulation of document contents.
The safety attributes the system must provide in order to be safe are as follows:
Ability of the system to securely store document data and related meta
data.
Ability of the system to securely store user account and corresponding
rights information.
Provide secure transactions.
-
8/6/2019 Report Body With Bold Headings
35/87
SDX-Secure Document eXchange On Web Chapter 5
Dept of CSE, RNSIT 2010-11 Page 35
5.6.2 Security and Privacy Requirements
There are a large number of security requirements associated with this project.
The client has requested end-to-end security in line with sensitive data. In order to meet
these requirements we will need to embed security in every part of the system. The
system should provide end to end confidentiality and authentication. Both document and
user information must be kept secure and private. The document information will be very
important, so are the access privileges. Both document content and metadata should be
encrypted during any kind of exchange transactions among different users. This is
especially important for sharing documents. The operations will not be executed without
the explicit consent of the owner. The information for users will be much more critical,because we will be storing the users login ID, name, password, role, request and
positions. For security reasons, user name must be an existing email account so that we
can validate the existence of the user. User account and the corresponding information
will be encrypted (using the secure socket server) during transactions. Also, because
quasi-identifier can be used to identify some specific users, therefore we will not show
users information to others unless explicitly permitted by the user.
5.6.2.1 Security Requirements
Beyond Privilege
Privilege check before opening the document. (Only show the documents which the
users have privilege to access).
Content Eavesdropping
Data should be encrypted during any kind of exchange transactions through internet
among different users. (Intercept data package). Forgery
Deny such kind of operation. Don't rely only on document titles for granting access.
(Rename the document to be the one the user has the right to access).
User Privacy
User account and the corresponding information will be encrypted.
Login Information Attack
Limit the times of login attempts. Email validation for real user confirmation guarantee the operation of password retrieval.
-
8/6/2019 Report Body With Bold Headings
36/87
SDX-Secure Document eXchange On Web Chapter 5
Dept of CSE, RNSIT 2010-11 Page 36
Log Activities
Activities should be correctly logged and should be kept highly confidential from
vulnerabilities like deletion of logs and accessing the file to gain information.
SQL Injection
Validate user input for SQL injection. Use stored procedure.
Session Validation and hijacking
Start and end session with user login and logout respectively. Session timeout if user
is idle.
Cross Site scripting
The application needs to be prevented from Cross site scripting.
-
8/6/2019 Report Body With Bold Headings
37/87
Dept of CSE, RNSIT 2010-11 Page 37
Chapter 6
IMPLEMENTATION
6.1 Implementation Plan
AnkhSVN Subversion
AnkhSVN is a free Subversion client. It is a software versioning and revision
control system implemented as a source-control plug-in for Microsoft Visual Studio
2005, 2008, 2010+. It is released under the Apache License. It provides an interface to
perform the most common revision control operations directly from inside the VS.NET
IDE. Changes are usually identified by a number or letter code, termed the "revision
number", "revision level", or simply "revision". For example, an initial set of files is
"revision 1". When the first change is made, the resulting set is "revision 2", and so on.
Each revision is associated with a timestamp and the person making the change.
Revisions can be compared, restored, and with some types of files, merged.
Rijndael Cryptographic Algorithm
Rijndael Cryptographic Algorithm encrypts specified plaintext using Rijndaelsymmetric key algorithm and returns a base64-encoded result. Plaintext value will be
encrypted. Passphrase from which a pseudo-random password will be derived. The
derived password will be used to generate the encryption key. Passphrase can be any
string. Here we assume that this passphrase is an ASCII string. Salt value is used along
with passphrase to generate password. Salt can be any string. Here we assume that salt is
an ASCII string. Hash algorithm is used to generate password. Allowed values are:
"MD5" and "SHA1". SHA1 hashes are a bit slower, but more secure than MD5 hashes. A
number of iterations are used to generate password. One or two iterations should be
enough. Initialization vector (or IV) value is required to encrypt the first block of
plaintext data. For Rijndael Managed class IV must be exactly 16 ASCII characters long.
Allowed values for size of encryption key in bits are: 128, 192, and 256. Longer keys are
more secure than shorter keys. Encrypted value formatted as a base64-encoded string. We
use this algorithm to encrypt and decrypt the documents to provide security against
eavesdropping and forgery.
-
8/6/2019 Report Body With Bold Headings
38/87
SDX-Secure Document eXchange On Web Chapter 6
Dept of CSE, RNSIT 2010-11 Page 38
Email-Client
An email client, email reader, or more formally mail user agent (MUA), is a
computer program used to manage a user's email. The term can refer to any system
capable of accessing the user's email mailbox, regardless of it being a mail user agent, a
relaying server, or a human typing on a terminal. In our project we use email-client to
send a password that is randomly generated to the inbox of the respective user in case of
forgotten password.
6.2 Pseudo-Code
Name: CeoService
Input: user name, user id, file name, file path
Output: None
function shareOnUpload(userid, fileName, FileUploadPath)
// When a subordinate uploads a file, it is implicitly shared by the CEO
begin
deptid
-
8/6/2019 Report Body With Bold Headings
39/87
SDX-Secure Document eXchange On Web Chapter 6
Dept of CSE, RNSIT 2010-11 Page 39
foreach document in doc_id_list do
begin
source
-
8/6/2019 Report Body With Bold Headings
40/87
SDX-Secure Document eXchange On Web Chapter 6
Dept of CSE, RNSIT 2010-11 Page 40
check out document
if checkout successful then
begin
returnval
-
8/6/2019 Report Body With Bold Headings
41/87
SDX-Secure Document eXchange On Web Chapter 6
Dept of CSE, RNSIT 2010-11 Page 41
if delete successful then
begin
result
-
8/6/2019 Report Body With Bold Headings
42/87
SDX-Secure Document eXchange On Web Chapter 6
Dept of CSE, RNSIT 2010-11 Page 42
input Contains("
-
8/6/2019 Report Body With Bold Headings
43/87
SDX-Secure Document eXchange On Web Chapter 6
Dept of CSE, RNSIT 2010-11 Page 43
allowedChars
-
8/6/2019 Report Body With Bold Headings
44/87
SDX-Secure Document eXchange On Web Chapter 6
Dept of CSE, RNSIT 2010-11 Page 44
return true
end
else
begin
return false
end
end
Name: LoginService
Input: regular expression for password, username, password
Output: Returns user object
function Login(RegexPassword, username, password)
begin
safeMode
-
8/6/2019 Report Body With Bold Headings
45/87
SDX-Secure Document eXchange On Web Chapter 6
Dept of CSE, RNSIT 2010-11 Page 45
return safemode
end
verify username for email syntax
if invalid then
begin
return safemode
end
verify the password against regular expression for password
if invalid then
begin
return safemode
end
authenticate the user
set the user object with authenticated attributes
return user object
end
Name: LogService
Input: Action string
Output: None
Maintains the system log for each action
Name: ManagerService
-
8/6/2019 Report Body With Bold Headings
46/87
SDX-Secure Document eXchange On Web Chapter 6
Dept of CSE, RNSIT 2010-11 Page 46
Input: user name, user id, file name, file path
Output: None
function shareOnUpload(userid, fileName, FileUploadPath)
// When a subordinate uploads a file, it is implicitly shared by the Manager
begin
deptid
-
8/6/2019 Report Body With Bold Headings
47/87
SDX-Secure Document eXchange On Web Chapter 6
Dept of CSE, RNSIT 2010-11 Page 47
Description: Changes password upon request
Input: Username of the user, Old Password of the uer, New Password of the user, Re-entered new password
Output: Returns true if password is changed otherwise false
function ChangePassword(username,oldPass,newPass,confirmPass)
begin
safemode
-
8/6/2019 Report Body With Bold Headings
48/87
SDX-Secure Document eXchange On Web Chapter 6
Dept of CSE, RNSIT 2010-11 Page 48
return safemode
end
IsXSSInjection(newPass)
if found then
begin
return safemode
end
IsXSSInjection(confirmPass)
if found then
begin
return safemode
end
if oldPass equals newPass then
begin
return safemode
end
if newPass != confirmPass then
begin
return safemode
end
if newPass does not match standard then
begin
return safemode
end
-
8/6/2019 Report Body With Bold Headings
49/87
SDX-Secure Document eXchange On Web Chapter 6
Dept of CSE, RNSIT 2010-11 Page 49
change the password
safemode
-
8/6/2019 Report Body With Bold Headings
50/87
SDX-Secure Document eXchange On Web Chapter 6
Dept of CSE, RNSIT 2010-11 Page 50
Add user to the department
end
Name: CheckInService
Input: docID,userID
Output: Returns "Document checked in" if document check in is successful otherwisefailure
function Add(username, department)
begin
check in document
if checkin successful then
begin
return "Document checked in"
end
end
Name: RegisterService
Input:emailID,password,confirm password,request,role,department,altenate
email,question and answer of the user.
Output: return true if the user is registered successfuly otherwise false.
functionRegisterNewUser(emailid,password,confirmpassword,request,role,department,altEmail,question,answer)
begin
safeMode
-
8/6/2019 Report Body With Bold Headings
51/87
SDX-Secure Document eXchange On Web Chapter 6
Dept of CSE, RNSIT 2010-11 Page 51
emailSyntaxValidation
-
8/6/2019 Report Body With Bold Headings
52/87
SDX-Secure Document eXchange On Web Chapter 6
Dept of CSE, RNSIT 2010-11 Page 52
emailSyntaxValidation
if not valid then
begin
return false
end
emailSyntaxValidation
-
8/6/2019 Report Body With Bold Headings
53/87
SDX-Secure Document eXchange On Web Chapter 6
Dept of CSE, RNSIT 2010-11 Page 53
Name: shareDocumentService
Input: username_target,userid_source,docid,read,update and check
Output: returns "success" if the documents are shared otherwise false
function ShareDocument(username_target,userid_source, docid, read, update, check)
begin
returnvalue
-
8/6/2019 Report Body With Bold Headings
54/87
SDX-Secure Document eXchange On Web Chapter 6
Dept of CSE, RNSIT 2010-11 Page 54
Name: UpdateService
Input: filename,fileUpdateDoc,userid,docid
Output: returns "success" if the document is successfuly updated otherwise false.
function UpdateFileService(FileName,fileUpdateDoc,userId, docid)
begin
fileOK
-
8/6/2019 Report Body With Bold Headings
55/87
SDX-Secure Document eXchange On Web Chapter 6
Dept of CSE, RNSIT 2010-11 Page 55
end
end
end
uploadedFile
-
8/6/2019 Report Body With Bold Headings
56/87
SDX-Secure Document eXchange On Web Chapter 6
Dept of CSE, RNSIT 2010-11 Page 56
end
if uploadedFile.ContentType equals "text/plain" then
begin
fileOK
-
8/6/2019 Report Body With Bold Headings
57/87
SDX-Secure Document eXchange On Web Chapter 6
Dept of CSE, RNSIT 2010-11 Page 57
if uploadedFile.ContentType equals "image/tiff" then
begin
fileOK
-
8/6/2019 Report Body With Bold Headings
58/87
SDX-Secure Document eXchange On Web Chapter 6
Dept of CSE, RNSIT 2010-11 Page 58
if fileOK && extensionOK is true then
begin
uploadedFile.InputStream.Read(docData, 0, fileLength)
docId
-
8/6/2019 Report Body With Bold Headings
59/87
SDX-Secure Document eXchange On Web Chapter 6
Dept of CSE, RNSIT 2010-11 Page 59
result
-
8/6/2019 Report Body With Bold Headings
60/87
SDX-Secure Document eXchange On Web Chapter 6
Dept of CSE, RNSIT 2010-11 Page 60
fileExtension
-
8/6/2019 Report Body With Bold Headings
61/87
SDX-Secure Document eXchange On Web Chapter 6
Dept of CSE, RNSIT 2010-11 Page 61
fileOK
-
8/6/2019 Report Body With Bold Headings
62/87
SDX-Secure Document eXchange On Web Chapter 6
Dept of CSE, RNSIT 2010-11 Page 62
begin
fileOK
-
8/6/2019 Report Body With Bold Headings
63/87
SDX-Secure Document eXchange On Web Chapter 6
Dept of CSE, RNSIT 2010-11 Page 63
fileOK
-
8/6/2019 Report Body With Bold Headings
64/87
SDX-Secure Document eXchange On Web Chapter 6
Dept of CSE, RNSIT 2010-11 Page 64
if return value equals 1 then
begin
result
-
8/6/2019 Report Body With Bold Headings
65/87
SDX-Secure Document eXchange On Web Chapter 6
Dept of CSE, RNSIT 2010-11 Page 65
Name: RijndaelService
Input: plain text
output: will get an encrypted data when the encrypt function is executed and then will getthe plain text of the encryted data when decrypt function is executed.
function array Encrypt(array plainTextBytes)
//encryts the plain text into cipher text which is a byte array.
begin
passPhrase
-
8/6/2019 Report Body With Bold Headings
66/87
SDX-Secure Document eXchange On Web Chapter 6
Dept of CSE, RNSIT 2010-11 Page 66
//decrypts the cipher text into plain text
begin
passPhrase
-
8/6/2019 Report Body With Bold Headings
67/87
SDX-Secure Document eXchange On Web Chapter 6
Dept of CSE, RNSIT 2010-11 Page 67
Sub versioning System: Ankhsvn
Project Hosted on: www.code.google.com
Database: Microsoft SQL Server 2005 Express Edition
6.4 User Manual
The following is a brief description of how a user can navigate through a system.
6.4.1 Why use the system?
The SDX On Web provides the ease of sharing documents in a corporate
environment. This system will allow multiple users to access and create files within an
organization no matter where the employee is located. Simplistic in design and robust in
functionality makes it the perfect addition to any company.
6.4.2 Introduction to the System
The SDX On Web utilizes the web and stores files on a remote server. Users can
then access the system and view those files pertaining to their department where they will
be able to read, update, delete, check-in, check-out, and upload files depending upon the
rights given to the user of the particular file.
6.4.3 Terminology used in the system
AdministratorMember of IT Support designated to administer SDX On Web.
New UserA user not yet authorized to use the system by the Administrator.
Check-outA command which prevents the document from being updated so the user
has exclusive access.
Check-inA command through which a user removes exclusive access.
Meta-dataAggregate of data associated with a file managed by the system that is
not part of the file itself.
-
8/6/2019 Report Body With Bold Headings
68/87
SDX-Secure Document eXchange On Web Chapter 6
Dept of CSE, RNSIT 2010-11 Page 68
6.4.4 Start Page
This is the first screen that a user will see when accessing the SDX On Web. Here
a description about the system is provided with a link that navigates to login page(6.4.5).
6.4.5 Login
Existing users can directly login to the system. Here the user has to enter email id
and password which is authenticated at the time of login. Unregistered users can click the
link New User register here which will direct the user to the register page(6.4.6).
6.4.6 Create User
A person interested in applying for a position, can fill out the form and the request
will be than forwarded to admin for approval, the member has to wait until the admin
sends the reply to his/her request.
Required fields for the Create User page:-
The E-Mail address should be the corporate address , like in this case it should
have an tech.com address. The password should be minimum 7 character long and should contain one
number, one letter and one symbol. Allowed symbols are @#$\()*%^&+=.
Request field enables the new user to communicate with system administrator.
The new user also selects his role from the drop down menu .
The new user can select any department from the drop down menu like human
resoursec, supply, research and development etc.
Futher there is a security question and answer field which is used in case of lostpassword.
If the user enter any unvalidated information or leave any field blank then an
appropriate error message is displayed.
After filling out each field the user must click Register button , this would
automatically deliver the information to the admin account.
-
8/6/2019 Report Body With Bold Headings
69/87
SDX-Secure Document eXchange On Web Chapter 6
Dept of CSE, RNSIT 2010-11 Page 69
6.4.7 System Administrator
Here, System Admin verifies the information provided by the users at the time of
registration. Admin verifies Name, Email id, User Role, Department for the user and
accordingly decide to either grant or deny access, thus providing another layer of security.
The following controls are provided
Fetch New Users: This fetches all the users who have registered new but not
granted access.
Fetch All Users: This fetches all the users in system including the temp users.
Check All/Uncheck All: This selects or deselects all the rows.
Deny Access/Delete User: If user(s) has been denied access, this means he/she
cannot access the system.
Grant Access: Allows the user to access the system according to the role he/she
has requested.
Additionally this page contains the system log that records every action performed
within the system. This is read only table listing the time at which events have occurred.
6.4.7 Document List
When the user logs in successfully , a list of documents populates the screen. The
user can view, edit, delete and share any of the documents provided he has the necessary
permissions. A more detailed explanation of the operations that can be performed on the
documents are as follows:
1) Upload
This operation allows the user to upload a new document from his system.
User feeds the Document name and browses the file from his system. A user becomes
the owner of document/file uploaded in this way.
2) Share
The owner of any document can share it with any other user by typing in the
username. Owner can dictate the permissions granted i.e., read, update, check-
in/check-out accesses.
-
8/6/2019 Report Body With Bold Headings
70/87
SDX-Secure Document eXchange On Web Chapter 6
Dept of CSE, RNSIT 2010-11 Page 70
3) Delete
Owner of the document can delete a file by selecting it from the drop-down
list.
4) Check-in
A document that has been checked-out can be checked-in. The list of checked-
out documents is shown in the drop down list. Checking-in will release the lock on the
document and allows other user who have the appropriate rights to check out the
document.
5) Check-out
Document List page lists the documents that can be checked-out. User can
select a document by clicking the checkbox and check out that particular document.
6.4.8 Requirements
Needs to be web based and available to users 24/7.
It should allow users to log in using their username/password and perform
operations (according to their rights) on company documents.
The system should maintain all documents and related metadata.
A new user is considered as a temporary user and cannot do anything except
sending a request to the system administrator.
The system should provide the following operations to a signed in user: show
document list, upload, read, delete, update, check in/out and share a documents.
Every operation performed on any document should be logged.
The system should provide end to end confidentiality and authentication.
Documents
The organization has the following departments:
1. Human resources
2. Logistic and supply
3. IT support
4. Sales
5. Research and development
-
8/6/2019 Report Body With Bold Headings
71/87
SDX-Secure Document eXchange On Web Chapter 6
Dept of CSE, RNSIT 2010-11 Page 71
The documents in the system can be of following formats:
Word, Excel, PPT, PDF, TXT, PNG, JIF and JPEG. The system maintains all the
documents and related meta-data, such as authors, titles, departments, creation time,
modifications dates and time .
Users
Users of this system can be categorized according to their roles. In this project, we
consider the following types of roles:
Corporate-level management officials, such as CEO, president, vice presidents:
Responsible for the operations of multiple departments
Department manager: Responsible for the operations of a department
Regular employees: Responsible for generating and maintaining most of the
documents in departments.
Temporary user: A user account created for a new user.
Guest user: A guest user who is not an employee of the organization.
System administrators: Maintain all the user accounts
6.4.9 Steps to start the system
The user should open their browser and access the correct web address, at
which time the log in screen will appear (default view).
6.4.10 Trouble-shooting and limitations
The DMS does not allow people to edit any document they did not create.
That is solely for the owner of the document.
-
8/6/2019 Report Body With Bold Headings
72/87
Dept of CSE, RNSIT 2010-11 Page 72
Chapter 7
RESULTANALYSIS
7.1 Test Cases
Test Case Expected Results Remarks
Test Case for Login
1. System User Login into
SDX ON WEB.
2. The System User enters
the information needed to
login into SDX ON WEB.
3. The System User enters
in an invalid System
Username or password
4. The System User enters
only password and does not
enter Username
5. The System User enters
only username and does not
enter password
The SDX ON WEB
prompts the System User to
enter the login information
username and password.
The SDX ON WEB
authenticates the System
User, and login into the
system and take the user
according to the privilege
into the appropriate page.
The SDX ON WEB notifies
the System User of the login
failure and requests re-entry
of all username and
password. The SDX ON
WEB check for SQL
injection and JavaScript
Injection for security.
The SDX ON WEB notifies
the System User of the login
failure and requests re-entryof all username and
password.
The SDX ON WEB notifies
the System User of the login
failure and requests re-entry
of all username and
password.
The SDX ON WEB notifies
Information Needed to
login:
1. Username i.e Email
2. Password
Failed. User logs in.
Password or username
matching not working
properly.
-
8/6/2019 Report Body With Bold Headings
73/87
Dept of CSE, RNSIT 2010-11 Page 73
6. The System User tries to
enter a very huge length of
Username and password
the System User of the login
failure and requests re-entry
of all username and
password.
Test Case Expected Results Remarks
Test Case for System
Administrator
1. System User Login into
the to SDX ON WEB.
2. The System User enters
the information needed to
login into SDX ON WEB.
3. The System currently the
System Administrator
acknowledges the username
or password is incorrect.
4. The system Admin is able
to view the correct page
The SDX ON WEB
prompts the System User to
enter the login informationusername and password.
The SDX ON WEB
authenticates the System
User, and login into the
system and take the user
according to the privilege
into the appropriate page in
this case it should be tosystem admin page.
The SDX ON WEB notifies
the System User of the login
failure and requests re-entry
of all username and
password.
The SDX ON WEB will
show all the new user
(Temporary) requiring the
access and according to the
information system admin
will click the check box and
access the grant or deny the
access. In both cases the
system will email the user
regarding the appropriate
Information Needed to
System admin:
Landing page should beshowing request for new
users.
-
8/6/2019 Report Body With Bold Headings
74/87
SDX-Security Document Exchange On Web Chapter 7
Dept of CSE, RNSIT 2010-11 Page 74
action taken.
Test Case Expected Results Remarks
Test Case for Normal User
like CEO , employee , Dept
Manager or Guest User
1. System User Login into
the to SDX ON WEB.
2. The System User enters
the information needed to
login into SDX ON WEB.
3. The System currently the
acknowledges the username
or password is incorrect.
4. The User is able to view
the correct page
5. The user shared
documents access rights
The SDX ON WEB
prompts the System User to
enter the login information
username and password.
The SDX ON WEB
authenticates the System
User, and login into the
system and take the user
according to the privilege
into the appropriate page in
this case it should be to
system admin page.
The SDX ON WEB notifies
the System User of the login
failure and requests re-entry
of all username and
password.
The SDX ON WEB will
show all the documents listthat has been shared as well
as all the documents that he
has uploaded. User can
check out the documents.
Shared documents will have
access privileage according
to that the user can only
have the ability to use the
document.
Information Needed to
System admin:
It will land onto a user
page where he can view all
the documents that he has
uploaded.
All the activities will be
logged and in case of any
discrepancy. The logged can
be viewed.
-
8/6/2019 Report Body With Bold Headings
75/87
SDX-Security Document Exchange On Web Chapter 7
Dept of CSE, RNSIT 2010-11 Page 75
6. The user clicks the
Upload Menu
7. The user clicks the
checkout button for the
document
8. The user clicks the share
document
9. The user enter a wrong
email id not in the system
during sharing
10. The user click check in
menu.
11. The user checks in
wrong documents.
12. The user click delete the
document.
On the upload menu user
can upload document with
only the specified format
like word, wordx, pdf, text,
rich text, images (should not
pass). He will mention the
Document name and select
the document path from
where he wants to upload.
Another window will open
showing the content of the
documents.
A list of all documents that
he can share will occur and
he will be able to share that
by mentioning the Email id
of the user.
The user will prompted for
wrong email id.
The user will ask to name
the document he is checking
in and to get the appropriate
path of the document.
The SDX ON WEB will
prompt the user that the
document is not uploaded or
checkout. Please verify the
document you are trying to
upload.
The user wants to delete a
certain document and he
click the documents. He will
have a drop down of the
document that he can delete
according to the privileges.
-
8/6/2019 Report Body With Bold Headings
76/87
SDX-Security Document Exchange On Web Chapter 7
Dept of CSE, RNSIT 2010-11 Page 76
13. The user clicks logout.
14. User tries to click back
button after logging out.
He will select the document
and the SDX ON WEB will
prompt whether he wants to
delete the documents if yes
SDX ON WEB will delete
the document.
The user will be taken to
home page and will have to
login again.
The SDX ON WEB will
remain on the home page. if
the user is trying to access
without active session.
Failed. User is still logged
in. Possibly session is not
removed.
-
8/6/2019 Report Body With Bold Headings
77/87
SDX-Security Document Exchange On Web Chapter 7
Dept of CSE, RNSIT 2010-11 Page 77
7.2 Snapshots
Default.aspx
Login.aspx
-
8/6/2019 Report Body With Bold Headings
78/87
SDX-Security Document Exchange On Web Chapter 7
Dept of CSE, RNSIT 2010-11 Page 78
Register.aspx
System Administrator.aspx
-
8/6/2019 Report Body With Bold Headings
79/87
SDX-Security Document Exchange On Web Chapter 7
Dept of CSE, RNSIT 2010-11 Page 79
Document List.aspx
Upload.aspx
-
8/6/2019 Report Body With Bold Headings
80/87
SDX-Security Document Exchange On Web Chapter 7
Dept of CSE, RNSIT 2010-11 Page 80
Delete.aspx
ViewDocument.aspx
-
8/6/2019 Report Body With Bold Headings
81/87
SDX-Security Document Exchange On Web Chapter 7
Dept of CSE, RNSIT 2010-11 Page 81
ShareDocument.aspx
UpdateDocument.aspx
-
8/6/2019 Report Body With Bold Headings
82/87
SDX-Security Document Exchange On Web Chapter 7
Dept of CSE, RNSIT 2010-11 Page 82
CheckIn.aspx
ChangePassword.aspx
-
8/6/2019 Report Body With Bold Headings
83/87
SDX-Security Document Exchange On Web Chapter 7
Dept of CSE, RNSIT 2010-11 Page 83
ForgotPassword.aspx
-
8/6/2019 Report Body With Bold Headings
84/87
Dept of CSE, RNSIT 2010-11 Page 84
Chapter 8
CONCLUSION
SDX On Web is a software system to facilitate access to all the documents within
an organization through the Internet. An organization often needs to track various
documents generated by all the users of the organization. It is very important to take
account of all possible attacks at all the stages of Software development so that no bug is
left in the Software or code for exploitation after the development. Various attacks like
Forgery, Eavesdropping, SQL Injection, User privacy, Session Hijacking etc were the
possible attacks outlined during the initial stages. And now the system developed is
immune to such attacks.
Further, we have used an Email-Client Service for validating an email address to
send a new random generated password in the case a password is lost. An added feature
of the system is that we have provided security to all the documents uploaded to the
system. This is facilitated by means of the Rijndael Encryption Algorithm.
A possible future enhancement is that a versioning system could be made a
feature. This would empower the author of a file to exercise more control over the
changes made to his shared files. Also, it will make the job of tracking changes to a file
easier.
Working on this project has been an amazing learning experience and we express
our heartfelt gratitude to everyone who have been giving their valuable inputs.
-
8/6/2019 Report Body With Bold Headings
85/87
GLOSSARY
Administrator: Member of IT support designated to Administer SDX on Web.
Check-in: A command through which a user removes exclusive access.
Check-out: A command which prevents the document from being updated so that the user
has exclusive access.
ISO: International Organization for Standardization, an NGO which sets standards that
often become laws.
JavaScript injection: It is facility by which we can insert our own JavaScript into web-site
by entering code into address bar or finding XSS vulnerability.
Metadata: Aggregate of data associated with a file managed by the system that is not part
of the file itself.
SDX: Secure Document eXchange.
Services: Refer to Web Services (WS).
SQLInjection: Is an attack in which malicious code is inserted into strings that are later
passed into an instance of SQL server for parsing and execution.
System log: Records the action that has just taken place into the system log. Its not
modifiable.
Web Service: Shares business logic, data and processes through a programmatic interface
across a network. They are also called application services.
WS: Refers to Web Service.
XSSAttempt: It is a cross-site scripting found in web applications that enables malicious
attackers to inject client side script into web pages viewed by other users.
-
8/6/2019 Report Body With Bold Headings
86/87
BIBILIOGRAPHY
[1]Pro C# With .NET 3.0 Special Edition by Andrew Troelsen
[2]http://articles.sitepoint.com/article/sql-server-2000-database
[3]http://www.sql-server-performance.com/articles/dba/stored_procedures_basics_p1
.aspx
[4]http://www.triconsole.com/dotnet/sqlconnection_class.php
[5]http://databases.about.com/od/sqlserver/a/storedprocedure.htm --> y to use stored
procedures
[6]sqa.fyicenter.com/.../Email_Address_Format_Validator.php email syntax
[7]http://msdn.microsoft.com/en-us/library/ -->to learn about namespaces
[8]www.java-samples.com
[9]www.experts-exchange.com
[10] www.msdn.microsoft.com
[11] http://www.codeproject.com/KB/aspnet/NoCaching.aspx?display=Print
[12] http://more-csharp.blogspot.com/2006/12/comprehensive-guide-to-c-and.html
[13] http://en.wikibooks.org/wiki/C_Sharp_Programming
[14] http://upload.wikimedia.org/wikipedia/commons/b/b3/C_Sharp_Programming.p
df
-
8/6/2019 Report Body With Bold Headings
87/87
[15] http://learn.iis.net/page.aspx/387/using-visual-studio-2008-with-iis-7/
[16] www.thehackerslibrary.com/?p=28
[17] http://en.wikipedia.org/wiki/Cross-site_scripting
[18] http://en.wikipedia.org/wiki/SHA-1
[19] http://www.opendocman.com/