Recall that you recently joined a team at an IT software company who tasked you with conducting a design and code review of the team-owned codebases. As you onboard to your new team and explore the codebase, you discover an ASP.NET Blazor web project. With OWASP Top 10 in mind, you set off on a deep dive into the code with your security lenses on.

You start at the top of the OWASP Top 10 list with #1: Broken Access Control. This category refers to incidents where a user who shouldn’t have permission to access that data viewed confidential information.

Built-in framework security capabilities
.NET has built-in authentication and session management, so there’s no need to implement your own. Let’s consider a ASP.NET Core controller. A controller without any authorization attributes treats each request the same way without applying any security checks. By decorating controller actions or the controller itself with Authorize (user must be signed in and authenticated) or AllowAnonymous (any unauthenticated caller can invoke method) attributes, you gain control over what’s publicly accessible and which functionality is for authorized users only.

Plain ASP.NET controller with no authorization attributes, no access restrictions applied.

C#

Copy
public class AccountController : Controller
{
public ActionResult Login()
{
}

public ActionResult Logout()
{
}

public ActionResult GetCitizenTaxId()
{
}
}
Controller with authorization attributes, based on policy or role assignments. Authorized caller is able to invoke the GetCitizenTaxId method.

C#

Copy
[Authorize(Policy=””, Roles=””]
public class AccountController : Controller
{
[AllowAnonymous]
public ActionResult Login()
{
}

public ActionResult Logout()
{
}

[Authorize]
public ActionResult GetCitizenTaxId()
{
}
}
Similarly, the ASP.NET Minimal API supports the attribute decoration (Lambda HTTP get method with [Authorize] attribute), policy (AdminsOnly), and claim (admin) authorization, as shown here:

C#

Copy
var builder = WebApplication.CreateBuilder(args);

// Policy and claim use below
builder.Services.AddAuthorization(o => o.AddPolicy(“AdminsOnly”, b => b.RequireClaim(“admin”, “true”)));
var connectionString = builder.Configuration.GetConnectionString(“DefaultConnection”);
builder.Services.AddDbContext(options => options.UseSqlServer(connectionString));
builder.Services.AddDefaultIdentity(options => options.SignIn.RequireConfirmedAccount = true).AddEntityFrameworkStores();
var app = builder.Build();
app.UseAuthorization();

// Attribute use below
app.MapGet(“/auth”, [Authorize] () => “This endpoint requires authorization.”);
app.MapGet(“/”, () => “This endpoint doesn’t require authorization.”);
app.Run();
Your application’s user interface should also reflect the user’s authentication (the user is who they say they are) and authorization state (whether the user is allowed to access certain information). Here, too, you’re covered by the OWASP Top 10 framework. ASP.NET Blazor’s razor syntax supports conditionally displayed components depending on authorization status. The AutorizeView component selectively displays UI content based on user’s authorized status.

C#

Copy

Hello, @context.User.Identity.Name!

You can only see this content if you are authorized. Authorized Only Button

Authentication Failure!

You are not signed in.

@code {

private void SecureMethod() 
{ 
    // Invoked only upon successful authorization
}     

}

dynamics 365 marketing training courses malaysia

As application complexity increases, so does the effort of making it secure. Modern applications, in contrast with single-project monolith legacy applications, have many dependencies. Including, external libraries, services for hosting, building, and releasing, to name a few. None of these services are simple “plug and play” affairs. Developers need to understand them and know how to configure and implement the flows and processes securely in their own code.

Security is everyone’s job. Developers, service engineers, and program and product managers must understand security basics and know how to build security into software and services.

Training and education is an essential stage in the security-application development lifecycle (or SDL). For developers, OWASP Top 10 is a great start.

From a software-development point of view, your team’s security journey should begin by familiarizing yourself with the concepts behind each item on the Top 10 list.

Although security is everyone’s job, it’s important to remember that not everyone needs to be a security expert nor strive to become a proficient penetration tester. However, ensuring everyone understands the attacker’s perspective, their goals, and the art of the possible, helps capture the attention of everyone and raise the collective knowledge bar.

java programming training courses malaysia

Blazor includes layouts to make it easy to code common user interface (UI) elements that appear on many pages in your app.

Suppose you’re working in the pizza delivery company’s website and you created the content for most of the main pages as a set of Blazor components. You want to ensure that these pages have the same branding, navigation menus, and footer section. However, you don’t want to have to copy and paste that code into multiple files.

oracle java training courses malaysia

Suppose you write a component to handle a URI that the user requests, such as http://www.contoso.com/pizzas/margherita/?extratopping=pineapple.

When you write a component, you might need access to navigation information like:

• The current full URI, such as http://www.contoso.com/pizzas/margherita?extratopping=pineapple.
• The base URI, such as http://www.contoso.com/.
• The base relative path, such as pizzas/margherita.
• The query string, such as ?extratopping=pineapple.

You can use a NavigationManager object to obtain all these values. You must inject the object into the component and then you can access its properties. This code uses the NavigationManager object to obtain the website’s base URI and then uses it to set a link to the home page:

razorCopy

@page "/pizzas"
@inject NavigationManager NavManager

<h1>Buy a Pizza</h1>

<p>I want to order a: @PizzaName</p>

<a href=@HomePageURI>Home Page</a>

@code {
    [Parameter]
    public string PizzaName { get; set; }
    
    public string HomePageURI { get; set; }
    
    protected override void OnInitialized()
    {
        HomePageURI = NavManager.BaseUri;
    }
}

To access the query string, you must parse the full URI. To execute this parse, use the QueryHelpers class from the Microsoft.AspNetCore.WebUtilities assembly:

razorCopy

@page "/pizzas"
@using Microsoft.AspNetCore.WebUtilities
@inject NavigationManager NavManager

<h1>Buy a Pizza</h1>

<p>I want to order a: @PizzaName</p>

<p>I want to add this topping: @ToppingName</p>

@code {
    [Parameter]
    public string PizzaName { get; set; }
    
    private string ToppingName { get; set; }
    
    protected override void OnInitialized()
    {
        var uri = NavManager.ToAbsoluteUri(NavManager.Uri);
        if (QueryHelpers.ParseQuery(uri.Query).TryGetValue("extratopping", out var extraTopping))
        {
            ToppingName = System.Convert.ToString(extraTopping);
        }
    }
}

With the preceding component deployed, if a user requested the URI http://www.contoso.com/pizzas?extratopping=Pineapple, they would see the message “I want to add this topping: Pineapple” in the rendered page.

You can also use the NavigationManager object to send your users to another component in code by calling the NavigationManager.NavigateTo() method:

razorCopy

@page "/pizzas/{pizzaname}"
@inject NavigationManager NavManager

<h1>Buy a Pizza</h1>

<p>I want to order a: @PizzaName</p>

<button class="btn" @onclick="NavigateToPaymentPage">
    Buy this pizza!
</button>

@code {
    [Parameter]
    public string PizzaName { get; set; }
    
    private void NavigateToPaymentPage()
    {
        NavManager.NavigateTo("buypizza");
    }
}

jboss training courses malaysia

When the user makes a request for a page from your web app, they can specify what they want to see with information in the URI. For example:

http://www.contoso.com/pizzas/margherita?extratopping=pineapple

After the protocol and website address, this URI indicates that the user wants to know about margherita pizzas. Also, the query string after the question mark shows that they’re interested in an extra topping of pineapple. In Blazor, you use routing to ensure that each request is sent to the component that can best respond. You also use routing to ensure that the component has all the information it needs to display what the user wants. In this case, you might want to send the request to the Pizzas component and for that component to display a margherita pizza with information about adding pineapple to it.

Blazor routes requests with a specialized component called the Router component. The component is configured in App.razor like this:

razorCopy

<Router AppAssembly="@typeof(Program).Assembly">
    <Found Context="routeData">
        <RouteView RouteData="@routeData" DefaultLayout="@typeof(MainLayout)" />
    </Found>
    <NotFound>
        <p>Sorry, we haven't found any pizzas here.</p>
    </NotFound>
</Router>

When the app starts, Blazor checks the AppAssembly attribute to find out which assembly it should scan. It scans that assembly for components that have the RouteAttribute present. Blazor uses these values to compile a RouteData object that specifies how requests are routed to components. When you code the app, you use the @page directive in each component to fix the RouteAttribute.

In the preceding code, the <Found> tag specifies the component that handles the routing at runtime: the RouteView component. This component receives the RouteData object and any parameters from the URI or query string. It then renders the specified component and its layout. You can use the <Found> tag to specify a default layout, which is used when the selected component doesn’t specify a layout with the @layout directive. You learn more about layouts later in this module.

In the <Router> component, you can also specify what is returned to the user when there isn’t a matching route, by using the <NotFound> tag. The preceding example returns a single <p> paragraph, but you can render more complex HTML. For example, it might include a link to the home page or a contact page for site administrators.

Using the @page directive

In a Blazor component, the @page directive specifies that the component should handle requests directly. You can specify a RouteAttribute in the @page directive by passing it as a string. For example, this attribute specifies that the page handles requests to the /Pizzas route:

razorCopy

@page "/Pizzas"

If you want to specify more than one route to the component, use two or more @page directives, like in this example:

razorCopy

@page "/Pizzas"
@page "/CustomPizzas"

juniper networks training courses malaysia

We’re building hybrid apps with .NET, which means we have access to all of the .NET class libraries. In addition to these APIs, building Blazor Hybrid apps with .NET MAUI not only allows you to deploy to multiple platforms, it also allows access to each platform’s native APIs. This means that if you need to integrate platform capabilities of iOS, Android, macOS, or Windows, you can do it all in C#. You can access these APIs directly from your Blazor components or create shared .NET MAUI class libraries.

Platform integration

Each platform that .NET MAUI supports offers unique operating system and platform APIs that you can access from C#. .NET MAUI provides cross-platform APIs to access much of this platform functionality, which includes access to sensors, accessing information about the device on which an app is running, checking network connectivity, storing data securely, and initiating browser-based authentication flows.

.NET MAUI separates these cross-platform APIs into different areas of functionality:

• Application Model: App functionality, including app actions, application information, opening the browser, opening URIs, opening maps, handling permissions, and version tracking
• Communication: Access to contacts, email, networking, phone dialer, sms messaging, and web authentication
• Device Features: Information and access to battery, display info, device info, sensors, flashlight, geocoding, geolocation, haptic feedback, and vibration
• Media: Including media picker, screenshots, text to speech, and unit converters
• Sharing: Including access to the clipboard and sharing files or text to other applications
• Storage: APIs for picking files, file system helpers, preferences, and secure storage

kubernetes training courses malaysia

You’ve defined the UI for your web app. Now, let’s explore how to add logic to the app. In a Blazor app, you can add C# code in separate .cs files or inline in your Razor components.

C# inline in components

It’s common practice to mix HTML and C# in a single Razor component file. For simple components with lighter code requirements, this approach works well. To add code into a Razor file, you’ll use Razor syntax.

What are Razor directives?

Razor directives are component markup used to add C# inline with HTML. With directives, developers can define single statements, methods, or larger code blocks.

Code directives

Code directives should be familiar to developers who have used Razor in MVC or Pages.

You can use @expression() to add a C# statement inline with HTML. If you require more code, use the @code directive to add multiple statements enclosed by parentheses.

You can also add an @functions section to the template for methods and properties. They’re added to the top of the generated class, where the document can reference them.

lean it certification training courses malaysia

Companies that build web apps and client apps commonly hire developers for different roles. Some developers create back-end, server-side logic. Some build client-side web apps. Others build native-client apps for mobile and desktop platforms. These developers often use different development languages and technologies.

C# and .NET are popular choices for building server-side logic. Client-side web apps are often built with web UI frameworks using JavaScript. When it comes to native-client apps for desktop and mobile, there are several options available, including many for .NET and C#. Using multiple languages and toolsets requires multiple sets of skills and often requires two separate teams. Also, code to transfer and represent data must be built in both languages and kept in sync. Blazor Hybrid can simplify your development team’s tasks, code, and processes by allowing you to use your existing skills and code in building web applications in C# and .NET to build native-client applications using these same technologies.

In this unit, you’ll start with an introduction to Blazor Hybrid, .NET MAUI, and Razor Components.

What is Blazor?

Blazor apps are composed of reusable web UI components built using C#, HTML, and CSS. With Blazor, developers can build client and server code with C#. They can also share code and libraries with the front-end client code and back-end logic. Using C# for all code simplifies sharing data between the front end and back end, enables code reuse to accelerate development, and reduces maintenance.

jboss enterprise application platform training courses malaysia

Blazor is a fully featured web UI framework designed to handle the needs of most modern web apps. But whether Blazor is the right framework for you depends on many factors.

You should consider using Blazor for web development if:

• You’re looking for a highly productive full stack web development solution.
• You need to deliver web experiences quickly without the need for a separate frontend development team.
• You’re already using .NET, and you want to apply your existing .NET skills and resources on the web.
• You need a high-performance and highly scalable backend to power your web app.

iot training courses malaysia

Blazor provides many features to help you get started and deliver your next web app project fast. Let’s take a tour of the core capabilities of Blazor to help you decide whether you should use Blazor for your next great web app.

Blazor components

Blazor apps are built from components. A Blazor component is a reusable piece of web UI. A Blazor component encapsulates both its rendering and UI event handling logic. Blazor includes various built-in components for form handling, user input validation, displaying large data sets, authentication, and authorization. Developers can also build and share their own custom components, and many prebuilt Blazor components are available from the Blazor ecosystem.

Use standard web technologies

You author Blazor components using Razor syntax, a convenient mixture of HTML, CSS, and C#. A Razor file contains plain HTML and then C# to define any rendering logic, like for conditionals, control flow, and expression evaluation. Razor files are then compiled into C# classes that encapsulate the component’s rendering logic. Because Blazor components authored in Razor are just C# classes, you can call arbitrary .NET code from your components.

UI event handling and data binding

Interactive Blazor components can handle standard web UI interactions using C# event handlers. Components can update their state in response to UI events and adjust their rendering accordingly. Blazor also includes support for two-way data binding to UI elements as a way to keep component state in sync with UI elements.

The following example is a simple Blazor counter component implemented in Razor. Most of the content is HTML, while the @code block contains C#. Every time the button is pressed the IncrementCount C# method is invoked, which increments the currentCount field, and then the component renders the updated value:

razorCopy

<h1>Counter</h1>

<p role="status">Current count: @currentCount</p>

<button class="btn btn-primary" @onclick="IncrementCount">Click me</button>

@code {
    private int currentCount = 0;

    private void IncrementCount()
    {
        currentCount++;
    }
}

checkpoin certification malaysia