PrepAway - Latest Free Exam Questions & Answers

Which code segment should you use?

###BeginCaseStudy###
Testlet 1
Background
You are developing an ASP.NET MVC application in Visual Studio 2012 that will be used by Olympic marathon
runners to log data about training runs.
Business Requirements
The application stores date, distance, and duration information about a user’s training runs. The user can view,
insert, edit, and delete records.
The application must be optimized for accessibility.
All times must be displayed in the user’s local time.
Technical Requirements
Data Access:
Database access is handled by a public class named RunnerLog.DataAccess.RunnerLogDb.
All data retrieval must be done by HTTP GET and all data updates must be done by HTTP POST.
Layout:
All pages in the application use a master layout file named \Views\Shared\_Layout.cshtml.
Models:
The application uses the \Models\LogModel.cs model.
Views:
All views in the application use the Razor view engine.
Four views located in \Views\RunLog are named:
_CalculatePace.cshtml
EditLog.cshtml
GetLog.cshtml
InsertLog.cshtml
The application also contains a \Views\Home\Index.cshtml view.
Controllers:
The application contains a \Controllers\RunLogController.cs controller.
Images:
A stopwatch.png image is located in the \Images folder.
Videos:
A map of a runner’s path is available when a user views a run log. The map is implemented as an Adobe Flash
application and video. The browser should display the video natively if possible, using H264, Ogg, or WebM
formats, in that order. If the video cannot be displayed, then the Flash application should be used.
Security:
You have the following security requirements:
The application is configured to use forms authentication.
Users must be logged on to insert runner data.
Users must be members of the Admin role to edit or delete runner data.
There are no security requirements for viewing runner data.
You need to protect the application against cross-site request forgery.
Passwords are hashed by using the SHA1 algorithm.
RunnerLog.Providers.RunLogRoleProvider.cs contains a custom role provider.
Relevant portions of the application files follow. (Line numbers are included for reference only.)
Application Structure

###EndCaseStudy###

You need to add an action to RunLogController to validate the users’ passwords.
Which code segment should you use?


A.
Option A

B.
Option B

C.
Option C

D.
Option D

6 Comments on “Which code segment should you use?”

    1. petro says:

      Some more information on why “B” is not an option:
      Do not use RequireHttpsAttribute on Web APIs that receive sensitive information. RequireHttpsAttribute uses HTTP status codes to redirect browsers from HTTP to HTTPS. API clients may not understand or obey redirects from HTTP to HTTPS. Such clients may send information over HTTP.
      (Source – Microsoft Docs: https://docs.microsoft.com/en-us/aspnet/core/security/enforcing-ssl?view=aspnetcore-2.1&tabs=visual-studio)




    1. Mxx says:

      From the reference
      “The RequireHttpsAttribute ensures that all calls to the decorated controller or method have
      gone through HTTPS to ensure secure transport. You typically use it whenever you manage
      confidential or secure information, such as personal information, credit card purchases,
      or screens that are expecting login names and passwords. If the call has not gone through
      HTTPS, the application forces a resubmit over HTTPS.”
      I think the right answer is B.




  1. ekramy says:

    If you EVER send a user’s password and login over the line, without encrypting it (i.e. using https), you might as well give every user access to everything because you will have no security.
    Microsoft will not only test your reading skills, but also your common sense.
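
Added example, not part of the original page or of any commenter's post: the comments turn on what happens when credentials are sent to an HTTP endpoint that enforces HTTPS by answering with a status code. This loopback demo shows that the server-side answer arrives only after the form body has crossed the wire unencrypted. The stand-in server, its 403 answer, the route `/RunLog/ValidatePassword` and the field names are assumptions constructed for the example.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs


class PlainHttpListener(BaseHTTPRequestHandler):
    """Constructed stand-in for an HTTPS-only action reached over plain HTTP."""
    received = []  # request bodies that crossed the wire unencrypted

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        self.received.append(self.rfile.read(length).decode())
        # The refusal (or a redirect) can only be sent after the request arrived.
        self.send_response(403)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass


def post_login_over_http(form_body):
    """POST a login form over HTTP; return (status, fields the server saw in cleartext)."""
    PlainHttpListener.received.clear()
    server = HTTPServer(("127.0.0.1", 0), PlainHttpListener)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        conn = http.client.HTTPConnection("127.0.0.1", server.server_port, timeout=5)
        # Hypothetical route and field names, chosen for this example only.
        conn.request("POST", "/RunLog/ValidatePassword", body=form_body,
                     headers={"Content-Type": "application/x-www-form-urlencoded"})
        response = conn.getresponse()
        response.read()
        status = response.status
        conn.close()
    finally:
        server.shutdown()
        server.server_close()
    return status, parse_qs(PlainHttpListener.received[0])


if __name__ == "__main__":
    status, leaked = post_login_over_http("userName=runner1&password=constructed-secret")
    print("server answered", status, "but already received", leaked)
```

The protection therefore has to sit before the request is sent: serve the login form itself over HTTPS and post it to an `https://` URL, so the server-side check is a backstop and not the only control.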



