Quick start
The simplest way to use MBLM Logic Check is to use its ASP.NET validator control.
You can add this control to your page as you would any other server control.
To add the MBLM Logic Check validator control to the toolbox, use the "Choose Toolbox Items Dialog Box" in Visual Studio 2005.
The Logic Check validator control works similarly to any other validator control, except you'll notice it has a couple of extra properties.
Most notable of these properties are the "QuestionControl" and "InstructionsControl" properties.
Here you may select a Label, a TextBox or some other type of ASP.NET control in which the logical question is to be displayed, and another for displaying any instructions that the user may need.
<%@ Register Assembly="MBLM.LogicCheck" Namespace="MBLM.LogicCheck.Web" TagPrefix="cc1" %>
<asp:Label ID="lblQuestion" runat="server" Text="Label"></asp:Label>
<asp:Label ID="lblInstructions" runat="server" Text="Label"></asp:Label>
<asp:TextBox ID="TextBox1" runat="server"></asp:TextBox>
<cc1:LogicValidator
    id="LogicValidator1"
    runat="server"
    QuestionLabel="lblQuestion"
    ControlToValidate="TextBox1"
    InstructionsLabel="lblInstructions"
    ErrorMessage="Sorry incorrect. Try again.">
</cc1:LogicValidator>
Verifying that a request has been validated is done the same way as with any other ASP.NET validator server control...
protected void btnSubmit_Click(object sender, EventArgs e)
{
    if (!IsValid)
        return; // Request validation failed

    // Request is from a human... continue processing
}
And that's all there is to it.
Configuring Logic Check
Logic Check will operate on predefined defaults without configuration, but it is advisable for security purposes to make some customisations.
A lot of effort has gone into making configuring and customising MBLM Logic Check as easy as it can possibly be.
To configure Logic Check via the web.config, you first need to declare the Logic Check config section inside the configSections element...
<configSections>
    <sectionGroup name="mblm">
        <section
            name="logicCheck"
            type="MBLM.LogicCheck.Config.LogicCheckSection, MBLM.LogicCheck, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"
            allowLocation="true"
            allowDefinition="Everywhere"
        />
    </sectionGroup>
</configSections>
Then you may add the MBLM Logic Check configuration section as follows...
<mblm>
    <logicCheck securityLoggingEnabled="true" invalidAnswersLimit="5" privateKey="bruce">
        <maptcha
            numOperands="2"
            probabilityNumeric="0"
            maximumAddSubtractOperand="50"
            maximumMultiplyOperand="20"
            maximumDenominator="20"
            maximumNumerator="20" />
    </logicCheck>
</mblm>
The following table describes the system-wide attributes in the Logic Check configuration section.
| Attribute | Description |
| --- | --- |
| securityLoggingEnabled | Set to true to enable security monitoring; when set to false no events are raised. This setting is only effectual when ASP.NET Health Monitoring is enabled. |
| invalidAnswersLimit | This setting may be used to log invalid attempts to submit a request without a valid answer to a Logic Check question. The default value is zero, which results in no LogicCheckSecurity events being logged when users' requests have repeatedly failed Logic Check's validation. A value greater than zero defines the number of attempts that may be made before a security event is raised. See below for more details regarding Logic Check and ASP.NET Health Monitoring. |
| privateKey | This is a private key which is used by the system for security purposes. Providing this key is not compulsory, but it is advisable to maximise security. |
The following table describes the attributes used for configuring the behaviour of the MBLM Maptcha Logic Check.
| Attribute | Description |
| --- | --- |
| numOperands | The number of operands in maptcha problems |
| probabilityNumeric | An integer which determines the probability a number is represented using numeric characters, i.e. "4" as opposed to "four". Valid values are: 0, which indicates no numeric characters; 1, which indicates all numbers should be represented with numeric characters; > 1, a probability, e.g. 2 represents 1 in 2, a 50% probability. |
| maximumAddSubtractOperand | The maximum number to use in add and subtract operations |
| maximumMultiplyOperand | The maximum number to be used in multiplication operations |
| maximumDenominator | The maximum denominator to be used in divide operations |
| maximumNumerator | The maximum numerator to be used in divide operations |
| weighting | When using multiple Logic Check plug-ins you may alter the probability a plug-in is selected using its weighting. Valid values are between 1 and 100; by default this value is set to 50. |
Creating MBLM Logic Check Plug-ins
To create a plug-in for MBLM Logic Check you simply need to create a single class which implements the ILogicCheck interface.
Here's a simple example which randomly chooses questions from a resource file.
using System;

public class GeneralKnowledgeQuestions : ILogicCheck
{
    // Number of question/answer pairs (q0..q4) in the Questions resource file
    const int NumQuestions = 5;
    public const string PLUGIN_ID = "MBLM.LogicCheckPluginDemo.GeneralKnowledge";

    public string TypeID { get { return PLUGIN_ID; } }

    public string GenerateLogicCheck(out IAnswerVerifier verifier)
    {
        // Pick one of the questions at random.
        // System.Random is not a cryptographically secure generator.
        Random randomiser = new Random();
        int qNum = randomiser.Next(NumQuestions);

        // Look up the question text and its expected answer
        string answer = Questions.ResourceManager.GetString(string.Format("q{0}Answer", qNum));
        string question = Questions.ResourceManager.GetString(string.Format("q{0}", qNum));

        // The verifier is returned to the caller through the out parameter
        verifier = new SimpleComparisonVerifier("myKey", question, answer);
        return question;
    }

    public string Instructions { get { return Questions.Instructions; } }
}
Using an MBLM Check Plug-in
To use an MBLM Check Plug-in you simply add an entry detailing the plug-in's assembly and fully qualified class name to the Web.config as follows...
<mblm>
    <logicCheck>
        <plugins>
            <logicCheckPlugin
                type="MBLM.LogicCheckPluginDemo.GeneralKnowledgeQuestions, MBLM.LogicCheckPluginDemo, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"
                weighting="100"/>
        </plugins>
    </logicCheck>
</mblm>
With this entry in the web.config and the default weighting for the Maptcha Logic Check, the GeneralKnowledgeQuestions plug-in above will be chosen to handle two out of every three requests.
Logic Check Security Events
Logic Check utilises the ASP.NET 2.0 "Health Monitoring" architecture, enabling you to log security events.
MBLM Logic Check contains numerous security checks and will raise events when it detects activity that might be indicative of an automated attack or an attempt to circumvent Logic Check's security.
Events logged contain information about the request such as the user's login and IP address, and the last Logic Check question and the answer submitted from the user.
Whilst these events may be raised from time to time through normal use, repeated events arising from a single user would likely suggest malicious intent.
By default this functionality is deactivated; to enable logging, you must first add the appropriate attributes to the MBLM Logic Check section in the web.config as follows...
<mblm>
    <logicCheck securityLoggingEnabled="true" invalidAnswersLimit="5" />
</mblm>
Secondly, you must enable ASP.NET Health Monitoring and add the MBLM LogicCheckSecurityEvent event to the list of mapped events as follows...
<system.web>
    <healthMonitoring enabled="true">
        <eventMappings>
            <add name="LogicCheckEvent"
                type="MBLM.LogicCheck.Management.LogicCheckSecurityEvent" />
        </eventMappings>
        <rules>
            <clear />
            <add name="Repeated Failure LogicCheckEvent"
                eventName="LogicCheckEvent"
                provider="EventLogProvider"
                profile="Default"
                minInstances="1"
                maxLimit="Infinite"
                minInterval="00:01:00"
            />
        </rules>
    </healthMonitoring>
</system.web>
The LogicCheckSecurityEvent derives from System.Web.Management.WebFailureAuditEvent, so alternatively you can consume logic check events by creating a rule for the WebFailureAuditEvent.
In this case we are using the EventLogProvider to log events to the system event log, however you may use any health monitoring provider to log the event in alternative ways, such as via email, SQL Server or a log file.
Consult the MSDN documentation for further details on how you may configure and utilise ASP.NET Health Monitoring.
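One way to act on the "repeated events arising from a single user" signal described above is a custom health monitoring provider that counts Logic Check events per client address over a sliding window. This is an added example, not part of MBLM Logic Check; the class name RepeatedFailureProvider, the threshold of 3 and the 10-minute window are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Web.Management;

// Added example, not part of MBLM Logic Check. The class name, Threshold and
// Window are assumptions chosen for illustration.
public class RepeatedFailureProvider : WebEventProvider
{
    static readonly TimeSpan Window = TimeSpan.FromMinutes(10);
    const int Threshold = 3;

    readonly object _sync = new object();
    readonly Dictionary<string, Queue<DateTime>> _hitsByAddress =
        new Dictionary<string, Queue<DateTime>>();

    public override void ProcessEvent(WebBaseEvent raisedEvent)
    {
        // LogicCheckSecurityEvent derives from WebFailureAuditEvent, so request
        // details are exposed through the WebAuditEvent base class.
        WebAuditEvent audit = raisedEvent as WebAuditEvent;
        if (audit == null || audit.RequestInformation == null)
            return;
        string address = audit.RequestInformation.UserHostAddress ?? "unknown";
        if (RecordFailure(address, raisedEvent.EventTimeUtc))
            Trace.TraceWarning("Repeated Logic Check failures from {0}", address);
    }

    // Returns true once an address has Threshold or more events inside Window.
    public bool RecordFailure(string address, DateTime whenUtc)
    {
        lock (_sync)
        {
            Queue<DateTime> hits;
            if (!_hitsByAddress.TryGetValue(address, out hits))
                _hitsByAddress[address] = hits = new Queue<DateTime>();
            hits.Enqueue(whenUtc);
            // Drop events that have aged out of the sliding window.
            while (whenUtc - hits.Peek() > Window)
                hits.Dequeue();
            return hits.Count >= Threshold;
        }
    }

    public override void Flush() { }    // nothing is buffered
    public override void Shutdown() { } // no resources to release
}
```

Register the class under the healthMonitoring providers element and name it in the rule's provider attribute in place of EventLogProvider. The per-address dictionary is never pruned here, so a production version should expire idle entries.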
Detailed Information
You can gain a quick overview of Logic Check's architecture from this UML diagram.
If you are unfamiliar with UML class diagrams, you can get a quick start in understanding UML here.
For detailed information, please feel free to download Logic Check and examine the class library reference.