CSLA, silverlight and 'sensitive data'

Old forum URL: forums.lhotka.net/forums/t/11341.aspx


griff posted on Tuesday, May 01, 2012

Hi

I am about to develop a SL app - I know my client will ask me about Data Protection/sensitive data and security - my understanding is limited here.

I have a little understanding that calling https:// is SSL and makes that communication secure - but with SL you don't call https:// (or do you?) - anyway, how (if any) does/can CSLA and SL send sensitive data across the wire securely? And if there is not an easily ready way (e.g. web.config stuff) has anyone any advice on fielding these types of questions?

Thanks

Richard

 

TSF replied on Tuesday, May 01, 2012

I don't know all the options involved with this, but under the covers CSLA uses WCF for communicating with the remote data portal.  And WCF communication can be done over SSL.  You'll notice that in any of the available SL examples that use a remote data portal, the ServiceReferences.ClientConfig file (found in the SL project) contains a service endpoint so that it can communicate with the server:

<endpoint address="http://myappserver/myproject/SlPortal.svc" binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_IWcfPortal" contract="WcfPortal.IWcfPortal" name="BasicHttpBinding_IWcfPortal"/>

So you should be able to adjust the address to https instead of http.  In addition, you might have to modify your bindingConfiguration...not sure about that, though.

griff replied on Tuesday, May 01, 2012

Hi

thanks for your replies - will look into - TSF if your suggestion works that looks like a nice and easy solution - happy to hear from people who have maybe gone down this route

ajj3085 replied on Tuesday, May 01, 2012

One other thing to consider.  If you have objects which have some properties that will contain sensitive information, while you can use the Csla security, you might consider not loading the value into the property at all.  Using debuggers, people could still access the property value even with Csla security.

JonnyBee replied on Tuesday, May 01, 2012

SL can call WCF services using HTTPS / SSL. This will make the client/server communicate over an encrypted connection.

CSLA is out-of-the-box configured to use basicHttpBinding and this can use SSL.

There's a lot more that CAN be done to secure data using other bindings and maybe MessageSecurity but that is a whole other aspect and will require some code to implement your own DataPortal.

For a general introduction to WCF Security read the WCF Security Guidelines
http://blogs.msdn.com/b/jmeier/archive/2009/02/11/new-release-patterns-practices-wcf-security-guide.aspx 

altho' not updated for WCF 4 it is still applicable.
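
The change discussed in the replies above, written out as an added configuration example (not posted by any participant in this thread and not taken from the CSLA samples). It reuses the endpoint, binding name and contract from TSF's snippet; the server-side binding name `SlPortalHttps` is a hypothetical name chosen for illustration.

```xml
<!-- Client: ServiceReferences.ClientConfig in the Silverlight project -->
<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="BasicHttpBinding_IWcfPortal">
          <!-- mode="None" (the default) sends data portal messages in clear
               text over http. mode="Transport" requires SSL/TLS and must be
               paired with an https:// endpoint address. -->
          <security mode="Transport" />
        </binding>
      </basicHttpBinding>
    </bindings>
    <client>
      <endpoint address="https://myappserver/myproject/SlPortal.svc"
                binding="basicHttpBinding"
                bindingConfiguration="BasicHttpBinding_IWcfPortal"
                contract="WcfPortal.IWcfPortal"
                name="BasicHttpBinding_IWcfPortal" />
    </client>
  </system.serviceModel>
</configuration>

<!-- Server: web.config of the site hosting SlPortal.svc.
     "SlPortalHttps" is a hypothetical binding name; the existing data portal
     service endpoint must reference it through bindingConfiguration. -->
<system.serviceModel>
  <bindings>
    <basicHttpBinding>
      <binding name="SlPortalHttps">
        <security mode="Transport" />
      </binding>
    </basicHttpBinding>
  </bindings>
</system.serviceModel>
```

If the address is changed to https while the binding is left at its default security mode, WCF rejects the endpoint with "The provided URI scheme 'https' is invalid; expected 'http'", so the address and the `security` element have to change together. The site also needs an SSL certificate bound in IIS, and the page hosting the XAP should itself be served over https so the call stays same-scheme.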

 

 

Copyright (c) Marimer LLC