I know this is not strictly a CSLA thing, but this is probably the only place where I'll find someone with an answer.
I'm working on my very first SL application, integrating CSLA.NET 4.x + SL + Prism, but coming from Windows Forms, there is a lot of material to learn and I'm a bit overwhelmed.
The application will be run from a web hosting service and should be accessible only to registered users. The data itself is not what I would call highly sensitive, but I'd still want to protect it from prying eyes.
I have found this thread about Single Sign On, but it dates a few years back, and I don't know how much of it still applies to newer versions of CSLA:
Basically, I think I need to consider the following security topics:
Is there a resource that would cover what I need to consider WRT securing the application? I've found so many bits of scattered information that I can't even begin to piece everything together.
Thanks for any pointers.
fwiw, there will be a resource: Using CSLA 4: Security. That's the next ebook I'll work on after I finish the data access one I'm writing now.
I know, that doesn't help... :)
Basically you are on the right track.
With SL 4 and higher you might be able to avoid using SSL by using WCF security, but I'm not sure about that because I haven't tried. Using WCF security on Windows is a pain though, because you end up having to deploy your own x509 cert. In my view SSL is easier to set up, because I can usually just tell the IT group that the web server needs SSL :)
First, thanks for taking time to reply. I know your schedule is very tight, so I appreciate it.
As for the book on security, I think I'll definitely buy the series.
So it seems the SSL road is where I need to go, so I'll read up on this as I've never touched that before.
Between the 2 scenarios you've exposed, the difference seems to be whether the "main" page is itself secured by ASP.NET or not. The other steps are pretty much the same.
As for WCF security, would you use transport, or message security?
SSL (https) is transport security. It encrypts the data between the client and server, and is the web standard for this sort of thing.
WCF on .NET supports message security too. I don't know if that is supported on Silverlight?
The Microsoft Patterns and Practices group wrote a book on WCF configuration and security - it is available on CodePlex. They talk about transport and message security, and SSL.
Copyright (c) Marimer LLC