Silverlight: authenticating users

Old forum URL: forums.lhotka.net/forums/t/10033.aspx


lukky posted on Saturday, February 05, 2011

Hi,

I know this is not strictly a CSLA thing, but this is probably the only place where I'll find someone with an answer.

I'm working on my very first SL application, integrating CSLA.NET 4.x + SL + Prism, but coming from Windows Forms, there is a lot of material to learn and I'm a bit overwhelmed.

The application will be run from a web hosting service and should be accessible only to registered users. The data itself is not what I would call highly sensitive, but I'd still want to protect it from prying eyes.

I have found this thread about Single Sign On, but it dates a few years back, and I don't know how much of it still applies to newer versions of CSLA:

http://forums.lhotka.net/forums/t/6544.aspx

Basically, I think I need to consider the following security topics:

Is there a resource that would cover what I need to consider WRT securing the application? I've found so many bits of scattered information that I can't even begin to piece everything together.

Thanks for any pointers.


RockfordLhotka replied on Sunday, February 06, 2011

fwiw, there will be a resource: Using CSLA 4: Security. That's the next ebook I'll work on after I finish the data access one I'm writing now.

I know, that doesn't help... :)

Basically you are on the right track.

  1. Use SSL
  2. Implement Windows, forms, or membership provider authentication on the web site
  3. Have the SL app go get the principal from the web server as the SL app starts up
  4. Use an IAuthorizeDataPortal implementation to verify the principal on each data portal call (except calls to retrieve a new principal of course)

Or

  1. Use SSL
  2. Have the SL app ask the user for credentials
  3. Have the SL app send the credentials to the app server for verification against Windows, membership provider, or a custom store
  4. Use an IAuthorizeDataPortal implementation to verify the principal on each data portal call (except calls to do that initial login verification)

With SL 4 and higher you might be able to avoid using SSL by using WCF security, but I'm not sure about that because I haven't tried. Using WCF security on Windows is a pain though, because you end up having to deploy your own x509 cert. In my view SSL is easier to set up, because I can usually just tell the IT group that the web server needs SSL :)
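The server-side check that step 4 of both lists describes, as an added example that is not code from this thread or from CSLA itself. It assumes the CSLA 4 `Csla.Server.IAuthorizeDataPortal` / `AuthorizeRequest` API and the `CslaAuthorizationProvider` appSettings key; `MyApp.Server.PrincipalAuthorizer` and `MyApp.Security.CustomIdentity` (the object the Silverlight client fetches to obtain its principal) are placeholder names.

```csharp
using System;
using System.Collections.Generic;
using System.Security;      // SecurityException
using Csla;                 // ApplicationContext
using Csla.Server;          // IAuthorizeDataPortal, AuthorizeRequest

namespace MyApp.Server
{
    // Runs once per data portal call on the app server, before the
    // business object's DataPortal_XYZ method is invoked. Registered in
    // web.config with (placeholder assembly/type names):
    //   <add key="CslaAuthorizationProvider"
    //        value="MyApp.Server.PrincipalAuthorizer, MyApp.Server" />
    public class PrincipalAuthorizer : IAuthorizeDataPortal
    {
        // Types allowed through without an authenticated principal.
        // This is the "except calls to retrieve a new principal" case:
        // the client cannot be authenticated yet when it asks for its
        // identity. MyApp.Security.CustomIdentity is a placeholder name.
        private static readonly HashSet<Type> Exempt = new HashSet<Type>
        {
            typeof(MyApp.Security.CustomIdentity)
        };

        public void Authorize(AuthorizeRequest clientRequest)
        {
            if (Exempt.Contains(clientRequest.ObjectType))
                return;

            // ApplicationContext.User is the principal in effect for
            // this call; anything not authenticated is refused.
            var user = ApplicationContext.User;
            if (user == null || user.Identity == null
                || !user.Identity.IsAuthenticated)
            {
                throw new SecurityException(string.Format(
                    "Unauthenticated {0} request for {1} was rejected.",
                    clientRequest.Operation,
                    clientRequest.ObjectType.FullName));
            }

            // Example of a per-operation rule on top of the login check:
            // only members of the Admin role may delete anything.
            if (clientRequest.Operation == DataPortalOperation.Delete
                && !user.IsInRole("Admin"))
            {
                throw new SecurityException("Delete requires the Admin role.");
            }
        }
    }
}
```

The same class serves the second scenario; put the login command object (whatever type carries the credentials to the server) in the `Exempt` set instead of the identity type.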


lukky replied on Sunday, February 06, 2011

Rocky,

First, thanks for taking time to reply. I know your schedule is very tight, so I appreciate it.

As for the book on security, I think I'll definitely buy the series.

So it seems the SSL road is where I need to go, so I'll read up on this as I've never touched that before.

Between the 2 scenarios you've exposed, the difference seems to be whether the "main" page is itself secured by ASP.NET or not. The other steps are pretty much the same.

As for WCF security, would you use transport, or message security?

Regards

RockfordLhotka replied on Sunday, February 06, 2011

SSL (https) is transport security. It encrypts the data between the client and server, and is the web standard for this sort of thing.

WCF on .NET supports message security too. I don't know if that is supported on Silverlight?

The Microsoft Patterns and Practices group wrote a book on WCF configuration and security - it is available on CodePlex. They talk about transport and message security, and SSL.

Copyright (c) Marimer LLC