Public App Server

Old forum URL: forums.lhotka.net/forums/t/4903.aspx


johnallenids posted on Wednesday, May 28, 2008

I am familiar with configuring CSLA applications in a 3-tier architecture on an intranet, with a thick windows client using .NET remoting to access the DataPortal on the middle-tier server hosted in IIS.

Has anyone used the same configuration, but with the windows client communicating over the Internet with a public middle-tier server using .NET remoting, and what kind of security considerations are there for the Internet scenario vs. the intranet scenario?

John

RockfordLhotka replied on Wednesday, May 28, 2008

First, do you "trust" the client in this scenario? In an Internet scenario the client is sometimes out of your control, and could be subject to unknown levels of hacking. Such hacking can defeat virtually any attempt at implementing client side validation/authorization/security/etc. If you are concerned about that level of hacking then you should not trust the client.

If you don't trust the client, then you should not use n-tier client/server architecture. Instead, you should use service-oriented architecture and design. That specifies that the client application is a totally separate application from the one on the server. And as a side-effect, the server application (a set of services) is entirely standalone, and paranoid. The "real" application is the server app, the client app exists merely to give the user a very nice experience. Typically this means you'll write much of the same code in both apps, but the server will never assume the client did the right thing.

That is expensive, but you can clearly do it. And you can use CSLA .NET to build objects for both the client app and the server app - though they may not be the exact same objects (probably aren't).

If you DO trust the client, then you can consider using the data portal directly.

In that case, the only way to securely use Remoting over the Internet is if you use SSL/https. Microsoft did add some encryption options to Remoting if I remember correctly, but for the most part https is the right answer.

If you have client->app server->db server everything should just work.

If you want client->web server->app server->db server, then you'll need to create a data portal relay to run on the web server. Basically, it's a pass-through for calls from the client, so they are relayed to the real app server.

This is pretty easy to do, and there've been a couple of threads on the topic here before. The data portal is interface based, so all you need to do is create a data portal host that relays all inbound calls to a data portal object that calls the "real" data portal to get to the app server.
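The relay host described in the reply above, written out as an added example (not code from this thread or from the CSLA .NET framework itself). It assumes CSLA .NET 3.5, where `Csla.Server.IDataPortalServer` has the four methods shown and the client-side `Csla.DataPortalClient.RemotingProxy` implements that same interface; the class name `DataPortalRelay`, the assembly name `MyRelay` and the `RelayPortal.rem` URI are placeholders. The web server exposes this class through Remoting in place of `Csla.Server.Hosts.RemotingPortal`, and its own `CslaDataPortalUrl` setting points at the internal app server, so the app server is never reachable from the Internet directly.

```csharp
using System;
using Csla.Server;            // IDataPortalServer, DataPortalContext, DataPortalResult
using Csla.DataPortalClient;  // RemotingProxy (client-side proxy to the real app server)

namespace MyRelay  // placeholder namespace/assembly name
{
    // Relay host for the web-server tier. Clients call it over Remoting exactly as they
    // would call Csla.Server.Hosts.RemotingPortal, but nothing runs locally: every call is
    // forwarded, unchanged, to the data portal on the internal app server.
    //
    // Hypothetical web.config on the web server (adjust names to your project):
    //   <appSettings>
    //     <!-- the web server is a data portal *client* of the app server -->
    //     <add key="CslaDataPortalProxy" value="Csla.DataPortalClient.RemotingProxy, Csla" />
    //     <add key="CslaDataPortalUrl"   value="https://appserver.internal/RemotingHost/RemotingPortal.rem" />
    //   </appSettings>
    //   <system.runtime.remoting><application><service>
    //     <wellknown mode="SingleCall" objectUri="RelayPortal.rem"
    //                type="MyRelay.DataPortalRelay, MyRelay" />
    //   </service></application></system.runtime.remoting>
    //
    // Windows clients then set their CslaDataPortalUrl to the https://.../RelayPortal.rem
    // address on the web server. Only bind the relay to an https endpoint, as the reply
    // above recommends; the Remoting wire format is otherwise plain text.
    public class DataPortalRelay : MarshalByRefObject, IDataPortalServer
    {
        // A new proxy per call; RemotingProxy is stateless and reads CslaDataPortalUrl
        // from this process's configuration, i.e. the app server address.
        private static IDataPortalServer RealPortal()
        {
            return new RemotingProxy();
        }

        // Note: DataPortalContext carries the principal and ClientContext the caller sent.
        // Forwarding it as-is means the app server trusts whatever the client claimed,
        // which is only acceptable in the "trusted client" case discussed above.
        public DataPortalResult Create(Type objectType, object criteria, DataPortalContext context)
        {
            return RealPortal().Create(objectType, criteria, context);
        }

        public DataPortalResult Fetch(Type objectType, object criteria, DataPortalContext context)
        {
            return RealPortal().Fetch(objectType, criteria, context);
        }

        public DataPortalResult Update(object obj, DataPortalContext context)
        {
            return RealPortal().Update(obj, context);
        }

        // CSLA 3.5 signature; later versions add a Type objectType parameter.
        public DataPortalResult Delete(object criteria, DataPortalContext context)
        {
            return RealPortal().Delete(criteria, context);
        }

        // Keep the server-activated object alive for the host process lifetime
        // (harmless for SingleCall, and matches what the CSLA host itself does).
        public override object InitializeLifetimeService()
        {
            return null;
        }
    }
}
```

Because the relay is a separate host class rather than a modified CSLA assembly, it can be deployed on the web server with the standard Csla.dll; the only difference from a normal CSLA server is that the web server's configuration treats it as a client of the app server. If the relay must also enforce its own checks (for the untrusted-client case), each method above is the place to inspect or replace the principal in the context before forwarding.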

Copyright (c) Marimer LLC