[转]Securing Silverlight Application and WCF Service using ASP.Net Authentication Techniques [私人]
[ 2009-04-05 23:36:45 | 作者: progame ]
Securing Silverlight Application and WCF Service using ASP.Net Authentication Techniques
January 7, 2009 — Syed Mehroz Alam
Ads by Google
WPF Controls & Consulting
For Designers and Developers by the leading WPF experts - IdentityMine
www.blendables.com
Security is an issue that experts are discussing since the birth of Silverlight. A typical enterprise Silverlight application will consist of one or more Silverlight pages communicating with one or more WCF services. There are three major security concerns here:
Silverlight 2 supports communication with a WCF service in simple text (the basicHttpBinding), so anyone can use a packet sniffer (e.g. Fiddler) to read our data.
Anyone can access our WCF service, call its methods and get our data.
Anyone can download our Silverlight application (the .xap file), open it (since it is simple a zip file), extract the dlls and use Reflector to read all our code.
The first problem can be solved by securing the transmission via transport security (using https protocol). More on this can be found at msdn here. In this post, I will try to address the last two issues.
The good thing is that the Silverlight application and WCF service is hosted inside an ASP.NET website and luckily ASP.NET provides good tools around authentication so we can apply ASP.NET authentication techniques to secure those. The approach I like is to secure the entire ASP.NET web application using either Windows or Forms authentication and deny all anonymous users. This can be done by configuring the web.config as:
view plaincopy to clipboardprint?
<authentication mode="Windows"/> <!-- or Forms -->
<authorization>
<deny users="?"/>
</authorization>
<authentication mode="Windows"/> <!-- or Forms -->
<authorization>
<deny users="?"/>
</authorization>
This way, if anyone tries to access the WCF service, or download the Silverlight .xap file, or view a page inside the ASP.NET website, the ASP.NET engine authenticates the request and only authorized users are able to view the application or use the service.
So now, if our application is configured to use Windows authentication, the ASP.NET engine authenticates the request via integrated windows authentication. If it succeeds, users are automatically redirected to the Silverlight application; otherwise they get a HTTP 401.1 - Unauthorized message.
And, if our application is configured to use Forms authentication, the ASP.NET engine takes the user to an aspx login page. Once the user is validated (we can use either ASP.NET built-in authentication or any custom implementation to authenticate the user), he/she is redirected to the Silverlight application.
To observe this, you can download this application (Be sure to first rename the file to zip; this is a WordPress requirement) and toggle its authentication technique between Windows and Forms using web.config.
Note that the application also demonstrates how to get the logged in user in Silverlight using a WCF service call. The key is that we can use System.Web.HttpContext.Current.User to get the current user principal if the WCF service is running in ASP.NET compatibility mode.
I will be glad to know your thoughts on this approach.
评论Feed: /feed.asp?q=comment&id=2443
January 7, 2009 — Syed Mehroz Alam
Ads by Google
WPF Controls & Consulting
For Designers and Developers by the leading WPF experts - IdentityMine
www.blendables.com
Security is an issue that experts are discussing since the birth of Silverlight. A typical enterprise Silverlight application will consist of one or more Silverlight pages communicating with one or more WCF services. There are three major security concerns here:
Silverlight 2 supports communication with a WCF service in simple text (the basicHttpBinding), so anyone can use a packet sniffer (e.g. Fiddler) to read our data.
Anyone can access our WCF service, call its methods and get our data.
Anyone can download our Silverlight application (the .xap file), open it (since it is simple a zip file), extract the dlls and use Reflector to read all our code.
The first problem can be solved by securing the transmission via transport security (using https protocol). More on this can be found at msdn here. In this post, I will try to address the last two issues.
The good thing is that the Silverlight application and WCF service is hosted inside an ASP.NET website and luckily ASP.NET provides good tools around authentication so we can apply ASP.NET authentication techniques to secure those. The approach I like is to secure the entire ASP.NET web application using either Windows or Forms authentication and deny all anonymous users. This can be done by configuring the web.config as:
view plaincopy to clipboardprint?
<authentication mode="Windows"/> <!-- or Forms -->
<authorization>
<deny users="?"/>
</authorization>
<authentication mode="Windows"/> <!-- or Forms -->
<authorization>
<deny users="?"/>
</authorization>
This way, if anyone tries to access the WCF service, or download the Silverlight .xap file, or view a page inside the ASP.NET website, the ASP.NET engine authenticates the request and only authorized users are able to view the application or use the service.
So now, if our application is configured to use Windows authentication, the ASP.NET engine authenticates the request via integrated windows authentication. If it succeeds, users are automatically redirected to the Silverlight application; otherwise they get a HTTP 401.1 - Unauthorized message.
And, if our application is configured to use Forms authentication, the ASP.NET engine takes the user to an aspx login page. Once the user is validated (we can use either ASP.NET built-in authentication or any custom implementation to authenticate the user), he/she is redirected to the Silverlight application.
To observe this, you can download this application (Be sure to first rename the file to zip; this is a WordPress requirement) and toggle its authentication technique between Windows and Forms using web.config.
Note that the application also demonstrates how to get the logged in user in Silverlight using a WCF service call. The key is that we can use System.Web.HttpContext.Current.User to get the current user principal if the WCF service is running in ASP.NET compatibility mode.
I will be glad to know your thoughts on this approach.
评论Feed: /feed.asp?q=comment&id=2443
这篇日志没有评论.
