I have a WCF.
I have a silverlight application.
I do not want anyone to be able to call the WCF except the Silverlight application.
I do not want to install any certificates on the client.
I do not want to hit any databases.
What would typically be the best way to do something like this?
You can address this using a cross domain policy file. Silverlight cannot connect to WCF services hosted on secondary domains without the implementation of this policy file.
Here are two links to get you in the right direction
http://msdn.microsoft.com/en-us/library/cc197955%28v=vs.95%29.aspx
Tim Heuer has a good writeup on the implementation of this file as well.
http://timheuer.com/blog/archive/2008/04/06/silverlight-cross-domain-policy-file-snippet-intellisense.aspx
To prevent a WCF services from being accessed by other applications you will need to implement authentication of some sort Here is a related post
Related
I'm trying to authenticate my silverlight application to get windows user name, which then I use to get some further information. Have looked it up, but the answers I found were about configuring the web service to get it. Is there a way, to get windows credentials strictly in Silverlight? I cannot find .Credentials, the only thing I see is .ClientCredentials, but apparently it doesn't show the required information. I am getting the string "System.ServiceModel.Security.UserNamePasswordClientCredential". It actually allows me to set up the name, not retrieve it. Also there is a web service called authentication.asmx, but as before it applies to other purposes. Neither do I have any web service I could reference to and configure them. Or am I missing something? Perhaps I can retrieve the windows credential by NTLM or Kerberos? I am using Visual Web Developer 2010 Express with Silverlight 5.
My Experience is that the Membership framework that is present in the asp.net world is not available in silverlight. In order to achieve something similar I had to implement a web service (WCF) that was directed at the domain's active directory (ldap) server. Silverlight is a very strict framework in terms of interoperability, its good for security but has some limitations.
I am not sure about your level of knowledge of the active directory but here is a link that deal with a lot of the possible operations and has sample C# code to go along.
http://www.codeproject.com/Articles/18102/Howto-Almost-Everything-In-Active-Directory-via-C#40a
I want to send simple data (geolocation data to be precise) from Windows Phone 7 application to a windows forms application and use it, as I'm a total beginner in this field I don't know which tools to use.
I searched about wcf services and tested this method but there's some issues: the data is sent from the phone application but isn't sent to the winforms application (guess something is missing)
If your know how to do this in a quick way, or have good tutorials I'll be thankful.
EDIT
I found this tutorial, it show how to connect directly wp7 application and desktop application without using sockets neither wcf service, I'm wondering if it is really works if the application isn't in localhost.
the like for the tutorial: wp7 tutorial
I had a similar problem and so I created a REST/JSON WCF service hosted in IIS with AppHarbor to provide the data. There's hundreds of ways to do it (Ruby/Heroku, etc..), but that particular one fits well within the Microsoft stack. I also needed to share route data and I used the WCF service to wrap the BingMaps services so that route computations are cached and shared. Considering that I had already created a local model, moving it out of my phone project into a service took less than a few hours (including the usual config hiccups, and forgetting to add the appharbor user to my bitbucket repo).
Consuming the service from WinForms (or any client) shouldn't be an issue as the service knows nothing about the client implementation.
Here's a tutorial from code project. REST WCF Service with JSON
I think you would need to implement some sort of server side solution which you could upload to on your Windows Phone and download from on your Windows Form application. This could be achieved using a WCF service which was connected to a server side database.
Another option would be to use sockets and communicate directly with your WinForms application. Check this tutorial on how to use basic sockets on WP7.
I wonder is it possible to host RIA service as a stand alone application in IIS7? I've playing around with some RIA services and a wonder whether this scenario is possible. My goal is to detach the service from the WebSite application and host it separately.
Thanks in advance!
Definitely possible, just create another ASP.Net webforms application, add the domain service, reference your model (if its in another library), and link the Silverlight project to it. Might also be best to host your XAP in the same project as the RIA service to avoid any cross domain issues. In your real website, just copy and paste the object tag and javascript it generates and make sure its pointing to the right location on the RIA service site.
I have a Silverlight application that needs to retrieve some data from my database. This data is sensitive. Because of this, I only want my Silverlight application to be able to access the data. How do I ensure that only my applications can access the services that expose this data? Is there a way that I can validate a client attempting to retrieve the data?
Thank you!
These might be of interest:
Using ASP.NET Secure Services and Applications Services
Build Line-Of-Business Enterprise Apps With Silverlight, Part 2
MS Whitepaper: Security Guidance for Writing and Deploying Silverlight Applications
Well, everything your SL application does could be spoofed. So direct answer is NO, you cannot ensure that only your application will access to the data.
But there are number of options. For example you can implement authorization and then authenticate your user. In this way you can ensure that only users you trust access to the data.
Another option is to make spoofing harder. For example you can include sort of "secrete" token to all your requests. So other application will need to steal this token. This harder to achieve.
I think this question is more pertaining into implementing a web service or wcf service with authentication and authorization. If your service takes care of it, then you can be ensured about your data. Your silvelight app is just calling the service.
Whoever download the xap can decompress and reverse engineer your code, so your best bet is to build a web service as others suggested. Silverlight Ria ships with a full blown authentication membership that you can leverage.
We have a Silverlight app which we wrote which calls a Silverlight-enabled data service. The Silverlight app cannot require a login, as it is required to present data to the unauthenticated public.
We have some schmoe who took the time to examine our Silverlight app, one way or another figure out what service it is calling, and then wrote his own client to slurp off the data so he can post it on his site and pretend like it is his. We need to prevent this.
How can i limit my data service somehow to ONLY accept requests from my silverlight app? I tried using the allow-from domain uri setting in the clientaccesspolicy.xml file to limit access to the service only from the domain in which the silverlight app sits (say mydomain.com). This did absolutely nothing though, and the service is still serving up requests to clients from outside the domain. (I tested this by putting my SL app on a different domain under our control).
What is the proper/best/most effective way to limit the data service so only our app can use it? Thanks!!!
I'm using SL 3 and .NET 3.5.
The clientaccesspolicy.xml tells the Silverlight application which Webservice it can consume. Not preventing people accessing the Webservice.
You can try using a authentication login even though its not required. This prevents 'schmoes' accessing your webservice.
Also use Dotfuscator to prevent 'schoes' to disassemble your Silverlight application and acquire the login.
Silverlight webservice security follows the same patterns you'd use for ASP.NET security, especially services exposed to AJAX. The best way to do make use of ASP.NET's authentication.
RIA Services is an even better way to handle this. It rides on top of the ASP.NET authorization, but validates on both the client and server-side automatically to combat service spoofing. It let you take care of both client and server-side authorization by adding attributes to your methods indicating that the method requires authorized access, and by which groups or users if you need to be specific.
In addition to wire-side security and obfuscation, remember that clients can attach a debugger to Silverlight applications running in their browser. See this example from MSDN Magazine's Security IQ Test, November 2008.