If I port an old client/server to Silverlight RIA services, how can I avoid the extra security work?
Ideally, the client would pass the client's windows credentials to the middle tier; the middle tier would impersonate the client and access the database.
Is this possible?
As far as memory serves it is possible to set authentication mode in Web.config,
<system.web>
<authentication mode="Windows"></authentication>
</system.web>
Should do the trick
Silverlight will work with the ISS authentication quite well. So long as you can get your old authentication working in IIS you should be able to plug into it.
They have some good documentation on how it works, hopefully this is helpful.
http://msdn.microsoft.com/en-us/library/ee707361%28v=VS.91%29.aspx
If you did not previously use an IIS based authentication you can write a custom authentication provider that will plug in.
Related
I'm trying to authenticate my silverlight application to get windows user name, which then I use to get some further information. Have looked it up, but the answers I found were about configuring the web service to get it. Is there a way, to get windows credentials strictly in Silverlight? I cannot find .Credentials, the only thing I see is .ClientCredentials, but apparently it doesn't show the required information. I am getting the string "System.ServiceModel.Security.UserNamePasswordClientCredential". It actually allows me to set up the name, not retrieve it. Also there is a web service called authentication.asmx, but as before it applies to other purposes. Neither do I have any web service I could reference to and configure them. Or am I missing something? Perhaps I can retrieve the windows credential by NTLM or Kerberos? I am using Visual Web Developer 2010 Express with Silverlight 5.
My Experience is that the Membership framework that is present in the asp.net world is not available in silverlight. In order to achieve something similar I had to implement a web service (WCF) that was directed at the domain's active directory (ldap) server. Silverlight is a very strict framework in terms of interoperability, its good for security but has some limitations.
I am not sure about your level of knowledge of the active directory but here is a link that deal with a lot of the possible operations and has sample C# code to go along.
http://www.codeproject.com/Articles/18102/Howto-Almost-Everything-In-Active-Directory-via-C#40a
How can I authenticate to a web service hosted in IIS that is secured with Integrated Windows Authentication?
Do I use HTTP headers to add username and pwd?
I am trying to call this web service from UNIX in C.
I'm rather a newbie to IIS myself, and I'm just starting to dance around this topic, but I saw your note and thought it was crazy that no one has answered in so long!
I believe that the typical way that windows authenticates is Kerberos. You may have to go through some gyrations to get the Windows Kerberos server to get you a ticket that you could put in the SOAP header. That is at least the direction in which I would start researching... but it could heavily depend on your Windows domain configuration. At the very least, you'll probably need to do quite a bit of poking into Windows Domain configurations and concepts.
I've been struggling with this for a few days, and I hope someone can suggest some solutions.
I have a self-hosted WCF service, the main interface to this service will be a Silverlight application that is hosted in a non-IIS, potentially shared, environment.
I'm aware of the TransportWithMessageCredential and a custom authentication validator. The only requirement of this seems to be that the host has HTTPS and a valid SSL certificate. However, there are certain enviroments the product will be operating in where they don't wan't the hassle of paying for and maintaining a certificate, or the shared environment doesn't allow SSL.
The easy answer would be to tell them to find a new host/admin, but I've been asked to see if there are any other fesible authentication mechanisms.
Any suggestions?
Thanks
Without SSL there really isn't any way for you to secure the users credentials "across the wire". You "could" do some encryption in the Silverlight app, but this really amounts to obfuscation vs. "real" security.
The only option that I can think of in this scenario would be moderately secure would be a 3 factor solution such as giving all the users SecureID key fobs.
We had the same problem. We made the installer for the WCF service that creates a self-signed certificate, adds it to the system certificate store and configures the binding with HTTPS port. The Silverlight application had a link to download this certificate from the WCF service. So users could download this certificate and install it in the Trusted Root certificate store.
I have a Silverlight application that needs to retrieve some data from my database. This data is sensitive. Because of this, I only want my Silverlight application to be able to access the data. How do I ensure that only my applications can access the services that expose this data? Is there a way that I can validate a client attempting to retrieve the data?
Thank you!
These might be of interest:
Using ASP.NET Secure Services and Applications Services
Build Line-Of-Business Enterprise Apps With Silverlight, Part 2
MS Whitepaper: Security Guidance for Writing and Deploying Silverlight Applications
Well, everything your SL application does could be spoofed. So direct answer is NO, you cannot ensure that only your application will access to the data.
But there are number of options. For example you can implement authorization and then authenticate your user. In this way you can ensure that only users you trust access to the data.
Another option is to make spoofing harder. For example you can include sort of "secrete" token to all your requests. So other application will need to steal this token. This harder to achieve.
I think this question is more pertaining into implementing a web service or wcf service with authentication and authorization. If your service takes care of it, then you can be ensured about your data. Your silvelight app is just calling the service.
Whoever download the xap can decompress and reverse engineer your code, so your best bet is to build a web service as others suggested. Silverlight Ria ships with a full blown authentication membership that you can leverage.
I am accessing Sharepoint web services from a Silverlight application, I have put the clientaccesspolicy.xml file in the root of my Sharepoint site, so I can access fine.
What I would like to do though is hard code the user credentials so the web service always connects with the same user.
Is this possible and if so how?
Thanks in advance.
After emailing Tim Heuer, I was informed that is not possible in SL3, but will be in SL4!
I've recently ran into similar case where I need to pass a specific credential to the generated web service client proxy in Silverlight 4 OOB. For whatever reason I am still getting prompted for authentication so, I'm not sure if it's there in SL4.
What I know possible in SL4 is you can force an HttpRequest to use a ClientHttp stack instead of the WebBrowser one. I've used this with SharePoint 2010 OData feed (_vti_bin/listdata.svc) before successfully, but to access SharePoint Web Services (for example: _vti_bin/lists.asmx), it's a different story.
I finally decided to create my own workaround (specific to SL OOB w/ Elevated Privilege) for this that should work on SL3 OOB and SL4 OOB with elevated privilege. Basically creating my own SharePoint Web Service proxy using the ClientHttp stack and composing and passing my own SOAP message manually using WebRequest.
I blogged about how to do this here.