Silverlight security on the downloaded xap file - silverlight

I want to develop an online trading application using Silverlight in which I want to perform all the calculations on the client side instead of the server.
First, is it possible to run the whole application on the client side?
Second, how secure is the Silverlight xap file at preventing decoding of the logic?
Please let me know.
Thanks,
Mahesh

You can use Silverlight Out-of-Browser, which will increase your access to the local system if that is needed; however, it is still sandboxed and you do not get full access to system resources. If that is not a concern then you can perform your logic internal to the Silverlight application, which remains in the browser and is indeed client side.
In terms of security, your .XAP file is nothing more than a re-branded .ZIP file. If someone can download your .XAP they can then get access to the .DLLs within the .XAP. Obfuscating the DLLs may hinder individuals from getting access to your code (see this); however, if intellectual property is something at the top of your list, I'd recommend not performing that logic client side, as the other post mentions as well.
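The point above, that a .XAP is an ordinary ZIP container, can be checked against your own build before release. The following is an added example, not part of the original answer: it builds a constructed sample package in memory (the names TradingClient.dll and Pricing.dll are made up) and reports every assembly a downloading client would be able to read out of it.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# XML namespace of the Silverlight deployment manifest (AppManifest.xaml).
DEPLOY_NS = "http://schemas.microsoft.com/client/2007/deployment"

def build_sample_xap() -> bytes:
    """Constructed sample package: a manifest plus two placeholder assemblies."""
    manifest = (
        f'<Deployment xmlns="{DEPLOY_NS}" '
        'xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" '
        'EntryPointAssembly="TradingClient" EntryPointType="TradingClient.App">'
        '<Deployment.Parts>'
        '<AssemblyPart x:Name="TradingClient" Source="TradingClient.dll" />'
        '<AssemblyPart x:Name="Pricing" Source="Pricing.dll" />'
        '</Deployment.Parts></Deployment>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AppManifest.xaml", manifest)
        z.writestr("TradingClient.dll", b"MZ" + b"\x00" * 62)  # fake PE stub
        z.writestr("Pricing.dll", b"MZ" + b"\x00" * 62)        # fake PE stub
    return buf.getvalue()

def audit_xap(data: bytes) -> dict:
    """Report what anyone who downloads the .xap can extract from it."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        raise ValueError("not a ZIP container, so not a valid .xap")
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        declared = []
        if "AppManifest.xaml" in names:
            root = ET.fromstring(z.read("AppManifest.xaml"))
            declared = [p.get("Source") for p in root.iter(f"{{{DEPLOY_NS}}}AssemblyPart")]
        # An entry starting with the DOS "MZ" magic is a PE image, e.g. a .NET assembly.
        pe_files = [n for n in names if z.read(n)[:2] == b"MZ"]
    return {
        "entries": names,
        "declared_assemblies": declared,
        "pe_files": pe_files,
        "undeclared_pe": sorted(set(pe_files) - set(declared)),
    }

if __name__ == "__main__":
    for key, value in audit_xap(build_sample_xap()).items():
        print(f"{key}: {value}")
```

Anything listed under `pe_files` ships to every client, so pricing or trading logic that must stay private belongs behind a server-side service rather than in the package.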

Related

Silverlight vs ActiveX for lightweight app with system access

Just an R&D question. We need to develop an application that can be run in a browser that has the capability of performing some system checks to gather support information to be emailed to us. These checks will include basic system information, but also will need to scan the filesystem and pull out version information about various DLLS, executables, and .NET assemblies that might be installed. The idea being that we can direct a client to a page and have the application gather the relevant information needed for support, and potentially even populate some database fields. We need it to have as small a footprint as possible.
I've worked with ActiveX before, and know it is capable of these things, but particularly on modern systems security is a nightmare to get around, with a lot of people blocking ActiveX altogether. Is Silverlight easier to deliver to clients? Does it have a lighter footprint? Is it even capable of doing these things?
Silverlight has access to isolated storage, but I don't think it can do what you are looking for (I may be wrong). As for footprint, if I remember correctly, the runtime is reasonably small, and the .xap packages are limited to 4Mb.
Silverlight out-of-browser has access to the file system. http://msdn.microsoft.com/en-us/library/dd550721(v=vs.95).aspx#special_features_for_outofbrowser_applications
If you intend to run your app in the browser, you will still have to configure the trust as if it were oob. http://msdn.microsoft.com/en-us/library/gg192793(v=vs.95).aspx
However, iTunes has a neat way of doing something somewhat related. It has a custom protocol (itms://) that allows the browser to invoke a client side program (iTunes). Then you can embed html in a webpage that passes parameters as command line arguments to that app. The website also knows if iTunes is installed by a cookie. With this in mind, you might be able to encourage your users to install some small app that sets up the custom protocol on install. You could pass command-line parameters to it from the web, and the app will push information from the client back to the server.
To create a real-time experience, you could use sockets + more javascript to update the page with the info you just got off the machine.
HTH,
Silverlight runs in a pretty restricted silo and can't do a lot of low level things - such as checking the file system. So I would say it does not fit your use case, unfortunately.

Upload a large File to Sharepoint in a Silverlight application

I have tried what seems like about a dozen different methods of uploading files to SharePoint from a Silverlight application. They either have severe limitations (file size limits of less than a meg or so) or lots of security issues that I have not been able to overcome. I have tried:
WCF (We are trying not to use any custom WCF services at all FYI though this is the method that I have gotten to semi work)
Sharepoint Web services
Client object model
HTTP put
Webclient write stream
I have seen lots of different examples out there of people doing completely different things but none seem to work and all seem like they are the "old" way of doing things. I am using silverlight 4, sharepoint 2010 on IIS 7. Is there a best practice for uploading large (say 20-30 meg) files? I just want to dump a file into a document library.
I had a similar issue. Tweaking the web application level setting from central admin, changing the asp.net limit in web.config and the following article helped me.
http://blogs.msdn.com/b/sridhara/archive/2010/03/12/uploading-files-using-client-object-model-in-sharepoint-2010.aspx
Just had a thought: Silverlight has a thing called an HTML Bridge which allows it to interact with the rest of the page. Consider calling a javascript function from Silverlight, and let the javascript function do the actual upload.
UPDATE - the Javascript ClientOM doesn't seem to have the SaveBinaryDirect method :-(
How about doing some ExecuteQueryAsync and then in the success call back function (no longer on the UI thread), using the Microsoft.SharePoint.Client version of File? I know this would require downloading the larger assembly, so perhaps that's not so good.
I wonder if there is a way to get the clientOM use a more efficient binding when calling the web services...
Martin
The default upload size limit for the SharePoint client object model is 2 MB. You can change that limit by modifying the MaxReceivedMessageSize property of the service.
This can be done in two ways:
programmatically - as described in this link - though this won't work in Silverlight, for example
through PowerShell. On the server where you have SharePoint installed, fire up the SharePoint Management Shell (make sure you run it under the farm administrator account) and run the following commands.
$ws = [Microsoft.SharePoint.Administration.SPWebService]::ContentService
$ws.ClientRequestServiceSettings.MaxReceivedMessageSize = 52428800
$ws.Update()
This will change the upload limit to 52428800 bytes - or 50 MB. Now, restart the website hosting your SharePoint site (or the entire IIS) for the changes to take effect.

Launch local application with Silverlight

I would like to know if there is any way to launch a local application with Silverlight. I'm having some security problems doing this with a user control embedded in IE 8, so I would like to convert this into a Silverlight app. This little issue is stopping me from going forward with Silverlight, so if you have any suggestion, I would appreciate hearing it.
Thanks in advance..
Carlos.
This will be theoretically possible using COM interop with Silverlight OOB in SL4, but you will still have the same security issues and, in addition, add some deployment issues.
In order to do this directly from within IE, you'll need to make an add-in that gets installed with proper security permissions. Any "automatic" model for this would violate the standard IE security policies, so there is no direct means of getting from browser->local system.
This would totally invalidate the Silverlight security model. So, good luck with that. Pretty sure you cannot do it. This is what officially is known as a "Bad Thing."
Things I learned from Jurassic Park: Just because you CAN do something doesn't mean you SHOULD do something.
It is absolutely possible to get "Out of Browser" support using Silverlight 4. But what you need to do in order to access applications on the "Host" machine is to certify the SL4 application as being trusted.
This will involve getting a certificate for it. This could be obtained from a CA (or similar for Internet applications) OR you could generate your own certificate for Intranet use and have the users simply install it or have it installed via another automated sys admin style process.
The bottom line is that when the SL4 application is running OOB AND it is trusted, it can access anything on the host machine; to a point.
Even though you can have file access and so forth, you still cannot call the application directly. That is unless it's installed as a COM object.
So what you will need to do is invoke the application using the "script" host COM object. You create a reference to the Script host and then simply pass in the command (and parameters if you like) that would invoke the application.
Hey presto, you broke the wall :-)
It should be noted that the user will still only be able to run the applications on their machine that they are currently allowed to. So you won't be able to invoke Admin tools on a user with limited control.
See here for details
http://msdn.microsoft.com/en-us/library/dd550721(VS.95).aspx
It seems to me that you ought to post a question about the development of the user control you already have. Ultimately, no matter what technology you use, you will need to get the user to opt in manually. Silverlight when hosted by a browser is designed to live in a nice and secure sandbox that it can't get out of. It isn't the answer to your problem in this case.
Your Silverlight application should be a trusted application because it runs on a browser.
If you want to launch an application in your local machine use the below code:
AutomationFactory.CreateObject("WScript.Shell").Run(FilePath);
Use the namespace System.Runtime.InteropServices.Automation

Silverlight OOTB Support for 'Save File' browser dialog

I am in the design stage of an application that must be both a standalone app & a web application (To save the costs of building 2 near identical applications twice). Basically I have opted to go for a silverlight OOTB application that will be installed on the standalone machines and they will write to a collection of files in the sandbox and occasionally talk to the server version. The same application (with a little configuration) will also operate on the webserver and store its data in a database.
I am however more of a WPF developer so I would like to cover some concerns I have before I go too far down this path...these are:
I hear you can pass a file out for the user to 'Save As' in their browser when using SL normally. Is there similar functionality with OOTB? Because I want to be able to save some of the local files to locations other than the sandbox (with user permission).
Is it possible to configure OOTB to allow access to the filesystem outside of the sandbox?
Is there a way to programmatically determine whether a Silverlight application is running in OOTB mode (so I know what mode the application should be running in)?
Are there any major flaws in my ideas so far that would prevent this from being a possibility?
Silverlight 4 will provide support for out of browser trusted applications, which have more privileges than a normal sandboxed application but still not as many as a regular desktop application. Regarding file access, a trusted application will be able to access some predefined folders such as MyDocuments, MyMusic, MyPictures, MyVideos, but not the entire filesystem. See here for details: http://mtaulty.com/CommunityServer/blogs/mike_taultys_blog/archive/2009/11/18/silverlight-4-rough-notes-trusted-applications.aspx
As for how to know whether you are running out of browser or not, use Application.Current.RunningOffline.
Finally, I recommend you to take a look at PRISM. Among other things, it eases the task of sharing code between WPF and Silverlight, so you could consider developing a dual SL+WPF application.

Do I need a local web service to connect to database for Silverlight OOB?

I've done some cursory reading on Silverlight and data access. From what I can tell, I'll need a web service to hook up a Silverlight application to a database while it's running in browser. Is this true when it goes OOB? Or is there another method that should be used then?
Some background:
We have a .Net 2.0 Winforms application. We're trying to convert the functionality to a web app of some sort without rewriting the business logic. Our internal web developers all write in ColdFusion, so Adobe Air seemed to be a natural fit. However, we've found out that the only way to consume a .Net dll in Air is to write an EXE that makes function calls. (Perhaps something like a WCF service on the local machine.) Since that's the case, I thought I'd see how the data access was in Silverlight OOB, because we will have customers with limited-to-no internet connectivity and will need to be able to access an offline DB.
As far as I know, whether it runs in or out of browser it will need a web service or other means to hit a database. You cannot do it through the Silverlight application because of the sandbox security model used.
In 4.0 there is the added use of COM so you may be able to use that to your advantage.
Otherwise you would just be using a file stored in IsolatedStorage to persist data to, like an XML file for example. Maybe this is what you are looking for though?
