I've got a Silverlight application that will be running out on the open internet, available to basically everyone who has ever lived.
The application makes use of RIA Services to manipulate data in a database on the server.
The application creates, reads, updates, and deletes data of different varieties, however I only want these operations to occur from within the application.
This brings about two questions:
Is there a particular recommendation for what type of Authentication to use? Forms or Windows?
Is there a way to prevent someone from "linking" to the application? That is to say, copying the HTML from the containing page, pasting it in their own HTML page on their local machine and running it? The end goal would be to only allow the application to be run when it is embedded in a page requested directly from my server and my server alone?
If your application is being used on an internal network, then Windows authentication is best. Otherwise (as is your case) use Forms authentication.
Silverlight automatically prevents applications (unless they're running with elevated trust) from accessing resources on the Internet (web services, HTML, etc) that are not from the domain that the application originated from, unless that domain has a cross-domain policy file in its root. The Silverlight runtime prevents this (not the server), so this a client based security feature - not server based. By not having a cross-domain policy file in place on your server, your application will only be able to communicate with your domain services when it is run from your server (as you are after). The application will run, but calls to those services will fail.
You could always do a check for what domain the application originated from in code, and match it to a hard-coded domain name if you want to prevent the application running at all from other domains.
Hope this helps...
Chris
Related
Could someone please explain to me in a simple way, what is a web service?
Please correct me if I'm wrong. I have a DB hosted somewhere in the web, and I want to perform DB transactions from a desktop application as well as a mobile application. Can this be done through a web service ? Someone mentioned it to me and I wanted to make sure this could happen.
Here's a good explanation on Wikipedia.
A middle dynamic content processing and generation level application server, for example Ruby on Rails, Java EE, ASP.NET, PHP, ColdFusion platform
The middle tier of a 3-tier application is often the web service
i want to perform DB transactions from a desktop application and a mobile application, can this be done through a web service ?
This is Exactly what a web service is for.
A web service allow you to create multiple front ends if needed, and serve your database data to all of those front ends. You can also open up the API and allow third party developers to access the web service and thereby access the data of your application in a controlled environment.
It's considered a better practice for larger applications to access a web service or a middle tier rather than directly access the database.
In your case, a web service would involve setting up your DB behind a web server that listens for incoming requests, performs the appropriate DB operations, and returns whatever data is appropriate. Then, your desktop and mobile applications could send a http request and the DB would respond appropriately. This would let all your applications access the same DB.
I got a problem when trying to call a remote rest webservice
https://stackoverflow.com/questions/5442175/error-on-httpwebrequest
It seems it's due to cross domain policy file missing on the remote server
http://forums.silverlight.net/forums/p/183993/419448.aspx
I don't understand the reason to have this file. It doesn't protect the user at all so for what purpose did they create this restriction ?
UPDATE: Reading the explanation from MS I still fail to see how this policy allows user to be more aware since it's all done on servers side WITHOUT EVER NOTIFYING THE USER OF ANYTHING.
UPDATE: Seems people don't agree so after all my question is not so stupid :) Answer would be Secure the service not the User ? Why on earth would twitter for example would like to protect its service without even wanting it ? If a website would want to protect itself it would just well put some login / password :) It is obvious that a site wants greatest access from browser it doesn't matter if browser uses plugin or not why would the site care ?
It's for security and making you actually OPT IN to allowing it.
MSDN explains it the best so there is no point in me re-wording it:
Using Silverlight version 4 for
cross-domain communication requires
guarding against several types of
security vulnerability that can be
used to exploit Web applications.
Cross-site forgery is a class of
exploits that becomes a threat when
allowing cross-domain calls. This
exploit involves a malicious
Silverlight control transmitting
unauthorized commands to a third-party
service, without the user's knowledge.
To prevent cross-site request forgery,
Silverlight allows only site-of-origin
communication by default for all
requests other than images and media.
For example, a Silverlight control
hosted at
http://contoso.com/mycontrol.aspx can
access only services on that same
domain by default – for example
http://contoso.com/service.svc, but
not a service at
http://fabrikam.com/service.svc. This
prevents a malicious Silverlight
control hosted on the
http://contoso.com domain from calling
unauthorized operations on a service
hosted on the http://fabrikam.com
domain.
To enable a Silverlight control to
access a service in another domain,
the service must explicitly opt-in to
allow cross-domain access. By
opting-in, a service states that the
operations it exposes can safely be
invoked by a Silverlight control,
without potentially damaging
consequences to the data that the
service stores.
Here is something to consider. Assume a world where Silverlight did not require a web service to opt into being used by a Silverlight client or a indeed a Flash client come to that.
Some malcontent manages to find a weakness in a popular web service API and writes an exploit in Silverlight or Flash. Harm is done and users of this web service are upset. Where might the finger of responsibility get pointed? What happens when it gets into the news that a Silverlight or Flash plugin was the "cause" of some breach? Whose reputation is harmed? Answer: Microsoft / Adobe even though in fact it has nothing to do with them.
Ultimately this is about public relations, about the risk of there being a perceived insecurity where none is really warranted.
By including this opt-in requirement these companies massively reduce the number of services that could possibly be exploited using their plugins. Significantly reducing the risk that their plugin would unfairly be tarnished with an uncalled for reputation. For those that do opt-in the policy files can be pointed at as the responsibility of the service provider who made an informed choice to include such a file.
Ultimately if there is a choice between risking your public perception with 100,000,000 potential users or risk some disgruntlement and bewilderment of some 100,000 potential developers I know which one I would pick.
Imagine you have a webservice, which is on your website, it displays live stocks and you want this website to be used by only your silverlight client.
Now I can write a silverlight client and put it on my website that will fetch data from your website, I can steal your data and users will feel it's my data. As there is no way o determine who is connecting it.
So silverlight loaded from my domain will not connect unless you allow from your domain. This is not for server client security but this is for cross domain security. Same as JavaScript cross domain security that you can not access any objects loaded from different domain.
I have googled a bit for how I should handle security in a web service application when the application is basically the data repository for a Silverlight application, but have gotten inconclusive results.
The Silverlight application is not supposed to have its own user authentication, since it will be reachable only through a web application that the user have already authenticated to get into.
As such, I was thinking I could simply add a parameter to the SL application that is a cookie-type value, with a certain lifetime, linked to the user in the database. The SL application would then have to pass this value alongside other parameters to the web services. Since the web service is hopefully going to be a generic web service endpoint, few methods, adding an extra parameter at this level will not be a problem.
But, am I supposed to roll this system on my own? It sounds to me as this isn't exactly new features that nobody has considered before, so what are my options?
First of all use SSL for the service. Otherwise users will be able to capture all the parameters passed to the service. It's still possible to see it in case of https but it will be a little bit more difficult.
Also, consider using Message Inspector for adding custom headers to the messages which you will validate on the server. This way you will not need to add extra parameters.
I am using a silverlight with wcf and when I use the .web project then it runs but when use the silver light project to run the following exception throws:
An error occurred while trying to make a request to URI 'http://localhost:9000/Services/BLWCFSvrc.svc'. This could be due to attempting to access a service in a cross-domain way without a proper cross-domain policy in place, or a policy that is unsuitable for SOAP services. You may need to contact the owner of the service to publish a cross-domain policy file and to ensure it allows SOAP-related HTTP headers to be sent. This error may also be caused by using internal types in the web service proxy without using the InternalsVisibleToAttribute attribute. Please see the inner exception for more details.
I want to use the silverlight project to debug my code
Thanks in advance
In order to access network resources from Silverlight, the domain hosting the resource must provide a client access policy file; this is designed this way for security reasons. See here for details: http://msdn.microsoft.com/en-us/library/cc645032%28VS.95%29.aspx
I think your problem is different that just having the clientaccesspolicy.xml, the fact that it runs under the web project, means that you are delivering policies, if you have those added as seperate files under the web project then they wont be deployed when you run the SL3 app seperately, but im sure you figured this out and you're delivering the policies via WCF using webHttp binding (RESTful style), if not, you should.
I think the problem is that when you run the webproject, it builds to your local IIS and executes from there, IIS will allow the SL3 app to communicate with ports/addresses different from the ones that the site is hosted on
when you run SL3 app natively, VS2008 auto generates a test html site for it to be hosted in with some default settings, and uses VS2008 built-in hosting service, which does not allow communication to an address/port different from that of the hosting address. (even though Silverlight is a client side library, VS2008 can do this)
so if you want to run the Silverlight application natively, meaning actually executing the XAP, you can deploy it to IIS, and configure IIS to deliver XAP files, or just install it and run it out of browser and let it update from IIS the deployed version
Just copy a clientaccesspolicy.xml file (for an example take a look at this post; you can even use this sample) into the root of your webserver (eg: c:\inetpub\wwwroot\).
This should help.
We have a Silverlight app which we wrote which calls a Silverlight-enabled data service. The Silverlight app cannot require a login, as it is required to present data to the unauthenticated public.
We have some schmoe who took the time to examine our Silverlight app, one way or another figure out what service it is calling, and then wrote his own client to slurp off the data so he can post it on his site and pretend like it is his. We need to prevent this.
How can i limit my data service somehow to ONLY accept requests from my silverlight app? I tried using the allow-from domain uri setting in the clientaccesspolicy.xml file to limit access to the service only from the domain in which the silverlight app sits (say mydomain.com). This did absolutely nothing though, and the service is still serving up requests to clients from outside the domain. (I tested this by putting my SL app on a different domain under our control).
What is the proper/best/most effective way to limit the data service so only our app can use it? Thanks!!!
I'm using SL 3 and .NET 3.5.
The clientaccesspolicy.xml tells the Silverlight application which Webservice it can consume. Not preventing people accessing the Webservice.
You can try using a authentication login even though its not required. This prevents 'schmoes' accessing your webservice.
Also use Dotfuscator to prevent 'schoes' to disassemble your Silverlight application and acquire the login.
Silverlight webservice security follows the same patterns you'd use for ASP.NET security, especially services exposed to AJAX. The best way to do make use of ASP.NET's authentication.
RIA Services is an even better way to handle this. It rides on top of the ASP.NET authorization, but validates on both the client and server-side automatically to combat service spoofing. It let you take care of both client and server-side authorization by adding attributes to your methods indicating that the method requires authorized access, and by which groups or users if you need to be specific.
In addition to wire-side security and obfuscation, remember that clients can attach a debugger to Silverlight applications running in their browser. See this example from MSDN Magazine's Security IQ Test, November 2008.