I'm attempting to write some tests using the Silverlight Unit Test Framework (the unsupported, unofficial MS library Microsoft.Silverlight.Testing). I need to impersonate three different users when testing some functionality of our application.
Our application is for internal use at our company, so the authenticated user may get different functionality based on security groups they are members of (e.g. read/write permission, read-only, no access).
The Microsoft.VisualStudio.TestTools.UnitTesting.Web namespace has the CredentialAttribute for impersonating different users when testing an ASP.NET app, but that's not available in Microsoft.Silverlight.Testing.
Any suggestions on how to accomplish this? The simplest working solution will win a prize (my never-ending appreciation)!
Everything in the Silverlight unit test framework (and Silverlight platform) is going to be truly client-side, so what you're talking about is changing the authenticated user to the server, and its web services, I assume.
That's a difficult task, instead I'd recommend mocking the business objects/logic to allow you to swap out the underlying user type for your testing.
Related
I have a silverlight application backed by RIA services & EntityFramework. Users log in directly in the silverlight application. We have the [RequiresAuthentication] attribute on the DomainService and have implemented custom MembershipProvider/AuthenticationBase<UserBase> for custom authentication utilizing "forms authentication". All of this is working well to authenticate users.
The problem is that users with laptops using wifi will travel through the building and hand off between wifi access points. As soon as that handoff occurs, the users session is immediately terminated - with no notice to the user. I would like some way to make the session more resilient. Asp.Net's out-of-the-box forms authentication seems to do this well - as long as you are inside the session timeout and you haven't deleted your cookies, you are good to go regardless of any temporary connectivity issues. What can I do to get my Silverlight app to be at least as resilient as a standard asp.net app?
One thing that might be the issue, is that I haven't implemented many of the functions in the MembershipProvider - really only ApplicatinName and ValidateUser(). Could that be the source of my problem?
I'm consuming a lot of WCF Services from a Silverlight application in a totally disconnected-way.
I want to ensure that I know the user who is calling every service and I don't know if there is a "standar way".
I've thought of a Login method to get a Token and then pass the username and its token in every call to ensure he/she is logged and has permissions to execute it.
Is there any "almost-done" way with ASP.NET authorization in my own SQL Server? Or I can only use its tables but I'll have to do it "manually"???
Thanks in advance!!!
It sounds like using ASP.NET Membership might be a good fit for you. There's two approaches you an use with this. The first is to use the default membership tables as generated by aspnet_regiis. This option has the advantage of being basically done for you. In this case, all you'd need to do is run the aspnet_regiis tool, then add the necessary portions to the Web.config for your WCF service as described here. Then, when calling the service you need to set credentials for your binding as described here - specifically the portion about setting ClientCredential for your binding when consuming the service.
The other option is to write your own custom membership provider as described here. This allows you to do whatever you want behind the scenes in terms of storing and managing your users, rather than using the pre-built ASP.NET mechanisms. This is a good approach if you're mating with an existing user base or want to have more control over how things are implemented.
Also, keep in mind that ASP.NET Membership isn't your only option for securing your WCF service. Spend some time reading up on your options, which include:
Windows Authentication and Windows Authorization via transport level security on basicHttpBinding
Windows Authentication and Windows Authorization via message level security on wsHttpBinding
UsernamePasswordToken Authentication with ASP.NET Membership and ASP.NET Role Authorization via message level security on wsHttpBinding
UsernamePasswordToken Authentication with custom validator via message level security on wsHttpBinding
Authorization using a custom Authorization Policy
Impersonation using Windows credentials
That list comes from this blog post, which is a good place for you to start exploring your options. Reading up on them will give you the opportunity to learn the strengths, weaknesses, and features of each so that you can choose the one that best suits your purposes. You can also begin with the MSDN articles on WCF security here.
In summary, yes there is an "almost-done" way to do it with ASP.NET Membership, and it shouldn't be too hard to implement, but take some time to explore your other options as well before just diving in with one, because they all have trade-offs and you don't want to have to re-implement it in the future if you decide the approach you chose is a bad fit.
One way to do this is if you can impersonate all users for that You need to add following in your service behaviour
<serviceAuthorization impersonateCallerForAllOperations="true" />
more details here http://msdn.microsoft.com/en-us/library/ms731090.aspx
and if you want to know the user then inside your service methods you can use
System.Threading.Thread.CurrentPrincipal.Identity.Name
to find the user name who is using your services
Edit:
You can use membership api details here
http://msdn.microsoft.com/en-us/library/ms731049.aspx
http://blogs.msdn.com/b/pedram/archive/2007/10/05/wcf-authentication-custom-username-and-password-validator.aspx
http://social.msdn.microsoft.com/forums/en-US/asmxandxml/thread/8a679fb2-e67e-44a9-b491-eb95d5144068
I've got a Silverlight application that will be running out on the open internet, available to basically everyone who has ever lived.
The application makes use of RIA Services to manipulate data in a database on the server.
The application creates, reads, updates, and deletes data of different varieties, however I only want these operations to occur from within the application.
This brings about two questions:
Is there a particular recommendation for what type of Authentication to use? Forms or Windows?
Is there a way to prevent someone from "linking" to the application? That is to say, copying the HTML from the containing page, pasting it in their own HTML page on their local machine and running it? The end goal would be to only allow the application to be run when it is embedded in a page requested directly from my server and my server alone?
If your application is being used on an internal network, then Windows authentication is best. Otherwise (as is your case) use Forms authentication.
Silverlight automatically prevents applications (unless they're running with elevated trust) from accessing resources on the Internet (web services, HTML, etc) that are not from the domain that the application originated from, unless that domain has a cross-domain policy file in its root. The Silverlight runtime prevents this (not the server), so this a client based security feature - not server based. By not having a cross-domain policy file in place on your server, your application will only be able to communicate with your domain services when it is run from your server (as you are after). The application will run, but calls to those services will fail.
You could always do a check for what domain the application originated from in code, and match it to a hard-coded domain name if you want to prevent the application running at all from other domains.
Hope this helps...
Chris
I am going to be developing an application for work, and I am trying to decide whether to use Silverlight Business App or Asp.Net Web App. My manager is concerned about the performance and download time it would take if I created the entire application as a Silverlight app, with authentication. I have been playing around with some tutorials over the last week trying to get a perspective on my situation and have come up with a design question I need to ask those that are more experienced than me.
Is it possible to use a Asp.Net application and just embed a silverlight application in one of the pages that will be used inside a folder that is configured with the roles authorization? And if so, would it be possible to get user credentials from the client silverlight app without passing them through the initParams.
I understand that I can set the authentication to "useCookies", so I was thinking I would be able to get the cookie on the client and hopefully get a property verifying if the user is authenticated.
Also, would this be a risky practice? Thanks for any advice and direction.
There are a few approaches you could take. While I know you don't want to expose the credential in init params, you could generate a "ticket" (claims-based authentication) for the credential, and include the ticket (for example, a GUID) in the init params. When the Silverlight application launches, it would consume the ticket, possibly validating it via a secured web service call, and the ticket would no longer be valid so even if someone spoofed it or viewed the source, it couldn't be used.
Quite a bit depends on your architecture. For example, if you are using the roles-based authentication, and most of the business logic and/or decision making is based on web service calls, the web services can use HttpContext.Current.Identity to validate the user. Even if someone opens the Silverlight application, any service calls would fail unless they were appropriately authenticated. Otherwise, I would either go with passing a ticket so Silverlight trustst the user is valid (you can create a service that accepts the Guid and returns the role information) or have the user log in from Silverlight (you have a service facing in front of the authentication mechanism and then return a ticket and/or role information).
It gets even more interesting if you decide to use WCF RIA, check out these examples for baked-in authentication:
http://code.msdn.microsoft.com/RiaServices/Release/ProjectReleases.aspx?ReleaseId=2661
1.) It's absolutely possible to embed a Silverlight xap on an ASP.NET page.
2.) As far as credentials, using cookies could work, or you could pass in a token over initparams and validate that token via a web service to see if the user is valid
It's always a risk passing credentials around, especially when it's running on a clients computer. That said, Silverlight buys you a lot, so don't let the challenge of authentication hold you back.
I have a Silverlight application that needs to retrieve some data from my database. This data is sensitive. Because of this, I only want my Silverlight application to be able to access the data. How do I ensure that only my applications can access the services that expose this data? Is there a way that I can validate a client attempting to retrieve the data?
Thank you!
These might be of interest:
Using ASP.NET Secure Services and Applications Services
Build Line-Of-Business Enterprise Apps With Silverlight, Part 2
MS Whitepaper: Security Guidance for Writing and Deploying Silverlight Applications
Well, everything your SL application does could be spoofed. So direct answer is NO, you cannot ensure that only your application will access to the data.
But there are number of options. For example you can implement authorization and then authenticate your user. In this way you can ensure that only users you trust access to the data.
Another option is to make spoofing harder. For example you can include sort of "secrete" token to all your requests. So other application will need to steal this token. This harder to achieve.
I think this question is more pertaining into implementing a web service or wcf service with authentication and authorization. If your service takes care of it, then you can be ensured about your data. Your silvelight app is just calling the service.
Whoever download the xap can decompress and reverse engineer your code, so your best bet is to build a web service as others suggested. Silverlight Ria ships with a full blown authentication membership that you can leverage.