Moving an asp.net site to silverlight, access and security?
9 replies. Latest Post by stkmks on November 4, 2008.
stkmks
Member
19 points
9 Posts
10-23-2008 5:38 AM |
Hey,
I currently have a codebase in asp.net that would benefit from being ported to silverlight 2. Thinking about the problem a bit more, just had some questions for people smarter than me:
Given silverlight is client side, I'm going to need to expose server logic and data to it. Creating an asmx web service is a great experience, so that would be my preferred option but:
- My site is currently using asp.net membership. Is it possible to integrate this into a web service? Asking google seems to hint at no, it's not. If anyone knows otherwise, could you suggest an article or tutorial on how to do this?
If anyone has some better broad approaches that would be easier than putting up a web service (there's a namespace or two of code I'd have to create wrappers for, and continually keep doing as it grows) would be great. I'd like to keep everything secure, though ssl encrypted transports are good enough. Also I'd like to keep asp.net membership.
My site currently has linq hidden off in some 'business logic' which presents via asp.net. It's a basic data driven site, nothing too fancy.
Any suggestions or approaches would be appreciated. Can MS write a nice API that does all that and works with IIS for us? :)
Ken Tucker
All-Star
16144 points
2,463 Posts
10-23-2008 7:02 AM |
You cannot get the asp.net membership info directly in a silverlight app. You can however call a webservice and get the info. Here is a simple example I have used for getting the user info
    <OperationContract()> _
    Public Function GetUserInfo() As List(Of String)
        ' Add your operation implementation here
        Dim lst As New List(Of String)
        Dim context As HttpContext = HttpContext.Current
        ' Not signed in: return nothing rather than an empty list
        If Not context.User.Identity.IsAuthenticated Then
            Return Nothing
        End If
        ' First entry is the user name, the remaining entries are the user's roles
        lst.Add(context.User.Identity.Name)
        For Each r In Roles.GetRolesForUser(context.User.Identity.Name)
            lst.Add(r)
        Next
        Return lst
    End Function
jakkaj
Participant
904 points
146 Posts
10-23-2008 7:06 AM |
You can use the Authentication Application Service to check forms authentication from Silverlight. This will in turn check your custom membership provider and so on.
This article shows you how to use custom membership and forms authentication from Silverlight.
http://blog.webjak.net/2008/08/13/silverlight-windows-live-id/ (and a video here on the same content http://blog.webjak.net/2008/08/13/silverlight-and-windows-live-id-video/). Skip around the Windows Live stuff, it's all the same apart from that :)
Jordan.
10-23-2008 7:12 AM |
Hi,
That looks ok, but would this example assume a user has logged in already though one of the aspx pages?
How could membership work on a request made from the silverlight app to a webservice on the server? Or how could the server tell that an incoming web service call is from a -something- that has been authenticated by membership?
Thanks. Descriptions of broad approaches would still be good.
marcus
ps. on a tangent I guessed the scenario of 'silverlight knowing about asp.net membership authentication' wouldn't work. When trying a similar idea with flash, a page could be quite happily authenticated, but without passing some user based info through a query string any requests made from swf's on the same page are unknown to be authenticated.
pps. thanks for those links. will check them out.
10-23-2008 7:19 AM |
First the user signs in the usual way by using forms auth. Then you can set your WCF services to ASP.NET Compatibility mode (see here for more information http://blogs.msdn.com/wenlong/archive/2006/01/23/516041.aspx)
The take away here is that when calling things from silverlight it automatically includes the authentication cookies etc in the browser as it uses the browser network stack to make the calls just like a standard ASPX or AJAX request.
10-23-2008 10:00 PM |
Thanks for your responses.
Seems that I was mistaken. Long story short, doing the following works for authentication:
- Have an existing asp.net membership setup.
- Login to membership via the asp.net login control on an aspx page.
- Check for status in a web service method using:
    HttpContext current = HttpContext.Current;
    if (current.User.Identity.IsAuthenticated)...
Everything's maintained with the request from silverlight. I didn't have to do anything to set compatibility mode.. but the article seems to be referring to a wcf service as opposed to asmx..?
That proof of concept is enough to get started. Having the asmx public on my server doesn't make me feel that good either, but at least there are a number of ways to disable the documentation page, will use one of those.
Also guess I need to bite the bullet and web service all the interfaces. Was thinking about using reflection and writing one generic web method with a bunch of constants somewhere, but you lose type then.. (Alas.. yes, I'd still like to pass the problem of client to server communication to someone else, if possible :))
Thanks again for the pointer for asp.net membership + web services.
Sopheap Ly
902 points
205 Posts
10-25-2008 12:48 PM |
You have to think twice before exposing a web service to your Silverlight application, because anyone can literally compromise your system, steal private information, etc, by just calling your unprotected web service. This is an extensive topic to discuss here. You should grab a WCF book.
Really you would need to dig into Stateful SCT Secure Session Binding with a decent user authentication configuration. Plus you would need to explicitly set the PrincipalPermissionAttribute like below to restrict access to a certain user role.
    <PrincipalPermission(SecurityAction.Demand, Authenticated:=True, Role:="Administrators")> _
    Public Function GetAllUsers() As MicroCreditorUser()
        ' Return the private information of all users to administrators only
        ' If a stranger calls this function, s/he will get a welcome exception thrown in the face.
    End Function
10-26-2008 6:56 PM |
Hi Sopheap,
Would returning from the web method if the user wasn't authenticated answer your security concern, or is there something more? Please let me know if there is!!
Thanks.
    [WebMethod]
    public bool DoSomething()
    {
        HttpContext current = HttpContext.Current;
        if (!current.User.Identity.IsAuthenticated)
        {
            return false; // or throw an exception.
        }
        // Authenticated: the actual work goes here.
        return true;
    }
10-28-2008 12:10 AM |
Hi stkmks,
Checking if users are authenticated is not enough. Some function members especially the ones that give out mass information (e.g. all users, all files, etc) should be allowed to execute by authenticated administrators only.
You should use the PrincipalPermissionAttribute to create such a permission rule. You won't have to manually write more lines to check whether a user is authenticated or a user belongs to a user role. The .NET framework will automatically throw the necessary exception for you.
You can see my previous post for the example on how to use PrincipalPermissionAttribute. Hope it helps.
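The difference between an authenticated-only check and a role demand, as an added example that is not part of the original posts: a C# console program for the .NET Framework that calls the same two methods as an anonymous caller, a signed-in non-administrator and an administrator. `UserService`, `GetMyName`, the user names and the role lists are hypothetical and constructed; in a hosted service the thread principal comes from the forms-authentication ticket instead of being set by hand.

```csharp
// Added example (not from the thread). Targets the .NET Framework, where
// declarative PrincipalPermission demands are enforced at run time.
using System;
using System.Security;
using System.Security.Permissions;
using System.Security.Principal;
using System.Threading;

public class UserService   // hypothetical service class
{
    // Any signed-in user may call this.
    [PrincipalPermission(SecurityAction.Demand, Authenticated = true)]
    public string GetMyName()
    {
        return Thread.CurrentPrincipal.Identity.Name;
    }

    // Mass-data method: signed-in members of "Administrators" only.
    [PrincipalPermission(SecurityAction.Demand, Authenticated = true, Role = "Administrators")]
    public string[] GetAllUsers()
    {
        return new[] { "alice", "bob" };   // constructed sample data
    }
}

public static class Demo
{
    // Runs a call as the given principal and reports whether the demand passed.
    static string CallAs(IPrincipal principal, Func<object> call)
    {
        Thread.CurrentPrincipal = principal;
        try { call(); return "allowed"; }
        catch (SecurityException) { return "denied (SecurityException)"; }
    }

    public static void Main()
    {
        var svc = new UserService();
        // An empty identity name means IsAuthenticated == false.
        var anonymous = new GenericPrincipal(new GenericIdentity(""), new string[0]);
        var member = new GenericPrincipal(new GenericIdentity("carol"), new[] { "Members" });
        var admin = new GenericPrincipal(new GenericIdentity("dave"), new[] { "Administrators" });

        Console.WriteLine("anonymous GetMyName:   " + CallAs(anonymous, () => svc.GetMyName()));
        Console.WriteLine("member    GetMyName:   " + CallAs(member, () => svc.GetMyName()));
        Console.WriteLine("member    GetAllUsers: " + CallAs(member, () => svc.GetAllUsers()));
        Console.WriteLine("admin     GetAllUsers: " + CallAs(admin, () => svc.GetAllUsers()));
    }
}
```

The third call is the case an `IsAuthenticated` check alone lets through: the caller is signed in but is not in the required role, and the demand rejects it before the method body runs.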
11-04-2008 10:05 PM |
Thanks. I see what you mean about roles.
A few weeks and tutorial videos later, the solution to my question was well demonstrated in one of the videos:
http://silverlight.net/learn/learnvideo.aspx?video=56228
It demos using asp.net authentication after logging in from the asp.net login control, and from native silverlight controls calling the same function. The wcf stuff was a bit sticky since I've never used it before, but he shows a way to also get asp membership roles and profiles from silverlight.