tags:

views:

3110

answers:

2
+2  Q: 

Silverlight user authentication

I am currently developing a Silverlight 3 app that needs some sort of user authentication, because the data pulled from a WCF service is user specific. Target audience is the regular Internet - so there is no AD to authenticate against.

Here are some of the questions I have concerning that situation:

  • Is there a framework or other mechanism that would support me?
  • Would you recommend authentication within the Silverlight app or via outside mechanisms like forms auth? Which is more secure?
  • What about out-of-browser support?
+2  A: 

I would consider using the the authentication classes that exist in ASP.NET. You can then use .NET RIA Services (or even simply, WCF) to communicate with authentication service.

Consider this article as a primer.

billb  2009-07-12 15:49:02
Do you have experience with this solution?
Tobias Hertkorn  2009-07-13 14:49:17
Yes. I used SL3 and .NET RIA Services. It's a proof of concept application that I'm working on, but I can create and log users in remotely.
billb  2009-07-13 15:11:42
+1  A: 

I used ASP.NET's authentication. Just use a MembershipProvider (or implement your own). Then go to http://www.silverlightshow.net/items/Accessing-the-ASP.NET-Authentication-Profile-and-Role-Service-in-Silverlight.aspx to check out how you can expose the authentication service.

Then in your WCF service, you do the following (hosted in ASP):

public class MyWCFService : IMyWCFService 
{
        // retrieve your UserId from the MembershipProvider
        private int GetUserId()
        {
            MembershipUser user = Membership.GetUser();
            int userId = (int)user.ProviderUserKey;
            return userId;
        }

        // check if user is authenticated
        private bool IsUserAuthenticated()
        {
            return HttpContext.Current.User.Identity.IsAuthenticated;
        }

        public void Subscribe()
        {
            if (!IsUserAuthenticated())
            {
                throw new SecurityException("You must be authenticated to be able to use this service.");
            }

            int userId = GetUserId();
            DoStuff(userId);
        }
}

Hope that helps.

R4cOON  2009-07-15 12:18:07

related questions

Encryption in C# Web-Services
How Do You Secure database.yml?
ASP.NET LocationProvider
What do you (or your company) use for wiping a machine?
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
Java: What is the best way to SFTP a file from a server
How do I call a Flex SWF from a remote domain using Flash (AS3) ?
Best way to store a database password in a startup script / config file?
Using VM to get around VPN restrictions
Best references for secure coding practices in ASP.NET and classic ASP.
Secure Memory Allocator in C++
Resolving Session Fixation in JBoss
Best Practices for securing a REST API / web service
Defensive programming
Personal Linux web server
Block user access to internals of a site using HTTP_REFERER
Is there an Unobtrusive Captcha for web forms?
My website got hacked... What should I do?
What all do I need to escape when sending a (My)SQL query?
How do you disable browser Autocomplete on web form field / input tag?
Best .NET obfuscation tools/strategy
Are there best practices for testing security in an Agile development shop?
What is the best way to avoid SQL injection attacks?
Found a critical bug, but the company doesn't care
PHP Session Security