views: 172

answers: 2

Hello all. We have a Silverlight app which we wrote which calls a Silverlight-enabled data service. The Silverlight app cannot require a login, as it is required to present data to the unauthenticated public.

We have some schmoe who took the time to examine our Silverlight app, one way or another figured out what service it is calling, and then wrote his own client to slurp off the data so he can post it on his site and pretend like it is his. We need to prevent this.

How can I limit my data service somehow to ONLY accept requests from my Silverlight app? I tried using the allow-from domain uri setting in the clientaccesspolicy.xml file to limit access to the service only from the domain in which the Silverlight app sits (say mydomain.com). This did absolutely nothing though, and the service is still serving up requests to clients from outside the domain. (I tested this by putting my SL app on a different domain under our control.)

What is the proper/best/most effective way to limit the data service so only our app can use it? Thanks!!!

I'm using SL 3 and .NET 3.5.

+1  A: 

The clientaccesspolicy.xml tells the Silverlight application which web service it can consume. It does not prevent people from accessing the web service.

You can try using an authentication login even though it's not required. This prevents 'schmoes' from accessing your web service.

Also use Dotfuscator to prevent 'schmoes' from disassembling your Silverlight application and acquiring the login.

rdkleine
Thanks for the clarification. I am actually looking now at using SOAP headers to transmit a private key, ... which would then also mean doing the obfuscation, and I guess also HTTPSing the service, so that he cannot snoop the information from the wire. Correct?
eidylon
And to Dotfuscate, I would assume you just unzip the xap, Dotfuscate whatever dll's you may have made in there, then rezip it back to a xap file, yes?
eidylon
Using SSL on the wire, the information is secure. Haven't tried Dotfuscating a Silverlight app yet, but they seem to support it though: http://preemptive.com/dotfuscator-professional-support-for-microsoft-silverlight-11-alpha.html
rdkleine
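The point made in this answer, that clientaccesspolicy.xml is read by the Silverlight plug-in and never enforced by the service, means the only check that actually stops a hand-written client is one the service performs itself on every request. The following is an added example (not code from the question or the answer) of a Silverlight-enabled WCF service that rejects unauthenticated callers server-side; the names PublicDataService, GetRecords and DataRecord, and the sample record, are assumed for illustration.

```csharp
// Added example: server-side authentication check in a Silverlight-enabled WCF service.
// Assumes ASP.NET forms authentication is configured for the site and that
// <serviceHostingEnvironment aspNetCompatibilityEnabled="true" /> is set in web.config,
// so the forms-auth cookie sent by the Silverlight client is available through HttpContext.
using System;
using System.Collections.Generic;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.Web;

[ServiceContract(Namespace = "")]
// Run inside the ASP.NET pipeline so HttpContext.Current is populated per request.
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class PublicDataService
{
    [OperationContract]
    public List<DataRecord> GetRecords()
    {
        // clientaccesspolicy.xml only tells the plug-in which sites a Silverlight app may
        // call across domains; it is not consulted by the service. This check is the one
        // that a foreign client cannot skip, because it runs on the server for every call.
        var user = HttpContext.Current == null ? null : HttpContext.Current.User;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
        {
            // A fault rather than data; the Silverlight proxy surfaces it as an exception.
            throw new FaultException("Authentication required.");
        }
        return LoadRecords();
    }

    private static List<DataRecord> LoadRecords()
    {
        // Constructed sample data standing in for the real data source.
        return new List<DataRecord> { new DataRecord { Id = 1, Name = "sample" } };
    }
}

public class DataRecord
{
    public int Id { get; set; }
    public string Name { get; set; }
}
```

The Silverlight client must authenticate first (for example against the ASP.NET AuthenticationService) so that the forms-auth cookie accompanies each service call, and the endpoint should be served over HTTPS so the cookie and credentials are not readable on the wire, which is the concern raised in the comments above.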
+1  A: 

Silverlight web service security follows the same patterns you'd use for ASP.NET security, especially services exposed to AJAX. The best way is to make use of ASP.NET's authentication.

RIA Services is an even better way to handle this. It rides on top of the ASP.NET authorization, but validates on both the client and server side automatically to combat service spoofing. It lets you take care of both client- and server-side authorization by adding attributes to your methods indicating that the method requires authorized access, and by which groups or users if you need to be specific.

In addition to wire-side security and obfuscation, remember that clients can attach a debugger to Silverlight applications running in their browser. See this example from MSDN Magazine's Security IQ Test, November 2008.

Jon Galloway
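As an added example of the attribute-based authorization this answer describes (not code from the answer or from RIA Services itself), here is a domain service where the class requires an authenticated caller and one operation additionally requires a role. The names PublicDataDomainService and DataRecord, the "Editor" role and the sample record are assumed for illustration; the namespaces are those of the released WCF RIA Services, and the preview that shipped alongside Silverlight 3 used different namespace names.

```csharp
// Added example: WCF RIA Services DomainService with authorization attributes.
// The server enforces these attributes on every call, and the generated Silverlight
// client code mirrors them, so a client written by hand gains nothing by omitting them.
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Linq;
using System.ServiceModel.DomainServices.Hosting;
using System.ServiceModel.DomainServices.Server;

public class DataRecord
{
    [Key]
    public int Id { get; set; }
    public string Name { get; set; }
}

// EnableClientAccess exposes the service to the Silverlight client.
// RequiresAuthentication at class level applies to every operation in the service.
[EnableClientAccess]
[RequiresAuthentication]
public class PublicDataDomainService : DomainService
{
    // Constructed in-memory store standing in for the real data source.
    private static readonly List<DataRecord> Store = new List<DataRecord>
    {
        new DataRecord { Id = 1, Name = "sample" }
    };

    // Any authenticated user may read; the class-level attribute is what gates this.
    public IQueryable<DataRecord> GetRecords()
    {
        return Store.AsQueryable();
    }

    // Writes are restricted further: only members of the assumed "Editor" role.
    // The role check is evaluated server-side against the ASP.NET role provider.
    [RequiresRole("Editor")]
    public void UpdateRecord(DataRecord record)
    {
        var existing = Store.FirstOrDefault(r => r.Id == record.Id);
        if (existing != null)
        {
            existing.Name = record.Name;
        }
    }
}
```

Because the attributes are checked in the server pipeline before the method body runs, obfuscating the XAP is not what protects the data here; the server's decision is, and it holds even when, as the answer notes, a client attaches a debugger to the application in the browser.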