tags:

views:

172

answers:

2
+2  Q: 

how to limit access to a silverlight-enabled data service?

Hello all. We have a Silverlight app which we wrote which calls a Silverlight-enabled data service. The Silverlight app cannot require a login, as it is required to present data to the unauthenticated public.

We have some schmoe who took the time to examine our Silverlight app, one way or another figure out what service it is calling, and then wrote his own client to slurp off the data so he can post it on his site and pretend like it is his. We need to prevent this.

How can i limit my data service somehow to ONLY accept requests from my silverlight app? I tried using the allow-from domain uri setting in the clientaccesspolicy.xml file to limit access to the service only from the domain in which the silverlight app sits (say mydomain.com). This did absolutely nothing though, and the service is still serving up requests to clients from outside the domain. (I tested this by putting my SL app on a different domain under our control).

What is the proper/best/most effective way to limit the data service so only our app can use it? Thanks!!!

I'm using SL 3 and .NET 3.5.

+1  A: 

The clientaccesspolicy.xml tells the Silverlight application which Webservice it can consume. Not preventing people accessing the Webservice.

You can try using a authentication login even though its not required. This prevents 'schmoes' accessing your webservice.

Also use Dotfuscator to prevent 'schoes' to disassemble your Silverlight application and acquire the login.

rdkleine  2009-09-28 18:53:16
Thanks for the clarification. I am actually looking now at using SOAP headers to transit a private key, ... which would then also mean doing the obfuscation, and i guess also HTTPSing the service, so that he cannot snoop the information from the wire. Correct?
eidylon  2009-09-28 19:01:52
And to dotfuscate, i would assume you just unzip the xap, dotfuscate whatever dll's you may have made in there, then rezip it back to a xap file, yes?
eidylon  2009-09-28 19:02:23
Using SSL on the wire the information is secure.Haven't tried dotfuscating a silverlight app yet but they seem to support it though: http://preemptive.com/dotfuscator-professional-support-for-microsoft-silverlight-11-alpha.html
rdkleine  2009-09-28 19:37:48
+1  A: 

Silverlight webservice security follows the same patterns you'd use for ASP.NET security, especially services exposed to AJAX. The best way to do make use of ASP.NET's authentication.

RIA Services is an even better way to handle this. It rides on top of the ASP.NET authorization, but validates on both the client and server-side automatically to combat service spoofing. It let you take care of both client and server-side authorization by adding attributes to your methods indicating that the method requires authorized access, and by which groups or users if you need to be specific.

In addition to wire-side security and obfuscation, remember that clients can attach a debugger to Silverlight applications running in their browser. See this example from MSDN Magazine's Security IQ Test, November 2008.

Jon Galloway  2009-09-29 05:12:27

related questions

Silverlight DataBinding cross thread issue
Suggestions for migrating ASP.net app from 1.1 forward
Clone a control in silverlight
How to track if browser is Silverlight enabled
Image cropping C# without .net library
Large File Download
Image processing in Silverlight 2
ASP.NET vs. Silverlight
XAML - Accessing static fields
What's the best way to display a video with rounded corners in Silverlight?
How to do crossdomain calls from Silverlight?
Databind RenderTransform Scaling in Silverlight 2 Beta 2
Custom Attribute Binding in Silverlight
What is the purpose of the 'AppManifest.xaml' file in Silverlight applications?
Silverlight programatic access to Sony RZ30N Video Feed
Silverlight vs Flex
Version detection with Silverlight
What's your top feature request for Silverlight?
How do I update my UI from within HttpWebRequest.BeginGetRequestStream in Silverlight
Upload binary data with Silverlight 2b2
In silverlight, how to you attach a changeEvent handler to an inherited dependency property?
What is the easiest way to add compression to WCF in Silverlight?
What is the value-binding syntax in xaml?
Using SQLite with Visual Studio 2008 and Silverlight
Hiding inherited members in C#