I made a toy Silverlight application. It gets some arbitrary XML from a domain service and stuffs it in a datagrid.
What I'd like to do is implement access control for the service and the Silverlight control. For example, I'd like to allow access only to logged-in users, while denying access to anonymous users.
With forms authentication, I can control access to ASPX files, either by directory, or by file: I tell it to allow authorized users only, and IIS cheerfully redirects anonymous users to a login page. But whatever I do, I can't prevent unauthenticated users from accessing anything other than ASPXs.
For example: I put "<deny users="?"/>" on the ClientBin directory, the XAP file itself, the bin directory where the service DLL lives, and on the service DLL itself. There's an ASPX file that hosts the Silverlight control; I leave that accessible by anybody. I load the page and it loads the data just fine. The security on the service and the XAP has no effect.
Am I missing something obvious, or do I have to implement access control by hand in the service and the Silverlight UI widget?
UPDATE:
If I put "<deny users="?"/>" in the top-level authorization tag, while explicitly allowing non-authenticated access to the page that hosts the Silverlight control, I get no rows back from the service. This actually does the job I'm concerned about doing here, though it answers no questions about how this all actually works.
If I then add location tags with "<allow users="?"/>" for the service directory and DLL, nothing changes -- which I'd expect, since explicit "deny" doesn't work either for those two.
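For readers following along, here is the web.config shape the UPDATE describes, written out as an added example rather than the asker's own file: a site-wide deny for anonymous users, with one location override so the page that hosts the Silverlight control stays public. The page name SilverlightHost.aspx and the login URL are assumptions; note that the site-wide rule only protects requests that actually run through the ASP.NET pipeline, which is why per-directory rules on ClientBin or the XAP behave differently from rules on the service endpoint.

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Forms authentication: anonymous users are redirected here -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx" />   <!-- assumed login page -->
    </authentication>

    <!-- Site-wide rule: "?" means anonymous users. Because this sits at
         the top level, it also covers the domain service endpoint the
         Silverlight client calls, so unauthenticated calls return nothing. -->
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>

  <!-- Override for the one page that must stay reachable by anybody,
       so the Silverlight host page itself still loads. -->
  <location path="SilverlightHost.aspx">   <!-- assumed host page name -->
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>

  <!-- The login page must also be reachable anonymously, or the redirect loops. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

A quick way to confirm the rule is effective is to request the service endpoint directly in a browser without a session cookie and check that you get the login redirect rather than data.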