I've got a Silverlight application that will be running out on the open internet, available to basically everyone who has ever lived.

The application makes use of RIA Services to manipulate data in a database on the server.

The application creates, reads, updates, and deletes data of different varieties; however, I only want these operations to occur from within the application.

This brings about two questions:

  1. Is there a particular recommendation for what type of Authentication to use? Forms or Windows?
  2. Is there a way to prevent someone from "linking" to the application? That is to say, copying the HTML from the containing page, pasting it in their own HTML page on their local machine and running it? The end goal would be to only allow the application to be run when it is embedded in a page requested directly from my server and my server alone?

+2  A:

  1. If your application is being used on an internal network, then Windows authentication is best. Otherwise (as is your case) use Forms authentication.

  2. Silverlight automatically prevents applications (unless they're running with elevated trust) from accessing resources on the Internet (web services, HTML, etc.) that are not from the domain that the application originated from, unless that domain has a cross-domain policy file in its root. The Silverlight runtime prevents this (not the server), so this is a client-based security feature, not a server-based one. By not having a cross-domain policy file in place on your server, your application will only be able to communicate with your domain services when it is run from your server (as you are after). The application will run, but calls to those services will fail.

You could always do a check for what domain the application originated from in code, and match it to a hard-coded domain name if you want to prevent the application running at all from other domains.

Hope this helps...

Chris

Chris Anderson
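
The origin check suggested in the answer above could look like the following. This is an added example, not code from the original answer; `AllowedHost` and `MainPage` are assumed placeholder names, and the check compares both the XAP's download location and the embedding page against one hard-coded host.

```csharp
using System;
using System.Windows;
using System.Windows.Browser;
using System.Windows.Controls;

public partial class App : Application
{
    // Assumption: placeholder for the single host allowed to serve the XAP and its page.
    private const string AllowedHost = "app.example.com";

    public App()
    {
        Startup += OnStartup;
    }

    private static bool IsAllowed(Uri uri)
    {
        // Exact host comparison. A suffix or Contains() test would also accept
        // look-alike names such as app.example.com.other.test.
        // A page opened from disk has the file: scheme and an empty host, so it fails here.
        return uri != null
            && uri.IsAbsoluteUri
            && (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps)
            && string.Equals(uri.Host, AllowedHost, StringComparison.OrdinalIgnoreCase);
    }

    private void OnStartup(object sender, StartupEventArgs e)
    {
        // Where the .xap itself was downloaded from.
        Uri xapSource = Host.Source;

        // The page embedding the plug-in. A copied page can still point its <object>
        // tag at the original .xap, so the XAP source alone is not enough.
        // If HTML access is disabled the page cannot be inspected; treat that as a failure.
        Uri hostPage = HtmlPage.IsEnabled ? HtmlPage.Document.DocumentUri : null;

        if (IsAllowed(xapSource) && IsAllowed(hostPage))
        {
            RootVisual = new MainPage(); // assumed name of the project's root UserControl
        }
        else
        {
            RootVisual = new TextBlock { Text = "This application cannot run from this location." };
        }
    }
}
```

Like the cross-domain restriction described in the answer, this check runs on the client, so it only controls where the plug-in agrees to start. What the server itself enforces is the Forms authentication from point 1.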