views:

43

answers:

2

I am going to be developing an application for work, and I am trying to decide whether to use a Silverlight Business App or an ASP.NET Web App. My manager is concerned about the performance and download time it would take if I created the entire application as a Silverlight app, with authentication. I have been playing around with some tutorials over the last week trying to get a perspective on my situation and have come up with a design question I need to ask those that are more experienced than me.

Is it possible to use an ASP.NET application and just embed a Silverlight application in one of the pages that will be used inside a folder that is configured with the roles authorization? And if so, would it be possible to get user credentials from the client Silverlight app without passing them through the initParams?

I understand that I can set the authentication to "useCookies", so I was thinking I would be able to get the cookie on the client and hopefully get a property verifying if the user is authenticated.

Also, would this be a risky practice? Thanks for any advice and direction.

A: 

1.) It's absolutely possible to embed a Silverlight xap on an ASP.NET page.

2.) As far as credentials, using cookies could work, or you could pass in a token over initParams and validate that token via a web service to see if the user is valid.

It's always a risk passing credentials around, especially when it's running on a client's computer. That said, Silverlight buys you a lot, so don't let the challenge of authentication hold you back.

Corey Schuman
Yeah, the InitParams are out of the question. The manager sees it as a security risk. So it is possible to get the authenticated cookie??? I was trying to get the username and password from the membership role, but it was impossible to retrieve the password without turning off the encryption. And even if I was able to get it server side, how would I pass it to client without the initparams.
jhorton
Take a look at these two links - http://bit.ly/bjmRUs and http://bit.ly/aAS91F. They might help. My approach would be to create a token when the user logs on. Then pass the token into Silverlight via initParams (this shouldn't be any different than having an auth token in cookies). When a service call is made from Silverlight, I would then take that token and pass it along with the call.
Corey Schuman
+2  A: 

There are a few approaches you could take. While I know you don't want to expose the credential in init params, you could generate a "ticket" (claims-based authentication) for the credential, and include the ticket (for example, a GUID) in the init params. When the Silverlight application launches, it would consume the ticket, possibly validating it via a secured web service call, and the ticket would no longer be valid so even if someone spoofed it or viewed the source, it couldn't be used.

Quite a bit depends on your architecture. For example, if you are using the roles-based authentication, and most of the business logic and/or decision making is based on web service calls, the web services can use HttpContext.Current.Identity to validate the user. Even if someone opens the Silverlight application, any service calls would fail unless they were appropriately authenticated. Otherwise, I would either go with passing a ticket so Silverlight trusts the user is valid (you can create a service that accepts the Guid and returns the role information) or have the user log in from Silverlight (you have a service facing in front of the authentication mechanism and then return a ticket and/or role information).

It gets even more interesting if you decide to use WCF RIA, check out these examples for baked-in authentication: http://code.msdn.microsoft.com/RiaServices/Release/ProjectReleases.aspx?ReleaseId=2661

Jeremy Likness
This is a solid idea. I have done something similar in the past to share an authentication scheme between ASP.NET pages and an ActiveX control that manipulated db data. Only diff: I tend to call the idea a security token (I've seen it called a cookie as well in COM documentation).
Paul Sasik
I believe I did go through the RiaServices authentication tutorial, and honestly loved it. Unfortunately I'm constrained to using a component they built for data access. Personally, I would love to use the Microsoft Technology, but I also love getting a paycheck just as much. And I'll look into your "claims based authentication". Thanks for the ideas.
jhorton
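The single-use ticket scheme from the accepted answer (issue a random ticket to the logged-in user, hand it to Silverlight via initParams, let a service redeem it exactly once and return the role information), as an added example that is not part of the original thread. It is written in Python as a stand-in for the ASP.NET server-side logic; the `TicketStore` class, its method names and the sample users and roles are constructed for illustration and are not anything the answerers posted.

```python
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Ticket:
    """What the server remembers about an issued ticket (never sent to the client)."""
    user: str
    roles: tuple
    expires_at: float


class TicketStore:
    """Server-side store of single-use login tickets.

    Stand-in for the ASP.NET side of the scheme; a real deployment would keep
    this in a shared cache or database so every web server can redeem tickets.
    """

    def __init__(self, ttl_seconds=60, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock          # injectable so expiry can be tested
        self._tickets = {}           # token -> Ticket

    def issue(self, user, roles):
        """Called when the user has logged in to the ASP.NET page.

        Returns the opaque token the page writes into the Silverlight initParams.
        The answer suggests a GUID; any unguessable random value works, and the
        token carries no credential, only a reference to server-side state.
        """
        token = secrets.token_urlsafe(32)
        self._tickets[token] = Ticket(user, tuple(roles), self._clock() + self._ttl)
        return token

    def redeem(self, token):
        """Called by the secured web service the Silverlight app hits on startup.

        pop() makes the ticket single-use: a token copied out of the page source
        or replayed later returns None, which the service should treat as
        'not authenticated'. Expired tickets are also rejected.
        """
        ticket = self._tickets.pop(token, None)
        if ticket is None or self._clock() > ticket.expires_at:
            return None
        return ticket


if __name__ == "__main__":
    store = TicketStore(ttl_seconds=60)
    tok = store.issue("jhorton", ["Editor"])   # constructed sample user/role
    print("first redeem :", store.redeem(tok))  # Ticket(user='jhorton', ...)
    print("second redeem:", store.redeem(tok))  # None: ticket already consumed
```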