This document discusses options for integrating security roles into Microsoft Silverlight applications. It begins by outlining Silverlight authentication and authorization options like Windows authentication and forms roles. It then discusses techniques for accessing user identity information and roles in Silverlight, such as passing data via initParams, using a security service, or the WebContext class in WCF RIA Services. The document recommends creating a SecurityManager class to simplify working with user credentials by handling asynchronous calls to retrieve data and integrating with MVVM patterns.
3. Agenda
- Silverlight Security Options
- Accessing User Identity Information
- Accessing User Roles
- Creating a SecurityManager class
4. Silverlight Security Options
Silverlight Authentication:
- Windows
- Forms
- Custom
Silverlight Authorization:
- Active Directory Groups
- Forms Roles
- Custom Roles
5. Windows Authentication Options
Option 1: Secure the page hosting the Silverlight control
- Easiest
- User is prompted for credentials
- Silverlight app is secured
Option 2: Secure the backend services
- Silverlight application is anonymous
- Calls to the services require credentials
- Client HTTP stack can be used
6. Using the Client HTTP Stack
    // Set once in App.xaml.cs so that https:// requests go through the client HTTP stack
    HttpWebRequest.RegisterPrefix("https://", WebRequestCreator.ClientHttp);
    ....
    // Later, supply explicit network credentials for a call to a secured service
    WebClient wc = new WebClient();
    wc.UseDefaultCredentials = false;
    wc.Credentials = new NetworkCredential("username", "password", "domain");
7. Agenda
- Securing Silverlight Applications
- Accessing User Identity Information
- Accessing User Roles
- Creating a SecurityManager class
8. Accessing a User's Credentials
Silverlight does not support accessing the User object directly (there is no User.Identity.Name on the client)
Options for accessing the user name:
- initParams (be careful!)
- Use a service
- WCF RIA Services
9. Passing the User Name with initParams
The user name can be passed dynamically into Silverlight using initParams
Be Careful!
11. Creating a User Credentials Service
Create a User Credentials WCF/ASMX service:
- Service handles returning the authenticated user's information
- No risk of a spoofed user name as with initParams
- Service can return additional information such as roles
- WCF RIA Services does this out-of-the-box
12. Returning a User Name from a Service
    [OperationContract]
    public string GetLoggedInUserName()
    {
        return new SecurityRepository().GetUserName(OperationContext.Current);
    }

    public class SecurityRepository
    {
        // Reads the Windows identity the service host authenticated; null for an anonymous caller
        public string GetUserName(OperationContext opContext)
        {
            return (opContext.ServiceSecurityContext != null &&
                    opContext.ServiceSecurityContext.WindowsIdentity != null)
                ? opContext.ServiceSecurityContext.WindowsIdentity.Name
                : null;
        }
    }
14. Agenda
- Silverlight Security Options
- Accessing User Identity Information
- Accessing User Roles
- Creating a SecurityManager class
15. Accessing User Roles
Options:
- Pass user roles into the application using initParams (be careful!)
- Create a security service operation that returns roles
16. Returning Roles from a Service
    [OperationContract]
    public List<Role> GetRoles()
    {
        return new SecurityRepository().GetRoles(OperationContext.Current);
    }

    public class SecurityRepository
    {
        public List<Role> GetRoles(OperationContext opContext)
        {
            // GetUserName is the method shown on slide 12
            var userName = GetUserName(opContext);
            var roles = new List<Role>();
            // Get roles for userName from Active Directory, Database, or elsewhere
            return roles;
        }
    }
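Added example, not code from the deck: one way to fill in the GetRoles body from slide 16 so that roles come from the group membership of the identity the service host authenticated, which is why the operation takes no user name from the client (slide 11's "no risk of a spoofed user name"). The Role type is assumed to be a DTO with a Name property, since the deck uses Role without defining it.

```csharp
using System.Collections.Generic;
using System.Security.Principal;
using System.ServiceModel;

// Assumed Role DTO with a Name; the deck uses Role but never shows its members.
public class Role { public string Name { get; set; } }

[ServiceContract]
public interface ISecurityService
{
    // Deliberately no userName parameter: the identity comes from the authenticated channel,
    // never from a value the Silverlight client (for example one taken from initParams) could alter.
    [OperationContract]
    List<Role> GetRoles();
}

public class SecurityRepository
{
    // Roles derived from the authenticated user's Windows / Active Directory group membership.
    public List<Role> GetRoles(OperationContext opContext)
    {
        var roles = new List<Role>();
        var ctx = opContext.ServiceSecurityContext;
        if (ctx == null || ctx.IsAnonymous || ctx.WindowsIdentity == null)
            return roles;                       // anonymous caller: no roles, no guessing

        foreach (IdentityReference group in ctx.WindowsIdentity.Groups)
        {
            try
            {
                // SID -> DOMAIN\GroupName; SIDs that cannot be resolved are skipped
                var account = (NTAccount)group.Translate(typeof(NTAccount));
                roles.Add(new Role { Name = account.Value });
            }
            catch (IdentityNotMappedException) { }
        }
        return roles;
    }
}

public class SecurityService : ISecurityService
{
    private readonly SecurityRepository repository = new SecurityRepository();
    public List<Role> GetRoles() { return repository.GetRoles(OperationContext.Current); }
}
```

The service must be hosted with Windows authentication enabled on the binding; otherwise WindowsIdentity is null and every caller gets an empty role list.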
18. Agenda
- Silverlight Security Options
- Accessing User Identity Information
- Accessing User Roles
- Creating a SecurityManager class
19. How do you access and manage user names and roles in a Silverlight application?
20. Creating a SecurityManager Class
A SecurityManager class can act as a client-side gateway to user credentials:
- Accesses user credentials asynchronously
- Determines the user's role(s)
- Determines access to a view
- MVVM compliant
- Added to the ViewModel base class through aggregation
21. The SecurityManager Class
    [Export(typeof(ISecurityManager))]
    [PartCreationPolicy(CreationPolicy.Shared)]
    public class SecurityManager : ISecurityManager
    {
        public event EventHandler UserSecurityLoaded;
        public bool IsUserSecurityLoadComplete { get; set; }
        public ObservableCollection<Role> UserRoles { get; set; }
        public string UserName { get; set; }
        public bool IsAdmin { get; }
        public bool IsInUserRole { get; }
        public bool IsValidUser { get; }

        // Member bodies are omitted on the slide; this is the outline of the class
        private void GetUserSecurityDetails() { }
        public bool CheckUserAccessToUri(Uri uri) { }
        public bool UserIsInRole(string role) { }
        public bool UserIsInAnyRole(params string[] roles) { }
    }
22. Using the SecurityManager Class
    public class ViewModelBase : INotifyPropertyChanged
    {
        [Import]
        public ISecurityManager SecurityManager { get; set; }
    }

    public class MainPageViewModel : ViewModelBase
    {
        public MainPageViewModel()
        {
            if (!IsDesignTime)
                SecurityManager.UserSecurityLoaded += SecurityManagerUserSecurityLoaded;
        }

        void SecurityManagerUserSecurityLoaded(object sender, EventArgs e)
        {
            IsAdmin = SecurityManager.IsAdmin;     // Set INPC property
            UserName = SecurityManager.UserName;   // Set INPC property
        }
    }
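Added example, not the deck's own code: a filled-in SecurityManager (slides 20 to 22) that raises UserSecurityLoaded once the security service's async call has returned, answers UserIsInRole / UserIsInAnyRole, and maps view Uris to required roles for CheckUserAccessToUri. Assumptions: Role has a Name property, the view-to-roles table (ViewAccess) and the OnUserSecurityReceived callback are invented for the example, and MEF attributes are left off.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.Linq;

// Assumed Role DTO with a Name; the deck uses Role but never shows its members.
public class Role { public string Name { get; set; } }

public class SecurityManager
{
    // Assumed view-to-roles map; an empty array means any authenticated user may open the view.
    private static readonly Dictionary<string, string[]> ViewAccess =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "/Views/Home.xaml",    new string[0] },
            { "/Views/Admin.xaml",   new[] { "Admin" } },
            { "/Views/Reports.xaml", new[] { "Admin", "Manager" } }
        };
    public event EventHandler UserSecurityLoaded;
    public bool IsUserSecurityLoadComplete { get; private set; }
    public ObservableCollection<Role> UserRoles { get; private set; }
    public string UserName { get; private set; }
    public bool IsValidUser { get { return IsUserSecurityLoadComplete && !string.IsNullOrEmpty(UserName); } }
    public bool IsAdmin { get { return UserIsInRole("Admin"); } }
    public SecurityManager() { UserRoles = new ObservableCollection<Role>(); }

    // Called from the security service's async completion callback with the server's answer.
    public void OnUserSecurityReceived(string userName, IEnumerable<Role> roles)
    {
        UserName = userName;
        UserRoles.Clear();
        foreach (var r in roles ?? Enumerable.Empty<Role>()) UserRoles.Add(r);
        IsUserSecurityLoadComplete = true;
        var handler = UserSecurityLoaded;   // copy so an unsubscribe cannot race the null check
        if (handler != null) handler(this, EventArgs.Empty);
    }
    // Fails closed: until the service has answered, nobody is in any role.
    public bool UserIsInRole(string role)
    {
        return IsUserSecurityLoadComplete &&
               UserRoles.Any(r => string.Equals(r.Name, role, StringComparison.OrdinalIgnoreCase));
    }
    public bool UserIsInAnyRole(params string[] roles) { return roles != null && roles.Any(UserIsInRole); }
    // Gates navigation in the UI only; the services behind each view still authorize on the server.
    public bool CheckUserAccessToUri(Uri uri)
    {
        string[] required;
        if (!ViewAccess.TryGetValue(uri.OriginalString, out required)) return false; // unknown view: deny
        return required.Length == 0 ? IsValidUser : UserIsInAnyRole(required);
    }
}
```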
24. Summary
- Silverlight doesn't provide direct access to user credentials
- Different techniques can be used to access a user name and roles:
  - Pass into initParams (be careful!)
  - Access data through a security service
  - Use WCF RIA Service's WebContext class
- The SecurityManager class can simplify the process of working with user credentials
  - Handles async calls to the security service
  - Stores user credentials and provides security logic
  - Integrates well with MVVM
25. Contact Info
Blog: http://weblogs.asp.net/dwahlin
Twitter: @DanWahlin
26. Related Content
- DEV209: From Zero to Silverlight in 75 Minutes
- DEV210: Microsoft Silverlight, WCF RIA Services and Your Business Objects
- DEV331: A Lap around Microsoft Silverlight 5
- DEV386HOL: Microsoft Silverlight Data Binding
- DEV388HOL: Web Services and Microsoft Silverlight
- DEV390HOL: Using the MVVM Pattern in Microsoft Silverlight Applications
28. Resources
Connect. Share. Discuss. http://northamerica.msteched.com
- Learning: Sessions On-Demand & Community, www.microsoft.com/teched
- Microsoft Certification & Training Resources: www.microsoft.com/learning
- Resources for IT Professionals: http://microsoft.com/technet
- Resources for Developers: http://microsoft.com/msdn
Option 1: Secure the page hosting the Silverlight control. Easiest approach. The Silverlight application isn't accessed until the user authenticates. The user is prompted for credentials, or credentials are passed through.
Option 2: Secure the backend services. Anonymous application access. Calls to services prompt for authentication credentials. Use the Client HTTP Stack to set network credentials programmatically (example shown next).
Use WCF RIA Service's WebContext class: WebContext.Current.Authentication.User
Be Careful! A hacker could change the value passed into initParams. If the application simply displays the user name, then there is no problem. If the application relies on the user name to look up roles and more from services, this can be a bad solution.
Be Careful! Embedding roles in initParams opens the application to spoofing. Returning roles from a service call is the best option.