Integrating Security Roles into Microsoft Silverlight Applications
  • Option 1: Secure page hosting Silverlight control:
    Easiest approach
    Silverlight application isn't accessed until user authenticates
    User prompted for credentials or credentials are passed through
    Option 2: Secure backend services
    Anonymous application access
    Calls to services prompt for authentication credentials
    Use Client HTTP Stack to set network credentials programmatically (example shown next)
  • Use WCF RIA Service's WebContext class: WebContext.Current.Authentication.User
  • Be Careful!
    Hacker could change value passed into initParams
    If application simply displays the User Name then no problem
    If application relies on User Name to lookup roles and more from services this can be a bad solution
  • Be Careful!
    Embedding roles in initParams opens the application to spoofing
    Returning roles from a service call is the best option

Integrating Security Roles into Microsoft Silverlight Applications Presentation Transcript

  • 1.
  • 2. Integrating Security Roles into Microsoft Silverlight Applications
    DEV356
    Dan Wahlin
    Wahlin Consulting
  • 3. Agenda
    Silverlight Security Options
    Accessing User Identity Information
    Accessing User Roles
    Creating a SecurityManager class
  • 4. Silverlight Security Options
    Silverlight Authentication:
    Windows
    Forms
    Custom
    Silverlight Authorization:
    Active Directory Groups
    Forms Roles
    Custom Roles
  • 5. Windows Authentication Options
    Option 1: Secure page hosting Silverlight control
    Easiest
    User prompted
    Silverlight app secured
    Option 2: Secure backend services
    Silverlight application is anonymous
    Calls to service require credentials
    Client HTTP stack can be used
  • 6. Using the Client HTTP Stack
    //Set once in App.xaml.cs
    HttpWebRequest.RegisterPrefix("https://", WebRequestCreator.ClientHttp);
    ....
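    WebClient wc = new WebClient();
    wc.UseDefaultCredentials = false;
    //Placeholder literals: collect credentials from the user at run time;
    //anything compiled into the XAP can be read by whoever downloads it
    wc.Credentials = new NetworkCredential("username", "password", "domain");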
  • 7. Agenda
    Securing Silverlight Applications
    Accessing User Identity Information
    Accessing User Roles
    Creating a SecurityManager class
  • 8. Accessing a User's Credentials
    Silverlight does not support accessing the User object directly
    User.Identity.Name
    Options for accessing the user name:
    initParams (be careful!)
    Use a service
    WCF RIA Services
  • 9. Passing the User Name with initParams
    User Name can be passed dynamically into Silverlight using initParams
    Be Careful!
  • 10. Using initParams
    <param name="initParams" value="UserName=<%=User.Identity.Name%>" />

    private void Application_Startup(object sender, StartupEventArgs e) {
        ProcessInitParams(e.InitParams);
        this.RootVisual = new MainPage();
    }
    void ProcessInitParams(IDictionary<string, string> initParams) {
        if (initParams != null) {
            foreach (var item in initParams) {
                this.Resources.Add(item.Key, item.Value);
            }
        }
    }
  • 11. Creating a User Credentials Service
    Create a User Credentials WCF/ASMX service:
    Service handles returning authenticated user's information
    No risk of a spoofed User Name as with initParams
    Service can return additional information such as roles
    WCF RIA Services does this out-of-the-box
  • 12. Returning a User Name from a Service
    [OperationContract]
    public string GetLoggedInUserName() {
        return new SecurityRepository().GetUserName(OperationContext.Current);
    }
    public class SecurityRepository {
        public string GetUserName(OperationContext opContext) {
            //Name comes from the authenticated WCF call, not from the client
            return (opContext.ServiceSecurityContext != null &&
                    opContext.ServiceSecurityContext.WindowsIdentity != null)
                ? opContext.ServiceSecurityContext.WindowsIdentity.Name
                : null;
        }
    }
  • 13. demo
    Accessing an Authenticated User's User Name
  • 14. Agenda
    Silverlight Security Options
    Accessing User Identity Information
    Accessing User Roles
    Creating a SecurityManager class
  • 15. Accessing User Roles
    Options:
    Pass user roles into application using initParams
    Create a security service operation that returns roles
    Be Careful!
  • 16. Returning Roles from a Service
    [OperationContract]
    public List<Role> GetRoles()
    {
        return new SecurityRepository().GetRoles(OperationContext.Current);
    }
    public class SecurityRepository {
        public List<Role> GetRoles(OperationContext opContext)
        {
            var userName = GetUserName(opContext);
            //Get roles from Active Directory, Database, or elsewhere
            return new List<Role>(); //Placeholder: the slide leaves the lookup out
        }
    }
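The difference between the two options on slide 15, as an added example that is not from the slides: a service operation that trusts a client-supplied user name next to one that takes the caller from the authenticated WCF call. The `Role.Name` property, `RoleStore`, `GetRolesFor` and the `CORP\...` accounts are constructed for illustration; it assumes a .NET Framework WCF host with Windows authentication.

```csharp
// Added example (not from the slides). Role shape, RoleStore and account names are constructed.
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.ServiceModel;

public class Role { public string Name { get; set; } }

public static class RoleStore
{
    // Constructed sample data standing in for Active Directory or a database.
    static readonly Dictionary<string, string[]> Map =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase) {
            { @"CORP\alice", new[] { "Admin", "User" } },
            { @"CORP\bob",   new[] { "User" } } };

    public static List<Role> Lookup(string userName)
    {
        var roles = new List<Role>();
        string[] names;
        if (userName != null && Map.TryGetValue(userName, out names))
            foreach (var n in names) roles.Add(new Role { Name = n });
        return roles;
    }

    // Roles only for an identity the host authenticated; otherwise an empty list.
    public static List<Role> ForCaller(IIdentity caller)
    {
        if (caller == null || !caller.IsAuthenticated) return new List<Role>();
        return Lookup(caller.Name);
    }
}

[ServiceContract]
public class SecurityService
{
    // Weak: the name is supplied by the client (for example, read back from initParams),
    // so the answer is only as trustworthy as the value the client sends.
    [OperationContract]
    public List<Role> GetRolesFor(string userName) { return RoleStore.Lookup(userName); }

    // Stronger: no parameter; the caller is whoever WCF authenticated for this call.
    [OperationContract]
    public List<Role> GetRoles()
    {
        var ctx = OperationContext.Current.ServiceSecurityContext;
        return RoleStore.ForCaller(ctx != null ? ctx.WindowsIdentity : null);
    }
}
```

An anonymous call reaches `ForCaller` with an identity whose `IsAuthenticated` is false and gets an empty role list.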
  • 17. demo
    Accessing User Roles
  • 18. Agenda
    Silverlight Security Options
    Accessing User Identity Information
    Accessing User Roles
    Creating a SecurityManager class
  • 19. How do you access and manage user names and roles in a Silverlight application?
  • 20. Creating a SecurityManager Class
    SecurityManager class can act as client-side gateway to user credentials:
    Accesses user credentials asynchronously
    Determine user role(s)
    Determine access to view
    MVVM compliant
    Add to ViewModel base class through aggregation
  • 21. The SecurityManager Class
    [Export(typeof(ISecurityManager))]
    [PartCreationPolicy(CreationPolicy.Shared)]
    public class SecurityManager : ISecurityManager {
        //Member outline only; bodies are omitted on the slide
        public event EventHandler UserSecurityLoaded;
        public bool IsUserSecurityLoadComplete { get; set; }
        public ObservableCollection<Role> UserRoles { get; set; }
        public string UserName { get; set; }
        public bool IsAdmin { get; }
        public bool IsInUserRole { get; }
        public bool IsValidUser { get; }
        private void GetUserSecurityDetails() {}
        public bool CheckUserAccessToUri(Uri uri) {}
        public bool UserIsInRole(string role) {}
        public bool UserIsInAnyRole(params string[] roles) {}
    }
  • 22. Using the SecurityManager Class
    public class ViewModelBase : INotifyPropertyChanged {
        [Import]
        public ISecurityManager SecurityManager { get; set; }
    }
    public class MainPageViewModel : ViewModelBase {
        public MainPageViewModel() {
            if (!IsDesignTime) SecurityManager.UserSecurityLoaded += SecurityManagerUserSecurityLoaded;
        }
        void SecurityManagerUserSecurityLoaded(object sender, EventArgs e) {
            IsAdmin = SecurityManager.IsAdmin; //Set INPC property
            UserName = SecurityManager.UserName; //Set INPC property
        }
    }
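One way to fill in the members outlined on slide 21 (an added sketch, not the presenter's implementation), written as plain C# without the MEF attributes so the deny-by-default logic stands out. `Role.Name`, the `"Admin"` role name, `OnSecurityLoaded` and the view-to-role table are assumptions.

```csharp
// Added sketch, not the presenter's code. Role.Name, "Admin" and ViewRoles are assumptions.
using System;
using System.Collections.Generic;
using System.Collections.ObjectModel;
using System.Linq;

public class Role { public string Name { get; set; } }

public class SecurityManager
{
    // Constructed mapping: view path -> roles allowed to open it.
    static readonly Dictionary<string, string[]> ViewRoles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase) {
            { "/Views/Admin.xaml",   new[] { "Admin" } },
            { "/Views/Reports.xaml", new[] { "Admin", "User" } } };

    public event EventHandler UserSecurityLoaded;
    public bool IsUserSecurityLoadComplete { get; private set; }
    public ObservableCollection<Role> UserRoles { get; private set; }
    public string UserName { get; private set; }
    public bool IsValidUser { get { return IsUserSecurityLoadComplete && !string.IsNullOrEmpty(UserName); } }
    public bool IsAdmin { get { return UserIsInRole("Admin"); } }
    public SecurityManager() { UserRoles = new ObservableCollection<Role>(); }

    // Call from the completed handler of the async security-service call.
    public void OnSecurityLoaded(string userName, IEnumerable<Role> roles)
    {
        UserName = userName;
        UserRoles.Clear();
        foreach (var r in roles ?? Enumerable.Empty<Role>()) UserRoles.Add(r);
        IsUserSecurityLoadComplete = true;
        var handler = UserSecurityLoaded;
        if (handler != null) handler(this, EventArgs.Empty);
    }

    // False until the service has answered, so nothing is granted while loading.
    public bool UserIsInRole(string role)
    {
        return role != null && IsValidUser &&
            UserRoles.Any(r => string.Equals(r.Name, role, StringComparison.OrdinalIgnoreCase));
    }
    public bool UserIsInAnyRole(params string[] roles) { return roles != null && roles.Any(UserIsInRole); }

    // Deny by default: views missing from the table are refused.
    public bool CheckUserAccessToUri(Uri uri)
    {
        string[] allowed;
        // OriginalString is used because AbsolutePath throws on relative navigation URIs.
        return uri != null && ViewRoles.TryGetValue(uri.OriginalString, out allowed) && UserIsInAnyRole(allowed);
    }
}
```

These checks only decide what the client shows; each service operation still has to enforce roles on the server, since state held in the client can be altered.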
  • 23. demo
    Creating and using a SecurityManager Class
  • 24. Summary
    Silverlight doesn’t provide direct access to user credentials
    Different techniques can be used to access a user name and roles:
    Pass into initParams (be careful!)
    Access data through a security service
    Use WCF RIA Service's WebContext class
    The SecurityManager class can simplify the process of working with user credentials
    Handles async calls to security service
    Stores user credentials and provides security logic
    Integrates well with MVVM
  • 25. Contact Info
    Blog
    http://weblogs.asp.net/dwahlin
    Twitter
    @DanWahlin
  • 26. Related Content
    DEV209: From Zero to Silverlight in 75 Minutes
    DEV210: Microsoft Silverlight, WCF RIA Services and Your Business Objects
    DEV331: A Lap around Microsoft Silverlight 5
    DEV386HOL: Microsoft Silverlight Data Binding
    DEV388HOL: Web Services and Microsoft Silverlight
    DEV390HOL: Using the MVVM Pattern in Microsoft Silverlight Applications
  • 28. Resources
    Connect. Share. Discuss.
    http://northamerica.msteched.com
    Learning
    Sessions On-Demand & Community
    Microsoft Certification & Training Resources
    www.microsoft.com/teched
    www.microsoft.com/learning
    Resources for IT Professionals
    Resources for Developers
    http://microsoft.com/technet
    http://microsoft.com/msdn
  • 31. © 2011 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
    The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.