Security and Silverlight

Monday, December 29 2008

I was reading a post by Tim Greenfield today regarding RIA and security. He also followed this up with a nice post on how to implement one of his techniques using sessions. Taken from the Silverlight RIA perspective, this has some interesting turns. His scenarios are compelling: anything Silverlight sends to the server can be inspected with a tool like Fiddler on the client machine, and sniffed on the wire by anyone in between if it is not sent over SSL. So repeatedly sending credentials is not a good idea. Storing credentials on the client's hard drive has its own issues. So what to do?

One option Tim throws out there is a token technique. The user logs in once and is handed back a token (or session ID). The server generates the token, stores it, and gives it some sort of expiration. The client then sends the token with each call, either as a parameter or inside an HTTP header. This can be a pain in some senses since it literally has to be sent on every call, but it works. Keep in mind that the token is a bearer secret: anyone who captures it can use it until it expires or is revoked, so it still needs to travel over SSL, and it has to be random enough that nobody can guess it.
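Here is an added example of the token technique, written for this post and not taken from Tim's article or from any Silverlight sample. The TokenStore, OrderService and the "alice" credentials are all assumed for illustration; the credential check is a delegate that stands in for whatever provider you use (for example Membership.ValidateUser). Tokens are 256 bits from the CSPRNG, are looked up on every call, and are dropped when they expire or the user logs out.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Server-side store for the token technique: log in once, get an opaque random
// token, present it on every later call. Example code, not from the original post.
public sealed class TokenStore
{
    private sealed class Entry { public string UserName; public DateTime ExpiresUtc; }

    private readonly Dictionary<string, Entry> _tokens = new Dictionary<string, Entry>();
    private readonly object _sync = new object();
    private readonly RNGCryptoServiceProvider _rng = new RNGCryptoServiceProvider();
    private readonly TimeSpan _lifetime;

    public TokenStore(TimeSpan lifetime) { _lifetime = lifetime; }

    // Call only after the credentials have been verified. 256 bits of CSPRNG
    // output: the token cannot be guessed or derived from the user name.
    public string Issue(string userName)
    {
        byte[] raw = new byte[32];
        _rng.GetBytes(raw);
        string token = Convert.ToBase64String(raw);
        lock (_sync)
        {
            _tokens[token] = new Entry { UserName = userName, ExpiresUtc = DateTime.UtcNow.Add(_lifetime) };
        }
        return token;
    }

    // Returns the user the token belongs to, or null if it is missing, unknown
    // or expired. Expired entries are removed so the store does not grow forever.
    public string Validate(string token)
    {
        if (string.IsNullOrEmpty(token)) return null;
        lock (_sync)
        {
            Entry entry;
            if (!_tokens.TryGetValue(token, out entry)) return null;
            if (entry.ExpiresUtc <= DateTime.UtcNow) { _tokens.Remove(token); return null; }
            return entry.UserName;
        }
    }

    // Logout: forget the token now instead of waiting for it to expire.
    public void Revoke(string token) { lock (_sync) { _tokens.Remove(token); } }
}

// A service the Silverlight client would call. Every operation except Login
// takes the token as a parameter and rejects the call before doing any work.
public class OrderService
{
    private readonly TokenStore _tokens;
    private readonly Func<string, string, bool> _checkCredentials; // stands in for Membership.ValidateUser

    public OrderService(TokenStore tokens, Func<string, string, bool> checkCredentials)
    {
        _tokens = tokens;
        _checkCredentials = checkCredentials;
    }

    public string Login(string userName, string password)
    {
        return _checkCredentials(userName, password) ? _tokens.Issue(userName) : null;
    }

    public string[] GetOrders(string token)
    {
        string user = _tokens.Validate(token);
        if (user == null)
            throw new UnauthorizedAccessException("missing, unknown or expired token");
        // Constructed sample data, keyed by the authenticated user, never by a caller-supplied name.
        return new[] { user + ":order-1", user + ":order-2" };
    }

    public void Logout(string token) { _tokens.Revoke(token); }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample user for the demo; a real service checks the membership store.
        var store = new TokenStore(TimeSpan.FromMinutes(20));
        var service = new OrderService(store, (u, p) => u == "alice" && p == "correct horse");

        string token = service.Login("alice", "correct horse");
        Console.WriteLine(service.GetOrders(token)[0]);

        service.Logout(token);
        try { service.GetOrders(token); }
        catch (UnauthorizedAccessException e) { Console.WriteLine("rejected: " + e.Message); }
    }
}
```

The store is in-memory, so it only works for a single server; with a web farm the same lookup would have to go to a shared store (database or cache). Whatever the store, the token still goes over the wire on every call, which is why SSL stays mandatory with this approach.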

Another option with Silverlight is to use Forms Authentication. The user logs into the client application, which passes the username and password to the server through an HTTP web service. The service uses Forms Authentication to check with its membership provider that this is a valid user. If so, the user is registered as an authenticated user and s/he may proceed; under the hood Forms Authentication issues an authentication cookie, and the browser sends that cookie along with every later request the Silverlight client makes, so nothing has to be passed by hand. On subsequent calls the server-side services first check that the user is authenticated (and possibly in a specific role) before allowing the call to continue. This interception acts as a bouncer at the door, refusing entry to anyone not authenticated.
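The Forms Authentication flow as an added example, again written for this post rather than lifted from Tim Heuer's or Tim Greenfield's articles. It assumes a WCF service hosted in ASP.NET over basicHttpBinding with ASP.NET compatibility turned on and SSL in front of it; IAccountService, AccountService, the "Admin" role and the in-memory order data are all made up for the example. Login hands the password to the membership provider and sets the cookie; every other operation goes through the "bouncer" first.

```csharp
using System;
using System.Collections.Generic;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.Web;
using System.Web.Security;

// Example service contract, not from the original post.
[ServiceContract]
public interface IAccountService
{
    [OperationContract] bool Login(string userName, string password);
    [OperationContract] void Logout();
    [OperationContract] string[] GetOrders();        // any authenticated user
    [OperationContract] void DeleteOrder(string id);  // "Admin" role only
}

// Runs inside the ASP.NET pipeline, so HttpContext.Current, the Forms
// Authentication cookie and the role provider are all available.
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class AccountService : IAccountService
{
    // Constructed sample data; a real service would query a database.
    private static readonly Dictionary<string, List<string>> Orders =
        new Dictionary<string, List<string>>
        {
            { "alice", new List<string> { "A-100", "A-101" } },
            { "bob",   new List<string> { "B-200" } }
        };

    public bool Login(string userName, string password)
    {
        // The configured membership provider does the password check;
        // the plaintext password goes nowhere else on the server.
        if (!Membership.ValidateUser(userName, password))
            return false;

        // Issues the Forms Authentication cookie (.ASPXAUTH by default). The browser
        // attaches it to every later request the Silverlight client makes through the
        // browser HTTP stack, so neither credentials nor a token are passed again.
        // createPersistentCookie = false: the cookie dies when the browser closes.
        FormsAuthentication.SetAuthCookie(userName, false);
        return true;
    }

    public void Logout()
    {
        FormsAuthentication.SignOut();
    }

    public string[] GetOrders()
    {
        RequireAuthenticated();
        // Take the identity from the cookie, never a user name supplied by the caller.
        string user = HttpContext.Current.User.Identity.Name;
        List<string> mine;
        return Orders.TryGetValue(user, out mine) ? mine.ToArray() : new string[0];
    }

    public void DeleteOrder(string id)
    {
        RequireRole("Admin");
        foreach (List<string> list in Orders.Values)
            list.Remove(id);
    }

    // The bouncer: every protected operation calls this before doing any work.
    private static void RequireAuthenticated()
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx == null || ctx.User == null || !ctx.User.Identity.IsAuthenticated)
            throw new FaultException("Not authenticated."); // generic message, nothing leaks
    }

    private static void RequireRole(string role)
    {
        RequireAuthenticated();
        if (!HttpContext.Current.User.IsInRole(role))
            throw new FaultException("Not authorized.");
    }
}
```

For this to work the web.config needs <authentication mode="Forms"> with requireSSL="true" on the <forms> element, <roleManager enabled="true"> for the IsInRole check, and <serviceHostingEnvironment aspNetCompatibilityEnabled="true"> so the service sees the ASP.NET context. The Silverlight side just calls Login once and then calls the other operations; the cookie handling is done by the browser.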

As Silverlight continues to grow, this topic is going to become more critical for many developers. I plan on producing a few materials at my site to help explain some of the options over the next few months. But for now, I recommend Tim Heuer’s nice post on security that shows how to do this on www.silverlight.net in the learning section.


Pingback from Dew Drop - December 29, 2008 | Alvin Ashcraft's Morning Dew

This is where I think some of the REST principles apply really well. A lot of Silverlight developers are trying to place/make Silverlight a desktop application. It should be treated like an Ajax client. Therefore, using best practices for REST (for example) and using: SSL/obfuscating your Silverlight assemblies/not placing symmetric encryption on the client/using WS standard security like WSSE tokens, and you will be fine.

Bart ... agreed, it pays to be prudent when considering what to do in Silverlight and what not to do there. Calls to REST services are an open door via the querystring, so awareness of that is important. REST is great, but obviously putting credentials in the querystring is not ideal. I totally agree about SSL ... it still is critical for protecting data in transit.

magellings wrote on Tuesday, December 30 2008

The authentication service given as an example in the link seems like the wrong choice. For internal Silverlight (LOB) apps, I'd think you'd want to use net.tcp and Windows authentication. You could then use an authorization policy.

Also, if we were to use basicHttp, why would one want to pass a username and password as parameters in the WCF method call when WCF supports setting the credentials on the proxy and implicitly passing them through a username validator? One could also include an authorization policy for authorization purposes.

Overall an authentication service seems like a valid approach albeit I'd do it differently.


Bart,

Unfortunately we can't use WS Standard Sec in SL.

John,

This is Tim Greenfield, author of the RIA security article. I just wanted to say thanks for reading and commenting about the Forms Authentication. This is a great way to support a secure login session between SL and an ASP.NET backend and I've updated my article to include it as a third option. I also added some source code to demonstrate it in action so readers can get a good start on employing it.

Anyway, thanks again for the info and congrats on the MVP renewal!
