
How does the security work in DevForce 4 SL?

BenHayat
Groupie
Joined: 06-Jan-2009
Location: Estero, FL USA
Posts: 86
Posted: 25-Mar-2009 at 6:54pm
I was reading the WinClient DevGuide on the security, but I would like to know how the SL version works with Login, authentication, authorization, rights and roles. Does DevForce use its own system or use ASP.Net services?

Thanks!
Best Regards!
..Ben

WPF & Silverlight Insider
http://www.MicroIntelligence.Com
IdeaBlade
Moderator Group
Joined: 30-May-2007
Location: United States
Posts: 347
Posted: 25-Mar-2009 at 7:32pm

DevForce Silverlight security operates the same way as it does in DevForce WinClient (so, yes the shipped Developers Guide is accurate for Silverlight as well).

Basically, you collect whatever credentials you need on the client (e.g. user name and hash of the password) and these are passed to the server where there is a hook for you to implement your authentication logic (e.g. database table, Windows domain controller, LDAP).
 
Once authenticated, your session is digitally signed by the server and any requests from the client can be checked for authorization by the server behind the firewall (which can include role based security checks).  Even if the client is compromised (even deliberately by the administrator of the machine), the server can still perform authorization before allowing a request to go through.
 
SSL3 provides the encryption for the communications channel to keep everything private.
 
BenHayat
Groupie
Joined: 06-Jan-2009
Location: Estero, FL USA
Posts: 86
Posted: 25-Mar-2009 at 7:51pm
a) How and where do we create users, passwords, assign roles, create roles, etc.?

b) How do we authenticate a user in Web application that has nothing to do with windows authentication?

The developer guide talks about User login as if we were using Windows client:
DevForce provides a login mechanism that builds on the developer's implementation of .NET's IPrincipal interface. That interface is robust and supportive of a wide range of application login schemes including Windows authentication and LDAP.

c) How is that done when running SL in an ASP.Net project?

Best Regards!
..Ben

WPF & Silverlight Insider
http://www.MicroIntelligence.Com
kimj
IdeaBlade
Joined: 09-May-2007
Posts: 1390
Posted: 26-Mar-2009 at 1:57pm

DevForce Silverlight doesn't currently use ASP.NET security features, although it's something we will look into.

a) There's no facility within DevForce to create users, roles, etc. 
 
b) Authentication is performed via implementation of the IEntityLoginManager interface.  This effectively leaves how the authentication is accomplished to the developer. The credentials passed into the Login method must be an implementation of ILoginCredential, and the return must be a System.Security.Principal.IPrincipal, but the concrete types involved can be of your choosing.  The IPrincipal interface is supported in Silverlight, although WindowsPrincipal is obviously not.  DevForce only cares about the interfaces and not the concrete types.
 
c) The IEntityLoginManager is implemented on the BOS (the ASP.NET project), so an EntityManager.LoginAsync() call from the Silverlight client is sent to the Login method of the interface implementation.  The IPrincipal returned is saved to the SL client.   Unfortunately, we currently don't expose that within the client application (in a standard .NET application the Thread.CurrentPrincipal is set), but in server-side events and interface implementations the IPrincipal is usually passed and the Thread.CurrentPrincipal is set, so your code can query the user role.
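
The server-side login hook and role check described in the replies above, as an added example that is not code from this thread or from IdeaBlade. The two interfaces are local stand-ins whose member shapes are assumed (the real DevForce signatures are not shown on this page); `Cred`, `UserRecord`, `TableLoginManager`, `Authz` and the sample user are hypothetical, and the crypto calls assume .NET 6 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Principal;

// Local stand-ins for the two DevForce interfaces named above; member shapes are assumed.
public interface ILoginCredential { string UserName { get; } string Password { get; } }
public interface IEntityLoginManager { IPrincipal Login(ILoginCredential credential); }

public sealed class Cred : ILoginCredential {
    public string UserName { get; set; } public string Password { get; set; }
}
public sealed class UserRecord { public byte[] Salt; public byte[] Hash; public string[] Roles; }

public sealed class TableLoginManager : IEntityLoginManager {
    private readonly IDictionary<string, UserRecord> _users; // stand-in for a user table
    public TableLoginManager(IDictionary<string, UserRecord> users) { _users = users; }

    public static byte[] Derive(string password, byte[] salt) =>
        Rfc2898DeriveBytes.Pbkdf2(password, salt, 100_000, HashAlgorithmName.SHA256, 32);

    public IPrincipal Login(ILoginCredential credential) {
        string name = credential?.UserName ?? "";
        bool known = _users.TryGetValue(name, out UserRecord user);
        // Derive for unknown users too, so both failure paths do comparable work.
        byte[] candidate = Derive(credential?.Password ?? "", known ? user.Salt : new byte[16]);
        if (!known || !CryptographicOperations.FixedTimeEquals(candidate, user.Hash))
            throw new UnauthorizedAccessException("Login failed."); // one message for both cases
        return new GenericPrincipal(new GenericIdentity(name, "Custom"), user.Roles);
    }
}

public static class Authz {
    // Server-side check: roles come from the IPrincipal built at login, never from the client.
    public static void RequireRole(IPrincipal caller, string role) {
        if (caller?.Identity == null || !caller.Identity.IsAuthenticated || !caller.IsInRole(role))
            throw new UnauthorizedAccessException("Role required: " + role);
    }
}

public static class Demo {
    public static void Main() {
        byte[] salt = RandomNumberGenerator.GetBytes(16); // constructed sample user below
        var users = new Dictionary<string, UserRecord> {
            ["alice"] = new UserRecord { Salt = salt, Hash = TableLoginManager.Derive("s3cret", salt), Roles = new[] { "Clerk" } }
        };
        IPrincipal p = new TableLoginManager(users).Login(new Cred { UserName = "alice", Password = "s3cret" });
        Authz.RequireRole(p, "Clerk");                      // passes
        try { Authz.RequireRole(p, "Admin"); }              // rejected on the server
        catch (UnauthorizedAccessException e) { Console.WriteLine(e.Message); }
    }
}
```
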
zinovate
Newbie
Joined: 24-Apr-2009
Posts: 9
Posted: 30-Apr-2009 at 9:02am

Let's say you are already logged into the website using Forms authentication. I would like to have an "island" of Silverlight content in an ASPX page. Since the user is already logged in and has a valid session, I would like to reuse those credentials in the "island" of Silverlight/DevForce content. (All point at the same site, no cross-site, etc.)

If you run your WCF services in ASP.NET compatibility mode, you can support this scenario, I believe. The cookies are shared and the ASP.NET stack will have already taken care of the ID validation.
 
Then, instead of passing the actual login and password, you could validate using the Current Identity of the user. Server side would be more of a Role check instead of a creds check...
 
The Out of browser abilities would add some complexity for sure. (I need to think more about that)
 
Do DevForce's WCF services support ASP.NET compatibility mode?
 
There are some videos on the Silverlight.NET site by Tim H. They were actually showing how to share creds from an ASPX Forms authenticated page and ADO.NET Data Services.
ting
IdeaBlade
Joined: 27-Mar-2009
Location: San Francisco
Posts: 427
Posted: 01-May-2009 at 12:09pm

zinovate - Yes, that's an interesting use case.  We're looking into this and will let you know early next week.

kimj
IdeaBlade
Joined: 09-May-2007
Posts: 1390
Posted: 07-May-2009 at 7:12pm
DevForce services do not currently support ASP.NET compatibility mode.  We'll be adding support for integrating with ASP.NET security features in RC3 (due in late June / early July).