This is a migrated thread and some comments may be shown as answers.

Security for WCF RIA service using ASP.NET website session

3 Answers 170 Views
General Discussions
Dean Wyant asked on 20 Jan 2011, 08:07 PM
I have an ASP.NET WebSite that has authentication already configured. I use a SecurePage:Page class to implement the authorization/authentication. It redirects to the login (forms) when necessary. Session is used to indicate that the user is already authenticated.

I want to add a page that contains a Silverlight app.
I do not want anyone without a current session to be able to access the data service, or the page.

I will make the container page a SecurePage type and that should secure the page. But, I do not think that will secure the service. I do not think I need to secure the xap because it is not usable without data.

Is there a simple way to secure a WCF RIA service in this situation? Perhaps checking for a authenticated Session somehow?

----------



3 Answers, 1 is accepted

0
Dean Wyant answered on 25 Jan 2011, 05:47 PM
The service already shares the session. There is no extra code needed to access HttpContext.Current.Session from the service class.

The WCF RIA Service in the Website project has a comment:

  // TODO: Wire up authentication (Windows/ASP.NET Forms) and uncomment the following to disable anonymous access
  [RequiresAuthentication]

I think that the [RequiresAuthentication] tag will cause unauthorized direct access to the service calls to fail.

With all of the security options, connection types and information detailing them, it was difficult to see the simplicity of what was already included by default.
0
Milan (Telerik team) answered on 27 Jan 2011, 09:35 AM
Hello Dean Wyant,

Here is a nice blog post about Silverlight authentication which might prove useful. 


Best wishes,
Milan
the Telerik team
0
Dean Wyant answered on 27 Jan 2011, 11:09 PM
I could not find mention of what I am discussing in the linked blog. Perhaps it is there but it is obscured by the volume of information?

I would like to have someone that is very knowledgeable about authentication tell me if the following is right or wrong.

There are only two things that need to be done to secure a WCF service:

  1. Uncomment (or add) [RequiresAuthentication] above the service class (in your Website project).
  2. Make sure the page you are using to contain the silverlight app is an authenticated page.

Of course, you could use the RequireRole attribute etc. in the service class also... for the whole class or individual methods.

I believe that this is the correct way to secure services hosted in a secure website.

Is all of that correct?

If so, why is it so hard to find online? I still cannot find a discussion of it online.
If not, then I know I can just check System.Web.HttpContext.Current.User.Identity.IsAuthenticated in each service method and return null if it is false. That seems a little silly when there is a [RequiresAuthentication] attribute.

The majority of the info online (including the linked blog) seems to be very complicated. I believe that it is mostly related to running a silverlight app on an unauthenticated page or using custom authentication, https, etc. In other words, it is mostly aimed at how to secure the silverlight app when it is not hosted in the website's authenticated page. In that case, just like in the case of securing a website itself, the details/options can be very complicated.

I am always looking to save time and to keep things simple. It seems that I can never find information online that helps me do that. It is either way too simple or way too complicated to be of much use at all.
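The two steps listed in this answer, and the [RequiresAuthentication] attribute from the earlier answer, put together as an added example (not code from the thread or from Telerik). The entity, the in-memory data and the SecurePage base class are constructed/assumed for illustration; the attributes and the DomainService members are the WCF RIA Services ones (note that the role attribute is actually named RequiresRole, not RequireRole).

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Linq;
using System.Security.Principal;
using System.ServiceModel.DomainServices.Hosting;
using System.ServiceModel.DomainServices.Server;
using System.Web;

namespace MyWebsite.Web.Services
{
    // Constructed sample entity; a real service would expose EF / LINQ to SQL entities.
    public class Widget
    {
        [Key]
        public int Id { get; set; }
        public string Name { get; set; }
        public string Owner { get; set; }
    }

    // Step 1 from the post: the class-level [RequiresAuthentication] makes the RIA
    // pipeline reject every call whose caller is not authenticated before the method
    // body runs. This is checked on each request, so a caller that skips the hosting
    // page and hits the service endpoint directly is still refused.
    [EnableClientAccess]
    [RequiresAuthentication]
    public class WidgetDomainService : DomainService
    {
        // Constructed in-memory data so the example returns something.
        private static readonly List<Widget> Store = new List<Widget>
        {
            new Widget { Id = 1, Name = "alpha", Owner = "dean" },
            new Widget { Id = 2, Name = "beta",  Owner = "alice" },
        };

        // Authenticated users only (inherited from the class attribute).
        // ServiceContext.User is the same principal ASP.NET forms authentication
        // established for the request, so the website session carries through.
        // Authentication alone does not restrict *which* rows a user may read,
        // so the query still filters by the caller's identity.
        [Query]
        public IQueryable<Widget> GetMyWidgets()
        {
            string me = ServiceContext.User.Identity.Name;
            return Store.Where(w => w.Owner == me).AsQueryable();
        }

        // Role restriction on top of the class-level requirement: a caller who is
        // authenticated but not in "Admin" fails the same way an anonymous caller does.
        [Query]
        [RequiresRole("Admin")]
        public IQueryable<Widget> GetAllWidgets()
        {
            return Store.AsQueryable();
        }

        // The manual check the post mentions as a fallback. It is redundant once
        // [RequiresAuthentication] is applied, but it shows that the same principal
        // is reachable through HttpContext when the service is hosted in the website.
        [Invoke]
        public string WhoAmI()
        {
            IPrincipal user = HttpContext.Current.User;
            if (user == null || !user.Identity.IsAuthenticated)
            {
                return null; // what the post proposes returning for anonymous callers
            }
            return user.Identity.Name;
        }
    }
}

namespace MyWebsite.Web
{
    // Step 2 from the post: the page that hosts the .xap derives from the site's own
    // SecurePage (assumed to exist, as the question describes) so an unauthenticated
    // browser is redirected to the forms login instead of receiving the page.
    public partial class SilverlightHost : SecurePage
    {
    }
}
```

The attribute-based checks hold because the domain service is hosted inside the same ASP.NET application as the secured page: the browser sends the forms authentication cookie with every service call, ASP.NET builds the principal from it, and [RequiresAuthentication] / [RequiresRole] evaluate that principal on each invocation. If the service were hosted in a separate application or domain, the cookie would not be presented and these attributes would reject every call, which is the situation the more complicated online guides are addressing.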

