Security for WCF RIA service using ASP.NET website session

4 posts, 0 answers
  1. Dean Wyant
    46 posts
    Member since:
    Nov 2009

    Posted 20 Jan 2011

    I have an ASP.NET WebSite that has authentication already configured. I use a SecurePage:Page class to implement the authorization/authentication. It redirects to the login (forms) when necessary. Session is used to indicate that the user is already authenticated.

    I want to add a page that contains a Silverlight app.
    I do not want anyone without a current session to be able to access the data service, or the page.

    I will make the container page a SecurePage type and that should secure the page. But, I do not think that will secure the service. I do not think I need to secure the xap because it is not usable without data.

    Is there a simple way to secure a WCF RIA service in this situation? Perhaps checking for an authenticated Session somehow?


  2. Dean Wyant
    46 posts
    Member since:
    Nov 2009

    Posted 25 Jan 2011

    The service already shares the session. There is no extra code needed to access HttpContext.Current.Session from the service class.

    The WCF RIA Service in the Website project has a comment:

    // TODO: Wire up authentication (Windows/ASP.NET Forms) and uncomment the following to disable anonymous access

    I think that the [RequiresAuthentication] tag will cause unauthorized direct access to the service calls to fail.

    With all of the security options, connection types and information detailing them, it was difficult to see the simplicity of what was already included by default.

  3. Milan
    1989 posts

    Posted 27 Jan 2011

    Hello Dean Wyant,

    Here is a nice blog post about Silverlight authentication which might prove useful. 

    Best wishes,
    the Telerik team
  4. Dean Wyant
    46 posts
    Member since:
    Nov 2009

    Posted 27 Jan 2011

    I could find no mention of what I am discussing in the linked blog. Perhaps it is there but it is obscured by the volume of information?

    I would like to have someone who is very knowledgeable about authentication tell me if the following is right or wrong.

    There are only two things that need to be done to secure a WCF service:

    1. Uncomment (or add) [RequiresAuthentication] above the service class (in your Website project).
    2. Make sure the page you are using to contain the Silverlight app is an authenticated page.

    Of course, you could use the RequireRole attribute etc. in the service class also... for the whole class or individual methods.

    I believe that this is the correct way to secure services hosted in a secure website.

    Is all of that correct?

    If so, why is it so hard to find online? I still cannot find a discussion of it online.
    If not, then I know I can just check System.Web.HttpContext.Current.User.Identity.IsAuthenticated in each service method and return null if it is false. That seems a little silly when there is a [RequiresAuthentication] attribute.

    The majority of the info online (including the linked blog) seems to be very complicated. I believe that it is mostly related to running a Silverlight app on an unauthenticated page or using custom authentication, https, etc. In other words, it is mostly aimed at how to secure the Silverlight app when it is not hosted in the website's authenticated page. In that case, just like in the case of securing a website itself, the details/options can be very complicated.

    I am always looking to save time and to keep things simple. It seems that I can never find information online that helps me do that. It is either way too simple or way too complicated to be of much use at all.
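The two steps listed in the post above, written out as an added example (this is not code from the thread or from Telerik): a WCF RIA Services DomainService in the ASP.NET Web Site project with the class-level [RequiresAuthentication] attribute uncommented, one operation further restricted with [RequiresRole], and the manual IsAuthenticated check from the thread shown as a fallback. The Order entity, the in-memory data, the role name "Administrator" and the service name are all assumptions made for the example; the attribute and base-class names are the real ones from System.ServiceModel.DomainServices.

```csharp
// Added example, not from the original thread. Assumes a WCF RIA Services
// DomainService hosted in the same ASP.NET site that already performs forms
// authentication, so the forms-auth cookie the browser holds is sent with
// every service call the Silverlight client makes.
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Linq;
using System.ServiceModel.DomainServices.Hosting;
using System.ServiceModel.DomainServices.Server;

// Hypothetical entity; RIA Services requires a [Key] on every entity type.
public class Order
{
    [Key]
    public int Id { get; set; }
    public string Customer { get; set; }
}

[EnableClientAccess]        // expose the service to the Silverlight client
[RequiresAuthentication]    // step 1: every operation fails for anonymous callers
public class OrdersDomainService : DomainService
{
    // Constructed in-memory data so the example runs without a database.
    private static readonly List<Order> Orders = new List<Order>
    {
        new Order { Id = 1, Customer = "alice" },
        new Order { Id = 2, Customer = "bob" },
    };

    // Any authenticated user may read orders (query operation by convention).
    public IQueryable<Order> GetOrders()
    {
        return Orders.AsQueryable();
    }

    // Delete is restricted further: the caller must also be in the assumed
    // "Administrator" role. The class-level [RequiresAuthentication] is still
    // evaluated first, so anonymous callers never reach this check.
    [RequiresRole("Administrator")]
    public void DeleteOrder(Order order)
    {
        Orders.RemoveAll(o => o.Id == order.Id);
    }

    // The manual check the thread mentions, as an invoke operation. With the
    // attribute in place it is redundant, but it shows that ServiceContext.User
    // is the same principal ASP.NET forms authentication established.
    [Invoke]
    public string GetCurrentUserName()
    {
        if (ServiceContext.User == null ||
            !ServiceContext.User.Identity.IsAuthenticated)
        {
            return null;
        }
        return ServiceContext.User.Identity.Name;
    }
}
```

Step 2 (the container page) stays with the existing SecurePage base class or the site's web.config authorization rules; nothing in the service depends on it. Protecting the page alone does not protect the service endpoint, because the .svc URL can be requested directly, which is exactly why the attribute on the service class is the part that matters: it makes the service reject calls that do not carry an authenticated identity, regardless of which page (if any) the request came from.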
