I could find no mention of what I am discussing in the linked blog. Perhaps it is there but it is obscured by the volume of information?
I would like to have someone who is very knowledgeable about authentication tell me if the following is right or wrong. ????
There are only two things that need to be done to secure a WCF service:
- Uncomment (or add) [RequiresAuthentication] above the service class (in your Website project).
- Make sure the page you are using to contain the Silverlight app is an authenticated page.
Of course, you could use the RequireRole attribute etc. in the service class also... for the whole class or individual methods.
I believe that this is the correct way to secure services hosted in a secure website.
Is all of that correct?
If so, why is it so hard to find online? I still cannot find a discussion of it online.
If not, then I know I can just check System.Web.HttpContext.Current.User.Identity.IsAuthenticated in each service method and return null if it is false. That seems a little silly when there is a [RequiresAuthentication] attribute.
The majority of the info online (including the linked blog) seems to be very complicated. I believe that it is mostly related to running a Silverlight app on an unauthenticated page or using custom authentication, https, etc. In other words, it is mostly aimed at how to secure the Silverlight app when it is not hosted in a website's authenticated page. In that case, just like in the case of securing a website itself, the details/options can be very complicated.
I am always looking to save time and to keep things simple. It seems that I can never find information online that helps me do that. It is either way too simple or way too complicated to be of much use at all.