Rank 1
I want to add a page that contains a Silverlight app.
I do not want anyone without a current session to be able to access the data service, or the page.
I will make the container page a SecurePage type and that should secure the page. But, I do not think that will secure the service. I do not think I need to secure the xap because it is not usable without data.
Is there a simple way to secure a WCF RIA service in this situation? Perhaps checking for a authenticated Session somehow?
----------
3 Answers, 1 is accepted
Rank 1
The WCF RIA Service in the Website project has a comment:
// TODO: Wire up authentication (Windows/ASP.NET Forms) and uncomment the following to disable anonymous access
[
RequiresAuthentication]
I think that the [RequiresAuthentication] tag will cause unauthorized direct access to the service calls to fail.
With all of the security options, connection types and information detailing them, it was difficult to see the simplicity of what was already included by default.
Here is a nice blog post about Silverlight authentication which might prove useful.
Best wishes,
Milan
the Telerik team
Rank 1
I would like to have someone that is very knowledgable about authentication to tell me if the following is right or wrong. ????
There are only two things that need to be done to secure a WCF service:
- Uncomment (or add) [RequiresAuthentication] above the service class (in your Website project).
- Make sure the page you are using to contain the silverlight app is an authenticated page.
Of course, you could use the RequireRole attribute etc. in the service class also... for the whole class or individual methods.
I believe that this is the correct way to secure services hosted in a secure website.
Is all of that correct?
If so, why is it so hard to find online? I still cannot find a discussion of it online.
If not, then I know I can just check System.Web.HttpContext.Current.User.Identity.IsAuthenticated in each service method and return null if it is false. That seems a little silly when there is a [RequiresAuthentication] attribute..
The majority of the info online (including the linked blog) seems to be very complicated. I believe that it is mostly related to running a silverlight app on an unathenticated page or using custom authentication, https, etc. In other words, it is mostly aimed at how to secure the silverlight app when it is not hosted in website's authenticated page. In that case, just like in the case of securing a website itself, the details/options can be very complicated.
I am always looking to save time and to keep things simple. It seems that I can never find information online that helps me do that. It is eiter way too simple or way too complicated to be of much use at all.