1. Integrating Security Roles into Microsoft Silverlight Applications
11/27/2018 1:45 AM
DEV356
Integrating Security Roles into Microsoft Silverlight Applications
Dan Wahlin
Wahlin Consulting
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

2. Agenda Silverlight Security Options
11/27/2018 1:45 AM
Agenda
Silverlight Security Options
Accessing User Identity Information
Accessing User Roles
Creating a SecurityManager class
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

3. Silverlight Security Options
11/27/2018 1:45 AM
Silverlight Security Options
Silverlight Authentication:
Windows
Forms
Custom
Silverlight Authorization:
Active Directory Groups
Forms Roles
Custom Roles
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

4. Windows Authentication Options
11/27/2018 1:45 AM
Windows Authentication Options
Option 1: Secure page hosting Silverlight control
Easiest
User prompted
Silverlight app secured
Option 2: Secure backend services
Silverlight app is anonymous
Calls to service require credentials
Client HTTP stack can be used
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

5. Using the Client HTTP Stack
//Set once in App.xaml.cs
HttpWebRequest.RegisterPrefix(" WebRequestCreator.ClientHttp);
....
WebClient wc = new WebClient();
wc.UseDefaultCredentials = false;
wc.Credentials = new NetworkCredential("username", "password", "domain");

6. Agenda Securing Silverlight Applications
11/27/2018 1:45 AM
Agenda
Securing Silverlight Applications
Accessing User Identity Information
Accessing User Roles
Creating a SecurityManager class
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

7. Accessing a User's Credentials
11/27/2018 1:45 AM
Accessing a User's Credentials
Silverlight does not support accessing the User object directly
User.Identity.Name
Options for accessing the user name:
initParams (be careful!)
Use a service
WCF RIA Services
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

8. Passing the User Name with initParams
User Name can be passed dynamically into Silverlight using initParams
Be Careful!
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

9. Using initParams
<param name="initParams" value="UserName=<%=User.Identity.Name%>" /> …
private void Application_Startup(object sender, StartupEventArgs e) {
ProcessInitParams(e.InitParams);
this.RootVisual = new MainPage(); }
void ProcessInitParams(IDictionary<string, string> initParams) {
if (initParams != null) {
foreach (var item in initParams) {
this.Resources.Add(item.Key, item.Value);

10. Creating a User Credentials Service
11/27/2018 1:45 AM
Creating a User Credentials Service
Create a User Credentials WCF/ASMX service:
Service handles returning authenticated user's information
No risk of a spoofed User Name as with initParams
Service can return additional information such as roles
WCF RIA Services does this out-of-the-box
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

11. Returning a User Name from a Service
[OperationContract]
public string GetLoggedInUserName() {
return new SecurityRepository() GetUserName(OperationContext.Current); }
public class SecurityRepository {
public string GetUserName(OperationContext opContext) {
return (opContext.ServiceSecurityContext != null &&
opContext.ServiceSecurityContext.WindowsIdentity != null) ? opContext.ServiceSecurityContext.WindowsIdentity.Name : null;

12. Accessing an Authenticated User's User Name
demo
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

13. Agenda Silverlight Security Options
11/27/2018 1:45 AM
Agenda
Silverlight Security Options
Accessing User Identity Information
Accessing User Roles
Creating a SecurityManager class
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

14. Be Careful! Accessing User Roles Options:
11/27/2018 1:45 AM
Accessing User Roles
Options:
Pass user roles into application using initParams
Create a security service operation that returns roles
Be Careful!
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

15. Returning Roles from a Service
[OperationContract]
public List<Role> GetRoles() {
return new SecurityRepository().GetRoles(OperationContext.Current); }
public class SecurityRepository {
public List<Role> GetRoles(OperationContext opContext)
var userName = GetUserName(opContext);
//Get roles from Active Directory, Database, or elsewhere

16. demo Accessing User Roles 11/27/2018 1:45 AM
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

17. Agenda Silverlight Security Options
11/27/2018 1:45 AM
Agenda
Silverlight Security Options
Accessing User Identity Information
Accessing User Roles
Creating a SecurityManager class
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

18. 11/27/2018 1:45 AM
How do you access and manage user names and roles in a Silverlight application?
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

19. Creating a SecurityManager Class
11/27/2018 1:45 AM
Creating a SecurityManager Class
SecurityManager class can act as client-side gateway to user credentials:
Accesses user credentials asynchronously
Determine user role(s)
Determine access to view
MVVM compliant
Add to ViewModel base class through aggregation
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

20. The SecurityManager Class
[Export(typeof(ISecurityManager))]
[PartCreationPolicy(CreationPolicy.Shared)]
public class SecurityManager : ISecurityManager {
public event EventHandler UserSecurityLoaded;
public bool IsUserSecurityLoadComplete { get; set; }
public ObservableCollection<Role> UserRoles { get; set; }
public string UserName { get; set; }
public bool IsAdmin { get; }
public bool IsInUserRole { get; }
public bool IsValidUser { get; }
private void GetUserSecurityDetails() {}
public bool CheckUserAccessToUri(Uri uri) {}
public bool UserIsInRole(string role) {}
public bool UserIsInAnyRole(params string[] roles) {} }

21. Using the SecurityManager Class
public class ViewModelBase: INotifyPropertyChanged { [Import]
public ISecurityManager SecurityManager { get; set; } }
public class MainPageViewModel : ViewModelBase {
public MainPageViewModel() {
if (!IsDesignTime) SecurityManager.UserSecurityLoaded += SecurityManagerUserSecurityLoaded;
void SecurityManagerUserSecurityLoaded(object sender, EventArgs e) {
IsAdmin = SecurityManager.IsAdmin; //Set INPC property
UserName = SecurityManager.UserName; //Set INPC property

22. Creating and using a SecurityManager Class
11/27/2018 1:45 AM
Creating and using a SecurityManager Class
demo
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

23. Summary Silverlight doesn’t provide direct access to user credentials
11/27/2018 1:45 AM
Summary
Silverlight doesn’t provide direct access to user credentials
Different techniques can be used to access a user name and roles:
Pass into initParams (be careful!)
Access data through a security service
Use WCF RIA Service's WebContext class
The SecurityManager class can simplify the process of working with user credentials
Handles async calls to security service
Stores user credentials and provides security logic
Integrates well with MVVM
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

24. Related Content DEV209: From Zero to Silverlight in 75 Minutes
Required Slide
Speakers, please list the Breakout Sessions, Interactive Discussions, Labs, Demo Stations and Certification Exam that relate to your session. Also indicate when they can find you staffing in the TLC.
Tech Ed North America 2010
11/27/2018 1:45 AM
Related Content
DEV209: From Zero to Silverlight in 75 Minutes
DEV210: Microsoft Silverlight, WCF RIA Services and Your Business Objects
DEV331: A Lap around Microsoft Silverlight 5
DEV386HOL: Microsoft Silverlight Data Binding
DEV388HOL: Web Services and Microsoft Silverlight
DEV390HOL: Using the MVVM Pattern in Microsoft Silverlight Applications
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

25. Contact Info
Blog
Blog
Twitter
@DanWahlin

26. Web Track Resources http://www.asp.net/ http://www.silverlight.net/

27. Resources Learning http://northamerica.msteched.com
Tech Ed North America 2010
11/27/2018 1:45 AM
Resources
Connect. Share. Discuss.
Learning
Sessions On-Demand & Community
Microsoft Certification & Training Resources
Resources for IT Professionals
Resources for Developers
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

28. Complete an evaluation on CommNet and enter to win!
Tech Ed North America 2010
11/27/2018 1:45 AM
Complete an evaluation on CommNet and enter to win!
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

29. Tech Ed North America 2010 11/27/2018 1:45 AM
© 2010 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.