SilverlightShow: WCF RIA Services Part 7 - Authentication and Authorization Comments

Re: WCF RIA Services Part 7 - Authentication and Authorization

MattHousley — Tue, 15 May 2012 15:28:34 GMT

Hi,

I solved the '404 on the login.aspx' problem by changing the connection credentials in the Application Settings. The Web Application was set to use "Application user (pass-through authentication)" [see "Connect As" in the Edit Application dialog]. Once this was changed to a "Specific user", all was well.

Hope that helps anyone with the same problem.

Matt

Re: WCF RIA Services Part 7 - Authentication and Authorization

NikitaSherman — Thu, 10 May 2012 23:11:14 GMT

Thanks, great articale!

Re: WCF RIA Services Part 7 - Authentication and Authorization

brian.noyes — Thu, 03 May 2012 20:41:31 GMT

Are you positive there is not a web.config in the root site directory with deny anonymous or even at the machine config level? That is the only thing I am aware of that would cause what you are describing if anonymous is allowed through IIS.

Re: WCF RIA Services Part 7 - Authentication and Authorization

MattHousley — Thu, 03 May 2012 16:39:10 GMT

Hi Brian,
Thanks for you reply.
No at this point, the web.config file is exactly as it is in your TaskManagerPart7 project.

I'm assuming that this is how to allow anonymous users to get to the hosting page and the XAP.

I've added the following to the web.config file, but I still get the same result.:

<authorization>

<allow users="?"/>

authorization>


system.web>

 
<location path="TaskManagerTestPage.aspx"><system.web><authorization><allow users="?"/>authorization>system.web>location>

<location path="TaskManagerTestPage.html"><system.web><authorization><allow users="?"/>authorization>system.web>location>

<location path="Silverlight.js"><system.web><authorization><allow users="?"/>authorization>system.web>location>

<location path="ClientBin/TaskManager.xap"><system.web><authorization><allow users="?"/>authorization>system.web>location>


In IIS, the Authentication for the Web App, has Anonymous Authentication enabled as well as Forms Authentication, with HTTP 302 Login/Redirect enabled. ASP.Net Impresonation is Disabled. That's all that appears in the Authentication list.



Regarding the IIS Installation it's on Windows 7 Ultimate, with Request Filtering and URL Authorization enabled under Secuity for IIS in "Turn Windows features on or off".



I've started a thread on MSDN, but I haven't found a solution there either.
Any further help would be greatly appreciated.
Thanks again.



Matt



Re: WCF RIA Services Part 7 - Authentication and Authorization
brian.noyes — Thu, 03 May 2012 14:37:53 GMT
Presumably your root web.config has an authorization element with deny users="?". ASP.NET auto redirects in that case and by convention expects you to have a Login.aspx page, which this solution does not because it was not intended to show creating the secure session through a login page (which does work fine with RIA Services by the way).
You can create one easy enough by creating a page with that name and dragging and dropping a login control onto it and you are done.
But the real answer is - if you want clients to log in through the Silverlight app, don't restrict anonymous users from getting to the hosting page or the ClientBin directory.


Re: WCF RIA Services Part 7 - Authentication and Authorization
MattHousley — Wed, 02 May 2012 16:43:03 GMT
Hi Brian,

Great set of articles, thank you.



When I run the example project under Visual Studio it works great, but when I deploy to IIS 7, I just get a 404 for login.aspx.



How can I configure IIS to stop this from happening?
Thanks again
Matt


Re: WCF RIA Services Part 7 - Authentication and Authorization
Mivoat — Tue, 17 Apr 2012 15:22:23 GMT
Thanks Brian.
That puts it in perspective.
Clive


Re: WCF RIA Services Part 7 - Authentication and Authorization
brian.noyes — Tue, 17 Apr 2012 14:16:53 GMT
I only didn't use HTTPS in the sample because that requires running from IIS, setting up your certificate, etc. - stuff that is outside the scope of the article. There are plenty of tutorials for setting that up. This is completely appropriate for outside the firewall and I would always deploy with HTTPS for the authentication if not the whole site, depending on the nature of the data going back and forth.
If you are building and deploying distributed Silverlight browser apps you are a web developer. You don't have to be an IIS expert as a web developer, but you do at least have to learn how to set up applications/virtual directories in IIS and configure an SSL cert if you want to be successful deploying for real world scenarios.








Re: WCF RIA Services Part 7 - Authentication and Authorization
Mivoat — Tue, 17 Apr 2012 13:59:44 GMT
Brian
Yes that does help.  
But your (very useful) TaskManager example doesn't use https to login and so I'm wondering if its pattern is only appropriate for use inside firewalls - not really for the public internet?
I've looked for help on using https and there are warnings that it's difficult and involves having to use IIS for testing. 
I think I may be somewhat typical - having come from the world of the MSSQL stack, with VB Forms, (and avoided what I regard as fundamentally 70s mainframe architecture - screen refreshes coming from a big cpu at the end of a wire), and now want to take advantage of this great new architecture (appropriate processing at both ends with easy data interchange).
Bottom line - I was hoping to avoid having to become an expert in IIS and net protocols, and use a recommended pattern so I could stick mostly to data modelling etc.
If https is recommended for the login process on a public site can you recommend a simple example to download?   Or do most public sites just heavily encrypt username and password over http during login, and then keep regular backups and hope for the best?
Many thanks for your help, Clive
 
 
 


Re: WCF RIA Services Part 7 - Authentication and Authorization
brian.noyes — Mon, 16 Apr 2012 20:43:50 GMT
Clive,
This does presume that you are using SSL (HTTPS) for the authentication call that passes the credentials at a minimum. At that point it is no more or less secure than every web site you you log into out there. Once the authentication has happened, it uses the same session cookie based approach for maintaining the secure session that ASP.NET does, which has protections for trying to use that cookie from another machine and has timeouts to avoid having it used again from the same machine at some later time by another user. 
So it is "secure enough" - good enough for many banking, medical, and other domains.
Hope that helps.
Brian


Re: WCF RIA Services Part 7 - Authentication and Authorization
Mivoat — Mon, 16 Apr 2012 17:33:01 GMT
Very useful article Brian - thank you.
I'm new to web security, so please forgive me:
Even if I encrypt the password at the client side before submitting it with

WebContext.Current.Authentication.Login

- couldn't that be picked up by someone watching the net traffic, and then impersonated?  I'm worried they could then get a list of all the web services and then play all sorts of havoc?
- Or does the above Login routine do it's own encryption, that varies each time somehow?
My app is not hyper-sensitive with financial transactions, etc but I'm just wondering what is considered a sensible security arrangement for most LOB apps?
Is it considered generally secure enough as long as encryption keys are changed from time to time?  Do most hackers watch net traffic, or do they just try lots of password combinations with intelligent guesses?
BTW My app config is nothing special, just a plain vanilla SL4 business app, deployed to Azure and using SQL Azure.
Many thanks, Clive


Re: WCF RIA Services Part 7 - Authentication and Authorization
brian.noyes — Tue, 10 Apr 2012 18:01:28 GMT
You need to have the Silverlight Toolkit installed. Sorry, should have stuck to core Silverlight controls to make the demo more portable.


Re: WCF RIA Services Part 7 - Authentication and Authorization
anabifar — Mon, 09 Apr 2012 21:19:43 GMT
Hi Brian,
I've downloaded the sample part 7 , but i can't run it and see how it works, I'm getting an error that time picker could not be found, do you have any idea???
Thanks,


Re: WCF RIA Services Part 7 - Authentication and Authorization
TKelley — Sun, 25 Mar 2012 18:10:36 GMT
Hey Brian,
I liked the article and learned something.  One thing that would be really useful is to show how to mix WCF Authorization, Authentication with Prism.  Perhaps in it's own module.  I bought this book and would buy the one I'm speaking about.
Tim
 


Re: WCF RIA Services Part 7 - Authentication and Authorization
brian.noyes — Fri, 24 Feb 2012 21:47:17 GMT
cmeyerPng, you will have to try again. The zip is fine, just downloaded it to one of my machines to make sure.


Re: WCF RIA Services Part 7 - Authentication and Authorization
cmeyerPng — Thu, 23 Feb 2012 05:50:26 GMT
Could you please upload the sample code again? Unfortunately the zip file is empty.
Thanks!!!


Re: WCF RIA Services Part 7 - Authentication and Authorization
cmeyerPng — Thu, 23 Feb 2012 02:25:23 GMT
Could you please upload the sample code again? Unfortunately the zip file is empty.
Thanks!!!


Re: WCF RIA Services Part 7 - Authentication and Authorization
brian.noyes — Mon, 13 Feb 2012 17:14:20 GMT
Singlepoint, I'm not sure why you are getting that error. That error is the standard one you get if you try to access a private, protected, or internal member outside of the scope where it is accessible. However, when the WebContext class gets generated on the client side, it should redeclare the User property as public as you are alluding to. In which case you should not get this error.
First I would confirm that I have added the AuthenticationDomainService with proper definition on the server side as outlined above. Then I would double check that the WebContext class in the generated code has a redefined User property that wraps and exposes the base class one and that the property is public. Also double check that the visibility of the AuthUser class is public.
If all those are in place, I can't think why it would give you that error.


Re: WCF RIA Services Part 7 - Authentication and Authorization
singlepoint — Mon, 13 Feb 2012 08:10:13 GMT
Brian one more thing, if I do WebContext.Current.Authentication.User then I get the user but I can't find the isAuthenticated property.


Re: WCF RIA Services Part 7 - Authentication and Authorization
singlepoint — Mon, 13 Feb 2012 08:08:49 GMT
Hi Brian, 
Thanks for replying. This is the expression I am using
WebContext.Current.User
ain't this user supposed to be our AuthUser? But it's not accessible. 
Thanks


Re: WCF RIA Services Part 7 - Authentication and Authorization
brian.noyes — Mon, 13 Feb 2012 01:11:23 GMT
Hi singlepoint,
Are you using WebContext.Current.Authentication.User to get to it or are you trying to use the property directly on the WebContext instance?


Re: WCF RIA Services Part 7 - Authentication and Authorization
singlepoint — Sun, 12 Feb 2012 21:09:25 GMT
Hi Brian
I was following this post lately, once my domain context got created on the client side, it started giving me an error which says
WebContextBase.User inaccessible due to it's protection level. Can you please give me some hint what I am doing wrong here. I am new to .Net. Please bear with me if it's a nonsense question.





Re: WCF RIA Services Part 7 - Authentication and Authorization
Eran — Wed, 07 Dec 2011 02:33:05 GMT
Excellent.


Re: WCF RIA Services Part 7 - Authentication and Authorization
brian.noyes — Mon, 17 Oct 2011 06:03:30 GMT
Benoit73,
Anytime you see that  error message, tell yourself "I should not have blindly clicked OK in that dialog that warned me that a Silverlight client using RIA Services would not run correctly in the debugger unless the hosting web project is the startup project." :)


Re: WCF RIA Services Part 7 - Authentication and Authorization
Benoit73 — Mon, 17 Oct 2011 05:49:12 GMT
The login doesn't work for me. When I do a try/catch like this one:

try{
loginOp = WebContext.Current.Authentication.Login(UsernameTextBox.Text, PasswordTextBox.Text);
}catch(Exception eee){
MessageBox.Show(eee.Message);
}
 
I get a message like this one:
 

The URI model <> is not valid; the model <> was expected.
Parameter name: via
 
Any clue why?


Re: WCF RIA Services Part 7 - Authentication and Authorization
jiang212003 — Tue, 27 Sep 2011 10:32:44 GMT
excellent jobs.


Re: WCF RIA Services Part 7 - Authentication and Authorization
brian.noyes — Thu, 15 Sep 2011 18:02:24 GMT
With either Prism or MEF, you could conditionally load different XAP files based on role after initially loading a root app assembly to establish the security context. I wouldn't generally recommend that as it will be complicated to manage and maintain.
I don't think you can state in general that doing authentication or authorization on the client side is not a good idea, it depends on the app, the context, the users, the deployment scenarios, etc. Certainly for OOB apps you have no choice.


Re: WCF RIA Services Part 7 - Authentication and Authorization
koo9 — Tue, 13 Sep 2011 23:14:01 GMT
just a crazy thought, should the host service return role base xap file base on the user permission? then again, it's too much work. it's easier with html. doing authorization on client side is not really a good idea with sl.


Re: WCF RIA Services Part 7 - Authentication and Authorization
sonny_lp — Thu, 11 Aug 2011 00:27:19 GMT
Hi,
Thank you for this well written article. I was able to create my own custom membership provider as well as role provider following your article and they work well. I tried to create a custom ProfileProvider in the hope that I could add some custom properties to the user such as company, so that I could retrieve this information in my RIA service. To my disappointment, I cannot see my custom properties on the server side (in the RIA Service method). Is there anything, I am missing? Or is there any other way to achieve this? 


Re: WCF RIA Services Part 7 - Authentication and Authorization
brian.noyes — Sun, 31 Jul 2011 19:01:19 GMT
Koen,
You have a couple of paths you could take there. One is to write custom membership and profile providers to point to your own tables. Depending on the schema of those tables, this is straightforward and makes the providers reusable outside of RIA Services (web apps and normal WCF services can use them too). 
The other path is to override the ValidateUser and GetAuthenticatedUser methods and do your own data access to look up the username/password and to create the instance of the user object.
Hope that helps.
Brian


Re: WCF RIA Services Part 7 - Authentication and Authorization
KoenJordens — Sun, 31 Jul 2011 15:58:14 GMT
Hi Brian,
Thanks for your response.

I watched your webinar ... nice stuff.
In the demo solution you use the silverlight app to supply the FavoriteColor property of the User object and save the user in the asp.net database.
My goal is to add additional fields (name, first name, ...) from my own database from within the service project. 

Is that possible ? And how would you do that ?
Grtz, Koen.


Re: WCF RIA Services Part 7 - Authentication and Authorization
brian.noyes — Sat, 30 Jul 2011 02:44:58 GMT
Hi Koen
Depends on what "missing parts" you are referring to? Do you mean adding personalization properties? If so, see my webinar here on Silverlight show on securing and personalizing Silverlight apps.
If not, let me know what you had in mind.
Thanks
Brian


Re: WCF RIA Services Part 7 - Authentication and Authorization
KoenJordens — Mon, 25 Jul 2011 15:33:13 GMT
Hi Brian,

First of all: Great article !!
Just one question, how can I fill in the missing parts on the AuthUser class ?
grtz, Koen.


Re: WCF RIA Services Part 7 - Authentication and Authorization
hbteun — Thu, 09 Jun 2011 16:59:40 GMT
Hi Brian,
I solved it. It was an typing error in the DomainContextType string.
For other people who want place the authentication service in a RIA services class library check this post: Silverlight forum
Greetings,

Teun






Re: WCF RIA Services Part 7 - Authentication and Authorization
hbteun — Thu, 09 Jun 2011 14:53:34 GMT
Hi Brian,
do you know a good example of an (preferably a custom) AuthenticationService inside a RIA services class library for SL4? 
As I understand it, the WebContext is not created and you have to create it your self. But I get an exception when using it: The DomainContextType is null or invalid and there are no contexts generated from AuthenticationBase. 
Greetings,

Teun


RE: WCF RIA Services Part 7 - Authentication and Authorization
Brian Noyes — Sun, 08 May 2011 00:52:01 GMT
You can tie it in with the ASP.NET Profiles functionality if you set up a profile for the authenticated user. See this article: http://msdn.microsoft.com/en-us/library/ee707350(v=vs.91).aspx


RE: WCF RIA Services Part 7 - Authentication and Authorization
George P. — Thu, 05 May 2011 11:34:26 GMT
In your post you said that we can put what ever other information we want to AuthUser. But how are we going to update this information? Using your approach and with my limited knowledge i don't see how this can be done.
For example if in AuthUser i have a property PhoneNumber how am i going to fill it using your approach?
Thank you.


RE: WCF RIA Services Part 7 - Authentication and Authorization
Mahdi — Wed, 23 Feb 2011 20:35:04 GMT
Hi Brian,
I created a sample of custom membership provider for a business application but i don't what is my problem that i got the below error when i want to register a new user :
(
Invoke operation 'CreateUser' failed. The HTTP request to 'https://localhost:52878/ClientBin/SLCustomMembershipProvider-Web-UserRegistrationService.svc/binary/CreateUser' has exceeded the allotted timeout. The time allotted to this operation may have been a portion of a longer timeout.

)
and you can get my porject here.
 please help to find my problems.
Thanks a lot



RE: WCF RIA Services Part 7 - Authentication and Authorization
Brian Noyes — Wed, 09 Feb 2011 16:06:01 GMT
When you set up an Authentication Domain Service, it is queryable directly like any other domain service. It exposes a collection of your user type (AuthUser in my sample), which is an IPrincipal (meaning it has an IsInRole method on it). So you can do a Load operation for the GetUserQuery method on that domain context to get it to reload the user and its roles from the server side.


RE: WCF RIA Services Part 7 - Authentication and Authorization
bitdisaster — Wed, 09 Feb 2011 02:40:29 GMT
In my scenario the user can request to join another role from teh client. How coud I update the roles of user when the access to the role was granted. Is their a way wihtout doing a logout/login?


RE: WCF RIA Services Part 7 - Authentication and Authorization
Marius H Enerud — Thu, 18 Nov 2010 16:10:38 GMT
...and here is the event-handler for the Login-function:

Private

Sub loginIsCompleted(ByVal sender As Object, ByVal e As EventArgs)
    Dim op As LoginOperation = CType(sender, LoginOperation)
    If op.HasError Then 
        ErrorWindow.CreateNew(op.Error)
        op.MarkErrorAsHandled()
        Return
    ElseIf Not op.LoginSuccess Then 
        ErrorWindow.CreateNew("Login failed...")
        Return
    Else
        MessageBox.Show("Success!")
        Return
    End If
End Sub


RE: WCF RIA Services Part 7 - Authentication and Authorization
Marius H Enerud — Thu, 18 Nov 2010 16:06:54 GMT
Oops! Seems that I refreshed the page so that my text was posted several times... sorry!
Thanks for your explanation, but unfortunately it didnt help me: I still receive the same exception when I try to call the Login-function. 
Here is det exception that raises when I try to call the Login-function in the Authenication class :
Load operation failed for query Login. Could not load type

'RlAinterview.web.CustomMembershipProvider' from assembly

'RlAinterview.web'. (C:\Users\marius\Documents\Visual Studio

20 1O\Projects\RlAinterview\RlAinterview.web\web.config line 24)

Inner exception message: Could not load type

'RlAinterview.web.CustomtMlembershipProvider' from assembly

'RlAinterview.Web'.
   at System.Web.Security.Membership.Initialize()

   at System.Web.Security.Membership.get_Provider()

   at System.Web.Security.Membership.ValidateUser(String username, String password)

   at System.ServiceModel.DomainServices.Server.ApplicationServices.AuthenticationBase`1.ValidateUser(String userName, String password)

   at System.ServiceModel.DomainServices.Server.ApplicationServices.AuthenticationBase`1.Login(String userName, String password, Boolean isPersistent, String customData)

   at Login(DomainService , Object[] )

   at System.ServiceModel.DomainServices.Server.ReflectionDomainServiceDescriptionProvider.ReflectionDomainOperationEntry.Invoke(DomainService domainService, Object[] parameters)

   at System.ServiceModel.DomainServices.Server.DomainOperationEntry.Invoke(DomainService domainService, Object[] parameters, Int32& totalCount)

   at System.ServiceModel.DomainServices.Server.DomainService.Query(QueryDescription queryDescription, IEnumerable`1& validationErrors, Int32& totalCount)

   at System.ServiceModel.DomainServices.Hosting.QueryProcessor.Process[TEntity](DomainService domainService, DomainOperationEntry queryOperation, Object[] parameters, ServiceQuery serviceQuery, IEnumerable`1& validationErrors, Int32& totalCount)

   at System.ServiceModel.DomainServices.Hosting.QueryOperationBehavior`1.QueryOperationInvoker.InvokeCore(Object instance, Object[] inputs, Object[]& outputs)
 
..and here is the code for the login-button that trigger the exception:
Private Sub OKButton_Click(ByVal sender As Object, ByVal e As RoutedEventArgs) Handles OKButton.Click
    Dim loginOp As LoginOperation = WebContext.Current.Authentication.Login(TextBox1.Text, TextBox2.Text)
    AddHandler loginOp.Completed, AddressOf loginIsCompleted
End Sub


RE: WCF RIA Services Part 7 - Authentication and Authorization
Brian Noyes — Thu, 18 Nov 2010 15:36:29 GMT
The only thing particular to VB is that they hide your root namespace from you more so than C#. You have to know what your fully qualified type name is. I can't tell that without seeing your project code, but again, unless you have customized your namespaces, it is the project name that you added the class to. So if you added it to your web project and its name is MySLHost.Web, then your type name is MySLHost.Web.CustomMembershipProvider and the type attribute on your membership add eleement would be MySLHost.Web.CustomMembershipProvider,MySLHost.Web.


RE: WCF RIA Services Part 7 - Authentication and Authorization
Marius H Enerud — Thu, 18 Nov 2010 15:12:19 GMT
Thanks for your quick answer, Brian. But I'm still a bit confused about how to resolve the issue..
If I would create my own MembershipProvider-class (based on the techniques in your text) and I would call it "CustomMembershipProvider", how do I reference it in the web.config file to avoid the exception? Are there any other elements that I need to configure to get it working?
I forgot to mention that I'm writing this Solution in VB.
 
thanks again,
Marius


RE: WCF RIA Services Part 7 - Authentication and Authorization
Brian Noyes — Thu, 18 Nov 2010 13:17:27 GMT
Hi Marius, The type property in the membership element just needs to take on the form "fully-qualified-type-name,assemblyname". So whatever your custom provider name is with its full namespace (i.e. web project name by default if you put it there, or class library project name by default if you put it there). If you put it in a class library, you will naturally also need a reference to that library to get it pulled into the \bin directory of the web app, even though there is no code in your web app that is using it, once you add it to your config the framework is going to use it in the web app. You of course could use the built in SqlMembershipProvider as well.


RE: WCF RIA Services Part 7 - Authentication and Authorization
Marius H Enerud — Thu, 18 Nov 2010 12:06:04 GMT
Thanks for your quick answer, Brian. But I'm still a bit confused about how to resolve the issue..
If I would create my own MembershipProvider-class (based on the techniques in your text) and I would call it "CustomMembershipProvider", how do I reference it in the web.config file to avoid the exception? Are there any other elements that I need to configure to get it working?
I forgot to mention that I'm writing this Solution in VB.
 
thanks again,
Marius


RE: WCF RIA Services Part 7 - Authentication and Authorization
Brian Noyes — Thu, 18 Nov 2010 00:23:57 GMT
Looks like you modified the membership element and broke it. The one in the download code reads:


      

        

      

    


RE: WCF RIA Services Part 7 - Authentication and Authorization
Marius H Enerud — Thu, 18 Nov 2010 00:05:02 GMT
Hi!
Thanks for this nice tutorial! I'm pretty new into Silverlight and I seem to have a problem that struggle to solve:
I followed your tutorial step-by-step, but when I execute the application and push the OK-button (to run the login) I get an exception:
Load operation failed for query 'Login'. Could not load type 'Web.CustomerMembershipProvider'. 
The exception fires here in the web.config file:


<membership defaultProvider="myCustomProvider">
    <providers>
        <add name="myCustomProvider" type="Web.CustomMembershipProvider"/>
    providers>

membership>



I thought maybe that I should have a Namespace.ClassName naming convention, but I tried all kinds of namespaces without success...
Do you know what could be the answer to my problem?
Thanks, 
Marius
 
 


RE: WCF RIA Services Part 7 - Authentication and Authorization
KK — Wed, 10 Nov 2010 07:51:20 GMT
How's the rest of the topics coming along?  I'm eagerly waiting for "Structuring WCF RIA Services Applications".


RE: WCF RIA Services Part 7 - Authentication and Authorization
Brian Noyes — Thu, 28 Oct 2010 15:34:53 GMT
Ted, 
You have two choices - one is a custom authentication domain service and override ValidateUser to do your own look up wherever you like. The other that I favor is writing custom membership and role providers that do those look ups because then those can be integrated with non-RIA WCF services, ASP.NET, Client Application Services, or anywhere else membership and role providers are used. There are tons of examples of writing custom membership and role provides out there. 


RE: WCF RIA Services Part 7 - Authentication and Authorization
Ted — Thu, 28 Oct 2010 06:52:25 GMT
Thanks Brian, this is nice and useful as far as it goes.  However, while you deal with making the "Authentication Domain Service", you say nothing about where the data is actually stored.  All of the examples I have found so far that deal with these assume the data is stored in some version of MS SQL.  I have been told that if I want to use a different RDBMS, such as MySQL, I have to make a customer authentication domain service.
Now, creating a data model using a connection I have previously created to a schema in MySQL is trivially easy.  And  have created a test schema with a table to hold user credentials (along with an additional 'nickname'), a lookup table with role names, and a third to hold the many to many relations between useers and roles.  Can you either tell me how to tell my custom authentication domain service to use it rather than look for a DB in MS SQL, or point me to a resource that shows how to do it?
Thanks
Ted


RE: WCF RIA Services Part 7 - Authentication and Authorization
hunsra — Wed, 27 Oct 2010 22:14:33 GMT
Brian, thanks again.  I think I'll have to settle for using Windows auth.  I have tried it and it does work, but I wanted to avoid using the browser to establish the login, and let the Silverlight application do it.  We'll go that way for now.
-Randy


RE: WCF RIA Services Part 7 - Authentication and Authorization
Brian Noyes — Wed, 27 Oct 2010 21:48:38 GMT
Randy, since the AuthenticationService is a separate service, doing
something there would not have an effect in the other services. That
service just allows a security context to be set up that can then be
returned to the client. In fact, if you don't need to do any
authorization or personalization client side, you don't even need an
authentication service, just the membership providers set up on the
individual domain services host. 
 For the impersonation thing, now that I think it through a little more, that would not work. Was remembering use of the WindowIdentity in a scenario where you did have the full creds available. If you used Windows auth instead of Forms however, I think it might work, but again have not tried that part.


RE: WCF RIA Services Part 7 - Authentication and Authorization
hunsra — Wed, 27 Oct 2010 21:20:42 GMT
Brian,
Thank you for the quick response.  So, if I understand you correctly, it's not possible to customize the AuthenticationBase -based authentication domain service class in some way so that when its Login() method is called the user is impersonated, right?
To use your suggestion about establishing a WindowsPrincipal in the RIA service, how would the service discover the credentials used during the login operation?  The DomainServiceContext object passed to the Initialize() method includes a User property of the IPricipal type, and that includes an Identity property of the IIdentity type.  But that only includes the user name, not the password.
Thanks for any help you can provide.
-Randy


RE: WCF RIA Services Part 7 - Authentication and Authorization
Brian Noyes — Wed, 27 Oct 2010 20:52:25 GMT
Randy, In combination with the membership provider you could not impersonate. Even though the credentials are being validated against Windows, you are not establishing a WindowsPrincipal on the thread, which is required for Impersonation. In fact, RIA Services never establishes a thread principal, instead keeping the authorization context in its own service context. You could potentially set up your own WindowsPrincipal and establish it in the Initialize method of the service based on the credentials. I don't have a working sample of that, but have done it in the past through the WindowsIdentity class.


RE: WCF RIA Services Part 7 - Authentication and Authorization
hunsra — Wed, 27 Oct 2010 20:30:11 GMT
Hi Brian,



Thank you for the excellent post.  It has helped to clear things up a bit for me.  I have a question related to the statements "... For the Windows case, you may require the user to enter a domain account on the client side because they could be working from a home or public computer that is not part of the domain ..." and "... You can collect the user credentials in either case before the Silverlight application launches through a web login form that uses normal Forms Authentication to pass the user credentials in a cookie, or by using RIA Services to pass the credentials from within the Silverlight application ..." you wrote in the post:



If I want to use Windows credentials (i.e. a Windows username, domain, and password) instead of proprietary application credentials to authenticate users, but want to use the Silverlight application to collect them (rather than the browser), how would I get a WCF service to impersonate the given user?  I understand how I would implement the "ValidateUser" method in the CustomMembershipProvider class (call the Win32 LogonUser API), but I don't see how I would be able to impersonate the identity in a WCF service once the user has logged in.  Can you provide any insight?



Thanks again!

Randy


RE: WCF RIA Services Part 7 - Authentication and Authorization
schilders — Thu, 14 Oct 2010 01:23:58 GMT
Hi Brian,
Is it possible to use an ObjectDataSource in a Silverlight solution?  I'm creating a prototype for a customer, and they don't necessarily want a database, membership provider, etc. included in the prototype.  Yet, we want to demonstrate the Silverlight Business Application's login functionality, protecting some pages from unauthenticated users, etc.  How would you suggest we proceed with using authentication and not going with a SQL Membership provider?
Thanks,
Sid


RE: WCF RIA Services Part 7 - Authentication and Authorization
Brian Noyes — Wed, 13 Oct 2010 13:49:02 GMT
Hi Cleyton,
Answered in both places just in case... :) Sorry, but just have had some schedule conflicts and priorities recently delaying me. Will have Part 8 out by end of October and Part 9 and 10 in November.


RE: WCF RIA Services Part 7 - Authentication and Authorization
Cleyotn — Wed, 13 Oct 2010 12:04:14 GMT
Sorry. I meant to write my message in this article:
Hi,
I would like to congratulate you on these articles. They are fantastic. Thanks for this brillant series of articles. 
I really would like to learn how to test WCF Ria services and other stuff. 
When are you planning to finish the remaining articles?

    Debugging and Testing WCF RIA Services Applications 
    Structuring WCF RIA Services Applications 
    Exposing Additional Domain Service Endpoints for Other Clients 



RE: WCF RIA Services Part 7 - Authentication and Authorization
eric yan — Tue, 12 Oct 2010 08:31:40 GMT
brian, 
Can't wait for part-8 and part -9 and part-10 and 11... 
:)


RE: WCF RIA Services Part 7 - Authentication and Authorization
Thomas t1 — Fri, 08 Oct 2010 17:09:25 GMT
Brian,
I would like to moderate the "simple" statement in my last comment to "possible". Although it is possible to use CAS, the WCF Authentication Service provides services more compatible with WCF RIA. By using shared cookie management implemented in a WCF Message Inspector/Behavior it's possible to combine the two in a relatively seamless way. None of the WCF RIA samples I have found deal with this issue, maybe this could be a section in a future article that deals with distributed solutions/applications, where the primary client is Silverlight but also has secondary clients e.g. a desktop application.


RE: WCF RIA Services Part 7 - Authentication and Authorization
Thomas t1 — Tue, 28 Sep 2010 16:52:41 GMT
Thanks for the tip Brian, turns out it's simple after all :) One of the very useful features of WCF RIA, IMHO, is the ability to use the same domain service from Silverlight, ASP.NET and non-web applications, which I'll be able to do via the Client Application Services, thanks again!


RE: WCF RIA Services Part 7 - Authentication and Authorization
Brian Noyes — Tue, 28 Sep 2010 16:40:46 GMT
Thomas,
Not really the right tool for the job in my opinion since you don't get any client side code generation to make the authentication service as useful. What you want to look at is "Client Application Services", which allows you to easily leverage Membership and Role providers in a different way in WPF and Windows Forms clients.


RE: WCF RIA Services Part 7 - Authentication and Authorization
Thomas t1 — Tue, 28 Sep 2010 16:35:06 GMT
Very useful posts! What I cannot seem to figure out, is how to authenticate a stand-alone application (WPF/Windows Forms) against the domain service, any hints on how to acheive this would be very useful as the authentication for non-SL clients is not very well documented IMHO, feel free to prove me wrong :)


RE: WCF RIA Services Part 7 - Authentication and Authorization
Kyle McClellan — Fri, 17 Sep 2010 19:06:46 GMT
Great post Brian.
@daniel
You have to implement your own authentication service to take advantage of it.
public class MyAuthenticationService : DomainService, IAuthentication


RE: WCF RIA Services Part 7 - Authentication and Authorization
daniel — Fri, 17 Sep 2010 03:48:06 GMT
Hi. Good article as always.

I have a question about sending custom data when logging in.
the AuthenticationBase.Login method has 'string customData' parameter, but this field seems to be ignored. and since it is not a virtual method, I can't override it. Is there a way to send custom data along with ID/Password when calling this method?


RE: WCF RIA Services Part 7 - Authentication and Authorization
Mahesh — Thu, 16 Sep 2010 21:29:23 GMT
Hi Brian,
In Step 4, in LoginForm childwindow code, you are putting LoginOperations errors inside a textbox(errortextblock).
Can you show instead of this direct input , how to raise validationresults so that a validationsummary control can catch all validations like "incorrect username" or "wrong password"?
Also is it possible to use MetaDataClasses on server side to put Validation  Attributes like , etc?
Otherwise this post is great!!!