This is a mirror of the official site: http://jasper-net.blogspot.com/

Securing Your Silverlight Applications

Sunday, May 9, 2010

In my role as a consultant with Microsoft Services, I have regular discussions with customers and partners about application security. In this article, I'll explore some of the themes that arise in those discussions. In particular, I'll focus on the new challenges programmers face when trying to secure Silverlight applications, and I'll consider where development teams should focus their resources.

This article touches on many technical concepts that you'll find covered in more detail elsewhere (including this magazine). For this reason, I won't explore these topics in great technical depth. Instead, the goal of the article is to "connect the dots" and show how you can apply these concepts to secure your applications.

When planning security for an application, it’s useful to think of three A’s: authentication, authorization and audit.

Authentication is the act of confirming that users are who they claim to be. We usually do this with a user name and password.

Authorization is the process of confirming that a user, once authenticated, actually has the appropriate permissions to perform a particular action or access a particular resource.

Audit is the act of maintaining a record of activity so that the actions and requests made upon a system can be reconstructed afterwards and can't be denied by the user who made them (non-repudiation).

I will focus on the first two, authentication and authorization, in the context of a Silverlight application. Because Silverlight is a Rich Internet Application (RIA) technology, most of the concepts described in this article apply equally to Asynchronous JavaScript and XML (AJAX) or other RIA approaches. I'll also discuss how you can prevent unwanted access to your Silverlight application files.

Topology

Silverlight is a cross-browser plug-in that leverages many of the graphical concepts pioneered by Windows Presentation Foundation (WPF), enabling Web developers to create rich user experiences far beyond what’s possible with only HTML and JavaScript.

Unlike ASP.NET, Silverlight is a client-side technology: it runs on users' computers. Silverlight development therefore arguably has more in common with Windows Forms or WPF than with ASP.NET. In many ways this is one of Silverlight's greatest advantages, as it removes many of the problems caused by the stateless nature of Web applications. However, because all the UI code runs on client computers, you can no longer trust it: the .xap package can be downloaded, decompiled and modified, and any request the client sends can be forged or replayed from another tool. Checks performed in the client are a convenience for the user, not a security boundary; authentication, authorization and validation have to be enforced again on the server.
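The following C# console program is an added example and is not code from the MSDN article. It contrasts a service method that trusts a role string supplied by the client with one that authorizes against the principal the server itself established for the caller. The service name, the "Admin" and "User" roles, the sample users and the request shape are illustrative assumptions; in a real WCF service hosted under ASP.NET the server-side principal would come from HttpContext.Current.User or ServiceSecurityContext rather than being passed in as a parameter.

```csharp
// Added example (not from the MSDN article): why an authorization decision
// made in Silverlight client code cannot be trusted, and where to enforce it.
// ReportService, the "Admin"/"User" roles and the users are assumptions.
using System;
using System.Security.Principal;

// What the server receives from the browser. Silverlight runs on the user's
// machine, so every field here, including a claimed role, is under the
// user's (or attacker's) control.
class ClientRequest
{
    public string ClaimedRole;   // set by client-side code; attacker-controlled
    public int ReportId;
}

class ReportService
{
    // WEAK: trusts a role string the client sent. The Silverlight UI may hide
    // the "Delete" button for non-admins, but a modified client (or a hand-
    // crafted HTTP request) simply sends "Admin".
    public static bool DeleteReportTrustingClient(ClientRequest req)
    {
        if (req.ClaimedRole != "Admin")
            return false;
        return true; // would delete report req.ReportId
    }

    // HARDENED: the role comes from the principal the server built when it
    // authenticated the caller. The client's ClaimedRole is never consulted.
    public static bool DeleteReportServerEnforced(IPrincipal caller, ClientRequest req)
    {
        if (caller == null || !caller.Identity.IsAuthenticated)
            return false;                   // authentication first
        if (!caller.IsInRole("Admin"))
            return false;                   // authorization decided server-side
        return true;                        // would delete report req.ReportId
    }
}

class Program
{
    static void Main()
    {
        // Constructed sample: the server authenticated "bob" and knows his
        // real role is only "User".
        IPrincipal bob = new GenericPrincipal(new GenericIdentity("bob"),
                                              new[] { "User" });

        // A tampered client lies about its role.
        var forged = new ClientRequest { ClaimedRole = "Admin", ReportId = 42 };

        Console.WriteLine("trusting client:  " +
            ReportService.DeleteReportTrustingClient(forged));
        Console.WriteLine("server enforced:  " +
            ReportService.DeleteReportServerEnforced(bob, forged));

        // A genuine administrator, as established by the server, is allowed.
        IPrincipal alice = new GenericPrincipal(new GenericIdentity("alice"),
                                                new[] { "Admin" });
        Console.WriteLine("server enforced (admin): " +
            ReportService.DeleteReportServerEnforced(alice, forged));
    }
}
```

Run as a plain console application: the first method lets the forged request through, the second rejects it for bob and accepts it only for alice, whose Admin role the server assigned. The same shape applies whether the service is WCF, ASMX or a plain HTTP handler: hiding controls in XAML is a usability decision, and the role check has to be repeated where the client cannot reach it.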


Read more: MSDN Magazine
