This article touches on many technical concepts that you’ll find covered in more detail elsewhere (including this magazine). For this reason, I won’t explore these topics in great technical depth. Instead, the goal of the article is to “connect the dots” and show how you can exploit these concepts to secure your applications.
When planning security for an application, it’s useful to think of three A’s: authentication, authorization and audit.
Authentication is the act of confirming that users are who they claim to be. We usually do this with a user name and password.
Authorization is the process of confirming that a user, once authenticated, actually has the appropriate permissions to perform a particular action or access a particular resource.
Audit is the act of maintaining a record of activity such that actions and requests made upon a system can’t be denied by the user.
I will focus on the first two, authentication and authorization, in the context of a Silverlight application. As this is a Rich Internet Application (RIA), the majority of concepts described in this article apply equally to Asynchronous JavaScript and XML (AJAX) or other RIA approaches. I’ll also discuss how you can prevent unwanted access to your Silverlight application files.
Topology
Silverlight is a cross-browser plug-in that leverages many of the graphical concepts pioneered by Windows Presentation Foundation (WPF), enabling Web developers to create rich user experiences far beyond what’s possible with only HTML and JavaScript.
Unlike ASP.NET, Silverlight is a client-side technology, so it runs on users’ computers. This means Silverlight development arguably has more in common with Windows Forms or WPF than with ASP.NET. In many ways, this is one of Silverlight’s greatest advantages, as it removes many of the problems caused by the stateless nature of Web applications. However, because all the UI code runs on client computers, you can no longer trust it.
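As an added example (not code from the article), here is a hypothetical ASP.NET-hosted WCF service that a Silverlight client might call, showing the three A’s enforced on the server rather than in the untrusted client; OrderService, CancelOrder, the "Manager" role and the in-memory audit list are assumed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.Web;

// Hypothetical service hosted in ASP.NET and called from the Silverlight client.
// Required compatibility mode gives the service the ASP.NET request context
// (HttpContext.Current), so the forms-authentication principal is available here.
[ServiceContract]
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class OrderService
{
    // Constructed in-memory audit trail for the example; a real service would persist it.
    private static readonly List<string> Audit = new List<string>();

    [OperationContract]
    public bool CancelOrder(int orderId)
    {
        var user = HttpContext.Current.User;

        // Authentication: is the caller who they claim to be? Decided by the server's
        // authentication ticket, never by anything the Silverlight UI asserts about itself.
        if (user == null || !user.Identity.IsAuthenticated)
            throw new FaultException("Sign in first.");

        // Authorization: does this authenticated user hold the required role? The client
        // may hide the Cancel button, but a hand-crafted request still reaches this method,
        // so the check must live here.
        if (!user.IsInRole("Manager"))
        {
            Record(user.Identity.Name, "DENIED CancelOrder", orderId);
            throw new FaultException("Not permitted.");
        }

        // Audit: record who did what and when, so the action cannot later be denied.
        Record(user.Identity.Name, "CancelOrder", orderId);
        // The cancellation itself is omitted; the point is that the decision was made server-side.
        return true;
    }

    private static void Record(string who, string what, int orderId)
    {
        Audit.Add(string.Format("{0:o} {1} {2} order={3}", DateTime.UtcNow, who, what, orderId));
    }
}
```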
Read more: MSDN Magazine