MSDN Magazine - September 2008 - (Page 56)

The key is to isolate in a protected user interface element—an ASP.NET page in this case—any function that needs to invoke a sensitive service method. By requiring that any user who wants to invoke that functionality pass through a login page first, you guarantee that any subsequent requests originated by that user carry the authentication cookie issued by the application's membership system. The login page gets credentials from the user and verifies whether the user is authorized to visit the page. If all is fine, the request is authorized and an authentication cookie is generated and attached to the response. From then on, any requests the user makes to the application, including service requests, will carry the cookie. As a result, any invoked services in the AJAX service layer should check for the authentication cookie to ensure that a legitimate user is making the request.

You can't avoid public endpoints, but you need a way to recognize authorized users and keep others off your site.

Any page that carries security-sensitive operations in ASP.NET AJAX or Silverlight 2 applications should be placed in a protected area of the Web site. To filter access to a specific area, add the following configuration fragment to the web.config file:

Here, the contents of the MembersOnly folder are restricted to authenticated users. Finally, you need to turn on authentication. In this example, I'm enabling ASP.NET forms authentication:

Admittedly, this is not rocket science. Once a user has successfully visited the login page, a valid authentication cookie is attached to the response. This cookie will be used for any subsequent request until it expires. It is interesting that this approach works for both ASP.NET AJAX and Silverlight 2. The Silverlight plug-in, in fact, relies on the browser's underlying infrastructure (which is only visible to plug-ins) to execute remote calls. This ensures that authentication cookies (and any other cookies) are appended to the request.

Retrieving User Information from the Service

The authentication cookie issued by the application is passed to the Web service or WCF service. But how can the service access this information? Let's tackle ASMX Web services first. An ASMX Web service is always hosted by the ASP.NET worker process; thus it has access to the HTTP context of the ASP.NET request being processed. If you derive the Web service class from the WebService class defined in the System.Web.Services namespace, then your class will inherit the Context property and will then have access to all of its properties, including Session, Request, Response, and, especially, User. If you choose not to derive your class from WebService, you can still access the same ASP.NET intrinsic objects using the HttpContext.Current property. In any case, the ASP.NET request context is always available to an ASMX Web service.

For a WCF service, things are different. A WCF service can be hosted in IIS either side-by-side with ASP.NET or in compatibility mode. The default configuration is side-by-side with ASP.NET. Requests for a WCF service are received by the ASP.NET run time, but it doesn't participate in the processing of these requests. Within the worker process, the WCF run time detects incoming requests and processes them through the WCF stack. When ASP.NET and WCF work side-by-side, there are a few side effects to note. For example, you can't define an access control list for the SVC resource and, more important in this context, the HttpContext.Current property always returns null when accessed from within a WCF service. As a result, there's no way for the WCF service to grab any information about the ASP.NET logged-in user.

In general, the WCF model is designed to work regardless of the hosting environment or transport mechanism. However, security over the AJAX service layer requires a stricter collaboration between WCF and the host ASP.NET environment. This is just what the ASP.NET compatibility mode for WCF addresses. When running in compatibility mode, a WCF service fully participates in the lifecycle of the ASP.NET request. The net effect is that the WCF service has access to the same information as an ASMX Web service. In particular, file-based authorization is supported and, more important, HttpContext.Current is correctly set. Compatibility mode is a global setting enabled at the application level. Individual services, though, are allowed to refuse or accept the mode. To turn on compatibility mode, you need to enter the following fragment in the configuration file:

Individual services declare their support for compatibility mode through the RequirementsMode property of the AspNetCompatibilityRequirements attribute, which is to be set on the service class, not the contract. Values for the property are Required, Allowed, and NotAllowed. The default is NotAllowed, which means that each WCF service in the AJAX service layer must have the RequirementsMode property changed to either Allowed or Required:

    [AspNetCompatibilityRequirements(
        RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
    public class TimeService : ITimeService
    {
        :
    }

Based on this information, each critical method in a service within the AJAX service layer should incorporate a piece of code that checks the identity of the logged-in user. Here's an example:

    public class TimeService : ITimeService
    {
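The per-method identity check the column describes, written out as an added example rather than the article's own listing. It assumes a service contract named ITimeService with a single GetTime operation, that web.config already enables forms authentication and sets aspNetCompatibilityEnabled="true" on serviceHostingEnvironment, and that the helper EnsureAuthenticated is a name chosen here.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.Web;

// Added example, not the article's code. Assumes web.config turns on
// forms authentication and ASP.NET compatibility mode for WCF.
[ServiceContract(Namespace = "")]
public interface ITimeService
{
    [OperationContract]
    DateTime GetTime();
}

// Opt this service into compatibility mode so that HttpContext.Current
// is populated; under side-by-side hosting it would always be null.
[AspNetCompatibilityRequirements(
    RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class TimeService : ITimeService
{
    public DateTime GetTime()
    {
        // Every sensitive operation checks the caller before doing work.
        EnsureAuthenticated();
        return DateTime.Now;
    }

    // The forms-authentication cookie on the request is what populates
    // HttpContext.Current.User; without it the identity is anonymous.
    private static void EnsureAuthenticated()
    {
        HttpContext ctx = HttpContext.Current;
        if (ctx == null)
        {
            // Compatibility mode is not active: fail closed instead of
            // silently treating the caller as anonymous.
            throw new FaultException(
                "ASP.NET compatibility mode is required for this service.");
        }
        if (ctx.User == null || !ctx.User.Identity.IsAuthenticated)
        {
            throw new FaultException("Caller is not authenticated.");
        }
    }
}
```

Returning a FaultException keeps the failure on the service side; the AJAX client sees an error response rather than a partial result.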