Some key points from Karen's blog:

"*Also, all the requests you send will have the "right thing happen" to them
from a cookies and authentication standpoint.  This is a result of us
leveraging the hosting browser to make the HTTP request.*"

And

"*Similarly, we could have gone directly to the operating system's
networking APIs, but then we would have lost the cookies and authentication
integration with the browser.  In the future, exploring multiple of these
stacks to expose more capabilities is definitely a possibility, and is
something we would like feedback on.*"




On Thu, May 29, 2008 at 5:28 PM, Jonas Follesø <[EMAIL PROTECTED]> wrote:

> Not sure about all the specifics - But if it's an ad it would be served off
> another domain, so if it tried to call back to your server the
> authentication headers and cookies wouldn't be attached (since the source is
> different). But not 100% sure.
>
> I guess the video is a good starter - Also Karen Corby has a three part
> blog series on Silverlight HTTP Network Stack at
> http://scorbs.com/2008/04/05/silverlight-http-networking-stack-part-1-site-of-origin-communication-
>  and I guess I have to "plug" my own blog at
> http://jonas.follesoe.no/PermaLink,guid,52d330a9-2931-40dc-9320-01195b24996a.aspx
>  where I show how to use Yahoo Pipes as a general cross domain proxy ;)
>
> Cheers,
> Jonas
>
>
> On Thu, May 29, 2008 at 5:21 PM, Jordan Knight <[EMAIL PROTECTED]>
> wrote:
>
>>  Oh sweet, I have that vid (networking) on my iPod I think :)
>>
>>
>>
>> I love what you are saying here! However...
>>
>>
>>
>> With this in mind, how do you prevent a Silverlight ad from gaining access
>> to this same stuff? I.e. Could a silverlight ad access the server, get some
>> sensitive data and then use cross domain networking to send it somewhere
>> else?
>>
>> Do you have some more info, or should I just watch the Silverlight ad
>> video from mix?
>>
>>
>>
>> Cheers,
>>
>>
>>
>> Jordan
>>
>>
>>
>> *From:* [EMAIL PROTECTED] [mailto:
>> [EMAIL PROTECTED] *On Behalf Of *Jonas Follesø
>> *Sent:* Thursday, 29 May 2008 5:10 PM
>>
>> *To:* [email protected]
>> *Subject:* Re: [OzSilverlight] Accessing asp.net from Silverlight
>>
>>
>>
>> Hi,
>>
>> This is the nice thing: the XAP is hosted inside your web application.
>> When making requests back to the server, the requests go through the
>> browser's networking stack. If you have any cookies/authentication headers
>> (if you're using basic http authentication) those will be attached to the
>> request, and when it reaches the server, the server will see the incoming
>> HTTP request as authenticated.
>>
>> I'm doing this on the current project, where the Silverlight XAP is being
>> hosted on a HTML page served from an (Oracle) Apache server. The page and
>> back-end services are protected using basic http authentication.
>>
>> The user accesses the HTML page, a browser-specific username/password dialog
>> pops up (to authenticate the user to actually access the HTML page hosting
>> the XAP), the user gets authenticated and all protected resources (HTML,
>> IMG, CSS, JS, XAP) get returned to the user.
>>
>> When the silverlight application starts making web service requests back
>> to the server any authentication headers and cookies get automatically
>> attached to the request, and I'm able to access protected services on the
>> server.
>>
>> So, the way I see it there will be no login dialog in your silverlight app
>> - you'll use ASP.NET forms auth, basic auth or windows auth to do that.
>>
>> In fact, there is no way you can change the HTTP headers or cookies before
>> issuing the request.
>>
>> There is a great MIX session on networking in Silverlight you should check
>> out - Can't access the visitmix.com site from work so I'll drop the link
>> when I get home.
>>
>> Cheers,
>> Jonas
>>
>>
>>  On Thu, May 29, 2008 at 5:00 PM, Jordan Knight <
>> [EMAIL PROTECTED]> wrote:
>>
>> The server never assumes the client is authenticated even in a normal web
>> forms app… it simply says to the client "Yes you are authenticated, but I'll
>> also keep track of authentication status – nothing personal, I just don't
>> trust you".
>>
>>
>>
>> So the real question is, can the silverlight app access the session cookie
>> and viewstate when accessing server – or does it have to go through some
>> kind of partial update procedure in the host page to gain access to
>> protected information (i.e. not only perform auth using the host page, but
>> also consume services and stuff which require authorized status by using the
>> host page also). Is there a bridge so that the silverlight app can act on
>> behalf of its host page?  Maybe we will all be getting rather nicely
>> acquainted with the DOM bridge for auth/membership related actions?
>>
>>
>>
>> Cheers,
>>
>>
>>
>> Jordan
>>
>>
>>
>> *From:* [EMAIL PROTECTED] [mailto:
>> [EMAIL PROTECTED] *On Behalf Of *Stephen Price
>> *Sent:* Thursday, 29 May 2008 4:53 PM
>>
>>
>> *To:* [email protected]
>> *Subject:* Re: [OzSilverlight] Accessing asp.net from Silverlight
>>
>>
>>
>> Ok so that brings me back to an interesting problem (the best kind heheh)
>>
>> If the asp.net application authenticates the user (and is given an
>> encrypted cookie to Id them to future pages) how can I get away with not
>> having to enter a username and password into the Silverlight app? Also does
>> this mean every single web service call needs to authenticate the user? Am
>> in the stage of most of the site being asp.net but the application is
>> accessed through the site. A second login would be nice if it could be
>> avoided.
>>
>> Need to do some more reading on the security of Silverlight. Like they
>> could take the xap file and write their own html page to host it and away
>> they go. The authentication definitely has to come from the Silverlight app
>> given the fact someone could walk off with the xap file.
>>
>> cheers,
>> Stephen
>>
>> On Thu, May 29, 2008 at 1:59 PM, Jonas Follesø <[EMAIL PROTECTED]> wrote:
>>
>> Yepp - And in some cases you won't have access to the host (it can disable
>> HTML access). For instance you don't want a Silverlight 2 ad grabbing hold
>> of the entire HTML page, or accessing any information about the user
>> browsing a page containing the ad.
>>
>> Yeah - Takes a little bit of time before you start thinking of Silverlight
>> as a client side .NET app running in the browser. But sometimes that can
>> fool you too - for instance when you want to grab HTTP headers, cookies etc
>> and don't get access to do this from the browser.
>>
>> cheers,
>> Jonas
>>
>>
>>
>> On Thu, May 29, 2008 at 3:53 PM, Stephen Price <[EMAIL PROTECTED]>
>> wrote:
>>
>> Thanks for the replies all. The Server/Client explanation made it all
>> click home into place. It's easy to forget you're actually working with a
>> fully client based app (in a browser). My boss wasn't aware, and I assumed
>> he knew it was client based.
>>
>> So the issue of security of remote services isn't a new one, it looks like
>> it's a good time to get familiar with WCF and its security. :)
>>
>> Right after I check out Isolated storage...
>>
>> You're right, it's a client and thus should not be trusted. All the
>> standard security practices apply. I did see a post somewhere about another
>> SL app theoretically being able to hijack the isolated storage of another SL
>> app. I was thinking the easiest way to find out who the user is would be to
>> ask the host app, but if you think about it, the silverlight app shouldn't
>> trust the host as it could be anyone.
>>
>> cheers,
>> Stephen
>>
>>
>>
>> On Thu, May 29, 2008 at 1:23 PM, Jordan Knight <[EMAIL PROTECTED]>
>> wrote:
>>
>> Oh also keep in mind that getting data from the host page in this way is
>> insecure – your app may not be running where it thinks it is, and could get
>> false information regarding authentication from a scrupulous user.
>>
>>
>>
>> I've not tested this out (spoofing to a SL app) – does anyone else have
>> any comments on this?
>>
>>
>>
>> I guess as long as you remember that nothing on the client end is sacred
>> you will be alright – just as long as you don't trust anything from your SL
>> app on the server...
>>
>>
>>
>> *From:* [EMAIL PROTECTED] [mailto:
>> [EMAIL PROTECTED] *On Behalf Of *Jordan Knight
>> *Sent:* Thursday, 29 May 2008 3:18 PM
>> *To:* [email protected]
>> *Subject:* RE: [OzSilverlight] Accessing asp.net from Silverlight
>>
>>
>>
>> Hi Stephen,
>>
>>
>>
>> You can access membership stuff from AJAX using the AuthenticationService
>> class...
>> http://www.asp.net/ajax/documentation/live/ClientReference/Sys.Services/AuthenticationServiceClass/default.aspx
>>
>> With a bit of ingenuity I'm sure you can pipe a call from Silverlight to
>> this class to get the info you need :)
>>
>>
>>
>> Cheers,
>>
>>
>>
>> Jordan.
>>
>>
>>
>> *From:* [EMAIL PROTECTED] [mailto:
>> [EMAIL PROTECTED] *On Behalf Of *Jonas Follesø
>> *Sent:* Thursday, 29 May 2008 2:49 PM
>> *To:* [email protected]
>> *Subject:* Re: [OzSilverlight] Accessing asp.net from Silverlight
>>
>>
>>
>> Hi Stephen!
>>
>> First off: great meeting you at REMIX! Haven't gotten around to figuring out
>> why you're having issues with the YouCard demo - Will get back with some
>> feedback on that ASAP. Been a busy week!
>>
>> Second: Silverlight is a pure client side technology, and the ASP.NET
>> specific things you want to access are all server side specific. You would
>> have to expose a web service (REST, WCF, ASMX whatever) that you call from
>> Silverlight to get that data back.
>>
>> Since the Silverlight app is running on your ASP.NET page any HTTP
>> requests you make back to the server will include any authentication headers
>> or cookies, so you should be able to call the service, do the
>> Page.User.Identity.IsAuthenticated check, and then return true/false.
>>
>> BTW: Wilco Bauwer has a post on ASP.NET Silverlight component development
>> at
>> http://www.wilcob.com/wilco/News/asp-net-silverlight-component-development.aspx
>>
>>
>> Cheers,
>> Jonas :)
>>
>> On Thu, May 29, 2008 at 2:38 PM, Stephen Price <[EMAIL PROTECTED]>
>> wrote:
>>
>> Hey all,
>>
>> I'm trying to find an example of accessing Asp.Net objects on the host
>> page from the Silverlight application.
>>
>> I've found some great stuff on accessing the HTML on the page (You know,
>> set the content of a Div tag or whatever) as well as calling Silverlight
>> methods from the HTML page using the [ScriptableMember] but I'd like to get
>> access to things like Page.User.Identity.IsAuthenticated.
>>
>> Is this possible?
>>
>> thanks,
>> Stephen
>> -------------------------------------------------------------------
>> OzSilverlight.com - to unsubscribe from this list, send a message back to
>> the list with 'unsubscribe' as the subject.
>> Powered by mailenable.com - List managed by www.readify.net
>>
>>
>> ______________________________________________________________________
>> This email has been scanned by the MessageLabs Email Security System.
>> For more information please visit http://www.messagelabs.com/email
>> ______________________________________________________________________
>
>
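
The server-side check discussed in this thread, sketched as an added example (not code posted by anyone on the list): an ASMX service in the same ASP.NET application as the page hosting the XAP, which takes the caller's identity only from the request the browser sent. `SessionInfoService`, `WhoAmI`, `GetMyOrders`, `SessionInfo` and the sample data are hypothetical names.

```csharp
using System.Collections.Generic;
using System.Security;
using System.Security.Principal;
using System.Web.Services;

// Hypothetical ASMX service living in the same ASP.NET application (same
// origin) as the page that hosts the XAP. All names here are illustrative.
[WebService(Namespace = "http://example.invalid/session")]
public class SessionInfoService : WebService
{
    // Constructed sample data standing in for a real per-user store.
    private static readonly Dictionary<string, string[]> Orders =
        new Dictionary<string, string[]>
        {
            { "alice", new[] { "A-1001", "A-1002" } },
            { "bob", new[] { "B-2001" } }
        };

    // Lets the Silverlight client ask "am I logged in?". The answer is for
    // display only; it is derived from the cookie or Authorization header
    // that ASP.NET validated on this request, never from client input.
    [WebMethod]
    public SessionInfo WhoAmI()
    {
        IPrincipal user = Context.User;
        bool ok = user != null && user.Identity.IsAuthenticated;
        return new SessionInfo { IsAuthenticated = ok, UserName = ok ? user.Identity.Name : null };
    }

    // Protected operation: takes no user name parameter, so a caller cannot
    // ask for someone else's data, and re-checks authentication on every call.
    [WebMethod]
    public string[] GetMyOrders()
    {
        IPrincipal user = Context.User;
        if (user == null || !user.Identity.IsAuthenticated)
            throw new SecurityException("Authentication required.");

        string[] result;
        return Orders.TryGetValue(user.Identity.Name, out result) ? result : new string[0];
    }
}

// Plain DTO serialized back to the client.
public class SessionInfo
{
    public bool IsAuthenticated { get; set; }
    public string UserName { get; set; }
}
```

A copy of the XAP hosted on another page gains nothing from `WhoAmI` returning true or false; what protects the data is the check inside `GetMyOrders`, which runs on the server for every request.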


