Jonas,

Correct, but it also depends at what level you're at and what you define as 
secret. In that if a user is authenticated and you have all the "forms" for 
example housed in the .XAP (which is fine), then before you accept and receive 
data between the client and server you need to sanitize it and ensure the user 
doesn't go rogue. It's something at times I've seen folks in both the Flash and 
Silverlight space overlook (as once they get through the security gate, it's 
assumed the user will not interfere with the client). It can be small things 
like switching parts of the UI on or off, and the more clues you give a 
malicious user, the more they have to work with in terms of figuring out what 
it is you have written and how you expect data to be sent back and forth.

It's more of a cautionary tip and I'd highly recommend folks (when it comes to 
Admin vs. Public) look into dynamically loading .XAP files or more to the point 
bring XAML in over the wire as well.

I've gotten loading of modules to work dynamically and should post some demo 
code around this, as it's quite cool to bring in .XAP files over the wire as 
needed. When you load a .XAP file, it stores it in local cache (i.e. not in 
memory) and then feeds from it when it needs it as well, so the tax isn't high. 
You also can do sniff tests to determine if an assembly is loaded or not and, if 
it isn't, go get it.

I've taken a framework I wrote in the early days of Flex and ported it over to 
Silverlight, (SynergyFlex = SynergyLight) :D and as we draw closer to 
Silverlight 2 ship dates I'll see if I can spare up some time to release it as 
a basic starter guide to some of these ideas.
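The server side of the pattern discussed in this message and in Jonas's reply quoted below (the client may ask "can I have access to X?" to decide what UI to show or which .XAP to load, but every data operation re-validates the caller, and client-supplied values are treated as untrusted input), as an added example that is not code from anyone on this thread. It assumes a WCF service hosted in ASP.NET with compatibility mode enabled so the forms-authentication principal is available through `Thread.CurrentPrincipal`; the `UserProfile` type, `IProfileRepository` and the `ProfileService` class are hypothetical names introduced for the example.

```csharp
// Added example, not code from the thread. Assumes ASP.NET-hosted WCF with
// compatibility mode on; UserProfile, IProfileRepository and ProfileService
// are hypothetical names. Constructor injection of the repository assumes a
// custom ServiceHostFactory/IInstanceProvider (the default host needs a
// parameterless constructor).
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.Text.RegularExpressions;
using System.Threading;

public class UserProfile
{
    public string UserName { get; set; }
    public string Email { get; set; }
}

public interface IProfileRepository
{
    IList<UserProfile> GetAll();
    UserProfile GetByUserName(string userName);
}

[ServiceContract]
public interface IProfileService
{
    // Advisory only: lets the client decide which parts of the UI to show or load.
    [OperationContract]
    bool CanIHaveAccessTo(string feature);

    // Sensitive: succeeds only for Admin, regardless of what the client was told earlier.
    [OperationContract]
    IList<UserProfile> ViewAllUsrProfiles();

    // Per-user data: identity comes from the authenticated session, never from a parameter.
    [OperationContract]
    UserProfile GetMyProfile();
}

[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class ProfileService : IProfileService
{
    // Feature-to-role mapping lives on the server only, so the XAP carries no more
    // information about the authorization model than the feature names themselves.
    private static readonly Dictionary<string, string> FeatureRoles =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "ViewAllUsrProfiles", "Admin" },
            { "EditOwnProfile", "User" },
        };

    // Feature names arriving from the client are untrusted input: accept only a
    // simple identifier shape before using them as a lookup key.
    private static readonly Regex FeatureName = new Regex(@"^[A-Za-z][A-Za-z0-9_]{0,63}$");

    private readonly IProfileRepository repository;

    public ProfileService(IProfileRepository repository)
    {
        this.repository = repository;
    }

    public bool CanIHaveAccessTo(string feature)
    {
        if (feature == null || !FeatureName.IsMatch(feature))
            return false;

        string role;
        return FeatureRoles.TryGetValue(feature, out role) && CurrentUser().IsInRole(role);
    }

    public IList<UserProfile> ViewAllUsrProfiles()
    {
        // Re-validate on every call. A tampered client can call this directly,
        // skipping the UI gate, so the earlier "true" answer counts for nothing here.
        RequireRole("Admin");
        return repository.GetAll();
    }

    public UserProfile GetMyProfile()
    {
        IPrincipal user = CurrentUser();
        if (!user.Identity.IsAuthenticated)
            throw new FaultException("Access denied.");
        // Key the lookup on the server-side identity so one user cannot read another's
        // profile by editing a client-supplied user name.
        return repository.GetByUserName(user.Identity.Name);
    }

    private static IPrincipal CurrentUser()
    {
        // With compatibility mode on, ASP.NET sets this to the forms-auth principal.
        // Fall back to an unauthenticated principal rather than a null reference.
        return Thread.CurrentPrincipal
            ?? new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
    }

    private static void RequireRole(string role)
    {
        IPrincipal user = CurrentUser();
        // One generic fault for "not logged in" and "wrong role": fewer clues for a
        // probing client; the detail belongs in the server log.
        if (!user.Identity.IsAuthenticated || !user.IsInRole(role))
            throw new FaultException("Access denied.");
    }
}
```

The point of keeping `CanIHaveAccessTo` advisory is that the client can use it freely for UI decisions (or for triggering a .XAP download) without the server ever depending on the answer: `ViewAllUsrProfiles` and `GetMyProfile` each derive their decision from the server-side principal on the current call.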



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jonas Follesø
Sent: Thursday, September 18, 2008 5:12 AM
To: [email protected]
Subject: Re: [OzSilverlight] A couple of questions

Scott,

On point 3, why would that matter? Even if you fake the response and "trick" 
your Silverlight app (which would be easy, just download the XAP, unzip it, and 
have it talk to a different end-point), your XAML shouldn't really contain any 
"secret" information anyway. Your users are not part of your markup, that's just 
data. That information should be sent to the user in an authenticated WCF 
call... So even if you manage to enable the "show all users" screen, your 
service should re-validate on the server side before giving you that data.

But there might be cases where what you describe makes a lot of sense. And 
partial loading of XAPs is quite interesting stuff - could be useful for 
things like composite Silverlight applications, where you download modules as 
needed.



On Thu, Sep 18, 2008 at 5:19 PM, Scott Barnes <[EMAIL PROTECTED]> wrote:

Hi Ross! (long time no speak) :)



1) You have a number of options; essentially the easiest way is to tap 
into the Windows Communication Foundation services and utilize this option. 
It's essentially sending data over the wire in XML format, and Silverlight has 
great hooks already built in to handle these types of requests. We're also 
looking to do more here to make things more seamless in upcoming versions. I 
can't say more than that, but it will get a lot easier in the long term.

2) That's the intent going forward. We see a great deal of positive power 
with using LINQ inside Silverlight and WPF. It's almost safe to say out loud to 
think of LINQ as your Data Passport between client and server. There will be 
more expansion on this in the future as well.

3) Security will remain similar to, if not the same as, ASP.NET today. 
The difference is on the client: you essentially need to architect in such a 
way that the initial "first ask" is defining whom the person is and what their 
session may look like. From there, it's a case of "CanIHaveAccessTo(args)" 
style security access (given you're in a non-Refresh situation - assuming this 
is a 100% Silverlight App by the way). Now, the danger here, if not architected 
correctly, is that you can fake the "true/false" responses, so the further piece 
to this is to maybe consider using XAML over the wire. In that "can I have 
access to ViewAllUsrProfiles? If the answer is true, you essentially trigger a 
.xap download or you load .XAML remotely, via an ASP.NET page (pushing the 
content). As this will also be a secondary check to make sure they did indeed 
have a positive response to the question."

4) Could you expand on the Binary Formatter? I.e. what do you have in mind?

5) We're working on smarter ways to go between Client and Server, but 
can't say much just yet on what that will look like. We're still actively 
planning features and so feel free to expand on what you're thinking here as 
I'm more than happy to walk this into the next planning meeting and discuss 
with the team.



P.S

I'll be back home in Brisbane (currently Belinda and I are living in Seattle) 
around XMAS time. So if you're still stuck around then, I'm sure we can 
find an E&Y event to meet up at and discuss in depth over a beer or two. Failing 
that, feel free to contact me offline to discuss in depth should the above not 
be enough (same goes for anyone on this list btw).



--

Scott Barnes
(Rich Platforms Product Manager)

Microsoft Corp. (http://www.microsoft.com/) | Blog: 
http://blogs.msdn.com/msmossyblog | Mobile: + 1 (425) 802-9503 (New!)

Twitter: twitter.com/mossyblog | MSN: [EMAIL PROTECTED]
Please consider your environmental responsibility before printing this e-mail







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ross McKinnon
Sent: Wednesday, September 17, 2008 7:20 PM

To: [email protected]
Subject: [OzSilverlight] A couple of questions



Hi all,



I am the CIO of Michael Hill Jeweller which is an international (US, Canada, 
New Zealand, Australia) jewellery retail chain whose global head office is 
based in Brisbane and we are in the process of replacing our global website. 
The executive here are very excited by the opportunities presented by 
silverlight and we will be developing the new site using this technology and 
are trying to release it as soon as possible.



I did have a couple of questions which I have posed to Microsoft, but they have 
been unable to answer. Most of them are directed towards my personally 
perceived weaknesses of Silverlight, and I was hoping that someone would be able 
to point out how they can be achieved. Hopefully our workarounds are not the 
suggested best practice.

1) What is the best way of persisting user identity through multiple 
silverlight pages?

2) It appears to me that LINQ to SQL entities seem to lose the ability to 
maintain state (i.e. know what has changed) after passing through a WCF call, and 
Silverlight treats them like a normal class. Is that the case and, if so, is that 
going to be changed?

3) What is the best practice for integrating security and sessions between 
ASP.NET / Silverlight / WCF?

4) Are there plans for a binary formatter in the silverlight framework?

5) I have been overlaying Silverlight pages over ASPX with master and content 
pages. The largest issue with that is being able to pass information between 
your master and content pages (easily achievable in ASPX). Are there any 
plans to implement a method to easily pass information between SL pages on the 
client (usually user-specific information), other than at creation of the page?

Thanks for any help in advance,

Ross.

18/9/2008   Ross McKinnon     [email protected]

This email and any attachments ("Email") are intended only for the addressee 
and may contain privileged, confidential and/or disclosure-exempt information. 
You must not edit this Email without our express consent. Michael Hill Jeweller 
(Australia) Pty Ltd does not warrant that this Email is complete, error-free or 
virus free, and by opening any attachments, you accept full responsibility for 
the consequences. If you are not the addressee, you must not disseminate, rely 
upon or copy this Email, and you must immediately erase permanently and destroy 
all records of it and notify us by phone (at our cost). Thank you.

-------------------------------------------------------------------
OzSilverlight.com - to unsubscribe from this list, send a message back to the 
list with 'unsubscribe' as the subject.
Powered by mailenable.com - List managed by www.readify.net