On the note of security, I had a look at PrincipalPermission, an
attribute you can set on your domain service methods to check if the
user is in a particular role and throw a security exception if they are
not.

What I also need to check is if the user has permission to access a
particular job (each user selects a job they are working on). I'm
wondering on the best approach to do this check. If I was to customise
the user object and add a current job id to it, which then via a
custom PrincipalPermission class checks the current job id as well as
the role? Alternatively use the jobId from the URL? There doesn't seem
to be a way to pass parameters to attributes, but putting the info
into the user object, would it then be available on the server? (Plan
to investigate this tomorrow.)
Does this then mean we're trusting the client? (Thou shalt not trust
thy client.)
Alternatively we pass in the job id with every domain service call and
do a security check in each method before proceeding with processing.
I'm assuming it would be possible to fake the job id in the user
object or on the URL and the only way to really check the right jobId
would be to use the one passed to the method, and have that be the one
that's being processed.

Thanks for the post.

cheers,
Stephen
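
As an added example (not code from this thread, nor from WCF RIA Services itself), here is the "check in each method" approach in C#: a domain service that applies RIA Services' role attribute and then verifies, against server-held data, that the authenticated user is assigned to the jobId the method actually received. Job, JobRepository and the assignment table are hypothetical, with constructed sample data.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Linq;
using System.ServiceModel.DomainServices.Hosting;
using System.ServiceModel.DomainServices.Server;

public class Job
{
    [Key] public int Id { get; set; }
}

// Hypothetical server-side store with constructed sample data in place of a database.
public class JobRepository
{
    public readonly List<Job> Jobs = new List<Job> { new Job { Id = 1 }, new Job { Id = 2 } };

    // "user:jobId" pairs held on the server: the only source of truth for who may work on which job.
    private readonly HashSet<string> _assignments = new HashSet<string> { "alice:1", "bob:2" };

    public bool IsUserAssignedToJob(string userName, int jobId)
    {
        return _assignments.Contains(userName + ":" + jobId);
    }
}

[EnableClientAccess]
public class JobDomainService : DomainService
{
    private readonly JobRepository _repo = new JobRepository();

    // RequiresRole rejects the call before the body runs if the caller is not in the role;
    // the per-job check then uses the jobId the caller passed to this very method.
    [RequiresRole("Worker")]
    public IQueryable<Job> GetJob(int jobId)
    {
        EnsureCurrentUserMayAccess(jobId);
        return _repo.Jobs.Where(j => j.Id == jobId).AsQueryable();
    }

    // Identity comes from the server-side principal RIA Services built from the auth cookie,
    // the assignment from the server's own store: a job id the client put in the user object
    // or the URL never takes part in the decision.
    private void EnsureCurrentUserMayAccess(int jobId)
    {
        var identity = ServiceContext.User.Identity;
        if (!identity.IsAuthenticated || !_repo.IsUserAssignedToJob(identity.Name, jobId))
            throw new UnauthorizedAccessException("User is not assigned to job " + jobId);
    }
}
```

Because the assignment lookup happens inside the method, a forged job id in the user object or query string only ever reaches this check as the jobId argument, where it is rejected unless the server's own records say the caller is assigned to it.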

On Mon, May 16, 2011 at 9:19 AM, David Burela <[email protected]> wrote:
> Talking of deep linking, that is what we are trying to tackle next.
> We've stopped all of the different entry points (as it all goes through the
> NavigationFramework with the auth checking).
>
> But what we want to do is:
>
> User gets a deeplink URL in their email to a specific page (with some query
> params in the query string)
> The navigation framework jumps up and says "whoa you aren't authorised", and
> redirects to the login screen
> After logging in, they are redirected to the original page they were trying
> to access from the email link
>
> At the moment we've got the pages secured and the user redirected to the
> login screen. We just need to figure out how to send them on to the page
> they originally requested.
> -David Burela
>
> On 16 May 2011 11:15, Scott Barnes <[email protected]> wrote:
>>
>> lol :)
>> Sorry, I'll pack up my paint brushes and drive my VW Beetle car back to
>> my SoHo cafe and sip lattes wearing a French beret.
>> From memory WCF RIA Services team owns the Navigation framework so all
>> rounds will point to them for this kind of thing when it comes to SL.
>> ---
>> Regards,
>> Scott Barnes
>> http://www.riagenic.com
>>
>>
>> On Mon, May 16, 2011 at 11:11 AM, Jordan Knight <[email protected]> wrote:
>>>
>>> Pipe down designer boy :p j/k
>>> WCF RIA Services also has a cool auth bit in it.
>>>
>>> Cheers,
>>> Jordan.
>>> On 16/05/2011, at 11:02 AM, Scott Barnes <[email protected]> wrote:
>>>
>>> Now for your next trip (hehehe) is to handle transition + bookmarking
>>> that accommodates security authentication. The overall problem with Deep Linking
>>> as a concept is that there is a series of entry points that need to be
>>> upheld, but also guiding the user through this (kind of like a fast-forward
>>> button like experience) is what often gets lost. A website by itself is
>>> different as it's somewhat flat and document centric. Dynamic content plays
>>> by a different set of rules...
>>> I mention this as I remember listening to why MTV moved from 100% Flash
>>> to hybrid and later to inverse hybrid, and a lot of what was found was due to
>>> the site being top-heavy but also the deep linking model was somewhat broken
>>> because it was the small subtle XP points that got lost along the way.
>>> That being said, check out Mach-II for ColdFusion, David; it's something
>>> you could also draw some inspiration from around
>>> filter/plugin/listener marshaling using an XML structure like the one you've
>>> outlined.
>>> ---
>>> Regards,
>>> Scott Barnes
>>> http://www.riagenic.com
>>>
>>>
>>> On Mon, May 16, 2011 at 10:54 AM, David Burela <[email protected]>
>>> wrote:
>>>>
>>>> I found a way to easily secure any Silverlight application (that is
>>>> using the Navigation framework), and thought I would share it with the
>>>> list.
>>>> To secure your application you only need to put around 15 lines of XAML
>>>> into MainPage.xaml.
>>>> The syntax is similar to the page authorisation config in an ASP.NET
>>>> application:
>>>> <authLoader:NavigationAuthRule Uri="/Views/CustomerPage.xaml">
>>>>     <authLoader:Deny Users="?" />
>>>>     <authLoader:Allow Users="*" />
>>>> </authLoader:NavigationAuthRule>
>>>>
>>>> http://www.davidpoll.com/2010/01/01/opening-up-silverlight-4-navigation-authenticationauthorization-in-an-inavigationcontentloader/
>>>> There are two controls:
>>>> AuthContentLoader will check that the user is allowed to access the
>>>> page. If they aren't, then an UnauthorizedAccessException is thrown.
>>>> To catch this, the AuthContentLoader control is wrapped in an
>>>> ErrorPageLoader control. This is configured to catch the Unauthorized
>>>> exception and can redirect to a login screen.
>>>> Hope it helps someone.
>>>> -David Burela
>>>> _______________________________________________
>>>> ozsilverlight mailing list
>>>> [email protected]
>>>> http://prdlxvm0001.codify.net/mailman/listinfo/ozsilverlight
>>>>
>>>
>>
>>
>
>