Subject: .asmx web service security question
Frauke

Posts:4

04/15/2011 6:16 AM  
I'm just starting to learn Silverlight in conjunction with DNN, so this is a bit of a newbie question, I'm afraid :)

I've developed DNN modules before where I had to implement standard CRUD operations, which are perfectly secure AFAIK. But now I need to write a module that needs a Silverlight UI...

First of all, many thanks to you, Michael, for providing all this great info on SL in DNN modules, it's been a great help! I've seen in one of your previous forum posts that .asmx services are perfectly OK for communication between SL and DNN, but looking at .asmx web services info on the web it almost looks as if anybody who knows where the file is can access the methods therein? Not something I'd want, especially with insert operations :)

I'm sure I must be missing something obvious here, as I can't imagine such a huge security hole actually existing. If anybody can enlighten me as to what I need to do to make sure the web service methods in my DNN installation can only be accessed by my .xap file, I'd be very grateful!

Thanks in advance!

Frauke
Michael Washington (admin)

Posts:202


04/15/2011 7:02 AM  
Frauke, your question is perfectly understandable. I went through the EXACT SAME THING :) :)
Look at this tutorial:

http://dnnsilverlight.adefwebserver.com/Silverlight30/Silverlight3HelloWorld/tabid/79/Default.aspx

It comes down to one line:

UserInfo objUserInfo = UserController.GetCurrentUserInfo();

What this is, is a DotNetNuke "wrapper" around the "httpContext" object. All web requests, including Silverlight requests to a DotNetNuke web service have HttpContext. Inside that Context is your "authentication token".

So when you call "UserController.GetCurrentUserInfo()" in a web service, it is able to check to see if you have been authenticated by the asp.net website that is hosting the web service.
Michael Washington (admin)

Posts:202


04/15/2011 7:09 AM  
One more thing, you cannot "only allow calls from MY .xap file". What you CAN do is have your web service respond to calls that contain a valid "authentication token" in the HTTPContext.

You will notice that on all the examples on this site, that have security, I require you to log into DotNetNuke, THEN I give you the Silverlight application.

What you will find interesting when I create my LightSwitch and DotNetNuke tutorials, is that LightSwitch actually allows you to log in through the Silverlight client. However, in the background all it is doing is obtaining a Windows Forms Authentication Token and adding that authentication token to the HTTPContext.

However, it creates this odd situation where you are not logged into DotNetNuke and you are looking at a Silverlight application running inside DotNetNuke. You log into the Silverlight application, and then if you click on a link in the DotNetNuke site (to get it to refresh and do a post back), you discover that you are now logged into DotNetNuke.
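The server-side check described in the replies above, as an added example that is not part of the original posts or of the site's tutorials. Only UserController.GetCurrentUserInfo() comes from the thread; the service name, method name, role name and in-memory store are hypothetical, and the role check goes one step beyond the thread (authentication only) to show authorization on the same UserInfo object.

```csharp
using System;
using System.Collections.Generic;
using System.Web.Services;
using DotNetNuke.Entities.Users;

// Code-behind for a hypothetical NotesService.asmx hosted inside the DotNetNuke site.
[WebService(Namespace = "http://example.invalid/")]
[WebServiceBinding(ConformsTo = WsiProfiles.BasicProfile1_1)]
public class NotesService : WebService
{
    private const string EditorRole = "Note Editors";   // assumed role name
    private static readonly List<string> Store = new List<string>(); // stand-in for the module's data layer

    [WebMethod]
    public int InsertNote(string text)
    {
        // Identity is taken from the request's authentication token on the server.
        // The method deliberately has no userId parameter: a caller-supplied id
        // could be set to anything by whoever sends the request.
        UserInfo user = RequireUser(EditorRole);

        if (string.IsNullOrEmpty(text) || text.Length > 2000)
            throw new ArgumentException("Note text is empty or too long.");

        lock (Store)
        {
            Store.Add(user.UserID + ":" + text);
            return Store.Count;
        }
    }

    // Rejects requests that carry no valid DotNetNuke login, then checks the role.
    private static UserInfo RequireUser(string role)
    {
        UserInfo user = UserController.GetCurrentUserInfo();

        // For an anonymous request DotNetNuke returns an empty UserInfo (UserID -1).
        if (user == null || user.UserID < 0)
            throw new UnauthorizedAccessException("Login required.");

        if (!user.IsSuperUser && !user.IsInRole(role))
            throw new UnauthorizedAccessException("Not permitted.");

        return user;
    }
}
```

A request sent straight to the .asmx URL without the site's login cookie fails in RequireUser before any data is touched; ASMX returns the exception to the caller as a SOAP fault.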
Frauke

Posts:4

04/16/2011 9:01 AM  
Thanks for your quick reply, that info was really helpful! Looking forward to seeing your LightSwitch tutorial... :)