Prevent Reflection and Disassembly of Silverlight Class Library Code

Over the weekend, I began to think about how to better protect proprietary algorithms and other sensitive code in a Silverlight application, keeping the assembly away from prying, snooping eyes. I decided the best way would be to keep the code in memory and never have it committed to the hard drive. A little research and a little coding and badda bing (er, badda google?).

The solution turns out to be rather simple. You need four projects: the Silverlight app, the web app, the contract (interface) and the implementation Silverlight class libraries. The Silverlight app references the contract library which pulls it into the XAP. The implementation library references the contract library to implement the interface, of course. And the web app does its thing, supplying the XAP file to the browser and most importantly supplying the protected bits via a stream that presumably is protected by SSL, authentication and authorization mechanisms, items I've conveniently left out of this post and the sample code for brevity.

Start with the AppManifest.xaml (in Dinorythm.xap)
Note that the manifest contains only the Silverlight app and the contract class library along with the other assemblies required for the Silverlight Navigation Application (find what you need at Scott Guthrie's informative Silverlight 4 Released blog post).

<Deployment 
    xmlns="http://schemas.microsoft.com/client/2007/deployment" 
    xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" 
    EntryPointAssembly="Dinorythm" 
    EntryPointType="Dinorythm.App" 
    RuntimeVersion="4.0.50401.0">
  <Deployment.Parts>
    <AssemblyPart x:Name="Dinorythm" Source="Dinorythm.dll" />
    <AssemblyPart x:Name="DinoContracts" Source="DinoContracts.dll" />
    <AssemblyPart x:Name="System.ComponentModel.DataAnnotations" Source="System.ComponentModel.DataAnnotations.dll" />
    <AssemblyPart x:Name="System.ServiceModel.DomainServices.Client" Source="System.ServiceModel.DomainServices.Client.dll" />
    <AssemblyPart x:Name="System.ServiceModel.DomainServices.Client.Web" Source="System.ServiceModel.DomainServices.Client.Web.dll" />
    <AssemblyPart x:Name="System.ServiceModel.Web.Extensions" Source="System.ServiceModel.Web.Extensions.dll" />
    <AssemblyPart x:Name="System.Windows.Controls" Source="System.Windows.Controls.dll" />
    <AssemblyPart x:Name="System.Windows.Controls.Navigation" Source="System.Windows.Controls.Navigation.dll" />
  </Deployment.Parts>
</Deployment>

DinoContracts, a Silverlight 4 Class Library (in Dinorythm.xap)
Any nosy disassembler looking for the secret sauce code will get only the interface and perhaps a few domain classes, if you need them.

namespace DinoContracts
{
  public interface IMySecretCode
  {
    string DoSecretWork(string input);
  }
}

SecretAlgorithms, a Silverlight 4 Class Library (NOT in Dinorythm.xap)
This library has a project reference to DinoContracts and copies its output to the Dinorythm.Web/App_Data folder.

using DinoContracts;

namespace SecretAlgorithms
{
  public class MySecretCode : IMySecretCode
  {
    public string DoSecretWork(string input)
    {
      return "results of my secret code";
    }
  }
}

Dinorythm.Web, an ASP.NET MVC 2 project
Obviously this code is not production ready. You need some security here, but what you see here will get you the result you seek. Securing this action method might be a good topic for another blog post.

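using System.Web.Hosting;
using System.Web.Mvc;

namespace Dinorythm.Web.Controllers
{
  [HandleError]
  public class HomeController : Controller
  {
    //...other code removed for brevity

    // Streams the implementation assembly to the Silverlight client.
    // No authentication or authorization is applied here (see the note above).
    public FileContentResult Secret()
    {
      string ctype = "application/octet-stream";
      string fileName = "SecretAlgorithms.dll";
      byte[] dll = GetFile(fileName);
      return File(dll, ctype, fileName);
    }

    // Reads the named file from the web app's App_Data folder.
    byte[] GetFile(string fileName)
    {
      string path = HostingEnvironment.MapPath(@"~/App_Data/" + fileName);
      byte[] bytes = System.IO.File.ReadAllBytes(path);
      return bytes;
    }
  }
}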
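
One way to put the missing protections on the Secret action, as an added example rather than code from the original post or its download: it requires HTTPS and an authenticated user, serves only an allow-listed file, and marks the response no-store so the browser's HTTP cache does not write the DLL to disk. The ReadProtectedFile helper and the ProtectedFiles list are names introduced here.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;
using System.Web.Hosting;
using System.Web.Mvc;

namespace Dinorythm.Web.Controllers
{
  [HandleError]
  public class HomeController : Controller
  {
    // Fixed allow-list: the only files this action may ever return.
    static readonly HashSet<string> ProtectedFiles =
      new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "SecretAlgorithms.dll" };

    [RequireHttps]  // plain-HTTP GET requests are redirected to HTTPS
    [Authorize]     // anonymous callers are rejected before the file is read
    public ActionResult Secret()
    {
      byte[] dll = ReadProtectedFile("SecretAlgorithms.dll");
      if (dll == null)
        throw new HttpException(404, "Not found");

      // The design depends on the DLL never landing on the client's disk,
      // so tell the browser and any proxy not to cache or store the response.
      Response.Cache.SetCacheability(HttpCacheability.NoCache);
      Response.Cache.SetNoStore();

      return File(dll, "application/octet-stream");
    }

    // Returns the file's bytes, or null if the name is not allow-listed,
    // resolves outside App_Data, or does not exist.
    static byte[] ReadProtectedFile(string fileName)
    {
      if (!ProtectedFiles.Contains(fileName))
        return null;

      // Resolve inside App_Data and confirm the result did not escape it.
      string root = Path.GetFullPath(HostingEnvironment.MapPath("~/App_Data"));
      if (!root.EndsWith(Path.DirectorySeparatorChar.ToString()))
        root += Path.DirectorySeparatorChar;
      string path = Path.GetFullPath(Path.Combine(root, fileName));
      if (!path.StartsWith(root, StringComparison.OrdinalIgnoreCase))
        return null;

      // System.IO.File is fully qualified because Controller.File hides it here.
      return System.IO.File.Exists(path) ? System.IO.File.ReadAllBytes(path) : null;
    }
  }
}
```

An authenticated user still receives the assembly bytes, so this controls who can obtain the DLL, not what they can do with it afterwards.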

Dinorythm, a Silverlight 4 Navigation Application
This app has a project reference to DinoContracts but knows nothing about the SecretAlgorithms project. The secret code in this demo won't win any awards, but it might help you conceive of (and help me remember) how to get the job done with your real intellectual property.

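using System;
using System.Net;
using System.Reflection;
using System.Windows;
using System.Windows.Controls;
using System.Windows.Navigation;
using DinoContracts;

namespace Dinorythm
{
  public partial class About : Page
  {
    public About()
    {
      InitializeComponent();
    }

    // Executes when the user navigates to this page.
    protected override void OnNavigatedTo(NavigationEventArgs e)
    {
      // Download the implementation assembly from the web app's Home/Secret action.
      WebClient down = new WebClient();
      down.OpenReadCompleted += new OpenReadCompletedEventHandler(down_OpenReadCompleted);
      Uri location = new Uri(System.Windows.Application.Current.Host.Source, @"../Home/Secret");
      down.OpenReadAsync(location);
    }

    void down_OpenReadCompleted(object sender, OpenReadCompletedEventArgs e)
    {
      // e.Result throws if the download failed or was cancelled, so check first.
      if (e.Error != null || e.Cancelled)
      {
        this.ContentText.Text = "download failed";
        return;
      }

      // Load the assembly straight from the response stream and create the
      // implementation by name; only the interface is known at compile time.
      AssemblyPart part = new AssemblyPart();
      Assembly asm = part.Load(e.Result);
      IMySecretCode secret = (IMySecretCode)asm.CreateInstance("SecretAlgorithms.MySecretCode");

      if (secret != null)
        this.ContentText.Text = secret.DoSecretWork("help me");
      else
        this.ContentText.Text = "was null";
    }
  }
}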

Help credits go to Tim Heuer for some comparison with cached assemblies and to the practical help from a Silverlight Tip of the Day.

A Note About Security: I am not a self-proclaimed security expert. I'm sure there are ways to defeat this approach, but I suspect that doing so would be more trouble than it would be worth. But certainly this would be more efficient than simple or even complex obfuscation. Then again one could obfuscate and then dynamically download and instantiate in memory. That ought to really throw a would-be intellectual property thief for a real loop. (Also note, I've never tried obfuscation in a Silverlight class library, so perhaps it's not even possible. Hmm... Another research and blog topic.)

If you find this code useful, I'd love to hear from you. Download Dinorythm.zip (313.34 KB) here.

Silverlight 4 Enterprise Stack: WCF RIA Services, MVVM and MEF

The .NET technology map keeps expanding, but I have my eye on one particular continent, a little piece of the .NET 4 world I’m calling the Silverlight 4 Enterprise Stack. There seems to be focus coalescing on this important piece of technology real estate.

The Patterns & Practices team blog has a great post looking into the enterprise crystal ball. Be sure to check out their Prism (Composite Application Guidance) on CodePlex.

The primary pieces of the Silverlight 4 Enterprise Stack are:

Other supporting players in the stack are:

With the imminent release of these technologies on April 12, we the Enterprise Software rank and file have much to look forward to in terms of new toys to play with while delivering some amazing new user experiences in the enterprise world.

If you want to keep tabs on the Silverlight 4 Enterprise Stack, be sure to set your RSS reader to tap into these key bloggers:

For us enterprise software geeks, the year 2010 is shaping up to be a very good year!

Enterprise Silverlight 3 with WCF RIA Services on Windows Azure 1.0 Part 1 Redux

A month ago I posted the results of some experimentation with the preview bits of what was then called .NET RIA Services, Silverlight 3 and the Windows Azure with AspProvider sample code from the Azure July 2009 CTP. That was then and much has changed.

Windows Azure 1.0 and what is now called WCF RIA Services Beta have since been released. Lots of great changes make using these together with the new AspProvider sample in the “Additional C# Samples” download that some friendly readers shared with me. With Visual Studio 2008 SP1 and SQL Server 2008 (Express if you want) and these you’re set up to play.

WARNING: They were not lying about the WCF part when they renamed it. The default Domain Service channel is binary and they’re using Windows Activation Service (WAS). So make sure your Windows Features look something like this or you’re in for several hours of maddening error chasing.

[Image: advnew3]

After some review of the previous effort using the July 2009 CTP and RIA preview bits, I decided starting over was the best course of action. Here are the steps to nirvana:

  1. Create a new Silverlight Business Application called Adventure which produces Adventure.Web application as well.
  2. Add new CloudService project with WebRole called AdventureCloudService and WebRole1.
  3. Copy WebRole.cs to Adventure.Web and rename namespace.
  4. Add 3 azure refs to Adventure.Web.
  5. In the cloud service project file, replace WebRole1 with Adventure.Web and project guid with that from Adventure.Web. (There is probably a better way to do this.)
  6. The node under Roles in the cloud service project shows an error. Right click it and choose “associate” and pick Adventure.Web.
  7. Copy system.diagnostics section from WebRole1 web.config to that of Adventure.Web.
  8. Remove WebRole1 from solution and set service project as startup.
  9. Copy the new AspProviders project and sections from demo web.config into Adventure.Web, changing DefaultProviderApplicationName and applicationName="Adventure".
  10. Do the same previous steps to create/copy UserProfile class and IUserProfile with FriendlyName property too. Added to the Models directory this time. NOTE: Be sure to get the magic strings right in the UserProfile class or you will get unexpected results.
  11. Add Global.asax and AppInitializer class to it from previous project without the CreateTableFromModel calls which are no longer needed as I understand it.
  12. Drop in the code to create the admin user if it does not already exist.
  13. I go to modify LoginStatus.xaml, which was previously LoginControl.xaml, but find the needed modification is already there. Skip this step.
  14. Just hit F5 and an error is thrown.

After some lengthy research, I discovered a bug in the AspProvider's TableStorageRoleProvider.cs. When the RoleExists method is called and no roles have yet been created an exception is thrown.

AspProvider Fix Found
Replace e.InnerException in line 484 in TableStorageRoleProvider.cs with e.InnerException.InnerException. The first inner exception is another InvalidOperationException. The second inner exception is the DataServiceClientException we're looking for.

Login with admin/admin and we see Administrator displayed in the newly renamed LoginStatus area.

And we’re back to par. Download the code here (566KB).

Silverlight WCF RIA Services Beta Released

Silverlight WCF RIA Services Beta was released recently, replacing the preview bits I’ve been playing with. You can pick up the new beta here. I'm still using VS 2008 SP1, but I am using Windows 7, so I download directly from here.

WARNING! If you’re not on Windows 7 or Server 2008 R2, you’ll need the hotfix mentioned. If you're still on XP or Vista, let this be the final reason to upgrade and do it. You won't regret it.

I learned first about the beta release from Dan Abrams' blog post. Some coolness he mentions:

  • DataSources window. Drag and drop "tables" exposed by Domain Service onto the form.
  • Simplified error handling on client and server.
  • Data model inheritance flows through the Domain Service.
  • Presentation model hides DAL model with CRUD support.
  • Optimized binary channel by default.
  • Integrated into Silverlight 4 installer.
  • Handling of compositional hierarchy in data models.
  • GAC and bin deployment, with bin taking precedence.
  • Globalization support, user state and persisted sign in with updated Business Application Template.
  • Go-Live bits for .NET 3.5 SP1 and Silverlight 3.

Another item of note is the name change with the WCF moniker. RIA Services is now part of the WCF services family along with ADO.NET Data Services. This seems like a convergence of technologies in an enterprise ready set of tools and services that will bring Silverlight into the forefront of enterprise application development and delivery.

I'll be working on pulling these new bits together and getting my "Adventure" blog sample back on track with the new Azure SDK bits and these new WCF RIA Services bits. Given the plethora of changes, I'll likely start over with fresh new project templates and pull what little customized code might be needed from my previous blog post on the topic.

Building Enterprise Applications with Silverlight 3, .NET RIA Services and Windows Azure Part 1

After spending last weekend working on and blogging about Silverlight 3 and .NET RIA services, I decided I’d look to build out a membership, profile and role provider that would use Windows Azure storage. Much to my delight, I stumbled into the AspProvidersDemo code that comes with the Windows Azure SDK or perhaps the Visual Studio 2008 Tools for Azure.

No matter, you need them both to follow along with this post. If you have not already, you should look at my previous post and make sure you prepare your environment for Silverlight 3 in addition to signing up for your Azure account and installing the tools mentioned.

You can download the entire solution file (434KB) and skip to the momentous striking of your F5 key if you like. Or you can follow along here and blunder through this adventure as I did. (I recommend cheating now and downloading the code.)

Here are the step-by-step details. I’ll try to spare you the excruciating minutiae and keep it as exciting as possible.

I started by creating a standard Cloud Service application called MyFilesCloudService with a web role called WebFilesRole. I then added a Silverlight Business Application called Adventure. Unfortunately, this template does not allow you to select the web role application to host the Silverlight app.

I removed the Adventure.Web application and in the web role’s project properties added the Silverlight app in the Silverlight Application tab. (ERROR: This turned out to be a problem which I solved by adding a throwaway standard Silverlight app to the solution, selecting the WebFilesRole app as the host. I am still not certain why, but I’ll spare you the grisly details of experimentation with the web.config. If you haven’t already, this is a good place to stop and download the code.)

I copied the AspProviders and StorageClient projects from the Azure SDK demos folder into the solution directory and added them to the solution. I also copied the relevant sections from the web.config for the web role and the ServiceConfiguration.cscfg and ServiceDefinition.csdef files in the cloud service project.

I hit F5 for kicks and get (via Event Viewer) an event 3007, “A compilation error has occurred.” Upon further digging I realize that the profile provider is configured to inherit its ProfileBase from UserProfile. The class is in the demo’s web role. Steal that too. Here it is as added to the web role in my project:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Profile;
using System.Web.Security;

namespace WebFilesRole
{
   public class UserProfile : ProfileBase
   {
      public static UserProfile GetUserProfile(string username)
      {
         return Create(username) as UserProfile;
      }

      public static UserProfile GetUserProfile()
      {
         return Create(Membership.GetUser().UserName) as UserProfile;
      }


      [SettingsAllowAnonymous(false)]
      public string Country
      {
         get { return base["Country"] as string; }
         set { base["Country"] = value; }
      }

      [SettingsAllowAnonymous(false)]
      public string Gender
      {
         get { return base["Gender"] as string; }
         set { base["Gender"] = value; }
      }

      [SettingsAllowAnonymous(false)]
      public int Age
      {
         get { return (int)(base["Age"]); }
         set { base["Age"] = value; }
      }
   }
}

I boldly hit F5 again and get this gem:

Configuration Error
Initialization of data service structures (tables and/or blobs) failed!
The most probable reason for this is that the storage endpoints are not configured correctly.
Line 133: type="Microsoft.Samples.ServiceHosting.AspProviders.TableStorageSessionStateProvider"

A little searching and googling and I learn that I need to right-click on my cloud service application and select “Create Test Storage Tables.” I do it and bada-bing, I get this nice dialog and Output window text:

[Image: advent3]

DevTableGen : Generating database 'MyFilesCloudService'
DevTableGen : Generating table 'Roles' for type 'Microsoft.Samples.ServiceHosting.AspProviders.RoleRow'
DevTableGen : Generating table 'Sessions' for type 'Microsoft.Samples.ServiceHosting.AspProviders.SessionRow'
DevTableGen : Generating table 'Membership' for type 'Microsoft.Samples.ServiceHosting.AspProviders.MembershipRow'
===== Create test storage tables succeeded =====

Aha! I go examine my local SQL Server instance and sure enough, there’s a new DB called MyFilesCloudService with some interesting tables. You can take a look at your own when you’ve read far enough along here to learn to click that “Create Test Storage Tables” magic context menu item too.

So I experiment a little and create a couple of test tables like this:

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using Microsoft.Samples.ServiceHosting.StorageClient;

namespace WebFilesRole
{
   public class MyTestDataServiceContext : TableStorageDataServiceContext
   {
      // The property name "Roles" is the copy/paste mistake described below.
      public IQueryable<MyTestRow> Roles
      {
         get
         {
            return this.CreateQuery<MyTestRow>("MyTest");
         }
      }
   }

   public class MyTestRow : TableStorageEntity
   {
      public string MyTestName { get; set; }
   }
}

Note the nice and easy TableStorageEntity and its TableStorageDataServiceContext. Just don’t make the mistake I did and forget to name the property something unique. I tried Roles (yeah, a copy/paste error) and got a nasty message like this:

No table generated for property 'Roles' of class 'WebFilesRole.MyTestDataServiceContext' because the name matches (or differs only in case) from the name of a previously generated table

I add an AppInitializer class to make sure these tables get created in the cloud when run there. First, I add a bit of code to the Application_BeginRequest method in the Global.asax.cs (the one I just added but didn’t tell you about).

protected void Application_BeginRequest(object sender, EventArgs e)	
{	
   HttpApplication app = sender as HttpApplication;   
   if (app != null)   
   {   
      HttpContext context = app.Context;   
      AppInitializer.Initialize(context);   
   }   
}

I then add the initializer class at the bottom of that same code file.

internal static class AppInitializer
{
   static object lob = new object();
   static bool alreadyInitialized = false;
   public static void Initialize(HttpContext context)
   {
      if (alreadyInitialized) return;
      lock (lob)
      {
         if (alreadyInitialized) return;
         InitializeAppStartFirstRequest(context);
         alreadyInitialized = true;
      }
   }

   private static void InitializeAppStartFirstRequest(HttpContext context)
   {
      StorageAccountInfo account = StorageAccountInfo.GetDefaultTableStorageAccountFromConfiguration();
      TableStorage.CreateTablesFromModel(typeof(Microsoft.Samples.ServiceHosting.AspProviders.MembershipRow));
      TableStorage.CreateTablesFromModel(typeof(Microsoft.Samples.ServiceHosting.AspProviders.RoleRow));
      TableStorage.CreateTablesFromModel(typeof(Microsoft.Samples.ServiceHosting.AspProviders.SessionRow));
      TableStorage.CreateTablesFromModel(typeof(Room));
   }
}

I then add some test code into the Default.aspx.cs which I won’t bore you with here. You can look at it in the downloaded solution. I got a weird error with the session test, but after a reboot, it went away, so I’ll chalk that up to the development fabric being a CTP.

Now I want to get back to working Silverlight into the picture. I need to create an admin user for my test login, so I add some code to the AppInitializer class in the Global.asax.cs file like this:

MembershipUser user = Membership.GetUser("admin");
if (null == user)
{
   //create admin user
   MembershipCreateStatus status = MembershipCreateStatus.Success;
   Membership.CreateUser("admin", "admin", "admin@admin.com", "admin-admin", "admin", 
      true, Guid.NewGuid(), out status);

   //add admin user to admin role
   if (status == MembershipCreateStatus.Success)
   {
      if (!Roles.RoleExists("admin"))
      {
         Roles.CreateRole("admin");
      }
      Roles.AddUserToRole("admin", "admin");
   }

   //add profile data to admin user
   UserProfile profile = UserProfile.Create("admin") as UserProfile;
   profile.Age = 40;    //not my true age
   profile.Country = "US";
   profile.Gender = "M";
   profile.Save();
}
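
A variant of the seeding code above that does not hard-code the admin/admin credentials, shown as an added example and not taken from the original post or the Azure samples. The AdminSeeder class and the appSettings keys InitialAdminPassword and InitialAdminEmail are assumptions; UserProfile is the class shown earlier in this post.

```csharp
using System;
using System.Configuration;
using System.Web.Security;

namespace WebFilesRole
{
   // Hypothetical helper, called from AppInitializer in place of the inline block.
   internal static class AdminSeeder
   {
      const string AdminName = "admin";
      const string AdminRole = "admin";

      // Returns true only when a new admin account was created on this call.
      public static bool EnsureAdminUser()
      {
         if (Membership.GetUser(AdminName) != null)
            return false;   // already seeded

         // Assumed appSettings keys, set per deployment and kept out of source control.
         string password = ConfigurationManager.AppSettings["InitialAdminPassword"];
         string email = ConfigurationManager.AppSettings["InitialAdminEmail"];
         if (string.IsNullOrEmpty(password) || string.IsNullOrEmpty(email))
            return false;   // nothing supplied: create no admin rather than a default one

         // Random answer so the question/answer reset path cannot be guessed.
         string answer = Membership.GeneratePassword(24, 4);

         MembershipCreateStatus status;
         Membership.CreateUser(AdminName, password, email, "unused", answer,
            true, Guid.NewGuid(), out status);

         // A password the provider's policy rejects shows up here (e.g. InvalidPassword).
         if (status != MembershipCreateStatus.Success)
            throw new InvalidOperationException("Admin user was not created: " + status);

         if (!Roles.RoleExists(AdminRole))
            Roles.CreateRole(AdminRole);
         Roles.AddUserToRole(AdminName, AdminRole);

         // Profile data is written only after the account exists.
         UserProfile profile = UserProfile.GetUserProfile(AdminName);
         profile.Age = 40;
         profile.Country = "US";
         profile.Gender = "M";
         profile.Save();
         return true;
      }
   }
}
```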

I look at the UserProfile class and know that the DomainService’s User class needs the same properties in order for the Silverlight RiaContext to know about them. I discovered in the metadata code the following comments in the UpdateUser method of the System.Web.Ria.ApplicationServices.AuthenticationBase<T> base class used for the AuthenticationService domain service class:

// Remarks:
//     By default, the user is persisted to the System.Web.Profile.ProfileBase.
//     In writing the user to the profile, the provider copies each property in
//     T into the corresponding value in the profile. This behavior can be tailored
//     by marking specified properties with the System.Web.Ria.ApplicationServices.ProfileUsageAttribute.

I know now that I want the UserProfile and the User classes to have the same profile properties, so I add an interface above the UserProfile class like this:

public interface IUserProfile	
{	
   string Country { get; set; }   
   string Gender { get; set; }   
   int Age { get; set; }   
}

And then add the same properties found in UserProfile to the User class in the AuthenticationService.cs file as follows:

public class User : UserBase, IUserProfile   
{   
   // NOTE: Profile properties can be added for use in Silverlight application.   
   // To enable profiles, edit the appropriate section of web.config file.   
   
   // public string MyProfileProperty { get; set; }   
   
   public string Country { get; set; }   
   
   public string Gender { get; set; }   
   
   public int Age { get; set; }   
}

I try to run it and get the following error on the Silverlight app when I try to login using admin/admin: "The specified resource was not found." A little digging reveals that I need two things: first, some additions to the web.config file that I was missing, and second, the ServiceDefinition.csdef had to have its enableNativeCodeExecution set to true. Here are the pieces:

<!-- handlers and httpHandlers sections require the following additions -->
<handlers>
   <add name="DataService" verb="GET,POST" path="DataService.axd" type="System.Web.Ria.DataServiceFactory, System.Web.Ria, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>		
</handlers>

<httpHandlers>
   <add path="DataService.axd" verb="GET,POST" type="System.Web.Ria.DataServiceFactory, System.Web.Ria, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" validate="false"/>		
</httpHandlers>

<!-- the ServiceDefinition.csdef gets the enableNativeCodeExecution set to true -->
<WebRole name="WebFilesRole" enableNativeCodeExecution="true">

Once those changes were made, I was able to run the Silverlight application, login using admin/admin and logout. Now one more item on the agenda for this post. I want to see the profile information we added in the AppInitializer code. So I modify the LoginControl.xaml and LoginControl.xaml.cs as follows.

<StackPanel x:Name="logoutControls" Style="{StaticResource LoginPanelStyle}">
   <TextBlock Text="welcome " Style="{StaticResource WelcomeTextStyle}"/>
   <TextBlock Text="{Binding Path=User.Name}" Style="{StaticResource WelcomeTextStyle}"/>
      <TextBlock Text="  |  " Style="{StaticResource SpacerStyle}"/>
      <TextBlock Text="" x:Name="ProfileText" Style="{StaticResource WelcomeTextStyle}"/>
      <TextBlock Text="  |  " Style="{StaticResource SpacerStyle}"/>
   <Button x:Name="logoutButton" Content="logout" Click="LogoutButton_Click" Style="{StaticResource LoginRegisterLinkStyle}" />
</StackPanel>

With the code behind changed like this:

private void UpdateLoginState()	
{	
   if (RiaContext.Current.User.AuthenticationType == "Windows")   
   {   
      VisualStateManager.GoToState(this, "windowsAuth", true);   
   }   
   else //User.AuthenticationType == "Forms"   
   {   
      VisualStateManager.GoToState(this,    
         RiaContext.Current.User.IsAuthenticated ? "loggedIn" : "loggedOut", true);   
   
      if (RiaContext.Current.User.IsAuthenticated)   
      {   
         this.ProfileText.Text = string.Format("age:{0}, country:{1}, gender:{2}",    
            RiaContext.Current.User.Age,    
            RiaContext.Current.User.Country,    
            RiaContext.Current.User.Gender);   
      }   
   }
}

Now when I login, I get to look at something like this:

[Image: advent8]

Cool. In Part 2, I’ll modify the UserProfile to capture the data I want to keep in my Adventure application and complete the user registration changes to the Silverlight application as well as clean up and prepare the app for some real application development in follow-on posts.

If you have any questions or ways to do this better, I’d love to hear from you.

Silverlight 3 and .NET RIA Services Forms Security

I finally carved out some time to experiment with Silverlight 3 and .NET RIA Services over the weekend. Specifically I wanted to experiment with Forms security and how one might secure a Silverlight "page" as well as the services on the server side along with custom membership, role and profile providers. Here's the result.

Tools
Before you follow along on your own machine, be sure that you have these:

1. Visual Studio 2008 Pro (Visual Studio 2008 Professional Edition (90-day Trial))

2. Visual Studio 2008 SP1 (Microsoft Visual Studio 2008 Service Pack 1 (Installer))

3. Silverlight SDK (Microsoft® Silverlight™ 3 Tools for Visual Studio 2008 SP1)

4. RIA Services July 2009 Preview (Microsoft .NET RIA Services July 2009 Preview)

5. Download code for this post (download DemoAgRia.zip 427KB).

Once you have the tools installed, you can start a new Visual Studio project from the Silverlight projects types called Silverlight Business Application. Name yours whatever you like. I've chosen DemoAgRia.

The project template creates a Silverlight and ASP.NET Web Application project and populates them with a number of helpful artifacts to get us started. There are two DomainService classes, one for authentication and one for user registration. These services use the standard ASP.NET Membership, Role and Profile provider model.

You also get several "views" or Page and ChildWindow XAML controls with code-behind. These files are a familiar construct to any classic ASP.NET developer. Of course XAML is a whole new ballgame compared to the hodge podge of HTML. But rather than focus on these page and child window objects, I will focus this post on the security aspects of the app.

While the project template sets authentication to "Forms" based authentication there are no membership, role, or profile providers configured in the web.config. Since I'm going to create some custom providers in order to just experiment with the mechanics of security within the Silverlight and the web app, I'll just spin up some stub providers. Here's the web.config sections (including the "Forms" authentication node) for them:

<authentication mode="Forms"/>

<roleManager enabled="true" defaultProvider="AgRoleProvider">
  <providers>
    <clear />
    <add name="AgRoleProvider" type="DemoAgRia.Web.AgRoleProvider" />
  </providers>
</roleManager>
<membership defaultProvider="AgMembershipProvider">
  <providers>
    <clear />
    <add name="AgMembershipProvider" type="DemoAgRia.Web.AgMembershipProvider" />
  </providers>
</membership>
<profile enabled="true" defaultProvider="AgProfileProvider">
  <providers>
    <clear />
    <add name="AgProfileProvider" type="DemoAgRia.Web.AgProfileProvider" />
  </providers>
  <properties>
    <clear />
    <add name="PhoneNumber" />
    <add name="FullName" />
  </properties>
</profile>

Now I stub out the provider classes in the Providers folder of the web application. I won't post the code here because the implementation provides dumb data or place holders. Of course, a real set of providers, whether you use the AspSqlMembership provider or roll your own, will do real authentication and provide real role and profile access. The stub membership class will authenticate any username and password to allow us to just play with the happy path for now.

Note the custom properties I've added to the profile provider above. These require some custom code in two places. First, in the profile provider class and then in the User class found in the AuthenticationService.cs file. Here's the code for both:

in AgProfileProvider.cs:

public override SettingsPropertyValueCollection GetPropertyValues(SettingsContext context, 
  SettingsPropertyCollection collection)
{
  string userName = context["UserName"].ToString(); //use this to look up real values for user

  SettingsPropertyValueCollection s = new SettingsPropertyValueCollection();
  foreach (SettingsProperty p in collection)
  {
    if (p.Name == "PhoneNumber") s.Add(new SettingsPropertyValue(p) { PropertyValue = "508.555.1212" });
    if (p.Name == "FullName") s.Add(new SettingsPropertyValue(p) { PropertyValue = "Tyler Jensen" });
    //NOTE: replace with real lookups
  }
  return s;
}

in AuthenticationService.cs:

public class User : UserBase
{
  // NOTE: Profile properties can be added for use in Silverlight application.
  // To enable profiles, edit the appropriate section of web.config file.

  // public string MyProfileProperty { get; set; }
  public string FullName { get; set; }
  public string PhoneNumber { get; set; }
}

Now to use these new profile provider properties, let's modify some XAML in the LoginControl.xaml file so that rather than seeing the username of the logged in user, we'll see the FullName and the PhoneNumber.

Here's the existing XAML which we will modify:

<StackPanel x:Name="logoutControls" Style="{StaticResource LoginPanelStyle}">
  <TextBlock Text="welcome " Style="{StaticResource WelcomeTextStyle}"/>
  <TextBlock Text="{Binding Path=User.Name}" Style="{StaticResource WelcomeTextStyle}"/>
  <TextBlock Text="  |  " Style="{StaticResource SpacerStyle}"/>
  <Button x:Name="logoutButton" Content="logout" Click="LogoutButton_Click" Style="{StaticResource LoginRegisterLinkStyle}" />  
</StackPanel>

We now modify this XAML snippet to this:

<StackPanel x:Name="logoutControls" Style="{StaticResource LoginPanelStyle}">
  <TextBlock Text="welcome " Style="{StaticResource WelcomeTextStyle}"/>
  <TextBlock Text="{Binding Path=User.FullName}" Style="{StaticResource WelcomeTextStyle}"/>
  <TextBlock Text="  |  phone: " Style="{StaticResource SpacerStyle}"/>
  <TextBlock Text="{Binding Path=User.PhoneNumber}" Style="{StaticResource WelcomeTextStyle}"/>
  <TextBlock Text="  |  " Style="{StaticResource SpacerStyle}"/>
  <Button x:Name="logoutButton" Content="logout" Click="LogoutButton_Click" Style="{StaticResource LoginRegisterLinkStyle}" />
</StackPanel>

Now let's add a DomainService for fetching some data. Right click on the web application's Services folder and select Add | New Item.

Of course, we don't have a data or object context class, so we don't have any to choose from in the dialog.

Leave "Enable client access" checked. We want a proxy class to automatically be generated from our service class on the server side. Just click OK and let's create our own custom DomainService.

Now you'll see something like this:

 
namespace DemoAgRia.Web.Services
{
  using System;
  using System.Collections.Generic;
  using System.ComponentModel;
  using System.ComponentModel.DataAnnotations;
  using System.Linq;
  using System.Web.Ria;
  using System.Web.Ria.Data;
  using System.Web.DomainServices;


  // TODO: Create methods containing your application logic.
  [EnableClientAccess()]
  public class DemoDataService : DomainService
  {
  }
}

I'll put it into the root of the namespace by lopping off the ".Services" in the namespace declaration. This is just a convenience to me. You can do with it what you like.

Now let's add a couple of simplistic methods. Be sure to decorate them with the ServiceOperation attribute or the build process will not autogenerate the DemoDataContext class and proxy class in the Silverlight client app.

 
[EnableClientAccess()]
public class DemoDataService : DomainService
{
  [ServiceOperation]
  public string GetApplicationName()
  {
    return "Demo Ag Ria";
  }

  [ServiceOperation]
  public string GetApplicationAddress()
  {
    return "http://www.demoagria.com";
  }
}

To use the DemoDataService on the client, let's try the following code in the Home.xaml.cs file. Note the two additional using statements and take special note that all calls to the server are asynchronous:

 
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Windows;
using System.Windows.Controls;
using System.Windows.Documents;
using System.Windows.Input;
using System.Windows.Media;
using System.Windows.Media.Animation;
using System.Windows.Navigation;
using System.Windows.Shapes;
using System.Windows.Data;
using System.IO;
using DemoAgRia.Web;
using System.Windows.Ria.Data;

namespace DemoAgRia
{
  public partial class Home : Page
  {
    public Home()
    {
      InitializeComponent();
    }

    // Executes when the user navigates to this page.
    protected override void OnNavigatedTo(NavigationEventArgs e)
    {
      DemoDataContext ddc = new DemoDataContext();
      InvokeOperation<string> invAddress = ddc.GetApplicationAddress();
      invAddress.Completed += new EventHandler(invAddress_Completed);
      
      InvokeOperation<string> invAppName = ddc.GetApplicationName();
      invAppName.Completed += new EventHandler(invAppName_Completed);
    }

    void invAppName_Completed(object sender, EventArgs e)
    {
      InvokeOperation<string> op = sender as InvokeOperation<string>;
      string appName = op.Value;
      this.ContentText.Text += string.Format("{0}app name: {1}", Environment.NewLine, appName);
    }

    void invAddress_Completed(object sender, EventArgs e)
    {
      InvokeOperation<string> op = sender as InvokeOperation<string>;
      string address = op.Value;
      this.ContentText.Text += string.Format("{0}address: {1}", Environment.NewLine, address);
    }

  }
}

If you F5 and run a debug test, you'll note that the text in the Home page gets modified as expected.

Now let's add a RequiresAuthentication to the GetApplicationName method:

[ServiceOperation, RequiresAuthentication]
public string GetApplicationName()
{
  return "Demo Ag Ria";
}

Run the app again and you will notice that the Value property of GetApplicationName's InvokeOperation<string> object is null. Now log in, click the About page link and then go back to the Home page link. Note that the text has maintained its state. We're not clearing it, but this time we've added text which includes the app name.

Now try modifying the GetApplicationAddress method like this:

[ServiceOperation, RequiresRoles("Supervisor")]
public string GetApplicationAddress()
{
  return "http://www.demoagria.com";
}

Since the stubbed role provider gives your logged-in user the Admin and Analyst roles, you can run this and see that you are getting a null value for the operation. Now change the role to "Admin" and try the same thing. This time when you log in and come back to the Home page you'll see what we'd expect.
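What those two attributes amount to on the server, modeled as a small stand-alone console program (an added example, not code from the original post or from RIA Services itself). The attribute classes and the Dispatcher here are hypothetical stand-ins so the sample compiles on its own; returning null for a denied call is this model's way of mirroring the null Value seen on the client.

```csharp
using System;
using System.Linq;
using System.Reflection;
using System.Security.Principal;

// Hypothetical stand-ins for the RIA Services attributes, so this compiles alone.
class RequiresAuthenticationAttribute : Attribute { }
class RequiresRolesAttribute : Attribute
{
    public readonly string[] Roles;
    public RequiresRolesAttribute(params string[] roles) { Roles = roles; }
}

class DemoDataService
{
    [RequiresAuthentication]
    public string GetApplicationName() { return "Demo Ag Ria"; }
    [RequiresRoles("Supervisor")]
    public string GetApplicationAddress() { return "http://www.demoagria.com"; }
}

static class Dispatcher
{
    // Server-side gate: evaluated on every call, whatever the client UI allowed.
    public static string Invoke(object service, string method, IPrincipal user)
    {
        MethodInfo mi = service.GetType().GetMethod(method);
        bool needsAuth = mi.IsDefined(typeof(RequiresAuthenticationAttribute), false);
        string[] roles = mi.GetCustomAttributes(typeof(RequiresRolesAttribute), false)
            .Cast<RequiresRolesAttribute>().SelectMany(a => a.Roles).ToArray();
        // A role requirement implies authentication; a denied call yields null here.
        if ((needsAuth || roles.Length > 0) && !user.Identity.IsAuthenticated) return null;
        // In this model any one of the listed roles is enough.
        if (roles.Length > 0 && !roles.Any(r => user.IsInRole(r))) return null;
        return (string)mi.Invoke(service, null);
    }
}

static class Program
{
    static void Main()
    {
        var svc = new DemoDataService();
        // Constructed principals: an anonymous caller and the stubbed Admin/Analyst user.
        IPrincipal anon = new GenericPrincipal(new GenericIdentity(""), new string[0]);
        IPrincipal user = new GenericPrincipal(new GenericIdentity("demo"), new[] { "Admin", "Analyst" });
        foreach (var p in new[] { anon, user })
            foreach (var m in new[] { "GetApplicationName", "GetApplicationAddress" })
                Console.WriteLine("auth={0} {1}: {2}", p.Identity.IsAuthenticated, m,
                    Dispatcher.Invoke(svc, m, p) ?? "(null)");
    }
}
```

Changing "Supervisor" to "Admin" makes the last call return the address, matching the behaviour described above. The check lives with the service, so it holds no matter what the Silverlight client decides to show.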

Getting this far was almost enough fun, but then I wondered how I would prevent a user from navigating to a specific Silverlight page if they were not authenticated. There are probably better ways, but here's the solution I arrived at after a little fiddling.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Windows;
using System.Windows.Controls;
using System.Windows.Documents;
using System.Windows.Input;
using System.Windows.Media;
using System.Windows.Media.Animation;
using System.Windows.Shapes;
using System.Windows.Navigation;

namespace DemoAgRia
{
  public class PageSecurity
  {
    private Page page;
    private string url;

    public PageSecurity(Page page)
    {
      this.page = page;
    }

    public void Authenticate()
    {
      Authenticate(null);
    }

    public void Authenticate(string url)
    {
      this.url = url;
      if (!RiaContext.Current.User.IsAuthenticated)
      {
        ErrorWindow ew = new ErrorWindow("You must be logged in to view this page.", 
          "Using this page is not allowed unless you are logged in.");
        ew.Title = "Authentication Required";
        ew.IntroductoryText.Text = "Not Authenticated";
        ew.LabelText.Text = "Message";
        ew.Closed += new EventHandler(ew_Closed);
        ew.Show();
      }
    }

    void ew_Closed(object sender, EventArgs e)
    {
      if (null == url)
        this.page.NavigationService.GoBack();
      else
      {
        if (!url.StartsWith("/")) url = "/" + url;
        try
        {
          this.page.NavigationService.Navigate(new Uri(url, UriKind.Relative));
        }
        catch
        {
          this.page.NavigationService.GoBack(); 
        }
      }
    }
  }
}

To test this code, I've added the following to About.xaml.cs to see how it plays.

protected override void OnNavigatedTo(NavigationEventArgs e)
{
  PageSecurity ps = new PageSecurity(this);
  ps.Authenticate("Home");
}

Now all you have to do is download the code and you've got a head start on Silverlight and .NET RIA Services security. Let me know if you find any exciting improvements or alternatives.