Subscribe Now: Feed Icon

Subscribe in a reader

Wednesday, January 25, 2012

Silverlight Windows Authentication (the Prism way)

Note: this was done with Silverlight 5 and Prism 4

In the past month our team started a new project and after many discussions of how to build it right, decided to use the Prism framework (you an read more on Prism here). I was put in charge of providing a service (as in a Silverlight utility class) for Authentication and Authorization using Windows Authentication and Active Directory groups.

The way we handled that in our previous project was using the built in services in RIA services (the only use we had for RIA Services). But that implementation used:

  1. Code in the main Silverlight Application project (not in Class Library projects)
  2. Configuration in App.Xaml
  3. Configuration in web.config

So I tried for two days to create the code in a Silverlight Application project that is not the main project (not the one referenced in the ASPX page), with no success and many errors. I found many forum posts that claim it is possible but all the examples were either Forms Authentication or used the main Silverlight Application (like this one or this one). The main problem I found is the configuration that should be put in the App.Xaml:

  1. <Application.ApplicationLifetimeObjects>
  2.     <app:WebContext>
  3.         <app:WebContext.Authentication>
  4.             <appsvc:WindowsAuthentication/>
  5.         </app:WebContext.Authentication>
  6.     </app:WebContext>
  7. </Application.ApplicationLifetimeObjects>

The app preface is from the generated code that is generated in a Module Silverlight Application, but the App.Xaml is in the Main Silverlight Application and it just doesn’t work to use it outside of the project it was generated at. Adding App.xaml in the Module Silverlight Application won’t work either because Prism doesn’t call the App.Xaml of inner Modules (though having that Module run as it’s own main application does work).

 

In the end I decided to try to implement the RIA Authentication myself using WCF Services (me and my team leader have burned to much time on RIA by that point… and since we use it for just authentication it didn’t seem justified).

The WCF Services web site must be configured in IIS to use Windows Authentication. The code for the service is:

  1. [ServiceContract]
  2. public interface IAuthenticationService
  3. {
  4.     [OperationContract]
  5.     User GetUser();
  6. }
  1. [AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Allowed)]
  2. public class AuthenticationService : IAuthenticationService
  3. {
  4.     public User GetUser()
  5.     {
  6.         var result = new User { Name = OperationContext.Current.ServiceSecurityContext.WindowsIdentity.Name };
  7.         if (OperationContext.Current.ServiceSecurityContext.WindowsIdentity.Groups != null)
  8.         {
  9.             result.Groups = new List<string>();
  10.             foreach (var userGroup in OperationContext.Current.ServiceSecurityContext.WindowsIdentity.Groups)
  11.             {
  12.                 result.Groups.Add(userGroup.Translate(typeof(NTAccount)).Value);
  13.             }
  14.         }
  15.         return result;
  16.     }
  17. }

The user groups default values are in SID format so the code:

  1. userGroup.Translate(typeof(NTAccount)).Value

translate it to readable text.

User is defined as:

  1. [DataContract]
  2. public class User
  3. {
  4.     [DataMember]
  5.     public string Name { get; set; }
  6.  
  7.     [DataMember]
  8.     public IList<string> Groups { get; set; }
  9. }

Web.Config code:

  1. <configuration>
  2.   <system.web>
  3.     <compilation debug="true" targetFramework="4.0" />
  4.     <authentication mode="Windows" />
  5.   </system.web>
  6.   <system.serviceModel>
  7.     <behaviors>
  8.       <serviceBehaviors>
  9.         <behavior name="AllServicesBehavior">
  10.           <serviceMetadata httpGetEnabled="true" />
  11.           <serviceDebug includeExceptionDetailInFaults="true" />
  12.           <dataContractSerializer maxItemsInObjectGraph="2147483647" />
  13.         </behavior>
  14.         <behavior name="">
  15.           <serviceMetadata httpGetEnabled="true" />
  16.           <serviceDebug includeExceptionDetailInFaults="false" />
  17.         </behavior>
  18.       </serviceBehaviors>
  19.     </behaviors>
  20.     <bindings>
  21.       <customBinding>
  22.         <binding name="customBinaryEncodedBinding">
  23.           <binaryMessageEncoding/>
  24.           <httpTransport authenticationScheme="Negotiate"/>
  25.         </binding>
  26.       </customBinding>
  27.     </bindings>
  28.     <services>
  29.       <service behaviorConfiguration="AllServicesBehavior" name="DllShepherd.AuthenticationService">
  30.         <endpoint address="" binding="customBinding" bindingConfiguration="customBinaryEncodedBinding" contract="DllShepherd.IAuthenticationService"/>
  31.       </service>
  32.     </services>
  33.   </system.serviceModel>
  34. </configuration>

The important part is:

  1. <httpTransport authenticationScheme="Negotiate"/>

and:

  1. <authentication mode="Windows" />

that enables the authentication and binaryMessageEncoding for Silverlight.

 

In the Silverlight Services Class Library project (Services is part of the Prism terminology for client services, usually Singleton utility classes), add the service reference (I do this part usually in code) and consume it using usual Silverlight code:

  1. public string UserName { get; private set; }
  2.  
  3. public event EventHandler UserLoaded;
  4.  
  5. public void GetUser()
  6. {
  7.     Client.Begin("GetUser", GetUserCompleted, null, null);
  8. }
  9.  
  10. private void GetUserCompleted(object sender, ObjectClient<DllShepherd.IAuthenticationService>.ClientEventArgs e)
  11. {
  12.     Dispatcher.BeginInvoke(() =>
  13.     {
  14.         var result = e.LoadResult<User>();
  15.         UserName = result.Name;
  16.         AuthorizationService.Roles = result.Groups;
  17.         if (UserLoaded != null)
  18.             UserLoaded(this, null);
  19.     });
  20. }

AuthorizationService will later use the Groups to check if the user is authorized to view Modules, Views or data.

 

In the Prism way the Modules now know only the interface for this Silverlight service (the interface is in the Infrastructure project which everyone knows), which look something like:

  1. public interface IAuthenticationService
  2. {
  3.     #region EVENTS
  4.  
  5.     event EventHandler UserLoaded;
  6.  
  7.     #endregion
  8.  
  9.     #region METHODS
  10.  
  11.     void GetUser();
  12.  
  13.     #endregion
  14.  
  15.     string UserName { get; }
  16. }

But the implementation is only known by the Application (not the Modules which just use IAuthenticationService with a Prism Import) and there is no special code or configuration needed in the Application.

 

Resources:

Silverlight.Net Forum - Prism, RIA & Authentication (VS 2010)

Silverlight.Net Forum - PRISM 4 and RIA services

Prism for Silverlight/MEF in Easy Samples. Part 1 - Prism Modules (there are three parts)

Posted by Roy Dallal at 10:51 AM
Labels:
Subscribe to: Posts (Atom)