How to ensure that authentic Silverlight clients call my Azure services

How can I be sure that only our Silverlight applications call our Azure services?

The Silverlight client would need to authenticate the user and have the correct permissions to complete the action, but I did not know how application authentication is typically applied to these Azure service calls. I know that you can sign an application (necessary for client updates). Is this compatible with SSL connections? Should I use a client certificate?

What are some common approaches to this problem?

+4
4 answers

You can put data inside your message headers. You can do this in the SOAP header when using SOAP or in the HTTP header when using REST. Then, when you do this, you can use the secure SSL channel for communication so that people cannot sniff out your packets.

http://blogs.msdn.com/b/nathana/archive/2007/05/29/custom-soap-headers-wcf-and-asmx.aspx

When you use the RIA service and want to add data to the HTTP header, see my blog:

http://strugglesofacoder.blogspot.com/2011/02/normal-0-21-false-false-false-nl-be-x.html

+2

Silverlight cannot identify itself to the service, and even if it does, a small tool called Fiddler will reveal all this information to anyone who wants to use your services.

You should not assume anything about the client. Your services should check incoming requests without trying to determine who/what the client is.

I hope that someone has a solution, because I have not found it yet, and I would like to protect my services so that only Silverlight can make requests.

+1

You can do this using the Access Control Service (ACS); there is a good example in the code written by someone from the ACS team:

http://acs.codeplex.com/wikipage?title=ACS%20Windows%20Phone%20Sample&referringTitle=Samples

Although it is a Windows Phone 7 client (which is also Silverlight), I think you can separate out what you need from it.

0

Silverlight is a tricky beast when it comes to ACS integration. It seems that writing headers from Silverlight to pass authentication information is very difficult: there is no easy way to intercept calls and wrap them with an auth header in Silverlight, as you could in an ASP.NET application.

You can use ACS to obtain identifying information in Silverlight using an approach similar to this example: http://channel9.msdn.com/Events/MIX/MIX10/SVC01

What I ended up with is passing a unique identifier claim in the SWT token, signed with a key known to both Silverlight and the web service, and having the web service verify that this user has access. By placing a unique identifier in the signed SWT token (with a very short expiration time) to reduce attacks where people copy a valid request and send it later, I could more confidently believe that the request really came from my Silverlight application.

To pass the token, I simply created a class containing all the parameters that I want to pass (so I did not need to rewrite the definitions of the functions), including the SWT token.

Hope this helps.

0
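The scheme in the last answer (a unique identifier claim inside a short-lived SWT token, signed with a key shared by the client and the service, and checked on the server) as an added Python example that is not part of the original thread. The shared key, the claim names and the `RequestId` nonce are assumptions; the SWT layout (form-encoded claims, `ExpiresOn` in Unix seconds, a trailing URL-encoded base64 `HMACSHA256` field) follows the public SWT format.

```python
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, quote, unquote, urlencode

# Constructed demo key; a real deployment provisions this out of band.
SHARED_KEY = b"demo-shared-secret-not-for-production"


def _sign(key: bytes, unsigned: str) -> bytes:
    # SWT signs the form-encoded string that precedes "&HMACSHA256=".
    return base64.b64encode(hmac.new(key, unsigned.encode(), hashlib.sha256).digest())


def issue_swt(key: bytes, claims: dict, lifetime_s: int, now=None) -> str:
    """Client side: build a signed SWT carrying the caller's claims plus an
    expiry and a random RequestId that the service uses as a replay nonce."""
    now = int(time.time()) if now is None else now
    body = dict(claims)
    body["ExpiresOn"] = str(now + lifetime_s)
    body["RequestId"] = secrets.token_hex(16)  # assumed claim name, one per request
    unsigned = urlencode(body)
    return unsigned + "&HMACSHA256=" + quote(_sign(key, unsigned).decode(), safe="")


def verify_swt(key: bytes, token: str, seen_ids: set, now=None):
    """Service side: return the claims only if the signature matches, the token
    has not expired and its RequestId has not been accepted before. seen_ids is
    the server's store of accepted nonces (an in-memory set here)."""
    now = int(time.time()) if now is None else now
    unsigned, sep, sig_part = token.rpartition("&HMACSHA256=")
    if not sep:
        return None
    if not hmac.compare_digest(unquote(sig_part).encode(), _sign(key, unsigned)):
        return None
    claims = {k: v[0] for k, v in parse_qs(unsigned, keep_blank_values=True).items()}
    try:
        if int(claims["ExpiresOn"]) <= now:
            return None
    except (KeyError, ValueError):
        return None
    rid = claims.get("RequestId")
    if not rid or rid in seen_ids:
        return None
    seen_ids.add(rid)
    return claims
```

As the second answer points out, a key embedded in a distributed Silverlight client can be recovered with a proxy like Fiddler, so this check proves possession of the key and limits replay; it does not prove that the caller is the genuine application. Expired nonces can be evicted from the store once `ExpiresOn` has passed, since such tokens are rejected anyway.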

Source: https://habr.com/ru/post/1344544/
