Share via

Silverlight Authorization Sample

  • Article

There have been a lot of questions recently about how to write authorization-enabled UI in Silverlight. We’ve always floated suggestions from the RIA Services team, but never put something concrete together. I decided to take some of those ideas and run with them. So today I’m excited to announce we’ve made an authorization sample available. The core functionality is located in a single Silverlight assembly so it’s easy to reuse. Please take a look and let me know what you think. I’m still actively developing this so I appreciate any and all feedback.

Authorization based dynamic UI and Navigation

This sample shows how to use client-side authorization to customize UI and authorize navigation through xaml markup. The main functionality is contained in a Silverlight library to make it portable and reusable. Included with this sample are guides that cover common scenarios to make client-side authorization easy to understand and implement.

[Security Note]
Authorization in Silverlight should only be used for Navigation and UI customization. For true security, you need to secure your data by adding authorization to your web services. These msdn links describe how this can be done using WCF RIA Services.

https://msdn.microsoft.com/en-us/library/ee707361(v=VS.91).aspx
https://msdn.microsoft.com/en-us/library/ee707357(v=VS.91).aspx

Comments

  • Anonymous
    May 24, 2010
    Kyle, Excellent code. Almost exactly what I need. Thanks One question for you: I have an application with many pages and each page has list of controls which RequireAuthorization must be linked with DB. DB structure somethin like this: AppID; PageID; ControlID; Role; So idea is to assign roles in run time. This will  control visibility/state of the GUI depending on user who is working with it. Why I need this? Because I want to change Control's group after application is deployed. Lets say today button Get report must be available for users Sales, tommorow they want to assign GetReport button to another people - managers. So instead of developing GUI with hard coded Roles like this <button ss: requiresRole="sales"/> I can do something like this: <button ss:requiresRole={Binding ValueFromDB}/> where ValueFromDB can be list of groups...U see what I mean? Pls advise. Vitaliy

  • Anonymous
    May 24, 2010
    I think that even binding will not do the trick here: <button ss:requiresRole={Binding ValueFromDB}/> as I will need to apply binding on the root container and it will not allow me to use another data bindings for the page.

  • Anonymous
    May 24, 2010
    Hi Kyle, Thanks for sharing this wonderful library. I have found an issue , If you go to the Page which Prompts you for credentials and after giving required credentials if user refreshes the page or enter the same URL in another browser tab you get this exception Value cannot be null. Parameter name: target It will be great help if you could re-share your updated library with the fix of this issue. Thanks, Shah

  • Anonymous
    May 30, 2010
    Hi Kyle , Any solution/fix for the above mentioned issue in Authorization library ? Thanks, Shah

  • Anonymous
    June 02, 2010
    When I try to unzip the zip file of the authorization sample available in the RIA Services code gallery it asks for a password for some of the files?  What would the password be?

  • Anonymous
    June 02, 2010
    Shah, good news is the update is uploaded. Bad news is that some of the files might be password protected. I'll look into it.

  • Anonymous
    June 02, 2010
    Also, with this update I've introduced some breaking changes. They're mostly in the extensibility hooks and I've updated the Authorization Sample 201 post accordingly. I'll do another post about extensibility later.

  • Anonymous
    June 02, 2010
    Vitaliy, your scenario is interesting and I've done something similar (permissions-based) that I'll post later. Take a look at extensibility using an AuthorizationRule. It allows you a lot of flexibility beyond what you can express in markup. The one warning I'll mention is that authorization is synchronous. That means you won't be able to access the database when you need to authorize. The major implication for your (and other) scenarios is that all the data required for authorization should be on the client before you attempt to authorize things. Ideally it will all be pulled down as part of the User data when the user logs on.

  • Anonymous
    July 05, 2010
    Hi Kyle, Can you give some sample code on how to use authorization with dynamic page loading from external xap, please?

  • Anonymous
    July 05, 2010
    @Carlos Feel free to email me and I can send you a site map sample I've been working on.

  • Anonymous
    September 14, 2010
    could you make a sample of manage user roles in Silverlight? I want the user 'admin' role can edit  the other user's roles;

  • Anonymous
    February 03, 2011
    The comment has been removed

  • Anonymous
    February 04, 2011
    @Oleg The types in S.CM.DataAnnotations are all duplicates of the types shipped in S.SM.DS.Server. I added them to these assemblies so they could be used in Silverlight (the Server assembly cannot be referenced from Silverlight). The implication is they could exist in the framework. If you look at this list (dotnet.uservoice.com/.../57026-wcf-ria-services), they're about half way down. That makes it a little difficult to know when they'd be prioritized for promotion into the framework. A strong push from the community might speed up the process a little, though.

  • Anonymous
    February 06, 2011
    Hi Kyle, Thanks a lot for your reply. I also cast my vote at the link you gave. Thanks again, Oleg

  • Anonymous
    February 07, 2011
    Hi Kyle, I have one other question. Let’s say I have a TextBox. The scenario I try to achieve is as follows: Role1 should be able to edit the text in it (TextBox visible, enabled, not read-only) Role2 should only have the ability to view the text but not edit it (TextBox visible and either disabled or read-only) Other roles should not even see the TextBox (not visible). Is this scenario achievable using the Authorization Sample model? What would I need to do to achieve this? Thank you, Oleg

  • Anonymous
    February 07, 2011
    @OlegNM I touched on it in this post (blogs.msdn.com/.../authorization-sample-305-permission-based-authorization-for-silverlight.aspx). It's definitely a possibility, but it takes a little more work on your end.

  • Anonymous
    April 21, 2012
    Thanks for the article.  I was creating something simular to this to use in Prism and the article helped steer me in the right direction.

  • Anonymous
    September 19, 2013
    Dear Kyle, I am trying to use the code, but didn't manage to log in. The busy indicator never ends... Please advise. I know this is old thing but being a nub to Silverlight I need to implement some kind of the functionality that your code provides.

  • Anonymous
    February 27, 2014
    Kyle, Great library and articles! I'm new to this and struggling with authentication and navigation. This provides a much cleaner solution. And I'm glad to learn that in addition to this, it's even more important to secure the services. Thanks for sharing!