Business Apps Example for Silverlight 3 RTM and .NET RIA Services July Update: Part 3: Authentication


More updates on my Mix09 talk “building business applications with Silverlight 3”.


You can watch the original video of the full session.


The demo requires (all 100% free and always free):



  1. VS2008 SP1 (Which includes Sql Express 2008)

  2. Silverlight 3 RTM

  3. .NET RIA Services July ’09 Preview

Also, download the full demo files and check out the running application.


Today, we will talk about Authentication.


Business applications often access very important data.  It is important that you can audit, restrict and control access to your data.  Let’s look at how to use .NET RIA Services and SL3 to do that. 


Using the Silverlight Business Application Template, this is super easy to do. By default it is wired up to the ASP.NET authentication system, which offers a customizable user management system.


I’ll show using Forms Auth, you can of course use Windows Auth with only very small tweaks to the template. 




For this demo, I will show creating a new user, but if you already have a user base you can of course use that. 




Notice we get full validation here.  


And now, when we log in, the app knows who we are.




Notice all of this UX on the client is completely customizable as all the source code is right there in the project.  But the out of box experience is not bad for many apps. 


Now that we are logged in, let’s do something with that user data.  For example, let’s make it such that only logged in users can access the super employee data.  Edit the SuperEmployeeDomainService class on the server to add the RequiresAuthentication attribute.  There are other attributes for things like “in role” and there is a way to do this in code if you’d like. 



[RequiresAuthentication]
public IQueryable<SuperEmployee> GetSuperEmployees()

Now, when we run this app and we are not logged in we get no data.  Notice this validation is done on the client for a good UX and again on the server to ensure security. 
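The server-side half of that check, as an added example (not code from the original post and not the .NET RIA Services implementation): `DemoRequiresAuthenticationAttribute`, `DemoEmployeeService` and `DemoDispatcher` are hypothetical stand-ins, and the employee names are constructed. It shows a dispatcher refusing an attributed operation for an unauthenticated caller no matter what the client UI chose to display.

```csharp
using System;
using System.Linq;
using System.Reflection;
using System.Security.Principal;

// Local stand-in for the attribute's behaviour; NOT the .NET RIA Services type.
[AttributeUsage(AttributeTargets.Method)]
sealed class DemoRequiresAuthenticationAttribute : Attribute { }

class DemoEmployeeService
{
    [DemoRequiresAuthentication]
    public string[] GetSuperEmployees() => new[] { "Employee A", "Employee B" }; // constructed data

    public string GetServiceName() => "demo"; // unrestricted operation
}

static class DemoDispatcher
{
    // Server-side gate: runs on every call, whatever the client UI decided to show.
    public static object Invoke(object service, string operation, IPrincipal caller)
    {
        MethodInfo method = service.GetType().GetMethod(operation)
            ?? throw new MissingMethodException(operation);
        bool restricted = method
            .GetCustomAttributes(typeof(DemoRequiresAuthenticationAttribute), true).Any();
        bool authenticated = caller?.Identity != null && caller.Identity.IsAuthenticated;
        if (restricted && !authenticated)
            throw new UnauthorizedAccessException(operation + " requires an authenticated caller");
        return method.Invoke(service, null);
    }
}

static class Program
{
    static void Main()
    {
        var service = new DemoEmployeeService();
        // A GenericIdentity with an empty name reports IsAuthenticated == false.
        var anonymous = new GenericPrincipal(new GenericIdentity(""), new string[0]);
        var loggedIn = new GenericPrincipal(new GenericIdentity("alice"), new string[0]);

        var rows = (string[])DemoDispatcher.Invoke(service, "GetSuperEmployees", loggedIn);
        Console.WriteLine("logged in: " + rows.Length + " rows");
        try { DemoDispatcher.Invoke(service, "GetSuperEmployees", anonymous); }
        catch (UnauthorizedAccessException ex) { Console.WriteLine("denied: " + ex.Message); }
        Console.WriteLine(DemoDispatcher.Invoke(service, "GetServiceName", anonymous));
    }
}
```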




Then when we log in we get data!



Comments (25)

  1. Ashraf Nadi says:

    Hi Brad

    I want to know how I can display Arabic words in this example in right-to-left order. I tried to do this, but the order of the Arabic alphabet is from left to right.

    Thanks for these great posts.

  2. Michael says:

    Probably it is possible to improve the generated MyApp.Web.g.cs, as now it throws an exception in addition to attribute-based validation rules for "password".

  3. Hi Brad,

    I just wanted to warn you that your screenshot thumbnails link to file://C:/Users/brada/AppData/…

  4. Brad,

    This looks great. Looks like RIA Services is going in the right direction. I’m glad to see that it considers other aspects like security.

    I’ve seen the need to restrict access not only at a method level but also to some of the DataMembers (eg. you will have the same GetProduct method, but I want to send the cost only to Managers).

  5. Marc Ziss says:

    Brad,

    Excellent job on everything you guys pushed out in this; I think SL3+RIA represents a giant leap in app development.

    One question about authentication:

    I tried using the [RequiresAuthentication] decorator for the update and delete methods and found that although it did not execute the RIA CRUD; the fact that these options were not available to the user was not reflected in the UI. Is it possible to make the appropriate buttons in the dataform "pay attention" to what actions can be performed by the current user?

    Thanks to your whole team for making development fun again.

  6. BradA says:

    >> Probably it is possible to improve generated  MyApp.Web.g.cs  as now it  throws exception in addition to  attribute based validation rules for "password".

    Michael – we have been around this a few times, there is not an easy answer. But do check out David’s blog post on this: http://blog.davidyack.com/journal/2009/5/18/suppressing-validationexception-during-debugging.html

  7. Brad,

    I think that Exceptions for Validation errors is wrong. The exceptions should be raised for abnormal flows of the program, which setting an invalid password really isn’t. The fact that we have an object with a property with an invalid value is different than having this exception. The worst part is that these properties aren’t going to be used only by the views, but also through the ViewModels, other models or directly in CodeBehind (hopefully not), forcing us to write a bunch of unnecessary try/catch blocks.

  8. dsoltesz says:

    When using RIA Services July and Windows authentication, how do you get the

    RiaContext.Current.User.Roles populated from the domain/LDAP?

  9. dsoltesz says:

    Figured out what I was missing…need to make sure I specified the provider in my web.config

    defaultProvider="AspNetWindowsTokenRoleProvider"/>

    Full settings should be set under <system.web>

    <authentication mode="Windows"/>

    <roleManager enabled="true" defaultProvider="AspNetWindowsTokenRoleProvider"/>

  10. BradA says:

    Miguel Madero  – I hear your pain on exception.. In fact I wrote a book that covered the subject and I completely agree with you!

    http://www.amazon.com/Framework-Design-Guidelines-Conventions-Development/dp/0321246756

    All I can say is there were some implementation constraints that led us down this path in Silverlight 3, and we are looking hard at this area in Silverlight 4.

  11. Edward Johnson says:

    Trying to use RIAServices Library. Have to remove ria link from the Silverlight project.

    Now riacontext is undefined. What do I need to do?

  12. BradA says:

    Edward — yes, the RIA Link is required for codegen.. why did you have to remove it?

  13. Edward Johnson says:

    Reading (scanning really so that’s probably the problem) the July 2009 docs on RIA. Probably confused.

    On page 133 — it says the ‘Enable RIA Services’ option in the Silverlight library project has been enabled to create a RIA Link with the mid-tier class library. — Mine still has a link to the .Web and there is not one available for the service library.

    So on page 143 it says ‘The astute reader may have noticed …. the RIA Link was missing between Silverlight apps and Web App’

    On page 145 it says ‘… if your application involves multiple domain services or ….. consider using .NET RIA class libraries and remove the RIA Link between the client and Web application projects’

  14. Edward Johnson says:

    OK tried it again from scratch.

    Seems to have worked. What I did differently I can’t say, other than maybe I hadn’t added a domain service to the service.web library.

    Thanks anyway…I guess RTFM applies here.

  15. Richie Scott says:

    Brad,

    Like Edward, I would prefer to use the RIA .Net Set Class Libraries rather than having a link to the Web Application. I too do not get a RIAContext generated. Any chance you could update your example to show how authentication would work when using Class Libraries instead of having a RIA link to the Server Web application?

  16. BradA says:

    Richie — yes.. I am working on a class library example.

  17. richiescott says:

    In terms of modularity (Prism v2), I believe being able to support Authentication as part of a Service Class Library is a must.

    The problems I had were with regards the ContextType of the RiaContext not being set and as such was getting an Object Reference Not Set error.

    Thanks Brad I really appreciate it.

  18. Brad,

    To separate exceptions from validation errors, we are using an Attached Behaviour that will take the Binding object, and then check if the Source object has any validation errors registered for the Source property of the binding and, based on that, go to the appropriate state.

    In our case we have a dictionary of properties with a list of validation errors. That’s the list we’ll check to see if there’s any problem with the bindings.

    The other benefit, apart from not having to deal with Exceptions in the ViewModel or other code, is that we can defer some of the validations to run in the background when we click save, or even get errors from Server Side validations: we could send the object, get it back, update the DataContext and read a list of validation errors generated in the server.

    Of course this is just the strategy, and this option can vary from app to app, but the AttachedBehaviour gives us the option to plug in any strategy.

  19. Wow, a lot of words!!!  I’m wondering if there is a story around GetSuperEmployee(WithParameters)

    I always find the WithParameters is where it gets hard.  I currently use a query class that seems to get bigger and bigger, but then at least I don’t have 300 individual methods with different combinations of parameters I can never seem to remember.

    Thanks for writing all this

  20. Graham Stevenson says:

    Hi,

    Is there a way to catch the exception thrown by ‘RequiresAuthentication’ at the client end. Seems to me like we should just catch this and pop up a login box ??.

    Thanks

    Graham

  21. Jim Evans says:

    Hi –

    I don’t like the idea of an exception or showing a blank screen if authentication fails. Wouldn’t the best way to implement a scenario like this in a LOB application be to not show the menu option to get to the data until the user is authenticated?

    Just my 2 cents.

    Jim

  22. Henri says:

    I agree with Jim Evans. When no data is shown, it is unclear if it’s a bug or a ‘not authenticated’ state.

    I would prefer to hide the menu item

    Henri

  23. MarkShortt says:

    Brad, is there any way of refreshing the displayed page after the user logs in? e.g. to show unlogged in text and then different logged in text?

    Great tutorial series by the way

  24. MarkShortt says:

    Figured it out. Hooked into the AuthenticationService events for logged in and out. Copied them from the code behind for LoginControl.xaml

  25. Mylo says:

    Hi!

    I would add some custom properties to UserBase class; it works with "simple" types (string,int,DateTime,…), but it doesn’t work with custom types.

    "Code-generator" doesn’t create properties at client-side.