Authorization Sample 201

The attached properties described in Authorization 101 will get you going. It may even be a long time before you need more. If you find yourself chafing at the limits, though, then this section is for you. It works through some of the first customization steps most applications will find useful.

Custom Authorization

Authorization is implemented using AuthorizationAttributes. If you’ve used ValidationAttributes in Silverlight, this approach should feel familiar to you. Custom authorization can be added by simply extending the AuthorizationAttribute and implementing the IsAuthorized method. These attributes can then be applied to a navigation Page or any other type where authorization would be useful.

In addition to attribute-based authorization, rule-based authorization is also available for convenient use in XAML. To implement rule-based authorization, you will need to create a new class that derives from AuthorizationRule and override the GetAuthorizationAttributes method.

  public class CustomAuthorizationRule : AuthorizationRule
  {
      // Supplies the authorization attributes evaluated for the target.
      public override IEnumerable<AuthorizationAttribute> GetAuthorizationAttributes(object target)
      {
          return new[] { new CustomAuthorizationAttribute() };
      }
  }
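The rule above returns a CustomAuthorizationAttribute that the page never shows. As an added example (not code from the sample or the library), here is one way to write it as a deny-by-default permission check. Assumptions: IsAuthorized has the same signature as the RIA Services server-side AuthorizationAttribute, the types live in the namespace from the page's xmlns declaration, and the permission names and role table are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;
// Assumed: the namespace from the page's xmlns holds AuthorizationAttribute and AuthorizationResult.
using FirstLook.ServiceModel.DomainServices.Client.Security;

public class CustomAuthorizationAttribute : AuthorizationAttribute
{
    // Constructed sample policy: permission name -> roles that hold it.
    private static readonly Dictionary<string, string[]> PermissionRoles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "Accounts.View", new[] { "Administrator", "Accountant" } },
            { "Accounts.Edit", new[] { "Administrator" } },
        };

    // Parameterless constructor so the rule can call new CustomAuthorizationAttribute().
    public CustomAuthorizationAttribute() : this("Accounts.View") { }

    public CustomAuthorizationAttribute(string permission)
    {
        this.Permission = permission;
    }

    public string Permission { get; private set; }

    // Assumed signature, mirroring the RIA Services server-side AuthorizationAttribute.
    protected override AuthorizationResult IsAuthorized(
        IPrincipal principal, AuthorizationContext authorizationContext)
    {
        // Deny by default: a missing principal or an anonymous user is never authorized.
        if (principal == null || principal.Identity == null || !principal.Identity.IsAuthenticated)
        {
            return new AuthorizationResult("You must sign in to continue.");
        }

        // An unknown or null permission falls through to the denial below.
        string[] roles;
        if (this.Permission != null
            && PermissionRoles.TryGetValue(this.Permission, out roles)
            && roles.Any(principal.IsInRole))
        {
            return AuthorizationResult.Allowed;
        }

        return new AuthorizationResult("Permission '" + this.Permission + "' is required.");
    }
}
```

A check like this only gates what the client UI shows; the DomainService operations behind the page need their own server-side authorization.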

You can now reference this authorization method from anywhere in XAML using the Rule property. The following snippet displays the hyperlink according to your custom authorization rule.

  <HyperlinkButton NavigateUri="/Accounts">
      <s:Authorization.Rule>
          <my:CustomAuthorizationRule />
      </s:Authorization.Rule>
  </HyperlinkButton>

Custom Behaviors

You may have noticed not all elements are hidden when the RequiresAuthentication and RequiresRole properties are applied. Pages, for instance, are simply disabled. Even though the default behavior is determined based on element type, each element can specifically declare how authorization should be applied using the TargetProperties property. The following snippet disables the hyperlink for users who are not in the ‘Administrator’ role.

  <HyperlinkButton NavigateUri="/Accounts"
                   s:Authorization.RequiresRole="Administrator"
                   s:Authorization.TargetProperties="IsEnabled" />

The TargetProperties property can be set on an element to any DependencyProperty that is a type supported by the AuthorizationConverter. Most notably, these types include Strings, Booleans, and Visibility. Also, like RequiresRole, the TargetProperties property supports a comma-separated list of property names.


Sometimes simply redirecting the user when they try to access a page they are not allowed to view is not the best option. Often, it is useful to prompt the user for their login credentials. If you set the NavigationMode to Prompt, the framework will attempt to do just that.

Using Prompt mode requires you to implement an AuthorizationPrompter, a simple interface used to prompt the user for credentials. A single instance can be created at startup and will be used throughout.

  public App()
  {
      // ...
      // One prompter instance, created at startup, serves the whole application.
      Authorization.Prompter = new LoginRegistrationWindowPrompter();
  }

Additionally, a Page and Frame can specify different NavigationModes. The value specified by the Frame will be used as the default. If a Page chooses to specify a value as well, it will be used instead of the default.

Comments (17)

  1. facingwaller says:

    What's LoginRegistrationWindowPrompter?

    How to define? Could you give me a link to source code? or

  2. Matt says:

    Great stuff Kyle. Are there any tricks to getting the NavigationMode="Prompt" to work in the AuthorizationSample project?

    I've tried a few combinations with Requires Role & Authentication and TargetProperties, but I think this basic scenario should prompt with a Login dialog if the user isn't authenticated?

    <HyperlinkButton x:Name="LinkAbout" Style="{StaticResource LinkStyle}"
                     NavigateUri="/About" TargetName="ContentFrame" Content="About Us"/>

  3. Matt says:

    Also… After digging around looking for straightforward methodology for page level security, it seems this approach should be included in the next Silverlight release directly…

  4. kylemc says:


    Thanks. NavigationMode is only designed to be set at a Frame level (and optionally overridden at the Page level). Using it with any other controls won't work. So there are really three steps to take for each page.

    1) Make sure the containing Frame has a NavigationMode specified

    2) Add authorization to the Page

    3) Add authorization to Hyperlinks that navigate to the page

  5. Matt says:

    Thanks so much for the quick response.  I have a better understanding of how this works now.  Will the code library likely be included in future RIA releases?  As RIA/SL continue to mature, I'd expect to see more core functionality such as this.

    I'm also somewhat surprised that although the aspnet Membership is quite mature, it does not provide support for more dynamic and discrete permission-level based security.  Hard-coding Role names throughout an application is not a very flexible solution for enterprise line of business applications.

  6. Mark says:

    Kyle this is once again amazing stuff.

    Just interestingly, I do get a warning:

    base type 'FirstLook.ServiceModel.DomainServices.Client.Security.AuthorizationPrompter' is not CLS-compliant

    Code does compile and work flawlessly.

  7. Charles says:

    I get the same CLS-compliant warnings.  What's up with that?

  8. visual guard says:


    It is easy to confuse the mechanism of authentication with that of authorization. In many host-based systems (and even some client/server systems), the two mechanisms are performed by the same physical hardware and, in some cases, the same software. Nice one

  9. Olly says:


    I decided to use the NavigationMode.Prompt in my project, which seems to work, although I noticed that in your project, after trying to directly access the Accounts URL and cancelling the LoginWindow, you return the user to the Home page. How do you make it do this? I am missing one line of code in my project, which is: window.Closed += (sender, e) => completionCallback(userState); in your LoginRegistrationWindowPrompter, and was wondering if this had anything to do with it. As I am writing in VB, I am unsure what this is exactly doing and how to convert it.


  10. kylemc says:

    The redirect is baked in to the library. It should be sending you back to the page you default your frame to. Here's the VB equivalent of the code above and it's important to include it in the prompter.

     window.Closed += Function(sender, e) completionCallback(userState)

  11. ajin says:


    In my application, when the app loads, login is prompted, i.e. on the

    http://localhost:2555/AuthorizationSampleTestPage.aspx#/Home page, the login child window pops up. After successful login I click a link to redirect to the 'about' page,

    i.e. http://localhost:2555/AuthorizationSampleTestPage.aspx#/About. It works fine. But when I copy the above link and paste it into another tab, the About page comes up with a login prompt. I mean login is prompted although the app gets redirected to the about us page. I can see the about page in the background. So my question is: how can I remain on the Home page when I copy the 'about' page link into the browser if I am not authenticated? Or, when I paste a link to another page, I should get redirected to the first page if I am not authenticated.

  12. kylemc says:


    If you want the default behavior to be redirection, but you want prompting on the home page (or vice versa), then you should be able to set the default NavigationMode on the Frame and set exceptional NavigationModes on specific pages.

    The authorization logic is based on the current value in WebContext.Current.User. When you navigate in using a deep link, you need to make sure that value is up-to-date. Typically you'd call WebContext.Current.Authentication.LoadUser() and wait for it to return before loading the page with the navigation frame (for instance, you could make the call in App.xaml.cs before making MainPage the RootVisual).

  13. ajin says:

    's:Authorization.TargetProperties': I cannot access the TargetProperties.

    Cannot resolve TargetProperties error.

  14. kylemc says:

    Have you added the following to the xmlns includes?

    xmlns:s="clr-namespace:FirstLook.ServiceModel.DomainServices.Client.Security;assembly=FirstLook.ServiceModel.DomainServices.Client.Security"

  15. Olly says:


    I'm not sure if my previous question posted, as there was no confirmation when I pressed "Post", and sorry if you have already seen this. The following line in VB you suggested: window.Closed += Function(sender, e) completionCallback(userState) does not appear to work, and so I was wondering what exactly you are trying to do here?

    Also, is it correct that if I open a second tab after logging in that it reprompts for the login, or is this a knock-on effect from the above line of code? Thanks again

  16. kylemc says:


    In the prompter, it's important to invoke the callback. If the prompter opens a window, then it's easiest to invoke the callback in the Closed event. How exactly you choose to do this is up to you.

    In my response to ajin on the 18th, I explain why this happens. Typically you'll want to fix it by loading the user in App.xaml.cs.
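The deep-link fix kylemc describes in the replies above, written out as an added example (not code from the sample project): App.xaml.cs waits for LoadUser to finish before MainPage becomes the RootVisual, so the first authorization check sees the restored user. The use of FormsAuthentication and the MainPage name are assumptions; WebContext is the class RIA Services generates in the client project.

```csharp
using System.ServiceModel.DomainServices.Client.ApplicationServices;
using System.Windows;
// Namespace taken from the page's xmlns declaration.
using FirstLook.ServiceModel.DomainServices.Client.Security;

public partial class App : Application
{
    public App()
    {
        this.Startup += this.Application_Startup;
        InitializeComponent();

        // Assumed setup: forms authentication behind the generated WebContext.
        WebContext webContext = new WebContext();
        webContext.Authentication = new FormsAuthentication();
        this.ApplicationLifetimeObjects.Add(webContext);

        Authorization.Prompter = new LoginRegistrationWindowPrompter();
    }

    private void Application_Startup(object sender, StartupEventArgs e)
    {
        // Do not show the navigation Frame yet: restore the user for this
        // tab or session first, then build the UI in the callback.
        WebContext.Current.Authentication.LoadUser(this.OnUserLoaded, null);
    }

    private void OnUserLoaded(LoadUserOperation operation)
    {
        if (operation.HasError)
        {
            // Fail closed: WebContext.Current.User stays anonymous, so the
            // authorization checks deny or prompt as configured.
            operation.MarkErrorAsHandled();
        }

        // Only now does the Frame process the deep link (for example #/About),
        // with WebContext.Current.User already up to date.
        this.RootVisual = new MainPage();
    }
}
```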