Silverlight Authorization Sample

There have been a lot of questions recently about how to write authorization-enabled UI in Silverlight. We’ve always floated suggestions from the RIA Services team, but never put something concrete together. I decided to take some of those ideas and run with them. So today I’m excited to announce we’ve made an authorization sample available. The core functionality is located in a single Silverlight assembly so it’s easy to reuse. Please take a look and let me know what you think. I’m still actively developing this so I appreciate any and all feedback.

Authorization-based dynamic UI and Navigation

This sample shows how to use client-side authorization to customize UI and authorize navigation through XAML markup. The main functionality is contained in a Silverlight library to make it portable and reusable. Included with this sample are guides that cover common scenarios to make client-side authorization easy to understand and implement.

[Security Note]
Authorization in Silverlight should only be used for navigation and UI customization. For true security, you need to secure your data by adding authorization to your web services. These MSDN links describe how this can be done using WCF RIA Services.
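
The server-side half of that note, as an added example that is not part of the sample or the original post: a WCF RIA Services DomainService that enforces authorization on every call, so hiding a button on the client is never the only check. `ReportService`, `RequiresPermissionAttribute`, the permission table and the role names are hypothetical; `RequiresAuthentication`, `RequiresRole` and `AuthorizationAttribute` are the framework's own types.

```csharp
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Linq;
using System.Security.Principal;
using System.ServiceModel.DomainServices.Hosting;
using System.ServiceModel.DomainServices.Server;

// Hypothetical rule: maps a permission name to the roles that currently hold it.
public class RequiresPermissionAttribute : AuthorizationAttribute
{
    // Constructed stand-in for a permissions table; a real service would read its database.
    private static readonly Dictionary<string, string[]> RolesByPermission =
        new Dictionary<string, string[]> { { "GetReport", new[] { "Managers" } } };

    private readonly string permission;

    public RequiresPermissionAttribute(string permission) { this.permission = permission; }

    // Runs on the server for every call to the decorated operation.
    protected override AuthorizationResult IsAuthorized(
        IPrincipal principal, AuthorizationContext authorizationContext)
    {
        string[] roles;
        bool allowed = principal != null
            && principal.Identity.IsAuthenticated
            && RolesByPermission.TryGetValue(permission, out roles)
            && roles.Any(principal.IsInRole);
        return allowed
            ? AuthorizationResult.Allowed
            : new AuthorizationResult("Access denied: " + authorizationContext.Operation);
    }
}

[EnableClientAccess]
[RequiresAuthentication] // anonymous callers are rejected for every operation
public class ReportService : DomainService
{
    // Built-in role check, with the role names fixed at compile time.
    [Invoke]
    [RequiresRole("Sales", "Managers")]
    public int CountReports() { return 2; }

    // Role list resolved on the server at call time, so it can change after deployment.
    [Invoke]
    [RequiresPermission("GetReport")]
    public string GetReport(string name) { return "contents of " + name; }
}
```

A caller who bypasses the Silverlight UI and invokes `GetReport` directly still goes through `IsAuthorized` on the server.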

Comments (19)

  1. vit100 says:


    Excellent code. Almost exactly what I need. Thanks

    One question for you:

    I have an application with many pages, and each page has a list of controls whose RequireAuthorization must be linked with the DB.

    DB structure something like this:





    So the idea is to assign roles at run time. This will control visibility/state of the GUI depending on the user who is working with it.

    Why I need this? Because I want to change Control's group after application is deployed.

    Let's say today the button Get report must be available for users in Sales; tomorrow they want to assign the GetReport button to other people – managers. So instead of developing GUI with hard coded Roles like this <button ss:requiresRole="sales"/> I can do something like this: <button ss:requiresRole="{Binding ValueFromDB}"/> where ValueFromDB can be a list of groups… You see what I mean?

    Please advise.


  2. vit100 says:

    I think that even binding will not do the trick here: <button ss:requiresRole="{Binding ValueFromDB}"/>

    as I will need to apply binding on the root container and it will not allow me to use other data bindings for the page.

  3. Shah_X says:

    Hi Kyle,

    Thanks for sharing this wonderful library.

    I have found an issue. If you go to the page which prompts you for credentials and, after giving the required credentials, the user refreshes the page or enters the same URL in another browser tab, you get this exception:

    Value cannot be null.

    Parameter name: target

    It will be a great help if you could re-share your updated library with the fix for this issue.



  4. Shah_X says:

    Hi Kyle,

    Any solution/fix for the above-mentioned issue in the Authorization library?



  5. Ned Nedson says:

    When I try to unzip the zip file of the authorization sample available in the RIA Services code gallery it asks for a password for some of the files? What would the password be?

  6. kylemc says:

    Shah, good news is the update is uploaded. Bad news is that some of the files might be password protected. I'll look into it.

  7. kylemc says:

    Also, with this update I've introduced some breaking changes. They're mostly in the extensibility hooks and I've updated the Authorization Sample 201 post accordingly. I'll do another post about extensibility later.

  8. kylemc says:

    Vitaliy, your scenario is interesting and I've done something similar (permissions-based) that I'll post later. Take a look at extensibility using an AuthorizationRule. It allows you a lot of flexibility beyond what you can express in markup.

    The one warning I'll mention is that authorization is synchronous. That means you won't be able to access the database when you need to authorize. The major implication for your (and other) scenarios is that all the data required for authorization should be on the client before you attempt to authorize things. Ideally it will all be pulled down as part of the User data when the user logs on.

  9. Carlos Queirós says:

    Hi Kyle,

    Can you give some sample code on how to use authorization with dynamic page loading from external xap, please?

  10. kylemc says:


    Feel free to email me and I can send you a site map sample I've been working on.

  11. kin says:

    Could you make a sample of managing user roles in Silverlight?

    I want the user with the 'admin' role to be able to edit the other users' roles.

  12. Oleg says:

    Hi Kyle,

    Thank you for a great example on authorization-enabled UI in Silverlight.

    But one thing puzzles me and I’m hoping that maybe you can clarify this for me. It is the FirstLook.ServiceModel.DomainServices.Client.Security component, the classes in System.ComponentModel.DataAnnotations namespace in particular: AuthorizationAttribute, AuthorizationContext, et al.

    Do these classes provide the same functionality as these same classes in System.ServiceModel.DomainServices.Server made available through Service.ComponentModel.DataAnnotations? Is the reason for doing this that you cannot reference System.ServiceModel.DomainServices.Server in the project?

    Also, does the name FirstLook.ServiceModel.DomainServices.Client.Security suggest that RIA Services would make these classes available through System.ServiceModel.DomainServices.Client.Security namespace?

    Could you explain this part in more detail? Please.

    Thank you

  13. kylemc says:


    The types in S.CM.DataAnnotations are all duplicates of the types shipped in S.SM.DS.Server. I added them to these assemblies so they could be used in Silverlight (the Server assembly cannot be referenced from Silverlight).

    The implication is they could exist in the framework. If you look at this list (…/57026-wcf-ria-services), they're about half way down. That makes it a little difficult to know when they'd be prioritized for promotion into the framework. A strong push from the community might speed up the process a little, though.

  14. Hi Kyle,

    Thanks a lot for your reply.

    I also cast my vote at the link you gave.

    Thanks again,


  15. Hi Kyle,

    I have one other question. Let’s say I have a TextBox. The scenario I try to achieve is as follows:

    Role1 should be able to edit the text in it (TextBox visible, enabled, not read-only)

    Role2 should only have the ability to view the text but not edit it (TextBox visible and either disabled or read-only)

    Other roles should not even see the TextBox (not visible).

    Is this scenario achievable using the Authorization Sample model? What would I need to do to achieve this?

    Thank you,


  16. kylemc says:


    I touched on it in this post (…/authorization-sample-305-permission-based-authorization-for-silverlight.aspx). It's definitely a possibility, but it takes a little more work on your end.

  17. Tim Kelley says:

    Thanks for the article. I was creating something similar to this to use in Prism and the article helped steer me in the right direction.

  18. Alex says:

    Dear Kyle, I am trying to use the code, but didn't manage to log in. The busy indicator never ends… Please advise. I know this is an old thing but being a nub to Silverlight I need to implement some kind of the functionality that your code provides.

  19. yukun says:


    Great library and articles! I'm new to this and struggling with authentication and navigation. This provides a much cleaner solution. And I'm glad to learn that in addition to this, it's even more important to secure the services.

    Thanks for sharing!