Handling security for Flex and Silverlight in ASP.NET

Silverlight and Flex are browser plug-ins, and their security model is much like the JavaScript model: the browser makes the requests to the server. Storing credentials or any other sensitive information inside the application is therefore not recommended, because any user can download the SWF or XAP file and inspect its code, and without HTTPS every request to the server can be read in clear text on the wire.

Server-side protection is therefore needed for files that IIS will otherwise deliver to anyone who requests them. ASP.NET has HttpModules and HttpHandlers, which are well suited to filtering requests.

These are the steps to protect the SWF and XAP files from unauthenticated users. In IIS, first register those two extensions as .NET managed extensions so that requests for them go through the ASP.NET pipeline; otherwise IIS serves the files directly and the module never sees the request.


Create an ASP.NET website with a Default.aspx login page that validates users against whatever database you like, and add an HttpModule. To create an HttpModule you implement IHttpModule:

using System;
using System.IO;
using System.Web;

public class ProtectAll : IHttpModule
{
    #region IHttpModule Members

    public void Dispose()
    {
        // Nothing to release: the module holds no unmanaged resources.
    }

    public void Init(HttpApplication context)
    {
        // AuthorizeRequest fires after the authentication module has set
        // context.User and before the handler runs, so an unauthenticated
        // request is redirected before the file is read or sent.
        context.AuthorizeRequest += new EventHandler(context_AuthorizeRequest);
    }

    void context_AuthorizeRequest(object sender, EventArgs e)
    {
        HttpApplication app = (HttpApplication)sender;
        HttpContext context = app.Context;

        // Compare the real file extension instead of searching the whole
        // path for ".SWF", which would also match unrelated names such as
        // a folder called "files.swf".
        string extension = Path.GetExtension(context.Request.Url.AbsolutePath);

        if (string.Equals(extension, ".swf", StringComparison.OrdinalIgnoreCase) ||
            string.Equals(extension, ".xap", StringComparison.OrdinalIgnoreCase))
        {
            if (context.User == null ||
                !context.User.Identity.IsAuthenticated)
            {
                // Send the user to the login page; ReturnUrl is URL-encoded so
                // any query string in the original request survives the round trip.
                context.Response.Redirect("Default.aspx?ReturnUrl=" +
                    HttpUtility.UrlEncode(context.Request.Url.ToString()));
            }
        }
    }

    #endregion
}

The most important part: in the httpModules section of web.config, register the module so it filters requests:

<add name="protectswf" type="ProtectAll" />

In the httpHandlers section, map the two extensions to the StaticFileHandler so ASP.NET serves them as plain files once the module has let the request through:

<add path="*.swf" verb="*" type="System.Web.StaticFileHandler" validate="false"  />
<add path="*.xap" verb="*" type="System.Web.StaticFileHandler" validate="false"  />

The StaticFileHandler is built into .NET for serving non-.NET resources. That's pretty much it; using this approach you can add as many extensions as you want to protect HTML pages or any other resources from unauthenticated users. The result is that whenever a user requests a file with one of those extensions, they are redirected to the login page; once authenticated they are sent back to the original request, and subsequent requests pass straight through.
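To show how the module and handler fragments above fit together, here is a complete web.config for the classic-pipeline layout the post describes. It is an added example, not the author's own file. It assumes Forms authentication with Default.aspx as the login page (the only way context.User.Identity.IsAuthenticated becomes true after login), the module name protectswf and type ProtectAll from the post, and a site served over HTTPS (the requireSSL setting reflects the post's remark that requests without HTTPS travel in clear text).

```xml
<?xml version="1.0"?>
<configuration>
  <system.web>
    <!-- Forms authentication issues the cookie that makes
         context.User.Identity.IsAuthenticated true after a successful login.
         loginUrl must match the page the module redirects to.
         requireSSL="true" assumes an HTTPS site; on plain HTTP the browser
         never sends the cookie and every request would loop back to login. -->
    <authentication mode="Forms">
      <forms loginUrl="Default.aspx" name=".ASPXAUTH" timeout="30"
             requireSSL="true" slidingExpiration="true" />
    </authentication>

    <!-- The module from the post; type="ProtectAll" resolves to the class
         compiled into App_Code or the site's own assembly. -->
    <httpModules>
      <add name="protectswf" type="ProtectAll" />
    </httpModules>

    <!-- Once the module lets a request through, serve the plug-in files as
         plain static content. validate="false" tells ASP.NET not to load the
         handler type until a matching request actually arrives. -->
    <httpHandlers>
      <add path="*.swf" verb="*" type="System.Web.StaticFileHandler" validate="false" />
      <add path="*.xap" verb="*" type="System.Web.StaticFileHandler" validate="false" />
    </httpHandlers>
  </system.web>
</configuration>
```

Under IIS 7 or later in integrated mode the same module and handler registrations move to system.webServer/modules and system.webServer/handlers, and the IIS extension mapping from the first step is no longer needed because every request already passes through the managed pipeline.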

Cheers

Al
