Silverlight 2 Connect to Secure WCF Service

    Question

  • I want to connect to secure WCF service using silverlight. 

    • I am using Silverlight 2
    • I am using WCF with a custom binding configured on the server side
    • The WCF service uses secure conversation bootstrapped with UserNameForCertificate
    • I don't care which binding I should connect to the service with

    This is what I did

    • Created a Silverlight solution
    • Added all my code to Silverlight projects
    • Compiled them all
    • Created a WCF proxy using the "Add Service" dialog in VS
    • Proxy class is created but is different from a normal WCF service proxy 

    The proxy does not contain ClientCredentials, so I have no way of specifying the username and password. I have heard other people mention that there is no way to use a secure WCF service from Silverlight. Is this true? Could someone please let me know. This is very important because if we can't use a secure WCF service, we can't use Silverlight. By the way, please no comments about workarounds. I know that there are probably ways to work around this but I want a very solid answer: does Silverlight 2 support secure WCF services?

     

    Tuesday, October 21, 2008 12:07 AM

Answers

  • I have basically come to a verdict that the kind of security I am talking about here can only be achieved with a certificate. However, there are a lot of issues around this. Please see the bottom of this thread:

    http://silverlight.net/forums/p/104785/239370.aspx

    Sunday, August 30, 2009 9:02 PM

All replies

  • See this thread; maybe it can solve your problem

    http://silverlight.net/forums/p/25620/89933.aspx

     

     

    Tuesday, October 21, 2008 12:33 AM
  • That person has exactly the same problem I have. But, nobody has answered the question!

    People have only provided links vaguely related to WCF and Silverlight.

    This thread is specifically about calling a WCF service from Silverlight 2 with UserNameForCertificate security. Can someone please answer that?

    Tuesday, October 21, 2008 1:04 AM
  • Yes, Silverlight does support SSL Services. Look at this video.

     

    Please mark the post as 'Answered' if this Answers your question

    Tuesday, October 21, 2008 1:40 AM
  • Silverlight supports WCF BasicHttpBinding.  If you read up on basicHttpBinding...it only supports message and transport security.  So what does that mean...basically opt-in https.  I say opt-in because now in Silverlight 2 RTM, you can specify whether you allow certain domains to call your service with which transport.  I am not sure what you mean when you say there is "no way to secure a WCF service".  That is simply not true when speaking in terms of the transport/message security.

    I am not sure if you mean authentication (?).  On the authentication side this depends on your client and how you are hosting this.  Silverlight has some pass through integration with ASP.NET Forms authentication you can use or you can create your own.  Here is a pretty detailed example of adding Windows Live Authentication to Silverlight for example:

    http://blog.webjak.net/2008/08/13/silverlight-windows-live-id/

    If you are designing a RESTful service, then you are probably better off with a Token based mechanism similar to Facebook/MySpace etc.  BTW Myspace is a .net based site and on their developer site, you can get some really cool WCF code they prototyped when they created their REST API using WCF 3.x.  In an intranet scenario, you can simply use Windows authentication.

    In conclusion to answer your question, yes Silverlight can be secure on the authentication side and on the transport/message side as well.

    Tuesday, October 21, 2008 2:00 AM
  • OK. Let me clear up my terminology. By security I mean authentication, but I am also talking about WCF's security model. In my specific case, I need to use UserNameForCertificate authentication. There is a very simple reason: that's what my WCF service is configured to use. As I said, I don't really care what binding I use. However, it is now clear that I am limited to BasicHttpBinding. So, that means I am limited to whatever authentication BasicHttpBinding supports. The question becomes: does BasicHttpBinding support UserNameForCertificate authentication?

    "I am not sure what you mean when you say there is 'no way to secure a WCF service'". This was a question; not a statement. I didn't state that Silverlight can't call a secure WCF service; I was asking whether or not it can. More specifically, I want to know if Silverlight (seeing it is limited to BasicHttpBinding) can call a WCF service with UserNameForCertificate authentication. That is my specific question. And, of course, how is this done?

    The article provided has nothing to do with UserNameForCertificate authentication. It is related to Windows Live Authentication which is completely different. The article doesn't even go in to detail about how to call a WCF service with security.

    To be more clear about what I am trying to achieve. Here is my WCF server side binding config.

    <customBinding>
      <binding name="testBinding">
        <security authenticationMode="SecureConversation" requireSecurityContextCancellation="true" >
          <secureConversationBootstrap authenticationMode="UserNameForCertificate"></secureConversationBootstrap>
        </security>
        <textMessageEncoding>
          <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
        </textMessageEncoding>
        <httpTransport transferMode="Buffered" maxReceivedMessageSize="2147483647" maxBufferSize="2147483647" />
      </binding>
      <binding name="metadataBinding">
        <textMessageEncoding>
          <readerQuotas maxDepth="2147483647" maxStringContentLength="2147483647" maxArrayLength="2147483647" maxBytesPerRead="2147483647" maxNameTableCharCount="2147483647" />
        </textMessageEncoding>
        <httpTransport transferMode="Buffered" maxReceivedMessageSize="2147483647" maxBufferSize="2147483647" />
      </binding>
    </customBinding>

    This is the configuration for the WCF service on the client side (ASP app)

    <wsHttpBinding>
      <binding name="standardBinding" closeTimeout="01:00:00" openTimeout="01:00:00" receiveTimeout="01:00:00" sendTimeout="01:00:00" hostNameComparisonMode="StrongWildcard" maxBufferPoolSize="524288" maxReceivedMessageSize="2147483647" messageEncoding="Text" textEncoding="utf-8" allowCookies="true">
        <readerQuotas maxDepth="32" maxStringContentLength="2147483647" maxArrayLength="163840" maxBytesPerRead="4096" maxNameTableCharCount="16384"/>
        <reliableSession ordered="true" inactivityTimeout="01:00:00" enabled="false" />
        <security mode="Message">
          <transport clientCredentialType="Windows" proxyCredentialType="None" realm=""/>
          <message clientCredentialType="UserName" negotiateServiceCredential="false" algorithmSuite="Default" establishSecurityContext="true"/>
        </security>
      </binding>
    </wsHttpBinding>

    Obviously, my ASP application uses wsHttpBinding to achieve UserNameForCertificate authentication. So the first thing I have to figure out is how to achieve the same authentication with BasicHttpBinding if indeed it is possible at all.

    Further to this, normal (non-silverlight) WCF proxies have a ClientCredentials object which allows you to specify username and password. Silverlight WCF proxies do not have this. So, if it is possible to use UserNameForCertificate authentication, how do I specify the username and password?

    As I said in the original post, I'm not interested in workarounds, or other methods of achieving different kinds of security. I specifically want to know if I can use UserNameForCertificate authentication using Silverlight. If so, how?

     

     
    Tuesday, October 21, 2008 8:00 PM
  • Here is something that is strange. This configuration seems to be acceptable in the web.config of an ASP app:

    <basicHttpBinding>
      <binding name="Binding">
        <security mode="TransportWithMessageCredential">
          <transport clientCredentialType="Windows" />
          <message clientCredentialType="UserName" />
        </security>
      </binding>
    </basicHttpBinding>

    But, in Silverlight, the Xml validator complains about this. It only allows Transport and not transportwithmessage credential.

     

    Tuesday, October 21, 2008 8:33 PM
  •  Quote from the WCF Security Guidance Patterns & Practices:

    http://www.codeplex.com/WCFSecurity/Wiki/View.aspx?title=If%20you%20are%20coming%20from%20ASMX%20then%20use%20basicHttpBinding%20to%20support%20your%20existing%20clients&referringTitle=Guidelines

    basicHttpBinding has the following characteristics:

    • It does not support ws* stack, therefore it does not provide reliable messaging, message security, and secure transactions.
    • If you choose to use message security you can only use username or certificates authentication

    Also from looking at your ASP.NET client it is using a WS* standards compatible binding (wsHttpBinding).  My guess would be that Silverlight doesn't support UserNameForCertificate. There was also an architecture presentation on WCF I saw where I remember them saying that basicHttpBinding doesn't support secure messaging 100%.  From the validator as you mention above it also seems that it is not an option.

    I hope someone from MS can enlighten us with an answer as I am pretty curious about this myself.  There is very little documentation out there on this stuff.  I know MS is releasing a WCF Security Guide this month or next month with detailed scenarios on how to do everything.

    Tuesday, October 21, 2008 9:32 PM
  • "If you choose to use message security you can only use username or certificates authentication"

    This statement sounds promising. However, I think that Silverlight in particular does not support UserNameForCertificate authentication because the configuration for BasicHttpBinding is different in Silverlight than normal ASP. It's as though Silverlight supports a less sophisticated version of BasicHttpBinding.

    Yes, Microsoft, please answer this. I've asked this exact same question of Ajax in another thread and so far nobody has been able to tell me if I can call a secure WCF service from JavaScript yet.

    Wednesday, October 22, 2008 1:46 AM
  • I've got a solution for UserNamePassword, not for UserNameForCertificate.

    Binding configuration is:

    <security mode="TransportWithMessageCredential">
                <transport clientCredentialType="None"/>
                <message clientCredentialType="UserName"/>
    </security>

    Binding is BasicHttpBinding, so if it's what you're looking for - I can publish the solution in this thread

    Wednesday, October 22, 2008 2:08 AM
  • I tried pasting this Xml in to my ServiceReferences.ClientConfig.

    <basicHttpBinding>
      <binding name="AssetFindServiceSoap" maxBufferSize="2147483647"
               maxReceivedMessageSize="2147483647">
        <security mode="TransportWithMessageCredential">
          <transport clientCredentialType="None"/>
          <message clientCredentialType="UserName"/>
        </security>
      </binding>
    </basicHttpBinding>

     

    But I get these errors

    Warning 1 The 'mode' attribute is invalid - The value 'TransportWithMessageCredential' is invalid according to its datatype 'String' - The Enumeration constraint failed. C:\AdaptSource\AssetValuation\Adapt.Silverlight.Administration\ServiceReferences.ClientConfig 7 27 Adapt.Silverlight.Administration
    Warning 2 The element cannot contain white space. Content model is empty. C:\AdaptSource\AssetValuation\Adapt.Silverlight.Administration\ServiceReferences.ClientConfig 7 59 Adapt.Silverlight.Administration
    Warning 3 The element 'security' cannot contain child element 'transport' because the parent element's content model is empty. C:\AdaptSource\AssetValuation\Adapt.Silverlight.Administration\ServiceReferences.ClientConfig 8 14 Adapt.Silverlight.Administration

    As I have said, Silverlight does not allow the same configuration that you would normally use for WCF.

    Incidentally, even if this worked, how would you specify the username and password? There is no ClientCredentials property on a Silverlight WCF proxy.

     

    Wednesday, October 22, 2008 7:05 PM
  • BTW: Amit, I watched the video on using transport security with https. That makes sense but again, it's got nothing to do with what I am trying to achieve.

    If we can't use something like UserNameForCertificate authentication, how does the server side WCF service know which user is making a call? As far as I am concerned, security in any application starts with knowing which user (if any) is trying to do what. Without a method of doing that, security is really just another way of saying "allow some people to do everything, and block everyone else from doing anything".

    Wednesday, October 22, 2008 7:25 PM
  •  You can use an encrypted+salted token to mask the user ID.  It's not the best solution (as the encoding/decoding code has to be put on the Silverlight client), but it will work.  How do you think REST APIs are called from Facebook, MySpace or Amazon?

    You can also obfuscate+encrypt your Silverlight assemblies using an obfuscation tool.

    Wednesday, October 22, 2008 7:44 PM
  • "You can use an encrypted+salted token to mask the user ID."

    I don't really understand what you are suggesting. Is what you're suggesting passing the encrypted username as a parameter of the methods? Obviously, that can be done, but there's nothing nice about it.

    Try to pretend that absolutely nothing can be changed on the WCF server side. I already have the configuration and methods defined and they are not changing. What I want to know is whether or not I can use Silverlight to connect to my existing WCF service which uses UserNameForCertificate authentication.

    Wednesday, October 22, 2008 8:25 PM
  • "...but there is nothing nice about it"

    Well a majority of REST services are called in that exact way.

    Fair enough, your answer is probably no...until someone from MSFT responds. If it depends on you using Silverlight...then I would say the answer to your question is also that in your specific case Silverlight is probably not a good option, unless you can provide another endpoint with a different binding/security.

    My last suggestion is to use a MSDN support ticket (they are a one time 300 fee and you get 3 for free if you have MSDN). MSFT is pretty good about getting real good experts to help you and I have used them to solve more obscure problems. Please tell me you're not seriously banking "using or not using Silverlight" based on a forum reply.

    Wednesday, October 22, 2008 9:33 PM
  • Yes, SL doesn't support this type of security. Solution is adding security headers with every message.

    So, WCF binding is without changes - basicHTTPBinding with UserNamePassword + ssl.

    On Silverlight side:

    1. Config WCF client:

    <binding name="name">
      <security mode="Transport" />
    </binding>

    2. Create security header DataContract:

    using System.Runtime.Serialization;

    // Username/password payload carried inside the Security SOAP header.
    [DataContract(Namespace = CommonInfoStorage.sSecurityNamespace)]
    public class UserNameToken
    {
        [DataMember]
        public string Username { get; set; }

        [DataMember]
        public string Password { get; set; }
    }

    // Serialized as the <Security> header element.
    [DataContract(Namespace = CommonInfoStorage.sSecurityNamespace)]
    public class Security
    {
        [DataMember]
        public UserNameToken UsernameToken { get; set; }
    }

    CommonInfoStorage - class which contains current user data and also is helper for accessing service proxies

    3. Here is code of CommonInfoStorage:

    using System;
    using System.ServiceModel;
    using System.ServiceModel.Channels;

    // Person and ServiceClient are the poster's own types (user data and generated proxy).
    public static class CommonInfoStorage
    {
        private static Person _CurrentPerson;

        public static Person CurrentPerson
        {
            get
            {
                return _CurrentPerson;
            }
            set
            {
                _CurrentPerson = value;
                // Drop the headers that were built for the previous user.
                if (OperationContext.Current != null)
                    OperationContext.Current.OutgoingMessageHeaders.Clear();
            }
        }

        public const string sSecurityNamespace = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd";

        private static void InsertAuthHeaders(string sLogin, string sPassword, IContextChannel channel)
        {
            // Message text: "Empty login and password must not be passed"
            if (string.IsNullOrEmpty(sLogin) || string.IsNullOrEmpty(sPassword))
                throw new ArgumentNullException("Нельзя передавать пустые логин и пароль");

            // Makes the channel's context OperationContext.Current on this thread.
            OperationContextScope scope = new OperationContextScope(channel);

            MessageHeader header = MessageHeader.CreateHeader("Security", sSecurityNamespace,
                new Security() { UsernameToken = new UserNameToken() { Username = sLogin, Password = sPassword } }, false);

            OperationContext.Current.OutgoingMessageHeaders.Clear();
            OperationContext.Current.OutgoingMessageHeaders.Add(header);
        }

        private static ServiceClient _Service;

        public static ServiceClient Service
        {
            get
            {
                // Create the proxy on first use and replace it if it has faulted.
                if (_Service == null)
                    _Service = new ServiceClient();
                else if (_Service.State == System.ServiceModel.CommunicationState.Faulted)
                    _Service = new ServiceClient();

                if (CurrentPerson != null)
                {
                    // Attach the credentials header if it is not present yet.
                    if (OperationContext.Current == null || OperationContext.Current != null && OperationContext.Current.OutgoingMessageHeaders.Count == 0)
                        InsertAuthHeaders(CurrentPerson.sLogin, CurrentPerson.sPassword, _Service.InnerChannel);
                }

                return _Service;
            }
        }
    }

    Thursday, October 23, 2008 1:35 AM
  • "Yes, SL doesn't support this type of security."
    Thanks for the answer. Are you sure about that? How do you know?

    I really would like to hear this from the horse's mouth because I'd like to know when Microsoft is planning on supporting other bindings in Silverlight. 

    "Solution is adding security headers with every message."

    Thanks for the code post! I will try that out. It may actually provide the solution. I used to use SoapHeaders for security with web services. As long as I can pick up the username on the server side, and I don't have to redesign all my WCF code, this might be useful. I'll post again later.

     

    Friday, October 24, 2008 3:09 AM
  • BTW: Ajax seems to have exactly the same problem.

    http://social.msdn.microsoft.com/Forums/en-US/wcf/thread/b1306f06-b4f6-4f6c-abf8-e8f47d42affa#page:1

    I don't understand why the WCF technology only seems to have half implementations on the client side. WCF is a great technology but if it's only compatible with a few other technologies, it is less useful. Hopefully Silverlight will eventually support it in the same way ASP does.

    Friday, October 24, 2008 3:26 AM
  • This was mentioned several times on other posts, but Silverlight cannot support WCF now...because WCF 3.0 libraries that support WS* standards are tied to .NET 3.0 and are pretty big.  This would make Silverlight BALLOON from 4.5 megs to a huge download.  I would bet that they will offer an add-on assembly in the future.

    Your comment is completely wrong when you say "half implementations on the client side".

    For Silverlight, I explained why it's not in the core RTW release.  Furthermore, how can you expect JavaScript to be able to call WS* standard services without help?  If you write a Windows or WPF client you can use WCF fine.  If you write an ASP.NET application you can communicate with WCF fine.  If you write a service that is a client to another WCF service (as long as it is hosted on a full .NET 3.0 compatible client) you are fine.

    Saying that because JavaScript and Silverlight don't support WCF is "half implementation on the client side" is a bit of a stretch.

    Friday, October 24, 2008 11:04 AM
  • "Silverlight cannot support WCF now...because WCF 3.0 libraries that support WS* standards are tied to .NET 3.0 and are pretty big.  This would make Silverlight BALLOON from 4.5 megs to a huge download."

    Fair enough. That explains a lot. 

    "Saying that because JavaScript and Silverlight don't support WCF is 'half implementation on the client side' is a bit of a stretch."

    You can use whatever terminology you like. The fact is that Ajax (JavaScript), and Silverlight both have limitations when calling WCF.

    I will try the recommended code when I have a chance to be able to get user name authentication working. If that works, it may be enough to have an authenticated WCF service. If it doesn't, well, it means that Silverlight is not a silver bullet to solving my problem of being able to connect to WCF directly from the client.

    Friday, October 24, 2008 6:54 PM
  • That might be your other problem...looking for a "silver bullet".  Rarely do I find a technology that does everything I need.

    Remember ASMX services back in 2000-2004 or so were written that very way Silverlight supports now, so it's not like some "will not work solution".  I completely agree with you that WS* standard WCF calls are miles ahead compared to ASMX basic http services, but let's be real: businesses implementing services several years ago (including Microsoft) ran fine without all the new bindings in WCF.

    Friday, October 24, 2008 9:42 PM
  • Leonid,

    I'm trying to digest your proposed solution. From what I can gather your suggestion is:

    • Create a DataContract called Security which has another class called UserNameToken as a DataMember
    • The UserNameToken class contains username and password
    • Then you have another class called CommonInfoStorage
    • My guess is that this is supposed to be a client side class. Is that correct?

    I think the magical code is here:  

       MessageHeader header = MessageHeader.CreateHeader("Security", sSecurityNamespace,
           new Security() { UsernameToken = new UserNameToken() { Username = sLogin, Password = sPassword } }, false);

       OperationContext.Current.OutgoingMessageHeaders.Clear();
       OperationContext.Current.OutgoingMessageHeaders.Add(header);
    
    • I think you are passing a header across to the server with the credentials. Is that correct?
    • Is this the same thing as passing a SoapHeader across in Web Services?

    This seems like a very similar method to how I used to do security with Web Services. It makes sense, and you are probably right that this would roughly solve my problem. Unfortunately, it's not exactly what I was looking for from the beginning.

    If I were to use this method, is the transfer encrypted? This is something that customers care about. How about sessions? Can sessions be held in Silverlight with WCF? If Secure Conversation can not be enabled, there will be a significant performance loss.

    "That might be your other problem...looking for a "silver bullet".  Rarely do I find a technology that does everything I need."

    I started this thread with a goal in mind. I wanted to see if Silverlight had enough functionality to look cool and be as easy to develop in as WPF or ASP. It turns out that Silverlight has limitations that make it harder to develop WCF clients with. That's no criticism of Silverlight; it's a subset of functionality and makes no apologies about that. I believe it will be easier for me to develop my applications in WPF. It's just a shame that Microsoft is limited to keeping the Silverlight download small. But, I understand why they have to do that.

    Unless someone tells me otherwise, I'm going to assume that Silverlight does not support the kind of authentication that I am looking for. I could work around it but it would only make development more difficult thus thwarting the aim of the project in the first place.

    Sunday, October 26, 2008 11:48 PM
  • Yes, you're right. As far as I know, all security tokens and session IDs (all WCF or WS* content) are passed in SOAP headers. If you create a MessageInspector or attach message logging, you can see all you need to create the same messages. The properties of classic .NET WCF proxies are just a wrapper over code which constructs the message before sending it to the server and observes the message life cycle: timeouts, connection state, etc. So, some of us aren't waiting for Microsoft's implementation.

    Monday, October 27, 2008 2:21 AM
  • Hi Leonid!

     I am trying to apply your solution and keep getting a 404 error.

    I'm using TransportWithMessageCredentials on a server, but it is not critical. All I need is to call my WCF from Silverlight via SSL and pass credentials.

    Your method should work, but it looks like I'm missing something in the configuration.

    Here is my server's config:

     

    <system.serviceModel>
      <bindings>
        <basicHttpBinding>
          <binding name="secureTransport">
            <security mode="TransportWithMessageCredential">
              <transport clientCredentialType="None" proxyCredentialType="None"/>
              <message clientCredentialType="UserName"/>
            </security>
          </binding>
        </basicHttpBinding>
      </bindings>
      <behaviors>
        <serviceBehaviors>
          <behavior name="TestService_Behavior">
            <serviceDebug includeExceptionDetailInFaults="false" />
            <serviceMetadata httpsGetEnabled="true" />
            <serviceAuthorization principalPermissionMode ="UseAspNetRoles"
                                  roleProviderName ="SqlRoleProvider" />
            <serviceCredentials>
              <!-- Configure user name authentication to use the Membership Provider -->
              <userNameAuthentication userNamePasswordValidationMode ="MembershipProvider"
                                      membershipProviderName ="AspNetSqlMembershipProvider"/>
              <!-- Configure the service certificate -->
              <!--<serviceCertificate storeLocation ="LocalMachine"
              storeName ="My"
              x509FindType ="FindBySubjectName"
              findValue ="localhost" />-->
            </serviceCredentials>
          </behavior>
        </serviceBehaviors>
      </behaviors>
      <services>
        <service behaviorConfiguration="TestService_Behavior"
                 name="ServiceImplementation.TestService">
          <endpoint address="" binding="basicHttpBinding" name="DefEndpoint"
                    bindingNamespace="https://TEST/Silverlight/11/2008/" bindingConfiguration="secureTransport"
                    contract="ServiceContracts.ITestService" />
          <endpoint address="mex" binding="mexHttpsBinding" contract="IMetadataExchange" />
        </service>
      </services>
    </system.serviceModel>

     
     And my client's config is:

     

    <system.serviceModel>
            <bindings>
                <basicHttpBinding>
                    <binding name="DefEndpoint" maxBufferSize="2147483647" maxReceivedMessageSize="2147483647">
                        <security mode="Transport" />
                    </binding>
                </basicHttpBinding>
            </bindings>
            <client>
                <endpoint address="https://localhost/WCFHost/DefaultService.svc"
                    binding="basicHttpBinding" bindingConfiguration="DefEndpoint"
                    contract="DefProxy.TestService" name="DefEndpoint" />
            </client>
        </system.serviceModel>
     

     

    Could you help me please. What am I missing here?

    Thanks in advance. 

    Monday, November 17, 2008 2:59 PM
  • Never mind :)

    There was a wrong password sent to the server. So everything works fine. Thanks for the solution!

    Monday, November 17, 2008 5:28 PM
  • I've gone over this and over this. As far as I can tell, there is no way to directly call a WCF method which uses UserNameForCertificate, or UserNameForSslNegotiated. The consensus among people I have spoken to is that Silverlight supports what the browser supports, therefore we are limited to basicHttpBinding, which doesn't have much authentication functionality. However, I could be wrong about this and I would still like to get a definitive answer on this question!

    However, I have found a way to achieve what I wanted to achieve originally. As far as I can tell, the only way to get a secure WCF service working in either Ajax, or Silverlight is to use WCF's ASP.NET Compatibility Mode to pass through to WCF services. I have gotten this working. It works reasonably well except for a few shortcomings. This is how to achieve it:

    • Create your original WCF services with whatever binding/authentication you want
    • Create your proxy classes
    • Create an ASP application
    • Test that you can connect to the WCF services using your ASP app
    • Now create your ServiceContracts, DataContracts and OperationContracts inside your ASP app which replicate the methods in your original WCF services (or reference them from somewhere else)
    • Create an svc file to expose the WCF service from ASP (it should be in an ASP secure folder)
    • Add server side WCF configuration to your ASP app's web.config (it will have client side config as well so it will be confusing)
    • Use this link to help you set up the WCF services with ASP.Net compatibility (http://blogs.msdn.com/wenlong/archive/2006/01/23/516041.aspx#_Toc125715998)
    • The important thing to note about asp compatibility is that it allows you to access the ASP session state from the WCF service
    • Now when you call a WCF method from Ajax or Silverlight, it comes in to your ASP app. You can use the session information to talk to your original WCF service. I keep a Username/Password in my ASP session so that that information can be passed to the original WCF service.

    All this is way too complicated when you think that WCF has a great and flexible security model. People tell me that the browser doesn't support different kinds of binding etc. but why should that limit Silverlight? Why can't the Silverlight runtime/plugin itself handle the binding? Perhaps this will be a feature that is added in time. Who knows?

    Tuesday, March 17, 2009 7:40 PM
  • I should point out that the workaround above has proved to provide poor performance. It's a passthrough solution so for starters there is a service on top of a service which slows things down, but secondly, there is no secure conversation so the WCF proxies get created and then killed on every call which is wasteful.
    Sunday, May 03, 2009 7:27 PM
  • Sorry to Leonid. I have unmarked his post as an answer. There are various workarounds which have been suggested on this thread. Some work, and some don't. However, what is really required is to address the underlying issue which is that Silverlight 2 did not support any real authentication for WCF at the binding level. I am hearing that Silverlight 3 has some support for this. This article says that TransportSecurityWithMessageCredential is supported.

    http://blogs.msdn.com/endpoint/archive/2009/03/20/what-s-new-with-web-services-in-silverlight-3-beta.aspx

    I have also heard that Silverlight 3 supports binary binding.

    Has anyone been successful in setting up a WCF service with username/password authentication for Silverlight 3?

    Sunday, June 28, 2009 7:31 PM
  • To tell you the truth, in my opinion it's not necessary to apply security to Silverlight calling WCF, because all of the Silverlight assemblies can easily be downloaded by the end user, and most of them can easily be reflected. Any secure call to WCF needs to fix some user information on the client side, I mean in the XAP assembly, so it will be transparent to the end user. So I think it is not necessary to apply any security policy to Silverlight calling WCF.

     

    Thanks

    Monday, June 29, 2009 4:40 AM
  • Sorry, but that doesn't make a lick of sense. The point of username/password security is that a user of the Silverlight (or other app) will supply a username and password to connect to the WCF services which are completely separate from what is inside the Xap file. It would never make any sense to store user credentials in the Xap file, nor does it make any sense to store sensitive data inside the Xap file. The whole point of security on WCF is so that any application, regardless of its platform can be authenticated and have data served up to it based on security.

    Monday, June 29, 2009 5:56 PM
  • BTW: I have started a new thread because it seems as though Silverlight 3 has support for what I need to do:

    http://silverlight.net/forums/p/104785/239370.aspx#239370

    Monday, June 29, 2009 9:07 PM
  • We can use messageHeaders to check and authenticate the connection between the Silverlight and WCF service. Operation context of type System.ServiceModel holds the information for the current operation in client and service side. For sending messages from the client side we will use the OutgoingMessageHeaders of type System.ServiceModel.Channels.MessageHeaders and similarly for receiving header information in service side we will use IncomingMessageHeaders.
    Wednesday, February 17, 2010 5:23 AM
  • We can use messageHeaders to check and authenticate the connection between the Silverlight and WCF service. Operation context of type System.ServiceModel holds the information for the current operation in client and service side. For sending messages from the client side we will use the OutgoingMessageHeaders of type System.ServiceModel.Channels.MessageHeaders and similarly for receiving header information in service side we will use IncomingMessageHeaders. Suppose we want to send the username and password from the client and check in the service side we can use messageHeaders. Here in the client side we can create header with the CreateHeader function with the parameter CreateHeader(name as string,ns as string,value as object)

    Imports System.ServiceModel.Channels

    Dim PersonObj As New Person
    PersonObj.UserName = "Soumyap"
    PersonObj.Password = "Mindfire"
    Dim messageHeadersElementOutgoing As MessageHeaders = OperationContext.Current.OutgoingMessageHeaders
    messageHeadersElementOutgoing.Add(MessageHeader.CreateHeader("Authentication", "", PersonObj))

    http://www.mindfiresolutions.com/Communicating-between-Silverlight-and-wcf-service-using-MessageHeaders--644.php
    Wednesday, February 24, 2010 5:16 AM
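
    The post above shows only the client half of the header approach. The service-side check it describes, reading the "Authentication" header from IncomingMessageHeaders, is sketched here as an added example that is not code from the thread. The class names, the Person contract namespace and the use of the ASP.NET membership provider are assumptions.

```csharp
using System;
using System.Runtime.Serialization;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.Web.Security;
using System.Xml;

public static class HeaderAuth
{
    public const string HeaderName = "Authentication";   // header name used in the post
    public const string HeaderNamespace = "";            // header namespace used in the post
    // Hypothetical value: it must equal the data contract namespace of the
    // client's Person type, otherwise UserName/Password deserialize as null.
    public const string ContractNamespace = "urn:example:silverlight-auth";
}

// Assumed server-side mirror of the Person object the client puts in the header.
[DataContract(Name = "Person", Namespace = HeaderAuth.ContractNamespace)]
public class Person
{
    [DataMember] public string UserName { get; set; }
    [DataMember] public string Password { get; set; }
}

// Runs before every operation is dispatched. Register it in the service behavior:
//   <serviceAuthorization
//       serviceAuthorizationManagerType="MyNamespace.HeaderAuthorizationManager, MyAssembly" />
// (type and assembly names are placeholders).
public class HeaderAuthorizationManager : ServiceAuthorizationManager
{
    protected override bool CheckAccessCore(OperationContext operationContext)
    {
        // The header carries the password in clear text inside the SOAP envelope,
        // so refuse any request that did not arrive over HTTPS.
        // Behind an SSL-terminating proxy this check needs adapting.
        Uri via = operationContext.IncomingMessageProperties.Via;
        if (via == null || via.Scheme != Uri.UriSchemeHttps)
            return false;

        Person person = ReadCredentials(operationContext.IncomingMessageHeaders);
        if (person == null
            || string.IsNullOrEmpty(person.UserName)
            || string.IsNullOrEmpty(person.Password))
            return false;

        // Same credential store as userNamePasswordValidationMode="MembershipProvider".
        if (!Membership.ValidateUser(person.UserName, person.Password))
            return false;

        return base.CheckAccessCore(operationContext);
    }

    // Returns null when the header is missing, duplicated or malformed.
    private static Person ReadCredentials(MessageHeaders headers)
    {
        try
        {
            // FindHeader returns -1 when absent and throws when the header occurs twice.
            int index = headers.FindHeader(HeaderAuth.HeaderName, HeaderAuth.HeaderNamespace);
            return index < 0 ? null : headers.GetHeader<Person>(index);
        }
        catch (MessageHeaderException) { return null; }
        catch (SerializationException) { return null; }
        catch (XmlException) { return null; }
    }
}
```

    The manager only gates access; it does not set the caller's identity, and it applies to every endpoint of the service, including a mex endpoint.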