security model for .net smart clients (or even web)

  • Question


    I have been tasked to research on the possible security models that could be used in a smart client application for an application which we are developing. We are not talking about any implementation or low-level architecture right now, but we do want a conceptual view of the model.


    The whole situation can be described as follows:

    1. There is a winforms application (going to be developed) that would have authentication built in (no Windows authentication)

    2. Being a smart client application, it calls certain web services residing on the server.

    3. In many cases, the server will be in the intranet. However, since our company provides hosted solutions, there would be many cases where these web services are accessed over the internet. The same may be the case with reporting services, which could be hosted either on an intranet server or a remote server (although I don't have much clarity on how we are going to use reporting services yet)

    4. The application will be launched from another windows client application (which is written in Delphi & Interbase!). The login dialog will be as it currently is in the Delphi program (that means there will be only one login dialog, as it belongs to the parent program).

    5. However, the authentication & authorization for the new smart client application would be separate. That means, after the user logs into the Delphi program and launches this smart client, the smart client will once again authenticate the user and check for authorization as well, without requiring the user to enter their credentials again. This approach is preferable, however it is open for debate, as its feasibility and security aspects have not been studied yet. It's just a thought out of someone's mind.


    Now I am aware of the role-based security which .NET supplies, and it seems good to me. However, I would like to know if we have any other security models available that can be custom implemented or provided by any third party. I do not know much beyond the typical role-based security thing and would like to gather some information about different models and evaluate them in the context of my application.

    So basically, what are the popular security models that we have around today and which is suited for what?


    Also, how do we make web services communication secure? Is using SSL enough?

    Lastly, has anyone ever come across a situation as I mentioned in point 5 above? What do you think can be the best way to solve the problem? Or could you suggest an alternative approach?


    In case you are more aware of security models for web application, then do let me know so that I can see if it fits in for smart clients too with some or no tweaking.


    FYI, if it helps, we are building the application in VS 2008\.NET 3.5\SQL Server 2005 environment along with reporting services.


    Any suggestions, pointers or references would be highly appreciated.
    Tuesday, June 17, 2008 8:15 PM


All replies


    Hi Sparx,


    Consider using token-based security. Namely, an STS that spits out SAML tokens that can be cached on the client (like a Kerberos token but with open standards). Your web services can be secured with the wsFederationBinding and you can do access checks based on SAML assertions that contain claims.


    I have used that architecture in many projects already and it has proven to be successful.


    This post might give you a better idea (it shows a web client but it applies to smart clients as well)




    Tuesday, June 17, 2008 10:49 PM
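The reply above describes the token-based model in a few words. What follows is an added illustration, not code from the thread, from Matias, or from any WCF sample, of what that model means end to end: a hypothetical `MiniSts` authenticates the user once and issues a signed, short-lived token carrying role claims; the client caches the token and presents it on every call; a hypothetical `ReportService` verifies the signature and expiry, rebuilds a `ClaimsPrincipal` from the claims, and authorizes from the claims alone, never seeing a password. Assumptions: a shared HMAC key and a semicolon-delimited payload stand in for an X.509-signed SAML token and `wsFederationBinding`; `System.Security.Claims` is the .NET 4.5+ namespace rather than the .NET 3.5 toolset the question names; the user records, roles and key are constructed for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;

// Hypothetical security token service standing in for a SAML-issuing STS. A real STS signs
// with an X.509 private key; a shared HMAC key keeps this sample self-contained.
class MiniSts
{
    private readonly byte[] _key;
    private readonly Dictionary<string, (string Password, string[] Roles)> _users; // constructed store

    public MiniSts(byte[] key, Dictionary<string, (string Password, string[] Roles)> users)
    { _key = key; _users = users; }

    // Authenticate once, then issue a short-lived signed token carrying the user's claims.
    // From here on the client sends the token, never the password, to the services.
    public string Issue(string user, string password, TimeSpan lifetime)
    {
        if (!_users.TryGetValue(user, out var entry) || entry.Password != password)
            throw new UnauthorizedAccessException("bad credentials");
        long exp = DateTimeOffset.UtcNow.Add(lifetime).ToUnixTimeSeconds();
        byte[] body = Encoding.UTF8.GetBytes("sub=" + user + ";roles=" + string.Join(",", entry.Roles) + ";exp=" + exp);
        using (var hmac = new HMACSHA256(_key))
            return Convert.ToBase64String(body) + "." + Convert.ToBase64String(hmac.ComputeHash(body));
    }
}

// Hypothetical relying party: one of the web services the smart client calls.
class ReportService
{
    private readonly byte[] _key;
    public ReportService(byte[] key) { _key = key; }

    // Constant-time comparison so the signature check does not leak which byte differed.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    // Verify signature and expiry, then rebuild a ClaimsPrincipal from the token's claims.
    // Returns null for a malformed, forged or expired token.
    public ClaimsPrincipal Authenticate(string token)
    {
        string[] parts = token.Split('.');
        if (parts.Length != 2) return null;
        byte[] body, sig;
        try { body = Convert.FromBase64String(parts[0]); sig = Convert.FromBase64String(parts[1]); }
        catch (FormatException) { return null; }
        using (var hmac = new HMACSHA256(_key))
            if (!FixedTimeEquals(hmac.ComputeHash(body), sig)) return null;

        // Body is authentic at this point, so parsing it is safe.
        var fields = Encoding.UTF8.GetString(body).Split(';')
            .Select(f => f.Split(new[] { '=' }, 2)).ToDictionary(kv => kv[0], kv => kv[1]);
        if (long.Parse(fields["exp"]) < DateTimeOffset.UtcNow.ToUnixTimeSeconds()) return null;

        var claims = new List<Claim> { new Claim(ClaimTypes.Name, fields["sub"]) };
        claims.AddRange(fields["roles"].Split(',').Select(r => new Claim(ClaimTypes.Role, r)));
        return new ClaimsPrincipal(new ClaimsIdentity(claims, "MiniSts"));
    }

    // The access check is driven purely by claims in the token.
    public string ApproveReport(string token, int reportId)
    {
        ClaimsPrincipal principal = Authenticate(token);
        if (principal == null) return "401 token rejected";
        if (!principal.IsInRole("Approver")) return "403 " + principal.Identity.Name + " is not an Approver";
        return "200 report " + reportId + " approved by " + principal.Identity.Name;
    }
}

class Program
{
    static void Main()
    {
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key-not-for-production");
        var users = new Dictionary<string, (string Password, string[] Roles)>
        {
            ["alice"] = ("correct horse", new[] { "ReportViewer", "Approver" }), // constructed
            ["bob"] = ("battery staple", new[] { "ReportViewer" }),              // constructed
        };
        var sts = new MiniSts(key, users);
        var service = new ReportService(key);

        // The client authenticates once, caches the token, and presents it on every call.
        string aliceToken = sts.Issue("alice", "correct horse", TimeSpan.FromMinutes(30));
        string bobToken = sts.Issue("bob", "battery staple", TimeSpan.FromMinutes(30));
        Console.WriteLine(service.ApproveReport(aliceToken, 7)); // alice carries the Approver claim
        Console.WriteLine(service.ApproveReport(bobToken, 7));   // bob does not

        // A cached token whose body was altered no longer matches its signature, so it is rejected.
        string altered = Convert.ToBase64String(Encoding.UTF8.GetBytes("sub=bob;roles=Approver;exp=9999999999"))
                         + "." + bobToken.Split('.')[1];
        Console.WriteLine(service.ApproveReport(altered, 7));

        // A token past its expiry is rejected even though its signature is valid.
        string stale = sts.Issue("alice", "correct horse", TimeSpan.FromSeconds(-1));
        Console.WriteLine(service.ApproveReport(stale, 7));
    }
}
```

The property worth noticing for point 5 of the question is that the service trusts the token, not the caller's credentials: whoever obtained the token at login (the parent program or the smart client itself) can hand it on, and the smart client can call the services without prompting again. In the real design the same two checks (signature from the STS, not expired) are done by the WCF binding before the service code sees the claims, and the token lifetime bounds how long a cached token stays useful.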
  • Many thanks Matias.

    The concept looks interesting. I'll go through the post and come back to you if I have any questions.


    In the meantime, I'll look forward to other users who can suggest something to me.


    Wednesday, June 18, 2008 1:15 PM
  • Hi Matias


    I have been looking at the WCF security model the way you suggested and I am really liking it.

    I am very new to WCF and still learning it. I have some questions which may sound dumb, but I would appreciate it if you could help me in this regard:


    I have seen many examples available online, theory, articles and everything. I do have more or less a clear big picture of the thing now. But I am not able to drill things down to my specific requirement.

    Basically, I would use forms authentication on my smart client. That means I would validate the user names and passwords stored in my database, and then use this authentication to access the application further.

    Can you point me to a simpler example on web which does just this? Or could you list down the steps in brief?


    Also, I am not sure yet how exactly I issue a SAML token from an STS. Code samples out there are too complicated for me to fully understand at this point.


    Any help would be appreciated. Thanks.
    Thursday, June 19, 2008 5:51 PM
  • STS is quite complex, I understand. I suggest you do this hands-on lab, which will give you a better idea of the STS architecture.

    Saturday, June 21, 2008 7:51 PM
  • Thanks Matias. This would really help me a lot.
    Sunday, June 22, 2008 7:53 PM
  • Also you will find the new Identity framework "zermatt" (in Beta) will make all this easier. Blogged about it here:

    Saturday, July 12, 2008 2:49 PM
  • Thanks Matias. Sorry for replying so late but I must say that is very nice of you to provide that information.
    Thursday, October 16, 2008 5:10 PM