top-silverlight | Just another WordPress weblog

Archive for June 2010

Jun/10

29

RIA Services and Authentication

Authentication is the third in a series of posts covering the key concepts of RIA Services using the Book Club application to dig deeper and go beyond the basics. Links to the first two posts on validation and authorization as well as an overview of the application/source code are at the end of this post.

Authentication Overview

As with authorization, RIA Services provides a higher-level programming model and an out-of-the-box but extensible solution. Authentication answers the question:

"Do these credentials represent a valid user?"

Credentials might be a user name and password, or any other piece of data that can be used to verify that users are who they say they are. Generally, a side effect of authentication is to produce a representation of the user, usually an IPrincipal, and to establish an authenticated session for the client to use in making subsequent requests.

RIA Services defines an authentication service as a domain service that implements IAuthentication<TUser>, where TUser is the application’s notion of a user that brings together identity, roles and settings that span across client and server.

RIA Services also provides an out-of-the-box implementation based on the standard ASP.NET membership, roles and profile infrastructure services. If you use the business application template, this is all set up for you by default. However, RIA Services also lets you implement your own authentication service when you want to use your own custom credential store, or a different authentication mechanism such as OpenID.

This post covers using authentication and the User object on client and server, as well as building a custom forms authentication service that works against the application’s data model.

Using Authentication on the Client

Login Control
I created an inplace-LoginControl with a number of visual states (Unauthenticated, CredentialInput, Authenticating and Authenticated) as shown here.

Authentication functionality is accessed through a class called WebContext on the client. WebContext represents the functionality provided by the home web server to the client application. This is how WebContext is initialized in the application:

[Full post continued here...]


As I write this in my hotel room now on the eve of me leaving the state of Arizona, I am left with mixed emotions.  Most of them frankly are deeply personal which I’ll spare you the details.  However, it is here – specifically in the Phoenix metro area – that I grew the most technically. 

NOTE: Yes there are some Microsoft employees that live outside of the ivory towers of Redmond.  However, and to be frankly honest, when you work for a product team — *currently* – it is fair to say that growth could be limited when you aren’t near the decision makers.  It is for this reason that I’ve decided to relocate.

Allow me to reminisce a bit…

Out of college I actually worked for my fraternity (Delta Chi for those interested).  I was immensely interested in educational leadership and traveled the northeast area of the country visiting undergraduate and alumni organizations to share my knowledge learned in the world of educational leadership.  It was through a freak accident…getting lost in Pittsburgh while trying to find Duquesne where my life took a twist.  I wasn’t paying attention and ran a red light in an intersection.  My car was met by another – otherwise known as ‘getting t-boned.’  Both of us survived fine although my car did not.  Through a series of other events within weeks I quit that job and was left jobless and headed back to Arizona where I had to beg my father for help (not really, my parents are great).  I also had met a lady that had really caught my attention.  I wanted to marry her quickly.  With no job, no prospects and no home, I asked her parents for her hand in marriage.  Yeah, I know. 

Anyway, I took a temp job with FHP Healthcare in Arizona (an HMO) doing data entry during their busy season (open enrollment).  I was informed that I was the 4th temp they brought in in as many days and they were way behind in the applications.  If I couldn’t cut it they weren’t going to wait.  I found this to be odd because data entry seemed really simple to me. 

SIDENOTE: My father was a programmer and always involved in IT.  I lived around it.  He brought home his ‘portables’ (basically a 27-inch TV dumb terminal) a lot and I was always around it.  I pretty much grew up around computers although never really programmed them much beyond BASIC.

Before lunch on that first day I had completed the stack that was provided me…about 1500 applications if I recall.  I told my supervisor who effectively called ‘BS’ on me and went to verify my work.  She was amazed and brought me in to the big boss’ office.  He asked why I was working as a temp and what my skills were.  Of course, my degree in Criminal Justice didn’t shine for an IT job, but he saw something in me.  He took a chance that I’ve been grateful for ever since (thanks Charles!).  That week I was offered a full-time job as a junior analyst for the sales and marketing systems and worked under the wing of a programmer (our system was PowerBuilder at the time).

Fast-forward about 2 years I got the chance to join a consulting company, one of the biggest/best in the valley in Phoenix.  To date, it still has been the most fun place to work.  Ah the days of ordering random crap on Skymall to “test” the e-commerce updates (our company built their first site).  It was there that a group of us started to host impromptu meet-ups of like-minded geeks in the Microsoft world…’user groups’ as I would learn them to be called.  Some more driven folks like Scott Cate and Dan Wahlin put some more structure, organization and ‘official-ness’ behind them and the Arizona .NET User Group was formed a long while ago.  I’ve been involved in some way ever since.  I have fond memories of organizing and participating in DevDays events, working with partners and customers, building some of the most unused systems for large companies :-) , and just having loads of fun working with great people.

It is through community that I’ve learned so much of what I know and, perhaps more importantly, what I don’t know.  My paths and aspirations eventually brought me to Microsoft about 5 or so years ago and here I stand now – headed to the mothership to be closer to my team.

I’m immensely grateful for those in the Arizona technical community that I’ve met and learned from over the years.  There are a lot of smart people here (well I think they are smart but I still can’t figure out why we all sit in the 115F temperatures!!!) that I admire a lot.  Whether it be Microsoft technologies, Linux user groups, Ruby, whatever the tech, I’ve learned a lot and I thank you.

The decision to leave Arizona was much more challenging on personal levels, of course, but along with my personal friends exists my ‘professional’ ones who I’ve had just as much fun with over the years.  I’m not sure if my paths will bring me back to Arizona in the near future, but until then – thank you Arizona.

I’m still working with Silverlight, still working with the community and hopefully taking a broader feature role in the coming versions.  My responsibilities haven’t really changed, but some were questioning my move so I thought I’d drop a note.  In a nutshell to Silverlight folks: your feedback has a smaller distance to travel from my inbox/blog/forums to those who make decisions!



I just got back from speaking/attending the Norwegian Developers Conference in Oslo, Norway.  It was a great time and a well run conference.  Like many other conferences I found myself looking for two things I wanted on my mobile: the schedule and a map/guide for the city (I’ve never been to Oslo).  You see every time I take a trip, here’s what I do:

  1. Search for an app that contains the schedule (or offline version).  Ideally allows me to build my schedule and gets updates for changes
  2. Find the metro/map/guide for the city because I know I’ll be lost.

Rinse, repeat.  I do this every conference, trip.  And then I end up with a multitude of apps installed that are single purpose throw-away.  Seesmic Desktop platform has spoiled me in thinking of this eutopia of a single-purpose shell which can have pluggable content.  For Seesmic, this is my ‘social media’ shell.  But I want more now.

You see, at MIX10 there was a great mobile app that was created by Chris Hardy.  It was written in MonoTouch, nonetheless!  It pretty much did everything I would want in a conference app.  But after MIX it is kind of dead.  Uninstall. (Yes I know it looks like someone repurposed the app for a REMIX event, but same purpose…delete.).  Same thing after my trip to Berlin last year.  After that trip I didn’t need the metro rail map anymore.  Delete.

But then I head to Norway.  I want the Oslo guide/metro schedule.  I want a conference app.  There is both, but again they are separate apps.  Is my vision that far off?

I have been bugging Chris to modify his app to be more of a shell.  I like everything about the structure and think he should make it a basic “Mobile Conference Guide” app – enabling conference providers to publish a feed of their data and personalization (i.e., for background, icons, etc).  As an end user I would have one app installed.  I could then launch the app and (perhaps) browse a catalog of known events (organizers can publish to a specific feed location) or enter a URL to a conference feed that conforms to the data specification.  I don’t care if that data specification is OData, RSS, whatever – just have the app define a standard.  What conference provider wouldn’t love to just worry about providing data and not worry about providing the app?!  Am I way off here?

Same goes for travel guides (I’m guessing this one is out there and I’m just not finding it).  I have an app called “Metro” that allows me to subscribe to metro/public transportation for various cities in a singular app.  That’s great, but what about city guide information?  Restaurants?  Museums, etc.  I want more.  You know I want the Rick Steves travel app (does it exist and I’m just an idiot) with in-app purchases for more guides for other cities…all offline.

Anyhow, just a rant as I uninstall, yet again, two very useful apps after a trip.  Please bombard Chris with requests :-) .



This work is licensed under a Creative Commons Attribution By license.



Jun/10

18

This blog has moved…

I’ve returned my blog to its original URL:

http://adamkinney.com/blog/

Thanks for following!

Adam Kinney

Jun/10

16

RIA Services and Authorization

This post digs deeper into the Book Club application from the perspective of the authorization feature of RIA Services. You can check out more information about the application via its associated table of contents post.

The post covers how the out-of-box authorization rules can be applied, how custom rules can be implemented, how custom rules can use additional bits of information in their implementation, and how client-side UI can be customized to account for authorization.

The sample application has been updated, so you might want to download the latest release of the code from the RIA Services Essentials project on CodePlex or browse the checkin history.

Authorization and validation share a lot of common concepts and patterns, so the deep dive into validation with RIA Services might be particularly interesting.

Authorization Overview

Authorization allows you to secure operations and data in your application based on the authenticated user. It essentially answers the question:

"Can X do Y [with Z]?"

where X is the user (the subject), Y is the operation (the verb), and optionally, Z is the entity being operated upon (the object). In RIA Services, each authorization rule encapsulates a specific question that you can associate your services and its operations with. These rules help create a more complete picture of the domain or application semantics that are being encapsulated within a domain service. Rules are associated with operations as metadata attributes that derive from AuthorizationAttribute.

[Full post continued here...]


In the Silverlight world, there are two types of “cross-domain” things that may leave some banging their head against a wall for a while.  The first involves making network-based calls (WebClient, HttpWebRequest, etc) to services hosted on a domain other than the one that is the site of origin for the XAP.  This is solved by ensuring the service provider enables a clientaccesspolicy.xml file for their service.  More information here: Cross Domain Policy Files with Silverlight.

NOTE: “site of origin” is a term you might see a lot with regard to Silverlight.  This refers to the URI domain of the Silverlight XAP file.  For example: http://apps.mysite.com/sources/coolapp.xap might be a URI that you have for an app.  The site of origin in this is apps.mysite.com (more specifically it is actually the entire URI usually when people refer to this term).  This might help when you read things about cross-domain issues.

The second issue is one of hosting Silverlight applications (XAPs) on your site that are from a different domain.  What I mean here is that your site (www.coolwebapp.com) has an <object> tag for the Silverlight plugin that has the Source parameter set to apps.anothersite.com/foo.xap.  This is essentially the cross-domain hosting situation.  What happens in this situation is that the plugin loads but the app does not, presenting just a big blank space where the app should be.

A recent head-banger sent me a note and I sent him my items to check on how to solve this.  I thought I’d share.  When I see issues with this, I normally tell people to check for one (or more) of three things:

HTML Access

If the Silverlight application is doing anything to work with the HTML DOM of your hosting page, this is the first place to look.  Don’t know if this is happening?  If the Silverlight application uses System.Windows.Browser anywhere it likely does.  By default the tools and templates from Visual Studio generate the bare minimum <object> tag.  There is one property of the plugin, EnableHtmlAccess, that is set (essentially) to true for same-domain applications.  However, for cross-domain applications, you will need to opt in by adding this parameter to the <object> tag:

   <object data="data:application/x-silverlight-2," type="application/x-silverlight-2">
     <param name="source" value="http://apps.somesite.com/foo.xap"/>
     ...
     ...
     <param name="enableHtmlAccess" value="true" />
   </object>

By doing this, you are granting the XAP access to the HTML DOM of the hosting page.  Don’t say I didn’t warn you.

XAP MIME type

When the plugin loads a XAP from another domain, it checks what the MIME type is.  If it is not a valid Silverlight type, it won’t load the app.  This is a security mitigation.

If you are loading a cross-domain XAP, make sure the site delivering the XAP is delivering it with the appropriate MIME type: application/x-silverlight-app.  By default this is set in IIS7/Windows 2008, but not in IIS6/Windows 2003.  You can put this on the server level or the application level…wherever you feel comfortable, just as long as it is delivering it with the XAP. 

Obviously on non-Windows servers, this will not be set at all regardless of the version.  If you are getting a XAP from a Linux/Apache server for instance, the server administrator will want to add the type.  This is simple and you can do it at the global level in the mime.types file.  Or on a per-site basis you can do it by editing the .htaccess (or creating one) in the directory level that will serve the XAP and add:

   AddType application/x-silverlight-app xap

If you are using a CDN like Azure or Amazon S3 or something else and they don’t have the type associated, you will need to be creative.  Most CDNs enable you to set the MIME type (or Content-Type) on the file during upload.  For Azure, Silverlight should already be there.  For something like S3, tools like CloudBerry Explorer enable this feature for you (and actually already have a list of types built-in to their tool).

This situation (identifying the MIME type) can be quickly tested using a tool like Fiddler to see what response and Content-Type are being delivered.  Fiddler is an indispensable tool…go get it, it’s free.

ExternalCallersFromCrossDomain

This is the black hole property right here.  This one is probably a last resort for most.  This property, in the Deployment node of your AppManifest.xaml file, controls JavaScript and HTML DOM access to scriptable objects defined in the XAP.  Like EnableHtmlAccess, for same-domain situations the setting is irrelevant, but in cross-domain hosted XAPs, the default is the NoAccess option.

To enable this you’ll need to manually edit the AppManifest.xaml file to add the ExternalCallersFromCrossDomain attribute.  There are two values: NoAccess (default) and ScriptableOnly.  You’d want to *add* the attribute and set it to ScriptableOnly.

   <Deployment xmlns="http://schemas.microsoft.com/client/2007/deployment"
               ExternalCallersFromCrossDomain="ScriptableOnly" .../>

REMEMBER: This is only if you need to.  Read the documentation to see if this applies to your scenario.

Summary

Sometimes debugging this stuff can be tricky.  Having the tools and knowledge makes this easier to track down.  Not all situations involve multiple of the above and if none of them fix it, then you might have another issue.  Hopefully this helps provide some places to look.
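The three checks above can be run as a small audit over a hosting page and a captured XAP response, which also shows which pages grant a third-party XAP access to their DOM. This is an added example, not code from the original post; the function names, finding labels and sample data are assumptions, and "site of origin" is simplified to host and port.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlparse


class ObjectTagParser(HTMLParser):
    """Collect the <param> name/value pairs of every Silverlight <object> tag."""
    def __init__(self):
        super().__init__()
        self.objects, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "object" and "silverlight" in (a.get("type") or "").lower():
            self._current = {}
        elif tag == "param" and self._current is not None:
            self._current[(a.get("name") or "").lower()] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "object" and self._current is not None:
            self.objects.append(self._current)
            self._current = None


def external_callers(xap_bytes):
    """Read ExternalCallersFromCrossDomain from AppManifest.xaml inside a XAP (a ZIP)."""
    with zipfile.ZipFile(io.BytesIO(xap_bytes)) as xap:
        root = ET.fromstring(xap.read("AppManifest.xaml"))
    return root.attrib.get("ExternalCallersFromCrossDomain", "NoAccess")


def audit_page(page_url, page_html, responses):
    """Findings per cross-domain XAP; responses maps XAP URL -> (Content-Type, body)."""
    parser = ObjectTagParser()
    parser.feed(page_html)
    findings = []
    for params in parser.objects:
        source = params.get("source", "")
        xap_host = urlparse(source).netloc.lower()
        if not xap_host or xap_host == urlparse(page_url).netloc.lower():
            continue  # same site of origin (simplified here to host:port)
        content_type, body = responses[source]
        if content_type.split(";")[0].strip().lower() != "application/x-silverlight-app":
            findings.append((source, "wrong-mime"))  # plugin will not load the app
        if params.get("enablehtmlaccess", "").lower() == "true":
            findings.append((source, "dom-access-granted"))  # XAP may use the host DOM
        if external_callers(body) == "ScriptableOnly":
            findings.append((source, "scriptable-exposed"))  # page script may call the XAP
    return findings


def build_sample_xap(extra_attr=""):
    """Constructed sample: a minimal XAP holding only AppManifest.xaml."""
    manifest = '<Deployment xmlns="http://schemas.microsoft.com/client/2007/deployment" %s/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AppManifest.xaml", manifest % extra_attr)
    return buf.getvalue()


# Constructed sample input; the host names are the placeholders used in the post.
SAMPLE_URL = "http://www.coolwebapp.com/index.html"
SAMPLE_HTML = """<object data="data:application/x-silverlight-2," type="application/x-silverlight-2">
  <param name="source" value="http://apps.anothersite.com/foo.xap"/>
  <param name="enableHtmlAccess" value="true" />
</object>"""
SAMPLE_XAP = build_sample_xap('ExternalCallersFromCrossDomain="ScriptableOnly"')
SAMPLE_RESPONSES = {"http://apps.anothersite.com/foo.xap": ("application/octet-stream", SAMPLE_XAP)}

if __name__ == "__main__":
    print(audit_page(SAMPLE_URL, SAMPLE_HTML, SAMPLE_RESPONSES))
```

For the sample page it reports the wrong MIME type first, which is the finding that explains a blank plugin area, followed by the two access grants that deserve review before a third-party XAP is hosted.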


Earlier this week, I published the RIA Services Essentials project on CodePlex to share some sample code. The first sample included is an updated version of the Book Club application.

This application has become sort of a reference application. It was written to demonstrate some aspects of writing a semi-real-worldish application (note that it is still very much a demo app), but more importantly, demonstrating how you can use RIA Services effectively by going beyond the basics. As such, it isn’t meant to be a HelloWorld app, which I agree would be useful. This post is a sort of guide for what is in the sample.

Here is a list of what the application demonstrates:

  • Entity framework data model with one-to-many and many-to-many relationships as well as use of stored procedures
  • Local data model augmented/mixed with a web service-based data model (in this case Amazon).
  • CRUD and more (queries, insert, update, delete, as well as named update methods, and invoke methods)
  • Use of convention and configuration for identifying CRUD operations
  • Validation (field level, entity level, operation level, change-set scoped, server-only validation, async validation)
  • Custom authentication (i.e. using your DAL/user table, rather than asp.net membership)
  • Authorization (including custom authorization rules)
  • Using authentication service and your User object in server code
  • Usage of DomainServiceFactory
  • Exposing reference data
  • Presentation model for defining custom (non-DAL) types for use between client and server
  • Shared code between client and server for validation rules
  • Query limits, and caching
  • Using RIA Services with MVVM on the client
  • Adding computed properties on Entities on the client along with propagation of change notifications
  • "More" style paging (as seen for example on twitter.com)
  • Display of pending changes, validation errors
  • Reference data used to fill lookup dropdown lists.

[Full post continued here...]

Today (7-Jun-2010) at Information Week in New York, Microsoft announced the general availability of Expression Studio 4 which includes upgraded versions of Expression Blend (including Sketchflow), Encoder, Web (including SuperPreview) and Design.

You can find out the details of each product and download a trial at http://www.microsoft.com/expression right now.

With this release comes a free Upgrade for licensed version 3 (Studio or Web) users!  All you need to do is install the trial version of v4 on top of your licensed version of Expression Studio 3 or Expression Web 3 and the installer will find your license and upgrade it to the full v4 product with no expiration.  This applies to customers who received their software through retail channels or electronic software download direct.  For customers who have broader license agreements (i.e., MSDN, WebsiteSpark, BizSpark) you should install the product using the software provided from your program site.

Here’s a quick break-down list of what’s new in this release:

Expression Blend 4 New Features include:

  • VS2010 compatibility
  • Windows Phone support
  • Deeper Adobe Photoshop import (layer effects)
  • New behaviors & conditional behaviors
  • Enhanced sample data support
  • Listbox path layout for designing with data
  • Pixel Shader effects (including animations)
  • Easier styling and customization
  • Model View View-Model support
  • Mockup controls for SketchFlow

Expression Web 4 New Features include

  • SEO Reporting from inside of the application
  • New extensibility model enables creating add-ins with HTML, JS, and CSS
  • New SuperPreview online service beta for browser compatibility testing now supports Macintosh Safari

Expression Encoder 4 Pro New features include

  • Live Smooth Streaming (VC-1 & H.264)
  • New H.264 encoder from MainConcept
  • Enhanced Screen Capture
  • DRM (PlayReady) for Live Content

This is an awesome release for XAML, web and media developers creating interactive solutions. 

NOTE: If you are developing in Silverlight for Windows Phone 7 and need/want to use Blend for this, do not install the released version of Expression Studio 4. You must continue to use the Blend 4 Beta and Add-in Preview for Windows Phone. This Beta will be refreshed with each Phone SDK pre-release and will be unified with released Blend 4 in a service pack which will release when the Windows Phone SDK releases.

There will be a bunch of information coming out about these features and tutorials by the Expression team along with videos, etc.  I would keep an eye on Adam Kinney’s site for details on some of this information.  As the Expression Evangelist, Adam is a ‘must subscribe’ resource that you should have in your toolbox!  So go check out an overview of Expression Studio 4 and get the trial!

Hope this helps!


Announcing a CodePlex project with RIA Services sample apps and extensions…
[Full post continued here...]

The feedback from the Silverlight 4 application themes released and the latest in process has been overwhelmingly toward the positive.  We appreciate the feedback and hopefully you appreciate the transparency in the process.  As a developer I want my fellow brethren to appreciate good design and use it whenever possible … even as a default if you don’t have designers on board.

In the initial release we had some issues getting the RIA Services ones out at the same time but we’ve got those finished now for Silverlight 4 Business Application Template. 

Download the refreshed Silverlight 4 themes (including RIA Services templates) here.

NOTE: If the page still says version 1.0, then refresh a while or wait a bit.  Seems our servers have been having a bit of caching issues lately.

At the link above you’ll find 3 files to download:

  • README_FIRST.txt – please read this :-) but basically I’m writing the same thing here.
  • SL4Themes-templates.zip – this includes a folder for Expression Blend and Visual Studio templates.  The VS folder also has a sub-folder for the RIA Services templates.
  • SL4Themes-rawassets.zip – this is another (optional) zip that includes the resource dictionaries for each template on their own without any Silverlight project.

We had an issue with the VSIX format (VSIX is the community installer format for Visual Studio to make deployment of things like templates a bit easier) and the RIA Services templates, so for now it is a manual copy process (see the README_FIRST file for location).  Thanks to Corrina, Tsitsi and Deepesh for their help in refreshing these templates!

ETA on the new template will be a few weeks.  I’ll post updates of the progress likely on my Twitter feed.

Hope this helps!
