Visual Studio Connections November 1-4, 2010 Las Vegas, NV

VSC01 Securing WPF Client Applications

Brian Noyes IDesign Inc (www.idesign.net) [email protected] @briannoyes

About Brian

Chief Architect, IDesign Inc. (www.idesign.net)
Regional Director (www.theregion.com)
Microsoft MVP, Connected Systems

Publishing
• Developing Applications with Windows Workflow Foundation, LiveLessons training DVD, June 2007
• Smart Client Deployment with ClickOnce, Addison Wesley, January 2007
• Data Binding in 2.0, Addison Wesley, January 2006
• MSDN Magazine, MSDN Online, CoDe Magazine, The SilverlightShow, The Server Side .NET, asp.netPRO, Visual Studio Magazine

Speaking
• Microsoft TechEd US, Europe, Malaysia, Visual Studio Connections, DevTeach, INETA Speakers Bureau, MSDN Webcasts

E-mail: [email protected]
Blog: http://briannoyes.net
Twitter: @briannoyes

Copyright © 2010 Brian Noyes

Agenda

• .NET Security Overview
• Membership and Role Providers
• Client Application Services
• Code Access Security
• ClickOnce Security
• WCF Client Security

Security Concerns

• Authentication
  ● Client and services
• Authorization
  ● Client and services
• Application protection
  ● Restrict what the application can do on the machine
  ● CAS-based
  ● Affects ClickOnce and WPF Browser apps
• Service message protection
• Intellectual property protection
  ● Obfuscation

Security

• WPF has no separate security mechanisms of its own
• Leverage the existing security mechanisms of the .NET Framework
  ● Code Access Security (CAS)
  ● Role-based security
  ● ASP.NET security providers
    • Membership
    • Roles
  ● Client Application Services
  ● ClickOnce partial trust
• May need to call a remote web service to authenticate
  ● WCF has built-in authentication mechanisms that can work against many different kinds of credential stores
• May need to disable portions of the UI based on roles
  ● Thread.CurrentPrincipal.IsInRole()

Principal

• Principal implements IPrincipal
  ● System.Security.Principal

    public interface IPrincipal
    {
        IIdentity Identity { get; }
        bool IsInRole(string role);
    }

• An object representing identity and role(s) information
  ● Everything you need to know to make an authorization decision
• Every thread has a principal
• Available implementations
  ● GenericPrincipal
  ● WindowsPrincipal

Principal

• Every thread has a principal

    public class Thread
    {
        public static IPrincipal CurrentPrincipal { get; set; }
        // More members
    }

• Can discover the user name and whether the user is authenticated
  ● Without authentication, role-based security is meaningless

    IPrincipal principal = Thread.CurrentPrincipal;
    string userName = principal.Identity.Name;
    bool isAuthenticated = principal.Identity.IsAuthenticated;

Principal

• IPrincipal provides access to the user identity via IIdentity

    public interface IIdentity
    {
        string AuthenticationType { get; }
        bool IsAuthenticated { get; }
        string Name { get; }
    }

• Available implementations
  ● GenericIdentity
  ● WindowsIdentity
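The three Principal slides above, worked through as an added example (not code from the slides): a GenericPrincipal is placed on the thread after a login that is assumed to have happened elsewhere, and a WPF action is gated on IsAuthenticated plus IsInRole. ClientAuthorization, SignIn, SignOut and CanPerform are names chosen here.

```csharp
using System;
using System.Security.Policy;
using System.Security.Principal;
using System.Threading;

// Added example (not from the slides). Authentication is assumed to have already
// succeeded elsewhere (Membership, Client Application Services, a WCF login call);
// this class only establishes the principal and answers authorization questions.
public static class ClientAuthorization
{
    // Thread.CurrentPrincipal is per thread. Worker threads created later bind to
    // the AppDomain default principal, so set that too. Both setters demand
    // SecurityPermission(ControlPrincipal) and so fail in partial-trust ClickOnce apps.
    public static void SignIn(string userName, string[] roles)
    {
        var identity = new GenericIdentity(userName, "Custom");
        var principal = new GenericPrincipal(identity, roles);
        Thread.CurrentPrincipal = principal;
        try
        {
            AppDomain.CurrentDomain.SetThreadPrincipal(principal);
        }
        catch (PolicyException)
        {
            // A default principal was already set in this AppDomain; SetThreadPrincipal
            // may be called only once. The current thread was still updated above.
        }
    }

    // Anonymous principal: an empty name makes IsAuthenticated false, and it holds no roles.
    public static void SignOut()
    {
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
    }

    // Drives IsEnabled/Visibility of a command or control. IsAuthenticated is checked
    // first: without authentication a role claim on the principal means nothing.
    public static bool CanPerform(string requiredRole)
    {
        IPrincipal principal = Thread.CurrentPrincipal;
        return principal != null
            && principal.Identity.IsAuthenticated
            && principal.IsInRole(requiredRole);
    }
}
```

In a WPF view model, return CanPerform("Administrators") from a command's CanExecute so the bound button disables itself for users outside that role.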

ASP.NET Security Provider Model

Diagram (reconstructed from the slide): ProviderBase is the common base class of both provider types.
• ProviderBase
  ● RoleProvider: Sql Server, Authorization Store, Windows Token
  ● MembershipProvider: Sql Server, Active Directory

Membership provider

• Can obtain the configured provider from Membership

    public static class Membership
    {
        public static string ApplicationName { get; set; }
        public static MembershipProvider Provider { get; }
        public static bool ValidateUser(string userName, string password);
        // Additional members
    }

• Can use Membership directly as shorthand

Role provider

• Can obtain the configured provider from Roles

    public static class Roles
    {
        public static string ApplicationName { get; set; }
        public static string[] GetRolesForUser(string username);
        public static bool IsUserInRole(string username, string roleName);
        public static RoleProvider Provider { get; }
        // Additional members
    }

• Can use Roles directly as shorthand

Membership and Role configuration

• system.web section of the config file
• membership element
  ● Specify the app default provider
  ● Provide a collection of named providers
• roleManager element
  ● Enable to turn on roles
  ● Specify the app default provider
  ● Provide a collection of named providers

Leveraging Membership and Roles

• Can use directly in the client against a store reachable from the client
• WCF service calls can be authenticated and authorized via ASP.NET providers
• Client Application Services provides client implementations of the providers that use service calls to authenticate against a remote service/store

Client Application Services

• Declarative / configuration-based approach
• Uses client implementations of the membership / role providers
  ● They make ASP.NET Web Service calls to an IIS-hosted service
  ● The service does the actual authentication and role lookup and returns the results to the client
• Establishes a role principal on the client for authorization checks
• Also supports profiles (user prefs)

Client Application Services

• Create an ASP.NET site that will be called to authenticate the user
  ● Configure it to answer Client Application Services calls
• Enable Client Application Services in the client app
  ● Configure the addresses for the services
• Log in the user
• Use the Membership and Role providers in client code as needed
• Or use the Principal on the thread
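The login and authorization steps of this procedure, and the Membership/Roles shorthand from the earlier slides, as an added example (not code from the slides). It assumes app.config already names ClientFormsAuthenticationMembershipProvider and ClientRoleProvider as the default providers; ClientServicesSession and its members are names chosen here.

```csharp
using System;
using System.Security.Principal;
using System.Threading;
using System.Web.ClientServices.Providers;
using System.Web.Security;

// Added example (not from the slides). Assumes the client app.config registers
// ClientFormsAuthenticationMembershipProvider and ClientRoleProvider as the default
// membership and role providers, pointing at the server's Authentication_JSON_AppService.axd
// and Role_JSON_AppService.axd endpoints (step 2 of the procedure above).
public static class ClientServicesSession
{
    public static bool Login(string userName, string password, bool rememberMe)
    {
        var provider = Membership.Provider as ClientFormsAuthenticationMembershipProvider;
        if (provider == null)
            throw new InvalidOperationException("Client Application Services membership provider is not configured.");

        // The password is sent to the authentication service; refuse a clear-text endpoint.
        var serviceUri = new Uri(provider.ServiceUri);
        if (serviceUri.Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException("Authentication service must use HTTPS: " + serviceUri);

        // The service performs the actual check. On success the provider replaces
        // Thread.CurrentPrincipal with a ClientRolePrincipal whose roles come from
        // ClientRoleProvider (fetched on first use and cached for cacheTimeout seconds).
        // rememberMe persists the authentication cookie across runs; keep it false on shared machines.
        return provider.ValidateUser(userName, password, rememberMe);
    }

    // Role check for enabling/disabling UI. Equivalent to Roles.IsUserInRole(role)
    // for the logged-in user, but goes through the principal like the rest of .NET.
    public static bool IsInRole(string role)
    {
        IPrincipal principal = Thread.CurrentPrincipal;
        return principal != null
            && principal.Identity.IsAuthenticated
            && principal.IsInRole(role);
    }

    // Ends the authenticated session through the service.
    public static void Logout()
    {
        var provider = Membership.Provider as ClientFormsAuthenticationMembershipProvider;
        if (provider != null)
            provider.Logout();
    }
}
```

The client project needs a reference to System.Web.Extensions (and System.Web for Membership); the server's web.config must enable the authenticationService and roleService under system.web.extensions for these calls to be answered.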

Code Access Security

• Intricate system that determines what a managed application can do based on
  ● Who created it
  ● Where it is running
• Greatly simplified in .NET 4

ClickOnce Security

• Can deploy apps with ClickOnce with partial trust
  ● Specific set of granted permissions
  ● App runs in a constrained AppDomain
• Can specify trusted publishers based on the publisher certificate
  ● Avoids user prompting on install
• WPF Browser Apps
  ● Really ClickOnce deployed
  ● Partial trust by default
    • Based on launch location
  ● Can run full trust
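How a partial-trust ClickOnce or WPF Browser app can find out what it was granted before it tries a privileged operation, as an added example (not code from the slides). TrustProbe and its members are names chosen here; the project needs a reference to System.Deployment.

```csharp
using System;
using System.Deployment.Application;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Added example (not from the slides): detect the trust level a ClickOnce-deployed
// WPF app was launched with and probe one specific permission before using it, so
// the UI can disable the feature instead of failing with an unhandled SecurityException.
public static class TrustProbe
{
    // True when launched through ClickOnce (from a URL or network share).
    public static bool IsClickOnceDeployed
    {
        get { return ApplicationDeployment.IsNetworkDeployed; }
    }

    // .NET 4: true only when the AppDomain's grant set is FullTrust. A partial-trust
    // ClickOnce app, or a browser app launched from the Internet zone, returns false.
    public static bool IsFullTrust
    {
        get { return AppDomain.CurrentDomain.IsFullyTrusted; }
    }

    // Demand() walks the stack against the grant set declared in the ClickOnce
    // manifest. Internet/Intranet zone grants do not include FileIO to arbitrary
    // paths, so this returns false there and true under full trust.
    public static bool CanWriteTo(string path)
    {
        try
        {
            new FileIOPermission(FileIOPermissionAccess.Write, Path.GetFullPath(path)).Demand();
            return true;
        }
        catch (SecurityException)
        {
            return false;
        }
    }
}
```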

WCF Client Security

• Client needs to provide credentials to the service
• Windows security
  ● If secured with Windows and inside the firewall, happens automatically
    • Process identity collected by the WCF stack
  ● If outside the firewall, can pass a domain-qualified username/password explicitly
    • ClientBase.ClientCredentials.Windows
• Username credentials
  ● Can pass username/password via the proxy
    • ClientBase.ClientCredentials.UserName
• Client does not automatically establish a security context
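The two credential paths on this slide, as an added example (not code from the slides). IOrderService, OrderServiceClient, WcfClientCredentials and both endpoint URLs are placeholders standing in for a real service and its generated proxy.

```csharp
using System;
using System.Net;
using System.ServiceModel;
using System.ServiceModel.Channels;

// Added example (not from the slides). IOrderService, OrderServiceClient and the
// endpoint URLs are placeholders standing in for a real service and generated proxy.
[ServiceContract]
public interface IOrderService
{
    [OperationContract]
    string Ping();
}

public class OrderServiceClient : ClientBase<IOrderService>, IOrderService
{
    public OrderServiceClient(Binding binding, EndpointAddress address) : base(binding, address) { }
    public string Ping() { return Channel.Ping(); }
}

public static class WcfClientCredentials
{
    // Inside the firewall: Windows credentials. With message security the WCF stack
    // picks up the process identity by itself; set ClientCredentials.Windows only when
    // the call must run as a different, domain-qualified account.
    public static OrderServiceClient CreateWindowsClient(string user, string password, string domain)
    {
        var binding = new WSHttpBinding(SecurityMode.Message);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.Windows;
        var client = new OrderServiceClient(binding, new EndpointAddress("http://orders.internal/OrderService.svc"));
        if (!string.IsNullOrEmpty(user))
            client.ClientCredentials.Windows.ClientCredential = new NetworkCredential(user, password, domain);
        return client;
    }

    // Outside the firewall: username/password passed through the proxy, typically
    // validated on the service by an ASP.NET Membership provider. TLS protects the
    // token on the wire; UserName credentials must never travel over an unsecured binding.
    public static OrderServiceClient CreateUserNameClient(string userName, string password)
    {
        var binding = new WSHttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        var client = new OrderServiceClient(binding, new EndpointAddress("https://orders.example.com/OrderService.svc"));
        client.ClientCredentials.UserName.UserName = userName;
        client.ClientCredentials.UserName.Password = password;
        return client;
    }
}
```

The service side must expose a matching endpoint (same binding, same security mode and credential type), otherwise the channel fails at open time.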

Resources

• Client Application Services Walkthrough:
  ● http://msdn.microsoft.com/en-us/library/bb546195.aspx
• Client Application Services, Bilal Haidar, ASP Alliance:
  ● Part 1: http://aspalliance.com/1595_Client_Application_Services__Part_1
  ● Part 2: http://aspalliance.com/1596
• Smart Client Deployment with ClickOnce, Brian Noyes, Addison Wesley, 2007.
  ● http://www.amazon.com/Smart-Client-Deployment-ClickOnce-Applications/dp/0321197690

E-mail: [email protected]
Blog: http://briannoyes.net
Twitter: @briannoyes

Your Feedback is Important

Please fill out a session evaluation form and drop it off at the conference registration desk.

Thank you!
