stackoom
  简体   繁体   中英

Silverlight Security Concern when Dynamically Setting Connection String with Entity Framework

 原文  2010-12-03 03:58:27       silverlight/ security/ entity-framework/ wcf-ria-services

Question

I am using Entity Framework and have the same model on many databases and servers. I want to set my connection string at runtime based on the logged in user. I am currently overriding CreateObjectContext() in my DomainService and setting the connection string there. This works great, but I'm concerned with the lack of security. For example, in my DomainService, I have an invoke method called SetConnectionString() where I pass in the connections string each time I need a new Entity. This is being done from the DomainContext (client side). Since I am using SQL Integrated Security, I am concerned that someone could manipulate the connection string on the clinet and get access to a database that they are not authorized to use.

What is the most secure way to dynamically set the connection string for the domain entity I want to use at runtime?

I do have the database name and server settings in a database that I could look up from the DomainService if I passed in my project id or some other piece of information, but I am then right back to the same issue - someone could easily spoof this info.

Ideas??

-Scott

2 answers

solution1
 0  2010-12-03 08:06:54

Hopefully my answer is relevant as the same security issues are faced by flash developers...

The only way to make this really secure ("this" being database connections from your client side code) is to make each user only have read-only access to their data in the database.

As you are realizing, there is no way to stop the user from monitoring/modifying data that you are sending back to the server. Even if you encrypt the communication, the user still has access to the code and in the case of flash, source code due to trivial decompilation.

I am not a DB developer, but I do security audits of stuff like you are asking often, so the following advice could be wrong, but I just googled, and it seems like maybe you could use views to restrict users (sets of credentials) to specific information.

If not, this article seems relevant to what you want:

http://technet.microsoft.com/en-us/library/cc966395.aspx

solution2
 0  2010-12-09 19:01:45

What about using the ASP.NET membership framework? Tie the user login with a Login call in the framework to make sure the user an authorized user. Add a "RequiresAuthentication" attribute to each of the functions you want to protect in your domain service.

Here are more details on using ASP.NET membership with Silverlight: WCF RIA Services - Authentication, Roles, and Profiles

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Silverlight Entity Framework Dynamic Connection String Is the usage of Isolated Storage in Silverlight 3 a security concern MVVMLight, Silverlight, Entity Framework Silverlight and Entity Framework creating a binding dynamically and setting it to a string object that was created silverlight Silverlight: Exposing entity framework ENTITY classes to silverlight? Silverlight WCF RIA Services Dynamically Change Connection String Trouble with metadata in Entity Framework connection string Unit testing in silverlight and entity framework DbGeography + entity framework 5 + Silverlight + DomainService
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM