Vibrant discussion about CSLA .NET and using the framework to build great business applications.
I am about to develop a SL app - I know my client will ask me about Data Protection/sensitive data and security - my understanding is limited here.
I have a little understanding that calling https:// is SSL and makes that communication secure - but with SL you don't call https:// (or do you?) - anyway, how (if any) does/can CSLA and SL send sensitive data across the wire securely? And if there is not an easily ready way (e.g. web.config stuff) has anyone any advice on fielding these types of questions?
I don't know all the options involved with this, but under the covers CSLA uses WCF for communicating with the remote data portal. And WCF communication can be done over SSL. You'll notice that in any of the available SL examples that use a remote data portal, the ServiceReferences.ClientConfig file (found in the SL project) contains a service endpoint so that it can communicate with the server:
<endpoint address="http://myappserver/myproject/SlPortal.svc" binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_IWcfPortal" contract="WcfPortal.IWcfPortal" name="BasicHttpBinding_IWcfPortal"/>
So you should be able to adjust the address to https instead of http. In addition, you might have to modify your bindingConfiguration...not sure about that, though.
SL can call WCF services using HTTPS / SSL. This will make the client/server communicate over an encrypted connection.
CSLA is out-of-the-box configured to use basicHttpBinding and this can use SSL.
There's a lot more that CAN be done to secure data using other bindings and maybe MessageSecurity, but that is a whole other aspect and will require some code to implement your own DataPortal.
For a general introduction to WCF Security read the WCF Security Guidelines http://blogs.msdn.com/b/jmeier/archive/2009/02/11/new-release-patterns-practices-wcf-security-guide.aspx
Although not updated for WCF 4, it is still applicable.
Jonny Bekkum, Norway
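The change discussed in the two replies above, as an added example that is not part of the original posts or of CSLA's own samples: the thread's ServiceReferences.ClientConfig endpoint switched to https, with the binding's security mode set to Transport. The host name and path are the thread's placeholders, and it is assumed that the server-side binding in web.config uses the same security mode and that the site has an SSL certificate bound.

```xml
<!-- ServiceReferences.ClientConfig (Silverlight project); added example -->
<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <!-- Before: a binding with no security element defaults to mode="None",
             which only accepts an http:// address:
             <binding name="BasicHttpBinding_IWcfPortal" />
        -->

        <!-- After: Transport tells basicHttpBinding to rely on SSL/TLS for
             confidentiality and integrity, so an https:// address is accepted. -->
        <binding name="BasicHttpBinding_IWcfPortal">
          <security mode="Transport" />
        </binding>
      </basicHttpBinding>
    </bindings>
    <client>
      <!-- Same endpoint as in the thread, with the scheme changed to https. -->
      <endpoint address="https://myappserver/myproject/SlPortal.svc"
                binding="basicHttpBinding"
                bindingConfiguration="BasicHttpBinding_IWcfPortal"
                contract="WcfPortal.IWcfPortal"
                name="BasicHttpBinding_IWcfPortal" />
    </client>
  </system.serviceModel>
</configuration>
```

Changing only the address and leaving the security mode at None makes WCF reject the endpoint, because the binding expects the http scheme.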
Thanks for your replies - will look into it - TSF, if your suggestion works that looks like a nice and easy solution - happy to hear from people who have maybe gone down this route
One other thing to consider. If you have objects which have some properties that will contain sensitive information, while you can use the Csla security, you might consider not loading the value into the property at all. Using debuggers, people could still access the property value even with Csla security.