I am working on a contract which uses Silverlight 2.0, WCF, Entity framework, LINQ and so on to provide remote insight in the drilling status in the mining industry. While the project is interesting the problem I faced is securing the WCF service as the Silverlight app is used in the field and the data is stored at the client’s office.
Since Silverlight is a scaled down version of the .NET framework most if not all of the security goodies are left out. So if you are trying to prevent your WCF service from prying eyes or abuse you are having to put on your think hat.
What I planned to do in my situation was to pass username and password info in the SOAP header of a WCF call to the server, authenticate and then pass a security token (a GUID of some sort) back to Silverlight which is then used in every other WCF call. There are many questions like this on the web, one solution could be to create a custom WCF channel as described here and here. As you know, Silverlight only supports the basicHttpBinding so these solutions could be working well if you need more interaction between Silverlight and WCF.
What I was looking for was just something more easy to implement, I hate coding if I have to copy and paste somebody else’s code and make it work. Luckily I had found the Silverlight Web Services Team blog already in my list of RSS feeds and as I was going through the blog entries I found the following one : New Web Services Features in Silverlight 2 RTW with on the second line in the post saying SOAP Headers, now that peeked my interest.
As it turns out, the Silverlight Web Services Team had many requests from customers about access to SOAP Headers so they provided a way to get or set headers. It turns out you can use the OperationContext in combination with the IncomingMessageHeaders and OutgoingMessageHeaders to transport SOAP Headers…and it is simple.
The SL Web Services Team blog entry even gives you an easy way and a hard way. The easy way is for when you have one WCF call to make to which you want to add a SOAP Header, the hard way is when you want every call to have the added SOAP header, in this case you need imitate the IClientMessageInspector provided in the WCF stack but not supported in Silverlight. The sample code available in the blog post will get you there.