PRISM + ASP.NET Membership Security Model

Topics: Prism v2 - Silverlight 4, Prism v2 - WPF 4
Jul 6, 2010 at 9:04 PM

Hello everybody,

As you all know, I've been working on the new version of my smart client framework, The Genesis Smart Client Framework, building it from the ground up using only the best standards and practices. This includes, for one, using the Composite Application Library to achieve better modularization than what I had in the previous version, and of course opening the framework up to a broader audience skilled in its methodologies. One of the other standards that I'm implementing is the use of the Microsoft ASP.NET Membership Security Model.

I have applied an ASP.NET Membership database, and by using the Application Services I have exposed an Authentication, Membership and Profile WCF service to the client.

My problem is that Microsoft by default implements the Client Services (a.k.a. Application Services) for Windows Forms applications, and while this is available for use with WPF, it is sadly not available for Silverlight. I have implemented my own client calls for the Authentication, Membership and Profile WCF services that compile on both WPF and Silverlight (BTW: I am attempting a 100% Multi-Targeted development for this project, with as much code-reuse between WPF and Silverlight as possible) and that enable access to the back-end services from a single code base.

I need some guidance on the correct approach to implement the login dialog box for WPF and Silverlight to prevent any loading of the Shell until a user has been authenticated. I'd also like some basic support for Unauthenticated users as well, so maybe the shell should load, however only the modules should be loaded for the Authenticated user once they've signed in. Any ideas are welcome.

Please download my latest checkin on Changeset 48420 and review the Ruby project.

The services are located in the BlueMarble.Genesis.Service project.

The Security classes are located in the BlueMarble.Genesis.Infrastructure, Desktop & Web projects under the Security folder.

The Bootstrapper has been modified to allow the initial authentication.

Thanks in advance,


Jul 8, 2010 at 4:17 PM

Hi Stephan,

Nice to see that you are building your framework based on the guidance that p&p provided. Regarding the login topic, it was also discussed in the following threads:

Please let me know if this helps.

Fernando Antivero


Jul 8, 2010 at 9:17 PM

Hi Fernando,

Thanks for the reply; I found the articles to be very informative. However, all of these articles focus on enforcing the authentication before the user is allowed to access the system. One briefly mentions allowing the user access to the software before authentication without much elaboration.

I'd like to have the potential for Anonymous users for this release of Genesis. My idea is that I can provide a working surface similar to SharePoint or DotNetNuke. Anonymous users should have access to the system, and depending on the developer implementation of his/her application, there could be public modules, or none at all.

I have no intention of writing a Content Management System, however PRISM, with dynamic module loading and IOC, lends itself so nicely to the idea. Users are already used to being able to drag and drop their own "modules" to where they like to use them on a screen layout that they are comfortable with. I'd like to be able to provide some level of user-personalization support in this version of Genesis.

If you have a look at the standard Silverlight Business/Navigation applications, users have anonymous access until they click on the Login link, whereafter the application is aware of who the user is. This implementation has no real intelligence as to what screens to show/hide based on authentication. Custom code has to be written on each screen to prevent unauthorized access. If the developer chooses to apply Role requirements to the RIA services, he/she still has to write code to prevent an unauthorized user from accessing a view that would call the RIA method. If they did not, an ugly exception is shown to the user, in most cases not even telling the user what he/she did wrong.

I am also not looking for a de facto implementation of said security system; I am really asking for some ideas from the community at this point in time. I have been playing with the security in Genesis for the last two weeks and I feel that I'm just not being creative enough, i.e. today I was thinking of running two bootstrappers, one for authentication and then the main application one. However, all of my thinking keeps along the lines of sign-in-first.

I have to take into account that allows no customization until the user has been authenticated, however SharePoint and DotNetNuke allow for anonymous access. Facebook is useless until you've signed in, and Twitter allows you to read the public tweets. My problem is that I don't know what applications I, or anybody else using Genesis, will develop on the framework. I cannot enforce a model; it has to be flexible to allow the developer to choose how he/she wants the application to behave.

Any feedback is appreciated


Stephan Johnson
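
The anonymous-plus-authenticated model discussed in this thread can be expressed as a deny-by-default filter over module descriptors, re-evaluated when the user signs in. This is an added example, not code from the thread or from Genesis or Prism; `ModuleDescriptor`, `ModuleGate` and the module and role names are hypothetical. It only decides what the client shows, so the role requirements on the back-end services remain the enforcement point.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Principal;

// Hypothetical descriptor (not a Prism or Genesis type): what a module needs before it may load.
sealed class ModuleDescriptor
{
    public string Name { get; }
    public bool AllowAnonymous { get; }
    public string[] RequiredRoles { get; }

    public ModuleDescriptor(string name, bool allowAnonymous, params string[] requiredRoles)
    {
        Name = name; AllowAnonymous = allowAnonymous; RequiredRoles = requiredRoles;
    }
}

static class ModuleGate
{
    // Deny by default: a module loads only if it is explicitly public,
    // or the user is signed in and holds one of the roles it lists.
    public static bool CanLoad(ModuleDescriptor module, IPrincipal user)
    {
        if (module.AllowAnonymous) return true;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated) return false;
        // No roles listed means "any signed-in user".
        return module.RequiredRoles.Length == 0 || module.RequiredRoles.Any(user.IsInRole);
    }

    public static List<string> Loadable(IEnumerable<ModuleDescriptor> catalog, IPrincipal user)
    {
        return catalog.Where(m => CanLoad(m, user)).Select(m => m.Name).ToList();
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample catalog and users.
        var catalog = new[]
        {
            new ModuleDescriptor("PublicNews", true),
            new ModuleDescriptor("MyProfile", false),
            new ModuleDescriptor("SalesReports", false, "Sales", "Managers"),
        };
        // GenericIdentity with an empty name reports IsAuthenticated == false.
        IPrincipal anonymous = new GenericPrincipal(new GenericIdentity(""), new string[0]);
        IPrincipal member = new GenericPrincipal(new GenericIdentity("member"), new string[0]);
        IPrincipal clerk = new GenericPrincipal(new GenericIdentity("clerk"), new[] { "Sales" });

        foreach (var user in new[] { anonymous, member, clerk })
            Console.WriteLine("[" + user.Identity.Name + "] " + string.Join(", ", ModuleGate.Loadable(catalog, user)));
    }
}
```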