Solved

Architecture Decisions For Silverlight and MSSQL

Posted on 2008-06-17
Last Modified: 2008-07-02
I am trying to understand the appropriate architecture decisions and options for a new application to be developed in Silverlight with SQL Server as the back end database.

The application will be distributed to all and sundry who wish to use the application, and the users' data will be hosted in a secure centralised location.  The users are standard Internet users like you and me who use the Internet for something different every day.

The application will run in Silverlight in the client's web browser.

I am considering using Web Services to allow the client to communicate directly with the SQL Server; however, the thought of having SQL Server Web Services (SODA/Native HTTP SOAP Access) directly accessible from the Internet really scares the heck out of me, not to mention that I do not understand how the authentication would work.

It seems to me that if I can work out the authentication and authorisation I can just do:

<Silverlight> <--Internet--FW-->  [<MS SQL Native Web Services><SQL Server>]
(FW = Firewall)

But this seems really stupid, as I do security for a living and the thought of putting my SQL Server on the Internet (port 443/80 or otherwise only) seems pretty stupid...

So the other option seems to be:

<Silverlight> <--Internet--FW--> [<IIS><ASP.NET Web Service>] <---Local LAN--FW-->  [<MS SQL Native Web Services><SQL Server>]

Of course this now seems like a whole lot more work for very little gain....

I guess that the Silverlight Client will have to pass in a "username and password" with every Web Service Request which the ASP.NET server will verify via a web-service against the SQL Server and will then pass the request off to the SQL Server using impersonation.

The idea is that all the logic will be in the SQL Server; if something cannot be done using Transact-SQL it will be done using a C# CLR, so the ASP.NET Service will merely be a pass-through proxy with some initial authentication for the username and password of the user.

Thoughts?
Question by:rowansmith
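
The second layout in the question, where the ASP.NET tier authenticates each request and then forwards it to stored procedures, shown here as an added example that is not part of the original post. The procedure names, parameter names, `ProcedureGate` class and `verify` callback are hypothetical, and it passes the verified user name as a parameter rather than using the impersonation the question mentions.

```csharp
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

public static class ProcedureGate
{
    // Hypothetical allow-list: exposed procedure -> the only parameters a client may supply.
    static readonly Dictionary<string, string[]> Allowed = new Dictionary<string, string[]>
    {
        { "dbo.GetUserOrders", new[] { "@FromDate" } },
        { "dbo.AddOrder", new[] { "@ProductId", "@Quantity" } },
    };

    // verify is a stand-in for the real credential check, which the thread does not specify.
    public static SqlCommand Build(string user, string password,
        Func<string, string, bool> verify, string procedure, IDictionary<string, object> args)
    {
        if (!verify(user, password))
            throw new UnauthorizedAccessException("authentication failed");
        string[] expected;
        if (!Allowed.TryGetValue(procedure, out expected))
            throw new InvalidOperationException("procedure is not exposed");
        if (args.Count != expected.Length)
            throw new ArgumentException("unexpected or missing parameters");

        var cmd = new SqlCommand(procedure) { CommandType = CommandType.StoredProcedure };
        // Caller identity comes from the verified login, never from client-supplied arguments.
        cmd.Parameters.AddWithValue("@UserName", user);
        foreach (string name in expected)
        {
            object value;
            if (!args.TryGetValue(name, out value))
                throw new ArgumentException("missing parameter " + name);
            cmd.Parameters.AddWithValue(name, value ?? DBNull.Value);
        }
        return cmd; // the caller attaches a connection and executes it
    }

    public static void Main()
    {
        // Constructed sample request; the lambda accepts one made-up account.
        Func<string, string, bool> verify = (u, p) => u == "alice" && p == "constructed-sample";
        var args = new Dictionary<string, object> { { "@FromDate", new DateTime(2008, 6, 1) } };
        SqlCommand cmd = Build("alice", "constructed-sample", verify, "dbo.GetUserOrders", args);
        Console.WriteLine("{0} with {1} parameters", cmd.CommandText, cmd.Parameters.Count);
    }
}
```

With a gate like this the middle tier forwards only named procedures with bound parameters, so the database account it uses needs no more than EXECUTE permission on the listed procedures.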
2 Comments
 

Expert Comment

by:nmcdermaid
ID: 21827204
I thought the whole point of web services was they are accessible over the internet.

And I am by no means an expert on this, but can't you just use SSL to encrypt your clear text authentication details?

Accepted Solution

by:rowansmith
ID: 21854846
I found this great Microsoft document:

http://www.codeplex.com/WCFSecurityGuide

Patterns & Practices - Improving Web Services Security
Scenarios and Implementation Guidance for WCF

It is only in Beta at the time of me writing this, but it really summed up everything I needed to know.
Question has a verified solution.
