Securing an OData Service in LightSwitch
It's good practice to secure an OData service (not only one generated by LightSwitch), especially if it exposes private data over public networks. Before discussing how to consume OData feeds from a Windows Phone application, we must add authentication and authorization to the OData service. Because Forms authentication sends the user's credentials and, afterwards, the authentication cookie with every request, the service should also be published over HTTPS; otherwise both can be read by anyone on the network path.
In part 2 of this series, we created an OData service from a LightSwitch data source and deployed that service to an Internet Information Services (IIS) web server. Continuing from that example, imagine that you want to allow any user to read data, but reserve the ability to delete entities for users who hold a specific permission. The first step in this process is to enable Forms authentication in LightSwitch:
- In the LightSwitch project properties, click Access Control and then select Use Forms Authentication.
- Add a new permission called EmployeePermissions, which will be used to restrict resources in the service to users who have this permission. For instance, only users with EmployeePermissions will be able to delete orders; other users won't be allowed to do that. Figure 1 shows the newly added permission.
- After you've enabled authentication and authorization, double-click the Orders table in Solution Explorer. When the Table Designer opens, select the Orders_CanDelete security method from the Write Code drop-down list (see Figure 2). This is the point where you'll specify who is authorized to delete orders.
- The security code is very easy, as shown in Listing 1.
- Now we need to deploy the application to the web server again. We'll follow the same steps described in part 2, but in this case we also need to specify an application administrator to manage users and roles once the application has been deployed. Figure 3 shows the Authentication tab of the Publish Application Wizard, where an application administrator has been specified.
Figure 1 Enabling forms authentication and setting a new permission.
Figure 2 Accessing the Orders_CanDelete security method.
Listing 1 Assigning entity-deletion permission to specific users.
Private Sub Orders_CanDelete(ByRef result As Boolean)
    ' This method runs in the server-side data service, so it governs DELETE
    ' requests arriving through the OData endpoint, not only the LightSwitch client.
    ' Permissions defined in the Access Control tab are exposed through the
    ' generated Permissions class.
    result = Application.User.HasPermission(Permissions.EmployeePermissions)
End Sub
This code specifies that only users who hold EmployeePermissions are allowed to delete orders. Because the access-control methods run in the LightSwitch data service on the server, the check applies to every caller of the OData service, including the Windows Phone client we'll build later: a delete attempted by a user without the permission is rejected and the save fails, instead of the restriction depending on what the client chooses to show.
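The following is an added example, not code from the original article: it extends the same authorization pattern to every write operation on Orders while leaving reads open, as the scenario above requires. It assumes LightSwitch's default server-side class names (the LightSwitchApplication namespace, ApplicationDataService, and an Order entity behind the Orders table) and the EmployeePermissions permission defined earlier; the CanModifyOrders helper is a name chosen here for illustration.

```vb
' Added example: authorization hooks for the Orders table in the LightSwitch
' server project. Names other than the generated ones (e.g. CanModifyOrders)
' are illustrative assumptions, not part of the original article.
Namespace LightSwitchApplication

    Public Class ApplicationDataService

        ' Single decision point for who may change orders. Anonymous callers
        ' hold no permissions, so HasPermission returns False for them.
        Private Function CanModifyOrders() As Boolean
            Return Me.Application.User.HasPermission(Permissions.EmployeePermissions)
        End Function

        ' Reads stay open to everyone: Orders_CanRead is deliberately not
        ' implemented, so the default (allow) applies to GET requests.

        Private Sub Orders_CanInsert(ByRef result As Boolean)
            result = CanModifyOrders()
        End Sub

        Private Sub Orders_CanUpdate(ByRef result As Boolean)
            result = CanModifyOrders()
        End Sub

        Private Sub Orders_CanDelete(ByRef result As Boolean)
            result = CanModifyOrders()
        End Sub

        ' Second line of defense inside the save pipeline: should a Can* hook be
        ' loosened by mistake later, a delete by a caller without the permission
        ' still fails the save instead of silently succeeding.
        Private Sub Orders_Deleting(entity As Order)
            If Not CanModifyOrders() Then
                Throw New InvalidOperationException(
                    String.Format("User '{0}' is not allowed to delete orders.",
                                  Me.Application.User.Name))
            End If
        End Sub

    End Class

End Namespace
```

Keeping the permission test in one helper means a later change (for instance, granting deletes to a second permission) is made in one place, and the Can* hooks cannot drift apart from each other.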
Figure 3 Specifying the application administrator.
Once the application has been published, launch the application and log in with the administrator credentials previously supplied.
Next, we'll create a test user to demonstrate how an authorized user can perform specific operations from the Windows Phone application. Follow these steps:
- In the Administration group, select the Roles screen and add a new role called Employee.
- In the Permissions box, assign EmployeePermissions to the new role. (The permission appears under the display name you gave it in LightSwitch.)
- Open the Users screen and create a new user called TestUser, with TestUser$ as the password. (This is a throwaway credential for the demo; LightSwitch stores users through the ASP.NET membership provider, so choose a real password for anything beyond testing.)
- Assign the Employee role to the newly created user.
- Save your changes.
With permissions now enforced by the LightSwitch service, we need to see how to consume the OData service from a Windows Phone application, supplying the appropriate credentials.