Updates to Amazon S3 and Silverlight

After posting my sample implementation of accessing Amazon Simple Storage Solution (S3) via Silverlight, I reflected quickly and also chatted with some AWS engineers.

Cross-domain Policy

One thing you should never do is blindly deploy a global clientaccesspolicy.xml file. Oftentimes in samples, we (I) do this. I need to be better about this guidance to be honest, so I’ll start here. As an example, the S3 cross-domain policy file really should carry some additional attributes to make it more secure. Since we know it is a SOAP service, we can ratchet down the requests a little by restricting http-request-headers to the headers a SOAP call sends, like this:

    <?xml version="1.0" encoding="utf-8" ?>
    <access-policy>
      <cross-domain-access>
        <policy>
          <allow-from http-request-headers="SOAPAction,Content-Type">
            <domain uri="*"/>
          </allow-from>
          <grant-to>
            <resource include-subpaths="true" path="/"/>
          </grant-to>
        </policy>
      </cross-domain-access>
    </access-policy>

Additionally (and ideally) we’d be hosting our application from a known domain. In this instance let’s say I was going to host my application on timheuer.com in the root domain. I would set the domain uri inside allow-from to that origin and complete my security like this:

    <?xml version="1.0" encoding="utf-8" ?>
    <access-policy>
      <cross-domain-access>
        <policy>
          <allow-from http-request-headers="SOAPAction,Content-Type">
            <domain uri="http://timheuer.com"/>
          </allow-from>
          <grant-to>
            <resource include-subpaths="true" path="/"/>
          </grant-to>
        </policy>
      </cross-domain-access>
    </access-policy>

Of course, if I had a cool application and others wanted to embed it, I could add more domains to that allow list as well. But restricting the list makes sense both for a service provider who wants to offer some secure access to its APIs and for you when doing things the way this sample does.
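An added example, not code from the original post: a small Python audit that parses a clientaccesspolicy.xml and flags the two weaknesses discussed above (a wildcard origin and a wildcard http-request-headers value), plus any origin that is not on an expected list. The policy skeleton, the build helper, the finding labels and example.org are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed policy skeleton mirroring the files shown in this post.
TEMPLATE = """<access-policy><cross-domain-access><policy>
  <allow-from{headers}>{domains}</allow-from>
  <grant-to><resource include-subpaths="true" path="/"/></grant-to>
</policy></cross-domain-access></access-policy>"""


def build(headers, uris):
    """Hypothetical helper: render a policy with the given headers and origins."""
    attr = f' http-request-headers="{headers}"' if headers else ""
    doms = "".join(f'<domain uri="{u}"/>' for u in uris)
    return TEMPLATE.format(headers=attr, domains=doms)


def audit_policy(xml_text, expected_origins):
    """Return sorted findings for a clientaccesspolicy.xml document."""
    findings = set()
    expected = {o.lower().rstrip("/") for o in expected_origins}
    for allow in ET.fromstring(xml_text).iter("allow-from"):
        raw = allow.get("http-request-headers", "")
        if "*" in [h.strip() for h in raw.split(",")]:
            findings.add("any-request-header")
        for dom in allow.iter("domain"):
            uri = dom.get("uri", "").strip().lower().rstrip("/")
            if "*" in uri:
                findings.add("wildcard-origin:" + uri)
            elif uri not in expected:
                findings.add("unexpected-origin:" + uri)
    return sorted(findings)


if __name__ == "__main__":
    mine = ["http://timheuer.com"]
    samples = {
        "blanket": build("*", ["*"]),
        "headers only": build("SOAPAction,Content-Type", ["*"]),
        "locked down": build("SOAPAction,Content-Type", mine),
        "extra origin": build("SOAPAction,Content-Type", mine + ["http://example.org"]),
    }
    for name, xml_text in samples.items():
        print(name, "->", audit_policy(xml_text, mine) or "no findings")
```

Run against a deployed policy file, an empty result means every listed origin is one you expect and no wildcard remains.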

More security with SSL

As I mentioned in the initial sample I changed the binding configuration, modifying the binding to use a security mode of “None” instead of “Transport.”  I actually did this because I use the built-in web server from Visual Studio for most of my development and it doesn’t support HTTPS connectivity.  To demonstrate my sample with S3 I had to ensure the schemes matched because in Silverlight 2 right now to access a secure service, the XAP itself would have to be served from a secure location.  The contexts must match.

I’ve come to learn that even with a bucket alias (except ones with “.” characters) you can use the SSL cert from Amazon S3 as it is a wildcard certificate.  So your endpoint (assuming a bucket name of timheuer-aws) could be https://timheuer-aws.s3.amazonaws.com/soap and it would work.

Using SSL of course means that currently you will have to serve your application from an SSL endpoint as well to avoid cross-scheme violations.
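An added example, not code from the original post: a Python check of the two conditions described above, namely that a wildcard certificate covers only bucket names without "." characters, and that the XAP must itself be served over HTTPS. It assumes the certificate's wildcard name is *.s3.amazonaws.com; the bucket name my.bucket and the XAP URLs are constructed.

```python
from urllib.parse import urlsplit

# Assumption: the S3 wildcard certificate is issued for this name.
S3_CERT_NAME = "*.s3.amazonaws.com"


def wildcard_covers(cert_name, hostname):
    """Left-most-label wildcard match: '*' stands for exactly one DNS label."""
    cert = cert_name.lower().split(".")
    host = hostname.lower().rstrip(".").split(".")
    if len(cert) != len(host) or not host[0]:
        return False  # a dotted bucket adds labels the wildcard cannot absorb
    if cert[0] != "*" and cert[0] != host[0]:
        return False
    return cert[1:] == host[1:]


def check_endpoint(bucket, xap_url):
    """Report whether the bucket's HTTPS SOAP endpoint is usable from the XAP."""
    endpoint = f"https://{bucket}.s3.amazonaws.com/soap"
    host = urlsplit(endpoint).hostname
    return {
        "endpoint": endpoint,
        "cert_covers_host": wildcard_covers(S3_CERT_NAME, host),
        # Per the post: the XAP must come from HTTPS to call an HTTPS service.
        "scheme_matches_xap": urlsplit(xap_url).scheme.lower() == "https",
    }


if __name__ == "__main__":
    # Constructed inputs: the post's bucket, plus a dotted bucket name.
    print(check_endpoint("timheuer-aws", "https://timheuer.com/app.xap"))
    print(check_endpoint("my.bucket", "http://localhost:1234/app.xap"))
```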

I hope this helps clear some things up and provide you with a more secure and recommended way of accessing Amazon S3 services with Silverlight!


This work is licensed under a Creative Commons Attribution By license.

  1. 7/22/2008 1:17 PM | # re: Updates to Amazon S3 and Silverlight
    Good points, Tim. I often catch myself a bit late after telling people how to create a ClientAccessPolicy file that allows just about anyone to hit their services. It's like the old sa/[blank] passwords :-)


    I'm always like ... oh ... don't do this, add these restrictions instead.

    I've got to make a mental note of that too.
  2. 8/3/2008 7:09 PM | # re: Updates to Amazon S3 and Silverlight
    Why can’t you access a Web Service using SSL with Silverlight?

    This seems to be a big issue because most services you want to mash up in your Silverlight application will be on an SSL connection.

    Competitor applications like Flex from Adobe do allow SSL connections cross-domain, which I think will be a deciding factor on which one to use.

    I'm hoping this is just an issue with Silverlight 2 Beta 2
  3. 8/3/2008 8:20 PM | # re: Updates to Amazon S3 and Silverlight
    Just an issue with Beta 2 :-)
  4. 9/5/2008 3:21 PM | # GetObject with InlineData=false
    Hi,
    Great article. Thanks very much.
    But I have a question:

    I'm trying to extend your example to use the S3 GetObjectAsync.
    This works fine when I set InlineData=true.
    But for larger objects I apparently need to use InlineData=false. When I do that I get this exception:

    ProtocolException was unhandled by user code.
    The content type application/dime of the response message does not match the content type of the binding (text/xml; charset=utf-8)....

    Any idea how I can fix this? I'm using your clientaccesspolicy.xml.

    Thanks!
    Adrian
  5. 6/23/2009 5:42 PM | # re: Updates to Amazon S3 and Silverlight
    Hi Tim - fantastic resource.

    I got things working for uploading to S3 from Silverlight using PutObjectInline(), however that gives a file size limit of < 1MB. Have you come across a way to upload larger files? With PutObject() (which I couldn't get to work in Silverlight) or any other way? I'm desperate!

    Thanks for your help :)

    James Auld
  6. 6/25/2009 1:58 PM | # re: Updates to Amazon S3 and Silverlight
    James -- in Silverlight 3 some of the PUT stuff wouldn't work with the beta. I haven't tried with recent builds, but I'd encourage you to revisit the method when SL3 releases :-)

 