
Updates to Amazon S3 and Silverlight

After posting my sample implementation of accessing Amazon Simple Storage Solution (S3) via Silverlight, I reflected quickly and also chatted with some AWS engineers.

Cross-domain Policy

One thing that you should never do is deploy a global clientaccesspolicy.xml file blindly. Oftentimes in samples, we (I) do this. I need to be better about this guidance to be honest, so I'll start here. As an example, for the S3 cross-domain policy file, we really should add some additional attributes to make it more secure. Since we know it is a SOAP service, we can ratchet down the requests a little bit by adding an http-request-headers restriction that allows only the headers a SOAP call needs, like this:

    <?xml version="1.0" encoding="utf-8" ?>
    <access-policy>
      <cross-domain-access>
        <policy>
          <allow-from http-request-headers="SOAPAction,Content-Type">
            <domain uri="*"/>
          </allow-from>
          <grant-to>
            <resource include-subpaths="true" path="/"/>
          </grant-to>
        </policy>
      </cross-domain-access>
    </access-policy>

Additionally (and ideally) we'd be hosting our application from a known domain. In this instance let's say I was going to host my application on timheuer.com in the root domain. I would replace the wildcard in the domain uri under allow-from with that domain and complete my security like this:

    <?xml version="1.0" encoding="utf-8" ?>
    <access-policy>
      <cross-domain-access>
        <policy>
          <allow-from http-request-headers="SOAPAction,Content-Type">
            <domain uri="http://timheuer.com"/>
          </allow-from>
          <grant-to>
            <resource include-subpaths="true" path="/"/>
          </grant-to>
        </policy>
      </cross-domain-access>
    </access-policy>

Of course, if I had a cool application and others wanted to embed it, I could add more domains to that allow list as well and just list them in there. But restricting it makes sense if you want to provide some secure access to your APIs, both for a service provider and for you when doing things like this sample.
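A way to check a policy file for the problems described above before deploying it (an added example, not code from the original post). The function name, the finding codes and the `*.example.com` test value are assumptions made for illustration; the two policies are the ones shown above, rebuilt from one template.

```python
import xml.etree.ElementTree as ET

# Constructed input: the policy layout from the post, with the domain as a slot.
TEMPLATE = """<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="SOAPAction,Content-Type">
        <domain uri="{uri}"/>
      </allow-from>
      <grant-to>
        <resource include-subpaths="true" path="/"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>"""
OPEN_POLICY = TEMPLATE.format(uri="*")
PINNED_POLICY = TEMPLATE.format(uri="http://timheuer.com")

# Domain values that admit a caller hosted anywhere.
ANY_ORIGIN = {"*", "http://*", "https://*"}

def audit_policy(xml_text):
    """Return sorted finding codes (hypothetical names) for one policy file.

    Intended for policy files you own; do not feed it untrusted XML.
    """
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = set()
    for policy in root.iter("policy"):
        # A grant of "/" with include-subpaths exposes every path on the host.
        whole_host = any(
            r.get("path") == "/"
            and r.get("include-subpaths", "false").lower() == "true"
            for r in policy.iter("resource"))
        for allow in policy.iter("allow-from"):
            raw = allow.get("http-request-headers") or ""
            if "*" in [h.strip() for h in raw.split(",")]:
                findings.add("ANY_HEADER")  # no header restriction at all
            for domain in allow.iter("domain"):
                uri = (domain.get("uri") or "").strip()
                if uri in ANY_ORIGIN:
                    findings.add("ANY_ORIGIN_WHOLE_HOST" if whole_host
                                 else "ANY_ORIGIN")
                elif "*" in uri:
                    findings.add("WILDCARD_SUBDOMAIN")
                elif uri.lower().startswith("http://"):
                    # Informational: the trusted caller is served without TLS.
                    findings.add("PLAINTEXT_ORIGIN")
    return sorted(findings)
```

Run against the first policy it reports `ANY_ORIGIN_WHOLE_HOST`; the pinned policy leaves only the informational `PLAINTEXT_ORIGIN`, which goes away once the application is served over SSL as described in the next section.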

More security with SSL

As I mentioned in the initial sample I changed the binding configuration, modifying the binding to use a security mode of “None” instead of “Transport.”  I actually did this because I use the built-in web server from Visual Studio for most of my development and it doesn’t support HTTPS connectivity.  To demonstrate my sample with S3 I had to ensure the schemes matched because in Silverlight 2 right now to access a secure service, the XAP itself would have to be served from a secure location.  The contexts must match.

I’ve come to learn that even with a bucket alias (except ones with “.” characters) you can use the SSL cert from Amazon S3 as it is a wildcard certificate.  So your endpoint (assuming a bucket name of timheuer-aws) could be https://timheuer-aws.s3.amazonaws.com/soap and it would work.

Using SSL of course means that currently you will have to serve your application from an SSL endpoint as well to avoid cross-scheme violations.

I hope this helps clear some things up and provide you with a more secure and recommended way of accessing Amazon S3 services with Silverlight!


This work is licensed under a Creative Commons Attribution By license.

  1. 7/22/2008 1:17 PM | # re: Updates to Amazon S3 and Silverlight
    Good points, Tim. I often catch myself a bit late after telling people how to create a ClientAccessPolicy file that allows just about anyone to hit their services. It's like the old sa/[blank] passwords :-)

    I'm always like ... oh ... don't do this, add these restrictions instead.

    I've got to make a mental note of that too.
  2. 8/3/2008 7:09 PM | # re: Updates to Amazon S3 and Silverlight
    Why can’t you access a Web Service using SSL with Silverlight?

    This seems to be a big issue because most services you want to mash up in your Silverlight application will be on an SSL connection.

    A competitor application like Flex from Adobe does allow SSL connections cross-domain, which I think will be a deciding factor on which one to use.

    I'm hoping this is just an issue with Silverlight 2 Beta 2
  3. 8/3/2008 8:20 PM | # re: Updates to Amazon S3 and Silverlight
    Just an issue with Beta 2 :-)
  4. 9/5/2008 3:21 PM | # GetObject with InlineData=false
    Hi,
    Great article. Thanks very much.
    But I have a question:

    I'm trying to extend your example to use the S3 GetObjectAsync.
    This works fine when I set InlineData=true.
    But for larger objects I apparently need to use InlineData=false. When I do that I get this exception:

    ProtocolException was unhandled by user code.
    The content type application/dime of the response message does not match the content type of the binding (text/xml; charset=utf-8)....

    Any idea how I can fix this? I'm using your clientaccesspolicy.xml.

    Thanks!
    Adrian
  5. 6/23/2009 5:42 PM | # re: Updates to Amazon S3 and Silverlight
    Hi Tim - fantastic resource.

    I got things working for uploading to S3 from Silverlight using PutObjectInline(), however that gives a file size limit of < 1MB. Have you come across a way to upload larger files? With PutObject() (which I couldn't get to work in Silverlight) or any other way? I'm desperate!

    Thanks for your help :)

    James Auld
  6. 6/25/2009 1:58 PM | # re: Updates to Amazon S3 and Silverlight
    James -- in the Silverlight 3 some of the PUT stuff wouldn't work with the beta. I haven't tried with recent builds, but I'd encourage you to revisit the method when SL3 releases :-)
  7. 7/11/2009 10:56 PM | # re: Updates to Amazon S3 and Silverlight
    Hi Tim,

    Thanks for publishing this article. It really helped my efforts, but it seems that the new protocol stack for Silverlight 3 doesn't work on the Apple Macintosh very well.

    It seems that it just throws an exception after I finish putting my data into the Stream object and return from the asynchronous callback. No packets are sent at all.

    My site is live and functional on the web (http://hear-it-live.com), and I'm willing to share code. This is going to kill my product release since a ton of artists use the Macintosh. Do you have any advice?
  8. 10/8/2009 12:43 PM | # re: Updates to Amazon S3 and Silverlight
    My big question deals with security. For obvious reasons I don't want to store my AWS secret key in a client app. I don't want it in anything that will get downloaded to the client. I was considering building a file storage engine that would allow users to log in and store files. They would be able to log in and access a Silverlight uploader so the physical files would never go through my web server. How could I accomplish this without ever having the secret key downloaded to the client?
  9. 10/8/2009 5:57 PM | # re: Updates to Amazon S3 and Silverlight
    Nevermind...I was being an idiot and misreading the docs. I thought the secret had to be sent alongside the signature, but it doesn't, only the AccessID. Check out my post on the other part of this article for my proposed solution and let me know if anyone thinks of a better approach.
  10. 11/9/2009 10:59 PM | # re: Updates to Amazon S3 and Silverlight
    Can anyone get this to work lately? I'm wondering if something has changed since this post. I have a clientaccesspolicy.xml file that I know is valid because I use it elsewhere. I put the file into an Amazon S3 bucket, and I can't even load XML from the bucket because Silverlight throws a SecurityException. I haven't tried the CNAME record route yet. Is that necessary for some reason now?
  11. 11/10/2009 1:15 PM | # re: Updates to Amazon S3 and Silverlight
    Just wasn't setting the content-type when putting the clientaccesspolicy file into S3. You have to set it to text/xml.
  12. 12/4/2009 2:25 PM | # re: Updates to Amazon S3 and Silverlight
    I'm still trying to figure out how to upload large files via Silverlight to the S3.
  13. 1/11/2010 1:07 PM | # re: Updates to Amazon S3 and Silverlight
    Anyone have any luck uploading files to Amazon S3 with Silverlight 3 that are >1mb ? Just wondering if I am doing something wrong or perhaps the demo here is outdated and designed for SL2 and not SL3

 