×

First time here?

You are looking at the most recent posts. You may also want to check out older archives. Please leave a comment, ask a question and consider subscribing to the latest posts via RSS or email. Thank you for visiting!

Now that Silverlight 2 has been released, one of the features (or should I say fixes) that is included is the ability for non-secure applications to call secure services.  Previously this was not allowed and we referred to it as “cross-scheme violation.”  That means that a particular protocol scheme (file, http, https) could not access another.  Prior to release this meant that a XAP hosted in an HTTP context could not call a secure service.  Now we no longer have that restriction with the release.  There are some things you have to do, so let me take a brief moment to demonstrate.

First, let’s assume this environment:

We have our application that is served from our web server via HTTP.  so our site is hosting the app on http://foo.com/MyApp.XAP.  Our service is hosted on a secure endpoint which represents our segmented API. 

NOTE: For sake of simplicity and lack of “real” hardware to actually segment out a totally representative environment.  Translated: I only have one SSL certificate and wanted to keep hosting simple…the important note is that we have two separate domains.

And what we have created here is a double-whammy – a cross-domain, secure service request.  So even though when you look at the diagram above, you might ask isn’t the client machine making the request?  Yes, but from an application with a different source-of-origin, which is what creates this scenario.  Let’s continue, shall we?

Prior to release, this simply wasn’t enabled yet.  Now that it is enabled, we can have our MyApp.xap application call our secure service (in this example is a SOAP service hosted in ASP.NET).  In Silverlight 2, the service owner still has to opt-in for this to occur.  We make use of the clientaccesspolicy.xml file which is leveraged for cross-domain scenarios (more information about cross-domain and policy files can be found here including a code snippet for Visual Studio to generate them).  In our case here we need that to support our cross-domain scenario anyway, but we’re also going to leverage it to enable non-secure callers to our service. 

Let me make that clear:  even if your secure service was hosted on the same domain as your non-secure caller, you would still need a policy file in place to enable non-secure callers.

What does the clientaccesspolicy.xml file look like then?  Here’s what we’re using for our application:

   1: <?xml version="1.0" encoding="utf-8" ?>
   2: <access-policy>
   3:   <cross-domain-access>
   4:     <policy>
   5:       <allow-from http-request-headers="SOAPAction">
   6:         <domain uri="http://*"/>
   7:         <domain uri="https://*" />
   8:       </allow-from>
   9:       <grant-to>
  10:         <resource include-subpaths="false" path="/"/>
  11:       </grant-to>
  12:     </policy>
  13:   </cross-domain-access>
  14: </access-policy>

Now that this is in place, we’re done.  Notice the two (2) domain nodes there?  I couldn’t have just put “*” in there as we require you to explicitly allow non-secure callers in this scenario.  And once you do that, if you didn’t add the secure callers (https://*) then you’d leave them out.  So although it looks a little weird (as if to say Tim, in my mind that reads “*”), it is correct.  That’s right, there isn’t anything more you need to do.  Our code would look the same.  When we add a service reference to our Silverlight application, you’ll see that the ServicesReferences.clientconfig makes note of the secure transport:

   1: <configuration>
   2:     <system.serviceModel>
   3:         <bindings>
   4:             <basicHttpBinding>
   5:                 <binding name="fooSoap" maxBufferSize="2147483647" maxReceivedMessageSize="2147483647">
   6:                     <security mode="Transport" />
   7:                 </binding>
   8:             </basicHttpBinding>
   9:         </bindings>
  10:         <client>
  11:             <endpoint address="https://www.timheuer.com/foo.asmx" binding="basicHttpBinding"
  12:                 bindingConfiguration="fooSoap" contract="Bar.fooSoap" name="fooSoap" />
  13:         </client>
  14:     </system.serviceModel>
  15: </configuration>

Here’s the rest of the code I’m using in XAML:

   1: <UserControl x:Class="XDomain.Page"
   2:     xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" 
   3:     xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" 
   4:     Width="300" Height="300">
   5:     <Grid x:Name="LayoutRoot" Background="White">
   6:         <StackPanel>
   7:             <TextBox x:Name="MyName" FontSize="24" />
   8:             <Button Content="Repeat" FontSize="24" Width="150" Height="50" 
   9:                     Click="Button_Click" />
  10:             <TextBlock FontSize="24" x:Name="RepeatedName" />
  11:         </StackPanel>
  12:     </Grid>
  13: </UserControl>

and the code for the event handler on the button:

   1: using System;
   2: using System.Collections.Generic;
   3: using System.Linq;
   4: using System.Net;
   5: using System.Windows;
   6: using System.Windows.Controls;
   7: using System.Windows.Documents;
   8: using System.Windows.Input;
   9: using System.Windows.Media;
  10: using System.Windows.Media.Animation;
  11: using System.Windows.Shapes;
  12:  
  13: namespace XDomain
  14: {
  15:     public partial class Page : UserControl
  16:     {
  17:         public Page()
  18:         {
  19:             InitializeComponent();
  20:         }
  21:  
  22:         private void Button_Click(object sender, RoutedEventArgs e)
  23:         {
  24:             Bar.fooSoapClient foo = new XDomain.Bar.fooSoapClient();
  25:             foo.SayMyNameCompleted += (sdr, args) =>
  26:                 {
  27:                     RepeatedName.Text = args.Result;
  28:                 };
  29:             foo.SayMyNameAsync(MyName.Text);
  30:         }
  31:     }
  32: }

So there you have it.  Add a simple policy file and you are enabled!  I hope this helps!  You can download a copy of this VS project here: XDomain.zip


This work is licensed under a Creative Commons Attribution By license.


10/14/2008 4:58 PM | # re: Calling secure (SSL) services from Silverlight 2
Hey Tim - thanks for that tip, will definitely come in handy for me in the future as i'm considering taking on a silverlight project (hard for me as i'm severely graphically challenged).

nice tip!
10/14/2008 5:25 PM | # re: Calling secure (SSL) services from Silverlight 2
Tim! Thanks for this tutorial, it's very helpful.
Rachida

10/14/2008 6:53 PM | # re: Calling secure (SSL) services from Silverlight 2
I know this is going to seem like a very stupid question, but if I am calling a public webservice, and the webservice does not have this clientaccesspolicy.xml file in play.. Then, I am understanding that with silverlight I cannot do this.? Is this true.? If so, what is the underlying reason for doing this when I do not need this file with ASP.Net or a webform app, etc.. If I am completely wrong in understanding this, please let me know. :)

Thanks.
10/14/2008 7:13 PM | # re: Calling secure (SSL) services from Silverlight 2
Tim: thanks for the question. Yes that is true, Silverlight cannot access a web service of any kind not on it's same domain unless a policy is in place. In web client technologies, this is not a new concept. On ASPNET and WinForms, etc. it isn't needed because there is no web domain in place in the application. This limitation is in place to prevent among other things cross-site scripting attacks. The concept of policy files for rich web platforms was first introduced by Macromedia in Flash 7 (see: www.adobe.com/.../fplayer9_security.html for some great history). Since 2003 this concept really hasn't progressed and policy files are still in use because most of these platforms use the browser's networking stacks.

In future versions of these platforms I'd imagine vendors like Adobe and Microsoft considering alternate network options to enable a richer capability for developers.
10/14/2008 7:24 PM | # re: Calling secure (SSL) services from Silverlight 2
there are missing a lot of source files in XDomain.Web

there only Silverlight.js and XDomainTestPage.html there, all cs files are missing
10/14/2008 7:49 PM | # re: Calling secure (SSL) services from Silverlight 2
Thanks for the quick reply Tim, and btw I have always enjoyed your blogwork. It just seems that from a developers standpoint this is a real nuisance given that now, to call a webservice from a silverlight app I am going to have to petition the owner of the service to update their service with this file, and they may be protective/may not have clue one of why they are doing it if they do not understand silverlight (a pretty new technology in the scheme of things). I am sure this has been well thought out by Microsoft, and I know you dont want to unnecessarily hobble Silverlight development. I am a developer in a very large corporation, one that has put alot of money into SOA and web services against large data stores we also use Sharepoint. My hopes have been to start showing off the power of Silverlight in the corporation with some pretty sweet ways I have seen data be presented, but, before I can now I am going to have to go lobby a bunch of infrastructure folks to get educated on silverlight and add the file. Bureaucracy in a big corp can be pretty mind boggling... so its tough to run with this instead of just doing something in ASP.Net and Ajax.. (as much as I hate the idea). Is there any push by Microsoft to incorporate this file by default when creating an asmx or WCF web service.? Or at least a question on deploy about whether or not it should be included.? I apologize for probably not knowing enough about these web domains and the security issues you speak of. Thanks again for keeping us informed.. !
10/14/2008 8:24 PM | # re: Calling secure (SSL) services from Silverlight 2
Tim: I don't think we'd incorporate the file by default, but we are looking at ways to have the ability to load the file from a location other than the domain root (current requirement). In a conversation with an infrastructure admin, I'd tell them that the service is already there and it is enabled for people to access it, so adding a policy to enable a web platform to enable it, and securely enable it to prevent cross-site scripting attacks and restrict *which* web platforms calling from which areas is something they'd want to do. In fact, at times the policy file will provide additional protection by administrators being able to determine 'only my company's applications can call this service' and other policy formats.

To me, if the service is already public, I get confused why someone wouldn't want to enable that same level of accessibility to another type of client?
Gravatar
10/15/2008 2:22 AM | # re: Calling secure (SSL) services from Silverlight 2
Hi Tim.

I require a user to be logged in before he may call certain methods, so I added the [PrincipalPermission(SecurityAction.Demand)] attribute to those methods. I also set Thread.CurrentPrincipal = HttpContext.Current.User; in the constructor of the method, but I still get a SecurityException.

Is it possible to add the [PrincipalPermission] attribute to services that run over SSL, and if so, do I need to change anything else in the web.config to make it work?

Thanks.
JD.
Gravatar
10/15/2008 8:35 AM | # re: Calling secure (SSL) services from Silverlight 2
JD,

I don't know if this is the same issue that you are running into or not, but, I found that if you host a WCF service using HTTPS rather than HTTP, WCF will wipe out Thread.CurrentPrincipal if you have set it in the constructor. This doesn't happen if you use HTTP. I submitted the following bug report. If you agree with me that the behavior should be the same for both, please rate my bug report.

connect.microsoft.com/.../ViewFeedback.aspx

Also, I don't see what the point of being able to call a secure web service is from a non-secure web app. I would assume that in most cases if you are calling a secure web service, that means you are doing authentication. If that's the case, you don't want the credentials going over the net in the clear. Last time I checked, there was no way to set the credentials in the web service client. i.e. the property is missing in Silverlight. So, calling a secure service from a non-secure app seems pretty pointless to me.
Gravatar
10/15/2008 10:24 AM | # re: Calling secure (SSL) services from Silverlight 2
Actually, I was confused on that last comment. My brain is only now starting to wake up today. Scratch what I say about being able to call a secure service pointless. Actually, it's useful, particularly for testing since the ASP.NET development server that is included with Visual Studio doesn't support SSL.
10/15/2008 2:40 PM | # re: Calling secure (SSL) services from Silverlight 2
Do you have to have a valid SSL for this to work? I've created my own SSL for testing and it fails - I was wondering if maybe I was doing something wrong, or if it needed to be a valid SSL before Silverlight will connect - regardless of the policy file.

Thanks!
10/15/2008 6:33 PM | # re: Calling secure (SSL) services from Silverlight 2
Hi Tim.

I have a S2B2 user control hosted on a web page. It is able to send information to a local VB.Net app via sockets. The callbacks and policy response on port 943 was a bit of a bear, but eventually it worked..

I now have an odd problem. I am attempting to have my SilverLight user control request data from the aforementioned local VB.Net app. It works great (after more callback consternation) in the Visual Studio 2008 debugger, but when I post the files to a web server and run from there the SilverLight app never seems to receive a response to its request. The SilverLight app CAN send data to the local VB.Net app, and the VB.Net does receive the request, hte response never seems to get to the SilverLight app..

Could this be related to the cross domain issue you mentioned above?

Regards,

-Jay
11/19/2008 7:43 PM | # re: Calling secure (SSL) services from Silverlight 2
We've implemented the recommended clientaccesspolicy.xml per your post:
















The clientaccesspolicy.xml lives in the root of the webserver.
(services.mydomain.com/clientaccesspolicy.xml)

I get the following error
"An error occurred while trying to make a requres to URI 'https://services.mydomain.com/product/service.amx' This could be due to attempting to access a service in a cross comain way without a proper cross-domain policy in place or a policy that is unsuitable for SOAP services. You may need to contact the owner of the services to publish a cross-domain policy and to ensure it allows for SOAP-related HTTP headers to be sent.

The site is HTTPS the Service is HTTPS

The odd thing is if I build and compile this project locally and run it I don't get any errors and the page that the webserver for VS2008 is HTTP.

We're really at a loss on this one. Any ideas?

if you need specific URIs please let me know
11/28/2008 10:18 AM | # re: Calling secure (SSL) services from Silverlight 2
Hi Tim!

I found several posts that it is impossible to call a web service from Silverlight 2 via https with a self signed certificate.

Do u know a way around this issue (without passing the data out to Javascript and pushing it back into the Silverlight-App from "outside") ?

ServicePointManager.ServerCertificateValidationCallback += new System.Net.Security.RemoteCertificateValidationCallback(customXertificateValidation);

is missing in Silverlight...

Thx!
12/2/2008 7:52 PM | # re: Calling secure (SSL) services from Silverlight 2
Bernhard: right now that is not possible
1/9/2009 1:25 PM | # re: Calling secure (SSL) services from Silverlight 2
Tim, I was getting a "Security Error" with this setup when using a HttpWebRequest SOAPAction to an asmx service. It turned out that changing the follwoing line to true resolved the problem. I have Jesse Collins at MS to thank for this tip.

<resource include-subpaths="true" path="/"/>
Gravatar
1/15/2009 3:37 PM | # re: Calling secure (SSL) services from Silverlight 2
In our environment, we are using Microsoft ISA Server 2006 to publish a Silverlight2 web application (VS2008 SP1) that communicates with a WCF webservice (basicHttpBinding). The ISA acts as our reverse proxy and handles all the SSL. The Silverlight2 app requires the user to enter a username and password which is validated at the start of the webservice.

When we click on a silverlight button that calls a web service from a HTTP page, everything works fine. When we do it from a HTTPS page, an exception is thrown. However, HTTPS works when we bypass the ISA server from the intranet using host files.
Does anyone know why this is happening? Maybe there's a way to lower the security checks or adjust how ISA behaves? How do I debug this problem? I tried Fiddler but clicking on the button is not generating anything.
ISA is set to "Foward the original host header instead of the actual one". In the Proxy Requests settings, "Requests appear to come from the ISA"
Thanks


WEB.CONFIG Settings

=== Start ==========

<system.serviceModel>
<bindings>

<basicHttpBinding>

<binding name="basicHttpBinding">
<security mode="Transport">
<transport clientCredentialType="Basic" proxyCredentialType="None"/>
</security>
</binding>

<binding name="mtomHttpBinding" receiveTimeout="00:25:00" sendTimeout="00:25:00" maxBufferSize="524288000" maxReceivedMessageSize="524288000" messageEncoding="Mtom">
<readerQuotas maxArrayLength="524288000" />
</binding>

</basicHttpBinding>

<mexHttpBinding>
<binding name="mexHttpBinding" />
</mexHttpBinding>
</bindings>

<behaviors>
<serviceBehaviors>
<behavior name="DefaultBehavior">
<serviceMetadata httpGetEnabled="true" />
<workflowRuntime />
<serviceDebug includeExceptionDetailInFaults="true" />
</behavior>
</serviceBehaviors>
</behaviors>

<serviceHostingEnvironment aspNetCompatibilityEnabled="true" />

<services>
<service behaviorConfiguration="DefaultBehavior" name="DotNetNuke.Modules.IWebCF.CoreService">
<endpoint address="IWebTabManager" binding="basicHttpBinding" bindingConfiguration="basicHttpBinding" name="IWebTabManager" contract="DotNetNuke.Modules.IWebCF.IWebTabManager" />
</service>
</services>

</system.serviceModel>

====== END ==============
1/15/2009 4:34 PM | # re: Calling secure (SSL) services from Silverlight 2
eqx are you seeing requests in fiddler for a clientaccesspolicy.xml file to enable the cross-scheme request?
1/16/2009 11:07 AM | # re: Calling secure (SSL) services from Silverlight 2
We are experiencing a similar issue as EQX but we use a hardware SSL accelerator instead. Once behind the accelerator all traffic is non-ssl to IIS. The error we end up getting from Silverlight tells us that "the provided uri scheme 'https' is invalid; expected 'http'". Is there a way around this in WCF? Thank you greatly for any help!
Gravatar
1/22/2009 8:24 AM | # re: Calling secure (SSL) services from Silverlight 2
Hi Tim !

10/14/2008 7:24 PM |
# re: Calling secure (SSL) services from Silverlight 2
there are missing a lot of source files in XDomain.Web
there only Silverlight.js and XDomainTestPage.html there,
all cs files are missing

This is an earlier published mail and the problem haven't been
solved jet (3 month to publish a new set of files ???)
I have tried to get data from a web service to be handled by a
Silverlight application, but I'm always getting the same disapointing
result with an exception error:
(both the SL-App and the service runs from the localhost:)

An error occurred while trying to make a request to URI 'localhost:XXXX/.../TService/'.
This could be due to attempting to access a service in a cross-domain way without a proper cross-domain policy in place, or a policy that is unsuitable for SOAP services. You may need to contact the owner of the service to publish a cross-domain policy file and to ensure it allows SOAP-related HTTP headers to be sent. Please see the inner exception for more details.

It would have been nice to see that at least one of your examples works,
in all of my tests I have used both CrossDomain.xml and ClientAccessPolicy.xml
files. I think both of them are working as they return status 200.

Regards
1/22/2009 10:52 AM | # re: Calling secure (SSL) services from Silverlight 2
Tom the source files for the Silverlight application are in the XDomain project, not the XDomain.Web project...that is just the hosting web app for the Silverlight application. Also regarding the exception have you looked at the traffic?
Gravatar
1/27/2009 3:27 PM | # re: Calling secure (SSL) services from Silverlight 2
Tim,
Thanks for the great information on Silverlight (and I enjoyed your visit on .Net Rocks). Quick question related to the ServicesReferences.clientconfig file. I have an ASP.NET web service on a web site that uses SSL. I added the service to my Silverlight app but it did not setup the security correctly in the clientconfig file. It has transport set to "none" and the endpoint address is http (see below). Until I figured out what was going on, I was getting a cross-domain error. Is there any reason why VS had problems creating the clientconfig file correctly?

<configuration>
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="UtilSoap" maxBufferSize="2147483647" maxReceivedMessageSize="2147483647">
<security mode="None" />
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="http://abc.org/ws_xmit/util.asmx"
binding="basicHttpBinding" bindingConfiguration="UtilSoap"
contract="Util2.UtilSoap" name="UtilSoap" />
</client>
</system.serviceModel>
</configuration>

And a problem I continue to have is that after I move my Silverlight app over to the server (same domain as the web service), I get a cross-domain error from IE only (and a "display mixed content" warning). It works fine with Firefox. And both browsers work when I'm running my app from localhost. Any ideas on that?
1/27/2009 8:48 PM | # re: Calling secure (SSL) services from Silverlight 2
Rob, are you saying when you added the service reference you specified HTTPS and it did not add that information?
Gravatar
1/28/2009 8:13 AM | # re: Calling secure (SSL) services from Silverlight 2
Tim, that's correct. I specifically used HTTPS when I added the reference but it doesn't seem to take. I manually changed the security mode to Transport and added the "s" in the endpoint address and then things mostly work but I still have the problem in IE. I put a few quick screen shots on my skydrive of adding the reference if you'd like to see. (Also, abc.org was an example, it's not my site - I probably shouldn't have used a domain that really exists.)

cid-a458dffbf8ef5e04.skydrive.live.com/.../Public

Thanks for taking the time to look into this.
1/28/2009 8:40 AM | # re: Calling secure (SSL) services from Silverlight 2
Rob, is this a public web service at all I could take a look at? Even though the service reference is HTTPS -- what does the WSDL say about the service?
Gravatar
1/28/2009 11:54 AM | # re: Calling secure (SSL) services from Silverlight 2
Interesting - I didn't think to look at the WSDL. Yes, it is a "public" web service. I guess this would be the pertinent snippet of WSDL and it looks to be pointing at http (I guess that would explain the "mixed content" message from IE). I don't know enough about how VS generates the WSDL to know where this comes from. Is the Add Service reference doing something wrong or is there information in the actual web service which is causing it to behave this way?

<wsdl:service name="CMSUtil">
<wsdl:port name="CMSUtilSoap" binding="tns:CMSUtilSoap">
<soap:address location="nhescmsdev.rti.org/ws_xmit/cmsutil.asmx" />
</wsdl:port>
<wsdl:port name="CMSUtilSoap12" binding="tns:CMSUtilSoap12">
<soap12:address location="nhescmsdev.rti.org/ws_xmit/cmsutil.asmx" />
</wsdl:port>
</wsdl:service>
1/28/2009 1:25 PM | # re: Calling secure (SSL) services from Silverlight 2
Yes it's going to get the service endpoint information from the WSDL, so you can either change the transport yourself after the proxy config is generated, or alter the WSDL (i.e., change the config of the service)
Gravatar
1/28/2009 3:20 PM | # re: Calling secure (SSL) services from Silverlight 2
Is there an easier way to make the asmx generate https in the WSDL than what is described in this blog post?

blogs.msdn.com/.../493496.aspx
3/9/2009 10:03 PM | # re: Calling secure (SSL) services from Silverlight 2
Hi Tim,

Regarding this topic, i have created a wcf service hosted in https iis server. The problem is that i cannot consume it throught visual studio Add Service Reference. I have spent a week trying to find the solution. Everything are working fine using http environent. I have posted this issue in the forum but still dont have any solution on it. Here is the link to that forum --> http://silverlight.net/forums/t/77215.aspx

I hope that you can assist me on this issue. I have tried to replace the wcf with normal asmx web service but still the same problem occured.
3/10/2009 8:41 AM | # re: Calling secure (SSL) services from Silverlight 2
Murad -- the forum replyers are sending you on the right track. We only support basicHttpBinding and you are missing the metadata binding information. If you added your service using the 'Silverlight-enabled WCF Service' then this would be done for you. If you didn't, then you need to make sure you add those items yourself.
4/21/2009 10:59 AM | # re: Calling secure (SSL) services from Silverlight 2

Hello Tim!

I published some services that I did and put on a test server with Windows Server 2003. They are under HTTPS protocol (I created my own CA and a certificate signed by it).

I created a silverlight application to consume this service. I made the reference services, through the https/fixed external IP/ Services(virtual directory)/folder/service.svc. The application is published on the same server in a different virtual directory in the same web site. He also is under HTTPS protocol. Before publishing the application, I did all the references to services and everything worked smoothly.

I am using the default folders that IIS provides (Defaul web sites | InetPub / wwwroot).

I can't execute the methods of service. Here is the error:

The remote server returned an error: notfound

I installed the sniffer you suggested me in IE and him returns the following error:

URL https: / / External IP / Services / User
Status 405

I had to create the service project, a folder for each service, because, how I am using https, the services need to be in different addresses to not cause any error.

I put the clientaccesspolicy.xml in wwwroot, but still had no success.

I'm using Silverlight 3, because I need to use the mode TransportWithMessageCredential that don't exists in Silverlight 2.
4/29/2009 4:38 AM | # re: Calling secure (SSL) services from Silverlight 2
Hello Tim,
Thanks for the Great Post.
I tried Cross Domain access as specified in the Post.
Its not working for me.
ASMX Webservice: https://199.63.34.25/HelloWorldService/HW.asmx
Silverlight 2 App: https://199.63.34.50/HelloSilverlight

ClientAccessPolicy.XML file placed in wwwroot folder(in the machine where service is hosted) of IIS 5.1 (Windows XP)
<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from>
<domain uri="http://*"/>
<domain uri="https://*" />
</allow-from>
<grant-to>
<resource path="/" include-subpaths="true"/>
</grant-to>
</policy>
</cross-domain-access>
</access-policy>

I tried using selfsigned SSL certificates in both the machines.

Still I am getting CommunicationException
"An error occurred while trying to make a request to URI 'https://199.63.34.25/HelloWorldService/HW.asmx'. This could be due to attempting to access a service in a cross-domain way without a proper cross-domain policy in place, or a policy that is unsuitable for SOAP services. You may need to contact the owner of the service to publish a cross-domain policy file and to ensure it allows SOAP-related HTTP headers to be sent. Please see the inner exception for more details."
Let me know if I am missing something.

I am in the middle of project evaluation with Silverlight. Kindly let me know if any workaround possible with Silverlight 2

Thanks and Regards,
ManiX
4/29/2009 7:30 AM | # re: Calling secure (SSL) services from Silverlight 2
ManiX -- you are missing the http-request-headers attribute in your allow-from node.
4/29/2009 12:00 PM | # re: Calling secure (SSL) services from Silverlight 2
Hey Tim,

We're using SL3 Beta 1. I've setup my ClientAccessPolicy.xml file and everything works great on POSTs but not on GETs.

We're using the WebClient class to make cross-domain, secure service requests to services created using the WCF REST Toolkit.

When using https, GETs have a "NotSupportedException" when handling the "OpenReadCompleted." The request never even gets to the server. Everything works fine using https and POSTs.

Both work fine when using http.

Any ideas?
4/29/2009 4:40 PM | # re: Calling secure (SSL) services from Silverlight 2
Ryan -- as I'm not familiar too much with the REST toolkit, perhaps is there something there that has to be annotated on the service to enable secure gets?
4/30/2009 7:57 PM | # re: Calling secure (SSL) services from Silverlight 2
I don't see anything like that in the rest toolkit. Since I don't see the request leaving Silverlight, I would doubt it. I'll set up a REST Toolkit-less WCF service and verify.
5/4/2009 12:10 AM | # re: Calling secure (SSL) services from Silverlight 2
Tim, Thanks for your reply.
I modified clientaccesspolicy.xml as follows

<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
<domain uri="http://*"/>
<domain uri="https://*" />
</allow-from>
<grant-to>
<resource path="/" include-subpaths="true"/>
</grant-to>
</policy>
</cross-domain-access>
</access-policy>

My Silverlight Reference to Webservice
<configuration>
<system.serviceModel>
<bindings>
<basicHttpBinding>
<binding name="ServiceSoap" maxBufferSize="2147483647" maxReceivedMessageSize="2147483647">
<security mode="Transport" />
</binding>
</basicHttpBinding>
</bindings>
<client>
<endpoint address="199.63.34.25/HelloWorldService/HW.asmx"
binding="basicHttpBinding" bindingConfiguration="ServiceSoap"
contract="HelloWorldSvcRef.ServiceSoap" name="ServiceSoap" />
</client>
</system.serviceModel>
</configuration>

Still the same problem exists. no luck for me :(
I am getting CommunicationException
"An error occurred while trying to make a request to URI 'https://199.63.34.25/HelloWorldService/HW.asmx'. This could be due to attempting to access a service in a cross-domain way without a proper cross-domain policy in place, or a policy that is unsuitable for SOAP services. You may need to contact the owner of the service to publish a cross-domain policy file and to ensure it allows SOAP-related HTTP headers to be sent. Please see the inner exception for more details."
5/4/2009 12:22 AM | # re: Calling secure (SSL) services from Silverlight 2
Endpoint address has https://199.63.34.25/HelloWorldService/HW.asmx address
<endpoint address="199.63.34.25/HelloWorldService/HW.asmx"
binding="basicHttpBinding" bindingConfiguration="ServiceSoap"
contract="HelloWorldSvcRef.ServiceSoap" name="ServiceSoap" />

I tried with <allow-from http-request-headers="SOAPAction"> in clientaccesspolicy.xml still the problem exists.

Please help.

Thanks and Regards,
ManiX.
5/4/2009 7:06 AM | # re: Calling secure (SSL) services from Silverlight 2
ManiX -- take a look at the network information to get finer details of the actual error.
5/8/2009 1:39 AM | # re: Calling secure (SSL) services from Silverlight 2
Hi Tim,
I have a self hosted WCF service, which a Silverlight app is connecting to, using the techniques you have outlined. I switched from HTTP to HTTPS and now the cross domain scripting error is back. I can hit the URL for the ClientAccessPolicy from IE, and receive a valid file when my service is running:

<?xml version="1.0" encoding="utf-8" ?>
- <access-policy>
- <cross-domain-access>
- <policy>
- <allow-from http-request-headers="*">
<domain uri="http://*" />
<domain uri="https://*" />
</allow-from>
- <grant-to>
<resource path="/" include-subpaths="true" />
</grant-to>
</policy>
</cross-domain-access>
</access-policy>

However, it doesnt work from the Silverlight app, even though it worked over HTTP. I have changed the config of the Silverlight app to connect using Transport security and the https in the URL.

I am wondering if the problem is that I am using a self signed certificate. Is that supported?

5/8/2009 3:42 AM | # re: Calling secure (SSL) services from Silverlight 2
John -- self signed certs may give you problems. It probably works in IE fine because it prompts you to accept the cert. Silverlight won't surface those prompts. If the cert is installed on the client (i.e., trusted root/CA) then I would expect it to work better.
5/8/2009 3:54 PM | # re: Calling secure (SSL) services from Silverlight 2
Thanks Tim. The SSL cert is on the computer's cert store, and the self signed CA cert is in there too, and the client has access to the public key. But it still doesnt work. I have seen some blogs indicating difficulties with self signed certs but nothing definitive. (it is the same in the CF, but there you can define a handler that emulates the IE prompt dialog in code and accepts untrusted certs), that doesnt seem to be available in SL.
I will order a real cert and see if it helps.
5/10/2009 10:19 AM | # re: Calling secure (SSL) services from Silverlight 2
Hi Tim, great post! I have one extra question for you (not strictly related to HTTPS but related to cross site errors in Silverlight). I have read in another post from you, that cross scheme request were not allowed. That is if my Silverlight App is hosted in a c:\\something path, like when VS generates one for me, then my App cannot access an http://other service" title="http://other service">http://other service, even if I configure a clientaccesspolicy.xml file on the root of http://other. Well, I found out, using tracing, that the Silverlight App still requests the file (and gets it successfully with an HTTP 200), but it never works. This confirms what you say, but at the same time, if I put the ADOBE file crossdomain.xml, then, it works. How come? Is there a syntax I can put in the clientaccesspolicy.xml that make it works just like the crossdomain.xml one? (I have tried to use domain="file://", domain="file:///", domain="file:///*" to no avail :)).
5/10/2009 4:42 PM | # re: Calling secure (SSL) services from Silverlight 2
Thanks for the blog. It was very useful as none of the sites helped in solving the cross browser issues for the WCF Services hosted under IIS used in Silverlight applications.

<allow-from http-request-headers="SOAPAction"> This line helped in solving the Security Exception.
5/11/2009 10:28 PM | # re: Calling secure (SSL) services from Silverlight 2
Well, it seems to work with a real SSL cert from GoDaddy...for the most part. I still get sporadic cross domain scripting errors from time to time, but it seems that self hosted apps seem to work best with none self signed ssl certs.
5/24/2009 1:38 PM | # re: Calling secure (SSL) services from Silverlight 2
Simon -- the adobe file working is likely due to a bug.
6/11/2009 6:41 AM | # re: Calling secure (SSL) services from Silverlight 2
Hi,
I have a silverlight application which works fine on my local system.But gives me error while hosted in IIS.

I have a Silverlight-Enabled WCF service in "MyProject.Web" project.A service reference in silverlight project is hosting that WCF.
(MyProject.Web and silverlight app are in same solution).Everything works fine on my localsystem.But the application fails in IIS throwing the following exception:
An error occured while trying to make a request to URI 'http://localhost:2727/Service.svc'.This could be due to attempting to access a service in a cross-domain
way without a proper cross-domain policy in place, or a policy that is unsuitable for soap services.You may need to contact the owner of the service to publish a
cross-domain policy file and to ensure ita llows SOAP-related HTTP headers to be sent.Please see the inner exception for more details.


Can anyone please suggest how to overcome this error.I have added both policy files but I think they are not detected at all.Pls suggest where the files should be added or some other solution.
6/28/2009 9:54 PM | # re: Calling secure (SSL) services from Silverlight 2
Hi,
I've a Silverlight Enabled WCF service in my Silverlight application. As mentioned in above post i've placed the clientaccesspolicy.xml at the root of my hosted service and running my applciation under IIS virtual directoy. The application still trows an exception. I did a quick chekc by specifing the url for cap.xml it shows me the file. When i run my application in VS development Server it works fine without any problem.
Can anyone help me to get this resolved.
Thanks
7/30/2009 4:34 AM | # re: Calling secure (SSL) services from Silverlight 2
i tried to publish silverlight web service and followed this article, but it does not work, problem mentioned here
http://silverlight.net/forums/t/115193.aspx
please guide me to get rid of this error
10/9/2009 1:44 PM | # re: Calling secure (SSL) services from Silverlight 2
I followed your instruction and my SSL enabled service runs fine.

But padlock security logo will not show up on browser when called from my silverlight client under http://

Browsers will not detect if the silverlight client is transmitting SSL data. Obviously I cannot run the client app with https:// all the time for a shopping app.

Is there anyway around this - to switch to https:// only when needed? (while authenticating)

I believe almost all users of a shopping app would like to see the security padlock before enter their credentials.
10/9/2009 1:55 PM | # re: Calling secure (SSL) services from Silverlight 2
Soulforged - the padlock icon will not display for secure communications via the network stack.
10/16/2009 3:21 PM | # re: Calling secure (SSL) services from Silverlight 2
Sherwood -- you need to look at the network traffic to see the real error message using something like Fiddler, etc.
10/28/2009 3:54 PM | # re: Calling secure (SSL) services from Silverlight 2
Thanks for the good information. I am using SL3 and I am trying to connect from Http to Https but using custom binding with binary encoding, I am not able to get this to work with the setup you have showed. I keep getting an error that client access policy file is missing.

Is there anything I need to do with custom binding... can you point me to an example... thanks.
10/28/2009 4:14 PM | # re: Calling secure (SSL) services from Silverlight 2
Mike - make sure the clientaccesspolicy.xml file is at the ROOT of your service endpoint, not just where the service is located. Use a tool like Fiddler to help you see the requests and where it is looking/failing as well as more detailed HTTP response information.
2/4/2010 6:25 AM | # re: Calling secure (SSL) services from Silverlight 2
Hello every one,

I am facing similar challenge. below is my clientaccesspolicy.xml file. I am still getting "display mixed content?" warning. is there any way we can get rid of this message programatically (eg: using javascript !?)

I really aperciate any replies.

Thanks
Murali

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="*">
<domain uri="*"/>
</allow-from>
<grant-to>
<resource path="/" include-subpaths="true"/>
</grant-to>
</policy>
</cross-domain-access>
</access-policy>
2/4/2010 6:29 AM | # re: Calling secure (SSL) services from Silverlight 2
Murali -- is the site in a place I can take a look. Typically these are *browser* messages and not something Silverlight can control.
4/7/2010 2:44 AM | # re: Calling secure (SSL) services from Silverlight 2
Hi Tim,

Currently I am working with Silverlight & Sharpoint. I had hosted asp.net website in sharepoint in secure mode. whereas my WCF service is in non secure zone.


Currently I am getting DISPLAY MIXED CONTENT Error. When I am try to access Silver light Page which consist of WCF call..


Please suggest if any configuration applicable
4/22/2010 1:58 PM | # re: Calling secure (SSL) services from Silverlight 2
Hi Tim...
Do you have a working sample Silverlight4(hosted https)/WCF(hosted https) application?
What I have works perfectly in HTTP, but not in HTTPS.
I think I have tried everything -- crossdomain, basicbindings etc..
6/10/2010 11:20 AM | # re: Calling secure (SSL) services from Silverlight 2
Tim, I have a SL3 app/WCF service (both are https) situation that I can't get resolved. I've been at it it for a few weeks now, and I'm not making any head-way. Both my app and my service are on different secure servers within the same domain (it's a DoD domain). If you have time, I would really appreciate some advice. I'll wait to hear back so I don't clog your blog with too much stuff.

Many thanks in advance.

8/12/2010 1:53 PM | # re: Calling secure (SSL) services from Silverlight 2
Hi Tim,

I am having trouble accessing an asmx (yes, yes, I still have a couple of those) web service from a silverlight application. The connection is a HTTPS call and everything works fine until i check the Require SSL in IIS 7. What have i missed?
8/13/2010 11:54 AM | # re: Calling secure (SSL) services from Silverlight 2
Ok, found it. Please disregard my former post. Load balancer issue, duh...
11/19/2010 6:08 AM | # re: Calling secure (SSL) services from Silverlight 2
Hi Tim,
I am facing issue calling secure Java service from SL4. I have mentioned details in Silverlight forum at: forums.silverlight.net/forums/p/209831/493605.aspx

I have done every step you mentioned. Not sure what am i missing. Could you please let me know your inputs?

Thanks in advance!
Abhilash
1/23/2011 5:22 PM | # Calling WCF Servive in SL4
Hi Tim/All,

We are working on Moving the Website from HTTP to Https(which is in to another domain).Everything is working fine in Http on both the Domains,But when I am trying to configure to Https.I am getting the below error(When I am trying to run the services on HTTPS).

The provided URI scheme 'https' is invalid; expected 'http'.
Parameter name: context.ListenUriBaseAddress.

Please let me know,If there are any changes to be done.

Thanks in Advance..
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.ArgumentException: The provided URI scheme 'https' is invalid; expected 'http'.
Parameter name: context.ListenUriBaseAddress


I have tried adding the clientaccesspolicy.xml in the root folder and I have changed the Secutiy mode from None to Transport and changed the URL from http to Https for all the services.

But when I am trying to run the website,I am getting this error."Message: Unhandled error in Silverlight Application.[PreconditionFailed_Cnd]
Arguments: serviceLocator != null
Debugging resource strings are unavailable. Often the key and arguments provide sufficient information to diagnose the problem. See go.microsoft.com/.../ serviceLocator
Parameter name: serviceLocator
Line: 1
Char: 1
Code: 0
URI: https://XXXXXX/XXXX/".

PLease find the below web.config(Bindings) which we are using.

<bindings>
<basicHttpBinding>
<binding name="basicBindingConfiguration">
<security mode="Transport" >
<transport clientCredentialType="None" proxyCredentialType="None"/>
</security>
</binding>
</basicHttpBinding>
<customBinding>
<binding name="binaryMessageEncodingBinding">
<binaryMessageEncoding />
<httpsTransport></httpsTransport>
</binding>
</customBinding>
</bindings>

In ServiceReference.ClientConfig I have made changes to All the Services from Http to Https://

8/7/2011 2:13 AM | # re: Calling secure (SSL) services from Silverlight 2
I have this error while access my https: wcf service from IIS,, I have self signed certificate for https:

cannot establish trust relationship for ssl/tls secure channel with authority 'localhost'
8/7/2011 4:17 AM | # re: Calling secure (SSL) services from Silverlight 2
my above problem is sloved,, in the self signed certificate the IssuedTo name and the reference i added in my SL application was different, thats why it was giving the above problem..
8/7/2011 4:28 AM | # re: Calling secure (SSL) services from Silverlight 2
I have the same problem.. I can in accessing the clientaccesspolicy.xml file..

here is my xml file content for https://

<?xml version="1.0" encoding="utf-8"?>
<access-policy>
<cross-domain-access>
<policy>
<allow-from http-request-headers="SOAPAction">
<domain uri="http://*"/>
<domain uri="https://*"/>
</allow-from>
<grant-to>
<resource path="/" include-subpaths="true"/>
</grant-to>
</policy>
</cross-domain-access>
</access-policy>

Not working.. with me..

my 2nd question is that.. if i change the clientaccesspolicy.xml file.. so will i again publish my wcf service ?


Please help.. I am struck from days ?

I have used selfsigned Certificate

Regards
3/16/2012 4:53 AM | # re: Calling secure (SSL) services from Silverlight 4
Hi Tim,

We are working on a Silverlight 4 web application with WCF basicHttpBinding and it is working fine with "HTTP". Now we have a requiremnt to support "HTTPS".

Will you please provide us a sample example?

Thanks,
Bijay.

 
Please add 5 and 2 and type the answer here:

DISCLAIMER:

The opinions/content expressed on this blog are provided "ASIS" with no warranties and are my own personal opinions/content (unless otherwise noted) and do not represent my employer's view in any way.