Now that Silverlight 2 has been released, one of the features (or should I say fixes) that is included is the ability for non-secure applications to call secure services. Previously this was not allowed and we referred to it as “cross-scheme violation.” That means that a particular protocol scheme (file, http, https) could not access another. Prior to release this meant that a XAP hosted in an HTTP context could not call a secure service. Now we no longer have that restriction with the release. There are some things you have to do, so let me take a brief moment to demonstrate.
First, let’s assume this environment:
We have our application that is served from our web server via HTTP. so our site is hosting the app on http://foo.com/MyApp.XAP. Our service is hosted on a secure endpoint which represents our segmented API.
NOTE: For sake of simplicity and lack of “real” hardware to actually segment out a totally representative environment. Translated: I only have one SSL certificate and wanted to keep hosting simple…the important note is that we have two separate domains.
And what we have created here is a double-whammy – a cross-domain, secure service request. So even though when you look at the diagram above, you might ask isn’t the client machine making the request? Yes, but from an application with a different source-of-origin, which is what creates this scenario. Let’s continue, shall we?
Prior to release, this simply wasn’t enabled yet. Now that it is enabled, we can have our MyApp.xap application call our secure service (in this example is a SOAP service hosted in ASP.NET). In Silverlight 2, the service owner still has to opt-in for this to occur. We make use of the clientaccesspolicy.xml file which is leveraged for cross-domain scenarios (more information about cross-domain and policy files can be found here including a code snippet for Visual Studio to generate them). In our case here we need that to support our cross-domain scenario anyway, but we’re also going to leverage it to enable non-secure callers to our service.
Let me make that clear: even if your secure service was hosted on the same domain as your non-secure caller, you would still need a policy file in place to enable non-secure callers.
What does the clientaccesspolicy.xml file look like then? Here’s what we’re using for our application:
Now that this is in place, we’re done. Notice the two (2) domain nodes there? I couldn’t have just put “*” in there as we require you to explicitly allow non-secure callers in this scenario. And once you do that, if you didn’t add the secure callers (https://*) then you’d leave them out. So although it looks a little weird (as if to say Tim, in my mind that reads “*”), it is correct. That’s right, there isn’t anything more you need to do. Our code would look the same. When we add a service reference to our Silverlight application, you’ll see that the ServicesReferences.clientconfig makes note of the secure transport:
Here’s the rest of the code I’m using in XAML:
and the code for the event handler on the button:
So there you have it. Add a simple policy file and you are enabled! I hope this helps! You can download a copy of this VS project here: XDomain.zip