Wednesday, January 27, 2010

Working with Crossdomain Client Access Policy



We have seen that, by default, a Silverlight application may not access anything outside the domain it was loaded from. In some situations, however, it is necessary to allow access from other domains.



When a Silverlight application accesses a resource on another domain, the Silverlight runtime first checks whether a file named "clientaccesspolicy.xml" exists at the root of that domain. If the file is found, the rules for cross-domain access to that domain are read from it.



If the file is not found, the runtime looks for "crossdomain.xml", the policy file used by Adobe Flash applications. If neither file is found, cross-domain access to that domain is blocked.



To understand how this works, let us run some experiments. For this we need several web sites that live in different domains. For our experiment such sites can be defined in the "hosts" file, which is located in the "%windir%\System32\drivers\etc" folder. For example, the file can be defined as follows.



Listing 4 - The "hosts" file sample



127.0.0.1 site1.com
127.0.0.1 api.site1.com
127.0.0.1 subdomain.api.site1.com
127.0.0.1 site2.com
127.0.0.1 site3.com

From this listing we can see that every domain we define resolves to the local loopback address. Next, create a web site in IIS for each of these host names.



Let us place a file "data.xml" on the web site "api.site1.com" and create a small Silverlight application that accesses this file. The application contains a few lines of code that load the XML file asynchronously.



Listing 5 - Sample of Silverlight application



using System;
using System.Net;
using System.Windows;

private void GetDataButton_Click(object sender, RoutedEventArgs e)
{
    // Start an asynchronous download of the URL typed into the ServerURI text box.
    var client = new WebClient();
    client.DownloadStringCompleted += client_DownloadStringCompleted;
    client.DownloadStringAsync(new Uri(ServerURI.Text));

    Data.Text = "Loading..";
}

void client_DownloadStringCompleted(object sender, DownloadStringCompletedEventArgs e)
{
    // A cross-domain request refused by policy is reported here, in e.Error
    // (as a SecurityException), not at the DownloadStringAsync call.
    if (e.Error == null)
    {
        Data.Text = e.Result;
    }
    else
    {
        Data.Text = "Error: " + e.Error.ToString();
    }
}

Let us deploy this application to each of the domains and try to access the file. Applications in every domain except api.site1.com will now receive a SecurityException.



To allow cross-domain access to the "api.site1.com" domain, we place a "clientaccesspolicy.xml" file in the root of the "api.site1.com" web site, so that it is served at "http://api.site1.com/clientaccesspolicy.xml". The file has the following format.



Listing 6 - Sample of "clientaccesspolicy.xml" file
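The XML of this listing did not survive extraction. The following is a reconstruction, in the documented clientaccesspolicy.xml format, of the allow-everything policy the text goes on to describe; it is added here and is not the author's original file:

```xml
<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <!-- any origin may call in, and may send any request header -->
      <allow-from http-request-headers="*">
        <domain uri="*"/>
      </allow-from>
      <!-- and may reach every path on this host -->
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
```

Every element of a policy is a grant: allow-from names the origins (scheme, host and port of the calling application), grant-to names the paths they may reach. Both are wide open here, which is the least restrictive policy the format can express.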



























Once this file is in place on the domain, cross-domain access is fully open and applications from any domain can reach it. We can confirm that the setup is correct by running our test application from each of the domains deployed earlier: all of them should now load the file.



The policy can also be narrowed so that access is possible only from certain domains. For example, the "clientaccesspolicy.xml" file can look as follows.



Listing 7 - Sample of "clientaccesspolicy.xml" file
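Reconstruction of this listing (the original XML was lost in extraction), added here and not the author's file: the domain elements name site1.com and site2.com explicitly. The scheme is assumed to be http and, with no port given, the port defaults to 80.

```xml
<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <!-- only applications served from these two origins -->
        <domain uri="http://site1.com"/>
        <domain uri="http://site2.com"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
```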





























In this case we allow access only from domains site1.com and site2.com.



We can also grant access to whole sets of subdomains rather than to individual hosts.



Listing 8 - Sample of "clientaccesspolicy.xml" file
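Reconstruction of this listing (the original XML was lost), added here and not the author's file. A leading "*." in the host part of the domain URI matches any subdomain; note that it matches the subdomains only, so if the application also runs on site1.com itself that host needs its own domain element:

```xml
<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <!-- api.site1.com, subdomain.api.site1.com, ... but not site1.com itself -->
        <domain uri="http://*.site1.com"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
```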



























In this case access is possible from any subdomain of site1.com (*.site1.com).



It is also possible to restrict the protocol and port of the calling application, because the domain URI names the origin of that application, scheme and port included. For example, the following policy allows access from any site, but only for applications served over HTTPS.



Listing 9 - Sample of "clientaccesspolicy.xml" file
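Reconstruction of this listing (the original XML was lost), added here and not the author's file. The wildcard host is kept, but the scheme is pinned to https, so an application loaded over plain http is refused; a port can be pinned in the same place (the 8443 in the comment is an illustrative value, not something from the original):

```xml
<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <!-- any host, but only when the application itself was served over HTTPS;
             "https://site1.com:8443" would additionally pin the port -->
        <domain uri="https://*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
```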



























It is also possible to limit the set of resources that are reachable from outside the domain. For example, the policy can grant cross-domain access to the "data.xml" file only.



Listing 10 - Sample of "clientaccesspolicy.xml" file
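Reconstruction of this listing (the original XML was lost), added here and not the author's file. The grant-to element lists a single resource, and include-subpaths="false" keeps the grant from spilling over into anything beneath that path:

```xml
<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <!-- only this one file is reachable cross-domain; everything else on the host stays closed -->
        <resource path="/data.xml" include-subpaths="false"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
```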



























It is also possible to control which HTTP request headers a cross-domain request may carry, using the http-request-headers attribute of the allow-from element. The attribute is an allow-list rather than a requirement: a request that carries a header not named in it is refused, so a SOAP call, for example, needs SOAPAction to be listed, and "*" permits any header.



Listing 11 - Sample of "clientaccesspolicy.xml" file
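Reconstruction of this listing (the original XML, including the name of the header it used, was lost), added here and not the author's file. SOAPAction is chosen for illustration because it is the header a SOAP client has to send:

```xml
<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <!-- a cross-domain request may carry the SOAPAction header; any other custom header is refused -->
      <allow-from http-request-headers="SOAPAction">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
```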



























Opening a domain in this way naturally weakens the security of the resources on it. A permissive policy grants access not only to our own applications but to any application that runs on an allowed origin, and with a wildcard policy that means every site a user happens to visit. Because requests made through the browser stack carry the user's cookies for the target domain, a wildcard policy on a domain that authenticates users with cookies lets a hostile page read data as that user. That is why web services that must be reachable from other domains are usually moved to a separate domain: the application runs within "site1.com", the web services within "api.site1.com", and the application's cookies, scoped to site1.com, are not sent along with requests to the open domain.
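The policies above can be checked mechanically. The following script is an added example, not code from the original post: it evaluates whether an application at a given origin may fetch a given resource under a clientaccesspolicy.xml, and flags the wildcard-origin plus whole-site grant of Listing 6 as a review finding. Its matching rules follow the documented format; where the documentation leaves room (the default port of a domain URI, the default header allow-list, the meaning of include-subpaths="false") the assumptions are stated in the module docstring. The two embedded policies are constructed to mirror Listing 6 and a combination of Listings 7, 8 and 10; the function names are the example's own.

```python
"""Evaluate and audit a Silverlight clientaccesspolicy.xml.

Added example, not code from the original post. Matching rules follow the
documented format, with these points taken as assumptions:
  - a <domain uri> must match the caller's scheme; its host may be "*" or
    start with "*." (any subdomain); an omitted port means the scheme default;
  - http-request-headers is an allow-list; when absent, only Content-Type
    may be sent, and a request carrying any other header is refused;
  - include-subpaths="false" requires an exact path match.
"""
import fnmatch
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin_matches(domain_uri, origin):
    """Does one <domain uri="..."/> pattern cover the calling application's origin?"""
    if domain_uri == "*":
        return True
    pat, org = urlsplit(domain_uri), urlsplit(origin)
    if pat.scheme != org.scheme:
        return False
    if not fnmatch.fnmatchcase(org.hostname or "", pat.hostname or "*"):
        return False
    return (pat.port or DEFAULT_PORTS.get(pat.scheme)) == (org.port or DEFAULT_PORTS.get(org.scheme))


def _headers_allowed(allow_from, request_headers):
    """Every header the application wants to send must match an allow-list entry."""
    allowed = [h.strip().lower() for h in allow_from.get("http-request-headers", "Content-Type").split(",")]
    return all(any(fnmatch.fnmatchcase(h.lower(), a) for a in allowed) for h in request_headers)


def _path_granted(grant_to, path):
    """Exact match always counts; prefix match only when include-subpaths is true."""
    for res in grant_to.findall("resource"):
        base = res.get("path", "/")
        if path == base:
            return True
        if res.get("include-subpaths", "false").lower() == "true" and path.startswith(base.rstrip("/") + "/"):
            return True
    return False


def is_allowed(policy_xml, origin, resource_url, request_headers=()):
    """True if an application served from `origin` may fetch `resource_url` under this policy."""
    root = ET.fromstring(policy_xml)
    path = urlsplit(resource_url).path or "/"
    for policy in root.iter("policy"):
        allow_from, grant_to = policy.find("allow-from"), policy.find("grant-to")
        if allow_from is None or grant_to is None:
            continue
        if (any(_origin_matches(d.get("uri", ""), origin) for d in allow_from.findall("domain"))
                and _headers_allowed(allow_from, request_headers)
                and _path_granted(grant_to, path)):
            return True
    return False


def audit(policy_xml):
    """Findings a reviewer would raise: wildcard origins, worst when combined with a whole-site grant."""
    findings = []
    for n, policy in enumerate(ET.fromstring(policy_xml).iter("policy"), 1):
        uris = [d.get("uri", "") for d in policy.iter("domain")]
        any_origin = any(u in ("*", "http://*", "https://*") for u in uris)
        whole_site = any(r.get("path") == "/" and r.get("include-subpaths", "").lower() == "true"
                         for r in policy.iter("resource"))
        if any_origin and whole_site:
            findings.append("policy %d: every origin may read every path; the browser attaches the user's "
                            "cookies, so any site the user visits can read whatever the user can" % n)
        elif any_origin:
            findings.append("policy %d: every origin is trusted; keep the granted paths free of user-specific data" % n)
    return findings


# Constructed sample policies: ALLOW_ALL mirrors Listing 6, RESTRICTED combines Listings 7, 8 and 10.
ALLOW_ALL = """<access-policy><cross-domain-access><policy>
  <allow-from http-request-headers="*"><domain uri="*"/></allow-from>
  <grant-to><resource path="/" include-subpaths="true"/></grant-to>
</policy></cross-domain-access></access-policy>"""

RESTRICTED = """<access-policy><cross-domain-access><policy>
  <allow-from><domain uri="http://site1.com"/><domain uri="http://*.site1.com"/><domain uri="http://site2.com"/></allow-from>
  <grant-to><resource path="/data.xml" include-subpaths="false"/></grant-to>
</policy></cross-domain-access></access-policy>"""

if __name__ == "__main__":
    print(is_allowed(RESTRICTED, "http://site3.com", "http://api.site1.com/data.xml"))
    print(audit(ALLOW_ALL))
```

Run against the policy file of a domain you are assessing, is_allowed answers the question the experiment above answers by hand for each origin, and audit gives the one-line finding that belongs in a report when the file is the allow-everything variant.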

Debugging Web Service Usage in Silverlight 2



(Cross-posted from http://eugeneos.blogspot.com/2008/04/debugging-web-service-usage-in.html)



Silverlight 2 Beta1 makes it easy to use Web Services based on either the WCF technology (Windows Communication Foundation), the “.asmx” technology (ASP.NET Web Services), or practically any other SOAP platform.



Unfortunately, when something goes wrong with service consumption, you often run into cryptic and incomprehensible error messages that don’t help you much. We are looking into various ways to make this better by the time we fully ship Silverlight 2, but for now I hope that this post will be useful in helping you debug common problems. Here are the things you can try:



Does your proxy compile?



After you use the “Add Service Reference” dialog to add a reference to a service, try building your project. If you get compilation issues in the generated proxy code, you are probably using a service that uses some feature that is not supported in Beta1. We are trying to fix all or most of these by the time we ship, but for now the easiest thing to do is to find the offending code in the generated proxy and just remove it – naturally this workaround does not work in all cases :) Some common things that will cause non-compilable proxies in Beta1:



- Using custom SOAP headers in your service

- Using custom SOAP faults

- Using “wildcard” schema in your service like xsd:any or xsd:anyattribute



And specifically if your service is a WCF (or in some cases .ASMX) service:



- Using XML types like XmlElement/XElement/XmlNode[]/XmlAttribute/etc. in your service

- Using Datasets in your service

- Using types that implement ISerializable in your service (except for collections)

- Using WCF Transactions features

- Using the Stream type in your service

- Using MessageHeaderAttribute in Message Contracts



Check the Configuration



The next step is to check whether the service is configured correctly. You should have a file called ServiceReferences.ClientConfig generated by Add Service Reference. It actually doesn’t do anything at all in Beta1! This (understandably) confuses a lot of people. Starting with Beta2, we will actually start using this file, but for now any changes that you’ll make in it won’t actually affect anything.



However, the file is still useful for debugging. Look in the file – it should look something like this:
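The ServiceReferences.ClientConfig listing was lost in extraction. The following is a reconstruction, added here and not the original file, of what Add Service Reference generates for a basicHttpBinding service; the address is the one used later in this post, and the contract, binding and endpoint names are assumed:

```xml
<configuration>
  <system.serviceModel>
    <bindings>
      <basicHttpBinding>
        <binding name="BasicHttpBinding_ITestService" maxBufferSize="65536" maxReceivedMessageSize="65536">
          <security mode="None" />
        </binding>
      </basicHttpBinding>
    </bindings>
    <client>
      <!-- exactly one endpoint for the service, and its binding is basicHttpBinding -->
      <endpoint address="http://localhost:5678/foo/TestService.svc"
                binding="basicHttpBinding"
                bindingConfiguration="BasicHttpBinding_ITestService"
                contract="TestService.ITestService"
                name="BasicHttpBinding_ITestService" />
    </client>
  </system.serviceModel>
</configuration>
```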



















Notice that it has exactly one endpoint element for the service you just added a reference to, and the binding is basicHttpBinding.



If you don’t see an endpoint element for your service, chances are your service wasn’t actually configured correctly for Silverlight consumption. Silverlight can only talk to simple SOAP services at this point – only SOAP 1.1, without any advanced WS-* protocols like WS-Addressing or WS-Security. If you are using “.ASMX” web services, they should just default to this simple configuration. If you are using WCF services, you need to check the configuration on the service side. Open web.config in your service-side project and find a place that looks like the following (usually towards the end):
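The web.config fragment the post refers to was lost in extraction. Below is a reconstruction, added here and not the original listing, of a WCF service section with the Silverlight-compatible endpoint and the metadata endpoint the post mentions; the service, contract and behavior names are assumed:

```xml
<system.serviceModel>
  <services>
    <service name="TestService" behaviorConfiguration="TestServiceBehavior">
      <!-- the endpoint Silverlight talks to: SOAP 1.1 over plain HTTP, no WS-* -->
      <endpoint address="" binding="basicHttpBinding" contract="ITestService" />
      <!-- metadata endpoint used by Add Service Reference; leave it as it is -->
      <endpoint address="mex" binding="mexHttpBinding" contract="IMetadataExchange" />
    </service>
  </services>
  <behaviors>
    <serviceBehaviors>
      <behavior name="TestServiceBehavior">
        <serviceMetadata httpGetEnabled="true" />
        <!-- set to true only while debugging: it returns internal exception details to every caller -->
        <serviceDebug includeExceptionDetailInFaults="false" />
      </behavior>
    </serviceBehaviors>
  </behaviors>
</system.serviceModel>
```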





...









...









Find the endpoint whose “contract” attribute refers to your service. Make sure that the “binding” attribute is set to “basicHttpBinding”. Unfortunately the default for WCF is “wsHttpBinding”, but it doesn’t work with Silverlight. We are hoping to ship a Visual Studio item template in the future (“Add New Item… Silverlight-enabled WCF Service”) that will have a number of Silverlight-friendly defaults, including the correct binding.



It is ok to have other endpoint elements for other contracts with other bindings - for example, do not change the "mexHttpBinding" in the second endpoint element above.



You should check your service-side configuration even if the client-side ServiceReferences.ClientConfig appears to be correct.



If ServiceReferences.ClientConfig contains more than one endpoint for your service, you may need to use a more complicated constructor to new up your service proxy – the one that takes a Binding and an EndpointAddress. Not to worry – just pass a new BasicHttpBinding() and a new EndpointAddress built from the URL of your service.



By the way, our long-term (post-Beta1) plans for the config file are described here: http://blogs.msdn.com/suwatch/archive/2008/04/07/tutorial-using-silverlight-web-service-client-configuration.aspx



Check if the Service is Running



Before looking for problems on the Silverlight side, it is useful to first check whether the service itself is working. A quick-and-dirty way to check is to just type the service address into a web browser (not the address you typed into the “Add Service Reference” dialog, but the address you can find in ServiceReferences.ClientConfig). In many cases, the “service help page” feature will be turned on and you will see either a page indicating that the service is running, or an error page which you can use as a starting point for debugging.



A more reliable way to test whether the service is working is to use a test tool such as the WCF Test Client (http://msdn2.microsoft.com/en-us/library/bb552364.aspx) to try and talk to the service.



Finally, an almost sure-fire but sometimes lengthy way of finding out whether the problem is with the Silverlight code or with the service code is to try using the service without Silverlight :) Just create a new project of type “Console Application”, do an Add Service Reference to that project just like in Silverlight, and write service consumption code inside Main() – again, just like in Silverlight. Use Console.WriteLine to show the results.



Check for Cross-Domain Issues



Start your Silverlight application. Note the URL that appears in the browser (e.g. http://localhost:1111/something/MyGraphicalApp.aspx) – this is your “Application URL”. (Actually, what matters here is the URL of the XAP file, e.g. http://localhost:1111/somethingelse/MyGraphicalApp.xap, but in most simple cases this URL would be in the same domain as the hosting web page, so I’m ignoring the difference for now). Then, look at the URL in the ServiceReferences.ClientConfig file – e.g. http://localhost:5678/foo/TestService.svc or local.live.com/SearchService/LocalSearch.asmx - this is your “Service URL”.



In Beta1, both the “Application URL” and the “Service URL” must be HTTP URLs (not HTTPS) for service consumption to work. This is the first thing to check.



Also, a common mistake is to run your Silverlight application from a file:// Application URL, resulting in cross-domain issues. Sometimes, you run into this if you just hit F5 to run your Silverlight app – instead, right-click on the .aspx page in your project and choose “View in Browser”.



Now you need to figure out the domains for these URLs. The domain is basically everything between http:// and the first slash after it, including the port number (assumed to be 80 if none is given). If the domain of the Application URL differs from the domain of the Service URL in any way (even only in the port number, or in a single label of the host name), you have a cross-domain situation. For example, if your app is at http://localhost:1111/something/MyGraphicalApp.aspx and it is trying to call into http://localhost:5678/foo/TestService.svc, you have a cross-domain situation because localhost:1111 is different from localhost:5678.



Silverlight documentation tells you that if you are in a cross-domain situation, you need to have a “cross-domain policy file” (clientaccesspolicy.xml or crossdomain.xml) present if you want services to work. There is an easy way to check if you have everything set up correctly: Just open a browser and browse to http://service_domain/clientaccesspolicy.xml and http://service_domain/crossdomain.xml. If at least one of these is present, valid and allows cross-domain access – you’re fine. If not, you need to make sure at least one of these files is present.



A common mistake is to put the cross-domain policy file not directly at the root of the domain – for example, at http://localhost:5678/foo/clientaccesspolicy.xml instead of at http://localhost:5678/clientaccesspolicy.xml. It is easy to run into this situation when working with older (.NET 2.0) projects – see http://timheuer.com/blog/archive/2008/04/09/silverlight-cannot-access-web-service.aspx.



Also, make sure to check the syntax of these files – an error in parsing will be treated essentially the same way as if the file was not there. Also note that clientaccesspolicy.xml and crossdomain.xml have different syntax – make sure you use the appropriate content for the file you choose.



A neat trick for adding cross-domain policy files to WCF services that are not hosted in IIS is described here: http://blogs.msdn.com/carlosfigueira/archive/2008/03/07/enabling-cross-domain-calls-for-silverlight-apps-on-self-hosted-web-services.aspx



Enable Exceptions



Normally, Silverlight does not give you much information in exception messages. This decision was made to make the Silverlight download size smaller (exceptions take up a lot of space, especially once they’re translated into all of the languages Silverlight supports). You can read more about this, and find out how to turn on full exceptions for debugging, here: http://blogs.msdn.com/silverlightws/archive/2008/04/06/getting-full-exceptions-in-silverlight-2-beta-1.aspx



Also, if you are using a WCF service, WCF does not normally return much information about server-side exceptions. This is a security measure: you normally don’t want to expose internal information about your service to the outside world. However, during debugging, you can change this (the includeExceptionDetailInFaults setting of the serviceDebug behavior) by following the steps here: http://blogs.devdeo.com/carlos.medina/PermaLink,guid,b3bff742-0ec9-4f5c-a178-625220a46652.aspx. Make sure to turn it off once you’re done debugging: while it is on, every caller receives stack traces and internal type names from your service.



Finally, this seems obvious but a lot of people forget about it for some reason - when you get an exception, don’t just look at the exception itself - look at its innerException, and the innerException inside it, etc. Especially in web service scenarios, the truly useful exceptions are often “wrapped” in several layers.



Unfortunately, even with all of the steps above, you often still won’t see much useful information when a web service call fails. This is due to a pretty fundamental limitation of Silverlight Beta1 (that unfortunately may stay around even after the Beta) – the lack of support for SOAP Faults. So, to truly debug, you need to see what is actually going on – this is what the next section is about.



Getting Down to the Wire



The ultimate way to debug Silverlight service consumption issues is by using an “HTTP spying” tool such as http://www.fiddlertool.com/fiddler/ or http://projects.nikhilk.net/webdevhelper/ that shows you the actual HTTP traffic as it happens. Before using it, make sure to enable server-side exceptions (see above). Start your Silverlight app and your tool side-by-side, and make your app do a web service call. Here are some common patterns you will see:



1. Nothing

- Your HTTP spying tool may be misconfigured (try running another, non-Silverlight app, like a regular web browser, to make sure it works)

- Your app may be broken – put a breakpoint where you invoke the service, make sure it’s hit

- You may have a configuration issue – see Configuration section above

- You may be trying to host your application from a file:// or https:// URL, or trying to call an https:// service



2. Just a service request

- Congratulations – you’ve avoided a cross-domain situation if you see the actual request to the service on the wire.

- Is the address what you expected it to be?

- Look at what’s coming back. Is it timing out or are you getting a 404? Your service or even WCF itself may not be set up correctly.

- Are you getting a SOAP fault back? If so, read carefully what’s in the fault – it will usually have enough information to debug the issue.

- In general, look very carefully at both the request and the reply (including the body and HTTP headers)

- Did you remove anything to get the proxy to compile? The service may actually require some items that you removed (e.g. may require certain SOAP headers)



3. A request to clientaccesspolicy.xml (and possibly crossdomain.xml afterwards), followed by a request to the service

- Congratulations – you have a cross-domain situation but you have successfully set up your cross-domain policy files

- This is now equivalent to situation #2 above



4. Just a request to clientaccesspolicy.xml and nothing else

- Most likely a malformed clientaccesspolicy.xml, or one that contains a policy that forbids cross-domain access



5. A request to clientaccesspolicy.xml, then crossdomain.xml, then nothing else

- Basically, something went wrong with cross-domain policy files.

- Are you getting 404s back? Check if you’re hosting the files correctly and at the correct locations

- Are you getting the actual files back? They may be malformed or may forbid cross-domain access
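The five patterns above can be recognised from the capture itself. The following script is an added example, not code from the original post: it reads a trace in a simple constructed "METHOD URL STATUS" line format (one line per request, the way you would transcribe them from Fiddler), classifies it into one of the five patterns with the matching hint, and applies the post's domain-comparison rule to an application URL and a service URL. The host names and function names are the example's own.

```python
"""Classify a captured HTTP trace of a Silverlight service call.

Added example, not code from the original post. Input lines are
constructed as "METHOD URL STATUS"; anything else is ignored.
"""
from urllib.parse import urlsplit

POLICY_FILES = ("/clientaccesspolicy.xml", "/crossdomain.xml")
DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_trace(text):
    """Turn 'GET http://host:port/path 200' lines into (method, path, status) tuples."""
    requests = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # not a request line
        method, url, status = parts
        requests.append((method.upper(), urlsplit(url).path, int(status)))
    return requests


def classify(trace):
    """Return (pattern number, diagnosis) following the five cases listed in the post."""
    reqs = parse_trace(trace)
    if not reqs:
        return 1, "nothing on the wire: check the spying tool, the app, its config, and that app and service are both http://"
    policy = [r for r in reqs if r[1] in POLICY_FILES]
    service = [r for r in reqs if r[1] not in POLICY_FILES]
    if service and not policy:
        return 2, "same-domain call reached the service: inspect the request and reply"
    if service and policy:
        return 3, "cross-domain call with a working policy file: inspect the request and reply"
    paths = [p for _, p, _ in policy]
    if paths == ["/clientaccesspolicy.xml"]:
        return 4, "clientaccesspolicy.xml was fetched but the call stopped: the file is malformed or forbids this origin"
    if any(s == 404 for _, _, s in policy):
        return 5, "no policy file is served at the domain root: host clientaccesspolicy.xml or crossdomain.xml there"
    return 5, "both policy files were fetched but neither permitted the call: check their syntax and the origins they allow"


def same_domain(app_url, service_url):
    """The post's rule: scheme, host and port (80 when absent) must all be equal."""
    def key(url):
        u = urlsplit(url)
        return u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme, 80)
    return key(app_url) == key(service_url)


if __name__ == "__main__":
    # Constructed trace: policy file missing on both names, so the call never happens (pattern 5).
    sample = """GET http://localhost:5678/clientaccesspolicy.xml 404
GET http://localhost:5678/crossdomain.xml 404"""
    print(classify(sample))
    print(same_domain("http://localhost:1111/something/MyGraphicalApp.aspx",
                      "http://localhost:5678/foo/TestService.svc"))
```

The script does not replace looking at the bodies: once you are in pattern 2 or 3 the interesting information is in the SOAP reply, which this only tells you to read.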