Silverlight Security Issue: Self Signed Certificate - silverlight

I am using a Silverlight 4 application in two scenarios.
Scenario 1: Silverlight and RPC on same machine
Being run hosted on a web page on the file system, silverlight XAP is also on the file system:
C:\Silverlight\FSSilverlightApp\bin\Debug\SilverlightApplication2TestPage.html
Connecting to a web site on localhost, being accessed:
https://localhost/rpc/someMethod
These are two separate URIs so the browser detects and immediately requests (track via Fiddler):
https://localhost/clientaccesspolicy.xml
successfully returns:
<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="http://*"/>
        <domain uri="https://*" />
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
The application is then able to make the RPC requests (observed via Fiddler).
Everything is fine. If I change the remote host to the local machine name instead of localhost, that works fine as well.
Scenario 2: Silverlight on local machine and RPC is remote
In this scenario, I am using a different desktop to access the same RPC server used in scenario 1.
Silverlight starts up, and no request to clientaccesspolicy.xml is made.
Fiddler shows a ton of HTTPS tunnels being established, but no communication between my machine and the remote server.
The following security exception is returned:
System.Security.SecurityException ---> System.Security.SecurityException: Security error.
at System.Net.Browser.ClientHttpWebRequest.InternalEndGetResponse(IAsyncResult asyncResult)
at System.Net.Browser.ClientHttpWebRequest.<>c__DisplayClass5.<EndGetResponse>b__4(Object sendState)
at System.Net.Browser.AsyncHelper.<>c__DisplayClass2.<BeginOnUI>b__0(Object sendState)
--- End of inner exception stack trace ---
at Microsoft.FSharp.Control.WebExtensions.AsyncGetResponse#1781-1.Invoke(Exception _arg1023)
at Microsoft.FSharp.Control.AsyncBuilderImpl.callA#736.Invoke(AsyncParams`1 args)
I assume this is an IE configuration issue. I tried setting the machine in scenario 1 as a trusted site inside of Internet Explorer and that didn't seem to work... This must be a self-signed or mismatched certificate issue. Any thoughts?
Using: IE 8 and Windows 7
Thoughts?

I used Fiddler to sit in between the Silverlight client and the server. In order to get that to work properly I needed to export the Fiddler certificate (tools\fiddlerOptions\https) and install it locally as the root certificate authority.

Related

Silverlight clientaccesspolicy.xml

We have Silverlight Application with RIA web service. URL: https://mysite.mydomain.com/services/mysitewebservice.svc
Also, we have a Sharepoint (SharePoint 2013) site hosted in separate domain. URL: https://mysharepointsite.mydomain.com
The Silverlight RIA service is called in SharePoint Silverlight Web Part.
I placed the "clientaccesspolicy.xml" file in the Silverlight root site (URL: https://mysite.mydomain.com/clientaccesspolicy.xml) and I can view this file in IE v11 browser. Compatibility view is ON.
<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
But when calling the service in the SharePoint site SL Web Part, an exception error still occurs.
"Load operation failed for query 'GetMyData'. An error occurred while trying to make a request to URI 'https://mysite.mydomain.com/services/mysitewebservice.svc/binary/GetMyData?category=sales'. This could be due to attempting to access a service in a cross-domain way without a proper cross-domain policy in place, or a policy that is unsuitable for SOAP services. You may need to contact the owner of the service to publish a cross-domain policy file and to ensure it allows SOAP-related HTTP headers to be sent. This error may also be caused by using internal types in the web service proxy without using the InternalsVisibleToAttribute attribute. Please see the inner exception for more details."
I read a bunch of forums and articles, but they all point to placing the clientaccesspolicy.xml in the root site.
What is missing? Please help.

getting crossdomain error in silverlight and clientaccesspolicy 304 error

I need to write some data to the DB from a Silverlight 4 application.
I'm using a Silverlight Enabled WCF Web Service. I've published it to IIS7 and added a ClientAccessPolicy.xml file to the inetpub/wwwroot (among other places) so I can access localhost/ClientAccessPolicy.xml just fine. I also added crossdomain.xml just in case.
I also have a Silverlight4 client app which accesses this service and runs through VS2010 on development server.
When trying to invoke a method in the WebService I'm getting a crossdomain error although I have a crossdomain policy in place and the web service is working fine.
When using Fiddler I see I'm getting a 304 error when the client app is trying to access the clientaccesspolicy.xml.
If I also publish the client app to IIS7 (both under port 80), I can run it using a browser on the same machine with no problem. But when I try to access it on a different machine, I again get a crossdomain error.
I tried everything but I can't find an answer for this problem anywhere! Please help!!
This is what my ClientAccessPolicy.xml looks like:
<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="SOAPAction">
        <domain uri="http://*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
I have struggled with this misleading "crossdomain error" before, and after reading your situation I can tell for sure that the ClientAccessPolicy.xml configuration is not the issue here; you should look elsewhere.
A few things I would do:
- Check my client config and web service configs (double-check endpoints, behaviours and finally binding protocols) on the Silverlight app.
- Enable error logging for your WCF service.
- Make sure you are passing the right authentication token to your web service (enable anonymous authentication for the web application hosting the WCF service).

WCF RIA Services domain service over https client access policy problems

We have a WCF RIA domain service with
[EnableClientAccess(RequiresSecureEndpoint = true)]
We have the website set to use http and https. We have a client access policy file in the root of the website like this:
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="http://*"/>
        <domain uri="https://*"/>
      </allow-from>
      <grant-to>
        <resource include-subpaths="true" path="/"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
When we access the Silverlight application over https everything is fine. When we access it over http we get the following error:
Invoke operation 'Working' failed. An error occurred while trying to make a request to URI 'https://localhost/ClientBin/SilverlightApplication3-Web-DomainService1.svc/binary/Working'. This could be due to attempting to access a service in a cross-domain way without a proper cross-domain policy in place, or a policy that is unsuitable for SOAP services. You may need to contact the owner of the service to publish a cross-domain policy file and to ensure it allows SOAP-related HTTP headers to be sent. This error may also be caused by using internal types in the web service proxy without using the InternalsVisibleToAttribute attribute. Please see the inner exception for more details.
Which implies that our policy file is incorrect, but can't see what. Any ideas?
The reason that it wasn't working was that we were using a self-signed certificate, generated with the machine name, and then using localhost in the URL. The URL has to match to ensure that the SSL connection gets no certificate errors.
A good way to check this was to run the entire site over https and ensure that the browsers do not give a certificate error.
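The name mismatch described in the answer above, as an added Python example that is not part of the original thread. The machine name "devbox01" and the certificate contents are constructed; the dictionary uses the shape returned by Python's ssl.SSLSocket.getpeercert().

```python
from urllib.parse import urlsplit

# Constructed sample: a self-signed certificate issued to the machine name
# (hypothetical "devbox01"), in the dict shape ssl.SSLSocket.getpeercert() returns.
SELF_SIGNED = {
    "subject": ((("commonName", "devbox01"),),),
    "subjectAltName": (("DNS", "devbox01"), ("DNS", "devbox01.corp.example")),
}

def cert_names(cert):
    """Names a client compares the URL host against: SAN entries, else the CN."""
    san = [v for k, v in cert.get("subjectAltName", ()) if k in ("DNS", "IP Address")]
    if san:
        return san
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Exact match, or a wildcard standing for exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, tail = host.partition(".")
        return bool(head) and tail == pattern[2:] and "." in tail
    return pattern == host

def check_urls(urls, cert):
    """Map each URL to True/False: does its host pass the certificate name check?"""
    names = cert_names(cert)
    result = {}
    for url in urls:
        host = urlsplit(url).hostname or ""
        result[url] = any(name_matches(n, host) for n in names)
    return result
```

Run check_urls over every service and policy URL the client is configured with; any False entry is a URL that will produce a certificate name error. Passing the name check does not make a self-signed certificate trusted, which is a separate check against the client's root store.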

Silverlight 4 WCF "Cross-Domain" error

We have a WCF service running on a remote server. It runs as a Windows Service, not hosted in IIS. We can hit this WCF service from our WinForms and WPF apps without any problem. However, when we attempt to hit it from a Silverlight 4 app, we get the following error:
An error occurred while trying to make a request to URI 'http://111.111.111.111/8484/Psn'. This could be due to attempting to access a service in a cross-domain way without a proper cross-domain policy in place, or a policy that is unsuitable for SOAP services. You may need to contact the owner of the service to publish a cross-domain policy file and to ensure it allows SOAP-related HTTP headers to be sent. This error may also be caused by using internal types in the web service proxy without using the InternalsVisibleToAttribute attribute. Please see the inner exception for more details.
Could someone put this into English and explain what I might be able to do to satisfy Silverlight?
The first thing to check is that you have a clientaccesspolicy.xml file or crossdomain.xml file on the WCF service host. Either of these files can be used to control which domains have access to your service. Without them no one has any access from Silverlight. These files live in the root of the WCF service host:
If, for example, the service is hosted in http://fabrikam.com then the file must be located at http://fabrikam.com/clientaccesspolicy.xml ... [or] ... http://fabrikam.com/crossdomain.xml.
The following clientaccesspolicy.xml file will allow access from http://www.example.com but block it from everywhere else:
<?xml version="1.0" encoding="utf-8"?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="SOAPAction">
        <domain uri="http://www.example.com"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
A similar crossdomain.xml file would be:
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.macromedia.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-http-request-headers-from domain="http://www.example.com" headers="SOAPAction,Content-Type"/>
</cross-domain-policy>
Source
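A simplified evaluator for the clientaccesspolicy.xml format discussed in the answer above, useful for auditing which callers a policy admits. This is an added Python example, not part of the original answer and not Silverlight's own logic; the function names are hypothetical, and the handling of a bare "*" (same scheme as the service only) is an assumption labelled in the code.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# The policy quoted in the answer above (XML declaration omitted).
RESTRICTED = """<access-policy><cross-domain-access><policy>
  <allow-from http-request-headers="SOAPAction">
    <domain uri="http://www.example.com"/>
  </allow-from>
  <grant-to><resource path="/" include-subpaths="true"/></grant-to>
</policy></cross-domain-access></access-policy>"""
# Constructed variant: the same policy with the wildcard several posts here use.
WIDE_OPEN = RESTRICTED.replace("http://www.example.com", "*")

def domain_allows(pattern, caller, service_scheme):
    """Match one <domain uri="..."/> against the origin hosting the XAP."""
    c = urlsplit(caller)
    if pattern == "*":
        # Assumption: a bare "*" admits callers of the service's own scheme only.
        return c.scheme == service_scheme
    p = urlsplit(pattern)
    if p.scheme != c.scheme:
        return False
    phost, chost = p.netloc.lower(), c.netloc.lower()
    return (phost in ("*", chost)
            or (phost.startswith("*.") and chost.endswith(phost[1:])))

def header_allows(spec, headers):
    allowed = {h.strip().lower() for h in (spec or "").split(",")}
    return "*" in allowed or all(h.lower() in allowed for h in headers)

def path_allows(resource, path):
    base = resource.get("path", "")
    if resource.get("include-subpaths", "false").lower() == "true":
        return path == base or path.startswith(base.rstrip("/") + "/")
    return path == base

def is_allowed(policy_xml, caller, service_url, headers=()):
    """True if any <policy> grants `caller` access to `service_url`."""
    svc = urlsplit(service_url)
    for policy in ET.fromstring(policy_xml).iter("policy"):
        allow = policy.find("allow-from")
        if (allow is not None
                and header_allows(allow.get("http-request-headers"), headers)
                and any(domain_allows(d.get("uri", ""), caller, svc.scheme)
                        for d in allow.findall("domain"))
                and any(path_allows(r, svc.path or "/") for r in policy.iter("resource"))):
            return True
    return False
```

Running a deployed policy through is_allowed with the origins that should and should not reach the service shows how much a wildcard domain or http-request-headers="*" widens access compared with the single-origin policy.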

Using web client in Silverlight

I am having a heck of a time calling a RESTful service from within silverlight. I am encountering this error:
{System.Security.SecurityException ---> System.Security.SecurityException: Security error.
at System.Net.BrowserHttpWebRequest.InternalEndGetResponse(IAsyncResult asyncResult)
at System.Net.BrowserHttpWebRequest.<>c__DisplayClass5.<EndGetResponse>b__4(Object sendState)
at System.Net.AsyncHelper.<>c__DisplayClass2.<BeginOnUI>b__0(Object sendState)
--- End of inner exception stack trace ---
at System.Net.AsyncHelper.BeginOnUI(SendOrPostCallback beginMethod, Object state)
at System.Net.BrowserHttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
at System.Net.WebClient.GetWebResponse(WebRequest request, IAsyncResult result)
at System.Net.WebClient.OpenReadAsyncCallback(IAsyncResult result)}
Which seems to be a popular error when using the webclient. I have put in place a clientaccesspolicy.xml
<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="*">
        <domain uri="*" />
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true" />
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
and I have watched the silverlight in fiddler and it does make a request to the web site and does get a 200 status back.
public void login(string userName, string password)
{
    WebClient client = new WebClient();
    Uri uri = new Uri(serverURI + "/clientaccesspolicy.xml");
    client.OpenReadCompleted += new OpenReadCompletedEventHandler(login_Complete);
    client.OpenReadAsync(uri);
}
private void login_Complete(object sender, OpenReadCompletedEventArgs e)
{
    byte[] buffer = new byte[e.Result.Length]; //crashes here with exception
    ...
}
I am more or less out of ideas. Anybody know what I'm doing wrong? Is there some issue with running the silverlight directly from a file:// uri?
Update: I deleted the clientaccesspolicy.xml file and kept just the crossdomain.xml file in place and bingo everything worked. That makes me believe that the error is in the clientaccesspolicy file but I copied that directly from microsoft. What gives?
I just spent 3 hours looking into this very issue. The cross domain access policy and client access policy files were a dead-end for me. Nothing would work. Then finally I ran into a post on the Silverlight.net forums by a Microsoft employee that helped me fix the issue.
The answer, at least in my case was the test webpage that Visual Studio generates when you create a new Silverlight application.
Basically you get two options when you start a Silverlight project. The first option will generate an HTML page dynamically when you run your application. The second option will create a separate ASP.NET project that will host your Silverlight application. If you choose the first option (dynamic test page) you will not be able to do any cross-domain requests; even if both your projects are on the same box it will somehow consider this a cross-domain call and fail (I am not sure why).
Create another Silverlight project, choose the second option, and move your XAML files in. That should fix your issue.
You can't request content from a website if your Silverlight application is running from a file:// URL.
For more information, see URL Access Restrictions in Silverlight.
Mmm...
Try with this cross domain file
<?xml version="1.0" encoding="utf-8" ?>
<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="SOAPAction" >
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource include-subpaths="true" path="/"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>
X-Cubed is correct: you cannot do cross-domain requests from file://. As Adam Berent pointed out, this means that if you use the TestPage generated by Visual Studio, your network requests will fail.
A workaround is to launch the TestPage using Chiron (usually used for dynamic languages) to serve it (because then the access is on http://) or off a development web server.
The catch is you actually have to attach the debugger manually to the browser in order to debug with networking (you can't just hit F5.)
