I am accessing SharePoint web services from a Silverlight application. I have put the clientaccesspolicy.xml file in the root of my SharePoint site, so I can access them fine.
What I would like to do though is hard code the user credentials so the web service always connects with the same user.
Is this possible and if so how?
Thanks in advance.
After emailing Tim Heuer, I was informed that it is not possible in SL3, but will be in SL4!
I've recently run into a similar case where I need to pass a specific credential to the generated web service client proxy in Silverlight 4 OOB. For whatever reason I am still getting prompted for authentication, so I'm not sure if it's there in SL4.
What I know is possible in SL4 is that you can force an HttpRequest to use the ClientHttp stack instead of the WebBrowser one. I've used this with a SharePoint 2010 OData feed (_vti_bin/listdata.svc) before successfully, but to access SharePoint Web Services (for example: _vti_bin/lists.asmx), it's a different story.
I finally decided to create my own workaround (specific to SL OOB w/ Elevated Privilege) for this that should work on SL3 OOB and SL4 OOB with elevated privilege. Basically creating my own SharePoint Web Service proxy using the ClientHttp stack and composing and passing my own SOAP message manually using WebRequest.
I blogged about how to do this here.
Related
Last year someone reported encountering this problem ("The Silverlight project you are about to debug uses web services. Calls to the web service will fail unless the silverlight project is hosted in and launched from the same web project that contains the web services.") and accepted the answer to "set the web project which hosts the Silverlight application to be your startup project."
I'm seeing the same message, but think the solution might have to be different. I am building in VS 2010 a Silverlight application to access the Google Weather API, with VB as the code-behind. The API will return an XML file with data for the specified city (ex., "http://www.google.com/ig/api?weather=london,england"). The Solution Explorer only shows my VB/Silverlight project ("GetWeather"), and the Project Properties dialog box shows the Startup Object as "GetWeather.App" -- the only choice. I'm trying to use a WebClient object to make the call and an XDocument object to parse the return. But I repeatedly get the above error message, with no other result. What am I doing wrong?
Thank you in advance!
I would add a simple Web project and configure it to host the Silverlight app. You'll need to host the app somewhere anyways, so why not create a stub ASP.NET application in your solution? The easiest way is to create a new Silverlight app solution selecting an ASP.NET web project as the host, and then copying your existing code to that solution. Then you should set the web project as the startup one. This should make debugging a lot easier.
Besides, do remember to configure the client access policy to enable cross-domain calls. Check out this article
I'm trying to authenticate my Silverlight application to get the Windows user name, which I then use to get some further information. I have looked it up, but the answers I found were about configuring the web service to get it. Is there a way to get Windows credentials strictly in Silverlight? I cannot find .Credentials; the only thing I see is .ClientCredentials, but apparently it doesn't show the required information. I am getting the string "System.ServiceModel.Security.UserNamePasswordClientCredential". It actually allows me to set up the name, not retrieve it. Also there is a web service called authentication.asmx, but as before it applies to other purposes. Neither do I have any web service I could reference and configure. Or am I missing something? Perhaps I can retrieve the Windows credential by NTLM or Kerberos? I am using Visual Web Developer 2010 Express with Silverlight 5.
My experience is that the Membership framework that is present in the ASP.NET world is not available in Silverlight. In order to achieve something similar I had to implement a web service (WCF) that was directed at the domain's Active Directory (LDAP) server. Silverlight is a very strict framework in terms of interoperability; it's good for security but has some limitations.
I am not sure about your level of knowledge of Active Directory, but here is a link that deals with a lot of the possible operations and has sample C# code to go along.
http://www.codeproject.com/Articles/18102/Howto-Almost-Everything-In-Active-Directory-via-C#40a
I am confused by when and how to use the clientaccesspolicy.xml file in Silverlight. What is it for? Right now, my deployed site (not localhost but the remote server) does NOT have it and I can still access the web site and query the database through a WCF web service. Why should I include it in my root directory?
You only need it if your Silverlight app will be accessing a service in another domain.
E.g. (from the MS site):
"For example, a Silverlight control hosted at http://contoso.com/mycontrol.aspx can access only services on that same domain by default – for example http://contoso.com/service.svc, but not a service at http://fabrikam.com/service.svc."
When your Silverlight application tries to access a method of a web service.
For security, Silverlight first identifies that the service is a valid one, not a fake.
For that, Silverlight first requests the "ClientAccessPolicy.xml" file, and the requested web service returns the XML file; after that, Silverlight checks that the application is allowed to accept calls from the current service. If yes, then the app is free to make a service call to the verified service.
I want to use Silverlight to parse http://www.downforeveryoneorjustme.com/http://bing.com/ and see if "bing.com" is up. Is this possible in a Silverlight site (running in-browser with no elevated trust)?
It's possible if you can get their participation: they'd need a clientaccesspolicy.xml or crossdomain.xml that allows your hosting domain (or all domains) access. Without that, you're pretty much hosed for direct access from Silverlight without elevated trust.
That said, you could easily have the server that's hosting your Silverlight xap make the outbound connection via a service call, then proxy the result back to a Silverlight client.
We have a Silverlight app which we wrote which calls a Silverlight-enabled data service. The Silverlight app cannot require a login, as it is required to present data to the unauthenticated public.
We have some schmoe who took the time to examine our Silverlight app, one way or another figure out what service it is calling, and then wrote his own client to slurp off the data so he can post it on his site and pretend like it is his. We need to prevent this.
How can I limit my data service somehow to ONLY accept requests from my Silverlight app? I tried using the allow-from domain uri setting in the clientaccesspolicy.xml file to limit access to the service only from the domain in which the Silverlight app sits (say mydomain.com). This did absolutely nothing though, and the service is still serving up requests to clients from outside the domain. (I tested this by putting my SL app on a different domain under our control).
What is the proper/best/most effective way to limit the data service so only our app can use it? Thanks!!!
I'm using SL 3 and .NET 3.5.
The clientaccesspolicy.xml tells the Silverlight application which web service it can consume. It does not prevent people from accessing the web service.
You can try using an authentication login even though it's not required. This prevents 'schmoes' from accessing your web service.
Also use Dotfuscator to prevent 'schmoes' from disassembling your Silverlight application and acquiring the login.
Silverlight web service security follows the same patterns you'd use for ASP.NET security, especially services exposed to AJAX. The best way to do it is to make use of ASP.NET's authentication.
RIA Services is an even better way to handle this. It rides on top of the ASP.NET authorization, but validates on both the client and server side automatically to combat service spoofing. It lets you take care of both client and server-side authorization by adding attributes to your methods indicating that the method requires authorized access, and by which groups or users if you need to be specific.
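An added example, not code from any of the posts above: a simplified Python model of the check the Silverlight runtime performs on a clientaccesspolicy.xml, as described in the "what is it for" answers and in the answer just above, plus an audit helper that flags allow-all entries. The decision is made inside the client, so an HTTP client that never fetches the policy file is unaffected by it. The function names, the sample policy and the /services/ path are assumptions, and the origin matching is reduced to exact and `*` wildcard matches.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed sample policy (mydomain.com is the placeholder used in the question).
SAMPLE_POLICY = """<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="SOAPAction">
        <domain uri="http://mydomain.com"/>
      </allow-from>
      <grant-to>
        <resource path="/services/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>"""


def _origin(url):
    """Reduce a page URL to scheme://host[:port], lower-cased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def client_would_allow(policy_xml, app_url, service_path):
    """Simplified model of the decision made inside the Silverlight client."""
    for policy in ET.fromstring(policy_xml).iter("policy"):
        uris = [d.get("uri", "").lower().rstrip("/") for d in policy.iter("domain")]
        if not any(fnmatchcase(_origin(app_url), uri) for uri in uris):
            continue  # this policy block does not cover the calling application
        for res in policy.iter("resource"):
            path = res.get("path", "")
            subpaths = res.get("include-subpaths", "false").lower() == "true"
            prefix = path.rstrip("/") + "/"
            if service_path == path or (subpaths and service_path.startswith(prefix)):
                return True
    return False


def wildcard_domains(policy_xml):
    """Audit helper: allow-from entries that match every calling origin."""
    return [d.get("uri") for d in ET.fromstring(policy_xml).iter("domain")
            if d.get("uri") in ("*", "http://*", "https://*")]
```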
In addition to wire-side security and obfuscation, remember that clients can attach a debugger to Silverlight applications running in their browser. See this example from MSDN Magazine's Security IQ Test, November 2008.