Silverlight looking at wrong url for clientaccesspolicy file - wcf

i have a silverlight app connected to a webservice over https.
The webservice is hosted on mydomain.com (not localhost).
When i run the silverlight, it makes https calls to webservice on mydomain.com, but also tries to access "http://localhost/clientaccesspolicy.xml" and fails obviously. Why is my SL app looking for cal.xml in localhost? why is it not looking for cal.xml in the mydomain.com?
Appreciate your thoughts.
Thanks!

"Before allowing a connection to a network resource, the Silverlight runtime will try to download a security policy file from the domain that hosts the network resource. There are two different methods used to download the security policy that depend on whether the connection request was from a WebClient or HTTP class or whether the connection request was from sockets.
If the connection request was from a WebClient or an HTTP class to a cross-domain site, the Silverlight runtime tries to download the security policy file using the HTTP protocol. The Silverlight runtime first tries to download a Silverlight policy file with a name of "clientaccesspolicy.xml" at the root of the requested target domain using the HTTP protocol.
If the "clientaccesspolicy.xml" is either not found (the web request returns a 404 status code), returned with an unexpected mime-type, is not valid XML, or has an invalid root node, then the Silverlight runtime will issue a request for a for the Flash policy file with a name of "crossdomain.xml" at the root of the requested target domain, using the HTTP protocol."
http://msdn.microsoft.com/en-us/library/cc645032%28VS.95%29.aspx

What does the address look like inside your SL application?
Is the address coming from the ServiceReference.ClientConfig file? If so, make sure that it has a mydomain.com and not a localhost address there.

Related

ASP.NET Core Site Deployement

I am deploying my asp.net core site on Local IIS and binding is
http//localhsot:{portnumber} but the website is not running and giving me error
HTTP Error 404.4 - Not Found
The resource you are looking for does not have a handler associated with it.
Detailed Error Information:
Module IIS Web Core
Notification MapRequestHandler
Handler Not yet determined
Error Code 0x8007007b
Requested URL http://localhost:9001/
Physical Path D:\Deploy\Stagging - Copy
Logon Method Anonymous
Logon User Anonymous
But when my binding is
https//localhsot:{portnumber}
web site runs fine
why this is happening I don't want to run the site on Https
It seems that there is already a binding rule binding your localhost domain name and HTTP protocol.
If you just installed the IIS service and it will create a default site automaticly and bind your 80 port.
Try removing the default website and try again.
And try not set the HTTP host name of your binding and just leave it empty. When you leave the host name empty it will bind all incomming requests from the port.
The difference between IIS http binding and https binding is that HTTP binding is based on the host header in the HTTP request and the https binding is based on SNI. Now your https binding is working fine so it is possible that your HOST name settings caused this issue.

Is there a way to force an application to post using https instead of http

I have an application that sends a request to a web service. Unfortunately the application is compiled and the link to the web service is embedded in the application as http. (Yes I know how dumb that is, I didn't write it)
Recently, the 3rd party company is no longer allowing http requests, everything must be https.
The application runs as a webapp on Tomcat. The server is a windows server.
Is there a way to intercept the call to this web service and force it to use https?
As you can't change the application's source code (as it is compiled), and you can't change the web service (as it is 3rd party) either, the only way to solve this problem is making a proxy between the application and web service. To do that, you need to (assume the proxy is running in localhost):
As the web service URL is embedded into the compiled application, in order to let application send HTTP request to our proxy, hosts mapping need to change (e.g. /etc/hosts) to override DNS. For example, if the HTTP request in application is GET http://example.com/api/sample, in /etc/hosts, example.com need to be mapped to 127.0.0.1.
Make a proxy web server in localhost and open the same port as the web service. This proxy is a very simple web server (any backend programming tech can do it), it is only responsible for request-forwarding. In this way, when application send HTTP request to example.com, it sends the request to the proxy server.
After receiving HTTP request from application, the proxy server extract the request URL/header/body and send HTTPS request to example.com's real IP address. Please note: in this HTTPS request, a header host whose value is example.com should be added. 3rd party web service may check this header.
After the real response is returned from example.com, proxy will return it to the application.
Of course, you can also use reverse engineering (Java Decompiler) to get the application's "source code", change the web service URL and then compile again to a webapp. However, as the application may need to update/upgrade and it is may not under your control, this reverse engineering method is not recommended.
You could use a proxy script. Write it in any server-side language you want, for example PHP, set the API URL to this script, the script does the https request for you and pass the results back to your app.
You could also use Apache itself as the proxy and use something like: Apache config: how to proxypass http requests to https

IIS How to block http request from browser

In Windows domain, Sliver-light out-of-browser app(used by many user) consuming a couple of WCF services hosted on IIS. Now users know WCF service endpoints, they might able to execute methods without Sliver-light App. So is that possible IIS can identify http request from browser or Sliver-light out-of-browser App then block all requests from browser but only allow http request from Sliver-light app?add IP Security on IIS not an option as that will block user use Sliver-light app, and add PrincipalPermission attribute on WCF not an option as well because need too many domain user group and WCF methos need to handle.
The problem resolved by implement Url re-write module in IIS. just use this module add a rule which only allow http request header HTTP-REFERER field include sliver-light .xap file. REFERER in header always has same value which is .xap file.

Https WCF webservice giving Http 400 error while calling method from browser

I have created a wcf web service. When i run it for http it works fine and gives result in wcftestclient as well as browser.
But when i test for https by changing it fot https it gives result in wcftestclient but when i try to call method from url by passing parameters. i receive error.
HTTP 400 error
It’s not you, it’s this link (it appears to be broken).
I have changed configuration file for https. It is working in wcftestclient but not in browser. it gives wsdl file but error for method calling.
I call method as
https://my-pc/Service.svc/LogIn?a;a
Quick way is Goto project properties of your WCF Service Project in Visual studio, open Web tab/page and make sure IIS web server is selected and IIS Express not selected mention your web address like https://localhost/WcfService1 and if virtual directory is not created then Click on "Create Virtual Directory Button", visual studio will create with required SSL settings for you.
To verify open Internet Information Manager(inetmgr), select service virtual directory/website and verify binding in Actions pane on the right hand side.
It should have two browse links under Manage Application heading one for HTTP and one for HTTPS.
Hope this helps.

Generate WSDL schemalocation as HTTPS URL

I have a WCF service that I have set up to be consumed via HTTPS. Unfortunately when my client tries to consume it he immediately gets an error because the referenced schema locations generated in the WSDL are set as HTTP which throws an error when he tries to reference it in a client project. Indeed from his network he cannot get to the XSD via the HTTP URL however, if he pastes the URL into a browser and changes the HTTP to HTTPS then he can see it.
So is there anyway that I can specify the proper generation of the URL, i.e. as HTTPS?
FYI... Our environment does not use SSL or certs, using WAF and a proxy instead.