Consuming Web Services in Microsoft Silverlight 3
Eugene Osovetsky
Program Manager
Microsoft Corporation
We'll Cover 3 Scenarios:
Simple Back-End Data Access
WCF, SOAP
REST, XML/JSON, Atom/RSS
Mashups (Using REST APIs)
WCF
“Data Push” (Server to Client)
Back-End Data Access: Silverlight 2 Recap
WCF
Server: “Add New Item…” “Silverlight-enabled WCF Service”
Or any BP SOAP service…
Client: “Add Service Reference”
Product Catalog – Accessing Server Data from Silverlight
demo
Common Pain Points
WCF
Performance
SOAP / XML “bloat”
Handling Error Conditions
Debugging impossible:
System.ServiceModel.CommunicationException: The remote server returned an error: NotFound
Can’t use SOAP Faults
Security
No automated way to send user credentials (if cannot rely on browser)
Can’t do “Add Service Reference” as part of build process
Silverlight 3 Addresses All These
Performance
Errors / Faults / Debugging
Security
Proxy Creation
Optimizing Performance with Binary XML
demo
Binary XML
Browser apps are often “chatty”
You pay for bandwidth and server capacity
Sometimes a tradeoff…
Bandwidth: Compression at HTTP level (Turn on in IIS)
Server Capacity: Binary XML
More clients with existing server capacity
Binary XML Characteristics
NOT Compression (but usually reduces size)
Optimizes for Speed, not Size
Biggest gains
Arrays, Numbers, Complex type graphs, Byte Arrays (binary blobs)
Not optimized
Very small messages
Strings
Even repeated strings - Difference from netTcpBinding
Recommendation: Always use Binary
“Silverlight-enabled WCF Service” - now Binary by default
Binary XML: Server Throughput
Using "typical" message payloads
[Chart: web service requests/sec by message size, Text / HTTP vs. Binary / HTTP]
20 objects: Text / HTTP 6122, Binary / HTTP 7570 (+24%)
100 objects: Text / HTTP 2702, Binary / HTTP 4615 (+71%)
HP BL680c: 8 Intel EMT64 [email protected] Server 2008 64-bit, IIS7
Your mileage may vary
Binary XML: Message Size Reduction
Using large messages with arrays of "typical" data
[Chart: size reduction by payload type]
String: 15%
Int: 34%
Large object graph: 40%
Your mileage may vary
Fault / Error Handling and Debugging
Attempt #1: Naïve Approach
demo
Naïve Approach: Just call the service
No error info on the wire: security reasons
So… No error info in Silverlight
Need to Enable Debugging
IncludeExceptionDetailInFaults=true
Fault / Error Handling and Debugging
Attempt #2: Enable Debugging
demo
With Debugging Enabled:
Error info is on the wire
Error info still not in Silverlight!
Can use “Fiddler Debugging”, but…
… not with Binary XML
… not with HTTPS
… can be hard to set up
System.ServiceModel.CommunicationException: The remote server returned an error: NotFound
Why No Error Info in Silverlight?
WCF
Server
Sends HTTP 500 Error Code (SOAP standard)
Not supported by browser plugins (like Silverlight)
Solution: Switch to HTTP 200 Code
How? WCF Sample (“Message Inspector Sample”) at http://code.msdn.com/SilverlightWS
Looking into a better solution after Beta1
Why No Error Info in Silverlight?
WCF
Client:
No support for faults in Silverlight 2
Even with HTTP 200
Supported in Silverlight 3
ExceptionDetail
FaultException<T>
Etc …
Fault / Error Handling and Debugging
With Silverlight 3 Faults Support
demo
Securing Services: 2 Options
How is identity communicated to the service?
Browser-Based (Automatic)
Examples
Windows Authentication
Cookies
Message-Based (Manual)
Examples
URL parameters
SOAP headers with Username/Password
Browser-Based Authentication Example with Cookies + Forms Auth
[Diagram: Browser and YourDomain.com]
Browser (e.g. ASP.NET login, User / Password) sends credentials to YourDomain.com
YourDomain.com returns auth info (cookie)
Later service calls carry the auth info
Browser-Based Authentication
Login through Silverlight
[Diagram: Browser, YourDomain.com and its ASP.NET Auth Service]
Silverlight login (User / Password) calls the ASP.NET Auth Service on YourDomain.com with credentials
Reply contains cookie
Later service calls carry the auth info
Browser-Based Authentication Using Windows Authentication
[Diagram: Browser and YourDomain.com]
Windows login (User / Password)
Service calls to YourDomain.com carry the credentials
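Browser-Based Authentication: Cross-Domain Threat
[Diagram: Browser, MyBank.com and EvilApps.com]
MyBank.com login (User / Password) sends credentials to MyBank.com
MyBank.com returns auth info (e.g. cookie)
EvilApps.com (malicious application) makes a malicious call to MyBank.com, and the browser attaches the auth info
Could steal or change data if protection wasn’t in place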
Cross-domain access blocked by default
Can enable with “cross-domain policy file”
Browser-Based Auth is only appropriate if
No cross-domain access, or
Access limited to a few trusted domains
If you enable access for “*”:
MUST NOT use a browser-based method
MUST use message-based method instead
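The rule above can be checked mechanically against a deployed policy file. The following is an added example, not code from the talk: it audits a Silverlight clientaccesspolicy.xml against the service's authentication model. The sample policies, the `audit_policy` helper and the set of values treated as "any domain" are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy files (not from the talk).
OPEN_POLICY = """<access-policy><cross-domain-access><policy>
  <allow-from http-request-headers="SOAPAction"><domain uri="*"/></allow-from>
  <grant-to><resource path="/" include-subpaths="true"/></grant-to>
</policy></cross-domain-access></access-policy>"""

SCOPED_POLICY = """<access-policy><cross-domain-access><policy>
  <allow-from http-request-headers="SOAPAction">
    <domain uri="https://partner.example"/>
    <domain uri="https://unknown.example"/>
  </allow-from>
  <grant-to><resource path="/Services/" include-subpaths="true"/></grant-to>
</policy></cross-domain-access></access-policy>"""

# Assumption: these uri values all mean "any calling domain".
ANY_DOMAIN = {"*", "http://*", "https://*"}


def audit_policy(policy_xml, browser_based_auth, trusted_domains=()):
    """Apply the slide's rule to one clientaccesspolicy.xml.

    Returns (severity, caller, granted_paths, reason) tuples.
    """
    trusted = {d.lower().rstrip("/") for d in trusted_domains}
    findings = []
    for policy in ET.fromstring(policy_xml).iter("policy"):
        paths = [r.get("path", "") for r in policy.iter("resource")]
        for domain in policy.iter("domain"):
            uri = (domain.get("uri") or "").strip().lower().rstrip("/")
            if not browser_based_auth:
                continue  # message-based credentials: foreign apps send none
            if uri in ANY_DOMAIN:
                findings.append(("HIGH", uri, paths,
                                 "any domain may call with the user's cookie"))
            elif uri not in trusted:
                findings.append(("REVIEW", uri, paths,
                                 "caller is not on the trusted list"))
    return findings
```

Subdomain wildcards such as `http://*.example.com` fall into the REVIEW bucket unless listed as trusted, since they widen the set of callers beyond a single known origin.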
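Message-Based Authentication
Identity managed by Silverlight, not the Browser
[Diagram: Browser, YourDomain.com and EvilApps.com]
User / Password entered in the Silverlight application for YourDomain.com
Creds are added by Silverlight, not browser
Calls from EvilApps.com carry no creds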
Enabling In-Message Auth:
Option 1: Change the Contract
[OperationContract]
public decimal GetAccountBalance(int accountID, string userName, string password);
Option 2: Automatically inject SOAP headers using WCF Extensibility
See “Message Inspector Sample” for SL2
Option 3: Built-in Support in Silverlight 3
Securing Services with Message Credentials
demo
Transport With Message Credential Mode
<soap:Envelope>
  <soap:Header>
    <!-- WS-Security Header -->
    <!-- With UserName, Password, Timestamp -->
  </soap:Header>
  <soap:Body>
    <!-- Message Payload -->
  </soap:Body>
</soap:Envelope>
Plain-text password sent over the wire
Requires SSL (HTTPS). Restriction is enforced
Timestamp, Lifetime, Max Clock Skew
Simple replay protection
Enforced in both directions (client ↔ server)
Default max skew is 5 minutes – may require changes
(Client clock can’t be more than 5 minutes out of sync with server)
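To see why the 5-minute skew matters in practice, here is an added example (not WCF's implementation and not code from the talk) that models the receiver-side timestamp check on a WS-Security header. The 5-minute message lifetime, the helper names and the constructed header are assumptions for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

WSU_NS = ("http://docs.oasis-open.org/wss/2004/01/"
          "oasis-200401-wss-wssecurity-utility-1.0.xsd")
FMT = "%Y-%m-%dT%H:%M:%SZ"
MAX_CLOCK_SKEW = timedelta(minutes=5)  # default quoted on the slide
LIFETIME = timedelta(minutes=5)        # assumed message lifetime for this example


def make_security_header(sender_clock, lifetime=LIFETIME):
    """Build a constructed WS-Security header carrying only a Timestamp."""
    return (
        f'<Security xmlns:wsu="{WSU_NS}"><wsu:Timestamp>'
        f"<wsu:Created>{sender_clock.strftime(FMT)}</wsu:Created>"
        f"<wsu:Expires>{(sender_clock + lifetime).strftime(FMT)}</wsu:Expires>"
        "</wsu:Timestamp></Security>"
    )


def _parse(text):
    return datetime.strptime(text.strip(), FMT).replace(tzinfo=timezone.utc)


def check_timestamp(header_xml, receiver_clock, max_skew=MAX_CLOCK_SKEW):
    """Return 'accept' or a 'reject: ...' reason for one received header."""
    ts = ET.fromstring(header_xml).find(f"{{{WSU_NS}}}Timestamp")
    if ts is None:
        return "reject: no timestamp"
    created = ts.findtext(f"{{{WSU_NS}}}Created")
    expires = ts.findtext(f"{{{WSU_NS}}}Expires")
    if not created or not expires:
        return "reject: incomplete timestamp"
    created, expires = _parse(created), _parse(expires)
    if expires <= created:
        return "reject: expires before created"
    if created > receiver_clock + max_skew:
        return "reject: created in the future"
    if expires < receiver_clock - max_skew:
        return "reject: expired"
    return "accept"


def replay_window(lifetime=LIFETIME, max_skew=MAX_CLOCK_SKEW):
    """Longest time after the Created value that a captured copy still validates."""
    return lifetime + max_skew
```

A client whose clock runs 6 minutes fast is rejected outright, while a copy of a valid message stays acceptable for lifetime plus skew, so raising the skew to accommodate drifting clients also widens the replay window.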
Proxy Creation
SL2: Only through Visual Studio
SL3: Command-line Tool available
slsvcutil.exe
Silverlight version of svcutil.exe (simplified)
More flexibility than Add Service Reference
Slsvcutil.exe
demo
Pushing Messages to Silverlight
Useful for real-time interaction (e.g. chat), monitoring (e.g. stock ticker), etc.
“Duplex” feature introduced in Silverlight 2
Based on “smart polling”
Hard to use in SL2
Advanced WCF knowledge required
Significantly simplified in Silverlight 3 Beta1
May improve even more after the Beta
Pushing Data to a Silverlight 3 Client
demo
Using Duplex: Client Side
1. “Add Service Reference”
2. Open the Proxy (Config not supported)
May get easier in final SL3 release
3. Call Methods and Handle Events
// Address and binding for step 2, built in code because config is not supported
EndpointAddress address = new EndpointAddress("http://example.com/Service1.svc");
CustomBinding binding = new CustomBinding(
    new PollingDuplexBindingElement(),
    new TextMessageEncodingBindingElement(MessageVersion.Soap12WSAddressing10, Encoding.UTF8),
    new HttpTransportBindingElement());
Using Duplex: Server Side
1. Define a Service with a Callback Contract
[ServiceContract(CallbackContract=…)]
[OperationContract(IsOneWay=true)]
2. Implement the service
OperationContext.Current.GetCallbackChannel<ICallbackContract>()
3. Host the service
No config support
A bit tricky for now – see sample code
May get much easier after Beta1
Recap: REST in Silverlight 2
Making requests:
HttpWebRequest
WebClient
Working with XML:
XmlReader / XmlWriter
Linq – to – XML
XmlSerializer
Working with JSON:
System.Json (“Linq – to – JSON”)
DataContractJsonSerializer
Working with RSS/Atom Feeds
System.ServiceModel.Syndication
REST Pain Points
HTTP Stack Restrictions
Usability
REST Services: HTTP Stack
SL3 Beta1 has same capabilities as SL2
HTTP stack browser restrictions still there
Exploring options to remove these in the future
HTTP stack extensibility added in SL3
Can “roll your own” stack
E.g. HTML DOM + JavaScript XmlHttpRequest
E.g. Proxied through a Service
These may be released as samples / CodePlex
REST Services: Usability
SL3 has same capabilities as SL2
“Paste XML as Serializable Types”
Copy: XML or XSD
Paste: Silverlight-compatible types
In “REST Starter Kit, Preview 2” (CodePlex)
Paste XML as Serializable Types
demo
Summary
Simple Back-End Data Access
WCF, SOAP
REST, XML/JSON, Atom/RSS
Mashups (Using REST APIs)
WCF
“Data Push” (Server to Client)
More Information
Team Blog: http://blogs.msdn.com/SilverlightWS
My Blog: http://eugeneos.blogspot.com
Samples Will Be Posted At: http://code.msdn.com/SilverlightWS
REST Starter Kit Preview 2 (for Paste-XML-as-Types):
http://msdn.com/WCF/REST
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
Transport With Message Credential Mode
Server Side: Enabling This Mode
BasicHttp binding
TransportWithMessageCredential
Only UserName credential type (no Certificates)
Custom binding
Security binding element with UserNameOverTransport mode
Server Side: AuthN and AuthZ
Standard WCF methods
E.g. <serviceCredentials> behavior + membership provider
Or custom username/password validator
Client Side:
proxy.ClientCredentials.UserName.UserName = …
proxy.ClientCredentials.UserName.Password = …
HTTP Requests in Silverlight
[Diagram: layers an HTTP request passes through, top to bottom; "Restrictions" is marked twice in the diagram]
High-level components and User Code
HttpWebRequest
Browser Plugin APIs
Web Browser
- Cookies
- Authenticated sessions
- Caching
- Proxy server to use
Windows/Mac Networking Layer
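How Duplex Works
“Smart Polling” over HTTP
Simplified explanation:
[Diagram: Client App and Client Duplex Channel (in the client browser) exchanging HTTP requests with Server Duplex Channel and Server App]
Client: Any messages?
Server (after 10-15 sec): No messages
Client: Any messages?
Server: Message, Message
Client: Any messages?
Server: Message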