Silverlight WCF + SSL 安全错误 - crossdomain.xml 从未请求

发布于 2024-10-14 22:21:56 字数 2330 浏览 6 评论 0原文

(我看到几个与我的问题相关的问题,但没有一个解决方案对我有用,因为我在生产中遇到这个问题,而不是在本地开发过程中,并且我已经尝试了所有建议的修复程序。)

我有一个 Silverlight 4 应用程序使用 IIS 托管的 WCF 服务。在生产中,这些服务是通过 HTTPS 访问的。尽管有 有效的 crossdomain.xml 文件,但在访问服务:

尝试向 URI 发出请求时发生错误 'https://MYDOMAIN/MYSERVICE.svc'。这可能是由于尝试 没有适当跨域的情况下以跨域方式访问服务 现有的策略,或者不适合 SOAP 服务的策略。你 可能需要联系服务所有者发布跨域 策略文件并确保它允许与 SOAP 相关的 HTTP 标头 发送。此错误也可能是由于使用网络中的内部类型引起的 不使用InternalsVisibleToAttribute 属性的服务代理。 请参阅内部异常以了解更多详细信息。 ---> System.Security.SecurityException ---> System.Security.SecurityException:安全错误...

使用 Fiddler 我可以看到没有对 crossdomain.xml 或 clientaccesspolicy.xml 发出请求。有一个到服务器的 CONNECT 请求,但仅此而已。

我读到这个错误,尽管它表明 crossdomain.xml/clientaccesspolicy.xml 存在问题,但当服务器颁发无效证书时也可能会引发该错误。在我的场景中似乎并非如此。

我确信以下设置正确:
1. crossdomain.xml 有效并托管在站点的根目录中
2. 这些服务确实有效(我们有其他采用各种技术的客户端也使用它们,包括依赖 crossdomain.xml 的 Adob​​e Flex。)
3. Silverlight应用程序确实可以工作(它与本地服务和共享开发服务器上的服务一起工作得很好***)
4. Silverlight应用程序甚至不会尝试请求crossdomain.xml或clientaccesspolicy.xml(Fiddler已确认)
5. Silverlight 应用程序使用正确的配置通过 https 访问 WCF。下面是配置:

<configuration>  
    <system.serviceModel>  
        <bindings>  
            <basicHttpBinding>  
                <binding name="BasicHttpBinding_IMyServices" maxBufferSize="2147483647" maxReceivedMessageSize="2147483647">  
                    <security mode="Transport" />  
                </binding>  
                </basicHttpBinding>  
        </bindings>  
        <client>  
            <endpoint address="https://MYDOMAIN/MYSERVICE.svc" binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_IMyServices" contract="Services.IMyServices" name="BasicHttpBinding_IMyServices" />  
        </client>  
    </system.serviceModel>  
</configuration>

还有什么会导致这种问题?难道是因为 Web 服务器是负载平衡的吗?还是证书有问题我没注意到?如果您至少能指出我正确的方向,我将不胜感激。

(***值得指出的是:我在我们的开发环境中遇到了类似的问题。尽管有正确的 crossdomain.xml 并且没有使用 HTTPS,但 Silverlight 应用程序无法访问共享开发服务器上的 WCF 服务。我解决了通过将开发服务器添加为 IE 中的受信任站点,但是这种解决方法不适用于生产环境,即使如此,它也不是一个可接受的解决方法,但事实上我必须在开发环境中执行此操作。担心我一路上错过了一些东西......)

(I see several questions related to my problem but none of the solutions work for me as I am encountering this problem in production, not during local development, and I've already tried all of the proposed fixes.)

I have a Silverlight 4 application that uses WCF services hosted by IIS. In production these services are accessed over HTTPS. Despite having a valid crossdomain.xml file I still get the famous "Security error" when accessing the service:

An error occurred while trying to make a request to URI
'https://MYDOMAIN/MYSERVICE.svc'. This could be due to attempting to
access a service in a cross-domain way without a proper cross-domain
policy in place, or a policy that is unsuitable for SOAP services. You
may need to contact the owner of the service to publish a cross-domain
policy file and to ensure it allows SOAP-related HTTP headers to be
sent. This error may also be caused by using internal types in the web
service proxy without using the InternalsVisibleToAttribute attribute.
Please see the inner exception for more details. --->
System.Security.SecurityException --->
System.Security.SecurityException: Security error...

Using Fiddler I can see that no request is made to crossdomain.xml or clientaccesspolicy.xml. There is a CONNECT request to the server but that is all.

I've read that this error, though it indicates a problem with crossdomain.xml/clientaccesspolicy.xml, can also be raised when the server issues an invalid certificate. This does not seem to be the case in my scenario.

I am certain the following is set up correctly:
1. crossdomain.xml is valid and hosted in the root of the site
2. The services do work (We have other clients in various technologies that use them, including Adobe Flex which relies on crossdomain.xml.)
3. The Silverlight app does work (It works just fine with local services and services on a shared development server***)
4. The Silverlight app does not even try to request crossdomain.xml or clientaccesspolicy.xml (as confirmed by Fiddler)
5. The Silverlight app uses the proper config for accessing WCF over https. Below is the configuration:

<configuration>  
    <system.serviceModel>  
        <bindings>  
            <basicHttpBinding>  
                <binding name="BasicHttpBinding_IMyServices" maxBufferSize="2147483647" maxReceivedMessageSize="2147483647">  
                    <security mode="Transport" />  
                </binding>  
                </basicHttpBinding>  
        </bindings>  
        <client>  
            <endpoint address="https://MYDOMAIN/MYSERVICE.svc" binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_IMyServices" contract="Services.IMyServices" name="BasicHttpBinding_IMyServices" />  
        </client>  
    </system.serviceModel>  
</configuration>

What else can cause this kind of problem? Could it be because the web servers are load balanced? Or is there a problem with the certificate that I haven't noticed? If you can at least point me in the right direction that would be much appreciated.

(***Something worth pointing out: I came upon a similar problem in our development environment. The Silverlight app was unable to access WCF services on a shared development server, despite having a proper crossdomain.xml and not using HTTPS. I worked around it by adding the development server as a trusted site in IE. However this same workaround does not work for production, and even then it wouldn't be an acceptable workaround. But the fact that I had to do this in the development environment makes me worried that I've missed something along the way...)

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(2

世界和平 2024-10-21 22:21:56

问题是我缺少 clientaccesspolicy.xml。在这种情况下,拥有 crossdomain.xml 是不够的。我认为这是因为 WCF 调用不仅是跨浏览器,而且是跨协议(Silverlight 应用程序是通过 http 提供的,但服务是通过 https 提供的)。

此外,我的 clientaccesspolicy.xml 必须显式允许 http 访问,如下所示:

<?xml version="1.0" encoding="utf-8"?>  
<access-policy>  
    <cross-domain-access>  
        <policy>  
            <allow-from http-request-headers="SOAPAction">  
                <!-- IMPORTANT! Include these lines -->
                <domain uri="http://*"/>  
                <domain uri="https://*"/>  
            </allow-from>  
            <grant-to>  
                <resource path="/" include-subpaths="true"/>  
            </grant-to>  
        </policy>  
    </cross-domain-access>  
</access-policy>

它现在就像一个魅力。

一路上有几件事让我绊倒:

  • 我的浏览器正在缓存 clientaccesspolicy.xml 和 crossdomain.xml。每次更改这些文件之一时,我都必须清除缓存,否则它无法识别较新的版本,尽管 IIS 配置为阻止客户端缓存此文件。
  • 对 clientaccesspolicy.xml 和 crossdomain.xml 的请求并不总是出现在 Fiddler 中。我经常会看到 CONNECT 请求。我不明白这样做的原因,但我学会了不要依赖 Fiddler 来确认这些请求的发出。也许我在某处有一些恶意设置(它不是“解密 HTTPS 流量”设置,因为我已经禁用了它)。

The problem was that I was missing clientaccesspolicy.xml. Having crossdomain.xml was not sufficient in this case. I think this is because the WCF invocation was not just cross-browser but also cross-protocol (the Silverlight app was served via http but the services were served via https).

In addition, my clientaccesspolicy.xml had to explicitly allow access for http as follows:

<?xml version="1.0" encoding="utf-8"?>  
<access-policy>  
    <cross-domain-access>  
        <policy>  
            <allow-from http-request-headers="SOAPAction">  
                <!-- IMPORTANT! Include these lines -->
                <domain uri="http://*"/>  
                <domain uri="https://*"/>  
            </allow-from>  
            <grant-to>  
                <resource path="/" include-subpaths="true"/>  
            </grant-to>  
        </policy>  
    </cross-domain-access>  
</access-policy>

It now works like a charm.

A couple of things that tripped me up along the way:

  • My browser was caching clientaccesspolicy.xml and crossdomain.xml. I would have to clear my cache every time I changed one of those files or it wouldn't recognize the newer version, despite the fact that IIS is configured to prevent client caching of this file.
  • The requests to clientaccesspolicy.xml and crossdomain.xml were not always showing up in Fiddler. I would often see CONNECT requests instead. I don't understand the reason for this but I've learned not to rely on Fiddler to confirm these requests are being made. Perhaps I have some rogue setting somewhere (it's not the "Decrypt HTTPS traffic" setting because I already disabled it).
迷迭香的记忆 2024-10-21 22:21:56

我有同样的错误,当我尝试通过 http 调用我的网站而我的服务是通过 https 时,它失败了。发生此错误是因为我的 ISS 没有证书,因此,当应用程序尝试下载 clientaccesspolicy 时,它失败了。

查看浏览器上的任何调试工具并查找 clientaccesspolicy 文件,然后检查是否正在下载该文件。

I have the same error, when I try to make a call to my site over http and my service was over https it failed. This error occured because my ISS had no certificate, so, when the app tried to download the clientaccesspolicy, it failed.

Take a look in any debug tool on your browser and look for clientacccesspolicy file, then check that if it is being downloaded.

~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文