Consuming Web Services in Microsoft Silverlight 3Eugene OsovetskyProgram ManagerMicrosoft Corporation

We'll Cover 3 Scenarios:Simple Back-End Data Access

WCF,SOAP

REST,XML/JSON,Atom/RSS

Mashups (Using REST APIs)

WCF

“Data Push” (Server to Client)

Simple Back-End Data Access

WCF,SOAP

REST,XML/JSON,Atom/RSS

Mashups (Using REST APIs)

WCF

“Data Push” (Server to Client)

Back-End Data Access: Silverlight 2 Recap

WCF

Server:“Add New Item…” “Silverlight-enabled WCF Service”Or any BP SOAP service…

Client:“Add Service Reference”

Product Catalog – Accessing Server Data from Silverlight

demo

Common Pain Points

WCF

PerformanceSOAP / XML “bloat”

Handling Error ConditionsDebugging impossible:

Can’t use SOAP Faults

SecurityNo automated way to send user credentials (if cannot rely on browser)

Can’t do “Add Service Reference” as part of build process

System.ServiceModel.CommunicationException: The remote server returned an error: NotFound

Silverlight 3 Addresses All These

PerformanceErrors / Faults / DebuggingSecurityProxy Creation

Optimizing Performance withBinary XML

demo

Binary XML

Browser apps are often “chatty”

You pay for bandwidth and server capacity

Sometimes a tradeoff…

Bandwidth: Compression at HTTP level (Turn on in IIS)

Server Capacity: Binary XMLMore clients with existing server capacity

Binary XML Characteristics

NOT Compression (but usually reduces size)Optimizes for Speed, not Size

Biggest gainsArrays, Numbers, Complex type graphs, Byte Arrays (binary blobs)

Not optimizedVery small messagesStrings

Even repeated strings - Difference from netTcpBinding

Recommendation: Always use Binary“Silverlight-enabled WCF Service”- now Binary by default

Binary XML: Server ThroughputUsing "typical" message payloads

20 objects 100 objects

6122

2702

7570

4615

HP BL680c: 8 Intel EMT64 cores@2.4GHzWindows Server 2008 64-bit, IIS7

Text / HTTPBinary / HTTP

Message size

Web s

erv

ice r

equest

s/se

c

24%

71%

Your mileage may vary

Binary XML: Message Size ReductionUsing large messages with arrays of "typical" data

15%

34%

40%

String IntLarge object graph

Siz

e r

educt

ion

Your mileage may vary

PerformanceErrors / Faults / DebuggingSecurityProxy Creation

Fault / Error Handling and Debugging

Attempt #1: Naïve Approach

demo

Naïve Approach: Just call the service

No error info on the wire:Security reasons

So… No error info in Silverlight

Need to Enable DebuggingIncludeExceptionDetailsInFaults=true

Fault / Error Handling and Debugging

Attempt #2: Enable Debugging

demo

With Debugging Enabled:Error info is on the wireError info still not in Silverlight!

Can use “Fiddler Debugging”, but…… not with Binary XML… not with HTTPS… can be hard to set up

System.ServiceModel.CommunicationException: The remote server returned an error: NotFound

Why No Error Info in Silverlight?

WCF

ServerSends HTTP 500 Error Code (SOAP standard)Not supported by browser plugins (like Silverlight)

Solution: Switch to HTTP 200 Code

How? WCF Sample (“Message Inspector Sample”) athttp://code.msdn.com/SilverlightWSLooking into a better solution after Beta1

Why No Error Info in Silverlight?

WCF

Client:No support for faults in Silverlight 2 Even with HTTP 200

Supported in Silverlight 3ExceptionDetailFaultException<T>Etc …

Fault / Error Handling and Debugging

With Silverlight 3 Faults Support

demo

PerformanceErrors / Faults / DebuggingSecurityProxy Creation

Securing Services: 2 Options

How is identity communicated to the service?

Browser-Based (Automatic)Examples

Windows AuthenticationCookies

Message-Based (Manual) Examples

URL parametersSOAP headers with Username/Password

Browser-Based Authentication Example with Cookies + Forms Auth

Browser

E.g.: ASP.NET login

User:Password:

YourDomain.comCredentials

Auth info (cookie)

Service calls + Auth info

Browser-Based AuthenticationLogin through Silverlight

User:Password:

YourDomain.comCall with credentials toASP.NET Auth Service

Reply contains cookie

Service calls + Auth info

ASP.NET Auth Service

Browser

Browser-Based Authentication Using Windows Authentication

Windows login

User:Password:

YourDomain.com

Service calls + Creds

Browser

MyBank.com Login

User:Password:

MyBank.comCredentials

Auth info (e.g. cookie)

Malicious call + Auth info

EvilApps.comMalicious application

Could steal orchange dataif protection wasn’t in place

Browser-Based Authentication: Cross-Domain Threat

Cross-domain access blocked by defaultCan enable with “cross-domain policy file”

Browser-Based Auth is only appropriate if

No cross-domain access, orAccess limited to a few trusted domains

If you enable access for “*”:MUST NOT use a browser-based methodMUST use message-based method instead

Message-Based AuthenticationIdentity managed by Silverlight, not the Browser

User:Password:

YourDomain.com

Creds are added by Silverlight, not browser

No creds

BrowserEvilApps.com

Enabling In-Message Auth:

Option 1: Change the Contract[OperationContract]

public decimal GetAccountBalance(int accountID, string userName, string password);

Option 2: Automatically inject SOAP headers using WCF Extensibility

See “Message Inspector Sample” for SL2

Option 3: Built-in Support in Silverlight 3

Securing Services withMessage Credentials

demo

Transport With Message Credential Mode

<soap:Envelope><soap:Header>

<!-- WS-Security Header --><!-- With UserName, Password, Timestamp -->

</soap:Header><soap:Body><!-- Message Payload --></soap:Body>

</soap:Envelope>

Plain-text password sent over the wireRequires SSL (HTTPS). Restriction is enforced

Timestamp, Lifetime, Max Clock SkewSimple replay protectionEnforced in both directions (client server)Default max skew is 5 minutes – may require changes(Client clock can’t be more that 5 minutes out of sync with server)

PerformanceErrors / Faults / DebuggingSecurityProxy Creation

Proxy Creation

SL2: Only through Visual Studio

SL3: Command-line Tool availableslsvcutil.exeSilverlight version of svcutil.exe (simplified)More flexibility than Add Service Reference

Slsvcutil.exe

demo

Simple Back-End Data Access

WCF,SOAP

REST,XML/JSON,Atom/RSS

Mashups (Using REST APIs)

WCF

“Data Push” (Server to Client)

Pushing Messages to Silverlight

Useful for real-time interaction (e.g. chat),monitoring (e.g. stock ticker), etc.

“Duplex” feature introduced in Silverlight 2

Based on “smart polling”

Hard to use in SL2Advanced WCF knowledge required

Significantly simplified in Silverlight 3 Beta1May improve even more after the Beta

Pushing Data to a Silverlight 3 Client

demo

Using Duplex: Client Side1. “Add Service Reference”

2. Open the Proxy (Config not supported)

May get easier in final SL3 release

3. Call Methods and Handle Events

EndpointAddress address = new EndpointAddress("http://example.com/Service1.svc");

CustomBinding binding = new CustomBinding( new PollingDuplexBindingElement(), new TextMessageEncodingBindingElement(

MessageVersion.Soap12WSAddressing10, Encoding.UTF8), new HttpTransportBindingElement());

Using Duplex: Server Side

1. Define a Service with a Callback Contract

[ServiceContract(CallbackContract=…)][OperationContract(IsOneWay=true)]

2. Implement the serviceOperationContext.Current

.GetCallbackChannel<ICallbackContract>()

3. Host the serviceNo config supportA bit tricky for now – see sample codeMay get much easier after Beta1

WCF

“Data Push” (Server to Client)

Simple Back-End Data Access

WCF,SOAP

REST,XML/JSON,Atom/RSS

Mashups (Using REST APIs)

Recap: REST in Silverlight 2

Making requests:HttpWebRequestWebClient

Working with XML:XmlReader / XmlWriterLinq – to – XMLXmlSerializer

Working with JSON:System.Json (“Linq – to – JSON”)DataContractJsonSerializer

Working with RSS/Atom FeedsSystem.ServiceModel.Syndication

REST Pain Points

HTTP Stack RestrictionsUsability

REST Services: HTTP Stack

SL3 Beta1 has same capabilities as SL2

HTTP stack browser restrictions still thereExploring options to remove these in the future

HTTP stack extensibility added in SL3Can “roll your own” stackE.g. HTML DOM + JavaScript XmlHttpRequestE.g. Proxied through a ServiceThese may be released as samples / CodePlex

REST Services: Usability

SL3 has same capabilities as SL2

“Paste XML as Serializable Types”Copy: XML or XSD Paste: Silverlight-compatible typesIn “REST Starter Kit, Preview 2” (CodePlex)

Paste XML as Serializable Types

demo

SummarySimple Back-End Data Access

WCF,SOAP

REST,XML/JSON,Atom/RSS

Mashups (Using REST APIs)

WCF

“Data Push” (Server to Client)

More Information

Team Blog:http://blogs.msdn.com/SilverlightWS

My Blog:http://eugeneos.blogspot.com

Samples Will Be Posted At:http://code.msdn.com/SilverlightWS

REST Starter Kit Preview 2 (for Paste-XML-as-Types):

http://msdn.com/WCF/REST

Please Complete an Evaluation FormYour feedback is important!

Evaluation forms can be found on each chairTemp Staff at the back of the room have additional evaluation form copies

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after

the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Transport With Message Credential ModeServer Side: Enabling This Mode

BasicHttp bindingTransportWithMessageCredentialsOnly UserName credential type (no Certificates)

Custom bindingSecurity binding element with UserNameOverTransport mode

Server Side: AuthN and AuthZStandard WCF methodsE.g. <serviceCredentials> behavior + membership providerOr custom username/password validator

Client Side:proxy.ClientCredentials.UserName.UserName = …proxy.ClientCredentials.UserName.Password = …

HttpWebRequest

High-level components and User Code

Browser Plugin APIs

Web Browser- Cookies- Authenticated sessions- Caching- Proxy server to use

Windows/MacNetworking Layer

HTTP Requests in Silverlight

Restrictions

Restrictions

How Duplex Works“Smart Polling” over HTTPSimplified explanation:

Client Browser Server

ServerDuplexChannel

ClientDuplexChannel

ClientApp

ServerApp

Any messages?

10-15secNo messages

Any messages?

MessageMessage

Any messages?

Message