
Consuming Web Services in Microsoft Silverlight 3
Eugene Osovetsky
Program Manager
Microsoft Corporation
We'll Cover 3 Scenarios:
Simple Back-End Data Access

WCF,
SOAP

“Data Push” (Server to Client)

WCF

Mashups (Using REST APIs)

REST,
XML/JSON,
Atom/RSS
Back-End Data Access: Silverlight 2 Recap

WCF

Server:
“Add New Item…” → “Silverlight-enabled WCF Service”
Or any BP SOAP service…
Client:
“Add Service Reference”
demo

Product Catalog –
Accessing Server Data
from Silverlight
Common Pain Points

WCF

Performance
SOAP / XML “bloat”

Handling Error Conditions


Debugging impossible:
System.ServiceModel.CommunicationException: The remote server returned an error: NotFound
Can’t use SOAP Faults

Security
No automated way to send user credentials (if cannot rely on browser)

Can’t do “Add Service Reference” as part of build process


Silverlight 3 Addresses All These
Performance
Errors / Faults / Debugging
Security
Proxy Creation
demo
Optimizing Performance with
Binary XML
Binary XML
Browser apps are often “chatty”

You pay for bandwidth and server capacity


Sometimes a tradeoff…

Bandwidth: Compression at HTTP level


(Turn on in IIS)

Server Capacity: Binary XML


More clients with existing server capacity
Binary XML Characteristics
NOT Compression (but usually reduces size)
Optimizes for Speed, not Size

Biggest gains
Arrays, Numbers, Complex type graphs,
Byte Arrays (binary blobs)
Not optimized
Very small messages
Strings
Even repeated strings - Difference from netTcpBinding

Recommendation: Always use Binary


“Silverlight-enabled WCF Service”
- now Binary by default
Binary XML: Server Throughput
Web service requests/sec, using "typical" message payloads
HP BL680c: 8 Intel EMT64 cores@2.4GHz
Windows Server 2008 64-bit, IIS7

Message size 20 objects: Text / HTTP 6122, Binary / HTTP 7570 (24%)
Message size 100 objects: Text / HTTP 2702, Binary / HTTP 4615 (71%)

Your mileage may vary
Binary XML: Message Size Reduction
Using large messages with arrays of "typical" data
[Chart: size reduction for String, Int and Large object graph payloads; values shown: 40%, 34%, 15%]

Your mileage may vary


Performance
Errors / Faults / Debugging
Security
Proxy Creation
demo
Fault / Error Handling and Debugging

Attempt #1: Naïve Approach


Naïve Approach: Just call the service

No error info on the wire:


Security reasons

So… No error info in Silverlight

Need to Enable Debugging


IncludeExceptionDetailInFaults=true
demo
Fault / Error Handling and Debugging

Attempt #2: Enable Debugging


With Debugging Enabled:
Error info is on the wire
Error info still not in Silverlight!

System.ServiceModel.CommunicationException: The remote server returned an error: NotFound

Can use “Fiddler Debugging”, but…


… not with Binary XML
… not with HTTPS
… can be hard to set up
Why No Error Info in Silverlight?

WCF

Server
Sends HTTP 500 Error Code (SOAP standard)
Not supported by browser plugins (like Silverlight)

Solution: Switch to HTTP 200 Code

How?
WCF Sample (“Message Inspector Sample”) at
http://code.msdn.com/SilverlightWS
Looking into a better solution after Beta1
Why No Error Info in Silverlight?

WCF

Client:
No support for faults in Silverlight 2
Even with HTTP 200

Supported in Silverlight 3
ExceptionDetail
FaultException<T>
Etc …
demo
Fault / Error Handling and Debugging

With Silverlight 3 Faults Support


Performance
Errors / Faults / Debugging
Security
Proxy Creation
Securing Services: 2 Options
How is identity communicated to the service?

Browser-Based (Automatic)
Examples
Windows Authentication
Cookies

Message-Based (Manual)
Examples
URL parameters
SOAP headers with Username/Password
Browser-Based Authentication
Example with Cookies + Forms Auth

E.g.: ASP.NET login


Credentials
User:
YourDomain.com
Password:

Auth info (cookie)

Service calls + Auth info

Browser
Browser-Based Authentication
Login through Silverlight

Call with credentials (User, Password) to ASP.NET Auth Service at YourDomain.com
Reply from ASP.NET Auth Service contains cookie
Service calls + Auth info

Browser
Browser-Based Authentication
Using Windows Authentication

Windows login

User:
YourDomain.com
Password:

Service calls + Creds

Browser
Browser-Based Authentication:
Cross-Domain Threat

MyBank.com Login: Credentials (User, Password) sent to MyBank.com
MyBank.com returns Auth info (e.g. cookie) to the Browser
Malicious application from EvilApps.com, in the same Browser:
Malicious call + Auth info sent to MyBank.com
Could steal or change data if protection wasn’t in place
Cross-domain access blocked by default
Can enable with “cross-domain policy file”

Browser-Based Auth is only appropriate if


No cross-domain access, or
Access limited to a few trusted domains

If you enable access for “*”:


MUST NOT use a browser-based method
MUST use message-based method instead
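The rule above can be checked mechanically against a service's cross-domain policy file. The following is an added example, not part of the presentation: it parses a policy in Silverlight's clientaccesspolicy.xml format and flags the combination the slide forbids. Both sample policies and the host name portal.example.com are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample policy (not from the presentation): any site may call in.
OPEN_POLICY = """<access-policy>
  <cross-domain-access>
    <policy>
      <allow-from http-request-headers="SOAPAction">
        <domain uri="*"/>
      </allow-from>
      <grant-to>
        <resource path="/" include-subpaths="true"/>
      </grant-to>
    </policy>
  </cross-domain-access>
</access-policy>"""

# Same policy restricted to one trusted caller (hypothetical host name).
TRUSTED_POLICY = OPEN_POLICY.replace('uri="*"', 'uri="https://portal.example.com"')


def allowed_origins(policy_xml):
    """Return the uri of every <domain> element under <allow-from>."""
    root = ET.fromstring(policy_xml)
    return [d.get("uri", "").strip()
            for af in root.iter("allow-from") for d in af.iter("domain")]


def is_any_site(uri):
    """True for "*", "http://*" and "https://*": callers from any domain."""
    return uri.split("://", 1)[-1] == "*"


def audit(policy_xml, browser_based_auth):
    """Apply the slide's rule: "*" access and browser-based auth must not mix."""
    origins = allowed_origins(policy_xml)
    open_to_all = any(is_any_site(u) for u in origins)
    findings = []
    if open_to_all and browser_based_auth:
        findings.append("policy allows any domain while the service trusts "
                        "cookies/Windows auth: use message-based credentials")
    for uri in origins:
        if "*" in uri and not is_any_site(uri):
            findings.append("subdomain wildcard, review as trusted: " + uri)
    return {"origins": origins, "open_to_all": open_to_all, "findings": findings}
```

Run it with browser_based_auth=True for any service that relies on cookies or Windows Authentication; an open policy is only acceptable when the flag is False.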
Message-Based Authentication
Identity managed by Silverlight, not the Browser

Your application (User, Password) calling YourDomain.com: creds are added by Silverlight, not browser
EvilApps.com calling YourDomain.com: no creds

Browser
Enabling In-Message Auth:
Option 1: Change the Contract
[OperationContract]
public decimal GetAccountBalance
(int accountID, string userName, string password);

Option 2: Automatically inject SOAP headers using


WCF Extensibility
See “Message Inspector Sample” for SL2

Option 3:
Built-in Support in Silverlight 3
demo
Securing Services with
Message Credentials
Transport With Message Credential Mode
<soap:Envelope>
<soap:Header>
<!-- WS-Security Header -->
<!-- With UserName, Password, Timestamp -->
</soap:Header>
<soap:Body><!-- Message Payload --></soap:Body>
</soap:Envelope>

Plain-text password sent over the wire


Requires SSL (HTTPS). Restriction is enforced

Timestamp, Lifetime, Max Clock Skew


Simple replay protection
Enforced in both directions (client ↔ server)
Default max skew is 5 minutes – may require changes
(Client clock can’t be more than 5 minutes out of sync with server)
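To see why a clock that is more than 5 minutes off breaks calls, here is an added example (not code from the presentation or from WCF) that models the timestamp check on a WS-Security header. The envelope, the user name and the dates are constructed, and the acceptance rule is a simplified model of the behaviour the slide describes.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

WSU = ("{http://docs.oasis-open.org/wss/2004/01/"
       "oasis-200401-wss-wssecurity-utility-1.0.xsd}")
MAX_SKEW = timedelta(minutes=5)  # default max skew stated on the slide

# Constructed message (not captured traffic); the password is elided.
SAMPLE = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"
 xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
 xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
 <s:Header><o:Security>
  <u:Timestamp>
   <u:Created>2009-03-18T10:00:00Z</u:Created>
   <u:Expires>2009-03-18T10:05:00Z</u:Expires>
  </u:Timestamp>
  <o:UsernameToken>
   <o:Username>alice</o:Username><o:Password>...</o:Password>
  </o:UsernameToken>
 </o:Security></s:Header>
 <s:Body/>
</s:Envelope>"""


def parse_utc(text):
    """Parse the UTC timestamp form used in the sample (e.g. 2009-03-18T10:00:00Z)."""
    stamp = datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ")
    return stamp.replace(tzinfo=timezone.utc)


def timestamp_window(envelope_xml):
    """Return (created, expires) from the wsu:Timestamp header element."""
    ts = ET.fromstring(envelope_xml).find(".//" + WSU + "Timestamp")
    if ts is None:
        raise ValueError("no wsu:Timestamp in the security header")
    return (parse_utc(ts.find(WSU + "Created").text),
            parse_utc(ts.find(WSU + "Expires").text))


def check_timestamp(envelope_xml, receiver_now, max_skew=MAX_SKEW):
    """Accept only if the sender's validity window overlaps the receiver's clock."""
    created, expires = timestamp_window(envelope_xml)
    if created > receiver_now + max_skew:
        return "reject: created in the future"   # sender clock runs ahead
    if expires < receiver_now - max_skew:
        return "reject: expired"                 # stale or replayed message
    return "accept"
```

A receiver whose clock reads 09:54 rejects the sample as created in the future, and one reading 10:11 rejects it as expired; the same failures appear when only the client's clock is wrong.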
Performance
Errors / Faults / Debugging
Security
Proxy Creation
Proxy Creation
SL2: Only through Visual Studio

SL3: Command-line Tool available


slsvcutil.exe
Silverlight version of svcutil.exe (simplified)
More flexibility than Add Service Reference
demo
Slsvcutil.exe
Simple Back-End Data Access

WCF,
SOAP

“Data Push” (Server to Client)

WCF

Mashups (Using REST APIs)

REST,
XML/JSON,
Atom/RSS
Pushing Messages to Silverlight
Useful for real-time interaction (e.g. chat),
monitoring (e.g. stock ticker), etc.

“Duplex” feature introduced in Silverlight 2

Based on “smart polling”

Hard to use in SL2


Advanced WCF knowledge required

Significantly simplified in Silverlight 3 Beta1


May improve even more after the Beta
demo
Pushing Data to a Silverlight 3 Client
Using Duplex: Client Side
1. “Add Service Reference”

2. Open the Proxy (Config not supported)


EndpointAddress address = new EndpointAddress("http://example.com/Service1.svc");

CustomBinding binding = new CustomBinding(
    new PollingDuplexBindingElement(),
    new TextMessageEncodingBindingElement(
        MessageVersion.Soap12WSAddressing10, Encoding.UTF8),
    new HttpTransportBindingElement());

May get easier in final SL3 release

3. Call Methods and Handle Events


Using Duplex: Server Side
1. Define a Service with a Callback Contract
[ServiceContract(CallbackContract=…)]
[OperationContract(IsOneWay=true)]

2. Implement the service


OperationContext.Current
.GetCallbackChannel<ICallbackContract>()

3. Host the service


No config support
A bit tricky for now – see sample code
May get much easier after Beta1
Simple Back-End Data Access

WCF,
SOAP

“Data Push” (Server to Client)

WCF

Mashups (Using REST APIs)

REST,
XML/JSON,
Atom/RSS
Recap: REST in Silverlight 2
Making requests:
HttpWebRequest
WebClient

Working with XML:


XmlReader / XmlWriter
Linq – to – XML
XmlSerializer

Working with JSON:


System.Json (“Linq – to – JSON”)
DataContractJsonSerializer

Working with RSS/Atom Feeds


System.ServiceModel.Syndication
REST Pain Points
HTTP Stack Restrictions
Usability
REST Services: HTTP Stack
SL3 Beta1 has same capabilities as SL2

HTTP stack browser restrictions still there


Exploring options to remove these in the future

HTTP stack extensibility added in SL3


Can “roll your own” stack
E.g. HTML DOM + JavaScript XmlHttpRequest
E.g. Proxied through a Service
These may be released as samples / CodePlex
REST Services: Usability
SL3 has same capabilities as SL2

“Paste XML as Serializable Types”


Copy: XML or XSD
Paste: Silverlight-compatible types
In “REST Starter Kit, Preview 2” (CodePlex)
demo
Paste XML as Serializable Types
Summary
Simple Back-End Data Access

WCF,
SOAP

“Data Push” (Server to Client)

WCF

Mashups (Using REST APIs)

REST,
XML/JSON,
Atom/RSS
More Information
Team Blog:
http://blogs.msdn.com/SilverlightWS

My Blog:
http://eugeneos.blogspot.com

Samples Will Be Posted At:


http://code.msdn.com/SilverlightWS

REST Starter Kit Preview 2 (for Paste-XML-as-Types):


http://msdn.com/WCF/REST
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not
be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Transport With Message Credential Mode
Server Side: Enabling This Mode
BasicHttp binding
TransportWithMessageCredential
Only UserName credential type (no Certificates)
Custom binding
Security binding element with UserNameOverTransport mode

Server Side: AuthN and AuthZ


Standard WCF methods
E.g. <serviceCredentials> behavior + membership provider
Or custom username/password validator

Client Side:
proxy.ClientCredentials.UserName.UserName = …
proxy.ClientCredentials.UserName.Password = …
HTTP Requests in Silverlight
High-level components and User Code
HttpWebRequest
Browser Plugin APIs (Restrictions)
Web Browser (Restrictions)
- Cookies
- Authenticated sessions
- Caching
- Proxy server to use
Windows/Mac Networking Layer
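How Duplex Works
“Smart Polling” over HTTP
Simplified explanation:
[Diagram: Client App, Client Duplex Channel, Browser, Server Duplex Channel, Server App. The client channel repeatedly asks “Any messages?” (labelled 10-15sec); the server channel answers “No messages”, or returns a Message from the Server App, which the client channel passes to the Client App.]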
