views:

215

answers:

3

Can anyone point me in the right direction of how I can use SSL client-side certificates with Silverlight to access a restful web service?

I can't seem to find anything on how to handle them, or even whether they are supported.

Cheers.

A: 

take a look at this.

http://support.microsoft.com/kb/307267

just change your urls to https

hope this helps

Ritik Khatwani
+1  A: 

It depends on whether you're using the browser HTTP stack or the client HTTP stack. The client stack does not support client certificates, period. The browser stack does, and pretty much automatically, if you're willing to live with its other limitations (lack of support for all HTTP verbs, coercion of response status codes, etc.).

I have however been running into a problem using the browser stack with client certificates in an OOB scenario. Prism module loading fails under these conditions - the request gets to IIS, but causes a 500 server error for no apparent reason. If I set IIS to ignore client certs, or if I run the app in-browser, it works fine :-/

slipjig
+1  A: 

Slipjig mentioned this:

"The browser stack does, and pretty much automatically, if you're willing to live with its other limitations (lack of support for all HTTP verbs, coercion of response status codes, etc.)."

If that is acceptable to you, look at how Microsoft themselves deal with this in some of their APIs using the custom X-HTTP-Method header, like how they do it for WCF and OData:

http://www.odata.org/developers/protocols/operations

In MSDN, Microsoft also mentions this about using REST in conjunction with SharePoint 2010's WCF based REST API:

msdn.microsoft.com/en-us/library/ff798339.aspx

"In practice, many firewalls and other network intermediaries block HTTP verbs other than GET and POST. To work around this issue, WCF Data Services (and the OData standard) support a technique known as "verb tunneling." In this technique, PUT, DELETE, and MERGE requests are submitted as a POST request, and an X-HTTP-Method header specifies the actual verb that the recipient should apply to the request. For more information, see X-HTTP-Method on MSDN and OData: Operations (the Method Tunneling through POST section) on the OData Web site."

Don Box's also had some words about this, but regarding GData specifically:

www.pluralsight-training.net/community/blogs/dbox/archive/2007/01/16/45725.aspx

"If I were building a GData client, I honestly wonder why I'd bother using DELETE and PUT methods at all given that X-HTTP-Method-Override is going to work in more cases/deployments."

There's an article about Silverlight and Java interop which also addresses this limitation of Silverlight by giving the same advice:

www.infoq.com/articles/silverlight-java-interop

"Silverlight supports only the GET and POST HTTP methods. Some firewalls restrict the use of PUT and DELETE HTTP methods.

It is important to point out that true RESTful service can be created (conforming to all the REST principles listed above) only using the GET and POST HTTP methods, in other words the REST architecture does not require a specific mapping to HTTP. Google’s GData X-Http-Method-Override header is an example of this approach.

The following HTTP methods overrides may be set in the header to accomplish the PUT and DELETE actions if the web services interpret the X-HTTP-Method-Override header on a POST:

* X-HTTP-Method-Override: PUT
* X-HTTP-Method-Override: DELETE"

Hope this helps -Josh

JoshGough