How to show SSL WCF Service Padlock
-
So I got my SSL enabled service and non SSL service (both WCF) running fine on my host. My site is entirely silverlight and is http://****.com I can call both services fine and results are correct, but however the secured padlock logo will not show up on browser when I am calling the SSL service. If the access the site and add the 's' at : https://****.com The padlock will then show up. But I do not want the site to be SSL enabled for the entire time. I want it only to be SSL enabled only when customer checks out or login. Keeping in mind my entire site is one big silverlight app, how do I switch to https or enable the padlock logo only when I need it to?
-
So I got my SSL enabled service and non SSL service (both WCF) running fine on my host. My site is entirely silverlight and is http://****.com I can call both services fine and results are correct, but however the secured padlock logo will not show up on browser when I am calling the SSL service. If the access the site and add the 's' at : https://****.com The padlock will then show up. But I do not want the site to be SSL enabled for the entire time. I want it only to be SSL enabled only when customer checks out or login. Keeping in mind my entire site is one big silverlight app, how do I switch to https or enable the padlock logo only when I need it to?
Are you sure that need the padlock to show up? From what you have said, you have secured the call to the service (assuming your endpoints etc. are looking at the https services): e.g.
<endpoint address="https://nigel.company.co.nz/MyService.svc" binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_IMyService"- but that is all in the background. Even though you didn't access/download the Silverlight xap with https it will still be communicating directly with the services over https if they are configured that way. -
Are you sure that need the padlock to show up? From what you have said, you have secured the call to the service (assuming your endpoints etc. are looking at the https services): e.g.
<endpoint address="https://nigel.company.co.nz/MyService.svc" binding="basicHttpBinding" bindingConfiguration="BasicHttpBinding_IMyService"- but that is all in the background. Even though you didn't access/download the Silverlight xap with https it will still be communicating directly with the services over https if they are configured that way.Thank you Nigel, and yes the SSL service endpoint is correct and everything is working fine. I know I am calling the service with SSL enabled and fiddler can see it is SSL, but it is all in the background. I need to show the padlock because customers (and my client) will only believe they are SSL secured only if the browser tells them. I could says with a textblock that the login is SSL secured, but the browser isnt showing the padlock and it is dubious to them.
-
Thank you Nigel, and yes the SSL service endpoint is correct and everything is working fine. I know I am calling the service with SSL enabled and fiddler can see it is SSL, but it is all in the background. I need to show the padlock because customers (and my client) will only believe they are SSL secured only if the browser tells them. I could says with a textblock that the login is SSL secured, but the browser isnt showing the padlock and it is dubious to them.
I know what you mean. I have just been talking to my colleague about the same thing. The funny thing is that once the xap has been downloaded (via https for example) and is running, whatever the browser says is irrelevant, you can still go ahead and be as un-secure as you like in the background with your service calls (assuming you have the clientaccesspolicy.xml in place). That's my understanding anyway - I would like to be proved wrong though. Cheers.
-
I know what you mean. I have just been talking to my colleague about the same thing. The funny thing is that once the xap has been downloaded (via https for example) and is running, whatever the browser says is irrelevant, you can still go ahead and be as un-secure as you like in the background with your service calls (assuming you have the clientaccesspolicy.xml in place). That's my understanding anyway - I would like to be proved wrong though. Cheers.
While trying to find a solution to this problem, I read from somewhere that SSL to non-secured service calls would be denied. I could not be sure, but if it is not the case, you might have something there Nigel. Going back to topic, I would appreciate any suggestions and help on this matter. Is there anyway to switch from HTTP to HTTPS while not losing silverlight page contents?
-
While trying to find a solution to this problem, I read from somewhere that SSL to non-secured service calls would be denied. I could not be sure, but if it is not the case, you might have something there Nigel. Going back to topic, I would appreciate any suggestions and help on this matter. Is there anyway to switch from HTTP to HTTPS while not losing silverlight page contents?
Soulforged wrote:
SSL to non-secured service calls would be denied
That's the basis of the problem. By having the clientaccesspolicy.xml with https and http included you are allowing calls from a Silverlight app in http to services in https and vice versa. It is my understanding that the browser is ignorant of what Silverlight is doing in the background so the padlock can be misleading. You could run the app in https with a nice padlock and then call services over http and the padlock will stay there. Unless you remove/alter the clientaccesspolicy.xml and stick to either all http or all https. I'll let you know if I find out any more info. Cheers