Consume unsecure webservices with HTTPS
This is a repost from the Silverlight Viewer forum... But this is a core-product question that may/may not be specific to the Silverlight viewer, so if this is in duplicate, please remove...
I have a Geocortex Silverlight Site that I'm configuring and have a service that uses HTTPS protocol. I can add the service to my Essentials Rest endpoint for configuration, but when I launch the site to see the map, I get that the map failed to load.
I checked the ClientAccessPolicy and verified:
<allow-from http-request-headers="*">
<domain uri="*"/>
<domain uri="http://*"/>
<domain uri="https://*"/>
</allow-from>
I checked the CrossDomain and verified:
<allow-access-from domain="*"/>
<site-control permitted-cross-domain-policies="all"/>
<allow-http-request-headers-from domain="*" headers="*"/>
Both are located at the root of the web server C:\inetpub\wwrooot
When I add the service through the Rest Admin, I don't select authentication as the service is not technically secure, however it is being accessed through HTTPS protocol. I can access the service and submit a successful query via the browser on the Essentials server, so there isn't a connection/firewall issue. Is there anything in Essentials that I need to do differently, for utilizing map services through HTTPS?
I should add that we are using the most recent Silverlight Viewer release with Essentials 3.9.0
-
Unfortunately a Silverlight service hosted on HTTP cannot under any circumstances download images from a service hosted on HTTPS.
Please see the table on this page:
(http://msdn.microsoft.com/en-us/library/cc189008(v=vs.95).aspx) http://msdn.microsoft.com/en-us/library/cc189008(v=vs.95).aspx
You'll note that the intersection between 'Cross scheme access' (refers to HTTP-->HTTPS as well as the other way around) and 'Image Class' is denoted as 'Not Allowed'. This means under any circumstances, even with a security policy file. We are very sorry about this, but there isn't really anything we can do, as this restriction is imposed by Microsoft for security purposes.
0 -
That's what I suspected Jonathan.
Thank you for putting this issue to bed for me. I will have to revert back to an HTTP instance of ArcGIS Server for use with Essentials.
What is the preferred method for Essentials security? HTTP and token based authentication?
Thanks again.
0 -
There isn't one preferred method for security -- it depends on the needs and requirements of your business.
Generally though, increasingly secure security is also increasingly difficult to set up and manage. This is somewhat unavoidable, as the purpose of security is to make it very difficult for unauthorized users to get at your stuff. This usually has the side-effect of making things a bit more inconvenient and difficult for the authorized users as well.
It is recommended to always use HTTPS with token based security though, as otherwise user names and passwords will be sent in plain text over the wires where they are relatively easy to intercept.
0 -
I have a simular issue. I cannot access an https site because it has one of these:
https://<mysecureservice>/arcgisreview/rest/services (ArcGIS Server 10.0 SP4)
(NOTE: after linking here, accept the security certificate because it is a self-signed cert for internal access only )I cannot access it through the http: prefix either. I do not get a prompt or anything to accept the service. So am i out of luck this time?
I have asked thier webmaster to go to a token based security or a user name and login based security, because essentials has those prompts available to me when I add the site to essentials.
I need advice here!
J
0
Please sign in to leave a comment.
Comments
4 comments