6 Replies Latest reply on Oct 15, 2013 1:37 AM by ignaciohita

    flex with secure web service (https, ssl)

    ufukuste

      Hi,

       

      We have a flex application which consumes a secure web service on https channel. We use wcf web services and ssl.

      We use Soap Headers for security. (Basic Authentication with WS Username Token.)

       

      There are many operations in the web service. We start with calling AuthenticateUser operation and then GetUserRoles and then the other ones...

      Sometimes our application works fine, all operations(methods) work successfully but sometimes they don't.

      We get an error like: "Soap Response cannot be decoded. Raw response:" and sometimes we see the same error like: "HTTP request error".

      The first method(AuthenticateUser) always works successfully.We get these errors when we call other methods (e.g GetUserRoles) and we get these errors sometimes, we couldn't find any rules (case) for the errors.

      But we call all the methods by the same way. We add Soap Header to the web service. So all methods need to be called by that header.

       

      We always get errors when we use Mozilla Firefox and we get sometimes when we use Internet Explorer.

       

      1- Here how I define web service:

       

      <mx:WebService id="AdminService"
              wsdl="{wsdlUrl}"
              endpointURI="{endPoint}">     
              <mx:operation name="AuthenticateUser"
                      resultFormat="object"
                      result="AuthenticateUser_result(event);"
                      fault="AuthenticateUser_fault(event);" >
              </mx:operation>
              <mx:operation name="GetUserRoles"
                      resultFormat="object"
                      result="GetUserRoles_result(event);"
                      fault="GetUserRoles_fault(event);" >
              </mx:operation>

              <!--there are several methods below also-->
             .

             .

      </mx:WebService>

       

      wsdlUrl is the url of AdminService's wsdl on http channel: (http://someHost/AdminServices/AdminService.svc?wsdl)

      endPoint is the uri of AdminService's endpoint on https channel: (https://someHost:1444/AdminServices/AdminService.svc)


      Web Service works correctly when I consume it via SoapUI..

       

      2- Here how I add Soap Headers:

       

      private function getHeader(username:String, password:String):void{   
            var header:SOAPHeader = SOAPHeaderUtil.returnWSSEHeaderWithoutNonceAndTimestamp(username, password);
            header.mustUnderstand = true;
            AdminService.clearHeaders();
            AdminService.addHeader(header);   
      }

       

      SOAPHeaderUtil.returnWSSEHeaderWithoutNonceAndTimestamp: I get this code from here. This code uses as3corelib.swc.

      I am sure that I can add headers successfully because when I observe my http request by some http monitor, I can see my Soap Request and it is correct.

       

      3- Here how I call the web service and call AuthenticateUser Method

       

      public function login(username:String, password:String):void{

           //get web service header (SoapHeader)             

           getHeader(username, password);

           //call web service authenticate method with parameters that user entered                    

           AdminService.AuthenticateUser.send(username, password);                         
      }

       

      4.Here how I handle web service operation results:

       

      private function AuthenticateUser_result(event:ResultEvent):void {
           var isUserAuthenticated:Object = event.result as Object;
           if(isUserAuthenticated == true){

                //make another service call inorder to get roles of this user. Below userName is a global variable which user entered previously.
                AdminService.GetUserRoles.send(this.userName);                                                   
           }  
           else{                  
                Alert.show("Invalid username or password!");
           }

      }

       

      //this method get user roles

      private function GetUserRoles_result(event:ResultEvent):void {

           var userRoles:ArrayCollection = event.result as ArrayCollection;
           for(var i:int = 0 ; i < userRoles.length; i++){
                var role:Object = userRoles.getItemAt(i);
                if(role.toString() == "Administrator"){
                      isAdministrator = true;
                }

                if(role.toString() == "Viewer"){
                     isViewer = true;
                }
           }

           if(!isApprover && !isViewer && !isAdministrator){
                Alert.show("You don't have any role!");
           }
      }

       

       

      5. Finally we put both Flex Application and Web Service to the same host and the directory. And we put also our crossdomain.xml and clientaccesspolicy.xml files to the same directory. (e.g: someHost/someDirectory/AdminService,  someHost/someDirectory/FlexApplication, someHost/someDirectory/crossdomain.xml, someHost/someDirectory/clientaccesspolicy.xml)

       

      However I beleive that crossdomain files are not important. Because when  I run the Flex App from my local (workspace), it generally works and calls web service successfully.

       

      crossdomain.xml

      <?xml version="1.0"?>
      <!DOCTYPE cross-domain-policy SYSTEM "/xml/dtds/cross-domain-policy.dtd">
      <cross-domain-policy>
           <site-control permitted-cross-domain-policies="all"/>
           <allow-access-from domain="*" to-ports="*" />
           <allow-http-request-headers-from domain="*" headers="*"/>
      </cross-domain-policy>


      clientaccesspolicy.xml

      <?xml version="1.0" encoding="utf-8"?>
      <access-policy>
        <cross-domain-access>
          <policy>
            <allow-from http-request-headers="SOAPAction">
              <domain uri="*"/>
            </allow-from>
            <grant-to>
              <resource path="/" include-subpaths="true"/>
            </grant-to>
          </policy>
        </cross-domain-access>
      </access-policy>

       

       

      Any suggestion will be appreciated...

      Thank in advance..

      Ufuk