Tip : Cross Domain Policy when Self-Hosting your Services

This tip is about self hosting of services with the .Net WCF or Java Restlet framework. Cross-domain access is mandatory here since the Site of Origin does not host the services.

Self hosting a service represents a quick & easy way to expose a Web Service for tests purpose. Yet, customization is extermely limited since self hosting does not provide you all the capabilities of Web Servers such as delivering static content (cross domain policy file).

The first thing you need to know is that when Silverlight attempts to access services in cross-domain, it will send a HTTP GET method on https://<domain:port>/clientaccesspolicy.xml or https://<domain:port>/crossdomain.xml (in case clientaccesspolicy.xml wasn’t found). If you plan to self host your Web Service, you will agree that there is no possible way to host a physical Cross Domain policy file at the root of the Web Server.

You must handle this request through your Service implementation. It usually matches the /clientaccesspolicy.xml or /crossdomain.xml URI pattern.

WCF way (inspired from Carlo’s blog)

Self-hosted Service

 class Program
     static void Main(string[] args)
         // URI of the Service
         Uri uri = new Uri("https://localhost:8081/");
         // create a new WebServiceHost specifying the implementation of the Service
         // and the specified uri to bind with
         WebServiceHost host = new WebServiceHost(
                 new REST_ItemsServiceLibrary.ItemsREST(),
         // add the Service Endpoint specifying the Service Interface
                                 new WebHttpBinding(), "");
         // open the WebServiceHost
         Console.WriteLine("Service hosted at {0}", uri.OriginalString);
         // close the WebServiceHost

Handling cross-domain file requests 

As we said earlier, we have to manage the /clientaccesspolicy.xml, specify in the Service Interface that HTTP GET method on the URI /clientaccesspolicy.xml will be handled by GetSilverlightPolicy();

 [WebGet(UriTemplate ="/clientaccesspolicy.xml")]
 Stream GetSilverlightPolicy();

this also applies to /crossdomain.xml

Finally, in your Service implementation, return a clientaccesspolicy.xml content:

 public Stream GetSilverlightPolicy()
     string result = @"<?xml version=""1.0"" encoding=""utf-8""?>
             <allow-from http-request-headers=""*"">
                 <domain uri=""*""/>
                 <resource path=""/"" include-subpaths=""true""/>
     return StringToStream(result);
 Stream StringToStream(string result)
     WebOperationContext.Current.OutgoingResponse.ContentType = "application/xml";
     return new MemoryStream(Encoding.UTF8.GetBytes(result));

Restlet way

Self-hosted Service

 public static void main(String[] args) {
     try {
         // Create a new Component.
         Component component = new Component();
         // Add a new HTTP server listening on port 8182.
         component.getServers().add(Protocol.HTTP, 8182);
         // Attach the sample application.
                 new FirstResourceApplication(component.getContext()));
         // Start the component.
     } catch (Exception e) {
         // Something is wrong.

Handling cross-domain file requests 

Following the same philosophy as the WCF way, we need to handle HTTP GET method on /clientaccesspolicy.xml file request :

In the Application implementation you must bind the URI pattern with the Ressource that will handle it :


Finally, implement the ClientAccessPolicy class, specially the HTTP GET method within getRepresentation method :

 package firstResource;
 import java.io.IOException;
 import org.restlet.Context;
 import org.restlet.data.MediaType;
 import org.restlet.data.Request;
 import org.restlet.data.Response;
 import org.restlet.resource.DomRepresentation;
 import org.restlet.resource.Representation;
 import org.restlet.resource.Resource;
 import org.restlet.resource.Variant;
 import org.w3c.dom.Document;
 import org.w3c.dom.Element;
 public class ClientAccessPolicy extends Resource{
     public ClientAccessPolicy(Context context, Request request,
             Response response) {
         super(context, request, response);
         getVariants().add(new Variant(MediaType.TEXT_XML));
     public Representation getRepresentation(Variant variant){
         if (MediaType.TEXT_XML.equals(variant.getMediaType())) {
              try {
                 DomRepresentation representation = new DomRepresentation(
                 // Generate a DOM document representing the list of
                 // items.
                 Document d = representation.getDocument();
                 Element accesspolicy = d.createElement("access-policy");
                 Element crossdomainaccess = d.createElement("cross-domain-access");
                 Element policy = d.createElement("policy");
                 Element allowfrom = d.createElement("allow-from");
                 Element domain = d.createElement("domain");
                 domain.setAttribute("uri", "*");
                 Element grantto = d.createElement("grant-to");
                 Element resource = d.createElement("resource");
                 resource.setAttribute("path", "/");
                 // Returns the XML representation of this document.
                 return representation;
              } catch (IOException e) {
           return null;

- Ronny Kwon