Windows 8.1 Windows.Web.HTTP.HTTPClient - Secure to Non Secure Redirect Exception

    Question

  • I am building a Windows 8.1 application and using the Windows.Web.HTTP.HTTPClient API to talk to a custom SSO login service. It redirects from HTTPS to HTTP. It was working fine with the System.Net.HTTP.HTTPClient API; however, it is giving an exception with the Windows.Web.HTTP.HTTPClient API.

    URL - https://sso.rumba.int.pearsoncmg.com/sso/loginService?service=http://www.google.com?authservice=rumbasso&username=may23_rumba_edu1&password=pass&gateway=true

    I am getting the exception - "The text associated with this error code could not be found.\r\n\r\nA redirect request will change a secure to a non-secure connection\r\n"

    Code Snippet

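    // Requires: using System; using Windows.Web.Http; using Windows.Web.Http.Filters;
    var baseFilter = new HttpBaseProtocolFilter();
    // With auto-redirect on, the filter itself follows the HTTPS -> HTTP redirect.
    baseFilter.AllowAutoRedirect = true;
    var httpClient = new HttpClient(baseFilter);
    var serverURI = new Uri("https://sso.rumba.int.pearsoncmg.com/sso/loginService?service=http://www.google.com?authservice=rumbasso&username=may23_rumba_edu1&password=pass&gateway=true");
    // Must run inside an async method.
    HttpResponseMessage response = await httpClient.GetAsync(serverURI);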
    

    Please advise what I can do to fix this issue.

    Thanks Hitender

    Wednesday, July 23, 2014 8:01 AM

All replies

  • Are you able to catch the exception and ignore it?

    Matt Small - Microsoft Escalation Engineer - Forum Moderator
    If my reply answers your question, please mark this post as answered.

    NOTE: If I ask for code, please provide something that I can drop directly into a project and run (including XAML), or an actual application project. I'm trying to help a lot of people, so I don't have time to figure out weird snippets with undefined objects and unknown namespaces.

    Wednesday, July 23, 2014 12:20 PM
    Moderator
  • I apologize, Matt, for not sharing runnable code earlier. Please find below the link to a test project illustrating this exception. Please add debug points in the UserAuthenticate method in the MainPage CS file to observe the exception. The XAML UI is very plain.

    https://www.dropbox.com/s/fsuo84yg2fwz42n/TestApp.zip

    I am not getting my service response from HTTPClient due to this exception and thus not able to silently ignore it.

    Please note that my service will replace google url mentioned in my code base.

    Thanks

    Hitender

    Thursday, July 24, 2014 6:15 AM
  • Hi Matt, Please advise whether you got time to look into this. Also please let me know if you need anything from my side. Thanks Hitender
    Tuesday, July 29, 2014 5:18 AM
  • Hi Hitender,

    I don't see how we can directly ignore the exception, but let me ask: what exactly is the flow of information here? I think that if you set the autoredirect to false and check for a redirection explicitly, you can work around this problem.


    Matt Small - Microsoft Escalation Engineer - Forum Moderator

    Wednesday, July 30, 2014 12:07 PM
    Moderator
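
The suggestion in the reply above (turn off auto-redirect and check for the redirection explicitly), sketched as an added example that is not code from the thread: the client reads the `Location` header of the HTTPS response and never sends the plain-HTTP request. The class and method names and the `ticket` parameter name are assumptions; the thread does not name the parameter.

```csharp
// Added example, not code from the thread.
using System;
using System.Linq;
using System.Threading.Tasks;
using Windows.Foundation;
using Windows.Web.Http;
using Windows.Web.Http.Filters;

public static class SsoRedirectReader   // hypothetical helper class
{
    // Assumed parameter name; the thread does not say what the ticket is called.
    private const string TicketParameter = "ticket";

    // Returns the ticket from the redirect target, or null if there is none.
    public static async Task<string> GetServiceTicketAsync(Uri loginUri)
    {
        if (loginUri.Scheme != "https")
            throw new ArgumentException("The login request must use HTTPS.", "loginUri");

        // Do not let the filter follow the redirect: the HTTPS -> HTTP hop is
        // what raises the exception, and it is not needed to read the ticket.
        var filter = new HttpBaseProtocolFilter { AllowAutoRedirect = false };
        using (var client = new HttpClient(filter))
        using (HttpResponseMessage response = await client.GetAsync(loginUri))
        {
            if (!IsRedirect(response.StatusCode)) return null;

            // The redirect target arrives inside the TLS-protected response.
            Uri location = response.Headers.Location;
            if (location == null) return null;
            if (!location.IsAbsoluteUri) location = new Uri(loginUri, location);
            if (string.IsNullOrEmpty(location.Query)) return null;

            // Parse the query string locally; no request is sent to 'location'.
            var entry = new WwwFormUrlDecoder(location.Query)
                .FirstOrDefault(e => e.Name == TicketParameter);
            return entry == null ? null : entry.Value;
        }
    }

    private static bool IsRedirect(HttpStatusCode code)
    {
        return code == HttpStatusCode.MovedPermanently || code == HttpStatusCode.Found
            || code == HttpStatusCode.SeeOther || code == HttpStatusCode.TemporaryRedirect;
    }
}
```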
  • Hi Matt,

    I apologize I moved on to some other functionalities in my App and did not revert back on this.

    Actually, I need to read a service ticket that gets appended to the query string after redirection. I don't see any way to read the service ticket once I get the exception.

    Please let me know if there is any way to move forward on this.

    Thanks

    Hitender

    Friday, September 12, 2014 9:50 AM
  • It's throwing an exception because what you're doing is unsafe! When you switch from HTTPS back to HTTP, you undo all of the security that you were trying to get by using HTTPS -- you lose all of your encryption, all of the protections against MITM attacks, and all of your assurance that you're talking to the correct web service. And on the server side, you lose all of the assurances that you're talking to an authenticated person.

    Wednesday, June 3, 2015 5:34 AM