This project is read-only.

Testing a Web API service

Topics: Web Api
Feb 16, 2012 at 9:23 PM


I have developed a self-hosted Web API service. I'm using HTTPS and basic auth, and I can test the service browsing https://localhost/api/messages/test from the browser. I get the test page and everything is fine.

But when I try to test the service from an Android emulator or an Android device I always get the same "Internal server error" (500) on the client side. But the weird thing is, I add a break point at UserNamePasswordValidator (it should enter there always), but the program never reaches this point. I have tried everything: disabling the firewall, changing localhost to,, changing localhot to my private network IP (at the moment)... I don't know what to do, I have run out of ideas :(. So... do you have any?

Thanks in advanced :(

Feb 16, 2012 at 10:19 PM

Can other computers on the network (not emulators) hit your API?

It sounds like maybe you are using a self-signed certificate, and your local machine will trust it, but the emulator will not.

I had this issue with WCF, using user name security, and that is why I stopped using WCF because it was just too stupid.

Feb 16, 2012 at 10:29 PM

Hi digitalpacman,

Thanks for your reply. Yes, I am using a self-signed certificate. And yes, I can hit my API from another computer of my network from the browser ( I have just tested it). But when I try from an Android device (not emulator)... nothing happens. Well, I guess it's Android related, but I don't know what :(.

Thank you.

Feb 16, 2012 at 10:31 PM

I know this sounds stupid but, are you sure the android is on your local network? Maybe its being firewall blocked...

We configure our local dev machines to not use SSL, and we configure our testing environments to use SSL (with real ssl).

This is a major reason we use WebApi, because you can't really do that with WCF using the built-in security.

Feb 16, 2012 at 11:39 PM

Yes. My Android device has the IP and my dev laptop I guess it is about how the Android manages the self-signed certificates. I have tried various approaches, but nothing works. 

Thank you!

Feb 17, 2012 at 10:50 PM

If you are getting a 500 then the service must be blowing up for some reason.

Can you try attaching the debugger on the sever and breaking on all thrown exceptions?

Daniel Roth

Feb 21, 2012 at 1:12 AM

I finally got it. My server implementation was hiding the exception.

I was using this OperationHandler:

class PrincipalFromSecurityContext : HttpOperationHandler<HttpRequestMessage, IPrincipal>
        public PrincipalFromSecurityContext()
            : base("principal")

        protected override IPrincipal OnHandle(HttpRequestMessage input)
            return new GenericPrincipal(ServiceSecurityContext.Current.PrimaryIdentity, new string[0]);

My Android code was doing a bad Basic Auth base64 encoding so the server was blowing all the time here and I could't see the reason. 

So... you can delete this thread. Sorry, the bug was on the client side :(.

Thank you for your support.