I have a lot of filters, which are using HttpContext.IsCustomErrorEnabled in MVC 5. One of such filter is JsonExceptionFilter, to simply return status without full error when exception is fired on Production environment. The details of exception are returned based on CustomeErrors enabled. So in rare cases I can see production/staging error just by chanign this option in web.config. However in ASP.NET Core there is no such option because redirection is done by ExceptionHandler middleware.
Is there any way to check if redirection (custom error) is enabled?
Related
I'm reading the book API Security in Action by Neil Madden. In the book, there is a section about CORS and how to attach the proper headers in Java. I am aware that there is already an AddCors and UseCors built in to ASP.NET Core, but for my edification I wanted to roll my own middleware.
However, I found that I was unable to receive any sort of OPTIONS requests, they were automatically being rejected somehow, and I was unable to respond to them manually, even when it was the first middleware in the pipeline. Since the UseCors middleware is able to intercept these pre-flight requests, I'm curious whether or not it is hooking into a deeper level of ASP.NET Core than I am able to.
TL;DR: Is ASP.NET Core (or Kestrel) performing some sort of automatic preflight request checking even when UseCors is not called?
The answer in the end is no, ASP.NET does not do anything fancy when it comes to preflight requests. I looked into the source code and the CorsMiddleware (and associated extensions) are relatively simple; most of the logic is contained within the ICorsService, and doesn't impact the middleware pipeline directly.
I'm unsure what my original issue was being caused by, but it is now resolved.
See below for the source code:
https://github.com/dotnet/aspnetcore/blob/a450cb69b5e4549f5515cdb057a68771f56cefd7/src/Middleware/CORS/src/Infrastructure/CorsMiddleware.cs
It is worth noting that if you add the CORS headers manually, you will get the following exception
System.InvalidOperationException: Endpoint ProjectName.Controllers.SomeController.Login (ProjectName) contains CORS metadata, but a middleware was not found that supports CORS.
Configure your application startup by adding app.UseCors() inside the call to Configure(..) in the application startup code. The call to app.UseCors() must appear between app.UseRouting() and app.UseEndpoints(...).
You can avoid this error by setting a flag to true in the custom CORS handler
httpContext.Items["__CorsMiddlewareWithEndpointInvoked"] = true;
However, I feel it's important to stress that this should only be done for education purposes; you should be relying on built-in CorsMiddleware and not rolling your own whenever possible (and it should hopefully always be possible).
I will try my best to explain the exception I am facing. I have an application built with dotnet core 2.1 running under localhost:5000. I have applied the global exception handler within the startup class to handle any exception thrown by the application. I have tested this functionality and its working absolutely fine. However, if I pass this 'http://localhost:5000/redirect=https%3a%2f%2fey.com' in the url it throws an exception but doesn't get caught within the application. Please refer to the screenshot attached. My requirement is to redirect the user to a generic error page.
[EDITED] This issue was found during QA testing. Also, 'redirect' is not a keyword here, if we try to replace redirect with any random character throws the same exception. eg 'http://localhost:5000/a=https%3a%2f%2fey.com'
I would like to display custom error message when authentication fails in IdentityServer4. Namely I want to show what went wrong, e.g. "invalid redirect url" or "invalid authentication flow". When authentication fails I see only that exception occured but for what happened I need to go into logs. In this case I would like to know that e.g. redirect url is wrong directly. How can I achieve that?
I'm thinking about some exception filter or custom middleware on ASP.NET Core. However it seems to me that exception filter won't work since that is MVC stuff and exception occurs in the IdentityServer middleware. And I am not sure how to create the middleware so it shows the error and also manages to use the same layout and ui parts as in MVC views. Is there another way? Maybe some extension points I did not see?
In previous ASP.NET versions I was used to create a BaseController inherited from the other controllers and there intercepting the general error and logging each error with a simple logging method and passing the ExceptionContext filterContext.
Should I do the same in ASP.NET 5?
I see in file Startup.cs that there is a if/else statement that basically separate the debug/live condition, with line
app.UseErrorHandler("/Home/Error");
for a production application.
How am I supposed to hook in the process and log the errors?
Handling and logging errors in ASP.NET 5 involves a few elements.
To handle the error in a production scenario and show an error page, the app.UseExceptionHandler() method is the way to go. The Diagnostics repository on the ASP.NET GitHub organisation includes a sample that shows this. For development-time scenarios where you want to see a full stack trace and other diagnostic information, use app.UseDeveloperExceptionPage() as seen in this sample.
If the application is using ASP.NET MVC 6, then there is an MVC-specific way of handling errors, much as there was in earlier versions of ASP.NET MVC. In ASP.NET MVC 6, a filter (or the Controller itself, which is also a filter) can handle/override the OnActionExecuted method and inspect the ActionExecutedContext parameter to attempt to handle the error.
When it comes to logging, there's a new logging infrastructure in ASP.NET 5 that reports a great deal of information to any registered ILogger. The default project templates in Visual Studio 2015 register some loggers that log errors (and other data) to the console and the Visual Studio debug output window. However, when running in IIS or IIS Express there is no console window (yet!). But if you run from the command line (using dnx web) then you'll see the error. Or, of course, you can register a different logger that writes to a log file or database and see the logs there.
To register a custom ILogger in a web app:
Write a logger that implements the ILogger interface. See the DNX implementations for how to do this.
Add a parameter of type ILoggerFactory to your app's Startup class's Configure method.
In the Configure method call loggerFactory.AddProvider(<some provider>) and pass in an instance of your logger.
I have a custom IHttpHandler that calls MvcHttpHandler implemented as described in this answer.
It worked well in asp.net MVC2, but after I migrate the code to MVC4 with IISExpress 7.5, I start getting InvalidOperationException on the line:
httpHandler.ProcessRequest(HttpContext.Current);
with message:
'HttpContext.SetSessionStateBehavior' can only be invoked before
'HttpApplication.AcquireRequestState' event is raised.
ASP.NET Development Server does not make any problems.
Does anyone know what's going on here, and how to solve it?
I believe you need to use httpContext.Server.TransferRequest with the MVC update.
See this question: MVC3 Application Inside Webforms Application Routing is throwing a HttpContext.SetSessionStateBehavior Error in IIS7.5