I've been folowing the advice from this article for setting up a robots.txt file in asp.net mvc3 for using a controller to handle the server response, and IIS 8.0 express is returning a file not found error, rather than an asp.net error.
How do I get IIS to not look for a file in these cases? Is there something I need in the web.config?
IIS tries to be intelligent here. He intercepts the dot in the url and thinks that this is a static file and attempts to serve it with the default StaticFile handler. it dopesn't event get to the managed ASP.NET application.
The first possibility is to add the following in your web.config
<system.webserver>
<modules runAllManagedModulesForAllRequests="true" />
but actually that's not something I would recommend you doing because this might have a negative effect on the performance of your application because now all requests to static files (such as .js, .css, images, ...) will go through the managed pipeline.
The recommended approach is to add the following handler to your web.config (<handlers> tag of <system.webServer>):
<system.webServer>
<handlers>
<add name="Robots-ISAPI-Integrated-4.0" path="/robots.txt" verb="GET" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
...
</handlers>
</system.webServer>
Notice how we have specified that this handler will only apply to a particular URL and HTTP verb.
Now when you GET /robots.txt, IIS will no longer handle it with the StaticFile handler but will instead pass it to the managed pipeline ASP.NET. And then it will be intercepted by the routing engine and routed to the corresponding controller action.
Unless you need a dynamically generated robots.txt file, which is very rarely necessary, just do the following:
Ignore the route to robots.txt
routes.IgnoreRoute("robots.txt");
Add the robots.txt file to your root dir
Related
I am getting this error when I click on ASP Button. Error: A potentially dangerous Request.Form value was detected from the client
I have read few question of stack over flow. The point here is the button is working fine when I live the website to our client server. But it is not working if I configure in my local IIS server.
Do I need to change any settings in my local IIS server?
Please suggest.
By default, the application is prevented from processing unencoded HTML content submitted to the server.
If you set the the RequestValidationMode to 2.0 in your web.config, it will solve your issue.
<system.web>
<httpRuntime requestValidationMode="2.0" />
</system.web>
If you want to make the smallest change possible, you could define the requestValidationMode inside a location element to have it applied to a specific page (ex: Login page)
<location path="Login.aspx">
<system.web>
<httpRuntime requestValidationMode="2.0" />
</system.web>
</location>
Remarks (From MSDN)
The RequestValidationMode property specifies which ASP.NET approach to validation will be used. This can be the algorithm that is used in versions of ASP.NET earlier than version 4, or the version that is used in .NET Framework 4. The property can be set to the following values:
4.5 (the default). In this mode, values are lazily loaded, that is, they are not read until they are requested.
4.0 The HttpRequest object internally sets a flag that indicates that request validation should be triggered whenever any HTTP request data is accessed. This guarantees that the request validation is triggered before data such as cookies and URLs are accessed during the request. The request validation settings of the element (if any) in the configuration file or of the directive in an individual page are ignored.
2.0. Request validation is enabled only for pages, not for all HTTP requests. In addition, the request validation settings of the element (if any) in the configuration file or of the directive in an individual page are used to determine which page requests to validate.
I am trying to prevent unauthorized access to all files within some of my media libraries in Kentico v9.0. I intend to only provide access to certain libraries via Kentico Role membership and global admins only.
I have followed the guide published here: Securing media libraries and it seems to work fine: Direct URL path access results in a 401.2 - Unauthorized message, regardless of user authentication state and role membership. And I have a media gallery web part set up correctly to provide the permanent URLs, which also work as I expect them to.
However, I have another requirement; which is to serve up a ~/googlesitemap.xml file. I followed the guide published here: Google Sitemaps, which instructs me to provide an attribute to the system.webServer/modules node in the web.config:
<modules runAllManagedModulesForAllRequests="true">
...
</modules>
However, when I add the above, then any authenticated user can gain access to my media library files if they enter in the full URL. This violates my attempts at media library access based on role membership; since I dont want users in other roles to be able to get at the files.
I have tried to exclude all media library files from the re-writing engine by adding my media folder root as an Excluded URL in Settings > URLs and SEO > URL Format > Excluded URLs... but this doesn't appear to help.
Any suggestions would be highly welcome!
As far as I know runAllManagedModulesForAllRequests attribute is mandatory only for different extensions (different from .aspx). If you are using IIS 7 or above you can omit this attribute in your web.config (see source).
Note: In ASP.NET websites, the value of runAllManagedModulesForAllRequests previously had to be set to true to support routing. However, once IIS 7 has been updated with a Service Pack, the value of runAllManagedModulesForAllRequests can be set to false or omitted when working with ASP.NET routing. For more information, see ASP.NET Routing on the MSDN website.
So quick fix: Do not add this attribute to web.config and your media gallery (permissions) should work as you wish.
EDIT: So I think I have got solution for you. It seems that runAllmanagedModulesForAllRequests attribute kills Anonymous Authentication setting so Kentico serves data after successful authentication. I`ve found workaround so you can forbid access to media library. Try to add something like:
<location path="MySite/media/MyMediaLibrary">
<system.web>
<authorization>
<deny users="*"/>
</authorization>
</system.web>
</location>
into your web.config inside configuration section.
We have an application running MVC4 front end an consuming a web api2 rest PUT. It is running in IIS 8.5 and windows server 2012
I am using PutAsync to update some data but getting a 405 - Method Not Allowed back. i looked around and found out that some people had this issue and it was resolved by using some or other technique in the web.config of the API.
I tried this in the web API config and it worked for me.
<modules runAllManagedModulesForAllRequests="true">
<remove name="WebDAVModule" />
</modules>
<handlers>
<remove name="WebDAV" />
</handlers>
BUT I am not sure why. i don't have any webdav authoring rules defined for my web site. Can someone please help me understand why this might be working for me??
Also, is there a downside of setting runAllManagedModulesForAllRequests=true for the API??
The configuration can be inhertied from machine.config. For more info,Configuration Inheritance in this page. It can also be inherited from any other web.config in a containing folder.
runAllManagedModulesForAllRequests implies that any request done to the folder (and subfolders) where you include this web.config will be handled to the registered modules. For example it will try to handle the request to something that doesn't look like a Web API action. Please, see this: <modules runAllManagedModulesForAllRequests="true" /> Meaning
I faced these questions in one of my interview question which i was not able to answer..
How can we set routing in Mvc with out using routconfig file ?
Mvc does not have statemanagement technique like viewstate as Asp.net , then how is the state managed in Mvc?...
How to pass data from controller to view and view to controller??
from controller to view we can pass using viewbag,viewdata, model binding...from view to controller also we can pass data with model binding,
are there any other options other than this?
There is an option: You can use
In ASP.NET, you can add the following configuration setting to applications in order to support routing:
In you web.config file
<configuration>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
<!-- more -->
</modules>
</system.webServer>
</configuration>
When runAllManagedModulesForAllRequests is true, a URL like http://mysite/myapp/home goes to ASP.NET, even though there is no .aspx, .mvc, or similar extension on the URL.
For more information Go to MSDN ASP.NET Routing
this is my first post on this great source of programming information.
I have developed new site for client and just doing some finishing touches.
I am trying to create custom error pages which would be read from web.config
<system.web>
<customErrors mode="RemoteOnly">
<error statusCode="404" redirect="404.aspx" />
<error statusCode="500" redirect="500.aspx" />
</customErrors>
It works well on local development machine and 404 and 500 errors are shown as required.
After compilation and publishing site to web server it doesnt work. IIS 6 keeps on showing original IIS 6 error pages like this 404 error:
The page cannot be found
The page you are looking for might have been removed,
had its name changed, or is temporarily unavailable.
Please try the following:
Make sure that the Web site address displayed in the address bar of
your browser is spelled and formatted correctly.
If you reached this page by clicking a link, contact the Web site
administrator to alert them that the link is incorrectly formatted.
Click the Back button to try another link.
HTTP Error 404 - File or directory not found.
Internet Information Services (IIS)
I am not sure why is it doing this, I thought that web.config overwrites original IIS6 settings.
Ok I have found out that the problem is with the 404 .aspx page only. Error 500 is working fine and showing 500.aspx page. But not for 404.aspx. Please advice
The web config will only override IIS6 settings if the request is passed to the .NET ISAPI filter - for example, for pages ending with .aspx
If I browsed to a file or directory that didn't get to the .NET ISAPI it wouldn't use the web.config rules.