I'm using the WCF Web API (the latest version, which I think is 0.5, obtained from the VS2010 Ultimate integrated package dependency GUI).
I've got a simple API class exposed and in each method I'm making a call that performs authorization against the user. When the user is unauthorized, I throw an HttpResponseException with the 401/unauthorized code.
This works, and you can see that at some point in the Http Handler chain, the 401 was trapped. The problem is that the site in which the API resides contains ASP.NET Forms authentication... and so when it sees the 401, it tries to forward my client request to the logon page.
How do I disable this behavior for a particular sub-directory within my site? I've tried setting a location of "api" always allowing users... but I still throw a 401 which still causes ASP.NET to try and redirect me to the logon page.
I'm sure I'm just missing a simple configuration setting that tells forms auth to ignore requests for the /api/* directories, but I can't find any information on it.
I have described the problem and it's solution here (with Preview4): Basic Authentication with WCF Web API hosted in IIS / Getting a 404 - Disable Forms Authentication Redirection
Related
I use IdentityServer (aka Duende) ver. 6 and ASP.Net Core client as a BFF provider for the frontend with standard .Net Core Microsoft OIDC middleware .AddOpenIdConnect for the Authorization Code flow. Everything works nice except one small thing: browser history entry for the OIDC challenge which looks like https://myserver/connect/authorize/callback?client_id... It must be the same for any OIDC provider because this call must be done in a browser and cannot be replaced by AJAX.
It's just looking untidy with long URL and no page title in the history. If user hits back in a browser, it leads to the error because the challenge code is not valid anymore. The problem was precisely explained here and the solution history.replace was even implemented for the IdentityServer's JS client as a config parameter but I can't find anything similar for the .Net Core.
The solution for the browser back button is implemented on the IdentityServer side in their "QuickStart" sample and I also handle an error on the client but still this long untidy URL in the browser offends my eye. I would prefer replacing history instead.
The idea is to handle some event from the OIDC middleware and inject javascript with history.replace to the http context there. Maybe someone already has ready-to-go solution?
I have a question about enabling cross-domain calls.
I have a WCF Rest service that is hosted in xyz domain. I am able to test these REST APIs from Advanced Rest Client, Postman and Fiddler. I also have a WPF application that actively calls these API which is hosted in a different domain (say abc domain) which works fine in getting responses.
However, when I created a new Angular web application and a Windows Service (deployed on abc domain), and tried calling the APIs from these two components, I am getting a 405 error.
Can someone explain:
How REST clients always are able to successfully establish a connection?
How does my WPF successfully connects to the WCF service even though
its on a different domain?
Why is my Windows Service/Web App not able to talk to WCF?
I assume that the issue here is caused by the preflight request. The browser issues this OPTIONS verb request to ask the server if the origin is allowed to call the API in a non-safe manner.
If your WCF REST service does not deal with this request, the WCF runtime will try to dispatch the request to your service implementation.
However, if the runtime does not find a method to call for this verb, it will return a 405 Method Not Allowed response.
I've dealt with this in the past by using an IOperationInvoker implementation, installed via an IOperationBehavior. This article describes a slightly different way of doing basically the same.
I have two separate projects
MVC Web App
MVC Web API
I have published both on my IIS 7.5
My Web App is hosted on 7172 port
and Web API is hosted on 7171 port
Strangely iam not able to call jquery.ajax() from my web app (7172) to web api (7171) port. It gives me 405 Method not found error code.
But if i write the same jquery.ajax() in my web api project (7171) and call web api method then it work fine and returns data.
I want to call web api from my web app.
Any suggestion would be appreciated.
Thanks in advance.
This has to do with the Same Origin Policy. By default, you can't execute an AJAX call to another domain (both on name, port and protocol).
If you want to enable this you should use Cross-origin resource sharing (CORS). CORS can be used with Web API by installing a (prerelase) NuGet package: Microsoft ASP.NET Web API Cross-Origin Support
This package allows you to configure which domains can call your service. You can find a walk trough here Enabling Cross-Origin Requests in ASP.NET Web API. In essence it comes down to adding attributes to your controllers like this:
[EnableCors(origins: "http://myclient.azurewebsites.net", headers: "*", methods: "*")]
You're running into the same-origin/cross-domain security policy. The port used is part of the origin calculation. A bit of Javascript loaded from (say) localhost:80 cannot make an AJAX request to localhost:8080, because the port numbers don't match. The 405 error you're getting is almost certainly coming from your Web App, not the API - check the server logs for the app, and you'll see the ajax hit in there.
I've set up a ACS domain with a Relaying Party to Authenticate a WCF Service. On my client (website), I want to link to the Hosted Login Page that ACS provides for my Relaying Party. I have the Return URL configured to respond to the same page, but whenever it returns the page currently throws this error:
A potentially dangerous Request.Form value was detected from the
client (wresult="<t:RequestSecurityTo...")
How to do retrieve this SWT token and parse it to send off to the WCF service?
The ASP.NET request validation feature is kicking in here (because of the angle brackets). Either turn off request validation for the page or when on .NET 4.5 you can set the request validation mode in web.config to 4.5.
Or use this: http://leastprivilege.com/2010/07/24/wif-asp-net-4-0-and-request-validation/
I would also recommend using SAML instead of SWT. Since this is what WCF understands by default.
I am using Asp.net MVC 4 Web Api project. MY application uses mvc to implement a web site. It makes http requests to the web api to implement server functionality.
Regular page requests to controllers work fine and it is able to display web pages. The application is able to make get and post requests to the api. But when it tries to to put or delete web requests it gets
"Failed to load resource: the server responded with a status of 501 (Not Implemented) "
The application is hosted on iis 6.
The application works when running a local cassani server instance and is able to make put and delete requests, but as soon as the application is executed from iis it doesn't work as expected.
I tried all the suggestions from the comment above and none of them worked.
I had to add the ASP.NET 4.0 dll to the Wildcard mappings in the Configuration area on the Home Directory tab. That worked for me. Remember to uncheck the "Verify file exists" checkbox.
EDIT: I posted a blog on the exact process to make this happen here: http://www.proworks.com/blog/2012/11/14/how-to-fix-aspnet-mvc-web-api-http-put-and-delete-requests-failing/