I have put the parameter in the web.config of the web.api that is being called. I even put it in the webapiconfig.cs to allow all sites hit the web.api. Even put it on the controller. And I still get this message? The calling website is sending json over to my web api. Why would I , could I be getting this error? What information can I give you guys to help me figure out this issue?
In reply to the solutions listed below: Here is the piece of my web.config....I put the wildcard of asterisk in it:
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*" />
<add name="Access-Control-Allow-Methods" value="*"/>
<add name="Access-Control-Allow-Headers" value="*" />
</customHeaders>
</httpProtocol>
Within my webapiconfig.cs file I have the following as well:
{
// enable CORS
config.EnableCors(new EnableCorsAttribute("*", "*", "*", "*"));
}
And here is my controller. I know, overkill, but I am trying to figure out this issue:
[EnableCors(origins: "*", headers: "*", methods: "*")]
public class ExampleController : ApiController
Just check your web.config file and search for system.webServer section:
<system.webServer>
<httpProtocol>
<customHeaders>
<remove name="Access-Control-Allow-Origin" />
<remove name="Access-Control-Allow-Headers" />
<add name="Access-Control-Allow-Headers" value="Origin,X-Requested-With,Content-Type,Accept" />
</customHeaders>
</httpProtocol>
</system.webServer>
Try reading through https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS for the general idea of what's going on, and http://www.asp.net/web-api/overview/security/enabling-cross-origin-requests-in-web-api for how to solve it in ASP.net
Essentially, if your request is coming from one server to another on a different domain, the other server must say it's happy to accept requests from browsers on the first domain.
To fix it, tell ASP.net to return 'Access-Control-Allow-Origin' headers that include the origin your request is coming from, either via web.config (as in the other answer), or by adding to your config and controller classes as below:
public static class WebApiConfig
{
public static void Register(HttpConfiguration config)
{
config.EnableCors();
// ...
}
}
namespace WebService.Controllers
{
[EnableCors(origins: "http://myclientdomain.azurewebsites.net", headers: "*", methods: "*")]
public class TestController : ApiController
{
// ...
}
}
Related
I implemented an ASP.Net Web API 2 project with ADFS cookie authentication and hosted it on IIS. All works fine.
However, some clients have got old cookies which became invalid because of configuration changes. Such cookies cause following error when calling my API:
[CryptographicException: Key not valid for use in specified state.
]
System.Security.Cryptography.ProtectedData.Unprotect(Byte[] encryptedData, Byte[] optionalEntropy, DataProtectionScope scope) +447
System.IdentityModel.ProtectedDataCookieTransform.Decode(Byte[] encoded) +49
[InvalidOperationException: ID1073: A CryptographicException occurred when attempting to decrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false. ]
System.IdentityModel.ProtectedDataCookieTransform.Decode(Byte[] encoded) +329
System.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) +167
System.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(XmlReader reader, SecurityTokenResolver tokenResolver) +826
System.IdentityModel.Tokens.SessionSecurityTokenHandler.ReadToken(Byte[] token, SecurityTokenResolver tokenResolver) +92
System.IdentityModel.Services.SessionAuthenticationModule.ReadSessionTokenFromCookie(Byte[] sessionCookie) +569
System.IdentityModel.Services.SessionAuthenticationModule.TryReadSessionTokenFromCookie(SessionSecurityToken& sessionToken) +306
System.IdentityModel.Services.SessionAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs) +159
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +142
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +92
The obvious workaround is to clear the cookies. However, it's likely that I'll change the cookies configuration again in future, so I'd like to clear all invalid cookies automatically from the API.
I've tried adding a custom OWIN middleware and overriding IExceptionHandler.
Here's my WIF config:
<system.identityModel>
<identityConfiguration>
<audienceUris>
<add value="https://my.web-api.com" />
</audienceUris>
<issuerNameRegistry type="System.IdentityModel.Tokens.ValidatingIssuerNameRegistry, System.IdentityModel.Tokens.ValidatingIssuerNameRegistry">
<authority name="ADFS">
<keys>
<add thumbprint="--a thumbprint--" />
</keys>
<validIssuers>
<add name="http://my.adfs.com/adfs/services/trust" />
</validIssuers>
</authority>
</issuerNameRegistry>
</identityConfiguration>
</system.identityModel>
<system.identityModel.services>
<federationConfiguration>
<wsFederation issuer="https://my.adfs.com/adfs/ls" realm="https://my.web-api.com" requireHttps="true" passiveRedirectEnabled="false"
persistentCookiesOnPassiveRedirects="true" />
<cookieHandler name="my.cookie" path="/" persistentSessionLifetime="7.0:0:0" />
<serviceCertificate>
<certificateReference x509FindType="FindBySubjectName" findValue="my.web-api.com" storeLocation="LocalMachine" storeName="My" />
</serviceCertificate>
</federationConfiguration>
</system.identityModel.services>
Here's my Startup class:
public class Startup
{
public void Configuration(IAppBuilder appBuilder)
{
var config = new HttpConfiguration();
config.Services.Replace(typeof(IExceptionHandler), new CryptographicExceptionHandler());
WebApiConfig.Register(config);
appBuilder.UseWebApi(config);
appBuilder.Use<ClearInvalidCookiesMiddleware>();
}
}
No matter what's inside CryptographicExceptionHandler and ClearInvalidCookiesMiddleware, their code is not called and I'm getting 500 error. I also tried to move ClearInvalidCookiesMiddleware before UseWebApi.
My aim is to add Set-Cookie response header to clear invalid cookies and return 401 or a redirect.
How can I make OWIN to customize the response in this case?
The solution appeared to override SessionAuthenticationModule.OnAuthenticateRequest and call SignOut() in case of exceptions:
class ClearInvalidCookiesSessionAuthenticationModule : SessionAuthenticationModule
{
protected override void OnAuthenticateRequest(object sender, EventArgs eventArgs)
{
try
{
base.OnAuthenticateRequest(sender, eventArgs);
}
catch(InvalidOperationException ex) when (ex.InnerException is CryptographicException) // Invalid cookie signing key
{
SignOut();
}
catch(System.Xml.XmlException) // Invalid cookie structure
{
SignOut();
}
}
}
To use the inherited class instead of default one, one should insert following line inside Web.config:
<system.webServer>
<modules ...>
<!-- Insert the line below or replace existing SessionAuthenticationModule -->
<add name="SessionAuthenticationModule" preCondition="managedHandler"
type="MyNamespace.ClearInvalidCookiesSessionAuthenticationModule, MyAssembly" />
...
</modules>
...
</system.webServer>
I have added a Web API feature to an ASP.NET MVC app and want to use attribute routing. When running the site in Visual Studio 2015, I can enter URLs in the browser address bar and get the methods on my controller to work. Once I move the site to IIS, all I get is 404 responses. I have tried many code changes with no luck.
The BuilderApiController file is in a WebAPI/v1/Controllers folder. Will attributes on the controller be found here?
namespace Hds.Edsi.WebAPI.V1.Controllers
{
[System.Web.Http.RoutePrefix("api/v1/builder")]
public class BuilderApiController : BaseApiController
{
[System.Web.Http.Route("GetExternalOrganizationID/{envisionOrgID}")]
[System.Web.Http.HttpGet]
public HttpResponseMessage GetExternalOrganizationID(string envisionOrgID)
{
WebApiConfig.cs file. Standard stuff. If I am using attribute routing, do I need the config.Routes.MapHttpRoute part? I have tried it with and without.
If I need it, what is the purpose of config.MapHttpAttributeRoutes()? When I look at GlobalConfiguration,Configuration._routes after Register is called, none of the attribute routing defined routes are there. Should they be?
namespace Hds.Edsi.WebAPI
{
public static class WebApiConfig
{
public static void Register(HttpConfiguration config)
{
// Web API routes
config.MapHttpAttributeRoutes();
/*
config.Routes.MapHttpRoute(
name: "DefaultApi",
routeTemplate: "api/v1/{controller}/{action}/{id}",
defaults: new { id = RouteParameter.Optional }
);
*/
protected void Application_Start()
{
GlobalConfiguration.Configure(WebApiConfig.Register);
AreaRegistration.RegisterAllAreas();
GlobalConfiguration.Configuration.Formatters.JsonFormatter.SerializerSettings.ReferenceLoopHandling = ReferenceLoopHandling.Ignore;
GlobalConfiguration.Configuration.Formatters.JsonFormatter.SerializerSettings.Converters.Add(new StringEnumConverter());
RegisterGlobalFilters(GlobalFilters.Filters);
RegisterRoutes(RouteTable.Routes);
Components.Automapper.CreateMaps();
// Requrired for managing AppDomain teardown - IRegisteredObject
MonitorManager.RegisterInstance();
}
IIS Express:
http://localhost:8181/api/v1/builder/GetExternalOrganizationID/123.123.123.123.1234 returns a JSON object as I would expect.
IIS:
http://my server/api/v1/builder/GetExternalOrganizationID/123.123.123.123.1234 returns a 404
I am guessing that I am missing something simple here or don't understand how attribute routing works.
Added
Here is the system.webServer section from web.config:
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<modules runAllManagedModulesForAllRequests="true">
<add name="ErrorLog" type="Elmah.ErrorLogModule, Elmah" preCondition="managedHandler" />
<add name="ErrorMail" type="Elmah.ErrorMailModule, Elmah" preCondition="managedHandler" />
<add name="ErrorFilter" type="Elmah.ErrorFilterModule, Elmah" preCondition="managedHandler" />
</modules>
<handlers>
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*" verb="*" type="System.Web.Handlers.TransferRequestHandler" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode,runtimeVersionv4.0" />
<remove name="OPTIONSVerbHandler" />
<remove name="TRACEVerbHandler" />
</handlers>
</system.webServer>
As per as i know, if it's not working properly on your IIS, then that is an IIS error, not an ASP.NET error so this doesn’t actually come from ASP.NET’s routing engine but from IIS’s handling of expressionless URLs.
You can try with adding runAllManagedModulesForAllRequests to your web.config
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
<add name="ScriptCompressionModule" type="Westwind.Web.ScriptCompressionModule,Westwind.Web" />
</modules>
</system.webServer>
In detail you can refer Rick Strahl's Web Log ASP.NET Routing not working on IIS 7.0
Hope this helps!
Everytime Elmah logs an error the error is logged twice. 100% identical with exact the same Timestamp.
I have no special configuration in the web.config.
I have created a ElmahHandleErrorAttribute an added two filters:
filters.Add(new ElmahHandleErrorAttribute {
ExceptionType = typeof(System.Data.Common.DbException),
// DbError.cshtml is a view in the Shared folder.
View = "DbError",
Order = 2
});
filters.Add(new ElmahHandleErrorAttribute {
ExceptionType = typeof(Exception),
// DbError.cshtml is a view in the Shared folder.
View = "Error",
Order = 3
});
Some Snippets from web.config:
<httpModules>
<add name="ErrorLog" type="Elmah.ErrorLogModule, Elmah" />
<add name="ErrorMail" type="Elmah.ErrorMailModule, Elmah" />
<add name="ErrorFilter" type="Elmah.ErrorFilterModule, Elmah" />
</httpModules>
and
<modules runAllManagedModulesForAllRequests="true">
<add name="ErrorLog" type="Elmah.ErrorLogModule, Elmah" preCondition="managedHandler" />
<add name="ErrorMail" type="Elmah.ErrorMailModule, Elmah" preCondition="managedHandler" />
<add name="ErrorFilter" type="Elmah.ErrorFilterModule, Elmah" preCondition="managedHandler" />
</modules>
In the ElmaHandleErrorAttribute this code:
public override void OnException(ExceptionContext context) {
base.OnException(context);
if (!context.ExceptionHandled
|| TryRaiseErrorSignal(context)
|| IsFiltered(context))
return;
LogException(context);
}
I have searched a lot, but no solution fits to my problem. No double entries in web.config or something like this.
It's no big problem, but it's annoying.
thx in advance
©a-x-i
I had the same problem with my setup, so I made a ExceptionLogger class. Then added a static field to it to keep a list of the exceptions it logged. Then when the onException event hapens it checks for the last exception logged to avoid logging duplicates.
public class ExceptionLogger
{
public static List<Exception> loggedExceptions = new List<Exception>();
public static void LogException(Exception e) {
...
public override void OnException(ExceptionContext context)
{
base.OnException(context);
var e = context.Exception;
if (!e.Equals(ExceptionLogger.loggedExceptions.Last()))
{
ExceptionLogger.LogException(e);
}
}
I wanted to create a custom membership provider for my asp.net mvc application, but the number of parameters in default CreateUser() method is not what I want. Because my User table is different, i want to pass my own parameters. Here is the code I used for UserCreate() Method :
public override MembershipUser CreateUser(string username,string family,string personcode, string password, string email, string passwordQuestion, string passwordAnswer, bool isApproved, object providerUserKey, out MembershipCreateStatus status)
{
//
}
and here the the error i got :
Error 2 MyMemberShipProvider.CreateUser(string, string, string, string, string, string, string, bool, object, out System.Web.Security.MembershipCreateStatus)': no suitable method found to override
A good approach is to use both the Membership Provider and the Profile provider.
The Membership provider will manage the creation of users, password validation, keeping track of who and when logs in to your app, etc.
The Profile provider allows you to manage multiple attributes for the user.
So, you will need to do the following:
Implement your own Membership provider.
See msdn.microsoft.com/en-us/library/f1kyba5e.aspx or msdn.microsoft.com/en-us/library/44w5aswa.aspx
Implement your Profile provider (or use an existing one).
See here msdn.microsoft.com/en-us/library/0580x1f5.aspx or msdn.microsoft.com/en-us/library/ta63b872.aspx
Implement a ProfileCommon class defining the attributes you want to use for your users.
Your Profile provider should know how to handle the ProfileCommon class.
For a ProfileCommon example I implemented the following for my custom MongoDB ASPNet Providers: github.com/agarcian/MongoDBASPNetProviders/blob/master/ASPNETProvidersForMongoDB/ProfileCommon.cs
Configure the WebConfig sections to define your custom implementations.
(See sample below)
The next examples are part of custom Membership, Role, and Profile providers I developed for MongoDB.
See https://github.com/agarcian/MongoDBASPNetProviders
Here is the configuration I use in my apps to utilize my custom membership provider.
<membership defaultProvider="MongoDBProvider" userIsOnlineTimeWindow="15">
<providers>
<clear />
<add
name="MongoDBProvider"
type="ASPNetProvidersForMongoDB.MongoDBMembershipProvider, ASPNetProvidersForMongoDB"
connectionStringName="MongoProvidersDBConnStr"
enablePasswordRetrieval="true"
enablePasswordReset="true"
requiresQuestionAndAnswer="false"
writeExceptionsToEventLog="true"
mongoProviderDatabaseName ="aspnetproviderdb"
mongoProviderUsersCollectionName="Users"
applicationName="WebUI4"
/>
</providers>
</membership>
<roleManager defaultProvider="MongoDBProvider" enabled="true">
<providers>
<clear />
<add applicationName="WebUI4"
name="MongoDBProvider"
type="ASPNetProvidersForMongoDB.MongoDBRolesProvider, ASPNetProvidersForMongoDB"
connectionStringName="MongoProvidersDBConnStr"
writeExceptionsToEventLog="true"
mongoProviderDatabaseName ="aspnetproviderdb"
mongoProviderUsersCollectionName="Roles"
/>
</providers>
</roleManager>
<profile defaultProvider="MongoDBProvider" inherits="MyCompany.Security.Profile.ProfileCommon">
<providers>
<add
applicationName="WebUI4"
name="MongoDBProvider"
type="ASPNetProvidersForMongoDB.MongoDBProfileProvider, ASPNetProvidersForMongoDB"
connectionStringName="MongoProvidersDBConnStr"
writeExceptionsToEventLog="true"
mongoProviderDatabaseName ="aspnetproviderdb"
mongoProviderUsersCollectionName="Profiles" />
</providers>
</profile>
I hope this helps.
Have a legacy application and from there, my MVC application is called.
I planned to use custom httpmodule [AuthenticationModule class inherites IHttpModule]. In Init, I hooked up BeginRequest and do my FormAuthenication stuff...
private void Application_BeginRequest(Object source, EventArgs e) {
// Do my own authetication and issue FormAuthentication Ticket
}
In web.config:
<system.webServer>
<validation validateIntegratedModeConfiguration="false"/>
<modules runAllManagedModulesForAllRequests="true">
<add name="AuthenticationModule" type="RealProperty.LegacySecurity.AuthenticationModule, RealProperty.LegacySecurity" preCondition="ManagedHandler"/>
</modules>
But my AuthenticationModule never got fire in debug...
(1) Can anyone explain why it isn't got called?
(2) Is it correct to do my authentication in BeginRequest?
Make sure you have both sections in your Web.config file:
<system.web>
<httpModules>
<add name="MyAuthenticationModule" type="Ns.To.MyAuthenticationModule, MyAssembly" />
</httpModules>
</system.web>
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
<add name="MyAuthenticationModule" type="Ns.To.MyAuthenticationModule, MyAssembly" />
</modules>
</system.webServer>