I'm using the Thinktecture.IdentityModel nuget package to enable CORS for WebAPI controllers in an MVC Web Application. At the moment, I'm only worried about POSTs but let me know about any problems with other verbs. This works when running through the IIS Express server.
When dealing with the AppHarbor deployment, it doesn't work. nginx doesn't seem to pass through the OPTIONS request to my code. What else is needed to get it running on AppHarbor?
Request
OPTIONS $path HTTP/1.1
Host: $servername
Connection: keep-alive
Access-Control-Request-Method: POST
Origin: http://www.local
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.56 Safari/537.17
Access-Control-Request-Headers: accept, origin, content-type
Accept: /
Referer: http://www.local/wordpress/2013/01/request-url-test/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en;q=0.8,en-US;q=0.6
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 30 Jan 2013 02:34:14 GMT
Content-Length: 0
Connection: keep-alive
Allow: OPTIONS, TRACE, GET, HEAD, POST
Public: OPTIONS, TRACE, GET, HEAD, POST
My web.config is set up with the following default handlers:
<handlers>
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" />
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<add name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" />
<add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>
Is WebDAV to blame?
After the suggestion of Jeffery To, I disabled WebDAV by following these instructions. Didn't even know WebDAV was installed on AH, but doing this did change my results.
Relevant Web.config sections
<handlers>
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" />
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<remove name="WebDAV" />
<add name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" />
<add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>
<modules runAllManagedModulesForAllRequests="true">
<remove name="WebDAVModule"/>
<remove name="AspNetAppHarborIntegration" />
<add name="AspNetAppHarborIntegration" type="Premotion.AspNet.AppHarbor.Integration.AppHarborModule, Premotion.AspNet.AppHarbor.Integration" />
</modules>
Request
OPTIONS $path HTTP/1.1
Host: $servername
Connection: keep-alive
Access-Control-Request-Method: POST
Origin: http://www.local
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.17 (KHTML, like Gecko) Chrome/24.0.1312.57 Safari/537.17
Access-Control-Request-Headers: accept, origin, content-type
Accept: /
Referer: http://www.local/wordpress/2013/01/request-url-test/
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-GB,en;q=0.8,en-US;q=0.6
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Response
HTTP/1.1 405 Method Not Allowed
Server: nginx
Date: Mon, 04 Feb 2013 17:09:19 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 76
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
Expires: -1
WebDAV was to blame for the initial problem of not getting the full CORS headers in the response. The 405 error was a problem somewhere in the configuration of my app.
After some digging into the internals, it appears that the CORSMessageHandler for use with WebAPI (provided by Thinktecture) wasn't correctly identifying preflight requests and those requests were routed through to the WebAPI object itself.
I worked-around the issue by moving to the IIS module instead of the WebAPI one. This may make life more difficult in the future, but at least it works.
I might be missing something here, but based on the example response you've included it seems like the OPTIONS method is actually sent to your application - the Allow and Public headers are included in the response.
Related
We host an API that needs PUT/DELETE verbs to interact and this thing keeps coming up.
At first i figured out I need to ditch webdav to fix the 405 error and went for the solutions described here: "405 method not allowed" in IIS7.5 for "PUT" method
I removed handler, module and edited web.config
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
<remove name="WebDAVModule" />
<remove name="WebDAV" />
<remove name="BundleModule" />
<add name="BundleModule" type="System.Web.Optimization.BundleModule" />
<remove name="TelemetryCorrelationHttpModule" />
<add name="TelemetryCorrelationHttpModule" type="Microsoft.AspNet.TelemetryCorrelation.TelemetryCorrelationHttpModule, Microsoft.AspNet.TelemetryCorrelation" preCondition="integratedMode,managedHandler" />
<remove name="ApplicationInsightsWebTracking" />
<add name="ApplicationInsightsWebTracking" type="Microsoft.ApplicationInsights.Web.ApplicationInsightsHttpModule, Microsoft.AI.Web" preCondition="managedHandler" />
</modules>
<validation validateIntegratedModeConfiguration="false" />
<handlers>
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<remove name="OPTIONSVerbHandler" />
<remove name="TRACEVerbHandler" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>
</system.webServer>
Now the tricky part: I removed webDav with the add/remove Feature and completly deinstalled it and thats it for the day.
But when I login the server and test the verbs on the next day, the error is back and the feature is back installed on the server. I checked the log files for reboots and updates and found nothing peculiar.
Has anyone any idea what I am doing wrong? Any hints are much apprecicated.
I'm trying to get a fellow developer's app working on my machine. Solution is built in VS 2015 using Web API and I'm running it using 64-bit IIS Express. Every request is returning 500.0 errors. Request tracing log says this about it:
1517. -MODULE_SET_RESPONSE_ERROR_STATUS
ModuleName ManagedPipelineHandler
Notification EXECUTE_REQUEST_HANDLER
HttpStatus 500
HttpReason Internal Server Error
HttpSubStatus 0
ErrorCode Recursion too deep; the stack overflowed. (0x800703e9)
ConfigExceptionInfo
The relevant config section looks like this:
<system.webServer>
<handlers>
<remove name="OPTIONS" />
<remove name="OPTIONSVerbHandler" />
<remove name="TRACEVerbHandler" />
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" />
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
<add name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" path="*" verb="*" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" />
<add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*" verb="*" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*" verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>
</system.webServer>
Other possibly relevant facts:
The machine hasn't been used for web hosting before, but I've been doing a lot of VS2013 development and only installed 2015 last week to run this project.
The project does contain some C# 6.0 features, namely the new string interpolation goodies.
How would I even begin to debug this? I'm getting zero relevant hits on Google.
Change path="*" to path="*." in each of the handlers you have listed.
<add name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" path="*." verb="*" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" />
<add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*." verb="*" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
I believe there is a way to use path="" but I haven't figured out what it is. I just ran across this question because I was trying to use path="" and that's when the "recursion too deep..." error was thrown.
I had the exact same issue when migrating my projects to VS2017 (Was working in VS2010) and managed to resolve this by following the recommendation from another post:
https://stackoverflow.com/a/29370225
So the issue is that the IISExpress uses a different handler name (without the "Handler" postfix) from IIS, so you will need to add the following removal scripts to the web.config instead:
<!--Handler in IIS-->
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit"/>
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit"/>
<remove name="ExtensionlessUrlHandler-Integrated-4.0"/>
<!--Handler in IISExpress-->
<remove name="ExtensionlessUrl-ISAPI-4.0_32bit" />
<remove name="ExtensionlessUrl-Integrated-4.0" />
Hopefully this helps.
I'm getting an inconsistent preflight HTTP Options request from my single page app. This only happens randomly sometimes and the only way I ameliorate the issue is by pressing F5 and things are good for a while until I kind of go "idle" for a little bit.
When it happens my Chrome Network Tab looks like this:
When my
https://webui.myapp.com (AngularJS 1.1.5)
https://api.myapp.com (ASP.NET Web Api .NET v4.5 on IIS 7)
My infrastructure breakdown
AngularJS Application
ASP.NET Web Api
Visual Studio 2012
IIS 7.5
Windows 7
I've read a few articles and my web.config's system.webServer looks like this:
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<modules runAllManagedModulesForAllRequests="false">
<remove name="WebDAVModule" />
</modules>
<handlers>
<remove name="WebDAV" />
<remove name="OPTIONSVerbHandler"/>
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" />
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<add name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" />
<add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Max-Age" value="1728000"/>
</customHeaders>
</httpProtocol>
</system.webServer>
I am working on .Net Web API which is working fine in debug as well as on localhost IIS but when i publish this to server it starts giving following error :-
"Message": "No HTTP resource was found that matches the request URI
On server, we have application folder under default site for this API, but it's working fine in application folder under local IIS's default site so that should not be the problem.
Now i tried setting proper verb in handler as specified in following url but didn't work:
HTTP 404 Page Not Found in Web Api hosted in IIS 7.5
Also i have MVC4 installed on server as suggested on following url:
.NET Web Api - 404 - File or directory not found
Also WebDav module, handler may give error so i also tried removing it but it's giving same error.
Here is the Web.config section for module, handler settings :-
<modules runAllManagedModulesForAllRequests="true" />
<validation validateIntegratedModeConfiguration="false" />
<handlers>
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" />
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<add name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" path="*." verb="*" modules="IsapiModule"
scriptProcessor="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll"
preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" />
<add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*." verb="*" modules="IsapiModule"
scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll"
preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>
I am not playing with routes anywhere. Am i missing something regarding settings/configuration in web.config or server IIS ?
This works for me:
<remove name="WebDAV"/>
I don't know why it is installed on the server. But this seems to have interference with extensionless handlers
From IIS (http://www.iis.net/learn/install/installing-publishing-technologies/installing-and-configuring-webdav-on-iis):
Microsoft released a new WebDAV extension module that was completely
rewritten for Internet Information Services (IIS) 7 and above on
Windows ServerĀ® 2008. This new WebDAV extension module incorporated
many new features that enable Web authors to publish content better
than before, and offers Web administrators more security and
configuration options. Microsoft has released an update to the WebDAV
extension module for Windows ServerĀ® 2008 that provides shared and
exclusive locks support to prevent lost updates due to overwrites.
Another potential reason for this is if the
GlobalConfiguration.Configure(WebApiConfig.Register);
is after
RouteConfig.RegisterRoutes(RouteTable.Routes);
in global.asax.cs
It needs to be before, otherwise the default RouteConfig route 'eats' the WebAPI route - and attempts to map API requests to a controller called API...
Change to:
<validation validateIntegratedModeConfiguration="false" />
<modules>
<remove name="WebDAVModule"/>
</modules>
<handlers>
<remove name="WebDAV"/>
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" />
<remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<add name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" />
<add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>
I am using IIS URLRewrite to add the HttpOnly option to all outgoing requests, except it is not add this for requests to for example my ./images/ folder where a cookie is set.
Result: Set-Cookie: ASPSESSIONIDQECSBATA=KGBFCMFABKMKPHBLFJHPNEJN; secure; path=/
My outbound rule:
<outboundRules>
<rule name="Add HttpOnly" preCondition="No HttpOnly">
<match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
<action type="Rewrite" value="{R:0}; HttpOnly" />
<conditions>
</conditions>
</rule>
<preConditions>
<preCondition name="No HttpOnly">
<add input="{RESPONSE_Set_Cookie}" pattern="." />
<add input="{RESPONSE_Set_Cookie}" pattern="; HttpOnly" negate="true" />
</preCondition>
</preConditions>
How do I get the HttpOnly flag added to the cookie being set for my images folder?
Put the outbound rule at the server level. This will go in the applicationHost.config and apply it to all sites on that server.