I have an MVC3 application that works in Visual Studio, but when published to the web server returns a 404 on Requested URL: /App/Account/LogOn. The problem is I never created an Account controller or the action LogOn. I'm not sure why Account/LogOn is even loading or how to fix it. Thanks.
My global.asax.cs file looks like this:
public class MvcApplication : NinjectHttpApplication
{
public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
//filters.Add(new HandleErrorAttribute());
}
public static void RegisterRoutes(RouteCollection routes)
{
routes.IgnoreRoute("{resource}.axd/{*pathInfo}");
routes.MapRoute(
"Default",
"{controller}/{action}/{id}",
new { controller = "Home", action = "Index", id = UrlParameter.Optional }
);
}
// Create ninject kernel
protected override IKernel CreateKernel()
{
var kernel = new StandardKernel();
// Add bindings
kernel.Bind<IEmployeeRepository>().To<EFEmployeeRepository>();
kernel.Bind<IDocumentRepository>().To<DocumentRepository>();
// Load kernel
kernel.Load(Assembly.GetExecutingAssembly());
return kernel;
}
// Replaces App_Start() when using Ninject
protected override void OnApplicationStarted()
{
base.OnApplicationStarted();
AreaRegistration.RegisterAllAreas();
RegisterGlobalFilters(GlobalFilters.Filters);
RegisterRoutes(RouteTable.Routes);
}
}
My best guess would be that this is coming from your web.config, as this is the default login page when you create a new MVC project. Its where you get redirected when you try to hit an action that has the [Authorize] attribute applied to it.
Check for a section that says:
<authentication mode="Forms">
<forms loginUrl="~/Account/LogOn" timeout="2880" />
</authentication>
If you have your own login page you need to at that URL here, otherwise, if you aren't using security, then check for actions that carry the [Authorize] attribute.
Related
I really can't understand why it does not work. I have the following code:
public static class WebApiConfig
{
public static void Register(HttpConfiguration config)
{
config.MapHttpAttributeRoutes();
config.Routes.MapHttpRoute(
name: "DefaultApi",
routeTemplate: "api/{controller}/{id}",
defaults: new { id = RouteParameter.Optional }
);
}
}
[RoutePrefix("api/Profile")]
[System.Web.Http.AuthorizeAttribute]
[IdentityBasicAuthenticationAttribute]
public class ProfileApiController : ApiController
{
[HttpPost]
[ValidateApiContentLength]
[ValidateApiMimeMultipart]
[Route("Upload")]
public async Task<HttpResponseMessage> UploadDocumentAsync(string description)
{
//....
}
}
}
but when I call: http://localhost:11015/api/profile/Upload
I get 404 error:
{
"Message": "No HTTP resource was found that matches the request URI 'http://localhost:11015/api/profile/Upload'.",
"MessageDetail": "No action was found on the controller 'ProfileApi' that matches the request."
}
but insight says about error:
what is incorrect?
WebApi routing can't find your UploadDocumentAsync method. In your application you're using both the routing table (in the WebApiConfig class) and attribute routing. You don't need the latter.
You can leave the routing table in the WebApiConfig class as is and drop the Route and RoutePrefix attributes.
Change your action UploadDocumentAsync in the Profile controller to:
...
[HttpPost]
public async Task<HttpResponseMessage> UploadUploadDocumentAsync(string description)
{
...
just leaving the HttpPost attribute.
You can reach your your resource by calling (you can do it via Fiddler, for exampe):
POST http://localhost:11015/api/profile/
UPDATE:
Or if you would really like to have the "upload" part in your url, you can utilize the Route attribute for the action:
[Route("api/profile/upload")]
I have found a solution. Problem was not in the routing. Problem was in parameter of action. It should not be there for POST method. Other things leave as is
[HttpPost]
[ValidateApiContentLength]
[ValidateApiMimeMultipart]
[Route("upload")]
public async Task<HttpResponseMessage> UploadDocumentAsync()
{
I have a WebApi 2 Application and I'm using simple injector and all is working ok.
But today I tried to use the [RoutePrefix] and [Route] attributes to resolve my routes on a particular controller and it seems that simple injector is not able to create an instance of my controller.
i'm getting this error
An error occurred when trying to create a controller of type
'NewController'. Make sure that the controller has a parameterless
public constructor. Type
'Public.API.Controllers.NewController' does not have a default
constructor
Stack trace:
at System.Web.Http.Dispatcher.DefaultHttpControllerActivator.Create(HttpRequestMessage request, HttpControllerDescriptor controllerDescriptor, Type controllerType)
at System.Web.Http.Controllers.HttpControllerDescriptor.CreateController(HttpRequestMessage request)
at System.Web.Http.Dispatcher.HttpControllerDispatcher.<SendAsync>d__1.MoveNext()
at System.Linq.Expressions.Expression.New(Type type)
at System.Web.Http.Internal.TypeActivator.Create[TBase](Type instanceType)
at System.Web.Http.Dispatcher.DefaultHttpControllerActivator.GetInstanceOrActivator(HttpRequestMessage request, Type controllerType, Func`1& activator)
at System.Web.Http.Dispatcher.DefaultHttpControllerActivator.Create(HttpRequestMessage request, HttpControllerDescriptor controllerDescriptor, Type controllerType)
my controller looks like this
[Authorize]
[RoutePrefix("api/New")]
public class NewController : ApiController
{
private IUserService userService;
public NewController(IUserService userService)
{
this.userService = userService;
}
[HttpPost]
[AllowAnonymous]
public async Task<IHttpActionResult> Register(ApiRegisterUserRequestModel model) {
return Content(HttpStatusCode.OK, "reponse");
}
[HttpPost]
[AllowAnonymous]
[Route("ForgotPasswordSendEmail")]
public async Task<IHttpActionResult> ForgotPasswordSendEmail(
[FromBody] ApiForgotPasswordRequestModel model)
{
var response = "cool";
return Content(HttpStatusCode.OK, response);
}
}
If I make a request to the Register action I get a response, but if I make a request to the ForgotPasswordSendEmail action then I get the error I mentioned above.
The simple injector configuration I have is the Basic setup mentioned here
https://simpleinjector.readthedocs.org/en/latest/webapiintegration.html
UPDATE
I'm using OWIN and JWT token authentication, and I have a global.asax and a startup file in my project and both were configured to use webapi.
These were my Startup class and Application_Start
//startup class
public class Startup
{
public void Configuration(IAppBuilder app)
{
SimpleInjectorWebApiInitializer.Initialize();
HttpConfiguration httpConfig = new HttpConfiguration();
ConfigureOAuthTokenGeneration(app);
ConfigureOAuthTokenConsumption(app);
WebApiConfig.Register(httpConfig);
app.UseWebApi(httpConfig);
}
}
//Application_Start
protected void Application_Start()
{
AreaRegistration.RegisterAllAreas();
GlobalConfiguration.Configure(WebApiConfig.Register);
FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
RouteConfig.RegisterRoutes(RouteTable.Routes);
BundleConfig.RegisterBundles(BundleTable.Bundles);
SimpleInjector.Configure();
SimpleInjectorWebApiInitializer.Initialize();
}
I removed all of the api configuration from the startup and left if like this
public class Startup
{
public void Configuration(IAppBuilder app)
{
ConfigureOAuthTokenGeneration(app);
ConfigureOAuthTokenConsumption(app);
}
}
and it started to work.
now, why wasn't it working using the [Route] attribute and without it all was fine? it's a mystery to me.
I've been trying to reproduce this issue, but with no success. You typically get the "Make sure that the controller has a parameterless public constructor" error in case the registered IDependencyResolver.GetService returns null and the requested type does not have a default constructor.
If you, as you said, follow Simple Injector's configuration guidance, the SimpleInjectorWebApiDependencyResolver will not return null, but will either return a valid controller instance -or- will throw an expressive exception. The default guidance states that you at least do the following:
container.RegisterWebApiControllers(GlobalConfiguration.Configuration);
container.Verify();
GlobalConfiguration.Configuration.DependencyResolver =
new SimpleInjectorWebApiDependencyResolver(container);
If you use this code, it's very unlikely that you get this "Make sure that the controller has a parameterless public constructor" error. Especially in the situation where the controller can be resolved when called using one action, while it fails to initialize during another.
So please check the following:
You are using the code as shown above.
Are you sure that api/New/Register call actually goes through the NewController. You can set a break point in its constructor and the Register method.
The NewController can actually be resolved correctly when manually calling container.GetInstance<NewController>().
I'm trying to implement an Authentication Provider for my WebApi Services.
Im using this guide: http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/
For testing purpose i've implemented two controllers in a separate webapi-project:
public class TestApiController : ApiController
{
[Authorize]
public string Get()
{
return "Secure";
}
public string Get(int id)
{
return "Not Secure";
}
}
public class TestODataController : ODataController
{
[Authorize]
[EnableQuery]
public HttpResponseMessage Get()
{
return new HttpResponseMessage(HttpStatusCode.OK);
}
}
My Goal is to use the Odata Controller in the end.
When I call localhost:Port/api/TestApi and set the Bearer Token in the Header, everythings works fine. When i do the call localhost:Port/odata/TestOData and add the token i receive the Message :
Authorization has been denied for this request.
It doesn't matter if i set the token in header or not. If i remove the Authorize Attribute everything works fine.
I'm using Postman to call the methods, if this is of any interest.
At the moment i'm using iis-express from visual studio to host the controllers, but iis is alread configured but produces the same message.
My Startup.cs (the interesting part...)
public void Configuration(IAppBuilder app)
{
var config = new HttpConfiguration();
ConfigureOAuth(app);
FilterConfig.Register(config);
ODataConfig.Register(config);
WebApiConfig.Register(config);
app.UseCors(CorsOptions.AllowAll);
app.UseWebApi(config);
}
public void ConfigureOAuth(IAppBuilder app)
{
//Token consumption
app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
{});
}
OData and WebConfig :
public class ODataConfig
{
public static void Register(HttpConfiguration config)
{
ODataConventionModelBuilder modelBuilder = new ODataConventionModelBuilder();
modelBuilder.EntitySet<MyModel>("MyModel");
var conventions = ODataRoutingConventions.CreateDefault();
var route = config.Routes.MapODataRouteFixed(
routeName: "ODataRoute",
routePrefix: "odata",
model: modelBuilder.GetEdmModel(),
conventions: conventions) as Route;
}
}
public static class WebApiConfig
{
public static void Register(HttpConfiguration config)
{
config.MapHttpAttributeRoutes();
config.Routes.MapHttpRoute(
name: "DefaultApi",
routeTemplate: "api/{controller}/{id}",
defaults: new { id = RouteParameter.Optional }
);
config.Formatters.JsonFormatter.SerializerSettings.ContractResolver = new CamelCasePropertyNamesContractResolver();
}
}
The Account-Controller to add new user is in another project. The database looks good and the token generation works, too. It's almost the same code as the example from bitoftech-demo.
I don't see the difference betweens these controllers. The Auhtorize attribute is recognized by the controller...but something else is wrong.
Any hints would be appreciated.
Update
After some research and the first answers i updated my startup values. The old options are only necessary for token generation and not token consumption. But still api controllers works and OdataController throws "Authorization denied".
Update2
It worked now. But i'm not quite sure why. I removed everything from my FilterConfig :
public class FilterConfig
{
public static void Register(HttpConfiguration config)
{
//config.SuppressDefaultHostAuthentication();
//config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
}
}
But i have no idea why it was working before with the api controller and not with the odata controller...
If you use one project for getting the token and another for webApi, both must have the same machine key in web.config.
In the next post of the same serial that you are following explains how to do it: Decouple OWIN Authorization Server from Resource Server
Example:
<system.web>
...
<machineKey validationKey="57B449BBA8F9E656087FF7848727E122C5F5966F65AC0FC25FB3532193B59CFCD13B370883FFC184C1F1500638F33E6F67B37CAED1D9BC65BBC6CFFB232BFD0B" decryptionKey="6D9FBE88D16B3FA5B5E6B37460BBE50DA85D5B4C482159006B5A337C58AA9E79" validation="SHA1" decryption="AES" />
...
</system.web>
Why you are using app.UseCookieAuthentication(new CookieAuthenticationOptions()); and app.UseOAuthAuthorizationServer(OAuthOptions); on the same time, I guess this is only API project with no MVC, right?
Remove the app.UseOAuthAuthorizationServer(OAuthOptions); and try again.
What is the value in response header (WWW-Authenticate) when you receive 401? Bearer or something else?
I had the similar problem and found this answer posted on Telerik web site and it worked for me. It required setting the dataType to "json".
transport: {
type: "odata",
read: {
url: "http://........",
dataType: "json",
beforeSend: function (xhr) {
var auth = 'Bearer ' + token;
xhr.setRequestHeader('Authorization', auth);
}
},
},
This is the url:
http://www.telerik.com/forums/odata-not-working-with-custom-authorization-header
On my MVC application I decorated some of the methods of my controller with this:
[PrincipalPermission(SecurityAction.Demand, Role = "Administrator")]
public ActionResult Create(FormCollection collection)
{
try {
...
}
catch {
return View();
}
}
And indeed if I am not logged in or not with the correct role an exception is thrown by the MVC application. The problem is I am not getting the application redirected to an error page.
I tried creating a base controller like this:
[HandleError]
public class BaseController : Controller
{
protected override void OnException(ExceptionContext filterContext)
{
// Make use of the exception later
this.Session["ErrorException"] = filterContext.Exception;
// Mark exception as handled
filterContext.ExceptionHandled = true;
// ... logging, etc
// Redirect
filterContext.Result = this.RedirectToAction("Error", "Home");
base.OnException(filterContext);
}
}
And then adding the Error view in the Home controller as well as the actual View. The problem is that when I try this in Visual Studio I first get an exception upon entering the protected action method:
SecurityException was unhandled by the application
and then I have to do Debug|Continue and only then I am redirected to the the Error view but that is unacceptable in a production application because it should go straight to the Error view.
Just wondering why you are not just using standard AuthorizeAttribute. Pretty sure it would do that same thing and just work?
E.g.
[Authorize(Roles="Administrator")]
public ActionResult Create(FormCollection collection)
Article on general MVC security here.
http://www.codeproject.com/Articles/288631/Secure-ASP-NET-MVC3-applications
Like the question says, I wanted to know if it's possible to turn off caching on all controllers and actions for my entire site. Thanks!
Create a Global Action Filter and override OnResultExecuting():
public class DisableCache : ActionFilterAttribute
{
public override void OnResultExecuting(ResultExecutingContext filterContext)
{
filterContext.HttpContext.Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));
filterContext.HttpContext.Response.Cache.SetValidUntilExpires(false);
filterContext.HttpContext.Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
filterContext.HttpContext.Response.Cache.SetCacheability(HttpCacheability.NoCache);
filterContext.HttpContext.Response.Cache.SetNoStore();
}
}
And then register this in your global.asax, like so:
public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
filters.Add(new DisableCache());
}
In summation, what this does is create a Global Action Filter so that implicitly this will be applied to all Controllers and all Actions.
You should add this method to your Global.asax.cs file
protected void Application_BeginRequest(object sender, EventArgs e)
{
Response.AddHeader("Cache-Control", "no-cache, no-store, must-revalidate");
Response.AddHeader("Pragma", "no-cache"); // HTTP 1.0.
Response.AddHeader("Expires", "0"); // Proxies.
}
This disables cache on every request (images, html, js etc.).
Yes, depending on the approach you take.
I like applying the actions to a base controller (hence my reply there). You could implement the filter at the link below and implement it as a global filter as well (registered in your global.asax.cs)
Disable browser cache for entire ASP.NET website
In web.config you can add additional headers to go out with every response
<configuration>
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Cache-control" value="no-cache"/>
</customHeaders>
</httpProtocol>
</system.webServer>
</configuration>