I am making an Ajax DELETE request (from another server) to my ASP.NET Web API. I can see that the OPTIONS request was logged in IIS and also captured by Wireshark. But just after that, DELETE is not captured. I have enabled 'All Verbs' in Request Filtering and restarted IIS too. Is there any reason why this happens? In my client, I am always getting 403 Access Denied as the response to the DELETE request, while OPTIONS, like I said, is 200 OK.
I set up CORS in Azure Storage (URL, for example: www.abc.com, GET, *, *, 200).
Then I just copy the link from storage
https://demo.blob.core.windows.net/demo/demo.png
and use it in Postman or on localhost (web), but it can still display pictures. Is that normal?
I suppose Postman and a localhost website will not be able to get images once CORS is set up for Azure Storage.
CORS prevents cross-domain requests that are usually sent by AJAX requests. If such a request is sent from your browser, it will perform a preflight request to see if your current domain is allowed to make such a request. As an example, it would prevent this site from sending a POST request in the background to api.<yourbank>.com to transfer money.
It won't stop anybody from embedding an image or other file on their website, as the browser won't perform such a preflight request unless they call the resource through an AJAX request. Likewise, Postman won't do that, as it's a testing tool where you explicitly define the request you want to send without being on another 'domain'.
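An added example (not part of the original answer): a simplified JavaScript model of the browser-side decision described above, which also covers the OPTIONS-before-DELETE sequence from the first question. The function names and the example.test hosts are assumptions made for illustration, and the model ignores credentials, header length limits and redirects.

```javascript
// Added example: simplified model of a browser's CORS decisions (Fetch standard).
// Not modelled: credentials, header value length limits, Range, redirects.
const SIMPLE_METHODS = ["GET", "HEAD", "POST"];
const SAFE_HEADERS = ["accept", "accept-language", "content-language", "content-type"];
const SIMPLE_TYPES = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];

// Header names (lowercased) that make a scripted cross-origin request non-simple.
function unsafeHeaders(headers = {}) {
  return Object.entries(headers)
    .filter(([name, value]) => {
      const n = name.toLowerCase();
      if (!SAFE_HEADERS.includes(n)) return true;
      const mime = String(value).split(";")[0].trim().toLowerCase();
      return n === "content-type" && !SIMPLE_TYPES.includes(mime);
    })
    .map(([name]) => name.toLowerCase());
}

// req: { pageUrl, targetUrl, method, headers, viaScript, inBrowser }
// viaScript is true for fetch()/XMLHttpRequest and false for <img src>, <script src>.
function classify(req) {
  if (req.inBrowser === false) return "not-a-browser"; // Postman, curl: no CORS checks
  if (new URL(req.pageUrl).origin === new URL(req.targetUrl).origin) return "same-origin";
  if (!req.viaScript) return "embed-no-preflight"; // the image still loads
  const simple = SIMPLE_METHODS.includes(req.method.toUpperCase()) &&
                 unsafeHeaders(req.headers).length === 0;
  return simple ? "simple-cors" : "preflight";
}

// True when the preflight (OPTIONS) response lets the browser send the real request.
// resp: { status, headers } with lowercase header names.
function preflightAllows(resp, req) {
  const list = (h) => (resp.headers[h] || "").split(",").map((s) => s.trim().toLowerCase());
  const allowOrigin = resp.headers["access-control-allow-origin"];
  if (resp.status < 200 || resp.status > 299) return false;
  if (allowOrigin !== "*" && allowOrigin !== new URL(req.pageUrl).origin) return false;
  const methods = list("access-control-allow-methods");
  if (!SIMPLE_METHODS.includes(req.method.toUpperCase()) &&
      !methods.includes(req.method.toLowerCase()) && !methods.includes("*")) return false;
  const allowed = list("access-control-allow-headers");
  return unsafeHeaders(req.headers).every(
    (h) => allowed.includes(h) || (allowed.includes("*") && h !== "authorization"));
}

// Constructed sample: a scripted cross-origin DELETE is preflighted first.
const sampleDelete = { pageUrl: "https://app.example.test/", viaScript: true,
  targetUrl: "https://api.example.test/items/1", method: "DELETE" };
console.log(classify(sampleDelete)); // preflight
```

When `preflightAllows` returns false, the browser never puts the DELETE on the wire, so only the OPTIONS request shows up in server logs and packet captures.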
I'm implementing a WebDAV server. I have everything working fine for anonymous access, but now I want to require authentication.
When a user clicks on a link to open the Word document (I'm using the ms-word: protocol), Word sends a couple of HTTP OPTIONS requests, first with an empty Bearer value in the Authorization header, to which the server responds with a WWW-Authenticate header, and everything is working correctly (after the user authenticates with Word, Word sends a follow-up HTTP OPTIONS request with a token value in the header).
However, when Word requests the file itself (using HTTP GET), there is no Authorization header. I've tried having the server respond with a 401 status, but when it does, Word simply gives up and informs the user the file can't be opened.
What's even more troubling is that, from what I can tell, Word sends the GET and OPTIONS requests in parallel, so at the time it sends the GET request, it has no idea that it will be authenticating with the OPTIONS request.
Not sure if this will always be the answer to the issues I described above, but I think it's a combination of problems I was running into. Here are the basics of how I got around the issues I was having.
Delete the Office WebDAV cache. Office caches information about WebDAV servers pretty aggressively. The cache is found in the registry at this location: Computer\HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\X\Common\Internet\Server Cache where X is the current version of Office you have installed. Delete all subkeys that have your server's URL.
Do not use localhost or 127.0.0.1 for your WebDAV. Office seems to behave differently if it knows that your server is local. This may mean needing to add entries into your hosts file to "trick" it into thinking your site is on a remote server.
If using some sort of federated auth (Azure AD, Google, Facebook, etc.) and you are using bearer tokens, Office needs to be told where to go to authenticate. This is done by responding to non-authenticated requests with a 401 status and the WWW-Authenticate header value being set to something like this (I can confirm this works for Azure AD):
Bearer authorization_uri="https://login.microsoftonline.com/[Tenant ID]/oauth2/authorize",trusted_issuers="https://login.microsoftonline.com/*/",client_id="[Azure AD App Client ID]"
Even with the client ID set, it seems like the Application ID URI in the app registration needs to match the server's base URL (protocol + host + port).
Hi, I have a question about Azure Mobile Apps.
Can I inspect an HTTP request, including its headers, body and URL parameters, in Azure Mobile Apps when troubleshooting?
If yes, how can I do that?
For example, let me assume that a client sends an HTTP request to Azure Mobile Apps, and the response is bad request (status code 400).
Then I would like to figure out the cause.
First of all, I set [Diagnostics log] - [Web server logging] to Storage in portal.azure.com, and checked the IIS log.
But there is no header or body info for the HTTP request.
So I did not find out the cause from that log.
Finally, the problem was solved with client logs by taking a Fiddler trace, and the cause was wrong info in the body of the HTTP request.
Above all, by taking a Fiddler log on the client side, I was able to solve the problem, but I would like to know if there is a way to inspect the HTTP request's headers, body and URL parameters on the Azure Mobile Apps side.
You can log the inbound query on the client or server side, or use something like Fiddler. For the server side, just use regular methods for Node.js or ASP.NET - nothing special is needed. For the client side, I documented the process for all platforms on my blog. Although the documentation is for adjusting the HTTP request, it's the same recipe for logging.
We are implementing CA SiteMinder on an external server for single sign-on.
We did all the necessary configuration on our server as well as on the policy server.
When I hit my URL, the request gets intercepted by the ISAPI filter and SiteMinder replaces it with the login page. Then I enter credentials and click log in.
This request goes to the policy server, and after authenticating, SiteMinder redirects me to the original URL that I hit earlier, but somehow I am not getting the SMSESSION cookie.
I checked the FRT log and found that the cookie is there in the request header, which means SiteMinder is able to generate and pass the cookie to the request, but it is not set in the response header, so it's getting removed from the response.
I tried to find out why it's getting removed or why the response is not setting the SMSESSION cookie, but was not able to find any reason.
I am using Integrated pipeline mode, and the same setup is working fine with Classic mode, but since my application is MVC I can't use that and I have to use Integrated mode.
The SMSESSION cookie is not provided to the application from SiteMinder. It is initialized in the client browser after login and should be included when the authenticated request arrives back at your application.
I suggest monitoring the client side to ensure the SMSESSION is received after login and sent back out in the application request.
I have a WCF Data Service hosted in Azure as an Azure Web Role. I have added an HTTP module for authentication. The custom HTTP module looks at the Authorization header in the request headers and authenticates the user.
When I make an HTTP request to the WCF Data Service, I run into two issues. There is an HTTP redirect happening.
I make the request to http:\northwindsample.cloudapp.net\SampleService.svc. The message I get is "There is no operation listening for http://rd00155d341b52/SampleService.svc, but there is an operation listening for http://northwindsample.cloudapp.net/SampleService.svc/, so you are being redirected there."
Though I am making the request to http:\northwindsample.cloudapp.net\SampleService.svc, it is somehow going to http://rd00155d341b52/SampleService.svc and then gets redirected to the actual service. I get an HTTP 307, and in the redirect the Authorization header is missing.
Later I found that when I add the trailing slash, there is no redirect happening.
How can I prevent this redirection caused by the missing trailing slash? Also, the issue is that the Authorization header is not sent to the redirected URI.
Thanks
Take a look at this:
http://gavinmckay.wordpress.com/2009/03/24/howto-fix-wcf-host-name-on-iis/
For updating this in Azure, you will want to either create a startup task or use the IIS management APIs like is used here:
http://blogs.msdn.com/b/tom/archive/2011/02/18/installing-and-using-an-httpmodule-in-windows-azure.aspx