I need to capture a user's domain\username when they access my webapi app. On my dev machine I have my webapi at localhost:10570 and my angularjs website which makes calls to the webservice at localhost:34575.
If I make a call directly to my webapi app everything works fine. I can see the users domain and username and the service returns the requested data as JSON. But if I access my angularjs site and angular makes the call to webapi then I get 401 unauthorized for every call against the service.
In my WebApi app's web.config I have:
<system.web>
<compilation debug="true" targetFramework="4.5.2" />
<httpRuntime targetFramework="4.5.2" />
<authentication mode="Windows" />
</system.web>
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="http://localhost:34575" />
<add name="Access-Control-Allow-Methods" value="POST, PUT, DELETE, GET, OPTIONS" />
<add name="Access-Control-Allow-Headers" value="content-Type, accept, origin, X-Requested-With, Authorization, name" />
<add name="Access-Control-Allow-Credentials" value="true" />
</customHeaders>
</system.webServer>
I have this in IIS Express for Visual Studio 2015's applicationhost.config file:
<location path="MyNamespace.WebAPI">
<system.webServer>
<security>
<authentication>
<windowsAuthentication enabled="true" />
<anonymousAuthentication enabled="false" />
</authentication>
</security>
</system.webServer>
</location>
My angularjs site is part of the same solution at "MyNamespace.Client".
Why does accessing the web service directly work fine, but accessing it via the angular app fail?
I didn't realize you have to tell Angular to send your credentials to the server. I just had to change my API calls from:
$http.get(url);
to
$http.get(url, { withCredentials: true });
Related
I have a website and api hosted on IIS 8.5 and lately users of the site are getting the following console error when attempting to POST data to the api when using Microsoft Edge:
HTTP401: DENIED - The requested resource requires user authentication.
(XHR)OPTIONS - http://my-local-address/api/customers/approval/post
Note: Users are authenticated by using Windows Authentication.
This occurs spontaneously and to get around the issue the users are forced to do a hard refresh (Ctrl + F5) on MS Edge and then they can continue with their process. Could there be a setting on IIS that's releasing the user authentication after a period of time?
I've listed my attempts to resolve the issue below:
I've got my organisation to add in a trusted policy for my local web address.
Changed the providers of the API. Moved NTLM above Negotiate.
Removed Negotiate based on this stackoverflow post Windows authentication failing in IIS 7.5.
Try and catch the error from the POST request but I'm returning null every time.
Configured CORS to allow for cross origin.
NB: I'm using angularjs for my front end and ASP.NET Web API 2 for the API.
The following code snippet details how the Web Api is configured:
WebApiConfig.cs
var cors = new EnableCorsAttribute("*", "*", "*") { SupportsCredentials = true };
config.EnableCors(cors);
Web.config
<system.web>
<identity impersonate="true" />
<compilation debug="true" targetFramework="4.5.1">
<assemblies>
<add assembly="System.Data.Entity, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
</assemblies>
</compilation>
<httpRuntime targetFramework="4.5.2" />
</system.web>
<system.webServer>
<validation validateIntegratedModeConfiguration="false" />
<handlers>
<remove name="ExtensionlessUrlHandler-Integrated-4.0" />
<remove name="TRACEVerbHandler" />
<remove name="OPTIONSVerbHandler" />
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>
</system.webServer>
Angular module config using $httpProvider to supply $http requests with credentials
$httpProvider.defaults.withCredentials = true;
I'm trying to develop a braintree payment gateway (transparent redirect) on my dotnetnuke website and while I was developing on development site with http development everything worked. When i put my code in the production website with https, i have this error on my chrome console and not works!
After some search i put this on my web.config:
<httpProtocol>
<customHeaders>
<remove name="X-Powered-By" />
<add name="Access-Control-Allow-Origin" value="*" />
<add name="Access-Control-Allow-Headers" value="Content-Type" />
<add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
</customHeaders>
</httpProtocol>
And my payment still works and a receive the transparent url:
<--urlbase-->?http_status=200&id=xxx&kind=create_transaction&hash=xxx
But when execute:
Result<Transaction> chargeResult = this.BraintreeGateway().TransparentRedirect.ConfirmTransaction(this.Request.Url.Query);
Nothing happens! I don't have errors in the event viewer!
I am using an API call in cross domain where In chrome I am getting this response . I have all the headers included in my REST API in other domain .
<add name="Access-Control-Allow-Origin" value="*"/>
<add name="X-Content-Type-Options" value="nosniff"/>
<add name="X-XSS-Protection" value="1;"/>
<remove name="X-Powered-By"/>
<add name="Access-Control-Allow-Headers" value="Origin, X-Requested-With, Content-Type, Accept"/>
<add name="Access-Control-Allow-Methods" value="POST,GET"/>
And this is my API Call from angular .
$scope.XYZ=customURLWithoutArray.save({
controller:"XYZController",
actionName:"ABCACTIONNAME",
UserId: "VC"
},
function($success){
return $success;
},function($error){
return $error;
});
It is able to hit the controller but data is null.
As you might already know, a preflight request sends a HTTP OPTIONS request.
In your configuration (I assume its some IIS server?) you have this:
<add name="Access-Control-Allow-Methods" value="POST,GET"/>
Which means you're not allowing OPTIONS.
So try modifying it to this:
<add name="Access-Control-Allow-Methods" value="POST,GET,OPTIONS/>
More information on configuring IIS for CORS:
https://stackoverflow.com/a/31084417/6139050
I have an AngularJS application that I am trying to use an AJAX request to pull in a static file from a ASP.NET WebApi2 application running on IIS 8.5. Similar to the example below-
ng-include="http://server/Content/icon.svg"
If I navigate to that URL in the browser, IIS happily serves that file as a static file. However, when I use an AJAX request, Angular attempts an OPTIONS request first, since it is CORS request, and IIS throws a 405 Method Not Allowed.
I have tried adding these headers to the static Content folder in the web site-
However this made no difference. Also, the IIS server does not have WebDAV installed, which is a thing I have seen around as something that could cause issues.
I had an IIS site with a virtual directory from which I serve my static files.
In order to do CORS from the browser, what I did was configuring the "En tetes de réponses HTTP" of the site, which in english should be something like "HTTP Response Headers".
There I added a new header named "Access-Control-Allow-Origin" with value "*".
From this moment, I can use static files in XHR.
My actual problem was serving OpenStreetMap tiles to a file:///c/xxx/index.html and the error in chrome was
Image from origin 'http://myhost' has been blocked from loading by Cross-Origin Resource Sharing policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access.
This works for me for accessing .png files in a subdirectory under forms authentication. You should be able to change the extension.
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.web>
<authorization>
<deny users="?" />
</authorization>
</system.web>
<system.webServer>
<staticContent>
<mimeMap fileExtension=".*" mimeType="image/png" />
</staticContent>
<handlers>
<clear />
<add name="StaticFile" path="*" verb="*" type="" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" scriptProcessor="" resourceType="Either" requireAccess="Read" allowPathInfo="false" preCondition="" responseBufferLimit="4194304" />
</handlers>
</system.webServer>
</configuration>
What if you add the OPTIONS as a verb for the Access-Control-Allow-Methods As answered in this question.
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Origin" value="*" />
<add name="Access-Control-Allow-Methods" value="GET,PUT,POST,DELETE,OPTIONS" />
<add name="Access-Control-Allow-Headers" value="Content-Type" />
</customHeaders>
</httpProtocol>
</system.webServer>
If you want to serve static files to the public internet without any authorization you can set your CORS polity to:
Allow GET request
From any Origin
Allow all request Headers
Allow the OPTIONS reply to be cached for 24h
Internet Information Server this can be configured with the following IIS configuration for your site
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<httpProtocol>
<customHeaders>
<add name="Access-Control-Allow-Methods" value="GET,OPTIONS" />
<add name="Access-Control-Allow-Origin" value="*" />
<add name="Access-Control-Allow-Headers" value="*" />
<add name="Access-Control-Max-Age" value="86400" />
</customHeaders>
</httpProtocol>
</system.webServer>
</configuration>
I used ` RouteTable.Routes.MapPageRoute for my pages in website
same as
RouteTable.Routes.MapPageRoute(1,
"~/LNG/WebSites/Vission/vissions.aspx","vission");
RouteTable.Routes.MapPageRoute(2,
"~/LNG/WebSites/Loss/LossCiculars.aspx","Loss Circular");
`....
but this worked for some page .
i have an error for other page http 404
in web.config i added this line
<system.webServer>
<modules runAllManagedModulesForAllRequests="true">
<remove name="UrlRoutingModule-4.0" />
<add name="UrlRoutingModule-4.0" type="System.Web.Routing.UrlRoutingModule" preCondition="" /> </modules>
</system.webServer>
Note : this code worked correctly when i have run project in v.s.
help me plz if you can
thanks