In this Adding a Controller (C#) tutorial I read:
ASP.NET MVC invokes different controller classes (and different action
methods within them) depending on the incoming URL
However, I am looking now at the source code full of such Controllers, the web app is fully functional, switches from Controller to Controller smoothly, without ever changing the URL...
How does this work?
Also, based on method, so one action might handle POST requests because it is decorated with [HttpPost] attribute and another one for GET requests as it is decorated with [HttpGet] attribute
I need to do some more guesswork as you've not detailed your observation: your application might send AJAX requests, and while the Url of the page is not changing, different actions in controllers are invoked because of these behind the scene requests.
Related
Through my application log, I have noticed the following HttpException has been raised:
"A public action method 'MyMethod' was not found on controller 'MyApp.Controllers.MyController'"
Controller: "MyController", Action: "MyAction" (GET)
This is normal because MyAction is a POST method.
But MyController can be accessed by authenticated users only, thanks to a controller filter overriding HandleUnauthorizedRequest() method.
Moreover, MyAction is called by Ajax from a Scripts file dedicated to authenticated functionalities.
(Please note that MyAction and MyController are not the real names, I have changed them here, and they are absolutely uncommon names which cannot be guessed without reading the JS file.)
I fear for my application security.
How is this possible that the existence of this controller method has been detected by an unauthentified user (which is a bot according to its IP address location)? What should I do to avoid that issue?
Given a URL, and I want to know which action in which controller is responsible for handling that URL. What I do right now is that I search for the route name in the project from visual studio. But I think there might be a package or tool that lists the routes and their corresponding Controller actions.
Is there a more neat way to find that:
url/examples/1
is handled by:
[HttpGet]
[Route("examples/{id}")]
public Task viewExmaple()
Try Swagger, as I think this will be as close as you can get in terms of "lists the routes and their corresponding Controller actions". By default, swagger acts a GUI (web page) that displays every controller with corresponding controller methods nested beneath(accordion style).
Swagger is also a great tool for debugging and testing. It displays details like which HTTP verb the methods use, which query string params (or JSON payload in body) the method accepts. Great for documentation as well.
Behind the scenes, swagger builds one giant JSON payload that nests all of your controller / controller actions so you may also be able to view it like that.
You would access it by hitting http(s)://your.app.path/swagger
Setting up in a .NET Standard (Non-Core) app
I am using a complex template for my new ASP.NET Core application. Now I wanted to create a new controller which receives a POST request from another external server. That didn't work. I tried a lot until I found out that there is a mechanism set up which only allows POST request to access my controller which have a certain header (X-XSRF-TOKEN). This is done to prevent a Cross-Site-Request-Forgery attack.
However one specific controller should allow such requests, because this controller is not used from the webpage visitors browser. Is there a way to annotate the controller or any other way to allow this exception?
I finally found the answer and it is indeed possible by using an annotation. Just annotate your controller or action with [IgnoreAntiforgeryTokenAttribute] and the whole XSRF mechanism won't bother your controller any more.
Note that even if you don't intend to use that controller action from a browser, if it can be accessed via http, it may easily be susceptible to CSRF. An attacker may still for example create a rogue webpage, which if visited by one of your users, makes the user send a request to that action. If session management is cookie-based or equivalent and the action changes server state, it would still be an exploitable vulnerability.
So while you can turn of CSRF protection, you need to consider consequences carefully.
I have a few controllers and a few methods decorated with a [Route] attribute.
Now the thing is, i want to add a global message handler excluding one single controller.
here is a snapshot from the http configuration code:+
The problem is, my Free controller (defined in the FreeApi route) is still getting the Custom message handler somehow in the pipeline.
How can i achieve this kind of behavior?
Thanks!
I need to create ASP.NET WebApi with couple operation, for example RegisterAppStart, RegisterStep and RegisterAppEnd. And I want to place all this actions in one controller. As I read, usually in WebApi action name is not using.
And my question - is this a bad idea to rewrite default route config with actions using?
ps. sorry for my English
You can give actions arbitrary names using the [Route("/api/FooController/BarMethod"] attribute routing.
This usually overrides the "REST"yness of your service (where the request method indicates which method should be called), but as you aren't really building a REST service, you shouldn't care.