I'm using ASP.net Core 1, MVC 6. I am using SignInManager and UserManager, to authenticate a user in a web api application (MVC6 / C#) from another MVC application (the web api Logon method is actually called from a Jquery Ajax request).
In IE, I call the Login method and when successful, it gives me a Set-Cookie response with an ASP.net auth cookie. I can then see subsequent requests have the ASP.net auth cookie attached.
In chrome, the Set-Cookie directive is returned in the response, but subsequent requests do not have the cookie attached.
Why is this happening?
The only difference I can see is that in Chrome, there is a pre-flight OPTIONS request being sent, but I have handled that in the startup.cs file in the web api and am essentially ignoring it.
Internet Explorer
My request to Login web api looks like this:
Accept */*
Accept-Encoding gzip, deflate
Accept-Language en-IE
Cache-Control no-cache
Connection Keep-Alive
Content-Length 246
Content-Type application/x-www-form-urlencoded; charset=UTF-8
Cookie BeaeN4tYO5M=CfDJ8KMNkK4F2ylMlo1LFxNzxWLNDECVWfhxBYRQrw_MkNQBrVIwfO6FoMIMqg1PP-nZa8Dhp3IV1ZS1uXKpknUDYegiMlEvFaNG-wqUXErvQ5wkMMc_HBI88j-7bCbD2Q7P_B6fEQOQSTKHoL5sTcH0MoM
DNT 1
Host localhost:44338
Referer https://localhost:44356/
Request POST /api/account/Login HTTP/1.1
User-Agent Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
X-ACL-Key 4A6F0007-95E7-4423-B786-6FBF981799FE
Response like this:
Response HTTP/1.1 200 OK
Cache-Control no-cache
Pragma no-cache
Content-Type application/json; charset=utf-8
Expires -1
Server Kestrel
Set-Cookie oAuthInterop=CfDJ8Asqo6qO2cNHlXpsdNLsuoQWhLxXcnaNkAMTB-VvpkMRIz2AiM_7feoIM29gza_zZz97qaE6TKdqK8y1jDPjDDyiiMdOMiuCmCoV5X4IQ9xtHvpGgmFoxOSiYFVeVOBbHsLx4BccL647F9sJ07M55zvjMx_7wrt32omhONH64vmc12P3nepwZjNSIFYfom1U0Z4r4EX_0tZjKRH7FrdvO0PI2iY5SMaKhCcBw1QXpQHSUxL6Hm-Wr8Q46gFAYoa6YffJV0Rx80FvJHmr1LMAA6PAF0dU_DzNdRVHdXm14t_nbfl-6xb6o7WQN259moUhkT1ZQ9CZsYwWvn7VBmpjfIXNJvIu0FDnRaHnNMrj3uN77_cAMdO3OcyCuy-CAKJ9c-0PxKToStb9juGSNa9ClpVQPADzpUxFqxZU029AXBPavXQK2Ezvy7YT4FwCkL8TEf5AnB5hfOZ5YCBlqD30n2heMdHDbXRHpxeaQB4aoY_6uSpJ3cPazBDsbvGi4fV2-0g5NvoTGgJUXa5p4UntRmuiJ2tZHbMmEjXzf-GV6QtTFIhseKsS3n6TMX68yqQOhYOzxvHdJXPjYxvjmm6-vJw5w2FDgiEXoQJQ7qaSmGzRwOA_cE4VBV_RhzrZELmp3A; path=/; secure; httponly
X-SourceFiles =?UTF-8?B?QzpcVXNlcnNcUm9iZXJ0XERlc2t0b3BcSEJFIE1hbmFnZXJcTUFJTlxCbHVlem9uZSBXZWJBcGlcc3JjXEJ6LkFwcGxpY2F0aW9uXEJ6LkFwcGxpY2F0aW9uLkFwaVx3d3dyb290XGFwaVxhY2NvdW50XExvZ2lu?=
X-Powered-By ASP.NET
Access-Control-Allow-Methods GET,PUT,POST,DELETE
Access-Control-Allow-Headers Content-Type,x-xsrf-token,X-ACL-Key
Date Fri, 06 May 2016 14:23:22 GMT
Content-Length 16
Subsequent test web api call (IsLoggedIn):
Request GET /api/account/IsLoggedIn HTTP/1.1
X-ACL-Key 4A6F0007-95E7-4423-B786-6FBF981799FE
Accept */*
Referer https://localhost:44356/
Accept-Language en-IE
Accept-Encoding gzip, deflate
User-Agent Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Host localhost:44338
DNT 1
Connection Keep-Alive
Cache-Control no-cache
Cookie BeaeN4tYO5M=CfDJ8KMNkK4F2ylMlo1LFxNzxWLNDECVWfhxBYRQrw_MkNQBrVIwfO6FoMIMqg1PP-nZa8Dhp3IV1ZS1uXKpknUDYegiMlEvFaNG-wqUXErvQ5wkMMc_HBI88j-7bCbD2Q7P_B6fEQOQSTKHoL5sTcH0MoM; oAuthInterop=CfDJ8Asqo6qO2cNHlXpsdNLsuoQWhLxXcnaNkAMTB-VvpkMRIz2AiM_7feoIM29gza_zZz97qaE6TKdqK8y1jDPjDDyiiMdOMiuCmCoV5X4IQ9xtHvpGgmFoxOSiYFVeVOBbHsLx4BccL647F9sJ07M55zvjMx_7wrt32omhONH64vmc12P3nepwZjNSIFYfom1U0Z4r4EX_0tZjKRH7FrdvO0PI2iY5SMaKhCcBw1QXpQHSUxL6Hm-Wr8Q46gFAYoa6YffJV0Rx80FvJHmr1LMAA6PAF0dU_DzNdRVHdXm14t_nbfl-6xb6o7WQN259moUhkT1ZQ9CZsYwWvn7VBmpjfIXNJvIu0FDnRaHnNMrj3uN77_cAMdO3OcyCuy-CAKJ9c-0PxKToStb9juGSNa9ClpVQPADzpUxFqxZU029AXBPavXQK2Ezvy7YT4FwCkL8TEf5AnB5hfOZ5YCBlqD30n2heMdHDbXRHpxeaQB4aoY_6uSpJ3cPazBDsbvGi4fV2-0g5NvoTGgJUXa5p4UntRmuiJ2tZHbMmEjXzf-GV6QtTFIhseKsS3n6TMX68yqQOhYOzxvHdJXPjYxvjmm6-vJw5w2FDgiEXoQJQ7qaSmGzRwOA_cE4VBV_RhzrZELmp3A
Response like this:
Response HTTP/1.1 200 OK
Content-Type application/json; charset=utf-8
Server Kestrel
X-SourceFiles =?UTF-8?B?QzpcVXNlcnNcUm9iZXJ0XERlc2t0b3BcSEJFIE1hbmFnZXJcTUFJTlxCbHVlem9uZSBXZWJBcGlcc3JjXEJ6LkFwcGxpY2F0aW9uXEJ6LkFwcGxpY2F0aW9uLkFwaVx3d3dyb290XGFwaVxhY2NvdW50XElzTG9nZ2VkSW4=?=
X-Powered-By ASP.NET
Access-Control-Allow-Methods GET,PUT,POST,DELETE
Access-Control-Allow-Headers Content-Type,x-xsrf-token,X-ACL-Key
Date Fri, 06 May 2016 14:23:22 GMT
Content-Length 68
CHROME
My request to Login web api looks like this:
POST /api/account/Login HTTP/1.1
Host: localhost:44338
Connection: keep-alive
Content-Length: 246
Accept: */*
Origin: https://localhost:44356
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36
X-ACL-Key: 4A6F0007-95E7-4423-B786-6FBF981799FE
Referer: https://localhost:44356/
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Response like this:
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json; charset=utf-8
Expires: -1
Vary: Origin
Server: Kestrel
Set-Cookie: oAuthInterop=CfDJ8Asqo6qO2cNHlXpsdNLsuoRvlRjfUBWrkt3W3NzBJIoFYA6DcQivnfYmZV2O5xuiqpd75oRjZ-JeHBcjiOK0HoFJQ9f61RyJ2HDeuCNmQk0H-pA3Lzs5ft_F49dpQt0kFn3_-FzEh5-NScCbY4N6TiuYlWY4VSoKsdJJ91k7Z4LQO-0Wm3cZ6HfX0E6pLzGG4lWaZGuV-gOsVCRygR5nv_O_YpWwfaLsT_51aX6fNXVSotU6MECEkFdfWseqOGyYVj7KJrxY2mPwksE0XGACs12TnmfJzCABrzd06FnTPy3RuqJF2IWOobX6ZAHGMoAVFR07mhy9gMPyaHQ12RKmhBhZSXE-Yi3BHow2ER9d2Niligx7JjwYR7UfHFHWJdoYzewLRkZZGE5pw67O710hYyA2UCM2ODB9l9x-WDQ1A_3xjxu2Mrkp0lrF0V-h3y6V2gzEP9RyQAjDISEEZQqvb-GzfZrsRzzQcMn0TMhq5_LUKkX3AScSGRiarBzZ2O9Af3jzwTmN1BciJknJwMKRefq_zrXH7kymCD1kJM89aGkswqp2bycMQjlsjqg5k8EEhv8u1kLA7hA9NyE2ZaamB1PAWYz4NXi3Agccgw83nFi4bs6VE8ZLnyZFEwxdyEGyvQ; path=/; secure; httponly
Access-Control-Allow-Origin: https://localhost:44356
Access-Control-Allow-Credentials: true
X-SourceFiles: =?UTF-8?B?QzpcVXNlcnNcUm9iZXJ0XERlc2t0b3BcSEJFIE1hbmFnZXJcTUFJTlxCbHVlem9uZSBXZWJBcGlcc3JjXEJ6LkFwcGxpY2F0aW9uXEJ6LkFwcGxpY2F0aW9uLkFwaVx3d3dyb290XGFwaVxhY2NvdW50XExvZ2lu?=
X-Powered-By: ASP.NET
Access-Control-Allow-Methods: GET,PUT,POST,DELETE
Access-Control-Allow-Headers: Content-Type,x-xsrf-token,X-ACL-Key
Date: Fri, 06 May 2016 12:59:36 GMT
Content-Length: 16
Subsequent test web api call (IsLoggedIn):
GET /api/account/IsLoggedIn HTTP/1.1
Host: localhost:44338
Connection: keep-alive
Accept: */*
Origin: https://localhost:44356
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.94 Safari/537.36
X-ACL-Key: 4A6F0007-95E7-4423-B786-6FBF981799FE
Referer: https://localhost:44356/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-GB,en-US;q=0.8,en;q=0.6
Response like this:
HTTP/1.1 401 Unauthorized
Content-Length: 0
Content-Type: text/plain; charset=utf-8
Server: Kestrel
X-SourceFiles: =?UTF-8?B?QzpcVXNlcnNcUm9iZXJ0XERlc2t0b3BcSEJFIE1hbmFnZXJcTUFJTlxCbHVlem9uZSBXZWJBcGlcc3JjXEJ6LkFwcGxpY2F0aW9uXEJ6LkFwcGxpY2F0aW9uLkFwaVx3d3dyb290XGFwaVxhY2NvdW50XElzTG9nZ2VkSW4=?=
X-Powered-By: ASP.NET
Access-Control-Allow-Methods: GET,PUT,POST,DELETE
Access-Control-Allow-Headers: Content-Type,x-xsrf-token,X-ACL-Key
Date: Fri, 06 May 2016 12:59:43 GMT
My web api controller code looks like this:
[Authorize]
[EnableCors("AllowAll")]
[Route("api/[controller]")]
public class AccountController : Controller
{
private readonly UserManager<ApplicationUser> _userManager;
private readonly SignInManager<ApplicationUser> _signInManager;
public AccountController(UserManager<ApplicationUser> userManager, SignInManager<ApplicationUser> signInManager)
{
_userManager = userManager;
_signInManager = signInManager;
}
[HttpPost("login")]
[AllowAnonymous]
public async Task<IActionResult> Login(UserLogin model)
{
if (ModelState.IsValid) {
var result = await _signInManager.PasswordSignInAsync(model.Email, model.Password, model.RememberMe, lockoutOnFailure: false);
if (result.Succeeded) {
return Json(new { success = true });
}
if (result.RequiresTwoFactor) {
return Json(new { success = false, errType = 1 });
}
if (result.IsLockedOut) {
return Json(new { success = false, errType = 2 });
} else {
ModelState.AddModelError(string.Empty, "Invalid login attempt.");
return Json(new { success = false, errType = 3 });
}
}
return Json(new { success = false, errType = 0 });
}
[HttpGet("IsLoggedIn")]
public IActionResult IsLoggedIn()
{
return Json(new {
loggedon = (HttpContext.User.Identity.Name != null && HttpContext.User.Identity.IsAuthenticated),
isauthenticated = HttpContext.User.Identity.IsAuthenticated,
username = HttpContext.User.Identity.Name
});
}
}
Startup.cs for my web api looks like this:
public class Startup
{
public static int SessionLength { get; private set; }
private string Connection;
public Startup(IHostingEnvironment env)
{
// Set up configuration sources.
var builder = new ConfigurationBuilder()
.AddJsonFile("appsettings.json")
.AddEnvironmentVariables();
Configuration = builder.Build();
SessionLength = 30;
}
public IConfigurationRoot Configuration { get; set; }
// This method gets called by the runtime. Use this method to add services to the container.
public void ConfigureServices(IServiceCollection services)
{
// Get the configured connection string.
Connection = Configuration["Data:DefaultConnection:ConnectionString"];
var userStore = new CustomUserStore();
var roleStore = new CustomRoleStore();
var userPrincipalFactory = new CustomUserPrincipalFactory();
services.AddInstance<IUserStore<ApplicationUser>>(userStore);
services.AddInstance<IRoleStore<ApplicationRole>>(roleStore);
services.AddInstance<IUserClaimsPrincipalFactory<ApplicationUser>>(userPrincipalFactory);
services.AddIdentity<ApplicationUser, ApplicationRole>(options => {
options.Cookies.ApplicationCookie.Events = new CookieAuthenticationEvents() {
OnRedirectToAccessDenied = ctx =>
{
if (ctx.Response.StatusCode == (int)HttpStatusCode.Unauthorized || ctx.Response.StatusCode == (int)HttpStatusCode.Forbidden) {
return Task.FromResult<object>(null);
}
ctx.Response.Redirect(ctx.RedirectUri);
return Task.FromResult<object>(null);
},
OnRedirectToLogin = ctx =>
{
if (ctx.Response.StatusCode == (int)HttpStatusCode.Unauthorized || ctx.Response.StatusCode == (int)HttpStatusCode.Forbidden) {
return Task.FromResult<object>(null);
}
ctx.Response.Redirect(ctx.RedirectUri);
return Task.FromResult<object>(null);
}
};
//options.Cookies.ApplicationCookie.CookieHttpOnly = false;
options.Cookies.ApplicationCookieAuthenticationScheme = "ApplicationCookie";
options.Cookies.ApplicationCookie.AuthenticationScheme = "ApplicationCookie";
options.Cookies.ApplicationCookie.CookieName = "oAuthInterop";
options.Cookies.ApplicationCookie.AutomaticChallenge = true;
options.Cookies.ApplicationCookie.AutomaticAuthenticate = true;
options.Cookies.ApplicationCookie.DataProtectionProvider = new DataProtectionProvider(new DirectoryInfo("d:\\development\\artefacts"),
configure =>
{
configure.SetApplicationName("TestAuthApp");
//configure.ProtectKeysWithCertificate("thumbprint");
});
options.Cookies.ApplicationCookie.ExpireTimeSpan = TimeSpan.FromMinutes(SessionLength);
}).AddDefaultTokenProviders();
// Add framework services.
services.AddMvc();
// Add cross site calls.
//TODO: implement with better security instead of allowing everything through.
services.AddCors(options => options.AddPolicy("AllowAll", p => p.AllowAnyOrigin()
.AllowAnyMethod()
.AllowAnyHeader().AllowCredentials()));
}
// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
loggerFactory.AddConsole(Configuration.GetSection("Logging"));
loggerFactory.AddDebug();
app.UseIISPlatformHandler(options => options.AuthenticationDescriptions.Clear());
app.UseStaticFiles();
app.UseIdentity();
app.UseMvc();
}
}
A wild guess would be you are not setting withCredentials flag on your XMLHttpRequest when making cross-domain request from javascript via ajax. This flag basically controls whether to include credentials (such as cookies, authorization headers or client certificates) in cross-domain request. Why it still works in IE? Not completely sure, but maybe because proper implementation of this flag only appeared in IE10, and you might use another version of IE. If you use jquery to make requests, see here how to set this flag.
If that is not the case, please include your client-side code + request and response headers of Chrome's OPTIONS request.
Related
I'm using this code in my .NET API:
jwtOptions.Events = new JwtBearerEvents()
{
OnAuthenticationFailed = c =>
{
c.NoResult();
Logger.LogException(c.Exception);
c.Response.StatusCode = 401;
c.Response.ContentType = "text/plain";
if (ApiConfig.IsDeveloping)
{
return c.Response.WriteAsync(c.Exception.ToString());
}
return c.Response.WriteAsync("An error occured processing your authentication.");
},
OnTokenValidated = c =>
{
if (c.Principal.IsInRole("SuperAdmin"))
{
c.HttpContext.Items["IsSuperAdmin"] = true;
}
return Task.CompletedTask;
}
};
But this causes my React client to not get the errors if the authentication token is invalid.
When I look at the Chrome's Network tab, I see this error:
(failed)net::ERR_HTTP2_PROTOCOL_ERROR
What should I do? What have I done wrong in my .NET code?
Update I realized that it depends on the token that I send. If I send a totally invalid token like lkjsdlkjf then I get the 401 response. But if I use a valid JWT token from internet that is invalid for my current session, I get this error.
Update 2
This is the request/response I logged using Wireshark. Request/response seem to be fine. But Chrome or Postman cannot understand it correctly:
GET /locale/data HTTP/1.1
X-Forwarded-Host: api.admin.example.local
X-Forwarded-Proto: https
Connection: Upgrade
Host: api.admin.example.local
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
User-Agent: PostmanRuntime/7.29.2
Accept: */*
Postman-Token: 02c8e0f2-0afb-4112-8abf-c4815ea66176
Accept-Encoding: gzip, deflate, br
HTTP/1.1 401 Unauthorized
Content-Type: text/plain
Date: Mon, 09 Jan 2023 07:47:32 GMT
Server: Kestrel
Cache-Control: no-cache, no-store, must-revalidate
Content-Encoding: br
Expires: 0
Pragma: no-cache
Transfer-Encoding: chunked
Vary: Accept-Encoding
Milliseconds: 2238
33
...An error occured processing your authentication.
I am struggling with this for weeks now, tried everything I could find on internet, but nothing works.
Biggest problems is - it works seamlessly in .NET 4.8 with default WCF scaffold, however .NET Core has WCF reworked and this one I can not figure out.
So, the authentication process has three parts.
Get XSFR token from web page, this is simple HttpClient.GetAsync towards web page which returns XSFR cookie in response.
Get SessionID by calling REST auth method, also simple and works with HttpClient.PostAsync.
Call HTTPS WCF service by sending XSFR token and SessionID as cookies. No go.
I used Visual Studio 2022 (17.4.3) to scaffold wsdl file.
I tried different bindings and I learned that Security.Mode has to be System.ServiceModel.SecurityMode.Transport otherwise I get error that "http" is expected but "https" found in URL and does not work.
However, when I do set security mode to Transport, I get error:
'The HTTP request was forbidden with client authentication scheme 'Anonymous'.'
Anonymous changes depending on Security.Transport.ClientCredentialType.
As for sending cookies, I tried two different methods:
OperationContextScope:
using (new OperationContextScope(port.InnerChannel)) {
var endPoint = new EndpointAddress(Config.URL_APP_ORIGIN);
var httpRequest = new HttpRequestMessageProperty();
httpRequest.Headers.Add(HEADER_X_XSRF_TOKEN, xsrfToken?.Value);
httpRequest.Headers.Add(HttpRequestHeader.Cookie, sessionId?.ToString());
httpRequest.Headers.Add(HttpRequestHeader.Cookie, xsrfToken?.ToString());
OperationContext.Current.OutgoingMessageProperties.Add(HttpRequestMessageProperty.Name, httpRequest);
await IspisVerzije(port);
// await IspisAllowedValues(port);
port.Close();
}
HttpHeaderMessageInspector
// Implementation of partial method in scaffolded web service reference
static partial void ConfigureEndpoint(System.ServiceModel.Description.ServiceEndpoint serviceEndpoint, System.ServiceModel.Description.ClientCredentials clientCredentials) {
var headers = new Dictionary<string, string> {
["HEADER_X_XSRF_TOKEN"] = Program.xsrfToken?.ToString(),
["Cookie"] = "Basic " + Program.sessionId?.ToString(),
["Cookie"] = "Basic " + Program.xsrfToken?.ToString()
};
var behaviour = new AddHttpHeaderMessageEndpointBehavior(headers);
serviceEndpoint.EndpointBehaviors.Add(behaviour);
}
}
public class HttpHeaderMessageInspector : IClientMessageInspector {
private Dictionary<string, string> Headers;
public HttpHeaderMessageInspector(Dictionary<string, string> headers) {
Headers = headers;
}
public void AfterReceiveReply(ref Message reply, object correlationState) { }
public object BeforeSendRequest(ref Message request, IClientChannel channel) {
// ensure the request header collection exists
if (request.Properties.Count == 0 || !request.Properties.ContainsKey(HttpRequestMessageProperty.Name)) {
request.Properties.Add(HttpRequestMessageProperty.Name, new HttpRequestMessageProperty());
}
// get the request header collection from the request
var HeadersCollection = ((HttpRequestMessageProperty)request.Properties[HttpRequestMessageProperty.Name]).Headers;
// add our headers
foreach (var header in Headers) HeadersCollection[header.Key] = header.Value;
return null;
}
}
public class AddHttpHeaderMessageEndpointBehavior : IEndpointBehavior {
private IClientMessageInspector HttpHeaderMessageInspector;
public AddHttpHeaderMessageEndpointBehavior(Dictionary<string, string> headers) {
HttpHeaderMessageInspector = new HttpHeaderMessageInspector(headers);
}
public void AddBindingParameters(ServiceEndpoint endpoint, BindingParameterCollection bindingParameters) { }
public void ApplyClientBehavior(ServiceEndpoint endpoint, ClientRuntime clientRuntime) {
clientRuntime.ClientMessageInspectors.Add(HttpHeaderMessageInspector);
}
public void ApplyDispatchBehavior(ServiceEndpoint endpoint, EndpointDispatcher endpointDispatcher) { }
public void Validate(ServiceEndpoint endpoint) { }
}
I used Fiddler to inspect outgoing requests and cookies are present in request.
This is raw request sent by working .NET Framework 4.8 version:
POST https://zupit-test.gov.hr/services/integration/v2 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; MS Web Services Client Protocol 4.0.30319.42000)
X-XSRF-TOKEN: 7280e4c2-6dd1-4ed4-9a35-91c22c172dfd
VsDebuggerCausalityData: uIDPo0dR90lQHnFDopiVLjbd/0IAAAAAxYMKfS4zuEWC0d5bf6byLKVx4ImkhWZLr+qCOPCMN3gACQAA
Content-Type: application/soap+xml; charset=utf-8; action=""
Host: zupit-test.gov.hr
Cookie: XSRF-TOKEN=7280e4c2-6dd1-4ed4-9a35-91c22c172dfd; JSESSIONID=B232706D460BE6C5FC5981826B36E9EB; TS01a2529c=01402d66b9a555cd86492a154020763ed07f0c7bbe2dbd6487ca2abfa0cfa1b3c533cde8a1335c973f7c6d5c24cdee6f743a38b5b5c0b26948152fee150d6abba41ea0e8cd
Content-Length: 301
Expect: 100-continue
<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><getVersion xmlns="http://zupit.gov.hr/integration/v2" /></soap:Body></soap:Envelope>
And this is raw request sent by .NET 7 version:
POST https://zupit-test.gov.hr/services/integration/v2 HTTP/1.1
Host: zupit-test.gov.hr
Cache-Control: no-cache, max-age=0
X-XSRF-TOKEN: e62fe08b-e7ea-4fd7-88d7-28f58aa45018
Cookie: JSESSIONID=77C6A62B4A0B62DDDFAD8C534EA9D2A9,XSRF-TOKEN=e62fe08b-e7ea-4fd7-88d7-28f58aa45018
Accept-Encoding: gzip, deflate
Content-Type: application/soap+xml; charset=utf-8
Content-Length: 573
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing"><s:Header><a:Action s:mustUnderstand="1">http://zupit.gov.hr/integration/v2/IntegrationWSv2/getVersionRequest</a:Action><a:MessageID>urn:uuid:3aef24b7-6c08-4a85-bff4-fd0dbcf7ce1d</a:MessageID><a:ReplyTo><a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address></a:ReplyTo><a:To s:mustUnderstand="1">https://zupit-test.gov.hr/services/integration/v2</a:To></s:Header><s:Body><getVersion xmlns="http://zupit.gov.hr/integration/v2"/></s:Body></s:Envelope>
And this is server response for .NET 7 request:
HTTP/1.1 403
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
Set-Cookie: XSRF-TOKEN=915dea61-d5a4-4c63-ad85-51f92df31f67; Path=/
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
X-Frame-Options: DENY
Content-Type: application/json;charset=UTF-8
Date: Thu, 22 Dec 2022 07:42:34 GMT
Strict-Transport-Security: max-age=16070400; includeSubDomains
Set-Cookie: TS01a2529c=01402d66b972abf2e18b994c3e4a4342cb1a60809c602d5bd0ebfb7953d22b3d635225a9b013d6108d2efd22d658d57c1de898f2709b920c1a01fefeda45b6c6746a57884d; Path=/
Transfer-Encoding: chunked
8e
{"timestamp":"2022-12-22T07:42:35.272Z","error":"Forbidden","message":"Forbidden","path":"/services/integration/v2","showServerMessage":false}
0
Is this HTTPS issue or difference of generated SOAP XML in .NET 7?
Any ideas how to solve this?
Thanks,
Mario
I'm trying to set up a file upload request in a ServiceStack TypeScript client that also includes the month for which the file is relevant. How do I set up the request so that both come through to the server?
I've tried various changes, including manually changing headers to try to force Content-Type to be application/json, which didn't work (but I suspect would break the file upload even if it did).
Client-side API:
export const serviceApi = {
importData: (month: string, file: File) => {
var client = new JsonServiceClient("");
var request = new DTOs.ImportData();
// At this point, the month has a value
request.month = month.replace('/', '-').trim();
let formData = new FormData();
formData.append('description', file.name);
formData.append('type', 'file');
formData.append('file', file);
const promise = client.postBody(request, formData);
return from(promise);
},
};
DTO definition:
[Route("/api/data/import/{Month}", "POST")]
public class ImportData : IReturn<ImportDataResponse>
{
public string Month { get; set; }
}
public class ImportDataResponse : IHasResponseStatus
{
public ResponseStatus ResponseStatus { get; set; }
}
Server-side API:
[Authenticate]
public object Post(ImportData request)
{
if (Request.Files == null || Request.Files.Length <= 0)
{
throw new Exception("No import file was received by the server");
}
// This is always coming through as null
if (request.Month == null)
{
throw new Exception("No month was received by the server");
}
var file = (HttpFile)Request.Files[0];
var month = request.Month.Replace('-', '/');
ImportData(month, file);
return new ImportDataResponse();
}
I can see that the file is coming through correctly on the server side, and I can see an HTTP request going through with the month set in the query string parameters as "07-2019", but when I break in the server-side API function, the month property of the request is null.
Update, here are the HTTP Request/Response headers:
Request Headers
POST /json/reply/ImportData?month=07-2019 HTTP/1.1
Host: localhost:40016
Connection: keep-alive
Content-Length: 7366169
Origin: http://localhost:40016
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.157 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryI8CWlbw4tP80PkpZ
Accept: */*
Referer: http://localhost:40016/data
Accept-Encoding: gzip, deflate, br
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: _ga=GA1.1.673673009.1532913806; ASP.NET_SessionId=gtwdk3wsvdn0yulhxyblod3g; __utmc=111872281; __utmz=111872281.1533684260.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); ss-opt=perm; __utma=111872281.673673009.1532913806.1550789161.1550794391.20; _gid=GA1.1.893581387.1558389301; ss-id=kfq4G0GYb3WldSdCaRyJ; ss-pid=aZ400sqM4n3TQgNVnHS2
Response Headers
HTTP/1.1 500 Exception
Cache-Control: private
Content-Type: application/json; charset=utf-8
Vary: Accept
Server: Microsoft-IIS/10.0
X-Powered-By: ServiceStack/5.10 NET45 Win32NT/.NET
X-AspNet-Version: 4.0.30319
X-SourceFiles: =?UTF-8?B?RTpcVEZTXFNvdXJjZVxNZWRpc2VuXFdlYnNpdGVzXE9OaWlDU1xNYWluXFNvdXJjZVxPbmlpY3NSZWFjdC1QYXltZW50c1xPbmlpY3NSZWFjdFxPbmlpY3NSZWFjdFxqc29uXHJlcGx5XEltcG9ydE1CU0NvZGVz?=
X-Powered-By: ASP.NET
Date: Tue, 21 May 2019 21:49:03 GMT
Content-Length: 605
Query String Parameters
month=07-2019
You'll be able to upload a file using JavaScript's fetch API directly, e.g:
let formData = new FormData();
formData.append('description', file.name);
formData.append('type', 'file');
formData.append('file', file);
fetch('/api/data/import/07-2019', {
method: 'POST',
body: formData
});
Otherwise if you want to use ServiceStack's TypeScript JsonServiceClient you would need to use the API that lets you post the Request DTO with a separate request body, e.g:
formData.append('month', '07-2019');
client.postBody(new ImportData(), formData);
I don't think the month should be part of the request header, that's kinda unorthodox. It should be part of the form data.
If you did:
formData.append('Month', month.replace('/', '-').trim());
client side, then request.Month or request.content.Month should work, depending on how the request object is handled in your instance.
I've been stuck on this recently and can't figure out why this is happening.
I'm using an MVC Controller in .Net Core to return a NotFound() "404" response.
However, client side (using angular) if I console.log the response, it shows this...
status:200
statusText:"OK"
Is there any reason why returning NotFound() would return an error code of 200 instead of the intended 404?
This is my Controller GET.
// GET: api/cause/cause-name
[HttpGet("{name}")]
[AllowAnonymous]
public IActionResult GetCauseByName(string name)
{
var input = _service.GetCauseByName(name);
if (input == null)
{
return NotFound();
}
else
{
return Ok(input);
}
}
Any help would be appreciated! Thanks!
To be clear, for this instance assume input is null. What I'm testing is it hitting NotFound() not the return OK(input). Breakpoints have been set and it does hit the NotFound() but still returns the response code of 200.
Headers--
GET /cause/dsdasdas
HTTP/1.1
Host: localhost:48373
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8 Accept-Encoding: gzip, deflate, sdch, br Accept-Language: en-US,en;q=0.8
HTTP/1.1
200 OK
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
Content-Encoding: gzip Vary:
Accept-Encoding Server: Kestrel X-SourceFiles: =?UTF-8?B?QzpcVXNlcnNcaXR0ZW1wNVxEZXNrdG9wXFByb2plY3RGdW5kQXBwXHNyY1xQcm9qZWN0RnVuZFxjYXVzZVxkc2Rhc2Rhcw==?= X-Powered-By: ASP.NET Date: Thu, 25 May 2017 14:51:29 GMT –
POSTMAN HEADERS
Content-Encoding →gzip
Content-Type →text/html; charset=utf-8
Date →Thu, 25 May 2017 15:18:31 GMT
Server →Kestrel
Transfer-Encoding →chunked
Vary →Accept-Encoding
X-Powered-By →ASP.NET
X-SourceFiles →=?UTF-8?B?QzpcVXNlcnNcaXR0ZW1wNVxEZXNrdG9wXFByb2plY3RGdW5kQXBwXHNyY1xQcm9qZWN0RnVuZFxjYXVzZVxkc2Rhc2Rhcw==?=
I have asked a similar question and received some kind of answer... NotFound() doesn't seem to work as expected
The solution Redirect("~/404.html"); returns 200.
However, there's another way.
// Wherever you want to return your standard 404 page
return Redirect("Home/StatusCode?code=404");
public class HomeController : Controller
{
// This method allows for other status codes as well
public IActionResult StatusCode(int? code)
{
// This method is invoked by Startup.cs >>> app.UseStatusCodePagesWithReExecute("/Home/StatusCode", "?code={0}");
if (code.HasValue)
{
// here is the trick
this.HttpContext.Response.StatusCode = code.Value;
}
//return a static file.
try
{
return File("~/" + code + ".html", "text/html");
}
catch (FileNotFoundException)
{
return Redirect("Home/StatusCode?code=404");
}
}
}
This does return 404.
I've got an issue with the BasicAuthProvider in ServiceStack. POST-ing to the CredentialsAuthProvider (/auth/credentials) is working fine.
The problem is that when GET-ing (in Chrome):
http://foo:pwd#localhost:81/tag/string/list
the following is the result
Handler for Request not found:
Request.HttpMethod: GET
Request.HttpMethod: GET
Request.PathInfo: /login
Request.QueryString: System.Collections.Specialized.NameValueCollection
Request.RawUrl: /login?redirect=http%3a%2f%2flocalhost%3a81%2ftag%2fstring%2flist
which tells me that it redirected me to /login instead of serving the /tag/... request.
Here's the entire code for my AppHost:
public class AppHost : AppHostHttpListenerBase, IMessageSubscriber
{
private ITagProvider myTagProvider;
private IMessageSender mySender;
private const string UserName = "foo";
private const string Password = "pwd";
public AppHost( TagConfig config, IMessageSender sender )
: base( "BM App Host", typeof( AppHost ).Assembly )
{
myTagProvider = new TagProvider( config );
mySender = sender;
}
public class CustomUserSession : AuthUserSession
{
public override void OnAuthenticated( IServiceBase authService, IAuthSession session, IOAuthTokens tokens, System.Collections.Generic.Dictionary<string, string> authInfo )
{
authService.RequestContext.Get<IHttpRequest>().SaveSession( session );
}
}
public override void Configure( Funq.Container container )
{
Plugins.Add( new MetadataFeature() );
container.Register<BeyondMeasure.WebAPI.Services.Tags.ITagProvider>( myTagProvider );
container.Register<IMessageSender>( mySender );
Plugins.Add( new AuthFeature( () => new CustomUserSession(),
new AuthProvider[] {
new CredentialsAuthProvider(), //HTML Form post of UserName/Password credentials
new BasicAuthProvider(), //Sign-in with Basic Auth
} ) );
container.Register<ICacheClient>( new MemoryCacheClient() );
var userRep = new InMemoryAuthRepository();
container.Register<IUserAuthRepository>( userRep );
string hash;
string salt;
new SaltedHash().GetHashAndSaltString( Password, out hash, out salt );
// Create test user
userRep.CreateUserAuth( new UserAuth
{
Id = 1,
DisplayName = "DisplayName",
Email = "as#if.com",
UserName = UserName,
FirstName = "FirstName",
LastName = "LastName",
PasswordHash = hash,
Salt = salt,
}, Password );
}
}
Could someone please tell me what I'm doing wrong with either the SS configuration or how I am calling the service, i.e. why does it not accept the supplied user/pwd?
Update1: Request/Response captured in Fiddler2when only BasicAuthProvider is used.
No Auth header sent in the request, but also no Auth header in the response.
GET /tag/string/AAA HTTP/1.1
Host: localhost:81
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,sv;q=0.6
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ss-pid=Hu2zuD/T8USgvC8FinMC9Q==; X-UAId=1; ss-id=1HTqSQI9IUqRAGxM8vKlPA==
HTTP/1.1 302 Found
Location: /login?redirect=http%3a%2f%2flocalhost%3a81%2ftag%2fstring%2fAAA
Server: Microsoft-HTTPAPI/2.0
X-Powered-By: ServiceStack/3,926 Win32NT/.NET
Date: Sat, 10 Nov 2012 22:41:51 GMT
Content-Length: 0
Update2 Request/Response with HtmlRedirect = null . SS now answers with the Auth header, which Chrome then issues a second request for and authentication succeeds
GET http://localhost:81/tag/string/Abc HTTP/1.1
Host: localhost:81
Connection: keep-alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,sv;q=0.6
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ss-pid=Hu2zuD/T8USgvC8FinMC9Q==; X-UAId=1; ss-id=1HTqSQI9IUqRAGxM8vKlPA==
HTTP/1.1 401 Unauthorized
Transfer-Encoding: chunked
Server: Microsoft-HTTPAPI/2.0
X-Powered-By: ServiceStack/3,926 Win32NT/.NET
WWW-Authenticate: basic realm="/auth/basic"
Date: Sat, 10 Nov 2012 22:49:19 GMT
0
GET http://localhost:81/tag/string/Abc HTTP/1.1
Host: localhost:81
Connection: keep-alive
Authorization: Basic Zm9vOnB3ZA==
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.11 (KHTML, like Gecko) Chrome/23.0.1271.64 Safari/537.11
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8,sv;q=0.6
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: ss-pid=Hu2zuD/T8USgvC8FinMC9Q==; X-UAId=1; ss-id=1HTqSQI9IUqRAGxM8vKlPA==
Prefixing foo:pwd# to a url like:
http://foo:pwd#localhost:81/tag/string/list
is not how you do BasicAuth with HTTP, the wikipedia page for an example:
Sending BasicAuth request with a HTTP client
When the user agent wants to send the server authentication credentials it may use the Authorization header.
The Authorization header is constructed as follows:
Username and password are combined into a string "username:password"
The resulting string literal is then encoded using Base64
The Authorization method and a space i.e. "Basic " is then put before the encoded string.
For example, if the user agent uses 'Aladin' as the username and 'sesam open' as the password then the header is formed as follows:
Authorization: Basic QWxhZGluOnNlc2FtIG9wZW4=