Disable "httpErrors" element for a specific path - asp.net

I'm having trouble with httpErrors element in Web.config.
I decided to use httpErrors element to handle http errors and show custom error pages in my (ASP.NET MVC) application. The problem is that I also have an API that I don't want httpErrors element to handle its errors, it has its own custom error responses.
I want it to be disabled when it comes to API.
Is there anything I can do to achieve what I want?

I found the solution.
We can fix such problems by using the location element:
We just have to put the code below in the configuration element (the root) of the Web.config:
<location path="api">
<system.webServer>
<httpErrors existingResponse="PassThrough"></httpErrors>
</system.webServer>
</location>
What the <location> element actually does is that it overrides the configurations for paths that start with what you put in the path attribute, which in my case is "api". Then what you have to do is disable the httpErrors, which can be done by setting the existingResponse attribute to PassThrough.
I hope this helps.

Related

ASP.NET customErrors web.config not catching all invalid URLs

It looks like there is a bug in customErrors default redirect in web.config. In my web.config file I have the following customErrors setting
<customErrors defaultRedirect="~/generalerror.html?" mode="On" />
As far as I know this should send all errors to the custom generalerror.html page. It seems to work for some invalid URLS like
http://website.com/?x="<p>"
http://website.com/"<p>"
BUT it is not working when “&” is used in the URL and there is no “?” and there is an HTML tag. So this
http://website.com/&x="<p>"
totally ignores customErrors and you are given the default yellow Runtime Error instead of being sent to the custom generalerror.html page. How do I get this URL to also be redirected to the custom error page ?
If I turn mode="Off" in the web.config I get the following error
A potentially dangerous Request.RawUrl value was detected from the client (="/&x="<p>"").
Since you are passing HTML tags in the URL, it could be an indicative of cross-site scripting attack. Not all HTML tags are dangerous, but when HTML characters are followed by certain characters like '&' in your case, asp.net considers it as a cross-site scripting attack and doesn't allow it by default.
You should consider encoding the URL to get around this. And it is always a best practice. Here is a good explanation about XSS. And here is a link that explains in detail how to get around this issue.
To change this behavior, you can set request validation to false in web.config.
<configuration>
<system.web>
<pages validateRequest="false" />
</system.web>
</configuration>
But in this case, requests need to be validated in the pages.
Breaking changes were made to ASP.NET request validation in .NET 4.0 and this entry is required to revert the behavior to .NET 2.0 where invalid URLs will redirect to custom error page.
<httpRuntime requestValidationMode="2.0" />

Fire events for requests to static content without setting runAllManagedModulesForAllRequests to true

I'm looking for a more precise solution to handle requests for static contents by the ASP.NET lifecycle without setting runAllManagedModulesForAllRequests to true.
As far as I know is the effect of runAllManagedModulesForAllRequests = "true" that the precondition attribute of each module will be set to "".
The problem:
I have to protect static content in a subfolder of a web application against unauthorized access
To include requests to those static contents in the ASP.NET lifecycle and therefore having some events fired, I set runAllManagedModulesForAllRequests to true in web.config.
Because this solution turns the big wheel and all managed modules are affected for the whole application, I'm looking for a more adapted solution restricted to the subfolder where this behavior is required.
I need a solution for IIS6 and II7
Question 1:
The preconditon of which modules have to be resetted (precondition = "") to fire global.asax.cs events (e.g. Application_BeginRequest) for requests for static contents?
Question 2:
Is it possible to limit this request handling to requests to a single subfolder (e.g. perhaps by placing an adapted web.config in this subfolder, tweeking the main web.config, ...)
Any suggestions would be appreciated. Thanks.
Have you thought in the direction of registering a custom HttpModule for the right event of global.asax, and then enabling the HttpModule only for the sub directory using location attribute in the main web.config itself? It is just a thought of a possible solution - I havent thought through it..
<location path="subDirectoryPath">
<system.web>
<httpmodules>
<add type="MyCustomModule.Name" name="MyCustomModule" />
</httpmodules>
</system.web>
</location>
EDIT:
You may have to override your web.config, and bring in all the httpModule section in this, and then insert the custom module at the right place, with the right precondition.
This is to avoid setting runAllManagedModulesForAllRequests to true

Custom 404 Page with <httpErrors> element does not seem to function in IIS 7

I'm testing an IIS 7.5 site with Managed Pipeline Mode = 'Integrated'
My site targets mobile devices and leverages well formed URLs to pass parameters with a minimum of typing. For example 'mysite.com/bob1234' in this case 'bob1234' is actually parameter.
In the Application.BeginRequest, I process the Request.Url.AbsolutePath using a regular expression to determine if the URL is well formed.
I wanted to add a Custom 404 page, if a user mistypes the URL i.e. mysite.com/boob1234.
<system.web>
<customErrors mode="RemoteOnly" defaultRedirect="~/MobileError.aspx">
<error statusCode="404" redirect="404.htm"/>
</customErrors>
</system.web>
And while this catches errors when the extension is '.aspx', it does not catch 404(s) when no handler is mapped, for example '/mysite.com/boob1234'.
I followed the instructions and also added a element to my system.webserver
<system.webServer>
<modules runAllManagedModulesForAllRequests="true" />
<httpErrors defaultResponseMode="Redirect" errorMode="DetailedLocalOnly">
<remove statusCode="404" subStatusCode="-1"/>
<error statusCode="404" prefixLanguageFilePath=""
path="/mobile/MobileError.aspx" responseMode="ExecuteURL"/>
</httpErrors>
</system.webServer>
But no iteration of this seems to work. When I uncomment the block, I get a 500 error. And no, there doesn't seem to be any problem with my code. I get a 500 error, even when I just forward to an plain HTML Page.
I did implement failed request tracing to see what I could see.
I get the expected: 404 thrown by IIS Web Core.
Then a few steps later the CustomerErrorModule starts, but it fails with a 500 error. The detailed message is
ConfigExceptionInfo:
\?\C:.....\MyApp\web.config ( 89)
:This configuration section cannot be
used at this path. This happens when
the section is locked at a parent
level. Locking is either by default
(overrideModeDefault="Deny"), or set
explicitly by a location tag with
overrideMode="Deny" or the legacy
allowOverride="false".
I've tried walking up the '.config' stack, and haven't found any references to overrideMode="Deny"
Any help would be awesome. Totally stuck now.
Thanks:
Dylan
This has to do with the lifecycle of a request within IIS. In your case where there is no handler mapped, the 404 is recognized before the ASP dlls are even called into play. For items that are not explicitly identified in IIS as requiring Asp.Net, the IIS 404 error will fire and ignore any directives within Asp.Net. Even if a wild-card is applied to the all extensions, this wild-card is only called if IIS does not detect a 404 first. This includes directories and all file extensions not handled explicitly by .Net. So if you attempt to go to http://mydomain.com/images/someimage.gif and that file does not exist, you will not receive a .Net 404 error handler. If you change .gif to .aspx the handler will subsequently fire. The only method I have seen that adequately responds to this is to change all of your 404 handlers within IIS to redirect to a URL file on your local site. It will pass an aspxerror querystring, but if you put a ?error= in your url declaration, you will be able to add specific information.
One other thing I tried, though I'm not sure I tried it correctly, is reassigning the mapping for the file within IIS. We defined that Asp.Net should handle all requests for .gif at one point. The problem I had is that an image didn't come out, a Base64 encoding (I think?) text came out. Being under a deadline I did not pursue this as the simpler solution was to use the IIS custom errors mappings.
Have your tried unlocking the configuration section in the applicationhost.config?
<location path="example.net" overrideMode="Allow">
<system.webServer>
<httpErrors>
</httpErrors>
</system.webServer>
</location>
Reference: http://learn.iis.net/page.aspx/124/introduction-to-applicationhostconfig/#Locking
Just a stab in the dark, try adding this attribute to the httpErrors element:
existingResponse="PassThrough"
For example:
<httpErrors existingResponse="PassThrough"
defaultResponseMode="Redirect"
errorMode="DetailedLocalOnly">

Disabling themes in a subdirectory with ASP.NET

This should be a simple one. I am using a program that has themes defined in its Web.config file. I want to turn these off for a subdirectory.
I copied Web.config into a subdirectory and tried removing the theme attribute from the pages element on Web.config but that didn't get me anywhere. I got a bunch of errors about elements that are apparently not allowed in non-root Web.config files so I removed all of those elements, but I am still getting the same error.
I tried adding EnableTheming="False" in the ASPX Page header, the thing that defines Language=C#, etc., but it didn't work either.
So if someone can tell me a tested, confirmed way to make this work, I would appreciate that. I am using .NET Framework 2.0 on Server 2003.
Got it with a very basic Web.config:
<?xml version="1.0"?>
<configuration>
<system.web>
<pages theme="" />
</system.web>
</configuration>

asp.net, web.config inheritence, and clearing the authentication setting

I have an ASP.net 1.1 application.
In a sub-folder, I've installed blogengine.net, which is a 2.0 app.
The folder is set to be an application and is using the proper framework.
It works...except for authentication.
The issue is inheritence from the web.config in the root application.
The common fix for this issue is to use 'clear' in your nested app's config file for each thing you want to reset.
<httpModules>
<clear/>
</httpModules>
The problem is that 'clear' does not appear to be allows within authentication tags:
<authentication mode="Forms">
<clear/>
<forms... rest of my child app's settings for authentication...>
</authentication>
Doing that gives me a syntax error.
Anyone know of a way to get this working? I need to prevent the root app's authentication info in web.config from being inherited within the child application.
UPDATE: per curious_geek's answer, one option is to modify the root config to not allow inheritance. However, my understanding is that will also block the system.config properties. Is that usually a big deal? This isn't my server, so wonder if doing that will open up some security issues that might not go over with with the server admin.
You need to tell the parent web.config no to force section inheritance in child-application.
If you want to stop system.web section inheritance to child-app then you'd wrap your system.web section with location element mentioned as below.
<location path="." inheritInChildApplications="false">
<system.web>
</system.web>
</location>
You can also apply this technique for stop inheritance for connectionstrings and appsettings section as well.
PS: when you actually add this
lines in web.config, visual studio will
not recognize it as valid and mark it
as error, but be rest assured that it
will work well under IIS when
deployed.

Resources