I want to route SOAP messages to different servers depending on the message content.
I tried the Application Request Routing (ARR), but it seems, that you can only route by server variables and the HTTP header.
I found this tutorial:
Developing a Custom Rewrite Provider for URL Rewrite Module
My Question is, can I route depending on the HTTP body with a custom ReplaceProvider (IRewriteProvider, IProviderDescriptor)?
This is not possible!
Application Request Routing (ARR) can only access information from the http header.
Related
I am using Symfony 4 as Restful API, I was working perfectly with calling the api from a VueJS application.
Today, I needed to add an another resource on the api but when I want to call it to get data from Vuejs I get "No 'Access-Control-Allow-Origin' header is present on the requested resource".
Only for this entity, for the others it's working.
Your problem is related to CORS:
Cross-Origin Resource Sharing (CORS) is a mechanism that uses
additional HTTP headers to tell a browser to let a web application
running at one origin (domain) have permission to access selected
resources from a server at a different origin. A web application makes
a cross-origin HTTP request when it requests a resource that has a
different origin (domain, protocol, and port) than its own origin.
One of the possible solutions can be installing NelmioCorsBundle. This will bring CORS handling directly to your application.
Another solution can be adding this header in your web server (How do I add Access-Control-Allow-Origin in NGINX?).
We're developing a native application that accesses content on a resource server (which is also under our control). The resource server will require the user of the native app to authenticate by OpenID Connect to get an access key which is passed as a bearer token (RFC 6750). The authorization server is a separate server running Keycloak.
I'd like to avoid hard-coding information into the client software about the address of the authorization server. Instead, I'd like the resource server to provide the link to the auth server's provider discovery endpoint, possibly as part of the HTTP 401 challenge. I could just invent an X-MyApp-* header, but I was wondering if there is an established convention for this (whether an HTTP header, body content in the 401 response, a standard URL on the resource server etc)?
RFC6750 define the usage of WWW-Authenticate Response Header.
Section 3 of the spec define follow,
If the protected resource request does not include authentication
credentials or does not contain an access token that enables access
to the protected resource, the resource server MUST include the HTTP
"WWW-Authenticate" response
You may utilise this header to respond back the address of the authorization server. Specification allows to have attributes other than the ones defined by specification,
All challenges defined by this specification MUST use the auth-scheme
value "Bearer". This scheme MUST be followed by one or more
auth-param values. The auth-param attributes used or defined by this
specification are as follows. Other auth-param attributes MAY be
used as well.
Now if we can define a custom attribute named auth_server, then we can add it to 401 response's WWW-Authenticate header as below
WWW-Authenticate: Bearer realm="example", auth_server="URL-TO-OIDC-SERVER"
Your client must parse the header and extract the auth_server value .
I am new to Web Api 2. I am trying to build a project to explore token authorization. I created a new project in VS 2013 and selected the WebApi2 template and used Fiddler to emulate http requests. I didn't change anything in the template, just ran it as it was and tried to play with it with Fiddler. I successfully created a user by issuing request to /api/account/register but I can't login by issuing a POST request to the /Token endpoint. The request is:
http://localhost:YYYY/token?grant_type=password&password=admin123456&username=admin
(i also tried to pass the parameters as a json object in the request body).
I get back this:
{"error":"unsupported_grant_type"}
From other posts such as ASP.NET WEB API 2 OWIN Authentication unsuported grant_Type I learned that I needed to enable CORS for web api and at the token endpoint, but that hasn't worked for me.
Are you sure that you are sending POST request message and not GET?
If you simply go to the URL with query string (or open connection to this URL from your code) you are sending GET message by default. It's not what WebAPI with "/token" path is listening for.
If you are calling web service from same place, CORS is not needed. The error "unsupported_grant_type" could be in the format of the data you are passing server in post action.
Try sending with Content-Type application/x-www-form-urlencoded
I am creating an advanced app that uses websocket instead of ajax for dynamic interaction. My WebSocket messages are handled like HTTP Requests, they contain a json-encoded array of path and parameters, which will be converted to a Request. Now the HttpKernel handles this request like every other HTTP request (as sub-request). The only problem is, that the routes for websocket messages are public avaible.
Has anyone an idea how to allow only internal access for a route in this situation?
This answer explains why the firewall configuration can't be used to block routes by name as it uses the RequestMatcher which allows only path regexes and not route names.
In how many ways can an HTTP request be generated?
There are endless ways how you can create and from where you can send HTTP requests to a server. Actually your server has no idea, what the origin of such a request is (if it's AJAX or "regular" request, or sent from a console application or ...)
But there are HTTP methods (HTTP verbs) that (can) tell the server about the intent of the request: http://en.wikipedia.org/wiki/HTTP_Verbs#Request_methods
Also you can set headers in a request, for example the content-type or the accepted encoding: http://en.wikipedia.org/wiki/List_of_HTTP_header_fields
Most JavaScript libraries for example set the (non-standard) HTTP header X-Requested-With, so your application can differentiate between regular and ajax requests.
You see, it's even possible to set your own, non-standard headers. There are endless possible combinations...
HttpRequest is a C# class that wraps a petition sent by a client during a Web request.
There are many ways to generate it. The most usual one happens when your browser connects to an ASP.NET website.
You can, for example, create your own custom HttpRequest to petition a specific web page from a C# console application.
Are you trying to achieve something more specific?