Nancy cannot load with wildcard url reservations - wildcard

I have a desktop application that is self hosting a NancyFX web server. Being a desktop application there is a requirement that we allow dynamic IP addresses so we have registered the url using the wildcard option with netsh, as so:
netsh http add urlacl url=http://+:1234/ user=Everyone
However when this application is run under a non-administrator account the following exception is thrown.
The Nancy self host was unable to start, as no namespace reservation existed for the provided url(s).
Please either enable UrlReservations.CreateAutomatically on the HostConfiguration provided to
the NancyHost, or create the reservations manually with the (elevated) command(s):
netsh http add urlacl url=http://192.168.1.90:1234/ user=Everyone
I have tried many combinations of wildcard registrations, all with the same result. I also looked at registering the wildcard when loading Nancy, but due to Nancy using Uri types this was not valid.
I was under the assumption that by using the wildcard registration I had registered any ip address to be used. But Nancy seems to need the specific ip address registered.
I would really appreciate if someone could tell my why the wildcard registration will not work with Nancy, or even better, how to make it work with Nancy.

An old question but if anyone runs into this, Nancy SelfHost allows you to create Url reservations automatically using the HostConfiguration object.
The Url is then reserved automatically on startup.
//Nancy configuration
HostConfiguration hostConfig = new HostConfiguration()
{
UrlReservations = new UrlReservations()
{
//create URL reservations automatically
CreateAutomatically = true
}
};
//Uri
Uri uri = new Uri("http://localhost:9999");
using (var host = new NancyHost(hostConfig, uri))
{
host.Start();
Console.WriteLine("Running self-hosted server ...");
Console.WriteLine("Press [Enter] to close the application.");
Console.ReadLine();
}

Related

BizTalk 2016: How to use HTTP Send adapter with API token

I need to make calls to a rest API service via BizTalk Send adapter. The API simply uses a token in the header for authentication/authorization. I have tested this in a C# console app using httpclient and it works fine:
string apiUrl = "https://api.site.com/endpoint/<method>?";
string dateFormat = "dateFormat = 2017-05-01T00:00:00";
using (var client = new HttpClient())
{
client.DefaultRequestHeaders.Add("token", "<token>");
client.DefaultRequestHeaders.Add("Accept", "application/json");
string finalurl = apiUrl + dateFormat;
HttpResponseMessage resp = await client.GetAsync(finalurl);
if (resp.IsSuccessStatusCode)
{
string result = await resp.Content.ReadAsStringAsync();
var rootresult = JsonConvert.DeserializeObject<jobList>(result);
return rootresult;
}
else
{
return null;
}
}
however I want to use BizTalk to make the call and handle the response.
I have tried using the wcf-http adapter, selecting 'Transport' for security (it is an https site so security is required(?)) with no credential type specified and placed the header with the token in the 'messages' tab of the adapter configuration. This fails though with the exception: System.IO.IOException: Authentication failed because the remote party has closed the transport stream.
I have tried googling for this specific scenario and cannot find a solution. I did find this article with suggestions for OAUth handling but I'm surprised that even with BizTalk 2016 I still have to create a custom assembly for something so simple.
Does anyone know how this might be done in the wcf-http send adapter?
Yes, you have to write a custom Endpoint Behaviour and add it to the send port. In fact with the WCF-WebHttp adapter even Basic Auth doesn't work so I'm currently writing an Endpoint Behaviour to address this.
One of the issues with OAuth, is that there isn't one standard that everyone follows, so far I've had to write 2 different OAuth behaviours as they have implemented things differently. One using a secret and time stamp hashed to has to get a token, and the other using Basic Auth to get a token. Also one of them you could get multiple tokens using the same creds, whereas the other would expire the old token straight away.
Another thing I've had to write a custom behaviour for is which version of TLS the end points expects as by default BizTalk 2013 R2 tries TLS 1.0, and then will fail if the web site does not allow it.
You can feedback to Microsoft that you wish to have this feature by voting on Add support for OAuth 2.0 / OpenID Connect authentication
Maybe someone will open source their solution. See Announcement: BizTalk Server embrace open source!
Figured it out. I should have used the 'Certificate' for client credential type.
I just had to:
Add token in the Outbound HTTP Headers box in the Messages tab and select 'Transport' security and 'Certificate' for Transport client credential type.
Downloaded the certificate from the API's website via the browser (manually) and installed it on the local servers certificate store.
I then selected that certificate and thumbprint in the corresponding fields in the adapter via the 'browse' buttons (had to scroll through the available certificates and select the API/website certificate I was trying to connect to).
I discovered this on accident when I had Fiddler running and set the adapter proxy setting to the local Fiddler address (http://localhost:8888). I realized that since Fiddler negotiates the TLS connection/certificate (I enabled tls1.2 in fiddler) to the remote server, messages were able to get through but not directly between the adapter and the remote API server (when Fiddler WASN'T running).

AspNet.Security.OpenIdConnect.Server (ASP.NET vNext) Authority Configuration in Mixed http/https Environments

I am using Visual Studio 2015 Enterprise and ASP.NET vNext Beta8 to build an endpoint that both issues and consumes JWT tokens as described in detail here. As explained in that article the endpoint uses AspNet.Security.OpenIdConnect.Server (AKA OIDC) to do the heavy lifting.
While standing this prototype up in our internal development environment we have encountered a problem using it with a load balancer. In particular, we think it has to do with the "Authority" setting on app.UseJwtBearerAuthentication and our peculiar mix of http/https. With our load balanced environment, any attempt to call a REST method using the token yields this exception:
WebException: The remote name could not be resolved: 'devapi.contoso.com.well-known'
HttpRequestException: An error occurred while sending the request.
IOException: IDX10804: Unable to retrieve document from: 'https://devapi.contoso.com.well-known/openid-configuration'.
Consider the following steps to reproduce (this is for prototyping and should not be considered production worthy):
We created a beta8 prototype using OIDC as described here.
We deployed the project to 2 identically configured IIS 8.5 servers running on Server 2012 R2. The IIS servers host a beta8 site called "API" with bindings to port 80 and 443 for the host name "devapi.contoso.com" (sanitized for purposes of this post) on all available IP addresses.
Both IIS servers have a host entry that point to themselves:
127.0.0.1 devapi.contoso.com
Our network admin has bound a * certificate (*.contoso.com) with our Kemp load balancer and configured the DNS entry for https://devapi.contoso.com to resolve to the load balancer.
Now this is important, the load balancer has also been configured to proxy https traffic to the IIS servers using http (not, repeat, not on https). It has been explained to me that this is standard operating procedure for our company because they only have to install the certificate in one place. We're not sure why our network admin bound 443 in IIS since it, in theory, never receives any traffic on this port.
We make a secure post via https to https://devapi.contoso.com/authorize/v1 to fetch a token, which works fine (the details of how to make this post are here ):
{
"sub": "todo",
"iss": "https://devapi.contoso.com/",
"aud": "https://devapi.contoso.com/",
"exp": 1446158373,
"nbf": 1446154773
}
We then use this token in another secure get via https to https://devapi.contoso.com/values/v1/5.
OpenIdConnect.OpenIdConnectConfigurationRetriever throws the exception:
WebException: The remote name could not be resolved: 'devapi.contoso.com.well-known'
HttpRequestException: An error occurred while sending the request.
IOException: IDX10804: Unable to retrieve document from: 'https://devapi.contoso.com.well-known/openid-configuration'.
We think this is happening because OIDC is attempting to consult the host specified in "options.Authority", which we set at startup time to https://devapi.contoso.com/. Further we speculate that because our environment has been configured to translate https traffic to non https traffic between the load balancer and IIS something is going wrong when the framework tries to resolve https://devapi.contoso.com/. We have tried many configuration changes including even pointing the authority to non-secure http://devapi.contoso.com to no avail.
Any assistance in helping us understand this problem would be greatly appreciated.
#Pinpoint was right. This exception was caused by the OIDC configuration code path that allows IdentityModel to initiate non-HTTPS calls. In particular the code sample we were using was sensitive to missing trailing slash in the authority URI. Here is a code fragment that uses the Uri class to combine paths in a reliable way, regardless of whether the Authority URI has a trailing slash:
public void Configure(IApplicationBuilder app, IOptions<AppSettings> appSettings)
{
.
.
.
// Add a new middleware validating access tokens issued by the OIDC server.
app.UseJwtBearerAuthentication
(
options =>
{
options.AuthenticationScheme = JwtBearerDefaults.AuthenticationScheme ;
options.AutomaticAuthentication = false ;
options.Authority = new Uri(appSettings.Value.AuthAuthority).ToString() ;
options.Audience = new Uri(appSettings.Value.AuthAuthority).ToString() ;
// Allow IdentityModel to use HTTP
options.ConfigurationManager =
new ConfigurationManager<OpenIdConnectConfiguration>
(
metadataAddress : new Uri(new Uri(options.Authority), ".well-known/openid-configuration").ToString(),
configRetriever : new OpenIdConnectConfigurationRetriever() ,
docRetriever : new HttpDocumentRetriever { RequireHttps = false }
);
}
);
.
.
.
}
In this example we're pulling in the Authority URI from config.json via "appSettings.Value.AuthAuthority" and then sanitizing/combining it using the Uri class.

How to construct a correct HttpRequest in Salesforce

I am developing an application in Salesforce that should communicate with a server to get some data. the server address is like this http://192.168.115.22/.
this is the HttpRequest object i am constructing in my Apex code is :
HttpRequest request = new HttpRequest();
String username = "myLogin", passwd = "myPassword";
String dataUrl = 'sli=on&fli=on&login=' + username + '&password=' + passwd + 'the rest of data';
request.setMethod('POST');
request.setEndpoint('http://192.168.115.22/Services/getLicenses');
request.setHeader('Content-Type','application/x-www-form-urlencoded');
request.setHeader('Content-Length', String.valueOf(dataUrl.length()));
request.setBody(dataUrl);
Http http = new Http();
HttpResponse response = http.send(request);
But the response i am getting contains this error :
The following error was encountered while trying to retrieve the URL: http://192.168.115.22/Licgen/Service/getLicensePackage?
Access Denied.
i don't know what is the problem with the url i am constructing, and when i write the url manually in my navigator i have access to the server.
Any help please.
This issue, in light of having already been added to the whitelist for endpoints, I think has to do with the fact that 192.168 IP addresses denote local IP addresses within a network normally.
It's likely that you can reach it because you're on your network, but Salesforce cannot see your network from the inside. You would need to use something like ngrok.com which allows you to expose a local machine to an outside available IP address.
You can also find out your router's IP address if you are at home, and port forward to your 192.168.115.22 local machine through it to expose it to the outside world, but I've had a much easier time with ngrok.com for easy integration testing with my applications.
Some Information On 192.168 addresses
(Adding this answer because my other answer could legitimately solve someone searching for the same issue above)
This issue may have to do with the fact that Salesforce prevents outside calls to un-authorized endpoints. Fortunately, it is a simple matter of adding an endpoint to the whitelist of authorized outbound connection points.
Under the setup menu option, and then again under teh security menu, there is a menu item called remote site settings. Within this option you'll see a list of sites you are allowed to access from within Salesforce. If your endpoint isn't in the list, add it and you may get a different result.
Please let me know if you have already added this to the whitelist and it is still a problem.

How do you fix Google OAuth API - (403) There is a per-IP or per-Referer restriction configured on your API key

I have recently moved a project over to another server. The domain name is the same, it has just been pointed to the new server. The URL is exactly the same. Since moving the project over however I get this error when the app tries to connect to googles OAuth api.
{
"name": "Error calling GET https:\/\/www.googleapis.com\/analytics\/v3\/management\/accounts\/~all\/webproperties\/~all\/profiles?key=AIzaSyBKUP8JriiOnFnbJm_QYt_bHTMuHf-ilAI: (403) There is a per-IP or per-Referer restriction configured on your API key and the request does not match these restrictions. Please use the Google Developers Console to update your API key configuration if request from this IP or referer should be allowed.",
"url": "\/analytics\/statistics.json"
}
The obvious reason (based on the error message) would be that I haven't added the new server IP into the list of allowed IP's in the devlopers console under APIs & auth->Credentials->Key for server applications.
I have added the IP. I've checked the domain has propagated by pinging it and the new IP comes up which has been entered in the console so i'm struggling to work out why it doesn't work.
Has anybody come across this before that may be able to help me solve it?
Go to Project -> APIs & Auth -> Credentials -> API Key -> Create New Key -> Browser Key. It may take upto 5 minutes to reflect changes.
And it worked for me.
After you added your new server IP you need to generate a new API key from the Console. This message shows up when access in not properly configured. Look here and scroll down to "accessNotConfigured".
So, go to your developer console, Project -> APIs & Auth -> Credentials -> Public API Access -> Create New Key -> Server Key. Use this new key and you should be good to go.
I've had this problem for a while as well but finally solved it:
I noticed when trying wget http://bot.whatismyipaddress.com/ from my server it would actually return an IPv6-address, when on the API key's config page I had entered the IPv4-Address of my server. Once I added the IPv6-Address, my requests where finally accepted.
Go to Project -> APIs & Auth -> Credentials -> Public API Access -> Create New Key -> Server Key >> Accept requests from these server IP addresses (Optional) section,
then remove all the IP Address and Update it first, then try it. And, later you can add the specific IP address which did weirdly work for me.

Creating a url in controller in asp.net mvc 4

I am trying to send activation mail to the currently registered user.In mail body,I need to send a link like http://example.com/account/activation?username=d&email=g.Now, for debugging on local machine, I manually write it as localhost:30995/account/activation?username=d&email=g. But, when my port number changes, I need to rewrite it.
I tried another question
on this website,but, compiler gives error like url.action doesnot exist.
Please give me fresh solution as I am confused with that solution.
Use a Url.Action overload that takes a protocol parameter to generate your URLs:
Url.Action("Activation", "Account", new { username = "d", email = "g" }, "http")
This generates an absolute URL rather than a relative one. The protocol can be either "http" or "https". So this will return http://localhost:XXXXX/account/activation?username=d&email=g on your local machine, and http://example.com/account/activation?username=d&email=g on production.
In short, this will stick whatever domain you're hosting your app on in front of your URL; you can then change your hostname/port number/domain name as many times as you want. Your links will always point to the host they originated from. That should solve the problem you're facing.
Try using IIS / IIS-Express instead of Casinni web server that comes with visual studio.
You could add bindings to have the right URL (with host entries of course).
This will avoid the port numbers in your links.

Resources