In my ASP.NET MVC3 application when I queue some request to /Controller/Action?param=whatever and it fails and IIS custom errors handling configured in web.config kicks in and performs a "default redirect" (which is configured to redirect to /GenericHandler.htm I get redirected to /GenericHandler.htm?aspxerrorpath=/Controller/Action and the query string (param=wheveter part) is lost.
How do I make the query string preserved?
Related
Working on a DNN (9.2) module and am getting the following error in the DNN log file when trying to call http://dnndev.me/desktopmodules/rentalz/server.ashx directly from URL address bar in browser:
DotNetNuke.Entities.Urls.UrlRewriterUtils - System.ArgumentNullException:
Value cannot be null.
Parameter name: url
at System.Web.HttpResponse.Redirect(String url,
Boolean endResponse, Boolean permanent)
at DotNetNuke.Entities.Urls.AdvancedUrlRewriter.ProcessRequest(
HttpContext context, Uri requestUri, Boolean useFriendlyUrls,
UrlAction result, FriendlyUrlSettings settings,
Boolean allowSettingsChange, Guid parentTraceId)
When I remove the following entry from the Web.config file, the ASHX page works, but the rest of the site bombs out!
<add name="UrlRewrite" type="DotNetNuke.HttpModules.UrlRewriteModule,
DotNetNuke.HttpModules" preCondition="managedHandler" />
Does anyone know what's causing this?
This request shouldn't be handled by the URL rewriter, it ignores ashx requests by default. You can go to the SEO Settings page, and check the Expressions tab under URL Management to see if ashx is listed in the Do Not Rewrite URL Regular Expression. You can also go the the Test URL tab and put your URL in to see what sort of rewriting the system is trying to perform.
You shouldn't use a handler anymore. It's an old technique that can easily create security flaws on your website. You should instead us Web API. It's so much easier to do as well.
http://www.dnnsoftware.com/wiki/services-framework-webapi
We're using the Jasig .NET CAS Client to interface with our organization's CAS SSO server.
However, we've noticed that in ASP.NET MVC 3 (and I would assume this affects ASP.NET WebForms as well) applications, when users log out, we see the following error in our error log:
System.Web.HttpRequestValidationException (0x80004005):
A potentially dangerous Request.Form value was detected from the client
(logoutRequest="<samlp:LogoutRequest...").
at System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection)
at System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, RequestValidationSource requestCollection)
at System.Web.HttpRequest.get_Form()
at System.Web.HttpRequest.FillInParamsCollection()
at System.Web.HttpRequest.GetParams()
at DotNetCasClient.Utils.RequestEvaluator.GetRequestIsCasSingleSignOut() in C:\Projects\Jasig\CAS\dotnet-client\trunk\DotNetCasClient\Utils\RequestEvaluator.cs:line 292
at DotNetCasClient.CasAuthenticationModule.OnBeginRequest(Object sender, EventArgs e) in C:\Projects\Jasig\CAS\dotnet-client\trunk\DotNetCasClient\CasAuthenticationModule.cs:line 93
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
I don't believe this is an error message users are receiving -- it seems to only be seen by the server. As far as the users are concerned, log out is successful.
Is there any way I can get ASP.NET MVC to stop trying to validate these types of requests? I know I can disable request validation completely, but that's out of the question. The site with a hyphen has a good question on this, but not really an acceptable answer:
add the following setting to the web.config:
<httpRuntime requestValidationMode="2.0" />
After setting this value, U can disable request validation by setting validateRequest="false"
So, is there any way to disable ASP.NET validation for this request without turning it off completely?
Edit: This is also tricky to debug because this request is coming from the CAS server, NOT from the user's browser. I think this is the CAS server attempting to notify all running applications that the user has signed out (single sign out). So we're only receiving this error in production, not when testing locally.
The dotnetcas client gets access to the request before it gets to an MVC controller action, so it is not possible to simply set the validation attribute on an MVC controller or action.
The target of this request seems to be the last URL that was validated, so it is not possible to disable validation for a specific path in your application by using this method either: http://erikbra.wordpress.com/2012/04/17/wif-saml-token-post-and-requestvalidationmode2-0/
From what I see you have a couple of options:
Disable this validation:
<system.web>
<httpRuntime requestValidationMode="2.0" />
</system.web>
or
.Net 4.5 allows you to access a request before it goes through validation. If you have access to this you can re-compile the client from source, fixing the relevant issue.
I am not familar with Jasig .NET CAS but ASP.NET MVC allows you to disable request validation at the page level.
Add the following attribute to your controller action:
[ValidateInput(false)]
I’m having a problem with my SQL Connection strings not using the authentication provided in the connection string. I have written an ASP.NET application using self-tracking entities and I need to access data from two different servers. The first server, SQLSERVER1 is using windows authentication and is on the domain and im able to pull my data just fine. The second server connection however, is on another box off the domain and I need to use a specific login and password to access the data. I confirmed that the credentials im using in the connection string can connect to the server just fine.
On my web-server setup I have my app pool in IIS7 running under its own credential “Domain\AppPoolUser”.
For some reason, whenever I try to call data from SQLSERVER2 after publishing to the webserver im getting the following error, even though I have specified the credentials in my connection string and they are valid. The connection works fine however, if im debugging the application locally : Login failed for user 'DOMAIN\AppPoolUser'.
It seems like it’s not using the credentials I have specified in the connection string, and instead trying to connect as the application pools credentials. How can I setup the connection string to use the credentials I have provided?
Here is my connection strings:
<add name="ADATrackingContext" providerName="System.Data.SqlClient" connectionString="Server=SQLSERVER1;Database=ADATracking;Integrated Security=True;" />
<add name="PatientContext" providerName="System.Data.SqlClient" connectionString="Server=SQLSERVER2;Database=Patients;uid=PatientUser;password=123456;Integrated Security=False;" />
Not sure if it matters, but the user should be User Id= and not uid=
The ADATrackingContext connection string will attempt to login using the Domain\AppPoolUser domain account since you have set the Integrated Security = true. Since you don't have Domain\AppPoolUser as a login for your db, you will get the error you describe.
Double check to make sure you are passing the correct connection string to your DbContext.
It looks like the error was being caused beacuse I was trying to pull the data before my client page was authenticated to the ADATracking connection string. I moved the data call over to the HomeConstroller.cs instead of the Global.asax file and all is working now. My mistake.
I can access the elmah.axd file, to view errors, when browsing using the localhost host name (i.e. http://localhost:24425/admin/elmah.axd).
I created a different host name and added it in my host file (to mirror production domain name). When I browse the site, and force an exception, the exception does get logged (SQL Server) using the prod host name. However, I am not able to view the elmah.axd file (i.e. http://www.foo.com/admin/elmah.axd). I get "HTTP Error 404.0 - Not Found
The resource you are looking for has been removed, had its name changed, or is temporarily unavailable."
When I force an exception, using the localhost url, the exception still does get logged in SQL and I am able to browse this file: http://localhost:24425/admin/elmah.axd. However, I only see exceptions that occur under the localhost url (not the www.foo.com url).
After reviewing SQL, I see errors that happen using localhost with Application "/" and User set to the account I am logged in with. The errors generated when using www.foo.com have Application set to "/LM/W3SVC/6/ROOT" and the User column is blank.
I just need to be able to access the elmah.axd file when using www.foo.com/admin/elmah.axd. I have set security allowRemoteAccess to "1" in my web.config and have also added the elmah stuff to system.web and system.webServer nodes in my web.config.
I am using Windows Server 2008R2, IIS7.5 and it is a ASP.NET site (set up as a Web Application).
Thanks for any advice given.
By default elmah.axd can only be viewed on the local machine (whicj is why using localhost works).
You need to configure the web application to allow remote access.
I've got a asmx service that takes a single int parameter. I can open the URL to the service and see the service description screen. From here I can enter the query parameters into a form and invoke the web service.
Is there any way to invoke a web service directly from a URL/query string?
This doesnt work:
http://localhost:4653/MyService.asmx?op=MyWebMethod&intParameter=1
Any ideas? I'd really like to be able to do this from a standard link due to some deployment issues. Am I going to have to wrap the request in a normal aspx page?
You can decorate your method to allow HTTP GET requests, which should in turn do what you're looking for like so:
[WebMethod]
[ScriptMethod(UseHttpGet=true)]
public string MyNiftyMethod(int myint)
{
// ... code here
}
And edit the web.config :
<system.web>
<webServices>
<protocols>
<add name="HttpGet"/>
</protocols>
Then you'll be able to call this method like so:
http://mysite.com/Service.asmx/MyNiftyMethod?myint=12345
EDIT: Note that this method of performing GET requests does come with some security risks. According to the MSDN documentation for UseHttpGet:
Setting the UseHttpGet property to
true might pose a security risk for
your application if you are working
with sensitive data or transactions.
In GET requests, the message is
encoded by the browser into the URL
and is therefore an easier target for
tampering.
ASMX web services use SOAP. SOAP requests use only POST to invoke methods. You will need to generate a proxy client in your aspx page to invoke the web service. If you really need to use GET verbs to invoke web services you might need to use a different approach such as WCF REST.