I have a web service method taking multiple parameters.
Therefor the BodyStyle = WebMessageBodyStyle.Wrapped is set.
I want to access this method from a web service client therefor I did add the url of the service method to Reference->Add Services and I get the following error.
"There was an error downloading 'http://localhost:8080/Api/StoreI'.
The request failed with HTTP status 405: Method Not Allowed.
Metadata contains a reference that cannot be resolved: 'http://localhost:8080/Api/StoreI'.
The content type application/json of the response message does not match the content type of the binding (application/soap+xml; charset=utf-8).
If using a custom encoder, be sure that the IsContentTypeSupported method is implemented properly.
The first 323 bytes of the response were: '{"ErrorCode":110,"ErrorDetails":null,"Message":"The incoming message has an unexpected message format 'Raw'. The expected message formats for the operation are 'Xml', 'Json'.
This can be because a WebContentTypeMapper has not been configured on the binding. See the documentation of WebContentTypeMapper for more details."}'.
The remote server returned an error: (500) Internal Server Error.
If the service is defined in the current solution, try building the solution and adding the service reference again."
What should I do in order to resolve this error?
What are the steps to access a secure web service from a client?
I an new to web services.
A reply would be highly appreciated.
Thanks.
I am not expert but change
BodyStyle = WebMessageBodyStyle.Wrapped
to
BodyStyle = WebMessageBodyStyle.Bare
The usage of the wrapped on the operation description does not add a layer of security on the message body. It simply wraps the request (or the response) in an XML element
Related
I made a change to the .proto file where the path of a method changed
old .proto
package foo
rpc test
Method path is foo.test
new .proto
package foo.v1
rpc test
Method path is foo.v1.test
Of course, old clients will stop working with error
12 UNIMPLEMENTED: unknown service foo.test
I don't want to version my APIs instead I want to run a server interceptor that fixes the path for each incoming request.
The issue is the client gets an error response UNIMPLEMENTED before the request is handled by the interceptor.
To my understanding, the interceptor function is executed before the handler but, it seems there is code running that check the connection and the method name before the interceptor.
My question is how to get the server interceptor to run first and change the method path?
Ps. the cleint uses grpc-js
The method path can't be changed after call method. The interceptor execute later than find method by service and method name. So you should not remove the origin method when any client still call this method.
When an API is doing HTTP Token Authentication using Introspection, what should it return if the Introspection server is down or returns a 500?
I am writing an API and want to adhere to Http standards. If the API fails to validate the token (due to the custom Introspection server being down or returning a 500) should the API return a 401, 422, or a 500?
Also, if this token introspection endpoint is not an Oauth endpoint should it return the same Http code?
I have done some research and found:
https://tools.ietf.org/id/draft-ietf-oauth-v2-bearer-11.xml#authn-header
This says: "If the protected resource request included an access token and failed authentication, the resource server SHOULD include the error attribute to provide the client with the reason why the access request was declined. The parameter value is described in Section 3.1. In addition, the resource server MAY include the error_description attribute to provide developers a human-readable explanation that is not meant to be displayed to end users."
https://tools.ietf.org/id/draft-ietf-oauth-v2-bearer-11.xml#resource-error-codes
This says: "The access token provided is expired, revoked, malformed, or invalid for other reasons. The resource SHOULD respond with the HTTP 401 (Unauthorized) status code."
Now the above make me think that for sure when using Oauth Introspection a 401 is the correct approach in the given case and not a 500. The reason being since the authentication was not a success = failure. Does this sound correct? Also, should this be the same for non-Oauth Introspection?
I reviewed Microsoft's code for their .net core API Introspection package. It shows they return a 401 in this case. The code is at: https://github.com/aspnet-contrib/AspNet.Security.OAuth.Extensions/blob/dev/src/AspNet.Security.OAuth.Introspection/OAuthIntrospectionHandler.cs
The relevant part is:
// Return a failed authentication result if the introspection
// request failed or if the "active" claim was false.
var payload = await GetIntrospectionPayloadAsync(token);
if (payload == null || !payload.Value<bool>(OAuthIntrospectionConstants.Claims.Active))
{
Context.Features.Set(new OAuthIntrospectionFeature
{
Error = new OAuthIntrospectionError
{
Error = OAuthIntrospectionConstants.Errors.InvalidToken,
ErrorDescription = "The access token is not valid."
}
});
return AuthenticateResult.Fail("Authentication failed because the authorization " +
"server rejected the access token.");
}
Finally I came accross this:
https://www.rfc-editor.org/rfc/rfc6750#section-2.1
Which says: "If the protected resource request does not include authentication
credentials or does not contain an access token that enables access
to the protected resource, the resource server MUST include the HTTP
"WWW-Authenticate" response header field; it MAY include it in
response to other conditions as well."
You definitely don't want a 4xx error, because it suggests that it might be solvable by the client or at least a client-side error. This is clearly an outage so your error code should at least start with 5.
If you are accessing a external service, that service is down or malfunctioning and the service is critical (e.g.: there's nothing you can do in terms of a fallback) the most appropriate status code might be 503 Service Unavailable.
We have activated health monitoring on our website. Recently we are getting a lot of hack attempts which are caused by bots, but also spawn a lot of server errors.
Exception type: System.Web.HttpException
Exception message: The length of the URL for this request exceeds the configured maxUrlLength value.
Request information:
Request URL: http://www.ourdomain.be/Product/Band/29360" onmousedown="return rwt(this,'','','','7','[CUT_OUT_SOME_STUFF]row ab_button" id="am-b6" href="
User host address: ---.---.47.93
How can I filter these particular events so I don't get 10 emails per second?
Or how can I sanitize the URL before it is handled by the security parts of ASP.NET?
I can't totally repro your error - I get an exception for Illegal characters in path instead. Nevertheless...
Quick and dirty = send your emails to a dummy address and set up a
filter/rule on it so only the ones you want get forwarded to you
Slightly less quick = Use Application_Error with
Server.GetLastError() and Server.ClearError() to inspect and ignore
these
Create your own health monitoring provider, though I think you still
need to use Server.GetLastError to retrieve the exception data. See
http://msdn.microsoft.com/en-us/library/ms227676%28v=vs.85%29.aspx?cs-save-lang=1&cs-lang=vb#code-snippet-1
Getting following error after hosting WCF Service in IIS.
HTTP Error 500.0 - Internal Server Error. The page cannot be displayed
because an internal server error has occurred.
Module IsapiModule
Notification ExecuteRequestHandler
Handler svc-ISAPI-4.0_32bit
Error Code 0x00000000
It is HTTPS having a secure certificate WCF Service.
Please help me to solve this problem.
It can be caused by many different things. You should try the following solutions:
1 First way
Right click the folder where your site is located: "C:\Users\NAME\SiteName" and select Properties.
Select the Security tab and click on Edit.
Add.. and type in "IIS_IUSRS".
2 Second way
By default, WCF Service OperationContracts can only be invoked using an HTTP POST. When you call open() on the Titanium HTTPClient, are you specifying a GET or POST for HTTP method parameter?
Secondly, since your service binding is using SOAP 1.1, you need to pass a SOAPAction header in your request so that WCF can route the message to the GetData method. If an Action parameter is not specified in the service's OperationContract attribute, the Action should be the method name preceded by the namespace and service contract name (probably http://tempuri.org/IService1/GetData if you're using what the default WCF application created). You'll also need to specify a content-type. So, you'd need to setup your xhr like this prior to calling send:
xhr.setRequestHeader('Content-Type', 'text/xml; charset=utf-16');
xhr.setRequestHeader('SOAPAction',
'"http://tempuri.org/IService1/GetData"'); xhr.send(s); Also, you can
explicitly specify an action for a WCF service operation:
[OperationContract(Action = "MyAction")] string GetData() {
// ...snip... }
xhr.setRequestHeader('SOAPAction', '"MyAction"');
And lastly, you can allow service operations to be invoked via an HTTP GET by decorating the method with the [WebGet] attribute. This allows the operation to be called in REST fashion: http://msdn.microsoft.com/en-us/library/system.servicemodel.web.webgetattribute.aspx
I get this error while calling the web service hosted on the server.
The service has one web method with as string input and returns string (will be in XML format). The service is working fine but once in a while I get this error and can't predict. Can someone help me to get through this error.
Attached the screen shot of the error. Please let me know if you need additional info
I've never seen this error before, but I suggest you look at the event log on the server side. I suspect you are getting an unhandled exception on the client because you have one on the server.
Also, you should never return XML as a string. Use the XmlElement data type to return XML.