ASP.NET Web API removing HttpError from responses
I'm building a RESTful service using Microsoft ASP.NET Web API.
My problem concerns the HttpErrors Web API throws to the user when things go wrong (e.g. 400 Bad Request or 404 Not Found).
The problem is, I don't want the serialized HttpError in the response content: it provides information and therefore violates OWASP security rules. Example:
Request:
http://localhost/service/api/something/555555555555555555555555555555555555555555555555555555555555555555555
As a response, a 400 of course, with the following content information:
{ "$id": "1", "Message": "The request is invalid.", "MessageDetail": "The parameters dictionary contains a null entry for parameter 'id' of non-nullable type 'System.Int32' for method 'MyNamespaceAndMethodHere(Int32)' in 'Service.Controllers.MyController'. An optional parameter must be a reference type, a nullable type, or be declared as an optional parameter." }
Something that not only indicates the web service is based on ASP.NET Web API technology (which isn't bad), but also gives information about namespaces, method names, parameters, etc.
I tried setting IncludeErrorDetailPolicy in Global.asax:
GlobalConfiguration.Configuration.IncludeErrorDetailPolicy = IncludeErrorDetailPolicy.Never;
Yeah, it did some good: the result doesn't contain the MessageDetail section, but still, I don't want the HttpError at all.
I built a custom DelegatingHandler, but it also affects the 400s and 404s I generate myself in controllers, which I don't want to happen.
My question is: is there a convenient way to get rid of the serialized HttpError in the response content? I want the user to get only the response code for bad requests.
What about using a custom IHttpActionInvoker? Basically, you have to send an empty HttpResponseMessage.
Here is a basic example:
```csharp
using System;
using System.Diagnostics;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http.Controllers;

public class MyApiControllerActionInvoker : ApiControllerActionInvoker
{
    public override async Task<HttpResponseMessage> InvokeActionAsync(HttpActionContext actionContext, CancellationToken cancellationToken)
    {
        HttpResponseMessage result;
        try
        {
            // Await the base invoker: checking Task.Exception/Task.Result on a task that
            // has not completed yet would miss faults or block the request thread.
            result = await base.InvokeActionAsync(actionContext, cancellationToken);
        }
        catch (Exception)
        {
            // Log critical error server-side; the client only gets a bare 500, no HttpError body.
            Debug.WriteLine("unhandled exception");
            return new HttpResponseMessage(HttpStatusCode.InternalServerError);
        }

        if (result.StatusCode != HttpStatusCode.OK)
        {
            // Log critical error, then keep only the status code and drop the serialized content.
            Debug.WriteLine("invalid response status");
            return new HttpResponseMessage(result.StatusCode);
        }

        return result;
    }
}
```
In Global.asax:
```csharp
GlobalConfiguration.Configuration.Services.Replace(typeof(IHttpActionInvoker), new MyApiControllerActionInvoker());
```
One other important thing to do, not related to Web API, is to remove the excessive ASP.NET and IIS HTTP headers. Here is an explanation.
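As an added example, not part of the original answer, here is a DelegatingHandler that strips only framework-generated HttpError bodies (responses whose content is ObjectContent&lt;HttpError&gt;), which also covers the 404s the routing layer returns before any action invoker runs; the class name and the registration line are assumptions. Note that bodies built in a controller with Request.CreateErrorResponse(...) are HttpError too and would be stripped as well, while error responses built from a plain DTO pass through untouched.

```csharp
using System.Diagnostics;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;

// Assumed class name; not from the original answer.
public class StripHttpErrorHandler : DelegatingHandler
{
    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var response = await base.SendAsync(request, cancellationToken);

        // Framework errors (model binding failures, routing 404s, CreateErrorResponse)
        // are serialized as ObjectContent<HttpError>. Ordinary action results
        // (DTOs, strings, streams) use other content types and are left alone.
        if (response.Content is ObjectContent<HttpError>)
        {
            // Keep the detail server-side for diagnostics; the client sees only the status code.
            Debug.WriteLine("Stripped HttpError body for {0} {1} -> {2}",
                request.Method, request.RequestUri, (int)response.StatusCode);
            response.Content = null;
        }

        return response;
    }
}

// Registration in Global.asax (assumed placement):
// GlobalConfiguration.Configuration.MessageHandlers.Add(new StripHttpErrorHandler());
```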