Web API 2.1 Windows CORS Firefox Authentication

Here's the script:

I created a web api project and an mvc project, for example:

http://www.asp.net/web-api/overview/security/enabling-cross-origin-requests-in-web-api

I installed CORS support via NuGet and added EnableCorsAttribute.

I ran the project and everything worked as expected (GET, PUT and POST) through Chrome, IE and Firefox.

Then I turned on Windows authentication in the web api project (yes, I really need win auth in the api project). To make this work, I added the xhrFields argument to my jquery.ajax call:

    $.ajax({
        type: method,
        url: serviceUrl,
        data: JSON.stringify(foo),
        contentType: 'application/json; charset=UTF-8',
        // send the user's Windows credentials with the cross-origin request
        xhrFields: { withCredentials: true }
    }).done(function (data) {
        $('#value1').text(data);
    }).fail(function (jqXHR, textStatus, errorThrown) { // .fail() replaces the deprecated jqXHR.error()
        $('#value1').text(jqXHR.responseText || textStatus);
    });

In addition, I set the property EnableCorsAttribute.SupportsCredentials = true.

I checked everything. Chrome and IE worked, Firefox did not. Firefox receives a 401 in response to the preflight request (OPTIONS).

It seems that Firefox is not trying to authenticate with the service.

Has anyone found a solution to this problem?

+8
firefox cors asp.net-web-api windows-authentication
2 answers

I figured out a 2-part solution.

The problem is that when Firefox issues an OPTIONS request and is denied with a 401, it does not make further attempts to re-authenticate. This led me to look for a way to bypass authentication for all OPTIONS requests. I could not find much information on this, but I found this:

401 response to CORS request in Windows enabled IIS

Based on this, I set anonymous authentication to Enabled in the API project settings (I also had Windows authentication set to Enabled).

After starting the projects (MVC and API), I was asked to enter credentials when issuing the CORS request. After providing my credentials, I was able to successfully do GET/POST/PUT with Firefox.

To eliminate the credential prompt in Firefox, I received feedback from Brock Allen that led me down the path of enabling NTLM authentication. I found a post here that contains instructions on how to change the appropriate settings.

After adding 'http://localhost' to the network.negotiate-auth.trusted-uris parameter, I can now issue CORS requests against all verbs using Firefox without being asked for credentials.

+7
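
The CORS protocol sends the preflight OPTIONS request without credentials, so the checks a browser applies to the preflight response for a `withCredentials` call can be modelled as below. This is an added example, not code from the question or the answers; the function name, origin and sample responses are constructed for illustration.

```javascript
// Returns the reasons a browser would block the credentialed request;
// an empty array means the preflight passes.
function checkCredentialedPreflight(request, preflight) {
  const h = {};
  for (const [k, v] of Object.entries(preflight.headers || {})) {
    h[k.toLowerCase()] = String(v).trim();
  }
  // A server demanding Windows auth on every verb answers the
  // credential-less OPTIONS with 401, and the check ends here.
  if (preflight.status < 200 || preflight.status > 299) {
    return [`preflight status ${preflight.status} is not 2xx`];
  }
  const problems = [];
  const list = (name) =>
    (h[name] || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin !== request.origin) {
    problems.push(allowOrigin === '*'
      ? 'wildcard origin is not accepted for credentialed requests'
      : 'Access-Control-Allow-Origin does not match the page origin');
  }
  if (h['access-control-allow-credentials'] !== 'true') {
    problems.push('Access-Control-Allow-Credentials is not "true"');
  }
  // GET, HEAD and POST are CORS-safelisted; other verbs must be listed.
  const method = request.method.toLowerCase();
  if (!['get', 'head', 'post'].includes(method) &&
      !list('access-control-allow-methods').includes(method)) {
    problems.push(`method ${request.method} is not allowed`);
  }
  // 'application/json' makes Content-Type a non-safelisted header.
  for (const name of request.headers.map((s) => s.toLowerCase())) {
    if (!list('access-control-allow-headers').includes(name)) {
      problems.push(`header ${name} is not allowed`);
    }
  }
  return problems;
}

// Constructed samples: the PUT from the question and three server replies.
const sampleRequest = { origin: 'http://localhost:50000', method: 'PUT', headers: ['Content-Type'] };
const denied = { status: 401, headers: { 'WWW-Authenticate': 'Negotiate' } };
const allowed = { status: 200, headers: {
  'Access-Control-Allow-Origin': 'http://localhost:50000',
  'Access-Control-Allow-Credentials': 'true',
  'Access-Control-Allow-Methods': 'PUT',
  'Access-Control-Allow-Headers': 'content-type' } };
const wildcard = { status: 200, headers: { ...allowed.headers, 'Access-Control-Allow-Origin': '*' } };
```

With anonymous authentication enabled so that the preflight can succeed, the API's GET/POST/PUT actions still need an explicit authorization requirement; otherwise they accept unauthenticated callers as well.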

I am currently working on this problem, and the solution of enabling anonymous authentication was something that I did not like. So, a little afraid, I found the right combination described in this. I'm still not 100% happy; I want to avoid the code in Global.asax, but through the web configuration I was not able to change the plane.

Hope this helps.

0