5

Alright, I'm having a tough time locating the problem since it works locally but after doing a publish the results are simply:

Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)

The code:

[RoutePrefix("api/v1/project")]
public class ProjectController : BaseApiController
{
    [HttpGet]
    public HttpResponseMessage GetProjects()
    {
        HttpResponseMessage resp = new HttpResponseMessage(HttpStatusCode.OK);
        if(User.Identity.IsAuthenticated)
        {
            var model = new ModelFactory().CreateProjects();
            resp = Request.CreateResponse(HttpStatusCode.OK, model);
        }
        return resp;
    }
}

public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // all actions under /project routes require authentication
        config.Routes.MapHttpRoute(
            name: "ProjectApi",
            routeTemplate: "api/v1/{controller}/{action}/{apikey}",
            defaults: new { apikey = RouteParameter.Optional },
            constraints: new { controller = "project" },
            handler: new BasicAuthHandler(config));

        // all routes require an API key
        config.MessageHandlers.Add(new ApiKeyHandler());
        config.MapHttpAttributeRoutes();
    }
}

I've tried several "solutions" from the net yet none of them seems to fix this. I've added the:

// Stop IIS/Asp.Net breaking our routes
RouteTable.Routes.RouteExistingFiles = true;

from: http://www.grumpydev.com/2013/09/17/403-14-error-when-trying-to-access-a-webapi-route/

And also made sure that:

<modules runAllManagedModulesForAllRequests="true">

Having the code above, using the following link gives a successful connection where it checks (in the correct order) the API key (ApiKeyHandler), checks if the user needs to log in (BasicAuthHandler) and then goes to the method in the controller ({controller}/{action}).

// THIS WORKS!
http://localhost:51077/api/v1/project/getprojects?apikey=123456

Then we do a publish and try the same thing:

// This is haunted with number 403
http://website.com/api/v1/project/getprojects?apikey=123456

gives the Error Code: 403 Forbidden.

I am clueless. I've even tried changing the whole publish folder's security settings for "NETWORK SERVICE" to full access.. no change.

Let me know if you need any more intel.

Yenza
  • How do you publish the site? Does the App Pool user have permissions in the publication folder? Which kind of authorization is implemented in your app? Are you using SSL or not? Can you access a file on the root of your site? – JotaBe May 26 '15 at 13:36
  • I'm using the MVS (2012 Professional) 'Publish Web site' under BUILD. Yes it does. Simple one, pops up a "username, password" field and it is sent back + saved as a cookie. Nope, no SSL. Yes I can access all of them. – Yenza May 27 '15 at 05:47
  • I just remotely connected to the web server machine and tried the haunted 403 address and it works on that machine so I'm thinking that there is something blocking outside calls. – Yenza May 27 '15 at 09:13

1 Answer

3

Called the web server machine fellas and they had a firewall blocking incoming Web API calls with authentication. It now works as it should :)

Yenza
  • Just to add to this. I had the same issue and ended up with probably the same solution; however the specific thing my IT guy had to change was the delegation properties in Forefront TMG. https://stackoverflow.com/questions/54679601/web-api-403-forbidden-outside-of-network-using-bearer-token/54699059#54699059 – Rafiki Feb 14 '19 at 21:10
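The diagnosis reached in this thread (the URL works on the server itself, returns 403 from outside, and a firewall turns out to be the cause) can be checked from the responses alone. The following is an added example, not code from any of the posts: it guesses which layer produced a 403 and compares two vantage points. The function names, the sample headers and the rule that a trailing five-digit code in the body marks a gateway-generated page are assumptions.

```python
import re

# Body text of the 403 quoted in the question; the trailing numeric code in
# parentheses is treated here as a gateway marker (assumption).
GATEWAY_BODY = re.compile(
    r"server denied the specified Uniform Resource Locator \(URL\).*\((\d{5})\)", re.S)
# IIS error pages carry a sub-status such as 403.14.
IIS_SUBSTATUS = re.compile(r"\b403\.(\d{1,2})\b")


def classify_403(status, headers, body):
    """Guess which layer produced a 403: 'gateway', 'iis', 'application' or 'unknown'."""
    if status != 403:
        return "not-403"
    h = {k.lower(): v for k, v in headers.items()}
    if GATEWAY_BODY.search(body) or "via" in h:
        return "gateway"
    if IIS_SUBSTATUS.search(body):
        return "iis"
    if "x-aspnet-version" in h or h.get("content-type", "").startswith("application/json"):
        return "application"
    return "unknown"


def compare_probes(on_server, external):
    """Each probe is (status, headers, body) for the same URL from two vantage points."""
    if on_server[0] == 200 and external[0] == 403:
        origin = classify_403(*external)
        return "blocked on the network path" + (" (gateway page)" if origin == "gateway" else "")
    if on_server[0] == external[0] == 403:
        return "rejected by " + classify_403(*on_server)
    return "no difference between vantage points"


# Constructed samples: the first body is the error text from the question.
EXTERNAL = (403, {"Content-Type": "text/html"},
            "Error Code: 403 Forbidden. The server denied the specified Uniform "
            "Resource Locator (URL). Contact the server administrator. (12202)")
ON_SERVER = (200, {"Content-Type": "application/json", "X-AspNet-Version": "4.0.30319"}, "[]")
IIS_403 = (403, {"Server": "Microsoft-IIS/8.0"}, "HTTP Error 403.14 - Forbidden")

if __name__ == "__main__":
    print(compare_probes(ON_SERVER, EXTERNAL))
    print(classify_403(*IIS_403))
```

A 403 whose body and headers do not look like anything IIS or the Web API code would emit is a reason to check firewalls and reverse proxies before changing routes or folder permissions.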