Returning noData().withStatus(401) returns the default IIS 401 page in the body/filecontent


Brook Davies

Jun 18, 2015, 5:30:54 PM
to taffy...@googlegroups.com
Hello,

Second day using Taffy! Thank you Adam! Loving it so far. I am just trying to return a 401 without any body or even return my custom JSON message in the body with a 401 status, representationOf(local.result).withStatus(401), but I always get the default IIS page returned (below). How do I avoid this?

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>
<title>401 - Unauthorized: Access is denied due to invalid credentials.</title>
<style type="text/css">
<!--
body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}
fieldset{padding:0 15px 10px 15px;}
h1{font-size:2.4em;margin:0;color:#FFF;}
h2{font-size:1.7em;margin:0;color:#CC0000;}
h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;}
#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;
background-color:#555555;}
#content{margin:0 0 0 2%;position:relative;}
.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}
-->

</style>
</head>
<body>
<div id="header"><h1>Server Error</h1></div>
<div id="content">
 
<div class="content-container"><fieldset>
 
<h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>
 
<h3>You do not have permission to view this directory or page using the credentials that you supplied.</h3>
 
</fieldset></div>
</div>
</body>
</html>


Brook Davies

Jun 18, 2015, 5:32:30 PM
to taffy...@googlegroups.com
I should have mentioned, I am testing using CFHTTP..... But not sure that should make a difference?

Adam Tuttle

Jun 18, 2015, 8:46:57 PM
to taffy...@googlegroups.com
Hi Brook!

Welcome to the club. There's punch & pie in the back.

The reason you see those IIS error pages is an IIS setting very similar to ColdFusion's Robust Exception Information setting: In general, it's a good practice to hide things like system paths and full exception details.

Unfortunately, the way IIS is coded, it's not possible (out of the box) to have that IIS setting enabled AND return status codes other than 200 without triggering IIS's "friendly" response bodies. Assuming you're on IIS7 or later, this is where you need to go for the setting:




That said, know that by doing this for your whole website, you are exposing information that you probably don't want to.

Alternatively, setup a custom subdomain specifically for your API and only enable this setting for that website, or use custom error pages to conceal sensitive information while still allowing your custom response body (or none at all) to go through.

I can't walk you through the latter part though -- it's been years since I've done that and I need to figure it out again soon for myself.

Good luck!
Adam

--
You received this message because you are subscribed to the Google Groups "Taffy Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to taffy-users...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Brook Davies

Jun 18, 2015, 10:54:44 PM
to taffy...@googlegroups.com
Hi Adam,

Thank you so much for the quick reply. I figured it was related to that. I actually use a couple of custom error handlers as well for 404s and 403s, so I'll see if I can inspect the request in a custom 401 error handler and determine if it is part of the REST API and return the appropriate response. Thanks again!

Brook


Brook Davies

Jun 18, 2015, 10:59:46 PM
to taffy...@googlegroups.com
And BTW, you can set error pages at the folder level using IIS or just modifying the web.config file in the sub directory:

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <httpErrors errorMode="Custom">
            <error statusCode="401" prefixLanguageFilePath="" path="401.cfm" responseMode="ExecuteURL" />
        </httpErrors>
    </system.webServer>
</configuration>



Brook Davies

Jun 18, 2015, 11:57:55 PM
to taffy...@googlegroups.com
Hi Adam,

It seems you were right. Enabling detailed error messages works. But it is a security issue in production. A custom handler also works, but I can't access any of the request data from the Taffy response, and only have access to the query string which contains the 401;path which I can use to get the statusCode (since it gets reset to 200 when the custom error handler runs), and set it via cfheader back to 401 - but what I really need is access to data set in the request to Taffy (in this case the message about the missing API key).

Not sure how to get around this. Should I just return that default IIS page for 401's in the body and let the consumer handle the response based solely on the status code and maybe a header as opposed to trying to return a custom message in the response body in JSON?

Brook


Adam Tuttle

Jun 19, 2015, 8:54:10 AM
to taffy...@googlegroups.com
Well, in the case of a 401, you can probably guarantee that the response body is always going to be the same, right? Missing API key. What's more troubling is something like a 400, where you want to give the client specifics about what went wrong.

As I mentioned, I'm in a similar boat myself for an ongoing project. I'm going to keep trying to figure something out. If you beat me to it, please do post it here!

Brook Davies

Jun 19, 2015, 11:28:40 AM
to taffy...@googlegroups.com
Ahh yes, good point. I'll post if I find a solution to this...


Brook Davies

Jun 25, 2015, 1:19:57 PM
to taffy...@googlegroups.com
Hi Adam,

I am still working through this but think I may have found a solution. As you know, the only way to return a custom status code and a JSON response (without IIS returning its default error page) is to enable detailed error messages in IIS. But then you expose too much sensitive info including file paths. I found what appears to be a solution (not fully tested).

This web.config example works for me (so far) to have custom errors enabled, but still return a nice JSON response.


<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
    <httpErrors existingResponse="PassThrough" errorMode="Custom" />
    </system.webServer>
</configuration>

Let me know if it works for you! The existingResponse="PassThrough" was the key.
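Added example, not code from this thread or from Taffy: a small Python audit of the three <httpErrors> choices discussed here (Detailed leaks paths, Custom alone replaces the API's own 401 body, Custom plus existingResponse="PassThrough" lets it through), with a smoke-test rule that tells the IIS friendly page apart from a JSON error body. The sample configs are constructed, and the IIS defaults it assumes for absent attributes (errorMode DetailedLocalOnly, existingResponse Auto) are assumptions, not something the thread states.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments (not taken from any real site).
CONFIG_DETAILED = """<configuration><system.webServer>
  <httpErrors errorMode="Detailed" /></system.webServer></configuration>"""
CONFIG_CUSTOM_DEFAULT = """<configuration><system.webServer>
  <httpErrors errorMode="Custom" /></system.webServer></configuration>"""
CONFIG_PASSTHROUGH = """<configuration><system.webServer>
  <httpErrors existingResponse="PassThrough" errorMode="Custom" />
</system.webServer></configuration>"""
# Trimmed copy of the friendly page IIS substituted for the 401 in the thread.
IIS_401_PAGE = """<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"><html><body>
<div id="header"><h1>Server Error</h1></div>
<h2>401 - Unauthorized: Access is denied due to invalid credentials.</h2>
</body></html>"""


def audit_http_errors(web_config_xml: str) -> dict:
    """Classify <httpErrors>: 'leaks', 'swallows' (API bodies lost) or 'ok'."""
    node = next(ET.fromstring(web_config_xml).iter("httpErrors"), None)
    # Assumed IIS defaults when the attribute, or the whole element, is absent.
    mode = node.get("errorMode", "DetailedLocalOnly") if node is not None else "DetailedLocalOnly"
    existing = node.get("existingResponse", "Auto") if node is not None else "Auto"
    if mode == "Detailed":
        verdict, reason = "leaks", "detailed errors send paths and exception text to every client"
    elif existing == "PassThrough":
        verdict, reason = "ok", "friendly pages stay on, but an existing app response is sent unchanged"
    elif existing == "Replace":
        verdict, reason = "swallows", "IIS replaces every error response body with its own page"
    else:  # Auto
        verdict, reason = "swallows", "IIS replaces the body unless the handler set its SetStatus flag"
    return {"errorMode": mode, "existingResponse": existing, "verdict": verdict, "reason": reason}


def looks_like_iis_error_page(body: str) -> bool:
    """True when a body is IIS's friendly error page rather than the API payload."""
    b = body.lstrip().lower()
    return b.startswith("<!doctype html") and "<h1>server error</h1>" in b


def api_error_response_ok(status: int, body: str) -> bool:
    """Smoke-test rule: a non-2xx API response must be the app's JSON error, not the IIS page."""
    if 200 <= status < 300:
        return True
    if looks_like_iis_error_page(body):
        return False
    try:
        return isinstance(json.loads(body), dict)
    except ValueError:
        return False
```

Run audit_http_errors over each site's web.config before deploying, and feed api_error_response_ok the status and body of a deliberately unauthenticated CFHTTP call so the check fails the moment a config change brings the IIS page back.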




Adam Tuttle

Jun 30, 2015, 8:25:16 AM
to taffy...@googlegroups.com
Brook, if ever we meet, I owe you a beer! Works great! Thanks for that!

Brook Davies

Jun 30, 2015, 4:03:28 PM
to taffy...@googlegroups.com
Happy to contribute! I owe you some beers too for all your hard work on Taffy, so looks like we'll be getting a little tipsy if we ever do meet ;)