Method Overriding

RESTful services allow clients to act on resources through methods such as GET, POST, PUT, DELETE, and so on. GET and POST are the most frequently used methods. Most corporate firewalls allow port 80, the typical port of HTTP. However, some do have restrictions in terms of the HTTP methods allowed: GET and POST are very common, but others such as DELETE can be disallowed. The X-HTTP-Method-Override header can help you work around this problem. A typical solution involving this header is to send X-HTTP-Method-Override in the request with the actual verb intended (DELETE or PUT) and submit the request using POST; that is, the request line with the dummy POST verb gets the request past the firewall. In ASP.NET Web API, a message handler, such as the one shown in Listing 4-2, can replace POST with the method specified in X-HTTP-Method-Override. The message handler runs early in the pipeline and is the extensibility point best suited for this purpose.
Figure 4-4. Request message

    Request line:      GET /home.html HTTP/1.1
    Request headers:   Accept: text/html
                       User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
                       Host: server.com
                       [Blank line indicating the end of request headers]
Chapter 4 ■ HTTP Anatomy and Security
Listing 4-2. Method Override
using System;
using System.Linq;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

public class MethodOverrideHandler : DelegatingHandler
{
    protected override async Task<HttpResponseMessage> SendAsync(HttpRequestMessage request,
        CancellationToken cancellationToken)
    {
        // Only a POST that carries the override header is a candidate for rewriting
        if (request.Method == HttpMethod.Post && request.Headers.Contains("X-HTTP-Method-Override"))
        {
            var method = request.Headers.GetValues("X-HTTP-Method-Override").FirstOrDefault();

            // Honor only PUT and DELETE (case-insensitive); any other value leaves the request as POST
            bool isPut = String.Equals(method, "PUT", StringComparison.OrdinalIgnoreCase);
            bool isDelete = String.Equals(method, "DELETE", StringComparison.OrdinalIgnoreCase);

            if (isPut || isDelete)
            {
                request.Method = new HttpMethod(method);
            }
        }

        return await base.SendAsync(request, cancellationToken);
    }
}
To test the preceding MethodOverrideHandler, you will need a tool like Fiddler, covered in depth later in this chapter. Fiddler is useful for capturing and analyzing HTTP traffic. It also lets you hand-code a request, complete with request headers, and send it to an endpoint with an HTTP method of your choice. Figure 4-5 illustrates how you can make a POST request with an X-HTTP-Method-Override header set to PUT. If MethodOverrideHandler is plugged into the pipeline by making an entry in the WebApiConfig.cs file under App_Start, this request will invoke the PUT action method in the controller instead of POST.
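The override means a firewall that filters on the request-line verb alone never sees the PUT or DELETE that the application actually executes, so an application-side log of the effective verb is what a reviewer needs. The following Python script is an added example, not code from the book: it mirrors the allowlist logic of MethodOverrideHandler (override honored only on POST, only for PUT or DELETE, case-insensitive), parses raw request text of the kind Fiddler's Composer sends, and flags every request whose effective verb differs from the request line. The request samples, paths and header values are constructed for the example.

```python
"""Effective-method resolution and auditing for X-HTTP-Method-Override.

Added example (not the book's code): a Python mirror of the handler's
allowlist logic, run over constructed raw HTTP requests.
"""
from typing import Dict, List, Tuple

OVERRIDE_HEADER = "x-http-method-override"
ALLOWED_OVERRIDES = {"PUT", "DELETE"}   # same allowlist as MethodOverrideHandler


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP/1.1 request into (method, target, headers).

    Only the head of the message (up to the blank line) is read. Header
    names are lower-cased so lookups are case-insensitive, as HTTP requires.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def effective_method(method: str, headers: Dict[str, str]) -> str:
    """Return the verb the Web API pipeline would act on.

    Mirrors MethodOverrideHandler: the override is honored only when the
    request-line verb is POST and the header names PUT or DELETE
    (compared case-insensitively). Anything else leaves the verb untouched.
    """
    if method != "POST":
        return method
    override = headers.get(OVERRIDE_HEADER, "").strip().upper()
    if override in ALLOWED_OVERRIDES:
        return override
    return method


def audit_overrides(raw_requests: List[str]) -> List[Tuple[str, str, str]]:
    """Flag requests whose effective verb differs from the request-line verb.

    Returns (request_line_verb, effective_verb, target) for each such request;
    a firewall looking only at the request line would have seen plain POST.
    """
    findings = []
    for raw in raw_requests:
        method, target, headers = parse_request(raw)
        eff = effective_method(method, headers)
        if eff != method:
            findings.append((method, eff, target))
    return findings


# Constructed sample requests (paths, host and body are made up for the example)
SAMPLE_REQUESTS = [
    # Figure 4-5 style: POST carrying an override to PUT
    "POST /api/employees/123 HTTP/1.1\r\n"
    "Host: server.com\r\n"
    "Content-Type: application/json\r\n"
    "X-HTTP-Method-Override: PUT\r\n"
    "\r\n"
    '{"name": "John"}',
    # lower-case header name and value: still honored (OrdinalIgnoreCase in the handler)
    "POST /api/employees/123 HTTP/1.1\r\nHost: server.com\r\nx-http-method-override: delete\r\n\r\n",
    # override on a GET is ignored by the handler
    "GET /api/employees HTTP/1.1\r\nHost: server.com\r\nX-HTTP-Method-Override: DELETE\r\n\r\n",
    # override to a verb outside the allowlist is ignored
    "POST /api/employees HTTP/1.1\r\nHost: server.com\r\nX-HTTP-Method-Override: PATCH\r\n\r\n",
    # plain POST, nothing to rewrite
    "POST /api/employees HTTP/1.1\r\nHost: server.com\r\n\r\n",
]


if __name__ == "__main__":
    for request_verb, effective_verb, target in audit_overrides(SAMPLE_REQUESTS):
        print(f"{request_verb} {target} is executed as {effective_verb}")
```

Running the script lists the two requests whose effective verb is PUT or DELETE; the GET with an override, the PATCH override and the plain POST are left as they are, exactly as the handler leaves them. The same parse-then-resolve step can be placed in front of an access log so the logged verb is the one the controller ran.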
HTTP Response

The HTTP response has the status line as the first line of the response. As shown in Figure 4-6, the status line starts with the HTTP version, followed by a space, followed by the status code and a space, and then the reason phrase. The status line, like the request line, is terminated by a CR and an LF character.
Figure 4-5. Fiddler Composer