IIS 7.5 + enable PUT and DELETE for RESTFul service, extensionless

百般思念 提交于 2019-11-26 17:10:07
John P

To get PUT and DELETE to be accepted by IIS 7.5 for a PHP 5.4 fast-CGI driven REST API I had to disable the WebDAV-module. Otherwise the WebDAV module intervenes the HTTP requests using PUT or DELETE. To get this working was however a bit confusing and I might have missed some steps or done it in another order.

These lines are placed as children of the <system.webServer>-element in web.config in the application root.

<modules>
    <remove name="WebDAVModule" />
</modules>
<handlers>
    <remove name="WebDAV" />
</handlers>

Hopes this might spare some frustration. It seems like the default setting for the server is to accept any HTTP verb not listed - see settings under Request filtering -> HTTP Verbs -> Edit feature Settings. One may consider to explicitly add the VERBS that are to be allowed. The verbs allowed may be specified appending this snippet, also as a child of <system.webServer>.

    <security>
        <requestFiltering>
            <verbs allowUnlisted="false">
                <add verb="GET" allowed="true" />
                <add verb="POST" allowed="true" />
                <add verb="DELETE" allowed="true" />
                <add verb="PUT" allowed="true" />
            </verbs>
        </requestFiltering>
    </security>

On a client machine one can uninstall the WebDAV module from here:

Control Panel -> Uninstall Program -> Turn Windows features on or off -> IIS -> World Wide Web Services -> Common HTTP feautre -> WebDAV Publishing

The last measure to get it working was by editing applicationhost.config found in C:\Windows\System32\inetsrv\config. Within <system.webServer> -> <handlers> you will see a php entry that has just verb="GET,HEAD,POST - amend it to add the verbs you require, e.g.:

<add name="PHP54_via_FastCGI" path="*.php" verb="GET,HEAD,PUT,DELETE,POST"/>
                                                                 |
                                                                 |
                                                                 |
append verbs here  ----------------------------------------------|

1.Go to IIS Manager.
2.Click on your app.
3.Go to "Handler Mappings".
4.In the feature list, double click on "WebDAV".
5.Click on "Request Restrictions".
6.In the tab "Verbs" select "All verbs" .
7.Press OK.

SerialSeb

See http://learn.iis.net/page.aspx/901/iis-express-faq/ that is linked from the OR wiki.

From the link (not block-quoted for readability):

A: You can modify the IIS Express applicationHost.config in the %userprofile%\documents\IISExpress\config folder. For example to enable PUT and DELETE for extensionless Urls scroll down to the bottom of the IIS Express applicationHost.config file and look for a handler entry that starts with:

<add name="ExtensionlessUrl-Integrated-4.0"

In the verb attribute add PUT and DELETE so the verb attribute looks like: verb="GET,HEAD,POST,DEBUG,PUT,DELETE".

My scenario was a web application in a web site on IIS 7.5. The web site had to continue to enable WebDAV, but the web application needed to turn it off in order to support PUT and DELETE in its REST API.

To get that working, the web application's Web.config needed this:

<modules runAllManagedModulesForAllRequests="true" runManagedModulesForWebDavRequests="true" >
  <remove name="WebDAVModule" />
</modules>

<handlers>
  <remove name="WebDAV" />
</handlers>

The important difference from the other answers here is the need for runManagedModulesForWebDavRequests="true"

For me this does the trick in the web.config.

<system.webserver>
    <handlers>
          <remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
          <add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE" modules="IsapiModule" scriptProcessor="c:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" resourceType="Unspecified" requireAccess="Script" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />

          <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
          <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE" type="System.Web.Handlers.TransferRequestHandler" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode,runtimeVersionv4.0" />
    </handlers>
<system.webserver/>

<system.web>
  <authentication mode="Windows" />
  <identity impersonate="true"/>
<system.web/>

I used following configuration:

  • IIS 7.5
  • Windows Server 2008 R2
  • Custom Application Pool, .NET 4.0, Integrated
  • Windows Authentication = true
  • Anonymous Authentication = false

Hope it helps. ;-)

Alph.Dev

URLScan tool users

If other answers still don't work and you get 404 error: these verbs may be explicitly rejected by the URLScan tool, if you have it installed.

You can configure [AllowVerbs] and [DenyVerbs] sections of the URLScan.ini file to meet your needs.

Beware of the security risks of enabling these verbs.

What worked for me was uninstalling WebDav completely.

Going into the handler mappings and setting WebDAV to handle all verbs is the only thing that worked for me, despite the fact that PUT and DELETE were already listed as handled verbs. The working web.config I have is:

  <system.webServer>
    <handlers>     
      <remove name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" />
      <remove name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" />
      <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
      <add name="ExtensionlessUrlHandler-ISAPI-4.0_32bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0" />
      <add name="ExtensionlessUrlHandler-ISAPI-4.0_64bit" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" modules="IsapiModule" scriptProcessor="%windir%\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0" />
      <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE,PATCH,OPTIONS" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
      <remove name="WebDAV" />
      <add name="WebDAV" path="*" verb="*" modules="WebDAVModule" resourceType="Unspecified" requireAccess="None" />
    </handlers>
  </system.webServer>
Sergio

in the web.config

<system.webServer>
    <handlers>
        <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
        <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE" type="System.Web.Handlers.TransferRequestHandler" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode,runtimeVersionv4.0" />
    </handlers>
</system.webServer>

you can also use the IIS management UI and define this globally, or default web server

I tried in IIS 8.

  • **uninstall WebDav Publishing

    Steps to uninstall -> Control Panel -> Go to Programs and features -> Turn windows featues on or off-> Select Internet Information Services->World Wide Web Services->Common HTTP Featues->"Remove" WebDAV Publishing by unchecking WebDAV option**

Reason for 500 error !

Hi all,

I want to post my own research too, I hope it would help future enthusiasts. As suggested in answers, I can't uninstall WebDav so I have added the line below in web config (from other answers)

 <system.webServer>
    <handlers>
        <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
        <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE" type="System.Web.Handlers.TransferRequestHandler" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode,runtimeVersionv4.0" />
    </handlers>
</system.webServer>

but I got a 500 error, when I have enabled debug mode found this

 Cannot add duplicate collection entry of type 'add' with unique key attribute 'name' set to 'ExtensionlessUrlHandler-Integrated-4.0'

Answer

Its because there was already an ExtensionlessUrlHandler in the handler mappings section, do the following to resolve the issue.

Method 1

1) Go to Your IIS Manager and select your app

2) Go to Handler Mappings feature

3) Find ExtensionlessUrlHandler-Integrated-4.0 and delete it.

4) Add ExtensionlessUrlHandler in your webconfig (as mentioned in above answers)

<system.webServer>
<handlers>
    <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
    <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="GET,HEAD,POST,DEBUG,PUT,DELETE" type="System.Web.Handlers.TransferRequestHandler" resourceType="Unspecified" requireAccess="Script" preCondition="integratedMode,runtimeVersionv4.0" />
</handlers>

Method 2

1) Remove ExtensionlessUrl handler from your web config

2) Click on your app in IIS Server, go to HandlerMappings

3) Find ExtensionlessUrlHandler-Integrated-4.0 (only this name, ignore others)

4) right click on it and choose Edit

edit handler

5) click on 'Request Restrictions' and select Verbs tab & choose All Verbs

this will enable extensionsless handler to allow all verbs.

I will go with method 1, as we can have control in web.config. But make sure you check the deployment server for duplicate handler definitions.

My web.config with asp.net core 1.0

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <modules>
      <remove name="WebDAVModule" />
    </modules>
    <handlers>
      <remove name="WebDAV" />
      <add name="aspNetCore" path="*" verb="*" modules="AspNetCoreModule" resourceType="Unspecified"/>
    </handlers>
    <aspNetCore processPath="%LAUNCHER_PATH%" arguments="%LAUNCHER_ARGS%" stdoutLogEnabled="true" stdoutLogFile=".\logs\stdout" forwardWindowsAuthToken="false"/>
  </system.webServer>
</configuration>
rhalf

In windows server 2012. Open applicationHost.config file in notepad with Administrator rights

applicationHost.config file is found in C:\Windows\System32\inetsrv\config

Locate the section

 <verbs allowUnlisted="false" applyToWebDAV="true">
   <add verb="GET" allowed="true" />
   <add verb="HEAD" allowed="true" />
   <add verb="POST" allowed="true" />
   <add verb="DELETE" allowed="false" />
   <add verb="TRACE" allowed="false" />
   <add verb="PUT" allowed="false" />
   <add verb="OPTIONS" allowed="false" />
</verbs>

Notice DELETE and PUT HTTP Verbs are set to false. Change them to true.

It should now read as below

 <verbs allowUnlisted="false" applyToWebDAV="true">
   <add verb="GET" allowed="true" />
   <add verb="HEAD" allowed="true" />
   <add verb="POST" allowed="true" />
   <add verb="DELETE" allowed="true" />
   <add verb="TRACE" allowed="false" />
   <add verb="PUT" allowed="true" />
   <add verb="OPTIONS" allowed="false" />
</verbs>

Save the file. You have enabled HttpPut and HttpDelete requests on your web server

标签
易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!