"HTTP POST /sales/clientapi/SuperState/KeepAlive" fails when web service api is disabled

Hi,

I noticed in the log for the SO Sales Web Site, that some part seems to be requesting a "KeepAlive"-endpoint in the internal NetServer of the Sales Web Site.

This fails as the web service api is disabled on this site, as we have a separate NetServer for potential API-integrations.

I was of the impression that the SO Web Client or other parts didn't need this access.

I would rather not have the whole log filled with these kinds of warnings. Can it be disabled in any way?

Also, is this a problem and if so, in what exact technical way?

I would rather not enable the web service API on the Sales Web Site if not needed for some reason.

SO Version
SO 9.2 R09 Onsite

Error Message

==================================================================================================
Error	2021-06-02T08:45:30.59	SuperOffice.Services.WebApi.Handlers.SoWebApiAuthenticationHandler		HTTP POST /sales/clientapi/SuperState/KeepAlive HTTP POST /sales/clientapi/SuperState/KeepAlive Agent: webapi method: POST/sales/clientapi/SuperState/KeepAlive token:  (null identity)    at SuperOffice.Web.Security.HttpContextProvider.SetCurrentContext(SoContextContainer newContext)
   at SuperOffice.SoContext.Authenticate(SecurityToken[] tokens)
   at SuperOffice.DCF.Web.SoFormsAuthentication.LoginIn(SoSession& soSession, LoginOperation loginOperation)
   at SuperOffice.DCF.Web.SoFormsAuthentication.TryAutomatedLogin(SoSession& session, SetLicenseFailure licenseFailure, Boolean testForImplicitLogin, AutomatedLoginAction action)
   at SuperOffice.DCF.Web.SoFormsAuthentication.RedirectIfNotAuthenticated(Boolean allowExceptions)
   at SuperOffice.DCF.Web.Protocol.SoProtocolModule.<>c.<Init>b__3_0(Object sender, EventArgs args)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
   at System.Web.HttpApplication.PipelineStepManager.ResumeSteps(Exception error)
   at System.Web.HttpApplication.BeginProcessRequestNotification(HttpContext context, AsyncCallback cb)
   at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
   at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)
   at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
 (null) MSSQL - 13 \\\ <SERIAL-XXX> SuperOffice 9.2 R9 NetServer 9.2 Release (Build: Release92R9_2021.05.25-04) 9.2.0.0 9.2.7815.1722 Release92R9_2021.05.25-04 Default <SOSERVERNAME-XXX> NetServer	
Error	2021-06-02T08:45:30.65	System.InvalidOperationException		LogExceptionError message: Web service requests are disabled in .config file and is not permitted for this installation. Attempted to call webapi.POST/sales/clientapi/SuperState/KeepAlive (null identity)    at SuperOffice.Web.Security.HttpContextProvider.SetCurrentContext(SoContextContainer newContext)
   at SuperOffice.SoContext.Authenticate(SecurityToken[] tokens)
   at SuperOffice.DCF.Web.SoFormsAuthentication.LoginIn(SoSession& soSession, LoginOperation loginOperation)
   at SuperOffice.DCF.Web.SoFormsAuthentication.TryAutomatedLogin(SoSession& session, SetLicenseFailure licenseFailure, Boolean testForImplicitLogin, AutomatedLoginAction action)
   at SuperOffice.DCF.Web.SoFormsAuthentication.RedirectIfNotAuthenticated(Boolean allowExceptions)
   at SuperOffice.DCF.Web.Protocol.SoProtocolModule.<>c.<Init>b__3_0(Object sender, EventArgs args)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
   at System.Web.HttpApplication.PipelineStepManager.ResumeSteps(Exception error)
   at System.Web.HttpApplication.BeginProcessRequestNotification(HttpContext context, AsyncCallback cb)
   at System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
   at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)
   at System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr pHandler, RequestNotificationStatus& notificationStatus)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
   at System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr rootedObjectsPointer, IntPtr nativeRequestContext, IntPtr moduleData, Int32 flags)
 (null) MSSQL - 13 \\\ <SERIAL-XXX> SuperOffice 9.2 R9 NetServer 9.2 Release (Build: Release92R9_2021.05.25-04) 9.2.0.0 9.2.7815.1722 Release92R9_2021.05.25-04 Default <SOSERVERNAME-XXX> NetServer Web service requests are disabled in .config file and is not permitted for this installation. Attempted to call webapi.POST/sales/clientapi/SuperState/KeepAlive    at SuperOffice.Services.WcfService.SoWcfRequestInterceptor.OnAuthenticate(String service, String method, String requestApplicationToken)
   at SuperOffice.Services.WebApi.Handlers.SoWebApiAuthenticationHandler.LoginAndExecute(HttpRequestMessage request, CancellationToken cancellationToken, SecurityToken token, String applicationToken, Func`3 executeRequest) SoCore	
  	Exception Message:Web service requests are disabled in .config file and is not permitted for this installation. Attempted to call webapi.POST/sales/clientapi/SuperState/KeepAlive
  	Exception Source:SoCore
  	Exception Target:System.Object OnAuthenticate(System.String, System.String, System.String)
  	   at SuperOffice.Services.WcfService.SoWcfRequestInterceptor.OnAuthenticate(String service, String method, String requestApplicationToken)
  	   at SuperOffice.Services.WebApi.Handlers.SoWebApiAuthenticationHandler.LoginAndExecute(HttpRequestMessage request, CancellationToken cancellationToken, SecurityToken token, String applicationToken, Func`3 executeRequest)
==================================================================================================


Best Regards
Marcus

RE: "HTTP POST /sales/clientapi/SuperState/KeepAlive" fails when web service api is disabled

Web client is using the API a lot more actively now. 

All the archives are now populated using web api calls, so disabling the webapi & services will break the web client.

 

(we should probably take these switches out now - they are not useful any more)

By: Christian Mogensen 10 Jun 2021

RE: "HTTP POST /sales/clientapi/SuperState/KeepAlive" fails when web service api is disabled

Hi Christian,

Thanks for this, then pretty important, input.

Until these settings are removed, maybe this information should be added to the installation instructions as a requirement then? :)

BUT
But, if the archives now are populated using web api calls, I don't understand why all archives seem to work in this installation anyway. Is there some kind of fall-back-feature that kicks in?

The below is the web.config-setting for the Sales Site.

I have tried to call the API both via the Sales Website as well as my separate NetServer (which should accept calls) and the sales website refuses calls while the "open" netserver accepts calls. So the set access seems utilized.

What could be the reason for the archive to still work?

Is there some kind of test that could be made in the Sales/Service GUI that would verify a "broken" functionality due to this setting?

Other features using the web api

How will the different workflows below be affected?

  • Service -> Netserver
  • Netserver -> Service
  • Service-Triggers
  • Sales-triggers
  • Webhooks

I have a hunch that there is a bunch of underlying dependencies on the api for these workflows to work.

Security

What about the discussion about security? In Online I assume that the web client has access to the web api, but the api isn't available for any other apps, if not specifically approved with some kind of app-key. I assume that the same functionality isn't implemented per default in onsite but the API will instead be open for all callers. Right?

If the web-gui requires the api to be accessible, is there some simple and secure way of locking it down for other callers?

/Marcus

By: Marcus Svenningsson 10 Jun 2021