3

I'm simply making an AJAX GET request to my WebAPI method - IE is fine, but Chrome and Firefox return a 401 Unauthorized error.

Here's my jQuery, client-side code that makes the AJAX call to my WebAPI:

(function ($) {
    $.displayToastrNotifications = function (appId) {
        $.support.cors = true;
        var userId = '';

        // get current user's ID
        $.ajax({
            url: 'http://server/AppTools/API/Identity/GetCurrentlyLoggedInUserId',
            type: 'GET',
            dataType: 'text',
            crossDomain: true,
            success: function (data) {
                userId = data;
                // get all messages for the app
                $.ajax({
                    url: 'http://server/AppToolsWS/api/BulletinBoard/GetMessagesForApp/' + appId,
                    type: 'GET',
                    dataType: 'json',
                    crossDomain: true,
                    success: function (data) {
                        DisplayToasterNotifications(data);
                    },
                    error: function (x, y, z) {
                        alert('getmessagesforapp: ' + x + '\n' + y + '\n' + z);
                    }
                });
            },
            error: function (x, y, z) {
                alert('getuserid: ' + x + '\n' + y + '\n' + z);
            }
        });
...

And here's my WebAPI method:

[EnableCors("*", "*", "*")]
public class IdentityController : ApiController
{
    [HttpGet]
    public HttpResponseMessage GetCurrentlyLoggedInUserId()
    {
        var userid = string.Empty;
        try
        {
            userid = HelperClasses.StringHelper.GetLogonUserID();
        }
        catch (Exception ex)
        {

        }

        return this.Request.CreateResponse(HttpStatusCode.OK, userid, "text/plain");
    }
}

I can manually navigate to this method in any browser and it returns data back successfully. It's weird, I'm not sure why it's doing this in Firefox and Chrome - I am on a company intranet using AD - any ideas?

Mike Marks
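
Added example, not part of the question or either answer: the check a browser applies to a cross-origin response (per the Fetch standard), showing how the "*" origin from EnableCors("*", "*", "*") is treated once a request carries credentials such as an AD logon. The origin http://intranet-app.example and both header sets are constructed sample values.

```javascript
// Added example: the browser's CORS check, modelled after the Fetch standard.
// pageOrigin:      origin of the page issuing the XHR
// withCredentials: true when cookies / HTTP auth are attached to the request
// headers:         response headers, keyed by lower-case name
function corsCheck(pageOrigin, withCredentials, headers) {
  const allowOrigin = headers['access-control-allow-origin'];
  const allowCreds = headers['access-control-allow-credentials'];
  if (allowOrigin === undefined) {
    return { allowed: false, reason: 'no Access-Control-Allow-Origin header' };
  }
  // The wildcard only satisfies requests sent without credentials.
  if (!withCredentials && allowOrigin === '*') {
    return { allowed: true, reason: 'wildcard accepted, no credentials sent' };
  }
  if (allowOrigin !== pageOrigin) {
    const reason = allowOrigin === '*'
      ? 'wildcard rejected for a credentialed request'
      : 'origin mismatch';
    return { allowed: false, reason };
  }
  if (!withCredentials) {
    return { allowed: true, reason: 'origin matched, no credentials sent' };
  }
  // Credentialed requests also need an explicit, case-sensitive opt-in.
  if (allowCreds !== 'true') {
    return { allowed: false, reason: 'Access-Control-Allow-Credentials is not "true"' };
  }
  return { allowed: true, reason: 'origin matched, credentials allowed' };
}

const PAGE = 'http://intranet-app.example'; // constructed sample origin
const WILDCARD = { 'access-control-allow-origin': '*' };
const EXPLICIT = {
  'access-control-allow-origin': PAGE,
  'access-control-allow-credentials': 'true',
};

// Runs the three constructed cases and returns [label, result] pairs.
function demo() {
  return [
    ['wildcard, anonymous', corsCheck(PAGE, false, WILDCARD)],
    ['wildcard, credentialed', corsCheck(PAGE, true, WILDCARD)],
    ['explicit, credentialed', corsCheck(PAGE, true, EXPLICIT)],
  ];
}
for (const [label, result] of demo()) {
  console.log(`${label}: ${result.allowed ? 'exposed' : 'blocked'} (${result.reason})`);
}
```

In jQuery the credentialed case is requested with xhrFields: { withCredentials: true }; on the Web API side, EnableCorsAttribute has a SupportsCredentials property that emits the second header.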

2 Answers

0

Please add this to your web.config

<location path="api">
    <system.web>
        <authorization>
            <allow users="*"/>
        </authorization>
    </system.web>
</location> 

You can find more information here:

http://msdn.microsoft.com/en-us/library/wce3kxhd%28v=vs.100%29.aspx

Disable Windows Authentication for WebAPI

Dalorzo
  • You cannot use routing or web.config files to secure your MVC application. The only supported way to secure your MVC application is to use a base class with an [Authorize] attribute, and then have each controller type subclass that base type. -per MSDN – Mike Marks Jan 10 '14 at 20:55
  • @MikeMarks please take a look at http://msdn.microsoft.com/en-us/library/wce3kxhd%28v=vs.100%29.aspx – Dalorzo Jan 10 '14 at 20:57
0

Close all sessions of Chrome and try running Chrome from cmd (Windows) using the command 'chrome.exe --disable-web-security --user-data-dir'.

Chrome will issue a warning header if you have done it correctly: "You are using an unsupported command-line flag: --disable-web-security. Stability and security will suffer".

Amey P Naik