Since I don't know much about C# and .Net I often discover little things while working with it. I want to use this place to collect a few of them. Must people in my environment know that I know quite some things about HTTP and network communication. So I was recently asked by one of my relatives to assist in a test where they were putting two different systems together for te first time, since the guy responsible for that communication part wasn't available on that day. One system ("we") was written using C# ASPX the other ("they") was an SAP system developed in ABAP. The specification wasn' that complicated and read something like "Their systems does a HTTP POST request to our system, sending an XML document, which can be validated using an XSD schema to us and doesn't care about returned values or anything." Since I'm curious how such things work I built a short test application...
Coming from PHP this task would be quite easy for me: Just enable always_populate_raw_post_data in the php.ini file (or per host in the server's configuration) and then access the data using the $HTTP_RAW_POST_DATA variable. Since .Net has a stricter architecture you need some API to access it. I knew hat there's the request object holding most information about the current request and I looked at it's members and found a way to access the data. For a test I created an ASX web page and create the following test code:
public partial class foo : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
XmlDocument dom = new XmlDocument();
dom.Load(this.Request.InputStream);
}
}
For my first test this worked fine, while I've got an exception from dom.Load() since I didn't send an XML file. When sending the real document I got another Exception telling me "A potentially dangerous Request. Form value was detected from the client" That's a message created from the XSS protection integrated to ASP.NET 1.1 . To disable it one must either change the .aspx file and add an disable validation in the page tag
<%@Page Language="C#" validateRequest="false" %>)
or by changing the Web.config configuration file accordingly.
Sunday, March 11. 2007 at 20:24 (Reply)
Were you able to send an xml file via http post to the aspx page from SAP successfully? Did you do any other tweaks other than setting validate request to false. Please let me know..
Thx...
Gopi
Wednesday, March 14. 2007 at 00:52 (Reply)
in our case it worked fine and our system passed the test (while the other system sent us wrong data but that didn't matter for the test)