IIS REST Verbs give 404 and 401

I'm writing a REST service implemented in a single ashx handler class that was added to an initially empty ASP.NET Project. I test drive the service by using Fiddler's convenient Compose feature where you can send a http request and see the response.

404 Not Found

My GET and POST requests all work, but PUT and DELETE return status 404 from IIS and my code is never reached. I found it was necessary to go to IIS Manager > Web Site (or app) > Handler Mappings > double-click SimpleHandlerFactory-Integrated-4.0. In the dialog click Request Restrictions > Verbs tab > add PUT and DELETE and any other verbs you desire to the comma joined list.

401.3 Access is denied

I've overcome the 404 but now I get a security violation. Mercifully the default body of the response tells me it's a 401.3 which is an ACL violation on the ashx file. Procmon unexpectedly does not show me any Access Denied events to help me diagnose the violation. After a few experiments I conclude that you have to give Authenticated Users Read and Write permission to the ashx file.

And there goes another hour of my life I'll never get back.

---

Addendum March 29th 2016

A brand new small REST service was giving 404 for all DELETE verbs on my live server, not in development. I followed the instructions above but it made no difference. Then I noticed the Web.config file had a <system.webServer> <handlers> sections which was commented out. Inside it removed and added ExtensionlessUrlHandler-Integrated-4.0 allowing all verbs. I uncommented the section and now the deletes started working.

I presume I could also have edited the corresponding handler in the IIS configuration dialogs, but not this time.

Orthogonal Programming

Post Build ILMerge vs LibZ

For many years I used the ILMerge.exe utility in Visual Studio post build events to merge multiple .NET assemblies into a single assembly. This is most useful when you want to distribute an executable file and its dependent library files as a single EXE file. For Framework 4.0 projects I would add something this to the post build event:

"%ProgramFiles(x86)%\Microsoft\ILMerge\ILMerge.exe" /out:\\shared\utility\$(TargetFileName) /wildcards $(TargetFileName) *.dll /targetplatform:v4,%windir%\Microsoft.NET\Framework\v4.0.30319

I haven't tried using ILMerge on Framework 4.5 projects, but web searches hint that there are a few hurdles to getting it working.

It is well known that ILMerge does not work on WPF assemblies. The author says:

ILMerge is not able to merge WPF assemblies. They contain resources with encoded assembly identities. ILMerge is unable to deserialize the resources, modify the assembly identities, and then re-serialize them. Sorry!

In 2013 I stumbled upon an ILMerge replacement utility called LibZ (see Codeplex). The author explains the motivation for writing LibZ on the home page and has a nice technical discussion of how it works. Most importantly for me, LibZ has no problem with WPF assemblies. I have replaced all of my ILMerge post build commands like the one above with something like this:

xcopy $(TargetFileName) \\shared\utility /Y /D
libz inject-dll -a \\shared\utility\$(TargetFileName) -i *.dll

Notice that I copy the target file to the shared utility folder where it will finally live, then I process that file. I prefer to do that so the original build output file remains untouched.

Orthogonal Programming

pkzipc extract to subfolder

I was trying to extract all files from a zip into a subfolder like this:

pkzipc -ext -dir \\shared\archive\140325.zip * tempfiles

But no matter what I did it kept extracting the files into the current folder. My command looked similar to the sample in the official PDF online documentation (except they used ".." as the output folder).

It turns out you have make the subfolder first, otherwise pkzipc just silently ignores the output folder name you specify and puts them in the current folder.

So the sample used ".." which always exists and therefore always works. The weirdly bad example wasted 15 minutes of my time because I thought I had the syntax subtly wrong.

Orthogonal Programming

Real Random Numbers

July 2022 Update — The random.org and ANU Quantum web services are now behind paywalls. You have to register with both of them, even for free tier access, and the quota limits for free access are so cripplingly small that the services are now beyond the reach of hobby consumers. I hope that alternative similar services with more generous quotas may become available in the future. Some quick web searches reveal that there are hardware devices available that generate true random numbers, some cheap and simple, some very expensive. YouTube search results also suggest that this topic is clearly of interest to programmers and engineers. Links to sample code below originally written in 2014 have been removed.

November 2022 Update — The random.org Integer Generator does provide a quota that is generous enough for hobby use.

I was pleased to discover that there are many public web services available that provide real random numbers. You can easily generate pseudo random numbers in every modern programming language and platform, but those numbers are generated by deterministic algorithms and are not truly random.

Popular algorithms such as combined LCGs, the Mersenne Twister and the Subtractive Generator produce astronomically long sequences of pseudo random numbers that pass the toughest batteries of tests for randomness. So long as these algorithms are seeded and used cautiously they will satisfy most normal requirements. Be aware though that the internal state of these algorithms can be deduced by watching a certain number of sequential outputs, after which the sequence can be predicted forever. This predictability makes such pseudo random sequences unsuitable for use in cryptography.

When randomness is required in cryptography you should use a cryptographically secure pseudo-random number generator. Developers on the .NET platform can use the RNGCryptoServiceProvider class. Secure random numbers are slower to generate; my RandPlot application shows that a combined LCG can generate 2,300,000 numbers per second whereas the crypto secure class generates 165,000 per second. In practice this 14x speed difference probably won't be an issue because secure random numbers are usually used in small quantities for seeds or keys.

Thanks to online services we now have an exciting new alternative to pseudo or secure random numbers: real random numbers generated by natural processes. I found the following services attractive because they are backed by robust theory and they have friendly APIs to allow client applications to consume them.

ANU Quantum Random Numbers Server

The Australian National University generates random data in real-time at 5.7 GBits/sec by measuring quantum fluctuations of the vacuum. They provide a Web API that returns random data as JSON in three selectable formats.

random.org

Randomness is distilled out of atmospheric noise generated by radio receivers tuned between stations. There is an old Web API that returns data as text or XML and there is a new JSON API.

I've personally become quite attracted to the ANU's Quantum generator because of its futuristic flavour, the tantalising and trustworthy theory behind it, the blazing fast speed of the generator and the simple API.

The wonderful thing about using a service like the Quantum generator is that you never have to worry about even the tiniest flaws that may theoretically appear in random numbers generated by algorithms. You will never need to re-seed the generator. The previous century of detailed research and measurement of random number algorithms becomes a historical curiosity when you have access to real random numbers.

Legacy codes samples and outdated commentary has been removed [July 2022].

Orthogonal Programming