I am trying to develop a Ajax Webservice using VS2005 and IIS6. Its purpose is to query a database and return records as text/csv (not my choice!) based on a filtered MS Access Table. The Service must be accessible from any Client Browser (provided it supports Ajax and XMLHTTPRequest object) with the most likely being a Linux Server. This obviously involves the phenomenon of Cross-site HTTP requests. When the client is MS IE 8, it works without any fuss, probably because of that Web Tool's slapdash implementation of security. The problem arises in Firefox 12, where calling a function of the service returns HTTP/1.1 403 Forbidden. The web service code, in VB is as follows:
Option Explicit On
Option Strict On
Imports System.Web
Imports System.Web.Services
Imports System.Web.Services.Protocols
Imports System.ComponentModel
Imports System.Web.Script.Services
Imports System
Imports System.Data
Imports System.Data.OleDb
Imports System.Data.Odbc
<System.Web.Services.WebService(Namespace:="http://chpt.co.uk/CastusDataTransport")> _
<System.Web.Services.WebServiceBinding(ConformsTo:=WsiProfiles.BasicProfile1_1)> _
<ToolboxItem(False)> <ScriptService()> _
Public Class TransferToolData
Inherits System.Web.Services.WebService
Const AccConStr As String = "Provider=Microsoft.Jet.OLEDB.4.0; Data Source=c:\inetpub\wwwroot\Castus_Server\App_Data\db1.mdb"
<WebMethod()> _
Public Function GetJobRecords(ByVal ClientID As Long) As String
LogGrabJobData("Request for Job Data")
Return GrabJobData(ClientID)
End Function
Private Function GrabJobData(ByVal ID As Long) As String
Dim strData As String
Dim MyDB As New OleDbConnection
Dim drGet As OleDbDataReader
Dim cmdRetrieve As New OleDbCommand
Dim cs As String
Dim RecCount As Long
cs = AccConStr
MyDB = New OleDbConnection(cs)
cmdRetrieve.Connection = MyDB
cmdRetrieve.CommandText = "SELECT * FROM Job_Data WHERE Client_ID = " & ID.ToString
cmdRetrieve.Connection.Open()
drGet = cmdRetrieve.ExecuteReader
strData = "’Job_ID’, ’Client_ID’, ’Status_ID’, ’Product_ID’, ’Serial_No’, ’Date_IN’, ’RA_Scale’, ’Location’, ’Manager’, ’Operator’, ’Stage’\n"
RecCount = 0
Do While (drGet.Read())
strData &= Convert.ToString(drGet.Item("Job_ID")) & ","
strData &= Convert.ToString(drGet.Item("Client_ID")) & ","
strData &= Convert.ToString(drGet.Item("Status_ID")) & ","
strData &= Convert.ToString(drGet.Item("Product_ID")) & ","
'strData &= DelimitTextQuotes(Convert.ToString(drGet.Item("Client_Ref"))) & ","
strData &= DelimitTextQuotes(Convert.ToString(drGet.Item("Serial_No"))) & ","
strData &= Format(drGet.Item("Date_IN"), "d") & ","
'strData &= DelimitTextQuotes(Convert.ToString(drGet.Item("Notes"))) & ","
strData &= Convert.ToString(drGet.Item("RA_Scale")) & ","
strData &= DelimitTextQuotes(Convert.ToString(drGet.Item("Location"))) & ","
strData &= DelimitTextQuotes(Convert.ToString(drGet.Item("Manager"))) & ","
strData &= DelimitTextQuotes(Convert.ToString(drGet.Item("Operator"))) & ","
strData &= Convert.ToString(drGet.Item("Stage")) & "\n"
RecCount += 1
Loop
Return strData
End Function
And the client side calls it in the most pedestrian way:
function makeCall(){
var xmlHttp;
try {
xmlHttp = new XMLHttpRequest();
} catch (e) {
try {
xmlHttp = new ActiveXObject("Msxml2.XMLHTTP");
} catch (e) {
try {
xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
} catch (e) {
alert("This sample only works in browsers with AJAX support");
return false;
}
}
}
// Create result handler
xmlHttp.onreadystatechange=function(){
if(xmlHttp.readyState == 4){
document.getElementById("result").value = xmlHttp.responseText;
}
}
var url;
url = "http://chpt.co.uk/Castus_Server/TransferToolData.asmx/GetJobRecords";
var body = '{"ClientID":';
body = body + document.getElementById("num1").value + '}';
xmlHttp.open("POST", url, true);
xmlHttp.setRequestHeader("Content-type", "application/json");
xmlHttp.send(body);
}
The 403 error seems to come on the Preflight request from the Client (which I note that IE simply skips – a bad design fault that I wish other browsers would lower themselves to right now). The IIS Web Application is configured to return the following HTTP Headers:
Access-Control-Allow-Origin "*"
Access-Control-Allow-Headers Origin,cache-control,man,messagetype,x-requested-with
Access-Control-Allow-Methods POST,OPTIONS
The Firefox Browser/Server send the following headers:
Request URL:
http://chpt.co.uk/Castus_Server/TransferToolData.asmx/GetJobRecords
Request Method:
OPTIONS
Status Code:
HTTP/1.1 403 Forbidden
Request Headers
15:05:03.984
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding:gzip, deflate
Accept-Language:en-gb,en;q=0.5
Access-Control-Request-Headers:content-type
Access-Control-Request-Method:POST
Cache-Control:no-cache
Connection:keep-alive
Host:chpt.co.uk
Origin:null
Pragma:no-cache
User-Agent:Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0
Response Headers
?1984ms
Access-Control-Allow-Headers:Origin,cache-control,man,messagetype,x-requested-with
Access-Control-Allow-Methods:POST
Access-Control-Allow-Origin:*
Access-Control-Max-Age:120
Content-Length:1827
Content-Type:text/html
Date:Thu, 17 May 2012 14:04:54 GMT
MicrosoftOfficeWebServer:5.0_PubServer:Microsoft-IIS/6.0
X-Powered-By:ASP.NET
Now I have read the ‘Bible’ web page on this subject, [https://developer.mozilla.org/en/http_access_control#Access-Control-Allow-Methods][1] and have learned a few things but not the solution to my present problem. Just wondered if anyone could see where I was going wrong or point me in the right direction. Hope I haven’t bored everyone and that I have provided enough detail on my predicament.
As it is clear no one seems to know this one, and I can't waste any more time on it (I have already designed and proffered a workaround solution) I shall close this question down. It would seem that there is simply a glitch in the Cross-site HTTP Request API when using ScriptService() webservice. I shall try this again in a few months time to see if the problem has cleared up 'All by itself'! When I have a solution, I shall publish it here... Jim McGoldrick cablesafe.co.uk