none
Webinvoke(Method="DELETE") v Webinvoke(Method="POST") - Permissions error

    Question

  • Hi,
    I'm using Data Services 1.5CTP and I'm creating a batch-delete service operation to remove all of the records in a table using a single DELETE rather than looping through the entities individually.....

        <WebInvoke(Method:="POST")> _
        Public Function DeleteAllUploadedCosts() As Boolean
              ' Delete the records by executing a single DB command
              Return True
        End Function
    
    This works fine.  It responds with....
    <?xml version="1.0" encoding="utf-8" standalone="yes"?>
    <DeleteAllUploadedCosts p1:type="Edm.Boolean" xmlns:p1="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata" xmlns="http://schemas.microsoft.com/ado/2007/08/dataservices">true</DeleteAllUploadedCosts>
    However, it's a DELETE function, so I thought it would be a good idea to have the Invoke Method be DELETE....

        <WebInvoke(Method:="DELETE")> _
        Public Function DeleteAllUploadedCosts() As Boolean
        ...

    But when I do this I always get a permissions error - even though everything else remains exactly the same.....

        DELETE /myservicee/myservice.svc/DeleteAllUploadedCosts HTTP/1.1
        User-Agent: Fiddler
        Host: mylocalservice
    

    Responds with....

        HTTP/1.1 401 Unauthorized
        Server: Microsoft-IIS/5.1
        ...

    Any ideas?
    My ServiceOperation permission statement in InitialiseServiceis...
            config.SetServiceOperationAccessRule("*", ServiceOperationRights.All)
    


    Thursday, April 30, 2009 11:04 AM

Answers

  • We currently support only POST and GET verbs on the service operations (even in the recently released CTP). Is there a reason why you want to support  DELETE verb on service operation? The main reason for not supporting all the verbs is that from the client side, discovery becomes a issue - there is no way to know what verb to send for a service operation. Also service operations are black box to us - so we try and categorized them into side-effecting and non-side effecting ones. We recommend to use GET for non-side effection service opertions and use POST for side-effecting ones.

    Please let us know if you think there is a good reason why DELETE verb should be supported.

    Thanks
    Pratik

    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by Dave Russell Tuesday, May 5, 2009 7:34 AM
    Friday, May 1, 2009 5:08 PM
    Moderator

All replies

  • Hi Dave ,
    Can you share the client code you are using to call this Service Operation ?
    I'd think you are using webrequest/HttpWebRequest directly.
    If you are doing this from Fiddler , can you check the authentication method on the Website hosting this service?
    From your earlier post, I dont know if I can assume that the DELETE verb is enabled , can you please check this too ?


    Phani Raj Astoria http://blogs.msdn.com/PhaniRaj
    Thursday, April 30, 2009 6:21 PM
    Moderator
  • I'm doing it directly from Fiddler, in the Request Builder.  I have got some client code, but haven't got as far as using it yet...

                Dim r As HttpWebRequest = WebRequest.Create(New Uri(Me.BaseUri, "DeleteAllUploadedCosts"))
                r.Method = "POST" ' Works with matching WebInvoke
    '           r.Method = "DELETE" ' Fails
    
                Dim rs As HttpWebResponse = r.GetResponse()
    
                Return rs.StatusCode
    
    The virtual directory hosting the .svc has only anonymous authentication enabled.  It has execute permissions of "Scripts and Executables".
    The IIS application's .svc extension allows MERGE, PUT and DELETE as extra verbs. 

    I have had permissions issues with DELETE (Only delete, not merge or put) before.  I thought they must have been unrelated as when I checked again the other day they were working OK - but I only checked the app functionality....I realised when I was investigating this I'd made another change which makes all my app's DELETE requests get sent in a SaveChanges(Batch)  - hence they are POSTed, not sent as DELETEs, so it could be that the delete verb isn't working for anything - not just this service operation.

    Is there anything else that can override my IIS verb's allowed?


    Friday, May 1, 2009 7:48 AM
  • Following on...

    I've tried a DELETE of an entity directly through Fiddler and that works fine, so it's just the DELETE verb being used with my ServiceOperation that is the problem - as I originally indicated.

    I did find some old posts (Apr 2008) which said that only POST was allowed for WebInvoke.  I'm assuming that's no longer the case?
    Friday, May 1, 2009 8:01 AM
  • We currently support only POST and GET verbs on the service operations (even in the recently released CTP). Is there a reason why you want to support  DELETE verb on service operation? The main reason for not supporting all the verbs is that from the client side, discovery becomes a issue - there is no way to know what verb to send for a service operation. Also service operations are black box to us - so we try and categorized them into side-effecting and non-side effecting ones. We recommend to use GET for non-side effection service opertions and use POST for side-effecting ones.

    Please let us know if you think there is a good reason why DELETE verb should be supported.

    Thanks
    Pratik

    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by Dave Russell Tuesday, May 5, 2009 7:34 AM
    Friday, May 1, 2009 5:08 PM
    Moderator
  • That's fair enough.  Perhaps a "not supported" error would be better than a permission-denied one though. Also, why bother having a parameter for the WebInvoke attribute if it has to be POST?

    I was trying to use DELETE because that's exactly what my Service Operation was doing - a group delete.  As EF and L2S don't support deleting a batch of records in one command my new SO to do this "batch delete" seemed to be an obvious DELETE verb candidate, but I don't have a problem making it POST.

    Thanks for your help.
    Tuesday, May 5, 2009 7:34 AM
  • Hi Dave,

    Just to clarify, the WebInvoke attribute is not specific to ADO.NET Data Services. That's why you need to include/reference System.ServiceModel.Web.

    http://msdn.microsoft.com/en-us/library/system.servicemodel.web.webinvokeattribute.aspx

    Further, the protocol implemented by ADO.NET Data Services allows for function-imports (or service operations) to use any HTTP verb, so this gives a logical extension point for future addition of other verbs, and much easier code reuse / interoperability.

    Though I fully agree that the system should have indicated the problem in a more straightforward way.
    Matt Meehan, ADO.NET Data Services (Astoria)
    Tuesday, May 5, 2009 3:49 PM
    Moderator
  • Further, the protocol implemented by ADO.NET Data Services allows for function-imports (or service operations) to use any HTTP verb , so this gives a logical extension point for future addition of other verbs, and much easier code reuse / interoperability.
    Matt,

    The whole purpose of this thread is that ServiceOperations DO NOT work with any HTTP verb - only GET (If you mark it with the WebGet attribute) or POST (if you mark it with the WebInvoke attribute) - DELETE does not work for ServiceOperations (I haven't tried PUT, MERGE, etc)

    Dave
    Wednesday, May 6, 2009 7:34 AM
  • Sorry for the confusion, I mean that the protocol itself supports any verb, and our implementation is currently limited to GET and POST. Changing the API to conform to only those two would make it that much harder to ever add support for the others.
    Matt Meehan, ADO.NET Data Services (Astoria)
    Wednesday, May 6, 2009 2:13 PM
    Moderator