APIM policy not able to return custom response for 'Method Not Allowed'

Question

APIM policy not able to return custom response for 'Method Not Allowed'

Umair Syed 0

I am trying to block the GET method on the operation that supports POST method. Here is the policy I am defining:

I have tried adding this condition on different levels including operation, api and product level but APIM is always returning 404 instead of my custom response. Here is a screengrab of the failed request in postman: User's image

And here is the successful request:
User's image

MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator

2023-04-11T18:33:14.4366667+00:00

Umair Syed I don't see the actual policy snippet in the question. Can you update the question with the policy snippet? Also, just to confirm that you have defined two operations, POST and GET and want to apply this policy for GET operation? If you can elaborate on how you defined APIs, that would be helpful.

Umair Syed 0

Here is the policy:

<policies>
    <inbound>
        <base />
        <choose>
            <when condition="@(context.Request.Method.Equals("GET") && context.Request.OriginalUrl.Path.ToString().Replace("/echo","").Equals("/resource"))">
                <return-response>
                    <set-status code="405" reason="Method Not Allowed" />
                    <set-header name="temp" exists-action="skip">
                        <value>@{ 
                            return context.Request.OriginalUrl.Path.ToString().Replace("/echo","");
                        }</value>
                    </set-header>
                </return-response>
            </when>
        </choose>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

I have two operations, POST and GET under the same api. On the POST operation, I want to disallow GET calls by sending back 405. But APIM is sending 404 even before it reads the policy.

MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator

2023-04-12T15:10:01.3433333+00:00

Umair Syed Basically, an operation is a combination of an HTTP verb and URL template as described here. Hence, you cannot define a policy in POST operation to block GET method since it never reaches the path. Instead, you would need to add an Operation for GET (Add an operation) and add a policy like above to return a custom response. Based on 404 error, it looks like GET operation was not defined for the URL path. I hope this helps and let me know if you have any questions.
MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator

2023-04-14T15:33:04.92+00:00

Umair Syed Just a follow up on my comment and see if it helped. If you still need assistance, let me know.
Syed, Umair 45 Reputation points

2023-04-17T00:15:54.21+00:00

Thanks heaps for the response. I tried the solution you suggested, and it works fine. However, does this mean I have to define same operation multiple times? So if an API has 3 operations, the swagger definition will have 3x5 entries for each verb GET,POST,PUT,DEL,PATCH because I am using swagger definitions to deploy an api. Is there any better way to block rest of the verbs and only allow the one that is defined?
MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator

2023-04-17T14:23:06.6233333+00:00

Syed, Umair I assume when you say three operations, you meant three different URL paths. In such cases, you can follow the below example and add additional conditions when checking the path. If you face any issues, let me know.

1 answer

Your answer

MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator

2023-04-11T18:33:14.4366667+00:00

Umair Syed I don't see the actual policy snippet in the question. Can you update the question with the policy snippet? Also, just to confirm that you have defined two operations, POST and GET and want to apply this policy for GET operation? If you can elaborate on how you defined APIs, that would be helpful.
Umair Syed 0 Reputation points

2023-04-12T06:52:15.04+00:00

Here is the policy:

<policies> <inbound> <base /> <choose> <when condition="@(context.Request.Method.Equals("GET") && context.Request.OriginalUrl.Path.ToString().Replace("/echo","").Equals("/resource"))"> <return-response> <set-status code="405" reason="Method Not Allowed" /> <set-header name="temp" exists-action="skip"> <value>@{ return context.Request.OriginalUrl.Path.ToString().Replace("/echo",""); }</value> </set-header> </return-response> </when> </choose> </inbound> <backend> <base /> </backend> <outbound> <base /> </outbound> <on-error> <base /> </on-error> </policies>

I have two operations, POST and GET under the same api. On the POST operation, I want to disallow GET calls by sending back 405. But APIM is sending 404 even before it reads the policy.
MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator

2023-04-12T15:10:01.3433333+00:00

Umair Syed Basically, an operation is a combination of an HTTP verb and URL template as described here. Hence, you cannot define a policy in POST operation to block GET method since it never reaches the path. Instead, you would need to add an Operation for GET (Add an operation) and add a policy like above to return a custom response. Based on 404 error, it looks like GET operation was not defined for the URL path. I hope this helps and let me know if you have any questions.
MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator

2023-04-14T15:33:04.92+00:00

Umair Syed Just a follow up on my comment and see if it helped. If you still need assistance, let me know.
Syed, Umair 45 Reputation points

2023-04-17T00:15:54.21+00:00

Thanks heaps for the response. I tried the solution you suggested, and it works fine. However, does this mean I have to define same operation multiple times? So if an API has 3 operations, the swagger definition will have 3x5 entries for each verb GET,POST,PUT,DEL,PATCH because I am using swagger definitions to deploy an api. Is there any better way to block rest of the verbs and only allow the one that is defined?
MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator

2023-04-17T14:23:06.6233333+00:00

Syed, Umair I assume when you say three operations, you meant three different URL paths. In such cases, you can follow the below example and add additional conditions when checking the path. If you face any issues, let me know.

Answer 1

Syed, Umair Ok, understood the problem and thanks for sharing the additional details. For your scenario, you can define an API with Operations that are supported (such as POST in your example). By default, if APIM couldn't find a matching operation (for verb and URL template), then it would return 404 NotFound. To override this behavior, you can add the following code snippet in All Operations so that 405 MethodNotFound is returned.

<on-error>
        <base />
        <choose>
            <when condition="@(context.LastError.Source == "configuration" && context.Request.Url.Path == "/notallowed/resource")">
                <return-response>
                    <set-status code="405" reason="Method not allowed" />
                    <set-body>@{
                        return new JObject(
                            new JProperty("status", "HTTP 405"),
                            new JProperty("message", "Method not allowed")
                        ).ToString();
                    }</set-body>
                </return-response>
            </when>
            <otherwise />
        </choose>
    </on-error>

Note, you need to replace context.Request.Url.Path with the actual URL path like /echo/resource (policy snippet reference: here) and this would return the error if no verb is defined for the path. I hope this helps with your question and let me know if you face any issues or have any questions.

If you found the answer to your question helpful, please take a moment to mark it as "Yes" for others to benefit from your experience. Or simply add a comment tagging me and would be happy to answer your questions.

MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator

2023-04-20T14:15:17.58+00:00

Syed, Umair I'm reaching out to see if you have any questions regarding the information provided. If you found the answer helpful, please consider marking it as "Yes".

Share via

APIM policy not able to return custom response for 'Method Not Allowed'

1 answer

Your answer