Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

ASP.NET requestValidation 4.5 and WIF

Tags:

asp.net

wif

I have an ASP.NET MVC application with Windows Identity Foundation authentication enabled with ADFS as STS. The application is now on .NET 4.5 with MVC 4. When I change the ASP.NET requestValidation from 2.0 to 4.5, I get this error:

A potentially dangerous Request.Form value was detected from the client 
(wresult="<t:RequestSecurityTo...").

I guess this is the redirect from ADFS. How can I fix this?

like image 894
Jaap Avatar asked Nov 28 '22 22:11

Jaap

2 Answers

Upgrade your application to use WIF 4.5 included in the framework: http://msdn.microsoft.com/en-us/library/jj157089.aspx

Set RequestValidation to 4.5 mode:

<httpRuntime targetFramework="4.5" requestValidationMode="4.5" />

WIF 4.5 plays nicely with the request validation in ASP.NET 4.5.

like image 51
klings Avatar answered Dec 19 '22 02:12

klings

Eugenio guided me to the right direction. But the sample he is refering to is not working anymore in ASP.NET 4.5. As I already commented on his answer, it is resulting in a stackoverflow. This is because requestvalidation is now done when data is requested. So the validation is done when WSFederationMessage.CreateFromFormPost requests the data. This triggers our requestvalidator. And this requestvalidator calls WSFederationMessage.CreateFromFormPost again and so on. After some digging in the WIF code, I have now a slightly modified requestvalidator which is working. Instead of CreateFromFormPost we use CreateFromNameValueCollection (which is also used by CreateFromFormPost), but now we can feed it with Request.Unvalidated.Form.

public class RequestValidator : System.Web.Util.RequestValidator
{
    protected override bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
    {
        validationFailureIndex = 0;
        if (requestValidationSource == RequestValidationSource.Form &&
            collectionKey.Equals(WSFederationConstants.Parameters.Result, StringComparison.Ordinal))
        {
            if (WSFederationMessage.CreateFromNameValueCollection(WSFederationMessage.GetBaseUrl(context.Request.Url), context.Request.Unvalidated.Form) as SignInResponseMessage != null)
            {
                return true;
            }
        }
        return base.IsValidRequestString(context, value, requestValidationSource, collectionKey, out validationFailureIndex);
    }
}
like image 24
Jaap Avatar answered Dec 19 '22 00:12

Jaap
Sign in to Comment

Related questions

How to get RSACryptoServiceProvider public and private key only in c#
Converting GUID to Integer and Back
What is the fastest way to join Dictionary<string,string> into querystring?
How to enumerate files + folders recursively with System.IO.Directory.GetFiles
Eval check for DBNull doesnt work
Upload and resize image in Aspx
Entity Framework Error - The version of SQL Server in use does not support datatype 'datetime2'
.NET MVC3 Html.HiddenFor inside of foreach loop expecting a collection?
Linking to different areas on a page
Serialize only Date part of DateTime in web api 2
Why Implement the IEquatable<T> Interface
Convert Windows Forms application into Asp.net
What's the fastest way to get the info I need from MSDN?
How do I link to downloadable files in ASP.NET MVC?
Adding only new items from one list to another
Binding a Button click event in code behind
Prevent page refresh on pressing F5
How to reverse a LINQ to SQL query
Gridview RowCommand event is fired when I do sorting in gridview
Server tag is not well formed

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!