ASP.NET 4.5 requestValidation WIF和 [英] ASP.NET requestValidation 4.5 and WIF

问题描述

我有与ADFS的STS启用了Windows身份验证基础ASP.NET MVC应用程序。
该应用程序现在是在.NET 4.5与MVC 4。
当我从2.0更改ASP.NET requestValidation到4.5，我得到这个错误：

I have an ASP.NET MVC application with Windows Identity Foundation authentication enabled with ADFS as STS. The application is now on .NET 4.5 with MVC 4. When I change the ASP.NET requestValidation from 2.0 to 4.5, I get this error:

A potentially dangerous Request.Form value was detected from the client 
(wresult="<t:RequestSecurityTo...").

我想这是从ADFS重定向。
我该如何解决这个问题？

I guess this is the redirect from ADFS. How can I fix this?

推荐答案

欧亨尼奥我引向了正确的方向。但他闯民宅样品再也不在ASP.NET 4.5的工作。
正如我在他的回答已经评价说，这是导致计算器。这是因为所请求的数据时requestvalidation现已完成。所以当WSFederationMessage.CreateFromFormPost请求数据的验证完成。这会触发我们的requestvalidator。这requestvalidator WSFederationMessage.CreateFromFormPost再等等要求。
在WIF code一些挖后，我现在有一个稍微修改requestvalidator这是工作。相反，CreateFromFormPost我们使用CreateFromNameValueCollection（这也被CreateFromFormPost），但现在我们可以用Request.Unvalidated.Form喂它。

Eugenio guided me to the right direction. But the sample he is refering to is not working anymore in ASP.NET 4.5. As I already commented on his answer, it is resulting in a stackoverflow. This is because requestvalidation is now done when data is requested. So the validation is done when WSFederationMessage.CreateFromFormPost requests the data. This triggers our requestvalidator. And this requestvalidator calls WSFederationMessage.CreateFromFormPost again and so on. After some digging in the WIF code, I have now a slightly modified requestvalidator which is working. Instead of CreateFromFormPost we use CreateFromNameValueCollection (which is also used by CreateFromFormPost), but now we can feed it with Request.Unvalidated.Form.

public class RequestValidator : System.Web.Util.RequestValidator
{
    protected override bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
    {
        validationFailureIndex = 0;
        if (requestValidationSource == RequestValidationSource.Form &&
            collectionKey.Equals(WSFederationConstants.Parameters.Result, StringComparison.Ordinal))
        {
            if (WSFederationMessage.CreateFromNameValueCollection(WSFederationMessage.GetBaseUrl(context.Request.Url), context.Request.Unvalidated.Form) as SignInResponseMessage != null)
            {
                return true;
            }
        }
        return base.IsValidRequestString(context, value, requestValidationSource, collectionKey, out validationFailureIndex);
    }
}

这篇关于ASP.NET 4.5 requestValidation WIF和的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！