Potentially dangerous Request.Form in WSFederationAuthenticationModule.IsSignInResponse

Views: 148

Problem description


In my MVC3 site I've avoided setting requestValidationMode="2.0" with the new ValidateInput attribute, but now I'm trying to switch to WIF for authentication, and when the STS redirects back to my site, I'm getting the exception because WSFederationAuthenticationModule.IsSignInResponse is calling Request.Form instead of Request.Unvalidated().Form ... is there any way to deal with this without going to requestValidationMode="2.0" (which I really don't want to do).

Here's the stack trace, so you can see what I mean. My Controller's method never really gets called.

[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (wresult="<trust:RequestSecuri...").]
   System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) +8755668
   System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, RequestValidationSource requestCollection) +122
   System.Web.HttpRequest.get_Form() +114
   Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.IsSignInResponse(HttpRequest request) +21
   Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.CanReadSignInResponse(HttpRequest request, Boolean onPage) +121
   Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +78
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +148
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75

Solution

The correct way of dealing with this is to add a specific validator to the HttpRuntime that knows how to detect valid security tokens.

Look at any of the examples here: http://claimsid.codeplex.com/releases/view/62929

Here's an excerpt from one of those (sample #5 to be specific, which is also an MVC app):

namespace FShipping
{
    using System;
    using System.Web;
    using System.Web.Util;
    using Microsoft.IdentityModel.Protocols.WSFederation;

    // Custom request validator registered via <httpRuntime requestValidationType="...">.
    // Every other form/query value still goes through the default ASP.NET request
    // validation; only the WS-Federation "wresult" form field gets the extra check below.
    public class WsFederationRequestValidator : RequestValidator
    {
        protected override bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
        {
            validationFailureIndex = 0;

            // Only relax validation for the POSTed wresult parameter of a sign-in response.
            if (requestValidationSource == RequestValidationSource.Form &&
                collectionKey.Equals(WSFederationConstants.Parameters.Result, StringComparison.Ordinal))
            {
                // Accept the value only if WIF can parse the form post as a SignInResponseMessage.
                // This skips the HTML-markup check only; the token's signature is still
                // verified separately by the WS-Federation module.
                if (WSFederationMessage.CreateFromFormPost(context.Request) as SignInResponseMessage != null)
                {
                    return true;
                }
            }

            // Everything else falls back to the default validator.
            return base.IsValidRequestString(context, value, requestValidationSource, collectionKey, out validationFailureIndex);
        }
    }
}

Here's the config:

<system.web> 
...   
   <httpRuntime requestValidationType="FShipping.WsFederationRequestValidator" />
</system.web>
