Potentially dangerous Request.Form in WSFederationAuthenticationModule.IsSignInResponse
Problem description
In my MVC3 site I've avoided setting requestValidationMode="2.0" with the new ValidateInput attribute, but now I'm trying to switch to WIF for authentication, and when the STS redirects back to my site, I'm getting the exception because WSFederationAuthenticationModule.IsSignInResponse is calling Request.Form instead of Request.Unvalidated().Form. Is there any way to deal with this without going to requestValidationMode="2.0" (which I really don't want to do)?
Here's the stack trace, so you can see what I mean. My Controller's method never really gets called.
[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (wresult="<trust:RequestSecuri...").]
System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) +8755668
System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, RequestValidationSource requestCollection) +122
System.Web.HttpRequest.get_Form() +114
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.IsSignInResponse(HttpRequest request) +21
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.CanReadSignInResponse(HttpRequest request, Boolean onPage) +121
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +78
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +148
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75
The correct way of dealing with this is to add a specific validator to the HttpRuntime that knows how to detect valid security tokens.
Look at any of the examples here: http://claimsid.codeplex.com/releases/view/62929
Here's an excerpt from one of those (sample #5 to be specific, which is also an MVC app):
namespace FShipping
{
    using System;
    using System.Web;
    using System.Web.Util;
    using Microsoft.IdentityModel.Protocols.WSFederation;

    // Custom ASP.NET 4.0 request validator: lets the WS-Federation "wresult" form field
    // through only when WIF can parse the post as a sign-in response; every other value
    // is still checked by the default validator.
    public class WsFederationRequestValidator : RequestValidator
    {
        protected override bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
        {
            validationFailureIndex = 0;

            if (requestValidationSource == RequestValidationSource.Form &&
                collectionKey.Equals(WSFederationConstants.Parameters.Result, StringComparison.Ordinal))
            {
                // Only the "wresult" field of a form post is exempted, and only if it is a SignInResponseMessage.
                if (WSFederationMessage.CreateFromFormPost(context.Request) as SignInResponseMessage != null)
                {
                    return true;
                }
            }

            // Fall back to the stock "potentially dangerous" check for everything else.
            return base.IsValidRequestString(context, value, requestValidationSource, collectionKey, out validationFailureIndex);
        }
    }
}
Here's the config:
<system.web>
    ...
    <httpRuntime requestValidationType="FShipping.WsFederationRequestValidator" />
</system.web>
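As an added illustration (not part of the claimsid sample or the answer above), the same validator can be narrowed a little further: the exemption applies only to a POST, only to the "wresult" field, and only when WIF actually parses the post as a sign-in response; a parse failure falls back to normal validation instead of throwing out of the validator. It assumes SignInResponseMessage exposes the token via a Result property and that HttpRequest.HttpMethod is available, as in the standard WIF and ASP.NET APIs.

```csharp
namespace FShipping
{
    using System;
    using System.Web;
    using System.Web.Util;
    using Microsoft.IdentityModel.Protocols.WSFederation;

    // Added example: a deliberately narrow validator. Everything that is not the
    // WS-Fed "wresult" field of a POST still goes through the default check, so
    // requestValidationMode can stay at 4.0 for the whole site.
    public class NarrowWsFederationRequestValidator : RequestValidator
    {
        protected override bool IsValidRequestString(
            HttpContext context, string value, RequestValidationSource requestValidationSource,
            string collectionKey, out int validationFailureIndex)
        {
            validationFailureIndex = 0;

            bool isWresultFormField =
                requestValidationSource == RequestValidationSource.Form &&
                collectionKey != null &&
                collectionKey.Equals(WSFederationConstants.Parameters.Result, StringComparison.Ordinal) &&
                string.Equals(context.Request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase);

            if (isWresultFormField && LooksLikeSignInResponse(context.Request))
            {
                return true; // the one value we knowingly let past request validation
            }

            // Other fields in the same POST (and all GET/query values) are still validated.
            return base.IsValidRequestString(context, value, requestValidationSource, collectionKey, out validationFailureIndex);
        }

        private static bool LooksLikeSignInResponse(HttpRequest request)
        {
            try
            {
                // Assumption: SignInResponseMessage.Result carries the wresult token text.
                var message = WSFederationMessage.CreateFromFormPost(request) as SignInResponseMessage;
                return message != null && !string.IsNullOrEmpty(message.Result);
            }
            catch (Exception)
            {
                // Malformed or non-WS-Fed post: not a sign-in response, so no exemption (fail closed).
                return false;
            }
        }
    }
}
```

Register it exactly like the answer's validator, via httpRuntime requestValidationType="FShipping.NarrowWsFederationRequestValidator"; the token itself is still authenticated by WSFederationAuthenticationModule afterwards, this class only decides which field skips the HTML-injection check.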