Monday, August 22, 2011

Building WIF enabled .NET 4 Web applications: Potentially dangerous request

When integrating Windows Identity Foundation in your web applications probably one of the first errors you will see is the following:

RequestError

In the description of the error is stated that you can solve the error by adding the following configuration to your web.config:

<httpRuntime requestValidationMode="2.0" />

This solves the issue indeed but reverts the validation mode back to the ASP.NET 2.0 version. A better solution is to create and register your own RequestValidator for WIF.

public class WIFRequestValidator : RequestValidator
{
protected override bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
{
validationFailureIndex = 0;

if (requestValidationSource == RequestValidationSource.Form && collectionKey.Equals(WSFederationConstants.Parameters.Result, StringComparison.Ordinal))
{
SignInResponseMessage message = WSFederationMessage.CreateFromFormPost(context.Request) as SignInResponseMessage;

if (message != null)
{
return true;
}
}

return base.IsValidRequestString(context, value, requestValidationSource, collectionKey, out validationFailureIndex);
}

}

You can then register the WIFRequestValidator in the web.config:

<httpRuntime requestValidationType="SampleApp.Security.WIFRequestValidator,SampleApp"/>

No comments: