WIF, ASP.NET 4.0 and Request Validation
Posted
by Your DisplayName here!
on Least Privilege
See other posts from Least Privilege
or by Your DisplayName here!
Published on Sat, 24 Jul 2010 08:14:36 GMT
Indexed on
2010/12/06
17:00 UTC
Read the original article
Hit count: 412
IdentityModel
Since the response of a WS-Federation sign-in request contains XML, the ASP.NET built-in request validation will trigger an exception. To solve this, request validation needs to be turned off for pages receiving such a response message.
Starting with ASP.NET 4.0 you can plug in your own request validation logic. This allows letting WS-Federation messages through, while applying all standard request validation to all other requests. The WIF SDK (v4) contains a sample validator that does exactly that:
public class WSFedRequestValidator : RequestValidator
{
protected override bool IsValidRequestString(
HttpContext context,
string value,
RequestValidationSource requestValidationSource,
string collectionKey,
out int validationFailureIndex)
{
validationFailureIndex
= 0;
if (
requestValidationSource == RequestValidationSource.Form
&&
collectionKey.Equals(
WSFederationConstants.Parameters.Result,
StringComparison.Ordinal
) )
{
SignInResponseMessage message
=
WSFederationMessage.CreateFromFormPost(context.Request)
as SignInResponseMessage;
if (message
!= null)
{
return true;
}
}
return base.IsValidRequestString(
context,
value,
requestValidationSource,
collectionKey,
out validationFailureIndex
);
}
}
<httpRuntime requestValidationType="WSFedRequestValidator" />
© Least Privilege or respective owner