Xml Serialization SAML 2 Response and nullable element

Yesterday I wrote about my adventures serializing a SAML 2 response with XML serialization. Today we continue with what the XSD.exe tool generates and one other issue you may run into.
If you look at the SAML 2 response XSD, you will see a few xs:dateTime definitions, such as the NotOnOrAfter attribute on Conditions.
When XSD.exe generates the classes, it does something special with properties whose CLR type is non-nullable (DateTime, int, bool and so on): it adds a second property named "<propertyname>"Specified; in our case the generated class has a NotOnOrAfterSpecified property. XSD.exe decorates this property with [XmlIgnoreAttribute()] so it is never serialized itself; it is the switch the serializer consults to decide whether the non-nullable member should be written at all.
If you change nothing and serialize your class, you will see that NotOnOrAfter is not serialized (even if it has a value), because NotOnOrAfterSpecified defaults to false. For a SAML assertion this is worse than a cosmetic bug: the assertion you issue then carries no expiry, and a relying party that accepts it has no upper bound on how long it stays valid.

You have two options to get NotOnOrAfter serialized:
Option 1: Set the NotOnOrAfterSpecified property to true whenever you set NotOnOrAfter (remember that this property is decorated with XmlIgnoreAttribute, so it is not serialized itself). This tells the serializer to write the NotOnOrAfter property.
Option 2: Open the generated class, find these non-nullable properties and change their type to a nullable type, for example DateTime to DateTime?. Be aware that the XmlSerializer only accepts Nullable<T> on element members, not on members marked [XmlAttribute]; since NotOnOrAfter is an XML attribute in the SAML schema, Option 1 is the one that applies to it, and the nullable route is only open to the dateTime elements.
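To make the behaviour visible, here is an added example (not code from the original post). ConditionsType is a hand-written stand-in for what XSD.exe generates for the Conditions element: a non-nullable DateTime with its [XmlIgnore] Specified flag. The first serialization sets a value but leaves the flag alone and the expiry silently disappears; the Window helper is the Option 1 pattern, setting both the value and the flag together so it cannot be forgotten. The timestamps are constructed sample values.

```csharp
using System;
using System.IO;
using System.Xml.Serialization;

// Added example, not code from the original post. ConditionsType is a hand-written
// stand-in for the class XSD.exe generates from the SAML 2.0 assertion schema:
// NotOnOrAfter is an optional xs:dateTime attribute, so the generator emits a
// non-nullable DateTime plus an [XmlIgnore] NotOnOrAfterSpecified flag.
[XmlRoot("Conditions", Namespace = SamlDemo.AssertionNs)]
public class ConditionsType
{
    [XmlAttribute] public DateTime NotBefore { get; set; }
    [XmlIgnore]    public bool NotBeforeSpecified { get; set; }

    [XmlAttribute] public DateTime NotOnOrAfter { get; set; }
    [XmlIgnore]    public bool NotOnOrAfterSpecified { get; set; }
}

public static class SamlDemo
{
    public const string AssertionNs = "urn:oasis:names:tc:SAML:2.0:assertion";

    public static string Serialize(ConditionsType conditions)
    {
        var ns = new XmlSerializerNamespaces();
        ns.Add("saml", AssertionNs);
        using (var writer = new StringWriter())
        {
            new XmlSerializer(typeof(ConditionsType)).Serialize(writer, conditions, ns);
            return writer.ToString();
        }
    }

    // Option 1 from the post, done in one place: the validity window is built
    // together with its Specified flags, so the expiry cannot be dropped by mistake.
    public static ConditionsType Window(DateTime issuedUtc, TimeSpan lifetime)
    {
        return new ConditionsType
        {
            NotBefore = issuedUtc,
            NotBeforeSpecified = true,
            NotOnOrAfter = issuedUtc + lifetime,
            NotOnOrAfterSpecified = true,
        };
    }

    public static void Main()
    {
        // Constructed sample issue time.
        var issued = new DateTime(2010, 8, 1, 12, 0, 0, DateTimeKind.Utc);

        // Value set, flag left at its default of false: NotOnOrAfter is not written.
        var dropped = new ConditionsType { NotOnOrAfter = issued.AddMinutes(5) };
        Console.WriteLine(Serialize(dropped));

        // Flag set: the NotBefore and NotOnOrAfter attributes are written.
        Console.WriteLine(Serialize(Window(issued, TimeSpan.FromMinutes(5))));
    }
}
```

Compile it as a console program and compare the two Conditions elements it prints: the first has no validity attributes at all, the second has both. Using DateTimeKind.Utc matters too; the serializer writes the offset it is given, and a SAML consumer compares the timestamps against its own clock.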


E-mail | Permalink | Trackback | Post RSSRSS comment feed 0 Responses


Xml Serialization and SAML 2 response

I am working on a project that does a lot of XML serialization. I needed to serialize a SAML 2 response, and to do that I first needed a SAML 2 response class. I downloaded the SAML 2 protocol XSD and used the XSD.exe tool to generate the necessary classes. Once the classes existed the serialization itself was not hard; here is the code I used:
   1:    StringBuilder sb = new StringBuilder(8192);
   2:    XmlSerializerNamespaces samlNameSpace = new XmlSerializerNamespaces();
   3:    samlNameSpace.Add("samlp", "urn:oasis:names:tc:SAML:2.0:protocol");
   4:    samlNameSpace.Add("saml", "urn:oasis:names:tc:SAML:2.0:assertion");
   5:    var x = new XmlSerializer(responseMessage.GetType());
   6:    x.Serialize(new StringWriter(sb),responseMessage,samlNameSpace );


The code is not complex, but the namespaces gave me trouble: the code above generated a response like this:

<samlp:Response xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"...

Although the XML above is perfectly valid (where a namespace is declared makes no difference to an XML parser), I have seen SAML 2 consumers that do not like the assertion and protocol namespaces both declared at the root; they expect something closer to this:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"...
<saml:Assertion Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"...


So how do we achieve this?
The first thing I had to do was remove line #4 from the code above; otherwise the serializer always adds the namespace declaration at the root. That was not enough by itself: I also had to edit the classes XSD.exe generated so that each one carries its own namespace. Here is the attribute I added to the classes (the response class is shown; the assertion class gets the same treatment with the urn:oasis:names:tc:SAML:2.0:assertion namespace):

[XmlTypeAttribute(Namespace = "urn:oasis:names:tc:SAML:2.0:protocol")]
[XmlRootAttribute("Response", Namespace = "urn:oasis:names:tc:SAML:2.0:protocol", IsNullable = false)]
public class ResponseType : StatusResponseType

These two changes produced the XML I needed. One caveat if the assertion is signed: compute the XML signature over the serialized form you actually send, and verify it once more after any such namespace rearrangement. A signature covers canonicalized bytes, and re-serializing a signed subtree with different namespace declarations can invalidate it.
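Here is an added example that reproduces both outputs from this post side by side (this is not the post's generated code; ResponseType and AssertionType are minimal hand-written stand-ins for the XSD.exe classes, carrying the [XmlType] namespaces the post adds). One thing the post does not spell out: once the saml prefix is no longer registered at the root, XmlSerializer invents a prefix such as q1 for the assertion namespace. The example uses the serializer's XmlNamespaceDeclarations member to pin the saml prefix on the Assertion element itself, which is the mechanism assumed here. The IDs and issuer are constructed sample values.

```csharp
using System;
using System.IO;
using System.Xml.Serialization;

// Added example, not the classes from the original post. ResponseType and
// AssertionType are minimal hand-written stand-ins for the XSD.exe output with
// the [XmlType] namespace from the post added to each class.
[XmlType(Namespace = SamlNs.Protocol)]
[XmlRoot("Response", Namespace = SamlNs.Protocol, IsNullable = false)]
public class ResponseType
{
    [XmlAttribute] public string ID { get; set; }
    [XmlAttribute] public string Version { get; set; }

    [XmlElement("Assertion", Namespace = SamlNs.Assertion)]
    public AssertionType Assertion { get; set; }
}

[XmlType(Namespace = SamlNs.Assertion)]
public class AssertionType
{
    // XmlSerializer writes the declarations held in this member on the Assertion
    // element itself: that is how "saml" gets declared where the post wants it
    // instead of at the root, or as an auto-generated "q1" prefix.
    [XmlNamespaceDeclarations]
    public XmlSerializerNamespaces Xmlns { get; set; }

    [XmlAttribute] public string ID { get; set; }
    [XmlAttribute] public string Version { get; set; }

    [XmlElement(Namespace = SamlNs.Assertion)]
    public string Issuer { get; set; }
}

public static class SamlNs
{
    public const string Protocol = "urn:oasis:names:tc:SAML:2.0:protocol";
    public const string Assertion = "urn:oasis:names:tc:SAML:2.0:assertion";

    // declareAssertionNsAtRoot = true reproduces the post's first output (both
    // xmlns on <samlp:Response>); false reproduces the second, with xmlns:saml
    // declared on <saml:Assertion>.
    public static string Serialize(ResponseType response, bool declareAssertionNsAtRoot)
    {
        var rootNs = new XmlSerializerNamespaces();
        rootNs.Add("samlp", Protocol);                               // line 3 of the post's code
        if (declareAssertionNsAtRoot) rootNs.Add("saml", Assertion); // line 4, the one the post removes

        var assertionNs = new XmlSerializerNamespaces();
        if (!declareAssertionNsAtRoot) assertionNs.Add("saml", Assertion);
        response.Assertion.Xmlns = assertionNs;

        using (var writer = new StringWriter())
        {
            new XmlSerializer(typeof(ResponseType)).Serialize(writer, response, rootNs);
            return writer.ToString();
        }
    }

    public static void Main()
    {
        // Constructed sample values.
        var response = new ResponseType
        {
            ID = "_response-1",
            Version = "2.0",
            Assertion = new AssertionType
            {
                ID = "_assertion-1",
                Version = "2.0",
                Issuer = "https://idp.example.com",
            },
        };

        Console.WriteLine(Serialize(response, declareAssertionNsAtRoot: true));
        Console.WriteLine();
        Console.WriteLine(Serialize(response, declareAssertionNsAtRoot: false));
    }
}
```

Run it as a console program and diff the two documents it prints: the element content is identical and only the position of the xmlns:saml declaration moves, which is exactly why a consumer that cares about it is being pickier than the XML itself requires.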




Visual Studio 2010 not signing?

I created a class library project and had to sign the DLL, so I created a signing key from Visual Studio 2010 and protected it with a password.
After some work on the code I decided the assembly name was not a good one, so I renamed the assembly. I carried on, and when it was time to reference this DLL from another project I needed its public key token, so I used the sn tool to get it:

sn -T <dll name>
I got an error saying the assembly had no public key token. At first I thought it was because the command prompt was not running with admin privileges, but that was not it. I reopened the class library project, confirmed that the "Sign the assembly" option was checked, unchecked it and checked it again; it still did not work.

The solution was:

  1. Uncheck the sign option and remove the key file from the project
  2. Clean the solution
  3. Generate a new key with the same password and check the sign option again
  4. Compile the project


This worked; apparently if you rename the assembly after setting up signing, something in the project breaks and Visual Studio quietly stops signing the DLL. Two things worth keeping in mind: sn -T only tells you whether a public key token is embedded, so run sn -v <dll name> to confirm the strong-name signature actually verifies; and a strong name only gives the assembly a unique identity for binding, it is not a security boundary and does not tell a consumer the DLL is trustworthy (Authenticode signing is the tool for that).
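The check sn -T performs can be done from code as well, which is handy for a build step that fails the build the moment a DLL loses its strong name the way this post describes. The following is an added example, not from the original post; the expected-token argument and the exit codes are conventions chosen for this demo.

```csharp
using System;
using System.Reflection;

// Added example, not from the original post: the same check that sn -T performs,
// done from code, plus a comparison against the token you expect, so a build that
// silently lost its signature fails a test instead of surprising a consumer.
public static class StrongNameCheck
{
    // Returns the public key token as lowercase hex (the form sn -T prints),
    // or null when the assembly carries no strong name at all.
    public static string GetPublicKeyToken(string assemblyPath)
    {
        // Reads only the manifest; the assembly is not loaded into the AppDomain.
        AssemblyName name = AssemblyName.GetAssemblyName(assemblyPath);
        byte[] token = name.GetPublicKeyToken();
        if (token == null || token.Length == 0)
            return null;
        return BitConverter.ToString(token).Replace("-", "").ToLowerInvariant();
    }

    // True when the assembly is strong-named with exactly the expected token.
    public static bool HasExpectedToken(string assemblyPath, string expectedTokenHex)
    {
        string actual = GetPublicKeyToken(assemblyPath);
        return actual != null
            && string.Equals(actual, expectedTokenHex, StringComparison.OrdinalIgnoreCase);
    }

    // Usage: StrongNameCheck <assembly.dll> [expected-token-hex]
    // Exit code 0: signed (and matching, if a token was given); 1: unsigned or
    // mismatched; 2: bad arguments. Convention assumed for this demo.
    public static int Main(string[] args)
    {
        if (args.Length == 0)
        {
            Console.Error.WriteLine("usage: StrongNameCheck <assembly.dll> [expected-token-hex]");
            return 2;
        }

        string token = GetPublicKeyToken(args[0]);
        if (token == null)
        {
            Console.WriteLine("{0}: not strong-named (no public key token)", args[0]);
            return 1;
        }

        Console.WriteLine("{0}: public key token {1}", args[0], token);
        if (args.Length > 1 && !HasExpectedToken(args[0], args[1]))
        {
            Console.WriteLine("token does not match the expected {0}", args[1]);
            return 1;
        }
        return 0;
    }
}
```

A present token only proves a public key is embedded (a delay-signed assembly has one too); whether the signature over the assembly is valid is a separate question that sn -v answers.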




Load Balancer sending 302 not 307! ViewState is missing?

Recently one of our customers reported a bug in our product. They told us the software does not work when there is a load balancer in front of it. Let me first describe their environment so the problem makes sense.

In their environment a load balancer holds the SSL certificates; nothing behind it is SSL enabled. When a client connects over https, the load balancer terminates the TLS connection and forwards the request to one of the servers over plain http. Furthermore, company network policy says that nothing may talk to a server without https, so even if "Server A" behind the load balancer wants to talk to "Server B" behind the same load balancer it has to use https (and the load balancer terminates that connection as well). The reason for this setup is that all certificates live on the load balancer, not on the individual servers.

Our software makes a POST request to a page on the same server, sending some data. The problem was that the page receiving the POST did not get the posted data and threw an exception. The Fiddler logs showed what was going on; here is the workflow.

  1. The client hits the server hosting our product over https; assume this is https://contoso.com/default.aspx.

  2. The load balancer receives the request, terminates the https connection and calls http://contoso.com/default.aspx.

  3. Our page gathers some data and posts it to list.aspx on the same site. Because default.aspx was served over http, the page built an http URL, so the data is posted to http://contoso.com/list.aspx; keep in mind this is a POST request.

  4. The load balancer receives that request and, enforcing the https policy, answers with an HTTP 302 (Found) redirect to https://contoso.com/list.aspx. A 302 is followed with a GET, so what happened to the body we posted in the previous step? GONE.

  5. list.aspx tries to read the posted data, ViewState included, and fails because the expected data never arrived.

A load balancer should never turn a POST into a GET. One solution is to configure the load balancer to answer with HTTP 307 (Temporary Redirect), which tells the user agent to repeat the request with the same method and body, instead of 302. Note that step 3 is also a security problem in its own right: by the time the redirect arrives, the browser has already sent the POST body, ViewState included, over plain http, so the 307 fixes the functional failure but not the leak. The root cause is that the page generated an absolute http URL from the server's own view of the request; emitting a relative URL, or building https URLs from the X-Forwarded-Proto header if the load balancer sets one, avoids the redirect altogether.

The other solution is to install the same certificates on the servers behind the load balancer and configure the load balancer to use https between itself and the servers.
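To see the difference between the two status codes without a load balancer at hand, here is an added example (not code from the original post). An HttpListener stands in for the load balancer: it answers the first request with the configured redirect and then shows what the second hop actually carries, while HttpClient plays the browser following the redirect. The port, paths and form fields are assumptions for the demo, and the redirect target stays on plain http because the listener has no certificate; the method and body handling is the same for an http to https Location.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;

// Added example, not code from the original post. A stand-in for the load balancer
// (an HttpListener that answers the first request with a redirect) and a client that
// follows it, to show what a 302 versus a 307 does to a POST body. Port, paths and
// form fields are assumptions for the demo.
public static class RedirectDemo
{
    const string Prefix = "http://localhost:8080/";

    public static async Task Main()
    {
        foreach (int status in new[] { 302, 307 })
        {
            Console.WriteLine("--- load balancer answers " + status + " ---");
            await RunOnce(status);
        }
    }

    static async Task RunOnce(int redirectStatus)
    {
        // On Windows a non-admin process may need a urlacl reservation for this prefix.
        var listener = new HttpListener();
        listener.Prefixes.Add(Prefix);
        listener.Start();

        Task server = Task.Run(async () =>
        {
            // Hop 1: the browser's POST arrives over plain http. Answer with the redirect.
            HttpListenerContext ctx = await listener.GetContextAsync();
            Describe("hop 1", ctx.Request);
            ctx.Response.StatusCode = redirectStatus;
            ctx.Response.RedirectLocation = Prefix + "secure/list.aspx";
            ctx.Response.Close();

            // Hop 2: what list.aspx actually receives after the client follows the redirect.
            ctx = await listener.GetContextAsync();
            Describe("hop 2", ctx.Request);
            ctx.Response.StatusCode = 200;
            ctx.Response.Close();
        });

        // AllowAutoRedirect is the default; it is spelled out because it is the behaviour under test.
        using (var client = new HttpClient(new HttpClientHandler { AllowAutoRedirect = true }))
        {
            var form = new FormUrlEncodedContent(new Dictionary<string, string>
            {
                { "__VIEWSTATE", "dGVzdA==" },   // constructed sample post data
                { "item", "42" },
            });
            await client.PostAsync(Prefix + "list.aspx", form);
        }

        await server;
        listener.Stop();
    }

    static void Describe(string hop, HttpListenerRequest request)
    {
        string body;
        using (var reader = new StreamReader(request.InputStream, request.ContentEncoding))
            body = reader.ReadToEnd();
        Console.WriteLine("{0}: {1} {2} body=\"{3}\"", hop, request.HttpMethod,
                          request.Url.PathAndQuery, body.Length == 0 ? "<empty>" : body);
    }
}
```

With 302 the second hop arrives as a GET with an empty body, which is the failure the customer saw; with 307 it arrives as a POST with the form intact. Either way the first hop already carried the body in clear text, which is the part no status code can undo.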




Check Permissions throws exception (SharePoint 2010)

I am working on a claims provider for SharePoint 2010. I had completed almost all the functionality and it was time to test the provider through the UI. It passed every test except one: when I tried to check permissions for a security group I got an exception, and SharePoint displayed its default error page. At first I thought it was my code, so I debugged it and found nothing wrong. Then I did what I should have done first and checked the SharePoint logs with ULSViewer. The error message was:
System.InvalidOperationException: Operation is not valid due to the current state of the object. at Microsoft.SharePoint.SPUserToken.GetClaimsUserLoginName()
This clearly could not be my code, since I never call GetClaimsUserLoginName, so I googled the error message and the first hit was MSDN. I installed the patch it pointed to, and that fixed my problem. I wonder how this bug was not caught before the SharePoint 2010 release; checking permissions is one of the core functions of a claims provider.




Infinite loop between STS and SharePoint

If you set up SharePoint to use an STS for authentication, you may hit an infinite redirect loop like I did :) Here was my scenario:

I have a custom STS and set up a trust relationship between it and SharePoint. When I try to log in to a site the browser is, as expected, redirected to the STS login page. I type my username and password, then the browser starts redirecting to SharePoint and then back to the STS again. This was an infinite loop, and oddly Internet Explorer never complains when it is stuck in one.

Anyway, when I googled the situation the first link was: Setting the Login Token Expiration Correctly for SharePoint 2010 SAML Claims Users. I applied its suggestions, which amount to changing the default timeouts. That did not fix the problem.

I started thinking about what could cause this. I knew from the logs that the STS login worked, created the claims and sent them to SharePoint. SharePoint was presumably rejecting the claims and sending the user back to the STS, and the STS, which already had a session cookie from the authentication, redirected straight back to SharePoint... The first problem was a typo in the claims I was setting up: SharePoint was expecting a different claim from the STS than the one I was issuing, and that caused the loop.

I fixed the claim typo and tried again; nope, still an infinite loop. With the help of one of my colleagues we found the remaining problem. When I open the site from IIS Manager (the Browse link next to the site), IIS uses the localhost address, and that caused the loop: the realm and return URL SharePoint and the STS exchange are tied to the site's real address, so a request arriving under localhost never matches. When I typed the real address (not the localhost one), everything worked as expected :)




A potentially dangerous Request.Form value was detected from the client (wresult="

I created my first sample WIF application after hearing so much about it. I used the default ASP.NET MVC project that ships with Visual Studio 2010 on .NET 4.0. I did nothing special: created the project, right-clicked it, clicked Add STS Reference and ran it. The browser was redirected to the login page; I entered a random password and clicked the login button. I got the error you see in the title: "A potentially dangerous Request.Form value was detected from the client (wresult="<trust:RequestSecuri...")."
The reason for this error is that the response coming back from the STS is XML posted in a form field, which trips ASP.NET request validation. What you have to do is write a custom request validator and configure your application to use it. The WIF SDK ships a sample, which under the default installation is at: "C:\Program Files (x86)\Windows Identity Foundation SDK\v4.0\Samples\Quick Start\Web Application\WebControlBasedClaimsAwareWebApp\App_Code\SampleRequestValidator.cs".

The class in this file derives from RequestValidator and overrides IsValidRequestString. It checks whether the value being validated is the wresult form field that carries the STS response; if it is, and WIF can parse the post as a sign-in response, the value is accepted, otherwise it falls through to the base validator. Keep the exemption exactly that narrow: request validation is a defence-in-depth measure for every other field, and the wresult value is still checked by WIF itself (signature, audience, lifetime) before any claims are trusted. Here is the code:

using System;
using System.Web;
using System.Web.Util;
using Microsoft.IdentityModel.Protocols.WSFederation;

namespace WIF2
{
    public class WIFRequestValidator : RequestValidator
    {
        protected override bool IsValidRequestString(HttpContext context, string value,
            RequestValidationSource requestValidationSource, string collectionKey,
            out int validationFailureIndex)
        {
            validationFailureIndex = 0;

            // Exempt only the wresult form field, and only when WIF can parse the
            // post as a sign-in response; everything else is validated as usual.
            if (requestValidationSource == RequestValidationSource.Form &&
                collectionKey.Equals(WSFederationConstants.Parameters.Result, StringComparison.Ordinal))
            {
                SignInResponseMessage message =
                    WSFederationMessage.CreateFromFormPost(context.Request) as SignInResponseMessage;
                if (message != null)
                    return true;
            }

            return base.IsValidRequestString(context, value, requestValidationSource,
                collectionKey, out validationFailureIndex);
        }
    }
}


To use this validator in your application instead of the default ASP.NET validator, you have to modify web.config file. Open up the web.config file, and add/modify this line as follows:

<httpRuntime requestValidationType="WIF2.WIFRequestValidator" />


Now you run the code again and you will probably get your second error message:

ID1038: The AudienceRestrictionCondition was not valid because the specified Audience is not present in AudienceUris.

This is not a WIF bug: the audience in the token is the wtrealm value the application sent to the STS, and WIF compares it as a URI against the audienceUris entries in web.config, so even a trailing slash difference fails the check. That check is what stops a token issued for one application from being replayed at another, so fix the mismatch rather than loosening the audience list. To solve it, modify the web application's web.config one more time. Go to the line where you see:
“<wsFederation passiveRedirectEnabled..
find the realm="… attribute and add a / to the end of the URL so it matches the audienceUri entry exactly. In my config file, before the update it was:
and I changed it to:

That is it :)




New Era

My programming interests have shifted over the last few months. I am more interested in security, Windows Identity Foundation, federated authorization and SharePoint. I am not new to security: I have presented on OWASP security vulnerabilities, and many times I was the one helping to fix SQL injection and other vulnerabilities found at work.
However, I am new to Windows Identity Foundation and SharePoint. I installed SharePoint in a virtual machine and started playing with it. Unfortunately SharePoint is not very intuitive or user friendly; most actions are not where you look for them. From what I have experienced in the last month, it is not developer friendly either :). All the resources you find are for beginners, and the advanced blogs do not share their source code.

I will start sharing what I learn about SharePoint and WIF on this blog, from beginner to advanced level :)

Let the games begin…




Socal CodeCamp Reviews

I attended the two-day SoCal CodeCamp in San Diego, a great event that I think every developer in the area should attend. I am a frequent CodeCamp attendee :) and usually enjoy the sessions.

I did not see a huge crowd this time (purely a personal observation; ask the CodeCamp organizers for real data, which says it was one of the most crowded CodeCamps in San Diego). It is summer, and people may have more fun things to do, such as surfing :). I even heard someone was going surfing between sessions :).

If you look at the interest tag cloud for the sessions, this time there were lots of SQL Server, Silverlight, 101 XXX and Step by Step XXX sessions. It seems people are interested in beginner-level sessions. Once again this is purely a personal observation; other people may have attended different sessions :).
Overall the quality of the sessions I attended was good. I mean, when it is free, why would you complain, right? But I still will :)).

I think some hours of the CodeCamp should be dedicated purely to advanced sessions, for example Saturday from 9 to 12, all sessions advanced; this would help visitors arrange their schedule.

Another issue is a lot of repetition. Microsoft is coming out with lots of different tools, other communities such as the Mono community are coming out with lots of tools too, and we do not get a chance to hear talks about most of them. I know the real question is then: why don't you take the step, learn one of them and give a talk? :) Well, I am planning on it for this fall.




HandleError attribute (MVC)

In ASP.NET MVC you can decorate action methods and controllers with filter attributes to control their behaviour. These filters are injected into the pipeline and, depending on their type, run before or after something happens. You can use the filters that ship with the framework or write your own. Even though it is easy to test a filter's functionality, it is not as easy to test whether a controller or action is actually decorated with the filter (you can use reflection). There are four types of filters in the framework:

  • Authorization Filter: These filters have very high priority and run before the other filter types and before the action executes.
  • Action Filter: These filters have normal priority and run before and after the action executes, so you can do some work before or after an action runs. Good examples are logging system activity or measuring how long the action takes.
  • Result Filter: These filters have normal priority and run before and after the action result executes, so you can manipulate the action result.
  • Exception Filter: These filters run when an unhandled exception is thrown.

In this post I will explain the HandleError attribute, which is an exception filter. You may want to use it to catch exceptions, either to log them or to show a friendly error page so the user does not freak out. If you create a default MVC project with Visual Studio, you will see that the HomeController class is decorated with the HandleError filter:

[HandleError]
public class HomeController : Controller

This means: whenever there is an unhandled exception, render the Error view. So when an exception occurs the framework first looks in the "Views/Home" folder for an Error.aspx page (assuming you are using the default WebForms view engine). If it cannot find that, it checks for an Error.ascx, and if there is none the same search is applied to the Shared folder. If an Error.aspx/ascx is found it is rendered; otherwise, on a production system IIS handles the error, and on a development system you may see the standard ASP.NET error page below (depending on the customErrors setting in your web.config).


Or, if you use the HandleError filter and configure things right, this may be the screen:


Of course you want the second, user-friendly page. Let's first see what we have to do to get the simple friendly error page, and then look at customizing it.

  1. Decorate the controller or the action method with HandleError
  2. Create an Error.aspx or Error.ascx page and put it either in the Views folder of the controller or in the Shared folder.
  3. Open your web.config file and set the custom errors definition to customErrors mode="On" (HandleError only acts when custom errors are enabled; with mode="Off" it steps aside so you see the full exception while developing)

After these three simple steps you have an error page that is displayed whenever there is an unhandled exception.

HandleErrorAttribute is defined in the HandleErrorAttribute.cs file (surprised?). It is relatively simple and short code. If you check the source you will see there are properties you can customize. Here is the list:

  • View: The view to render for the error message, if you want one other than Error. If you do not specify a view name, the default is Error.
  • Master: The master page for the view that will be rendered. If you do not specify one it is empty by default, which means the view's own master page is used.
  • ExceptionType: The exception type you want to handle; by default it is the very generic System.Exception, which means catch every exception.

Note that there is one more property you can set, Order, which is not declared on this class but inherited from FilterAttribute.
Going back to our example, if we want to change the error page name to, say, "UnderMaintenance", simply change the filter decoration to:

[HandleError(View="UnderMaintenance")]
public class HomeController : Controller

Or, if you also want to change the master page to Maintenance, change the decoration to:

[HandleError(View="UnderMaintenance", Master="Maintenance")]
public class HomeController : Controller

Now let's assume you want to show the user different pages for different types of exceptions; then you have to use the ExceptionType property.

  • If the view you are trying to render is not found, an InvalidOperationException is thrown.
  • If you are connecting to SQL Server and there is an error, a System.Data.SqlClient.SqlException is thrown.

For other exception types check MSDN, but let's concentrate on these two and create two different error pages for the two exception types. Here is the decoration for this goal:

[HandleError(View="Error", ExceptionType=typeof(InvalidOperationException))]
[HandleError(View="DatabaseError", ExceptionType=typeof(System.Data.SqlClient.SqlException))]
public class HomeController : Controller

With this declaration we are telling the framework: when there is an InvalidOperationException render Error.aspx/ascx, and when there is a SqlException render the DatabaseError.aspx/ascx view.

What happens when we add another HandleError for SystemException (which SqlException also derives from, so it overlaps the second attribute)? Assume our declaration is as below and a SqlException is thrown:

[HandleError(View="Error", ExceptionType=typeof(InvalidOperationException))]
[HandleError(View="DatabaseError", ExceptionType=typeof(System.Data.SqlClient.SqlException))]
[HandleError(ExceptionType = typeof(SystemException))]
public class HomeController : Controller

The framework invokes every exception filter that applies, so in this case OnException runs on both the SqlException and the SystemException HandleError attributes. HandleErrorAttribute, however, returns immediately when filterContext.ExceptionHandled is already true, so only the first matching filter to run actually renders a view. The order in which reflection returns the attributes is not guaranteed, so when it matters set the Order property mentioned above.

You can write your own exception filter and apply it to a controller or action. Inside it you must set the ExceptionHandled flag to true; otherwise the framework rethrows the exception and you get the yellow screen of death. When more than one filter can catch the same exception it is enough that one of them sets ExceptionHandled, and a well-behaved filter checks that flag first and does nothing if another filter has already handled the exception.
The default HandleError attribute also creates a model for your view in case you want more information about the error: change the error page's model to HandleErrorInfo and the framework fills in the action, controller and exception. A simple Error.aspx could be:

<%@ Page ..  Inherits="System.Web.Mvc.ViewPage<HandleErrorInfo>" %>
Sorry for the error, we are working hard to fix the problem.
<ul>
    <li>Action: <%=Model.ActionName %></li>
    <li>Controller: <%=Model.ControllerName %></li>
    <li><%=Model.Exception.ToString() %></li>
</ul>


Of course in a real-world application you do not want to display this information to the user (an exception's ToString() tells an attacker which libraries, versions and file paths you run), but you can use it to write an entry to your logging system.
Hopefully this article helps you understand the HandleError attribute.
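Putting the last two points together, here is an added example of the custom filter described above (this is not code from the original post, and it assumes ASP.NET MVC 2 or later with System.Web.Mvc). It keeps the stock HandleErrorAttribute's preconditions, including the ExceptionHandled check, logs the full exception server-side under a correlation id, and hands the view a HandleErrorInfo whose exception message is only that id, so the Error view above can stay as it is while the stack trace never leaves the server. System.Diagnostics.Trace stands in for whatever logging system you use.

```csharp
using System;
using System.Diagnostics;
using System.Web;
using System.Web.Mvc;

// Added example, not from the original post. A HandleError variant that logs the
// full exception server-side under a correlation id and gives the view only that
// id. Assumes ASP.NET MVC 2+; Trace stands in for the real logging system.
public class LoggedHandleErrorAttribute : HandleErrorAttribute
{
    public override void OnException(ExceptionContext filterContext)
    {
        // Same preconditions as HandleErrorAttribute: custom errors must be on,
        // no other filter may have handled it yet, and the type must match.
        if (filterContext.ExceptionHandled
            || !filterContext.HttpContext.IsCustomErrorEnabled
            || !ExceptionType.IsInstanceOfType(filterContext.Exception))
        {
            return;
        }

        string correlationId = Guid.NewGuid().ToString("N");
        string controller = filterContext.RouteData.GetRequiredString("controller");
        string action = filterContext.RouteData.GetRequiredString("action");

        // Full detail, including the stack trace, goes to the server log only.
        Trace.TraceError("[{0}] {1}/{2}: {3}", correlationId, controller, action,
                         filterContext.Exception);

        // The view still gets a HandleErrorInfo model, but the exception it sees
        // carries nothing except the correlation id the user can quote to support.
        var safeInfo = new HandleErrorInfo(
            new ApplicationException("Reference: " + correlationId), controller, action);

        filterContext.Result = new ViewResult
        {
            ViewName = View,
            MasterName = Master,
            ViewData = new ViewDataDictionary<HandleErrorInfo>(safeInfo),
            TempData = filterContext.Controller.TempData,
        };
        filterContext.ExceptionHandled = true;

        HttpResponseBase response = filterContext.HttpContext.Response;
        response.Clear();
        response.StatusCode = 500;
        // Keep IIS from replacing our view with its own error page.
        response.TrySkipIisCustomErrors = true;
    }
}

// Usage: [LoggedHandleError(View = "Error")] on a controller or action. The Error
// view keeps its HandleErrorInfo model; Model.Exception.Message now shows only the
// reference id, and Model.Exception.ToString() no longer reveals a stack trace.
```

The stock filter additionally ignores exceptions whose HttpException code is not 500, so that a deliberate 404 thrown from an action still reaches the normal ASP.NET handling; add the same check if your application relies on that behaviour.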

May the force be with you.

