A potentially dangerous Request.Form value was detected from the client (wresult="

I created my first sample WIF application after hearing so much about it. I used the ASP.NET MVC default project that comes with Visual Studio 2010, using .NET 4.0. I did not do anything special: I just created the ASP.NET MVC project, right-clicked on the project, clicked Add STS Reference, and ran the project. The browser was forwarded to the login page, I entered some random password, and clicked the login button. I got the error you see in the title: “A potentially dangerous Request.Form value was detected from the client (wresult="<trust:RequestSecuri...").”
The reason for this error is that the claim coming back from the STS project is in XML format, and that triggers and fails the ASP.NET request validation. What you have to do is write a custom request validator and configure your application to use it. The WIF SDK has a sample custom validator, which under a default installation is at: “C:\Program Files (x86)\Windows Identity Foundation SDK\v4.0\Samples\Quick Start\Web Application\WebControlBasedClaimsAwareWebApp\App_Code\SampleRequestValidator.cs”.

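There is a class in this file that derives from RequestValidator and overrides IsValidRequestString. In this function it checks whether the value being validated is the wresult form field of a WS-Federation sign-in response, that is, the POST coming back from our STS service. If it is not, it simply calls the base validator, so every other request value still goes through the default ASP.NET validation. Here is the code that does this: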

using System;
using System.Web;
using System.Web.Util;
using Microsoft.IdentityModel.Protocols.WSFederation;

public class WIFRequestValidator : RequestValidator
{
    protected override bool IsValidRequestString(HttpContext context,
        string value, RequestValidationSource requestValidationSource,
        string collectionKey, out int validationFailureIndex)
    {
        validationFailureIndex = 0;
        // Exempt only the "wresult" form field, and only when the POST
        // parses as a WS-Federation sign-in response.
        if (requestValidationSource == RequestValidationSource.Form &&
            collectionKey.Equals(WSFederationConstants.Parameters.Result, StringComparison.Ordinal))
        {
            SignInResponseMessage message =
                WSFederationMessage.CreateFromFormPost(context.Request) as SignInResponseMessage;
            if (message != null)
                return true;
        }
        // Everything else goes through the default ASP.NET validation.
        return base.IsValidRequestString(context, value, requestValidationSource,
            collectionKey, out validationFailureIndex);
    }
}


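To use this validator in your application instead of the default ASP.NET validator, you have to modify the web.config file. Open the web.config file and, inside the <system.web> section, add or modify this line so that requestValidationType holds the namespace-qualified type name of the validator: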

<httpRuntime requestValidationType="WIF2.WIFRequestValidator" />


Now run the code, and you will probably get your second error message:

ID1038: The AudienceRestrictionCondition was not valid because the specified Audience is not present in AudienceUris.

I don’t know if this is a bug in the WIF system or not, but to solve this issue, you need to modify the web.config for the web application one more time. Go to the line where you see:
“<wsFederation passiveRedirectEnabled..
and go to the realm=”… attribute and add a / to the end of the URL. For example, in my config file, before I did the update, it was:
and I changed it to:

That is it :)
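
The realm/audience mismatch behind ID1038 can be caught before running the site. The following is an added example, not code from the original post or the WIF SDK: it compares the wsFederation realm with the entries under audienceUris, assuming the audience check is an exact string match. The class name and the URLs in the sample config are made up for illustration.

```csharp
using System;
using System.Linq;
using System.Xml.Linq;

static class AudienceRealmCheck
{
    // Constructed sample config; the URLs are placeholders, not values from the post.
    const string SampleConfig = @"
<configuration>
  <microsoft.identityModel>
    <service>
      <audienceUris>
        <add value=""http://localhost:1234/"" />
      </audienceUris>
      <federatedAuthentication>
        <wsFederation passiveRedirectEnabled=""true""
                      issuer=""http://localhost:5678/STS/""
                      realm=""http://localhost:1234"" />
      </federatedAuthentication>
    </service>
  </microsoft.identityModel>
</configuration>";

    // Returns null when the realm is listed verbatim in audienceUris,
    // otherwise a message describing the mismatch.
    static string Check(XDocument config)
    {
        var audiences = config.Descendants("audienceUris").Elements("add")
            .Select(e => (string)e.Attribute("value"))
            .Where(v => v != null).ToList();
        var realm = config.Descendants("wsFederation")
            .Select(e => (string)e.Attribute("realm")).FirstOrDefault();
        if (realm == null) return "no wsFederation realm configured";
        // Assumption: the audience is compared as an exact, case-sensitive string.
        if (audiences.Contains(realm, StringComparer.Ordinal)) return null;
        var near = audiences.FirstOrDefault(a =>
            string.Equals(a.TrimEnd('/'), realm.TrimEnd('/'), StringComparison.OrdinalIgnoreCase));
        return near != null
            ? string.Format("realm '{0}' differs from audience '{1}' only by trailing slash or case", realm, near)
            : string.Format("realm '{0}' is not listed in audienceUris", realm);
    }

    static void Main()
    {
        Console.WriteLine(Check(XDocument.Parse(SampleConfig)) ?? "realm matches an audience URI");
    }
}
```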




New Era

I have been changing my programming interests in the last few months. I am more interested in security, Windows Identity Foundation, federated authorization and SharePoint. I am not new to security; I presented OWASP Security Vulnerability, and many times I was the one helping to fix the SQL injections or other security vulnerabilities found at work.
However, I am new to Windows Identity Foundation and SharePoint. I installed SharePoint on a virtual machine and started playing with it. Unfortunately, SharePoint is not very intuitive or user friendly. Most of the actions are not in the places you look for them. As far as I have experienced in the last 1 month, it is not developer friendly either :). All the resources you find are for beginners, and advanced blogs do not share the source code.

I will start sharing what I learn about SharePoint and WIF in this blog, from beginner to advanced level :)

Let the games begin…

