Oct 14 2010

A potentially dangerous Request.Form value was detected from the client (wresult="

I created my first sample WIF application after hearing so much about it. I used the default ASP.NET MVC project that ships with Visual Studio 2010 on .NET 4.0. I did nothing special: I created the ASP.NET MVC project, right-clicked the project, clicked "Add STS reference", and ran it. The browser was redirected to the login page; I typed a random password, clicked the login button, and got the error you see in the title: “A potentially dangerous Request.Form value was detected from the client (wresult="<trust:RequestSecuri...").”
The reason for this error is that the sign-in response coming back from the STS project (the wresult form field that carries the token) is XML, and that trips ASP.NET request validation. What you have to do is write a custom request validator and configure your application to use it. The WIF SDK ships a sample validator, which under a default installation is at: “C:\Program Files (x86)\Windows Identity Foundation SDK\v4.0\Samples\Quick Start\Web Application\WebControlBasedClaimsAwareWebApp\App_Code\SampleRequestValidator.cs”.

This file contains a class that derives from RequestValidator and overrides IsValidRequestString. The override checks whether the value being validated is the sign-in response posted back by our STS; if it is not, it simply defers to the base validator. Here is the code that does this:

using System;
using System.Web;
using System.Web.Util;
using Microsoft.IdentityModel.Protocols.WSFederation;

namespace WIF2 // matches the requestValidationType value used in web.config
{
    public class WIFRequestValidator : RequestValidator
    {
        protected override bool IsValidRequestString(HttpContext context,
            string value, RequestValidationSource requestValidationSource,
            string collectionKey, out int validationFailureIndex)
        {
            validationFailureIndex = 0;

            // Only the "wresult" form field is exempted, and only when it parses
            // as a WS-Federation sign-in response; the token itself is still
            // validated later by the WS-Federation authentication module.
            if (requestValidationSource == RequestValidationSource.Form &&
                collectionKey.Equals(WSFederationConstants.Parameters.Result,
                                     StringComparison.Ordinal))
            {
                SignInResponseMessage message =
                    WSFederationMessage.CreateFromFormPost(context.Request) as SignInResponseMessage;
                if (message != null)
                    return true;
            }

            // Everything else goes through the standard ASP.NET request validation.
            return base.IsValidRequestString(context, value,
                requestValidationSource, collectionKey, out validationFailureIndex);
        }
    }
}


To use this validator instead of the default ASP.NET validator, you have to modify the web.config file. Open it and add or modify the httpRuntime element under system.web as follows (the type name must match the validator's namespace and class):

<httpRuntime requestValidationType="WIF2.WIFRequestValidator" />


Now run the application again, and you will probably hit a second error message:

ID1038: The AudienceRestrictionCondition was not valid because the specified Audience is not present in AudienceUris.

I don’t know if this is a bug in the WIF system or not, but to solve this issue you need to modify the web.config of the web application one more time. Go to the line where you see:
<wsFederation passiveRedirectEnabled=...
find the realm="..." attribute and add a / to the end of the URL. In my config file, before the update, it was:
realm="http://localhost/wif2"
and I changed it to:
realm="http://localhost/wif2/"

That is it :)
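For reference, here is the shape the relevant parts of web.config end up in once both fixes are applied. This is an added illustration, not the post's own file or the SDK sample: the httpRuntime element points at the validator above, and the realm in wsFederation is written identically (trailing slash included) to the entry in audienceUris, because the ID1038 check compares the audience URI inside the token, which the STS copies from the realm the application sent, against the audienceUris list character for character. The issuer URL is a placeholder, and the remaining elements that the "Add STS reference" wizard generates (configSections, issuerNameRegistry, the module registrations) are omitted here.

```xml
<configuration>
  <system.web>
    <!-- Route request validation through the custom validator (namespace.class) -->
    <httpRuntime requestValidationType="WIF2.WIFRequestValidator" />
  </system.web>

  <microsoft.identityModel>
    <service>
      <!-- Must contain the exact audience the STS puts in the token, which is
           the realm value below; "http://localhost/wif2" without the slash
           would not match and ID1038 would be raised. -->
      <audienceUris>
        <add value="http://localhost/wif2/" />
      </audienceUris>
      <federatedAuthentication>
        <!-- issuer is a placeholder for the STS address used in the post -->
        <wsFederation passiveRedirectEnabled="true"
                      issuer="https://localhost/SampleSTS/"
                      realm="http://localhost/wif2/"
                      requireHttps="false" />
        <cookieHandler requireSsl="false" />
      </federatedAuthentication>
    </service>
  </microsoft.identityModel>
</configuration>
```

A quick way to check the two values agree is to compare them after the wizard has run, since the wizard normalizes the audience entry to end in a slash while a hand-typed realm often does not; requireHttps and requireSsl are left at false only because the post runs against plain http://localhost, and should be true for a deployed application.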


