As a follow-up to the last post: once you drop your first class into App_Code you will encounter an error stating that you can't have both VB and C# code in the same directory. Fine, I never did like semicolons anyway, so I deleted WIFSampleRequestValidator.cs and removed
<httpRuntime requestValidationType="SampleRequestValidator"/>
from the system.web part of web.config. First time I try logging in I instantly get
A potentially dangerous Request.Form value was detected from the client (wresult="<t:RequestSecurityTo...").
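Oh, so TTHAAATTSS what the ugly C# code did: it lets the sign-in response (the XML token posted in the wresult form field) past ASP.NET request validation. Ah well, I put the above statement back in web.config and added a new SampleRequestValidator class.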
Imports System.Web.Util
Imports Microsoft.IdentityModel.Protocols.WSFederation
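''' <summary>
''' Request validator that lets a WS-Federation sign-in response pass ASP.NET request validation.
''' </summary>
''' <remarks>
''' The sign-in response is posted in the <c>wresult</c> form field as XML, which the default
''' validator rejects with "A potentially dangerous Request.Form value was detected".
''' This class only exempts that one field from the markup check; it does not verify the token.
''' Signature, issuer and audience checks must still be done by the federation module that
''' consumes the message, and any page that echoes <c>wresult</c> must encode it on output.
''' </remarks>
Public Class SampleRequestValidator
    Inherits RequestValidator

    Public Sub New()
    End Sub

    ''' <summary>
    ''' Decides whether a single request value may be processed.
    ''' </summary>
    ''' <param name="context">The current HTTP context; its request is parsed as a WS-Federation form post.</param>
    ''' <param name="value">The raw value being validated.</param>
    ''' <param name="ValidationSource">Which part of the request the value came from.</param>
    ''' <param name="collectionKey">The key of the value inside its collection (the form field name for form values).</param>
    ''' <param name="validationFailureIndex">Set to -1 here; the base implementation may overwrite it.</param>
    ''' <returns>
    ''' True for the raw URL and for a <c>wresult</c> form field that parses as a sign-in response;
    ''' otherwise whatever the base ASP.NET validator returns.
    ''' </returns>
    Protected Overloads Overrides Function IsValidRequestString(ByVal context As HttpContext, ByVal value As String, _
                                                               ByVal ValidationSource As RequestValidationSource, _
                                                               ByVal collectionKey As String, _
                                                               ByRef validationFailureIndex As Integer) As Boolean
        validationFailureIndex = -1 ' Default for the ByRef result: no failure position.

        ' NOTE(review): this switches request validation off for the raw URL of every request in
        ' the application. Keep it only while no page writes Request.RawUrl into its output;
        ' otherwise delete this branch so the raw URL falls through to the base check.
        If ValidationSource = RequestValidationSource.RawUrl Then
            Return True
        End If

        ' String.Equals tolerates a Nothing key, so a missing key simply falls through to the base check.
        If ValidationSource = RequestValidationSource.Form AndAlso _
           String.Equals(collectionKey, WSFederationConstants.Parameters.Result, StringComparison.Ordinal) Then
            Try
                ' TryCast yields Nothing for any other WS-Federation message type instead of raising
                ' InvalidCastException, and it also compiles with Option Strict On.
                Dim message As SignInResponseMessage = _
                    TryCast(WSFederationMessage.CreateFromFormPost(context.Request), SignInResponseMessage)
                If message IsNot Nothing Then
                    Return True
                End If
            Catch ex As Exception
                ' A form post that cannot be parsed is not exempted: fall through to the
                ' base validator, which applies the normal ASP.NET checks to the value.
            End Try
        End If

        ' All other HTTP input checks are left to the base ASP.NET implementation.
        Return MyBase.IsValidRequestString(context, value, ValidationSource, collectionKey, validationFailureIndex)
    End Function
End Class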
Imports Microsoft.IdentityModel.Protocols.WSFederation
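''' <summary>
''' Request validator that lets a WS-Federation sign-in response pass ASP.NET request validation.
''' </summary>
''' <remarks>
''' The sign-in response is posted in the <c>wresult</c> form field as XML, which the default
''' validator rejects with "A potentially dangerous Request.Form value was detected".
''' This class only exempts that one field from the markup check; it does not verify the token.
''' Signature, issuer and audience checks must still be done by the federation module that
''' consumes the message, and any page that echoes <c>wresult</c> must encode it on output.
''' </remarks>
Public Class SampleRequestValidator
    Inherits RequestValidator

    Public Sub New()
    End Sub

    ''' <summary>
    ''' Decides whether a single request value may be processed.
    ''' </summary>
    ''' <param name="context">The current HTTP context; its request is parsed as a WS-Federation form post.</param>
    ''' <param name="value">The raw value being validated.</param>
    ''' <param name="ValidationSource">Which part of the request the value came from.</param>
    ''' <param name="collectionKey">The key of the value inside its collection (the form field name for form values).</param>
    ''' <param name="validationFailureIndex">Set to -1 here; the base implementation may overwrite it.</param>
    ''' <returns>
    ''' True for the raw URL and for a <c>wresult</c> form field that parses as a sign-in response;
    ''' otherwise whatever the base ASP.NET validator returns.
    ''' </returns>
    Protected Overloads Overrides Function IsValidRequestString(ByVal context As HttpContext, ByVal value As String, _
                                                               ByVal ValidationSource As RequestValidationSource, _
                                                               ByVal collectionKey As String, _
                                                               ByRef validationFailureIndex As Integer) As Boolean
        validationFailureIndex = -1 ' Default for the ByRef result: no failure position.

        ' NOTE(review): this switches request validation off for the raw URL of every request in
        ' the application. Keep it only while no page writes Request.RawUrl into its output;
        ' otherwise delete this branch so the raw URL falls through to the base check.
        If ValidationSource = RequestValidationSource.RawUrl Then
            Return True
        End If

        ' String.Equals tolerates a Nothing key, so a missing key simply falls through to the base check.
        If ValidationSource = RequestValidationSource.Form AndAlso _
           String.Equals(collectionKey, WSFederationConstants.Parameters.Result, StringComparison.Ordinal) Then
            Try
                ' TryCast yields Nothing for any other WS-Federation message type instead of raising
                ' InvalidCastException, and it also compiles with Option Strict On.
                Dim message As SignInResponseMessage = _
                    TryCast(WSFederationMessage.CreateFromFormPost(context.Request), SignInResponseMessage)
                If message IsNot Nothing Then
                    Return True
                End If
            Catch ex As Exception
                ' A form post that cannot be parsed is not exempted: fall through to the
                ' base validator, which applies the normal ASP.NET checks to the value.
            End Try
        End If

        ' All other HTTP input checks are left to the base ASP.NET implementation.
        Return MyBase.IsValidRequestString(context, value, ValidationSource, collectionKey, validationFailureIndex)
    End Function
End Class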