在我的MVC3站点中,我避免使用新的ValidateInput属性设置requestValidationMode =“2.0”,但现在我正在尝试切换到WIF进行身份验证,当STS重定向回我的站点时,我得到了异常,因为WSFederationAuthenticationModule.IsSignInResponse正在调用Request.Form而不是Request.Unvalidated().Form …有没有办法处理这个问题而不需要requestValidationMode =“2.0”(我真的不想这样做).
这是堆栈跟踪,所以你可以看到我的意思.我的Controller的方法永远不会被调用.
[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (wresult="<trust:RequestSecuri...").] System.Web.HttpRequest.ValidateString(String value,String collectionKey,RequestValidationSource requestCollection) +8755668 System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc,RequestValidationSource requestCollection) +122 System.Web.HttpRequest.get_Form() +114 Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.IsSignInResponse(HttpRequest request) +21 Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.CanReadSignInResponse(HttpRequest request,Boolean onPage) +121 Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender,EventArgs args) +78 System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +148 System.Web.HttpApplication.ExecuteStep(IExecutionStep step,Boolean& completedSynchronously) +75
解决方法
处理此问题的正确方法是向HttpRuntime添加特定验证器,HttpRuntime知道如何检测有效的安全令牌.
看看这里的任何例子:http://claimsid.codeplex.com/releases/view/62929
以下是其中一个的摘录(示例#5是具体的,也是MVC应用程序):
namespace FShipping
{
using System;
using System.Web;
using System.Web.Util;
using Microsoft.IdentityModel.Protocols.WSFederation;
public class WsFederationRequestValidator : RequestValidator
{
protected override bool IsValidRequestString(HttpContext context,string value,RequestValidationSource requestValidationSource,string collectionKey,out int validationFailureIndex)
{
validationFailureIndex = 0;
if (requestValidationSource == RequestValidationSource.Form &&
collectionKey.Equals(WSFederationConstants.Parameters.Result,StringComparison.Ordinal))
{
if (WSFederationMessage.CreateFromFormPost(context.Request) as SignInResponseMessage != null)
{
return true;
}
}
return base.IsValidRequestString(context,value,requestValidationSource,collectionKey,out validationFailureIndex);
}
}
}
这是配置:
<system.web> ... <httpRuntime requestValidationType="FShipping.WsFederationRequestValidator" /> </system.web>
