.NET 4.0 and a potentially dangerous Request

  • December 2, 2010 9:39

    Since changing to .NET 4.0 Windows CardSpace is broken with the error message "A potentially dangerous Request" as the Page ValidateRequest="false" doesn't work now.

    I've seen solutions that suggest putting requestValidationMode="2.0" in the web.config file. Is this the preferred solution? Are there reasons for NOT putting this in the web.config file?

    Dave.


All replies

  • January 28, 2011 14:42

    ASP.NET 4 validates incoming requests for potentially dangerous fragments. The security token obtained by CardSpace could be getting rejected by that security framework. You could try setting a custom requestValidator that excludes WSFederation SignInResponse from validation:

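    using System;
    using System.Web;
    using System.Web.Util;
    using Microsoft.IdentityModel.Protocols.WSFederation;

    public class WsFederationRequestValidator : RequestValidator
    {
        protected override bool IsValidRequestString(HttpContext context,
                                string value,
                                RequestValidationSource requestValidationSource,
                                string collectionKey,
                                out int validationFailureIndex)
        {
            validationFailureIndex = 0;

            // Only the WS-Federation result form field (wresult) is a candidate for exemption.
            if (requestValidationSource == RequestValidationSource.Form &&
              collectionKey.Equals(WSFederationConstants.Parameters.Result, StringComparison.Ordinal))
            {
                // Skip validation only when the posted form parses as a sign-in response.
                if (WSFederationMessage.CreateFromFormPost(context.Request) as SignInResponseMessage != null)
                {
                    return true;
                }
            }

            // Everything else goes through the default ASP.NET 4 request validation.
            return base.IsValidRequestString(context,
                              value,
                              requestValidationSource,
                              collectionKey,
                              out validationFailureIndex);
        }
    }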

    Then put the following in your web.config in the system.web section:

        <system.web>
            ...
            <httpRuntime requestValidationType="<your namespace>.WsFederationRequestValidator, <your assembly>" />
        </system.web>


    Jimit Ndiaye
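
Added example, not part of either post above: the `requestValidationMode="2.0"` setting raised in the question, shown application-wide and then scoped to one page so the rest of the site keeps ASP.NET 4 validation. The page name `SignIn.aspx` is a hypothetical placeholder, and the two fragments are alternatives rather than one file.

```xml
<!-- Constructed example. "SignIn.aspx" is a hypothetical page name. -->

<!-- Alternative 1 (broad): the whole application reverts to ASP.NET 2.0 behaviour.
     Request validation then runs only during page processing, and every
     ValidateRequest="false" page directive or <pages validateRequest="false" />
     setting in the application takes effect again. -->
<configuration>
  <system.web>
    <httpRuntime requestValidationMode="2.0" />
  </system.web>
</configuration>

<!-- Alternative 2 (scoped): the application keeps the 4.0 default, which validates
     every request. Only the page that receives the token post runs in 2.0 mode,
     and that page carries ValidateRequest="false" in its @ Page directive. -->
<configuration>
  <location path="SignIn.aspx">
    <system.web>
      <httpRuntime requestValidationMode="2.0" />
    </system.web>
  </location>
</configuration>
```

The custom validator in the reply above is narrower than either fragment: it exempts a single form field, and only when the post parses as a sign-in response.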
  • September 22, 2011 19:17

    Any idea why this works with webforms but not MVC3?