Saturday, February 12, 2011

A potentially dangerous Request.Form value was detected from the client (wresult="<t:RequestSecurityTo...").

While implementing authentication using Windows Azure Access Control Service v2 in the ASP.NET MVC 3/.NET 4.0 web application I am working on, I came across the following error when the authentication page hands control back to my web application:

System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (wresult="<t:RequestSecurityTo...").

I had previously worked my way through the Intro to ACS v2 lab in the Windows Azure Platform Kit and was surprised to see this error, as it had not happened in the Lab.

My initial investigation seemed to indicate that turning off request validation might be the only way to resolve this, but I was not happy with having to validate requests manually for security purposes, and besides, I knew that it was working in the Lab, so I continued investigating.

It turns out that the solution you are using in the Lab above is not a Web Application but a Website. When you do "Add STS reference ..." on a Website, the Federation Utility that launches will automatically add a WIFSampleRequestValidator.cs file containing a class called "SampleRequestValidator", and add the matching requestValidationType key to the web.config -- but it will not do this for a Web Application:

using System;
using System.Web;
using System.Web.Util;
using Microsoft.IdentityModel.Protocols.WSFederation;

// Custom request validator registered via requestValidationType in web.config.
// It accepts the WS-Federation "wresult" form field only when the post parses as a
// sign-in response, and defers to the default validator for everything else.
public class SampleRequestValidator : RequestValidator
{
    protected override bool IsValidRequestString( HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex )
    {
        validationFailureIndex = 0;

        // Only the "wresult" field of a form post is a candidate for bypassing the default validation.
        if ( requestValidationSource == RequestValidationSource.Form 
            && collectionKey.Equals( WSFederationConstants.Parameters.Result, StringComparison.Ordinal ) )
        {
            // Try to parse the whole form post as a WS-Federation message; only a SignInResponseMessage is accepted.
            SignInResponseMessage message = WSFederationMessage.CreateFromFormPost( context.Request ) as SignInResponseMessage;
            if ( message != null )
            {
                return true;
            }
        }

        // Anything else (other fields, query string, cookies, or an unparsable wresult) gets the standard check.
        return base.IsValidRequestString( context, value, requestValidationSource, collectionKey, out validationFailureIndex );
    }
}

Once I knew what the solution was, I could easily find some confirming evidence on the web. From there it was simple enough to include the WIFSampleRequestValidator.cs file and modify the web.config to include the requestValidationType setting, and everything worked as expected. If you come across this issue, I hope this helps clarify and resolve it for you.
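For reference, here is the web.config side of the fix as an added illustration (not from the original post or the WIF SDK), showing the setting that switches validation off entirely next to the requestValidationType setting described above. It assumes the validator class lives in the Website's App_Code folder, so the bare class name resolves; the namespace and assembly names shown for a Web Application are placeholders.

```xml
<!-- Added example; assumes SampleRequestValidator is in App_Code of a Website project. -->
<configuration>
  <system.web>

    <!-- Option 1 (weak): switch request validation off for the whole application.
         On .NET 4.0 both lines are needed, and every form field on every page is
         then accepted without checking, not just the wresult field. -->
    <!--
    <httpRuntime requestValidationMode="2.0" />
    <pages validateRequest="false" />
    -->

    <!-- Option 2 (preferred): keep validation on and plug in the WIF sample validator.
         It lets the wresult field through only when the post parses as a
         WS-Federation sign-in response; all other input still gets the default check. -->
    <httpRuntime requestValidationType="SampleRequestValidator" />

    <!-- For a Web Application project the class is compiled into the project assembly,
         so give the assembly-qualified name instead (placeholders, not real names):
    <httpRuntime requestValidationType="MyWebApp.Security.SampleRequestValidator, MyWebApp" />
    -->

  </system.web>
</configuration>
```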

2 comments:

dumbledad said...

Thanks for the post, that helped. One insight from the link you give is that

"WIF SDK 4.0 provides you with a sample validator you can use for solving the error without giving up the validation. In fact, FedUtil.exe does everything for you if you launch it on a web site (but not for other project types)."

Brad Browne said...

Glad I could help, and thanks for letting me know!