
Monthly Archives: June 2013

Windows Identity Foundation (WIF): A Potentially Dangerous Request.Form Value Was Detected from the Client (wresult=”<trust:RequestSecuri…")


On WIF 3.5 the security token comes back from the identity provider as the wresult form field of a WS-Federation sign-in response, and its value is XML (it starts with <trust:RequestSecurityTokenResponse...). ASP.NET request validation rejects any request whose form values contain markup; that check is a defence against cross-site scripting (XSS), so the legitimate token post is rejected with the error above.

Quick Workaround

To work around the issue quickly, add the following to the ASP.NET application's web.config:

<system.web>
    <httpRuntime requestValidationMode="2.0" />
</system.web>

This puts request validation back into ASP.NET 2.0 mode (2.0 is the ASP.NET version whose behaviour is emulated): validation runs only when a page asks for it instead of for every request. Other handlers and routes are no longer screened, so on ASP.NET MVC (2, 3 or 4) this setting exposes the application to cross-site scripting. It is also a global change made for the sake of a single form field; the proper fix is to exempt only that field.

Solution

To handle the error properly, register a custom request validator that exempts only the wresult field of a WS-Federation sign-in response and leaves the default check in place for everything else.

This is what I have on my ASP.NET MVC 4.0 application:

web.config

<system.web>
    <httpRuntime requestValidationType="WsFederationRequestValidator" />
</system.web>

requestValidationType must be a type name the build manager can resolve: if the class is declared inside a namespace, include the namespace, and add the assembly name after a comma when the class lives in a separate assembly.

Request validator class

using System;
using System.Web;
using System.Web.Util;
// WIF 3.5 namespace; on .NET 4.5 the same types live in System.IdentityModel.Services.
using Microsoft.IdentityModel.Protocols.WSFederation;

public class WsFederationRequestValidator : RequestValidator
{
    protected override bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
    {
        validationFailureIndex = 0;

        // Only the "wresult" form field is a candidate for exemption. Every other source
        // (query string, cookies, headers, other form fields) falls through to the default check.
        if (requestValidationSource == RequestValidationSource.Form && !String.IsNullOrEmpty(collectionKey) && collectionKey.Equals(WSFederationConstants.Parameters.Result, StringComparison.Ordinal))
        {
            // Read the form without triggering request validation again (System.Web.WebPages helper).
            var _unvalidatedFormValues = System.Web.Helpers.Validation.Unvalidated(context.Request).Form;

            // Does the post parse as a WS-Federation sign-in response (wa=wsignin1.0 with a wresult)?
            SignInResponseMessage _message = WSFederationMessage.CreateFromNameValueCollection(WSFederationMessage.GetBaseUrl(context.Request.Url), _unvalidatedFormValues) as SignInResponseMessage;

            // Returning true only waives the markup check for this field. It does not verify the token;
            // WSFederationAuthenticationModule validates the signature and issuer when it processes the request.
            if (_message != null)
            {
                return true;
            }
        }

        // Default ASP.NET behaviour for everything that was not exempted above.
        return base.IsValidRequestString(context, value, requestValidationSource, collectionKey, out validationFailureIndex);
    }
}
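To make the difference between the two fixes concrete, here is an added example (not code from the original post, nor from ASP.NET or WIF) that models both policies over a few constructed form posts. Assumptions: is_dangerous() is a simplified re-implementation of the ASP.NET 4 request-validation rule (reject a '<' followed by a letter, '!', '/' or '?', and the sequence '&#'); is_signin_response() stands in for WSFederationMessage.CreateFromNameValueCollection(...) as SignInResponseMessage and only checks the wa and wresult parameters; rejected_mode_20() follows the post's description that 2.0 mode validates pages only. Neither policy verifies the token itself; that is WIF's job later in the pipeline.

```python
"""Model of why the scoped validator is safer than requestValidationMode="2.0".

Added example, not code from the original page or from ASP.NET/WIF.
ASSUMPTIONS: is_dangerous() is a simplified version of the ASP.NET 4 rule;
is_signin_response() only checks the wa/wresult parameters, as the WIF factory
does, and does not verify the token; the sample posts below are constructed.
"""
import re

WA, WRESULT, SIGNIN = "wa", "wresult", "wsignin1.0"

# '<' followed by a letter, '!', '/' or '?', or an HTML numeric entity prefix.
_DANGEROUS = re.compile(r"<[A-Za-z!/?]|&#")


def is_dangerous(value: str) -> bool:
    """Simplified ASP.NET 'potentially dangerous Request.Form value' rule (assumption)."""
    return _DANGEROUS.search(value) is not None


def is_signin_response(form: dict) -> bool:
    """Does the post look like a WS-Federation sign-in response: wa=wsignin1.0 plus a wresult?"""
    return form.get(WA) == SIGNIN and bool(form.get(WRESULT))


def rejected_mode_20(form: dict, is_page_request: bool) -> list:
    """requestValidationMode="2.0" as the post describes it: validation runs only for
    page requests, so a non-page handler such as an MVC action sees every field unvalidated."""
    if not is_page_request:
        return []
    return [key for key, value in form.items() if is_dangerous(value)]


def rejected_scoped(form: dict) -> list:
    """The custom RequestValidator: wresult is exempt only when the post is a sign-in
    response; every other field still goes through the default rule."""
    rejected = []
    for key, value in form.items():
        if key == WRESULT and is_signin_response(form):
            continue  # the token XML is allowed through here; WIF validates it later
        if is_dangerous(value):
            rejected.append(key)
    return rejected


# Constructed sample posts (not captured from a real STS).
TOKEN_XML = ('<trust:RequestSecurityTokenResponseCollection '
             'xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">'
             '</trust:RequestSecurityTokenResponseCollection>')
SIGNIN_POST = {WA: SIGNIN, WRESULT: TOKEN_XML, "wctx": "rm=0&id=passive&ru=%2f"}
XSS_POST = {"comment": "<script>alert(document.cookie)</script>"}
# A sign-in-shaped post that also smuggles markup in an unrelated field.
MIXED_POST = {WA: SIGNIN, WRESULT: TOKEN_XML, "comment": "<img src=x onerror=alert(1)>"}
# A wresult without the wa action is not a sign-in response and gets no exemption.
BARE_WRESULT_POST = {WRESULT: TOKEN_XML}


if __name__ == "__main__":
    for name, post in [("sign-in", SIGNIN_POST), ("xss", XSS_POST),
                       ("mixed", MIXED_POST), ("bare wresult", BARE_WRESULT_POST)]:
        print(f"{name:13} mode=2.0, MVC action: rejects {rejected_mode_20(post, False)}")
        print(f"{name:13} scoped validator:     rejects {rejected_scoped(post)}")
```

Run it and compare the two columns: the scoped validator lets the sign-in post through while still rejecting the script in XSS_POST and the smuggled field in MIXED_POST, whereas 2.0 mode lets everything through to a non-page handler and, on a page, rejects the legitimate wresult as well.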
 

Posted by on June 12, 2013 in General

 


Entity Framework Code First Migrations Commands

To enable migrations in an Entity Framework Code First project, the following commands take you through installing the package, enabling migrations, adding a migration and updating the database. All of them run in the Package Manager Console.

Install EntityFramework package

PM> install-package EntityFramework

Enable Code First Migrations

PM> Enable-Migrations

Add a migration

PM> Add-Migration <migration_name>

Update the database

PM> Update-Database
 

Posted by on June 11, 2013 in References

 


Code First Migrations StartUp Project Does Not Reference The Project Contains Migrations

Could not load assembly ‘CFMigrationsSyntax.DataLayer’. (If you are using Code First Migrations inside Visual Studio this can happen if the startUp project for your solution does not reference the project that contains your migrations. You can either change the startUp project for your solution or use the -StartUpProjectName parameter.)

Depending on how your solution and projects are set up in Visual Studio, the Entity Framework Code First commands sometimes do not run as expected.

By default, the Code First migration commands run against the default project selected in the Package Manager Console:


But most of the time a Visual Studio solution has separate projects for the presentation, business and data layers. Code First Migrations is enabled on the project where the EF context lives, the data layer, while the solution's startup project is the presentation layer. Since the startup project has no reference to the data layer (where EF is), the Package Manager Console throws the error above whenever a Code First migration command runs.

Here’s my typical projects setup:


MainConsole is the presentation layer and references the business layer project, CFMigrationsSyntax.BusinessLayer. In turn, CFMigrationsSyntax.BusinessLayer references the data layer, CFMigrationsSyntax.DataLayer.

To run EF Code First commands against the data layer project, CFMigrationsSyntax.DataLayer, first change the default project in the Package Manager Console to the EF project and then add the following parameter to the migration commands. The parameter also decides which project's configuration file (app.config or web.config) supplies the connection string, so that project's config must hold the connection string you intend to migrate:

-StartUpProjectName <EF_project>

In my case:

PM> Enable-Migrations -StartUpProjectName CFMigrationsSyntax.DataLayer
 

Posted by on June 11, 2013 in General

 

Templaty Note-Taking

Idea

Most note-taking apps are bound to a basic format, as if you were writing on a paper notepad. If you need a box while taking a note, you have to draw it.
The idea is a note-taking app that allows custom templates. Think of playing bingo: the app loads a bingo template and the user fills it in; once done, the data is saved. Note-taking at an event or a conference is often very specific to a format.
An organization could also create templates for forms, such as an employment application or a volunteer sign-up form, to collect information.
Further development could include storing all templates in the cloud so that users can download them to their devices.

Benefit

  • Custom templates for every use.
  • Anyone can create their own template.
  • Paperless forms.
  • Better handling of data: normalization and data integrity.

How?

Technically, the templates are built with standard HTML5 and CSS3. The app loads any template and saves the data the same way any form on the Internet saves its data.

Will it work?

 

Posted by on June 3, 2013 in General

 


WCF Message and Transport Security

Transport

Encryption (and integrity protection) is applied by the transport layer as the message leaves the process, so it protects the connection point to point: an intermediary that terminates the connection sees the plaintext.
It depends on the transport protocol; over HTTP this normally means HTTPS (TLS).

Message

The message itself is encrypted and signed (WS-Security) before it is handed to the transport, so the protection is end to end and survives intermediaries.
For the most part it is transport-independent.
More flexibility: any type of security credential can be used as long as client and service agree on it.

Code

<system.serviceModel>
    <bindings>
      <wsHttpBinding>
        <binding name="wsHttpEndpointBinding">
          <security mode="Transport">
          </security>
          <!--<security mode="Message">
          </security>-->
        </binding>
      </wsHttpBinding>
    </bindings>
</system.serviceModel>

The values the security mode attribute accepts depend on the binding:

  • None: no security at all.
  • Message: WS-Security applied to the message.
  • Transport: the transport protects the channel (TLS for HTTPS).
  • Both: netMsmqBinding only; transport and message security together.
  • TransportWithMessageCredential: the transport protects the channel while the client credential travels inside the message.
  • TransportCredentialOnly: basicHttpBinding only; the client is authenticated at the transport level but the message is neither encrypted nor signed, so use it only where the channel is protected by other means (HTTPS or a trusted network).

For the wsHttpBinding shown above, the valid values are None, Transport, Message and TransportWithMessageCredential.

More info: What is the difference between transport and message security?

 

Posted by on June 3, 2013 in References

 


 