Adding ValidateAntiForgeryTokenAttribute also fixing a bug in token deserialization.
This commit is contained in:
parent
904c91d2b9
commit
b444f66689
|
|
@ -38,11 +38,12 @@ namespace Microsoft.AspNet.Mvc
|
||||||
Exception innerException = null;
|
Exception innerException = null;
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
using (MemoryStream stream = new MemoryStream(UrlTokenDecode(serializedToken)))
|
var tokenBytes = UrlTokenDecode(serializedToken);
|
||||||
|
using (var stream = new MemoryStream(_cryptoSystem.Unprotect(tokenBytes)))
|
||||||
{
|
{
|
||||||
using (BinaryReader reader = new BinaryReader(stream))
|
using (var reader = new BinaryReader(stream))
|
||||||
{
|
{
|
||||||
AntiForgeryToken token = DeserializeImpl(reader);
|
var token = DeserializeImpl(reader);
|
||||||
if (token != null)
|
if (token != null)
|
||||||
{
|
{
|
||||||
return token;
|
return token;
|
||||||
|
|
@ -64,7 +65,7 @@ namespace Microsoft.AspNet.Mvc
|
||||||
* Version: 1 byte integer
|
* Version: 1 byte integer
|
||||||
* SecurityToken: 16 byte binary blob
|
* SecurityToken: 16 byte binary blob
|
||||||
* IsSessionToken: 1 byte Boolean
|
* IsSessionToken: 1 byte Boolean
|
||||||
* [if IsSessionToken = true]
|
* [if IsSessionToken != true]
|
||||||
* +- IsClaimsBased: 1 byte Boolean
|
* +- IsClaimsBased: 1 byte Boolean
|
||||||
* | [if IsClaimsBased = true]
|
* | [if IsClaimsBased = true]
|
||||||
* | `- ClaimUid: 32 byte binary blob
|
* | `- ClaimUid: 32 byte binary blob
|
||||||
|
|
|
||||||
|
|
@ -0,0 +1,34 @@
|
||||||
|
// Copyright (c) Microsoft Open Technologies, Inc.
|
||||||
|
// All Rights Reserved
|
||||||
|
//
|
||||||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
// you may not use this file except in compliance with the License.
|
||||||
|
// You may obtain a copy of the License at
|
||||||
|
//
|
||||||
|
// http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
//
|
||||||
|
// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR
|
||||||
|
// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
|
||||||
|
// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF
|
||||||
|
// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR
|
||||||
|
// NON-INFRINGEMENT.
|
||||||
|
// See the Apache 2 License for the specific language governing
|
||||||
|
// permissions and limitations under the License.
|
||||||
|
|
||||||
|
using System;
|
||||||
|
using Microsoft.Framework.DependencyInjection;
|
||||||
|
|
||||||
|
namespace Microsoft.AspNet.Mvc
|
||||||
|
{
|
||||||
|
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
|
||||||
|
public class ValidateAntiForgeryTokenAttribute : Attribute, IFilterFactory, IOrderedFilter
|
||||||
|
{
|
||||||
|
public int Order { get; set; }
|
||||||
|
|
||||||
|
public IFilter CreateInstance(IServiceProvider serviceProvider)
|
||||||
|
{
|
||||||
|
var antiForgery = serviceProvider.GetService<AntiForgery>();
|
||||||
|
return new ValidateAntiForgeryTokenAuthorizationFilter(antiForgery);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
@ -0,0 +1,36 @@
|
||||||
|
// Copyright (c) Microsoft Open Technologies, Inc.
|
||||||
|
// All Rights Reserved
|
||||||
|
//
|
||||||
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
// you may not use this file except in compliance with the License.
|
||||||
|
// You may obtain a copy of the License at
|
||||||
|
//
|
||||||
|
// http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
//
|
||||||
|
// THIS CODE IS PROVIDED *AS IS* BASIS, WITHOUT WARRANTIES OR
|
||||||
|
// CONDITIONS OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING
|
||||||
|
// WITHOUT LIMITATION ANY IMPLIED WARRANTIES OR CONDITIONS OF
|
||||||
|
// TITLE, FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABLITY OR
|
||||||
|
// NON-INFRINGEMENT.
|
||||||
|
// See the Apache 2 License for the specific language governing
|
||||||
|
// permissions and limitations under the License.
|
||||||
|
|
||||||
|
using System.Threading.Tasks;
|
||||||
|
|
||||||
|
namespace Microsoft.AspNet.Mvc
|
||||||
|
{
|
||||||
|
public class ValidateAntiForgeryTokenAuthorizationFilter : IAsyncAuthorizationFilter
|
||||||
|
{
|
||||||
|
private readonly AntiForgery _antiForgery;
|
||||||
|
|
||||||
|
public ValidateAntiForgeryTokenAuthorizationFilter([NotNull] AntiForgery antiForgery)
|
||||||
|
{
|
||||||
|
_antiForgery = antiForgery;
|
||||||
|
}
|
||||||
|
|
||||||
|
public async Task OnAuthorizationAsync([NotNull] AuthorizationContext context)
|
||||||
|
{
|
||||||
|
await _antiForgery.ValidateAsync(context.HttpContext);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
@ -110,6 +110,8 @@
|
||||||
<Compile Include="Filters\ResultExecutionDelegate.cs" />
|
<Compile Include="Filters\ResultExecutionDelegate.cs" />
|
||||||
<Compile Include="Filters\ResultFilterAttribute.cs" />
|
<Compile Include="Filters\ResultFilterAttribute.cs" />
|
||||||
<Compile Include="Filters\ServiceFilterAttribute.cs" />
|
<Compile Include="Filters\ServiceFilterAttribute.cs" />
|
||||||
|
<Compile Include="Filters\ValidateAntiForgeryTokenAttribute.cs" />
|
||||||
|
<Compile Include="Filters\ValidateAntiForgeryTokenAuthorizationFilter.cs" />
|
||||||
<Compile Include="FormContext.cs" />
|
<Compile Include="FormContext.cs" />
|
||||||
<Compile Include="HttpDeleteAttribute.cs" />
|
<Compile Include="HttpDeleteAttribute.cs" />
|
||||||
<Compile Include="HttpGetAttribute.cs" />
|
<Compile Include="HttpGetAttribute.cs" />
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue