I'm using .Net 4.5, running ASP.net Service configured with an Identity provider. I would like to alter the AudienceUri validation algorithm to allow wildcards or configure it to ignore subdomains.
In this page:
http://msdn.microsoft.com/en-us/library/system.identitymodel.selectors.samlsecuritytokenauthenticator.allowedaudienceuris(v=vs.100).Aspx
it says in the remarks:
Optionally, override the ValidateAudienceRestriction method to specify
the validation algorithm to use for the allowed URI.
I understand that I need to create a new class, inherit from SamlSecurityTokenAuthenticator and override the method.
But I'm not sure how do I apply this override, I believe that I should instantiate the new class and assign it to a static member of some class, such as FederationAuthentication, but I couldn't find the appropriate class.
Can anybody please clarify how to approach this?
There is a workaround for this.
If the RP validation of the received security token fails due to audience:
[System.InvalidOperationException]: {"ID1032: At least one 'audienceUri' must be specified in the SamlSecurityTokenRequirement when the AudienceUriMode is set to 'Always' or 'BearerKeyOnly'. Either add the valid URI values to the AudienceUris property of SamlSecurityTokenRequirement, or turn off checking by specifying an AudienceUriMode of 'Never' on the SamlSecurityTokenRequirement."}
Data: {System.Collections.ListDictionaryInternal}
HelpLink: null
HResult: -2146233079
InnerException: null
Message: "..."
StackTrace: ..
TargetSite: ..
}
This exception (and many others) can be handled in Application_Error, determine the exception using Server.GetLastError().
I noticed that:
FederatedAuthentication.WSFederationAuthenticationModule.SecurityTokenReceived
Fired right before this exception is thrown. This callback has SecurityTokenReceivedEventArgs, which has the SessionToken, where you can find all the audienceUri(s).
You can implement the logics you need there and add the relevant AudienceUri to:
FederatedAuthentication.ClaimsAuthorizationModule.FederationConfiguration.
IdentityConfiguration.AudienceRestriction.AllowedAudienceUris
As I said this is just a workaround, if you got can pour more information for my original question that will be great :)
Thanks.
Related
I am using asp.net MVC3 and I am very new to this technology.
My models are designed in such a way that the properties will throw validation errors if the data is invalid. In this case, the properties are not set with invalid data.
When I redisplay my editing-view, validation error messages are shown; however the values that the user previously entered are gone because the model that it is bound to only contains the old-valid data.
For example, say I had a Person class and the Name property cannot be a null or empty string otherwise it throws a validation exception and prevents the property from being set. Now say the user removes the value from the Name property and tries to save the Person from the web. A validation exception will be thrown and handled properly to add the error to the ModelState so that it is displayed on the screen; however the old value for the Name is redisplayed since the invalid, empty string never made it into the property.
I do not know how to solve this problem and any advice on the issue would be greatly appreciated.
My advise is allow invalid data but use validation attributes. You wont save invalid entities so there is no problem and this is the standard approach these days. If you don't want do that, there is no easy solution. Most simple solution would be using the info from Request.Form
You should implement IValidatableObject to performe this kind of validation at server side.
From MSDN IValidatableObject Interface:
Provides a way for an object to be invalidated.
Theres an exemple here Using IValidatableObject Custom Validation, also from MSDN.
The solution to this problem was to create a ViewModel that allowed invalid data to be entered into this. This solution also simplified my ModelBinder classes because it took on most of the work.
If certain attributes on built-in ASP.NET controls aren't specified, then an exception will be thrown.
How do I do this on my custom user/server control?
One approach would be to ensure the getter on the property checks for an 'unset' state and throws an exception if that's found to be true.
Is there any specific reason why you want to throw an exception ?
The standard approach is to assign a default value if nothing is specified by the user. Another alternative is already mentioned above by Lazarus.
We have a WebForms Control which requires that the ID of another Control implementing ITextControl is provided.
What exception should we throw if there is no control with that ID or a control is found but it's not implementing the interface?
var text = Page.FindControl(TextProviderId) as ITextControl;
if (text == null) {
throw new WhatEverException(...);
...
Should we split it into two cases and throw one exception if there is no control with that ID, and another one if said control does not implement ITextControl? If so, which exceptions should we use then?
If the control should really be there, I would say that your web form is in an invalid state if it is missing, so I would probably go for InvalidOperationException:
The exception that is thrown when a method call is invalid for the object's current state.
This would be applicable to both scenarios; regardless of whether the control is missing or if it does not implement the expected interface, the containing object is in an invalid state.
If this is a scenario that is expected to happen for various reasons (let's say that you are making some tool that others will program against, and this is a situation that they might very well produce), perhaps you should instead create two custom exceptions that make it very clear what is happening and how to correct it (such as ControlNotFoundException and InterfaceNotFoundException or something similar).
ArgumentOutOfRangeException?
Whether or not you should split them up into different exceptions probably depends most on whether or not you think it is likely that anyone will ever want to distinguish the two exceptions in different catch blocks.
Not knowing exactly how this will be used, this seems like the kind of error that should be brought to the developer's attention, where rewriting code to point to the correct file or implement the correct interface is the proper action, rather than implementing a try-catch and give the user friendly error messages. As such, I'd just throw an ArgumentException.
I use SqlWebEventProvider to log the exceptions to sql server, and it works fine.
I also want to log custom exceptions to aspnet_WebEvent_Events table programmatically. Similar to - http://fredrik.nsquared2.com/viewpost.aspx?PostID=107&showfeedback=true
WebBaseEvent.Raise(new WebErrorEvent("My Error message", null, 5000, e));
I get an error saying "Cannot access constructor 'WebErrorEvent' here due its protection level.
Appreciate your comments...
If you wish to log custom events, you may consider creating your own event by inheriting from one of the predefined event classes found in System.Web.Management.
Here is a good reference written by Scott Mitchell. It is pretty easy to follow
https://web.archive.org/web/20211020121454/https://www.4guysfromrolla.com/articles/062707-1.aspx
The constructor for class WebErrorEvent is private. You can't instantiate an object of this class.
Take a look at Using Access Modifier private with Constructor in the article titled What are constructors in CSharp - A Step Ahead Series?.
I am using methods with the Attribute [WebMethod] in my aspx pages. I don't use any asp.net ajax but jQuery to call these methods and return objects in JSON. This all works fine.
Next I added an authorization check inside the webMethod, if the current user doesn't have access to the feature I need to let the calling JavaScript know.
So I am throwing an AccessViolationException exception which can then be parsed by the OnError callback function in JavaScript. This works too but the exception includes the full StackTrace and I don't want to make this available to the calling client.
What other ways I could use to return an "Access Denied" to the client when the WebMethod returns a business object?
I'm using ASP.Net 3.5SP1 and jQuery 1.32
You can also add a:
customErrors mode="On"/
in your web.config, this will cut away the stack trace and leave you only the exception message
Why propagate errors through the wire? why not use an error response ?
Just wrap your object in a response object wich can contain an error code for status and an error message to present to users.
As suggested by NunFur I changed my approach and rather than throwing an error, I return a 'richer' object.
There are at least two options, the first one would be to encapsulate my business object into a response object with some status properties. I tried this but it makes the JSON more complicated.
So rather than adding a new object I added two properties to my business object, something like ServiceStatus and ServiceMessage. By default these are 200 and '', but can be set by the WebMethod code if anything goes wrong (no access, proper error). In this case they business object will be 'empty' (no data). The JavaScript code then first checks for the ServiceStatus and reacts appropriately.
I add the two fields to all my objects that are returned by WebMethods, even a simple string. They have to implement an Interface with those two properties.
Now I have complete control over that goes over the wire in case something unexpected is happening.
Thanks for the input
I save exceptions for when things go really wrong. (e.g. can't connect to the database)
Either return nothing (null/nill/whatever), or return a false bool value.
Sorry that I don't have a better answer than that...I'll have to keep looking myself.
You could look at SoapException: http://msdn.microsoft.com/en-us/library/system.web.services.protocols.soapexception(VS.71).aspx
I'm just not sure, if it will work when it is called from JavaScript. Espeially if it's called with a get-request.
BTW AccessViolationException is to my best knowlegde ment to be thrown when the application is accessing memory it has no access to.
/Asger