protected override bool IsValidRequestString(
HttpContext context,
string value,
RequestValidationSource requestValidationSource,
string collectionKey,
out int validationFailureIndex)
{
validationFailureIndex = 0;
if (requestValidationSource == RequestValidationSource.Form &&
collectionKey.Equals(WSFederationConstants.Parameters.Result, StringComparison.Ordinal))
{
//创建登录消息
//SignInResponseMessage message = WSFederationMessage.CreateFromFormPost(context.Request) as SignInResponseMessage;
//只要是WSFed的消息都算合法验证
WSFederationMessage message = WSFederationMessage.CreateFromFormPost(context.Request);
if (message != null)
{
return(true);
}
}
return(base.IsValidRequestString(context, value, requestValidationSource, collectionKey, out validationFailureIndex));
}
public ActionResult SignInResponse()
{
if (this.User != null && this.User.Identity != null && this.User.Identity.IsAuthenticated)
{
var responseMessage =
WSFederationMessage.CreateFromFormPost(this.HttpContext.ApplicationInstance.Request);
return(this.HandleSignInResponse(responseMessage.Context));
}
throw new UnauthorizedAccessException();
}
void WSFederationAuthenticationModule_SignedIn(object sender, System.EventArgs e)
{
WSFederationMessage wsFederationMessage = WSFederationMessage.CreateFromFormPost(HttpContext.Current.Request);
if (wsFederationMessage.Context != null)
{
var wctx = HttpUtility.ParseQueryString(wsFederationMessage.Context);
string returnUrl = wctx["ru"];
// TODO: check for absolute url and throw to avoid open redirects
HttpContext.Current.Response.Redirect(returnUrl, false);
HttpContext.Current.ApplicationInstance.CompleteRequest();
}
}
protected override bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
{
validationFailureIndex = 0;
HttpContextWrapper contextWrapper = new HttpContextWrapper(HttpContext.Current);
if (requestValidationSource == RequestValidationSource.Form && collectionKey.Equals("wresult", StringComparison.Ordinal))
{
SignInResponseMessage message = WSFederationMessage.CreateFromFormPost(contextWrapper.Request) as SignInResponseMessage;
if (message != null)
{
return(true);
}
}
return(base.IsValidRequestString(context, value, requestValidationSource, collectionKey, out validationFailureIndex));
}
private void HandleSignInResponse()
{
var responseMessage = WSFederationMessage.CreateFromFormPost(this.Page.Request);
this.HandleSignInResponse(responseMessage);
}
public ActionResult Authenticate(string ReturnUrl)
{
if (Request.Form.Get(WSFederationConstants.Parameters.Result) != null)
{
var settings = this.SettingsService.Retrieve();
// Parse sign-in response
SignInResponseMessage message =
WSFederationMessage.CreateFromFormPost(System.Web.HttpContext.Current.Request) as
SignInResponseMessage;
XmlTextReader xmlReader = new XmlTextReader(
new StringReader(message.Result));
XDocument xDoc = XDocument.Load(xmlReader);
XNamespace xNs = "http://schemas.xmlsoap.org/ws/2005/02/trust";
var rst = xDoc.Descendants(xNs + "RequestedSecurityToken").FirstOrDefault();
if (rst == null)
{
throw new ApplicationException("No RequestedSecurityToken element was found in the returned XML token. Ensure an unencrypted SAML 2.0 token is issued.");
}
var rstDesc = rst.Descendants().FirstOrDefault();
if (rstDesc == null)
{
throw new ApplicationException("No valid RequestedSecurityToken element was found in the returned XML token. Ensure an unencrypted SAML 2.0 token is issued.");
}
var config = new SecurityTokenHandlerConfiguration();
config.AudienceRestriction.AllowedAudienceUris.Add(new Uri(settings.AudienceUrl));
config.CertificateValidator = X509CertificateValidator.None;
config.IssuerNameRegistry = new AccessControlServiceIssuerRegistry(
settings.StsIssuerUrl, settings.X509CertificateThumbprint);
var securityTokenHandlers = new SecurityTokenHandlerCollection(config);
securityTokenHandlers.Add(new Saml11SecurityTokenHandler());
securityTokenHandlers.Add(new Saml2SecurityTokenHandler());
securityTokenHandlers.Add(new EncryptedSecurityTokenHandler());
var token = securityTokenHandlers.ReadToken(rstDesc.CreateReader());
ClaimsIdentityCollection claims = securityTokenHandlers.ValidateToken(token);
IPrincipal principal = new ClaimsPrincipal(claims);
// Map claims to local users
string roleClaimValue = "";
string usernameClaimValue = "";
string emailClaimValue = "";
foreach (var claimsIdentity in claims)
{
foreach (var claim in claimsIdentity.Claims)
{
if (claim.ClaimType == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role" && settings.TranslateClaimsToOrchardRoles)
{
roleClaimValue = claim.Value;
}
else if (claim.ClaimType == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" && settings.TranslateClaimsToOrchardUserProperties)
{
emailClaimValue = claim.Value;
}
else if (claim.ClaimType == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name")
{
usernameClaimValue = claim.Value;
}
else if (claim.ClaimType == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" && string.IsNullOrEmpty(usernameClaimValue))
{
usernameClaimValue = claim.Value;
}
}
}
if (string.IsNullOrEmpty(usernameClaimValue))
{
throw new SecurityException("Could not determine username from input claims. Ensure a \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\" or \"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\" claim is issued by the STS.");
}
IUser user = MembershipService.GetUser(settings.FederatedUsernamePrefix + usernameClaimValue);
if (user == null)
{
user = MembershipService.CreateUser(new CreateUserParams(settings.FederatedUsernamePrefix + usernameClaimValue,
Guid.NewGuid().ToString(), emailClaimValue,
Guid.NewGuid().ToString(), Guid.NewGuid().ToString(), true));
}
AuthenticationService.SignIn(user, false);
if (!string.IsNullOrEmpty(roleClaimValue))
{
var role = RoleService.GetRoleByName(roleClaimValue);
if (role != null)
{
UserRolesPartRecord currentRole =
UserRolesRepository.Get(r => r.UserId == user.Id && r.Role == role);
if (currentRole == null)
{
UserRolesRepository.Create(new UserRolesPartRecord {
UserId = user.Id, Role = role
});
}
}
}
}
return(new RedirectResult(ReturnUrl));
}