Added support for including an antiforgery token if one is rendered on the page
Showing
10 changed files
with
160 additions
and
31 deletions.
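--- a/src/MvcHaack.Ajax.DemoWeb/Areas/MvcAjaxDemo/Views/Home/SecureComicsPostDemo.cshtml
+++ b/src/MvcHaack.Ajax.DemoWeb/Areas/MvcAjaxDemo/Views/Home/SecureComicsPostDemo.cshtml
@@ -0,0 +1,53 @@
+@{
+ViewBag.Title = "ComicsDemoPostback";
+}
+
+@section Scripts {
+<script src="@Url.Content("~/Scripts/jquery-1.6.2.js")" type="text/javascript"></script>
+<script src="@Url.Content("~/json/comicsdemo?json")"></script>
+<script src="@Url.Content("~/Scripts/comicsdemo.js")"></script>
+}
+
+<h2>Simple Comics Post Demo With AntiForgery Protection</h2>
+
+<button id="post">Click to post a comic to the server</button>
+
+<script>
+$(function () {
+$('#post').click(function () {
+$mvc.ComicsDemo.SaveSecure({ Title: 'Adventurers', Issue: 123 }, true /*includeAntiForgeryToken*/).done(function (data) {
+alert(data.message + ' Comic: ' + data.comic.Title);
+}).fail(function () { alert('Failed!'); });
+});
+});
+</script>
+
+<hr />
+
+@Html.AntiForgeryToken()
+
+<fieldset class="code">
+<legend>comicspostdemo.html</legend>
+
+<pre class="csharpcode">
+<span class="kwrd"><</span><span class="html">script</span> <span class="attr">src</span><span class="kwrd">="../../Scripts/jquery-1.6.2.js"</span> <span class="attr">type</span><span class="kwrd">="text/javascript"</span><span class="kwrd">></</span><span class="html">script</span><span class="kwrd">></span>
+<span class="kwrd"><</span><span class="html">script</span> <span class="attr">src</span><span class="kwrd">="/json/comicsdemo?json"</span><span class="kwrd">></</span><span class="html">script</span><span class="kwrd">></span>
+<span class="kwrd"><</span><span class="html">script</span> <span class="attr">src</span><span class="kwrd">="/Scripts/comicsdemo.js"</span><span class="kwrd">></</span><span class="html">script</span><span class="kwrd">></span>
+
+<span class="kwrd"><</span><span class="html">h2</span><span class="kwrd">></span>Simple Comics Post Demo<span class="kwrd"></</span><span class="html">h2</span><span class="kwrd">></span>
+
+<span class="kwrd"><</span><span class="html">button</span> <span class="attr">id</span><span class="kwrd">="post"</span><span class="kwrd">></span>Click to post a comic to the server<span class="kwrd"></</span><span class="html">button</span><span class="kwrd">></span>
+
+<span class="asp">@@</span>Html.AntiForgeryToken()
+
+<span class="kwrd"><</span><span class="html">script</span><span class="kwrd">></span>
+$(<span class="kwrd">function</span>() {
+$(<span class="str">'#post'</span>).click(<span class="kwrd">function</span>() {
+$mvc.ComicsDemo.SaveSecure({ Title: <span class="str">'Adventurers'</span>, Issue: 123 }).done(<span class="kwrd">function</span>(data) {
+alert(data.message + <span class="str">' Comic: '</span> + data.comic.Title);
+});
+});
+});
+<span class="kwrd"></</span><span class="html">script</span><span class="kwrd">></span></pre>
+
+</fieldset>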
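Review bot: The `<pre>` sample under the "comicspostdemo.html" legend no longer matches the script that actually runs on this page: the live `$mvc.ComicsDemo.SaveSecure` call passes `true /*includeAntiForgeryToken*/` and chains `.fail(...)`, while the sample calls `SaveSecure({ Title: 'Adventurers', Issue: 123 })` with neither, so a reader copying the sample would post without the token and see no error when the server rejects it. Update the sample line to `$mvc.ComicsDemo.SaveSecure({ Title: <span class="str">'Adventurers'</span>, Issue: 123 }, true /*includeAntiForgeryToken*/).done(...)` and give the legend a name that distinguishes it from the unprotected demo, e.g. `securecomicspostdemo.html`. `@Html.AntiForgeryToken()` is rendered outside any `<form>` here; presumably comicsdemo.js (not in this view) reads the hidden field it emits, so a Razor comment next to it such as `@* emits the hidden __RequestVerificationToken field that SaveSecure(..., true) sends with the request *@` would record that dependency for the next editor.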
@@ -1,60 +1,60 @@ | ||
<?xml version="1.0" encoding="utf-8"?> | ||
<?xml version="1.0"?> | ||
<!-- | ||
For more information on how to configure your ASP.NET application, please visit | ||
http://go.microsoft.com/fwlink/?LinkId=152368 | ||
--> | ||
<configuration> | ||
<appSettings> | ||
<add key="webpages:Version" value="1.0.0.0" /> | ||
<add key="ClientValidationEnabled" value="true" /> | ||
<add key="UnobtrusiveJavaScriptEnabled" value="true" /> | ||
<add key="webpages:Version" value="1.0.0.0"/> | ||
<add key="ClientValidationEnabled" value="true"/> | ||
<add key="UnobtrusiveJavaScriptEnabled" value="true"/> | ||
</appSettings> | ||
<system.web> | ||
<compilation debug="false" targetFramework="4.0"> | ||
<compilation debug="true" targetFramework="4.0"> | ||
<assemblies> | ||
<add assembly="System.Web.Abstractions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" /> | ||
<add assembly="System.Web.Helpers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" /> | ||
<add assembly="System.Web.Routing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" /> | ||
<add assembly="System.Web.Mvc, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" /> | ||
<add assembly="System.Web.WebPages, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" /> | ||
<add assembly="System.Web.Abstractions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/> | ||
<add assembly="System.Web.Helpers, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/> | ||
<add assembly="System.Web.Routing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/> | ||
<add assembly="System.Web.Mvc, Version=3.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/> | ||
<add assembly="System.Web.WebPages, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/> | ||
</assemblies> | ||
</compilation> | ||
<authentication mode="Forms"> | ||
<forms loginUrl="~/Account/LogOn" timeout="2880" /> | ||
<forms loginUrl="~/Account/LogOn" timeout="2880"/> | ||
</authentication> | ||
<pages> | ||
<namespaces> | ||
<add namespace="System.Web.Helpers" /> | ||
<add namespace="System.Web.Mvc" /> | ||
<add namespace="System.Web.Mvc.Ajax" /> | ||
<add namespace="System.Web.Mvc.Html" /> | ||
<add namespace="System.Web.Routing" /> | ||
<add namespace="System.Web.WebPages" /> | ||
<add namespace="System.Web.Helpers"/> | ||
<add namespace="System.Web.Mvc"/> | ||
<add namespace="System.Web.Mvc.Ajax"/> | ||
<add namespace="System.Web.Mvc.Html"/> | ||
<add namespace="System.Web.Routing"/> | ||
<add namespace="System.Web.WebPages"/> | ||
</namespaces> | ||
</pages> | ||
</system.web> | ||
<system.webServer> | ||
<validation validateIntegratedModeConfiguration="false" /> | ||
<modules runAllManagedModulesForAllRequests="true" /> | ||
<validation validateIntegratedModeConfiguration="false"/> | ||
<modules runAllManagedModulesForAllRequests="true"/> | ||
<defaultDocument> | ||
<files> | ||
<clear /> | ||
<add value="default.html" /> | ||
</files> | ||
<files> | ||
<clear/> | ||
<add value="default.html"/> | ||
</files> | ||
</defaultDocument> | ||
</system.webServer> | ||
<runtime> | ||
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1"> | ||
<dependentAssembly> | ||
<assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35" /> | ||
<bindingRedirect oldVersion="1.0.0.0-2.0.0.0" newVersion="3.0.0.0" /> | ||
<assemblyIdentity name="System.Web.Mvc" publicKeyToken="31bf3856ad364e35"/> | ||
<bindingRedirect oldVersion="1.0.0.0-2.0.0.0" newVersion="3.0.0.0"/> | ||
</dependentAssembly> | ||
</assemblyBinding> | ||
</runtime> | ||
<system.data> | ||
<DbProviderFactories> | ||
<remove invariant="System.Data.SqlServerCe.4.0" /> | ||
<add name="Microsoft SQL Server Compact Data Provider 4.0" invariant="System.Data.SqlServerCe.4.0" description=".NET Framework Data Provider for Microsoft SQL Server Compact" type="System.Data.SqlServerCe.SqlCeProviderFactory, System.Data.SqlServerCe, Version=4.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /> | ||
<remove invariant="System.Data.SqlServerCe.4.0"/> | ||
<add name="Microsoft SQL Server Compact Data Provider 4.0" invariant="System.Data.SqlServerCe.4.0" description=".NET Framework Data Provider for Microsoft SQL Server Compact" type="System.Data.SqlServerCe.SqlCeProviderFactory, System.Data.SqlServerCe, Version=4.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91"/> | ||
</DbProviderFactories> | ||
</system.data> | ||
</configuration> |
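Review bot: The only non-whitespace change in this hunk is `<compilation debug="true" targetFramework="4.0">` (the second of the two `compilation` lines, which the old/new pairing of the rest of the hunk suggests is the new side); everything else is self-closing-tag reformatting, so the flip looks like a side effect of a tool rewriting the file. Debug compilation should not be deployed even for a demo site: it turns off request timeouts and puts source line information into error output. Either revert it to `debug="false"` or mark the intent with `<!-- debug="true" is for local development only; set to false before deploying -->` so it is not shipped unnoticed.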
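--- a/src/MvcHaack.Ajax/ValidateJsonAntiForgeryTokenAttribute.cs
+++ b/src/MvcHaack.Ajax/ValidateJsonAntiForgeryTokenAttribute.cs
@@ -0,0 +1,57 @@
+using System;
+using System.Collections.Specialized;
+using System.Web;
+using System.Web.Helpers;
+using System.Web.Mvc;
+
+namespace MvcHaack.Ajax {
+[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, AllowMultiple = false, Inherited = true)]
+public class ValidateJsonAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter {
+
+public void OnAuthorization(AuthorizationContext filterContext) {
+if (filterContext == null) {
+throw new ArgumentNullException("filterContext");
+}
+
+var httpContext = new JsonAntiForgeryHttpContextWrapper(HttpContext.Current);
+AntiForgery.Validate(httpContext, Salt ?? string.Empty);
+}
+
+public string Salt {
+get;
+set;
+}
+
+private class JsonAntiForgeryHttpContextWrapper : HttpContextWrapper {
+HttpRequestBase _request;
+public JsonAntiForgeryHttpContextWrapper(HttpContext httpContext)
+: base(httpContext) {
+_request = new JsonAntiForgeryHttpRequestWrapper(httpContext.Request);
+}
+
+public override HttpRequestBase Request {
+get {
+return _request;
+}
+}
+}
+
+private class JsonAntiForgeryHttpRequestWrapper : HttpRequestWrapper {
+NameValueCollection _form;
+
+public JsonAntiForgeryHttpRequestWrapper(HttpRequest request)
+: base(request) {
+_form = new NameValueCollection(request.Form);
+if (request.Headers["__RequestVerificationToken"] != null) {
+_form["__RequestVerificationToken"] = request.Headers["__RequestVerificationToken"];
+}
+}
+
+public override NameValueCollection Form {
+get {
+return _form;
+}
+}
+}
+}
+}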
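Review bot: `OnAuthorization` null-checks `filterContext` and then never uses it, building the wrapper from `HttpContext.Current` instead, so the check is dead and the filter cannot be exercised with a substituted `HttpContextBase`; the header/form merge should be driven from `filterContext.HttpContext`, which with the current derive-from-`HttpContextWrapper` design means either wrapping `HttpContextBase`/`HttpRequestBase` by delegation or, at minimum, passing `filterContext.HttpContext.ApplicationInstance.Context`. The literal `"__RequestVerificationToken"` appears three times in `JsonAntiForgeryHttpRequestWrapper`; hoist it to `private const string TokenHeaderName = "__RequestVerificationToken";` so the header name and the form field name it shadows cannot drift apart. The class has no documentation; a `<summary>` should state why a request header is accepted in place of the hidden form field — a cross-site form post cannot attach a custom header, while the cookie half of the check that `AntiForgery.Validate` performs is untouched — and that the header value, when present, overrides any form field of the same name. It should also record that the check stays fail-closed: a request carrying neither the header nor the form field reaches `AntiForgery.Validate` with no token and is expected to be rejected there.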
bf4a15d
I think the ValidateJsonAntiForgeryTokenAttribute rename ValidateAjaxAntiForgeryTokenAttribute will be better.