author | levib <levib@microsoft.com> | 2012-04-07 03:40:59 +0400 |
committer | levib <levib@microsoft.com> | 2012-04-07 03:42:35 +0400 |
commit | de43b6ad756800fd3b6e984ec65f9f37dbad723f (patch) | |
tree | dcf9b9af761a2ac8924b37084938a1bf79807883 /src/System.Web.Mvc | |
parent | a257938cd04948862e4af29f44aa45ffaea86592 (diff) |
Responding to customer and partner feedback re: the Anti-XSRF helpers.
What's new:
- Programmatic configuration over various Anti-XSRF behaviors:
-> The name of the cookie to use.
-> Whether SSL is required.
-> Ability to provide a nonce or other "custom data".
- The exception message is now a little less cryptic. It tells you exactly what check failed (e.g. the cookie 'foo' was missing, the token was meant for a different user, etc.).
- The system tries to detect if the current identity is degenerate (e.g. authenticated but without a name) and fails safe. The exception message specifies how to resolve the problem. (This check can be suppressed via config if necessary.)
- Ability to get the cookie and form token strings directly if you want more manual control.
- Built-in support for OpenID and Azure ACS (WIF).
- For most consumers, the token size is smaller.
Breaks:
- The salt / domain / path parameters are all marked obsolete-as-error. The customer can achieve the same effect by using the <httpCookies> configuration element or calling the AntiForgery.* APIs that are string-based.
- Not compatible with MVC 1 / 2 / 3. However, this system makes it easier to recover gracefully when an old token is submitted.
CR: marcind; bradwils
SR: naziml
Diffstat (limited to 'src/System.Web.Mvc')
-rw-r--r-- | src/System.Web.Mvc/HtmlHelper.cs | 31 | ||||
-rw-r--r-- | src/System.Web.Mvc/ValidateAntiForgeryTokenAttribute.cs | 25 |
2 files changed, 47 insertions, 9 deletions
diff --git a/src/System.Web.Mvc/HtmlHelper.cs b/src/System.Web.Mvc/HtmlHelper.cs
index d9a5d2d0..43c483bf 100644
--- a/src/System.Web.Mvc/HtmlHelper.cs
+++ b/src/System.Web.Mvc/HtmlHelper.cs
@@ -106,19 +106,44 @@ namespace System.Web.Mvc
 return result;
 }
 
+ [SuppressMessage("Microsoft.Performance", "CA1822:MarkMembersAsStatic", Justification = "For consistency, all helpers are instance methods.")]
 public MvcHtmlString AntiForgeryToken()
 {
- return AntiForgeryToken(salt: null);
+ return new MvcHtmlString(AntiForgery.GetHtml().ToString());
 }
 
+ [SuppressMessage("Microsoft.Naming", "CA2204:Literals should be spelled correctly", MessageId = "AdditionalDataProvider", Justification = "API name.")]
+ [SuppressMessage("Microsoft.Naming", "CA2204:Literals should be spelled correctly", MessageId = "AntiForgeryConfig", Justification = "API name.")]
+ [SuppressMessage("Microsoft.Naming", "CA2204:Literals should be spelled correctly", MessageId = "AntiForgeryToken", Justification = "API name.")]
+ [SuppressMessage("Microsoft.Naming", "CA2204:Literals should be spelled correctly", MessageId = "httpCookies", Justification = "API name.")]
+ [SuppressMessage("Microsoft.Performance", "CA1822:MarkMembersAsStatic", Justification = "Method is obsolete.")]
+ [Obsolete("This method is deprecated. Use the AntiForgeryToken() method instead. To specify custom data to be embedded within the token, use the static AntiForgeryConfig.AdditionalDataProvider property.", error: true)]
+ [EditorBrowsable(EditorBrowsableState.Never)]
 public MvcHtmlString AntiForgeryToken(string salt)
 {
- return AntiForgeryToken(salt, domain: null, path: null);
+ if (!String.IsNullOrEmpty(salt))
+ {
+ throw new NotSupportedException("This method is deprecated. Use the AntiForgeryToken() method instead. To specify custom data to be embedded within the token, use the static AntiForgeryConfig.AdditionalDataProvider property.");
+ }
+
+ return AntiForgeryToken();
 }
 
+ [SuppressMessage("Microsoft.Naming", "CA2204:Literals should be spelled correctly", MessageId = "AdditionalDataProvider", Justification = "API name.")]
+ [SuppressMessage("Microsoft.Naming", "CA2204:Literals should be spelled correctly", MessageId = "AntiForgeryConfig", Justification = "API name.")]
+ [SuppressMessage("Microsoft.Naming", "CA2204:Literals should be spelled correctly", MessageId = "AntiForgeryToken", Justification = "API name.")]
+ [SuppressMessage("Microsoft.Naming", "CA2204:Literals should be spelled correctly", MessageId = "httpCookies", Justification = "API name.")]
+ [SuppressMessage("Microsoft.Performance", "CA1822:MarkMembersAsStatic", Justification = "Method is obsolete.")]
+ [Obsolete("This method is deprecated. Use the AntiForgeryToken() method instead. To specify a custom domain for the generated cookie, use the <httpCookies> configuration element. To specify custom data to be embedded within the token, use the static AntiForgeryConfig.AdditionalDataProvider property.", error: true)]
+ [EditorBrowsable(EditorBrowsableState.Never)]
 public MvcHtmlString AntiForgeryToken(string salt, string domain, string path)
 {
- return new MvcHtmlString(AntiForgery.GetHtml(ViewContext.HttpContext, salt, domain, path).ToString());
+ if (!String.IsNullOrEmpty(salt) || !String.IsNullOrEmpty(domain) || !String.IsNullOrEmpty(path))
+ {
+ throw new NotSupportedException("This method is deprecated. Use the AntiForgeryToken() method instead. To specify a custom domain for the generated cookie, use the <httpCookies> configuration element. To specify custom data to be embedded within the token, use the static AntiForgeryConfig.AdditionalDataProvider property.");
+ }
+
+ return AntiForgeryToken();
 }
 
 [SuppressMessage("Microsoft.Performance", "CA1822:MarkMembersAsStatic", Justification = "For consistency, all helpers are instance methods.")]
diff --git a/src/System.Web.Mvc/ValidateAntiForgeryTokenAttribute.cs b/src/System.Web.Mvc/ValidateAntiForgeryTokenAttribute.cs
index b948a0b0..810344c0 100644
--- a/src/System.Web.Mvc/ValidateAntiForgeryTokenAttribute.cs
+++ b/src/System.Web.Mvc/ValidateAntiForgeryTokenAttribute.cs
@@ -1,4 +1,6 @@
-using System.Diagnostics;
+using System.ComponentModel;
+using System.Diagnostics;
+using System.Diagnostics.CodeAnalysis;
 using System.Web.Helpers;
 
 namespace System.Web.Mvc
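Review bot: The three-parameter overload rejects a non-empty `path` but its NotSupportedException text (and the matching [Obsolete] text) only tells the caller where `domain` and the custom data moved, so someone who passed a cookie path gets no pointer to the replacement, which per the commit description is the string-based AntiForgery.* API; the message should say so. The same long literal is also repeated verbatim between each [Obsolete] attribute and its throw, four copies across the two overloads, and the `Salt` property in ValidateAntiForgeryTokenAttribute.cs has the same pair; a `private const string` per message (e.g. `private const string SaltObsoleteMessage = "This method is deprecated. ...";`) used in both the attribute and the throw keeps them from drifting, since attribute arguments accept constants. Separately, the zero-argument helper now calls `AntiForgery.GetHtml()` without the `ViewContext.HttpContext` it previously passed, so the cookie is presumably issued against the ambient request rather than the view's context; worth confirming that view tests that supply a fake HttpContextBase still observe the cookie on the mocked response. The enclosing HtmlHelper class starts and ends outside the hunk.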
@@ -13,19 +15,30 @@ namespace System.Web.Mvc
 {
 }
 
- internal ValidateAntiForgeryTokenAttribute(Action<HttpContextBase, string> validateAction)
+ internal ValidateAntiForgeryTokenAttribute(Action validateAction)
 {
 Debug.Assert(validateAction != null);
 ValidateAction = validateAction;
 }
 
+ [SuppressMessage("Microsoft.Naming", "CA2204:Literals should be spelled correctly", MessageId = "AdditionalDataProvider", Justification = "API name.")]
+ [SuppressMessage("Microsoft.Naming", "CA2204:Literals should be spelled correctly", MessageId = "AntiForgeryConfig", Justification = "API name.")]
+ [Obsolete("The 'Salt' property is deprecated. To specify custom data to be embedded within the token, use the static AntiForgeryConfig.AdditionalDataProvider property.", error: true)]
+ [EditorBrowsable(EditorBrowsableState.Never)]
 public string Salt
 {
- get { return _salt ?? String.Empty; }
- set { _salt = value; }
+ get { return _salt; }
+ set
+ {
+ if (!String.IsNullOrEmpty(value))
+ {
+ throw new NotSupportedException("The 'Salt' property is deprecated. To specify custom data to be embedded within the token, use the static AntiForgeryConfig.AdditionalDataProvider property.");
+ }
+ _salt = value;
+ }
 }
 
- internal Action<HttpContextBase, string> ValidateAction { get; private set; }
+ internal Action ValidateAction { get; private set; }
 
 public void OnAuthorization(AuthorizationContext filterContext)
 {
@@ -34,7 +47,7 @@ namespace System.Web.Mvc
 throw new ArgumentNullException("filterContext");
 }
 
- ValidateAction(filterContext.HttpContext, Salt);
+ ValidateAction();
 }
 }
 }
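Review bot: `OnAuthorization` now invokes `ValidateAction()` with no salt (third hunk), so a site that previously gave different forms different `Salt` values to keep a token issued for one form from validating on another loses that separation silently, and the only place this file points at the replacement is the obsolete text; a remark on the `Salt` property, `// Salt no longer takes part in validation; per-form scoping now goes through AntiForgeryConfig.AdditionalDataProvider.`, makes the migration explicit for readers of the attribute. The getter also changed from `_salt ?? String.Empty` to `_salt`, so reflection-based readers (the only ones left once the property is obsolete-as-error) can now observe null where they previously got an empty string; keeping `get { return _salt ?? String.Empty; }` preserves the old contract at no cost. The class ValidateAntiForgeryTokenAttribute begins outside the hunk.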