dotnet-cas-client
Issues/single logout
#80 After logout CAS sends post request message=<samlp:LogoutRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="LR-177-X8BLQyvy76SFszPwCMYwpFeF" Version="2.0" IssueInstant="2018-04-12T15:07:21Z"><saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">@NOT_USED@</saml:NameID><samlp:SessionIndex>ST-2171-iZF3BlhCp9VdarvPV-tJ1GEebO0-kaspi-portsso1</samlp:SessionIndex></samlp:LogoutRequest>,asynchronous=false,contentType=application/x-www-form-urlencoded
And dotnet-cas-client tries to get logoutRequest from HttpContext.Current.Request.Form
internal static void ProcessSingleSignOutRequest()
{
    HttpContext context = HttpContext.Current;
    HttpRequest request = context.Request;
    HttpResponse response = context.Response;
    protoLogger.Debug("Examining request for single sign-out signature");
    if (request.HttpMethod == "POST" && request.Form["logoutRequest"] != null)
    {
Getting the value causes an exception - context.Request.Form["logoutRequest"] 'context.Request.Form["logoutRequest"]' threw an exception of type 'System.Web.HttpRequestValidationException' string {System.Web.HttpRequestValidationException}
Uh, @nightBaker why do you keep closing and re-opening pull requests? You can just keep continuing your changes on a single pull request and push the changes to it as you go along.
TL;DR: no need to create a new pull request and close the previous one for each commit/change you make.
@nightBaker You'll also need to tell us when you are done making changes to the PR... otherwise I have no clue when you are done making changes... which is why I'll suggest that you don't normally submit a PR in any source control system until you are done working on the code on an issue.
Granted though, it's okay to have a discussion in the PR once it is submitted... which might lead to further changes on your part. TL;DR: Get what you want to get done in its fullest and then submit a PR and we can discuss as a group.
I am done making changes)
There are some places where it tries to get the value from HttpContext.Current.Request.Form["logoutRequest"],
which contains XML, so ASP.NET throws the exception System.Web.HttpRequestValidationException,
so I made changes for .NET 4.5 using the Unvalidated property, which gives access to values without triggering ASP.NET request validation:
HttpContext.Current.Request.Unvalidated.Form["logoutRequest"]
which solved the issue
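The .NET 4.5 approach described in the comment above, as an added example that is not part of the original thread or of dotnet-cas-client: request validation is bypassed for the single `logoutRequest` field only, and the XML is then parsed with DTDs and external resolution disabled, since the value has not been screened. The class `LogoutRequestReader`, its method names and the `MaxLength` cap are hypothetical.

```csharp
using System.IO;
using System.Web;
using System.Xml;
using System.Xml.Linq;

// Hypothetical helper for illustration; not the project's own code.
internal static class LogoutRequestReader
{
    private static readonly XNamespace Samlp = "urn:oasis:names:tc:SAML:2.0:protocol";
    private const int MaxLength = 8192; // assumed upper bound for a logout message

    // Returns the service ticket carried in <samlp:SessionIndex>, or null when
    // the request is not a well-formed CAS single sign-out POST.
    internal static string ReadSessionIndex(HttpRequest request)
    {
        if (request.HttpMethod != "POST") return null;

        // Unvalidated skips ASP.NET request validation for this lookup only;
        // every other Form/QueryString access on the request stays validated.
        string xml = request.Unvalidated.Form["logoutRequest"];
        return ExtractSessionIndex(xml);
    }

    internal static string ExtractSessionIndex(string xml)
    {
        if (string.IsNullOrEmpty(xml) || xml.Length > MaxLength) return null;

        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit, // a DOCTYPE raises XmlException
            XmlResolver = null                      // no external entity or schema fetches
        };
        try
        {
            using (XmlReader reader = XmlReader.Create(new StringReader(xml), settings))
            {
                XElement root = XDocument.Load(reader).Root;
                if (root == null || root.Name != Samlp + "LogoutRequest") return null;
                XElement index = root.Element(Samlp + "SessionIndex");
                return index == null ? null : index.Value.Trim();
            }
        }
        catch (XmlException)
        {
            return null; // malformed XML or prohibited DTD: treat as not a logout request
        }
    }
}
```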
@nightBaker
You say you fixed the problem for the .NET 4.x code path.
Question: does the problem exist in the .NET 2/3.x code path? If yes, then have you fixed that as well in this PR?
@phantomtypist
The problem still exists in .NET 2/3. It is not possible to fix it in the same way, because HttpContext.Current.Request.Unvalidated
is not available for these versions of the framework
@nightBaker I understand how it is not fixable in 2/3.x in the same manner you did for 4.x, but do you think you'd feel a little adventurous to see if you can come up with a fix for the 2/3.x side of things?... no pressure though ;)
@phantomtypist, the problem for the lower versions of .NET is solved.