apereo / dotnet-cas-client

Apereo .NET CAS Client
Apache License 2.0

Issues/single logout #83

Open nightBaker opened 6 years ago

nightBaker commented 6 years ago

80

After logout, CAS sends a POST request: message=@NOT_USED@</saml:NameID>ST-2171-iZF3BlhCp9VdarvPV-tJ1GEebO0-kaspi-portsso1</samlp:SessionIndex></samlp:LogoutRequest>,asynchronous=false,contentType=application/x-www-form-urlencoded

And dotnet-cas-client tries to get logoutRequest from HttpContext.Current.Request.Form

internal static void ProcessSingleSignOutRequest()
{
    HttpContext context = HttpContext.Current;
    HttpRequest request = context.Request;
    HttpResponse response = context.Response;
    protoLogger.Debug("Examining request for single sign-out signature");

    if (request.HttpMethod == "POST" && request.Form["logoutRequest"] != null)
    {

Getting the value causes an exception: context.Request.Form["logoutRequest"] 'context.Request.Form["logoutRequest"]' threw an exception of type 'System.Web.HttpRequestValidationException' string {System.Web.HttpRequestValidationException}

phantomtypist commented 6 years ago

Uh, @nightBaker why do you keep closing and re-opening pull requests? You can just keep continuing your changes on a single pull request and push the changes to it as you go along.

TL;DR: no need to create a new pull request and close the previous one for each commit/change you make.

phantomtypist commented 6 years ago

@nightBaker You'll also need to tell us when you are done making changes to the PR... otherwise I have no clue when you are done making changes... which is why I'll suggest that you don't normally submit a PR in any source control system until you are done working on the code on an issue.

Granted though, it's okay to have a discussion in the PR once it is submitted... which might lead to further changes on your part. TL;DR: Get what you want to get done in its fullest and then submit a PR and we can discuss as a group.

nightBaker commented 6 years ago

I am done making changes) There are some places where it tries to get the value from HttpContext.Current.Request.Form["logoutRequest"], which contains XML, so ASP.NET throws the exception System.Web.HttpRequestValidationException. So I made changes for .NET 4.5 using the Unvalidated property, which gives access to values without triggering ASP.NET request validation: HttpContext.Current.Request.Unvalidated.Form["logoutRequest"], which solved the issue.
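Editor's added example, not part of the thread and not code from dotnet-cas-client: once the field is read through Request.Unvalidated, ASP.NET no longer screens it, so the logout XML should be parsed as untrusted input. The class name, the 16 KB cap and the "ST-" prefix check are assumptions made for this sketch.

```csharp
using System;
using System.IO;
using System.Web;   // .NET Framework 4.5+; reference System.Web.dll
using System.Xml;

// Hypothetical helper, not a dotnet-cas-client class.
public static class LogoutRequestReader
{
    // Bypass request validation for this one field only, and only on POST.
    public static string GetRawLogoutRequest(HttpRequest request)
    {
        if (request.HttpMethod != "POST") return null;
        return request.Unvalidated.Form["logoutRequest"];
    }

    // The value is untrusted XML: forbid DTDs and external resolution, cap
    // the size, and return only the SessionIndex text (the ticket) or null.
    public static string ExtractSessionIndex(string xml)
    {
        if (string.IsNullOrEmpty(xml)) return null;
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null,
            MaxCharactersInDocument = 16 * 1024 // assumed limit
        };
        try
        {
            using (var reader = XmlReader.Create(new StringReader(xml), settings))
                while (reader.Read())
                    if (reader.NodeType == XmlNodeType.Element && reader.LocalName == "SessionIndex")
                    {
                        string ticket = reader.ReadElementContentAsString().Trim();
                        return ticket.StartsWith("ST-", StringComparison.Ordinal) ? ticket : null;
                    }
        }
        catch (XmlException) { /* malformed, oversized or DTD-bearing input */ }
        return null;
    }

    public static void Main()
    {
        // Constructed sample, not captured from a real CAS server.
        string sample = "<samlp:LogoutRequest xmlns:samlp=\"urn:oasis:names:tc:SAML:2.0:protocol\">" +
            "<samlp:SessionIndex>ST-1-constructed-example</samlp:SessionIndex></samlp:LogoutRequest>";
        Console.WriteLine(ExtractSessionIndex(sample));
    }
}
```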

phantomtypist commented 6 years ago

@nightBaker

You say you fixed the problem for the .NET 4.x code path.

Question: does the problem exist in the .NET 2/3.x code path? If yes, then have you fixed that as well in this PR?

nightBaker commented 6 years ago

@phantomtypist The problem still exists in .NET 2/3. It is not possible to fix it in the same way, because HttpContext.Current.Request.Unvalidated is not available for those versions of the framework.

phantomtypist commented 6 years ago

@nightBaker I understand how it is not fixable in 2/3.x in the same manner you did for 4.x, but do you think you'd feel a little adventurous to see if you can come up with a fix for the 2/3.x side of things?... no pressure though ;)

nightBaker commented 6 years ago

@phantomtypist, the problem for the lower versions of .NET is solved.