DevExpress-Examples/asp-net-mvc-dashboard-antiforgery

# ASP.NET MVC Dashboard - How to Prevent Cross-Site Request Forgery (CSRF) Attacks

The following example shows how to apply antiforgery request validation to the ASP.NET MVC Dashboard control. The Web Dashboard control talks to its controller through AJAX requests rather than HTML form posts, so the built-in `[ValidateAntiForgeryToken]` attribute, which reads the token from a form field, cannot be applied as-is; the steps below send the token in a request header and validate it with a custom filter.

## Example Overview

Follow the steps below to apply antiforgery request validation.

### Configure a custom dashboard controller

The validation filter is applied at controller level, so the Web Dashboard control must be served by a controller you own rather than the built-in `DashboardController`.

1. Create a custom dashboard controller. If you already have a custom controller, you can skip this step.

```cs
using DevExpress.DashboardWeb.Mvc;

namespace MVCxDashboardPreventCrossSiteRequestForgery.Controllers {
    public class CustomDashboardController : DashboardController {
    }
}
```

2. Change the default dashboard route to use the created controller.

```cs
routes.MapDashboardRoute("dashboardControl", "CustomDashboard", new string[] { "MVCxDashboardPreventCrossSiteRequestForgery.Controllers" });
```

3. Specify the controller name in the Web Dashboard settings.

```cshtml
@Html.DevExpress().Dashboard(settings => {
    ...
    settings.ControllerName = "CustomDashboard";
}).GetHtml()
```

### Add validation for AntiforgeryToken

1. Add `@Html.AntiForgeryToken()` if you do not have this token on the page. The helper renders the hidden `__RequestVerificationToken` field and sets the matching antiforgery cookie; validation needs both halves of the pair.

```cshtml
@Html.AntiForgeryToken()
@Html.DevExpress().Dashboard(settings => { .... }).GetHtml()
```

2. Implement the `DashboardValidateAntiForgeryTokenAttribute` attribute. Unlike the built-in `[ValidateAntiForgeryToken]`, which only reads the form field, this filter first looks for the token in the `__RequestVerificationToken` request header (where the dashboard control sends it) and falls back to the form field for ordinary form posts.

```cs
using System;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

public sealed class DashboardValidateAntiForgeryTokenAttribute : FilterAttribute, IAuthorizationFilter {
    public void OnAuthorization(AuthorizationContext filterContext) {
        if (filterContext == null) {
            throw new ArgumentNullException(nameof(filterContext));
        }

        HttpContextBase httpContext = filterContext.HttpContext;
        HttpRequestBase request = httpContext.Request;
        // The cookie half of the token pair, issued by @Html.AntiForgeryToken().
        HttpCookie cookie = request.Cookies[AntiForgeryConfig.CookieName];
        // The dashboard client sends the form half in a request header (see the BeforeRender handler below);
        // fall back to the form field so plain form posts still validate.
        string token = request.Headers["__RequestVerificationToken"];
        if (string.IsNullOrEmpty(token)) {
            token = request.Form["__RequestVerificationToken"];
        }
        // Throws HttpAntiForgeryException when either half is missing or the pair does not match.
        AntiForgery.Validate(cookie?.Value, token);
    }
}
```

3. Add the `DashboardValidateAntiForgeryTokenAttribute` attribute to the custom controller. Because it is applied at class level, every request to the dashboard controller, not only state-changing ones, must now carry a valid token.

```cs
[DashboardValidateAntiForgeryToken]
public class CustomDashboardController : DashboardController {
}
```

4. Handle the `BeforeRender` event and configure the Web Dashboard control's backend options so that every request the control makes carries the token in the `__RequestVerificationToken` header.

```html
<script type="text/javascript">
    function onBeforeRender(sender) {
        var control = sender.GetDashboardControl();
        // Copy the value of the hidden field rendered by @Html.AntiForgeryToken() into a header
        // that the dashboard control adds to all of its AJAX requests.
        control.option('ajaxRemoteService.headers', {
            "__RequestVerificationToken": document.querySelector('input[name=__RequestVerificationToken]').value
        });
    }
</script>
```

```cshtml
...
@Html.DevExpress().Dashboard(settings => {
    ...
    settings.ClientSideEvents.BeforeRender = "onBeforeRender";
}).GetHtml()
```
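The filter shown in the steps above validates every action on the controller and lets a failed check surface as an unhandled `HttpAntiForgeryException`, which ASP.NET reports as a server error. The variant below is an added example, not code from the DevExpress sample: it skips the HTTP methods that must not change state (GET, HEAD, OPTIONS), so a CSRF check is only enforced where forgery could do damage, and it converts a validation failure into a 403 response so a missing or stale token is reported to the dashboard client as a clean status code instead of an error page. The class name `DashboardCsrfFilterAttribute` and the `SafeMethods` list are this example's own choices.

```csharp
using System;
using System.Net;
using System.Web;
using System.Web.Helpers;
using System.Web.Mvc;

// Added example (not part of the DevExpress sample): a controller-level CSRF filter
// that ignores safe methods and short-circuits with 403 instead of throwing.
public sealed class DashboardCsrfFilterAttribute : FilterAttribute, IAuthorizationFilter {
    // Assumption: the application never changes state on these methods.
    private static readonly string[] SafeMethods = { "GET", "HEAD", "OPTIONS" };

    public void OnAuthorization(AuthorizationContext filterContext) {
        if (filterContext == null) {
            throw new ArgumentNullException(nameof(filterContext));
        }

        HttpRequestBase request = filterContext.HttpContext.Request;
        if (Array.IndexOf(SafeMethods, request.HttpMethod.ToUpperInvariant()) >= 0) {
            return; // read-only request: nothing for a forged request to change, no token required
        }

        // Cookie half of the pair, issued by @Html.AntiForgeryToken().
        HttpCookie cookie = request.Cookies[AntiForgeryConfig.CookieName];

        // Form half: the dashboard client sends it as a header (set in BeforeRender);
        // a plain form post would carry it as a hidden field instead.
        string token = request.Headers["__RequestVerificationToken"];
        if (string.IsNullOrEmpty(token)) {
            token = request.Form["__RequestVerificationToken"];
        }

        try {
            AntiForgery.Validate(cookie?.Value, token);
        } catch (HttpAntiForgeryException) {
            // Setting Result in OnAuthorization stops the action from running.
            // 403 tells the client the request was rejected without leaking a stack trace.
            filterContext.Result = new HttpStatusCodeResult(
                HttpStatusCode.Forbidden, "Antiforgery token missing or invalid.");
        }
    }
}

// Apply it exactly like the attribute from the steps above.
[DashboardCsrfFilter]
public class CustomDashboardController : DevExpress.DashboardWeb.Mvc.DashboardController {
}
```

Skipping safe methods only holds if no GET handler on the controller mutates state; if you are unsure, drop the `SafeMethods` check and validate every request, as the original attribute does. Either way the `BeforeRender` handler must stay in place, because it is what puts the token on the dashboard's requests in the first place.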
