ModelFilterAttribute Class
Validates that the model send back to the application is in the right scope
Namespace:
Walter.Web.FireWall.AnnotationsAssembly: Walter.Web.FireWall (in Walter.Web.FireWall.dll)
Remarks
Look at the Model errors in ModelState, you will find a key with the Key of the property PageGroupPropertyName or the name you look for as defined in PageGroupPropertyName if it did not validate.
If raising incidents is enabled the firewall will look at the user and if the total incidents on the user surpass your configured threshold the user will be blocked
If the model did not validate you can be sure that you are getting data that is submitted by a 3rd party
Examples
Browser Navigator supports simple submits, the Beacon Action accepts the json model inside the string value. We tell the ModelFilter to get the value from a specific json property
[HttpPost, Route(Links.BeaconPoint), AllowAnonymous]
[CrossSite, Ignore(skip: FireWallGuardActions.ALL & ~FireWallGuardActions.RejectCrossSiteRequests)]
[ModelFilter(Associations = RequestersAssociations.InCurrentPage
, GenerateIncident = false
, PageGroupPropertyName =Walter.Web.FireWall.Beacon.PageRequestGroupIdModelCode)]
public StatusCodeResult Beacon(string model)
{
if (!ModelState.IsValid)
{
_logger?.Lazy().LogInformation("beacon: failed has {errors} errors", ModelState.ErrorCount);
return this.Ok();//no need to make a fuss
}
if (!string.IsNullOrEmpty(model))
{
var beacon = JsonConvert.DeserializeObject<Beacon>(model);
_fireWall.ModelIsValid(pageContext: _page, model: beacon, out var errors);
if (errors.Sum(s => s.BlockingSeverityScore) < 100)
{
_fireWall.LogPageRequest(beacon, _page);
}
else
{
foreach (var error in errors)
{
_logger?.Lazy().LogInformation("beacon: {warn}", error);
}
}
}
return this.Ok();
}This sample shows how one can pass the validation to a Ajax script and allow only pages from the current session or the page that loaded the JavaScript if the session expired
using Walter.Web.FireWall; using Walter.Web.FireWall.Annotations; using Walter.Web.FireWall.Filters; [FireWall] public class OrderController : Controller { readonly IPageRequest _page; public OrderController(IPageRequest page) { _page = page; } public IActionResult Index() { var model = new OrderModel(_page.PageRequestGroupId); return View(model); } [HttpPost] [ModelFilter(associations : RequestersAssociations.InCurrentPage | RequestersAssociations.InCurrentSession)] public IActionResult AjaxUpdate(OrderModel model) { if (ModelState.IsValid) { //your code return Ok(); } return this.BadRequest("Model not valid"); } [Route("js/Variables.js")] [NoCache] [Ignore(skip: FireWallGuardActions.EmbeddedResources)] public FileResult VariablesScript() { var sb = new StringBuilder(); sb.AppendLine($"var userSalt ='{_page.User.GetUserSalt()}';"); sb.AppendLine($"var pageId = {_page.PageRequestGroupId};"); byte[] java = System.Text.Encoding.UTF8.GetBytes(sb.ToString()); return File(java, "application/javascript"); } } public class OrderModel: IPageRequestGroupIdValidation { public OrderModel(long firewallPageGroup) { PageRequestGroupId = firewallPageGroup.ToString(CultureInfo.InvariantCulture); } public string PageRequestGroupId { get; set; } }
Inheritance Hierarchy
Walter.Web.FireWall.Annotations..::..ModelFilterAttribute