Walter.BOM Namespace
Walter.Web.FireWall Namespace
ASP-WAF | .Net API for WAF Systems

ModelFilterAttribute Class

Validates that the model send back to the application is in the right scope

Namespace:  Walter.Web.FireWall.Annotations
Assembly:  Walter.Web.FireWall (in Walter.Web.FireWall.dll)


public sealed class ModelFilterAttribute : ProtectorBase


Look at the Model errors in ModelState, you will find a key with the Key of the property PageGroupPropertyName or the name you look for as defined in PageGroupPropertyName if it did not validate.

If raising incidents is enabled the firewall will look at the user and if the total incidents on the user surpass your configured threshold the user will be blocked

If the model did not validate you can be sure that you are getting data that is submitted by a 3rd party


You can use this filter attribute in several was to validate that the data submitted to your action and page is actually coming from you.
Browser Navigator supports simple submits, the Beacon Action accepts the json model inside the string value. We tell the ModelFilter to get the value from a specific json property
[HttpPost, Route(Links.BeaconPoint), AllowAnonymous]
   [CrossSite, Ignore(skip: FireWallGuardActions.ALL & ~FireWallGuardActions.RejectCrossSiteRequests)]
   [ModelFilter(Associations = RequestersAssociations.InCurrentPage
              , GenerateIncident = false
              , PageGroupPropertyName =Walter.Web.FireWall.Beacon.PageRequestGroupIdModelCode)]
   public StatusCodeResult Beacon(string model)
       if (!ModelState.IsValid)
           _logger?.Lazy().LogInformation("beacon: failed has {errors} errors", ModelState.ErrorCount);
           return this.Ok();//no need to make a fuss

       if (!string.IsNullOrEmpty(model))
           var beacon = JsonConvert.DeserializeObject<Beacon>(model);
           _fireWall.ModelIsValid(pageContext: _page, model: beacon, out var errors);
           if (errors.Sum(s => s.BlockingSeverityScore) < 100)
               _fireWall.LogPageRequest(beacon, _page);
               foreach (var error in errors)
                   _logger?.Lazy().LogInformation("beacon: {warn}", error);
       return this.Ok();
This sample shows how one can pass the validation to a Ajax script and allow only pages from the current session or the page that loaded the JavaScript if the session expired
using Walter.Web.FireWall;
using Walter.Web.FireWall.Annotations;
using Walter.Web.FireWall.Filters;

public class OrderController : Controller
    readonly IPageRequest _page;
    public OrderController(IPageRequest page)
        _page = page;

    public IActionResult Index()
        var model = new OrderModel(_page.PageRequestGroupId);
        return View(model);

    [ModelFilter(associations : RequestersAssociations.InCurrentPage | RequestersAssociations.InCurrentSession)]
    public IActionResult AjaxUpdate(OrderModel model)
        if (ModelState.IsValid)
            //your code
            return Ok();
        return this.BadRequest("Model not valid");

    [Ignore(skip: FireWallGuardActions.EmbeddedResources)]
    public FileResult VariablesScript()
        var sb = new StringBuilder();
        sb.AppendLine($"var userSalt ='{_page.User.GetUserSalt()}';");
        sb.AppendLine($"var pageId = {_page.PageRequestGroupId};");

        byte[] java = System.Text.Encoding.UTF8.GetBytes(sb.ToString());
        return File(java, "application/javascript");

public class OrderModel: IPageRequestGroupIdValidation
    public OrderModel(long firewallPageGroup)
        PageRequestGroupId = firewallPageGroup.ToString(CultureInfo.InvariantCulture);

    public string PageRequestGroupId { get; set; }

Inheritance Hierarchy